Reverse Engineering

TwitterFacebook
Get flash to fully experience Pearltrees
We've recently released our malware document scanner tool called Cryptam (which stands for cryptanalysis of malware) . This system scans document files such as MS Office (.doc/.ppt/.xls), PDF and other document formats for embedded executables whether encrypted or not. As most embedded malware executables use varying lengths of XOR and ROL/ROR obfuscation to evade traditional A/V detection, we focus on the detection of the embedded executable rather than the exploit itself. A typical Cryptam report visually shows three critical pieces of the cryptanalysis done. The first graph shows the count for each ascii character in the file, obvious single byte XOR keys can be seen here. The second graph is the entropy of the file, most documents other than PDFs are very light entropy on legitimate content, and only images or the embedded executables showing as red high entropy sections. http://blog.malwaretracker.com/2012/02/new-malware-document-scanner-tool.html

malware tracker blog: New malware document scanner tool released

Bernardo Damele A. G.: Dump Windows password hashes efficiently - Part 1

http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html Windows Security Account Manager Slightly modified definition from Wikipedia : The Security Accounts Manager (SAM) is a registry file in Windows NT and later versions until the most recent Windows 7 .
<div style="padding:5px; font-size:80%; width:300px; background-color:white; margin-left:auto; margin-right:auto; border:1px dashed gray;"> Internet Archive's<!--'--> in-browser video player requires JavaScript to be enabled. It appears your browser does not have it turned on. Please see your browser settings for this feature.

Introductory Intel x86: Architecture, Assembly, Applications, Day 1, Part 3 : Xeno Kovah

http://archive.org/details/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay1Part3
<div style="padding:5px; font-size:80%; width:300px; background-color:white; margin-left:auto; margin-right:auto; border:1px dashed gray;"> Internet Archive's<!--'--> in-browser video player requires JavaScript to be enabled. It appears your browser does not have it turned on. Please see your browser settings for this feature. http://archive.org/details/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay1Part4

Introductory Intel x86: Architecture, Assembly, Applications, Day 1, Part 4 : Xeno Kovah

http://archive.org/details/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay1Part5

Introductory Intel x86: Architecture, Assembly, Applications, Day 1, Part 5 : Xeno Kovah

<div style="padding:5px; font-size:80%; width:300px; background-color:white; margin-left:auto; margin-right:auto; border:1px dashed gray;"> Internet Archive's<!--'--> in-browser video player requires JavaScript to be enabled. It appears your browser does not have it turned on. Please see your browser settings for this feature. </div> Embedding Examples and Help
http://archive.org/details/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay2Part1 <div style="padding:5px; font-size:80%; width:300px; background-color:white; margin-left:auto; margin-right:auto; border:1px dashed gray;"> Internet Archive's<!--'--> in-browser video player requires JavaScript to be enabled. It appears your browser does not have it turned on. Please see your browser settings for this feature. </div>

Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 1 : Xeno Kovah

Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 2 : Xeno Kovah

<div style="padding:5px; font-size:80%; width:300px; background-color:white; margin-left:auto; margin-right:auto; border:1px dashed gray;"> Internet Archive's<!--'--> in-browser video player requires JavaScript to be enabled. It appears your browser does not have it turned on. Please see your browser settings for this feature. </div> PR IntroX86 Day2 Part2 http://archive.org/details/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay2Part2
<div style="padding:5px; font-size:80%; width:300px; background-color:white; margin-left:auto; margin-right:auto; border:1px dashed gray;"> Internet Archive's<!--'--> in-browser video player requires JavaScript to be enabled. It appears your browser does not have it turned on. Please see your browser settings for this feature. </div> PR IntroX86 Day2 Part3

Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 3 : Xeno Kovah

http://archive.org/details/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay2Part3
http://archive.org/details/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay2Part4

Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 4 : Xeno Kovah

<div style="padding:5px; font-size:80%; width:300px; background-color:white; margin-left:auto; margin-right:auto; border:1px dashed gray;"> Internet Archive's<!--'--> in-browser video player requires JavaScript to be enabled. It appears your browser does not have it turned on. Please see your browser settings for this feature.

Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 5 : Xeno Kovah

<div style="padding:5px; font-size:80%; width:300px; background-color:white; margin-left:auto; margin-right:auto; border:1px dashed gray;"> Internet Archive's<!--'--> in-browser video player requires JavaScript to be enabled. It appears your browser does not have it turned on. http://archive.org/details/IntroductoryIntelX86ArchitectureAssemblyApplicationsDay2Part5

Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 6 : Xeno Kovah

<div style="padding:5px; font-size:80%; width:300px; background-color:white; margin-left:auto; margin-right:auto; border:1px dashed gray;"> Internet Archive's<!--'--> in-browser video player requires JavaScript to be enabled. It appears your browser does not have it turned on.

IntroX86

Creator : Xeno Kovah License : Creative Commons: Attribution, Share-Alike ( http://creativecommons.org/licenses/by-sa/3.0/) Lab Requirements : Requires a Windows system with Visual C++ Express Edition. Requires a Linux system with gcc and gdb, and the CMU binary bomb installed. Either system can be physical or virtual.
The current threat landscape around cyber attacks is complex and hard to understand even for IT pros. The media coverage on recent events increases the challenge by putting fundamentally different attacks into the same category, often labeled as advanced persistent threats (APTs). The resulting mix of attacks includes everything from broadly used, exploit-kit driven campaigns driven by cyber criminals, to targeted attacks that use 0-day vulnerabilities and are hard to fend off - blurring the threat landscape, causing confusion where clarity is most needed. This article analyzes a specific incident - last March’s RSA breach, explaining the techniques used by the attackers and detailing the vulnerability used to gain access to the network. It further explores the possible mitigation techniques available in current software on the OS and application level to prevent such attacks from reoccurring.

Into the Darkness: Dissecting Targeted Attacks | Qualys Security Labs | Qualys Community

Já está circulando há um tempo mensagens de phishing que utilizam o nome do Ministério Público Federal e do Departamento de Polícia Federal falando de uma suposta intimação para comparecer em uma audiência. Hoje recebi mais uma desse tipo e resolvi analisar, vamos ver o que conseguimos. Identificação do Artefato Ao clicar no link do e-mail foi feito o download do arquivo:

Crimes Cibernéticos: Análise do Malware Intimação-MPF