Reverse Engineering

Malware tracker blog: New malware document scanner tool released. We've recently released our malware document scanner tool, Cryptam (short for cryptanalysis of malware). It scans document files such as MS Office (.doc/.ppt/.xls), PDF and other document formats for embedded executables, encrypted or not. Because most embedded malware executables use XOR keys of varying length and ROL/ROR bit rotation to evade traditional A/V detection, we focus on detecting the embedded executable rather than the exploit itself. A typical Cryptam report visually shows three critical pieces of the cryptanalysis done.
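Before looking at those three graphs, here is an added example, not Cryptam's own code, of the measurements a report like this is built from: a byte histogram, a sliding-window entropy profile, and a brute-force search for a single-byte XOR or bit-rotation key that exposes an embedded PE. The input is a constructed document with a fake executable XORed with 0x5A, and the function names (scan, find_encoded_pe, build_sample) are mine; the multi-byte keys that Cryptam's third graph is about are not handled here.

```python
import math
from collections import Counter

# Every PE carries this string in its DOS stub; it is searched in *encoded*
# form so the file is never decoded once per candidate key.
DOS_STUB = b"This program cannot be run in DOS mode"
MZ = b"MZ"


def byte_histogram(data: bytes) -> Counter:
    """Count per byte value (the first graph). A PE's long runs of 0x00 turn
    into the key byte under single-byte XOR, so the key shows up as an
    unusually common value."""
    return Counter(data)


def shannon_entropy(chunk: bytes) -> float:
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(data: bytes, window: int = 256) -> list:
    """Bits per byte for each window (the second graph): prose sits well
    below 5, encoded or packed code near 8."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def _rol8(b: int, r: int) -> int:
    return ((b << r) | (b >> (8 - r))) & 0xFF


def find_encoded_pe(data: bytes) -> list:
    """Try the 256 single-byte XOR keys and the 7 non-trivial bit rotations.
    Each hit records where the DOS-stub string was found and where the
    encoded 'MZ' that should precede it within one DOS header sits."""
    candidates = [("xor", k, lambda b, k=k: b ^ k) for k in range(256)]
    candidates += [("rol", r, lambda b, r=r: _rol8(b, r)) for r in range(1, 8)]
    hits = []
    for kind, key, enc in candidates:
        marker = bytes(enc(b) for b in DOS_STUB)
        enc_mz = bytes(enc(b) for b in MZ)
        pos = data.find(marker)
        while pos != -1:
            mz = data.rfind(enc_mz, max(0, pos - 0x100), pos)
            hits.append({"encoding": kind, "key": key, "stub_offset": pos, "mz_offset": mz})
            pos = data.find(marker, pos + 1)
    return hits


def scan(data: bytes) -> dict:
    top_byte, top_count = byte_histogram(data).most_common(1)[0]
    return {"top_byte": top_byte, "top_count": top_count,
            "max_entropy": max(entropy_profile(data)), "hits": find_encoded_pe(data)}


def build_sample() -> bytes:
    """Constructed input, not a real sample: low-entropy text around a fake PE
    (MZ header, DOS stub, null padding, a high-entropy body) XORed with 0x5A."""
    fake_pe = MZ + b"\x00" * 76 + DOS_STUB + b"\x00" * 200 + bytes(range(256)) * 4
    text = b"Quarterly report. " * 20
    return text + bytes(b ^ 0x5A for b in fake_pe) + text


if __name__ == "__main__":
    report = scan(build_sample())
    print("most common byte: 0x%02x (%d times)" % (report["top_byte"], report["top_count"]))
    print("max window entropy: %.2f bits/byte" % report["max_entropy"])
    for h in report["hits"]:
        print("embedded PE: %s key 0x%02x, MZ at offset %d" % (h["encoding"], h["key"], h["mz_offset"]))
```

On the constructed file the histogram's most common byte is the key itself (the PE's null padding became 0x5A), the windows covering the executable body reach 8 bits per byte while the surrounding text stays under 4, and the key search recovers both the key and the offset of the encoded MZ header, which is exactly what a report can overlay on the dispersion graph.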

The first graph shows the count of each byte value (ASCII character) in the file; an obvious single-byte XOR key can often be spotted here. The second graph is the entropy of the file: most documents other than PDFs have very low entropy on legitimate content, with only images or the embedded executables showing as red high-entropy sections. The third and final graphic is the XOR dispersion over 1024 bytes with the calculated key overlaid. Malware tracker: cryptam malware analysis.

Bernardo Damele A. G.: Dump Windows password hashes efficiently - Part 1. Windows Security Account Manager. Slightly modified definition from Wikipedia: the Security Accounts Manager (SAM) is a registry file in Windows NT and later versions, up to the then-current Windows 7. It stores users' passwords in hashed form (LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the stored passwords. Dumping the operating system users' password hashes is a common action after compromising a machine: access to the hashes opens the door to a variety of attacks including, but not limited to, authenticating with the hash over SMB to other systems where passwords are reused (pass-the-hash), password policy analysis and pattern recognition, and password cracking.

Depending on the type of access you have to the target, you can retrieve the password hashes from the SAM in different ways. Physical access: the tools for this are generally included in many GNU/Linux live distributions. Usage: legacy techniques.

Introductory Intel x86: Architecture, Assembly, Applications, Day 1, Part 3 : Xeno Kovah. More information about this class material is available at OpenSecurityTraining.info. Intel processors have been a major force in personal computing for more than 20 years. 25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent learning Windows tools and analysis of simple programs.

This class serves as a foundation for the follow-on Intermediate x86 class. This movie is part of the collection: OpenSecurityTraining.info. Creative Commons license: Attribution-Share Alike 3.0.

The remaining recordings of the same class carry the same description and license:
Introductory Intel x86: Architecture, Assembly, Applications, Day 1, Part 4 : Xeno Kovah.
Introductory Intel x86: Architecture, Assembly, Applications, Day 1, Part 5 : Xeno Kovah.
Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 1 : Xeno Kovah.
Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 2 : Xeno Kovah.
Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 3 : Xeno Kovah.
Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 4 : Xeno Kovah.
Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 5 : Xeno Kovah.

Introductory Intel x86: Architecture, Assembly, Applications, Day 2, Part 6 : Xeno Kovah.

IntroX86. Creator: Xeno Kovah @XenoKovah. License: Creative Commons Attribution-Share Alike. Class prerequisites: a basic understanding of the C programming language, as this class shows how C code corresponds to assembly code. Lab requirements: a Windows system with Visual C++ Express Edition, and a Linux system with gcc and gdb and the CMU binary bomb installed; either system can be physical or virtual. Class textbook: “Professional Assembly Language” by Richard Blum. Recommended class duration: 2-3 days. Creator available to teach in-person classes: yes. Author comments: Intel processors have been a major force in personal computing for more than 30 years. 25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent learning Windows tools and analysis of simple programs. This class serves as a foundation for the follow-on Intermediate x86 class.

Into the Darkness: Dissecting Targeted Attacks | Qualys Security Labs. The current threat landscape around cyber attacks is complex and hard to understand even for IT pros. Media coverage of recent events makes this harder by putting fundamentally different attacks into the same category, often labeled as advanced persistent threats (APTs). The resulting mix includes everything from broadly used exploit-kit campaigns run by cyber criminals to targeted attacks that use 0-day vulnerabilities and are hard to fend off, blurring the threat landscape and causing confusion where clarity is most needed. This article analyzes a specific incident, last March's RSA breach, explaining the techniques used by the attackers and detailing the vulnerability used to gain access to the network. It further explores the mitigation techniques available in current software at the OS and application level to prevent such attacks from recurring.

Sections: Introduction; General Mechanics of the Attack; The Email; The Spreadsheet; ActionScript Source Code.

Crimes Cibernéticos: Analysis of the Intimação-MPF malware. Phishing messages using the names of the Ministério Público Federal and the Departamento de Polícia Federal, about a supposed summons to appear at a hearing, have been circulating for a while. Today I received another one of this kind and decided to analyze it; let's see what we can find. Artifact identification: clicking the link in the e-mail downloaded the file INTIMACAO-MPF.SCR.exe (MD5: 3168711d7cb3a7a7c1a037dfaa8a66a9). The executable was not packed and the programming language identified was Microsoft Visual Basic 5.0/6.0, so the way was clear to proceed. Static analysis: opening it in IDA Pro and searching the strings made it easy to discover the malicious artifact's intentions.

We see an IP address, several bank URLs, a reference to the Windows hosts file and, finally, a URL. Lastly it must access that final URL to "notify" that one more person fell for the scam, which is very common and well known. Dynamic analysis: Regshot, files modified during execution. Web analysis.

Introduction to Malware Analysis - Free Recorded Webcast by Lenny Zeltser. This webcast introduces you to practical approaches to reverse-engineering malicious software on a Windows system. I cover the behavioral and code analysis phases, to make this topic accessible even to individuals with limited exposure to programming concepts. You'll learn the fundamentals and associated tools to get started with malware analysis.

You can view and listen to the recorded version of this webcast. You can also download my slides, complete with full speaker notes. The presentation walks you through the analysis of a trojan program. If you'd like to learn about the full Reverse-Engineering Malware course I teach at SANS Institute, take a look at the REM course page. My webcast mentioned a local behavior monitoring tool, CaptureBAT. Authored by Lenny Zeltser. Copyright © 1995-2013 Lenny Zeltser.

Reverse-Engineering Malware Cheat Sheet by Lenny Zeltser.

Analyzing Malicious Documents Cheat Sheet by Lenny Zeltser. This cheat sheet outlines tips and tools for reverse-engineering malicious documents, such as Microsoft Office (DOC, XLS, PPT) and Adobe Acrobat (PDF) files. General approach: locate potentially malicious embedded code, such as shellcode, VBA macros, or JavaScript.

Extract suspicious code segments from the file. If relevant, disassemble and/or debug shellcode. If relevant, deobfuscate and examine JavaScript, ActionScript, or VB macro code. Microsoft Office binary file format notes: Structured Storage (OLE SS) defines a file system inside the binary Microsoft Office file. Data can be a "storage" (folder) or a "stream" (file). Excel stores data inside the "Workbook" stream. PowerPoint stores data inside the "PowerPoint Document" stream. Word stores data inside various streams. Tools for analyzing Microsoft Office files: OfficeMalScanner locates shellcode and VBA macros in MS Office (DOC, XLS, and PPT) files. pyOLEScanner.py can examine and decode some aspects of malicious binary Office files.
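The structured-storage layout the cheat sheet describes, as an added example that is neither Zeltser's code nor one of the tools listed: a minimal compound-file reader that walks the storage/stream directory tree and extracts a stream by name, plus a constructed single-stream file to run it on. The container layout (header, FAT, directory entries, sector chains) is the real format; the "Workbook" stream content is a placeholder rather than BIFF records, and OleFile, build_sample_xls, with_fat_loop and list_streams are my names. Mini-stream storage (streams under 4096 bytes) and DIFAT overflow sectors are deliberately left out, and both FAT and directory walks check for cycles, because a crafted document that loops a naive parser is exactly what a malicious-document scanner has to survive.

```python
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FATSECT, ENDOFCHAIN, FREESECT, NOSTREAM = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF
TYPES = {1: "storage", 2: "stream", 5: "root"}


class OleFile:
    """Minimal reader for the compound-file (OLE2 structured storage) container
    of binary Office documents. v3 layout, no mini stream, no DIFAT overflow."""

    def __init__(self, data: bytes):
        if data[:8] != MAGIC:
            raise ValueError("not an OLE2 compound file")
        self.data = data
        self.sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
        fat_count, dir_start = struct.unpack_from("<II", data, 44)
        self.mini_cutoff = struct.unpack_from("<I", data, 56)[0]
        difat = struct.unpack_from("<109I", data, 76)[:fat_count]  # sectors holding the FAT
        fat_raw = b"".join(self._sector(s) for s in difat)
        self.fat = struct.unpack("<%dI" % (len(fat_raw) // 4), fat_raw)
        raw_dir = self._read_chain(dir_start)
        self.entries = [self._entry(raw_dir[i:i + 128]) for i in range(0, len(raw_dir), 128)]

    def _sector(self, n: int) -> bytes:
        off = 512 + n * self.sector_size  # sector 0 starts right after the 512-byte header
        return self.data[off:off + self.sector_size]

    def _read_chain(self, start: int) -> bytes:
        """Follow a FAT chain; the visited set stops a crafted loop."""
        out, s, seen = [], start, set()
        while s < 0xFFFFFFFA:  # values from 0xFFFFFFFA up are markers, not sectors
            if s in seen or s >= len(self.fat):
                raise ValueError("corrupt FAT chain at sector %d" % s)
            seen.add(s)
            out.append(self._sector(s))
            s = self.fat[s]
        return b"".join(out)

    @staticmethod
    def _entry(raw: bytes) -> dict:
        name_len = struct.unpack_from("<H", raw, 64)[0]  # bytes, including the NUL
        left, right, child = struct.unpack_from("<III", raw, 68)
        start, size = struct.unpack_from("<IQ", raw, 116)
        return {"name": raw[:max(name_len - 2, 0)].decode("utf-16le", "replace"),
                "type": TYPES.get(raw[66], "unused"), "left": left, "right": right,
                "child": child, "start": start, "size": size}

    def walk(self):
        """Yield (path, entry) for everything under the root storage by walking
        each storage's sibling tree; a hostile directory with cycles is cut short."""
        visited = set()

        def visit(idx, prefix):
            if idx == NOSTREAM or idx >= len(self.entries) or idx in visited:
                return
            visited.add(idx)
            e = self.entries[idx]
            yield from visit(e["left"], prefix)
            yield prefix + e["name"], e
            yield from visit(e["child"], prefix + e["name"] + "/")
            yield from visit(e["right"], prefix)

        yield from visit(self.entries[0]["child"], "")

    def read_stream(self, path: str) -> bytes:
        for p, e in self.walk():
            if p == path and e["type"] == "stream":
                if e["size"] < self.mini_cutoff:
                    raise NotImplementedError("stream lives in the mini stream")
                return self._read_chain(e["start"])[:e["size"]]
        raise KeyError(path)


def build_sample_xls(workbook: bytes) -> bytes:
    """Constructed file, not real Excel output: one 'Workbook' stream padded to
    4096 bytes (regular sectors 2..9); sector 0 is the FAT, sector 1 the directory."""
    body = workbook.ljust(4096, b"\x00")
    nsec = len(body) // 512

    def entry(name, typ, child=NOSTREAM, start=ENDOFCHAIN, size=0):
        n = (name + "\x00").encode("utf-16le")
        return (n.ljust(64, b"\x00") + struct.pack("<HBBIII", len(n), typ, 1, NOSTREAM, NOSTREAM, child)
                + b"\x00" * 36 + struct.pack("<IQ", start, size))

    header = (MAGIC + b"\x00" * 16 + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<I", 0) + struct.pack("<108I", *[FREESECT] * 108))
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + nsec)) + [ENDOFCHAIN]
    fat += [FREESECT] * (128 - len(fat))
    directory = (entry("Root Entry", 5, child=1) + entry("Workbook", 2, start=2, size=len(body))
                 + b"\x00" * 256)
    return header + struct.pack("<128I", *fat) + directory + body


def with_fat_loop(data: bytes) -> bytes:
    """Tamper helper: make sector 2's FAT entry point back at sector 2."""
    bad = bytearray(data)
    struct.pack_into("<I", bad, 512 + 2 * 4, 2)
    return bytes(bad)


def list_streams(data: bytes) -> list:
    return [(path, e["type"], e["size"]) for path, e in OleFile(data).walk()]
```

OfficeMalScanner and pyOLEScanner do this walk for you; doing it by hand shows where the interesting material lives (Excel's "Workbook" stream, Word's "Macros/VBA" storage for macro code) and why an unexpected stream name, an oversized stream, or a FAT chain that never terminates is worth a second look.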

5 Steps to Building a Malware Analysis Toolkit Using Free Tools by Lenny Zeltser. REMnux 1.0: the malware analyst's playground. OllyDbg v1.10. Homepage. Advanced Persistent Tweets: Zero-Day in 140 Characters. Netifera. BitBlaze: Binary Analysis for Computer Security. Anubis: Analyzing Unknown Binaries. Segurança da Informação. Projeto Malwares-BR - Início. Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code (9780470613030): Michael Ligh, Steven Adair, Blake Hartstein, Matthew Richard. Reversing: Secrets of Reverse Engineering (9780764574818): Eldad Eilam. Hacking: The Art of Exploitation, 2nd Edition (9781593271442): Jon Erickson. Yashira.org. Software - CERT.at. .:: Phrack Magazine ::. What is heap and stack? Heap: Pleasures and Pains. Heap spraying. Heap (data structure) ERESI – Trac. Reverse-Engineering Malware: Malware Analysis Tools and Techniques Course - Malware Analysis Training by Lenny Zeltser.

Zerowine.sourceforge. Vulnerability Research Blog (Vulnerabilities, Exploits, Threats, 0-Days). NirSoft - freeware utilities: password recovery, system utilities, desktop utilities. Malware Analysis, Virus Sandbox - CWSandbox, an Automated Malware Analysis Tool. :: mwanalysis :: CWSandbox :: Free Malicious PDF Analysis E-book.