
Reverse Engineering


Malware tracker blog: New malware document scanner tool released. We've recently released our malware document scanner tool called Cryptam (which stands for cryptanalysis of malware).


This system scans document files such as MS Office (.doc/.ppt/.xls), PDF and other document formats for embedded executables, whether encrypted or not. As most embedded malware executables use varying lengths of XOR and ROL/ROR obfuscation to evade traditional A/V detection, we focus on detecting the embedded executable rather than the exploit itself. A typical Cryptam report visually shows three critical pieces of the cryptanalysis done. The first graph shows the count for each ASCII character in the file; obvious single-byte XOR keys can be seen here. The second graph is the entropy of the file; most documents other than PDFs have very low entropy in legitimate content, with only images or the embedded executables showing as red high-entropy sections. Malware tracker: cryptam malware analysis. Bernardo Damele A. G.: Dump Windows password hashes efficiently - Part 1. Windows Security Account Manager.


Introductory Intel x86: Architecture, Assembly, Applications, Day 1, Part 3 : Xeno Kovah.

Introductory Intel x86: Architecture, Assembly, Applications, Day 1, Part 4 : Xeno Kovah. PR IntroX86 Day1 Part4. More information about this class material is available at OpenSecurityTraining.info. Intel processors have been a major force in personal computing for more than 20 years. 25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent learning Windows tools and analysis of simple programs. This class serves as a foundation for the follow-on Intermediate level x86 class.

Introductory Intel x86: Architecture, Assembly, Applications, Day 1, Part 5 : Xeno Kovah.

Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 1 : Xeno Kovah.

Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 2 : Xeno Kovah.

Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 3 : Xeno Kovah. PR IntroX86 Day2 Part3. More information about this class material is available at OpenSecurityTraining.info.

Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 4 : Xeno Kovah.

Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 5 : Xeno Kovah.

Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 6 : Xeno Kovah.

IntroX86. Creator: Xeno Kovah @XenoKovah. License: Creative Commons: Attribution, Share-Alike. Class Prerequisites: Must have a basic understanding of the C programming language, as this class will show how C code corresponds to assembly code.

Lab Requirements: Requires a Windows system with Visual C++ Express Edition. Requires a Linux system with gcc and gdb, and the CMU binary bomb installed. Class Textbook: “Professional Assembly Language” by Richard Blum. Into the Darkness: Dissecting Targeted Attacks. The current threat landscape around cyber attacks is complex and hard to understand, even for IT pros. Media coverage of recent events increases the challenge by putting fundamentally different attacks into the same category, often labeled as advanced persistent threats (APTs). The resulting mix of attacks includes everything from broadly used, exploit-kit driven campaigns run by cyber criminals to targeted attacks that use 0-day vulnerabilities and are hard to fend off, blurring the threat landscape and causing confusion where clarity is most needed. This article analyzes a specific incident, last March’s RSA breach, explaining the techniques used by the attackers and detailing the vulnerability used to gain access to the network.

It further explores the possible mitigation techniques available in current software at the OS and application level to prevent such attacks from reoccurring. Crimes Cibernéticos: Analysis of the Intimação-MPF Malware. Phishing messages using the names of the Ministério Público Federal (Federal Public Ministry) and the Departamento de Polícia Federal (Federal Police Department) have been circulating for some time, claiming a supposed summons to appear at a hearing.

Introduction to Malware Analysis - Free Recorded Webcast by Lenny Zeltser. This webcast introduces you to practical approaches of reverse-engineering malicious software on a Windows system. I cover behavioral and code analysis phases, to make this topic accessible even to individuals with a limited exposure to programming concepts. You'll learn the fundamentals and associated tools to get started with malware analysis. Reverse-Engineering Malware Cheat Sheet by Lenny Zeltser. This is a cheat sheet of shortcuts and tips for reverse-engineering malware.

It covers the general malware analysis process, as well as useful tips for OllyDbg, IDA Pro, and other tools. Feel free to customize it to your own needs. My reverse-engineering malware course explores these, and other useful techniques.
General Approach: Set up a controlled, isolated laboratory in which to examine the malware specimen.
Behavioral Analysis: Monitor local (Process Monitor, Process Explorer) and network (Wireshark, tcpdump) interactions. Detect major local changes (RegShot, Autoruns). Redirect network traffic (hosts file, DNS, Honeyd). Activate services (IRC, HTTP, SMTP, etc.) as needed to evoke new behavior from the specimen.
IDA Pro for Static Code Analysis. OllyDbg for Dynamic Code Analysis.
Bypassing Malware Defenses: To try unpacking quickly, infect the system and dump from memory via LordPE or OllyDump. For more surgical unpacking, locate the Original Entry Point (OEP) after the unpacker executes.
Analyzing Malicious Documents Cheat Sheet by Lenny Zeltser.

This cheat sheet outlines tips and tools for reverse-engineering malicious documents, such as Microsoft Office (DOC, XLS, PPT) and Adobe Acrobat (PDF) files. 5 Steps to Building a Malware Analysis Toolkit Using Free Tools by Lenny Zeltser. Examining the capabilities of malicious software allows your IT team to better assess the nature of a security incident, and may help prevent further infections. REMnux 1.0: the malware analyst's playground. OllyDbg v1.10. Homepage. Advanced Persistent Tweets: Zero-Day in 140 Characters. The unceasing barrage of targeted email attacks that leverage zero-day software flaws to steal sensitive information from businesses and the U.S. government often are described as being ultra-sophisticated, almost ninja-like in stealth and anonymity. But according to expert analysis of several recent zero-day attacks – including the much publicized break-in at security giant RSA — the Chinese developers of those attack tools left clues aplenty about their identities and locations, with one apparent contender even Tweeting about having newly discovered a vulnerability days in advance of its use in the wild.

Zero-day threats are attacks which exploit security vulnerabilities that a software vendor learns about at the same time as the general public does; the vendor has “zero days” to fix the flaw before it gets exploited. Bragging rights may play a part in the attackers’ lack of duplicity. “call [0x1111110+0x08].” “Wrote the firefox 0day. Netifera. BitBlaze: Binary Analysis for Computer Security. Anubis: Analyzing Unknown Binaries. Segurança da Informação (Information Security). Projeto Malwares-BR - Home. The malwares-br project is an idea for creating signatures for open-source projects (especially Snort rules and, in the future, ClamAV; perhaps correlation rules for OSSEC when possible), intended particularly for Brazilian companies against "Made In Brazil" threats. The initial focus will be based on the few samples we collect during the week, on which we will do a basic analysis, with a short explanation and, initially, Snort signatures.

Depending on demand and on the help we receive over time, we will also do something for ClamAV, since that will be of great value to them as well. Another possibility is for the project to become part of the Emerging-Threats ruleset, but for that we need to build up a good volume of rules and show that the Brazilian community is committed. What we need most initially is samples; that is, if you receive something from a Brazilian company, please forward us the link or the email, and we will certainly repay you with the signatures. Happy Snorting! Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code (9780470613030): Michael Ligh, Steven Adair, Blake Hartstein, Matthew Richard. Reversing: Secrets of Reverse Engineering (9780764574818): Eldad Eilam. Hacking: The Art of Exploitation, 2nd Edition (9781593271442): Jon Erickson. Yashira.org. Software - CERT.at. Phrack Magazine. What is heap and stack? The stack is a place in the computer memory where all the variables that are declared and initialized before runtime are stored.

The heap is the section of computer memory where all the variables created or initialized at runtime are stored. What are the memory segments? The distinction between stack and heap relates to programming. When you look at your computer memory, it is organized into three segments: the text (code) segment, the stack segment and the heap segment. The text segment (often called the code segment) is where the compiled code of the program itself resides. Now let's get to some details. What is stack? The two sections other than the code segment in memory are used for data. Data is stored in the stack using the Last In First Out (LIFO) method. What is heap? On the other hand, the heap is an area of memory used for dynamic memory allocation. The stack is much faster than the heap but also smaller and more expensive.

Heap and stack from a programming perspective. Heap: Pleasures and Pains. Murali R. Heap spraying. Operation: A heap spray does not actually exploit any security issues, but it can be used to make a vulnerability easier to exploit. Heap (data structure). ERESI – Trac. Reverse-Engineering Malware: Malware Analysis Tools and Techniques Course - Malware Analysis Training by Lenny Zeltser. Zerowine.sourceforge. Vulnerability Research Blog (Vulnerabilities, Exploits, Threats, 0-Days). NirSoft - freeware utilities: password recovery, system utilities, desktop utilities. Malware Analysis, Virus Sandbox - CWSandbox an Automated Malware Analysis Tool. Mwanalysis. Free Malicious PDF Analysis E-book.