Channel: Malware – Didier Stevens
Browsing all 102 articles

PDF Info Stealer PoC

An info stealer is malware that steals credentials or files from its victims. Info stealers don’t require admin rights to perform their task, and can be designed to evade or bypass AV, HIPS, DLP and...


Frisky Solitaire – Another Info Stealer

Marcus Murray gave a great talk at TechEd Berlin 2009: “Hack-Proofing Your Clients Using Windows 7 Security”. In one of his demos, he showed a trojaned Excel spreadsheet. The spreadsheet was a simple...


Quickpost: More Malformed PDFs

Here’s a heads-up for some malicious PDF samples that are deliberately malformed to avoid detection. The most important case is the missing endobj keyword: Adobe Reader will happily parse a PDF where...


Free Malicious PDF Analysis E-book

The title says it all… This is a document I shared with my Brucon workshop attendees. I know, this is a PDF document; you have to appreciate the irony.


LowerMyRights

Last year I posted about some techniques and tools to restrict the rights of applications on Windows XP when you run with admin rights. I mentioned a new tool, LowerMyRights, which I forgot to publish....


Searching With VirusTotal

Did you know that you can search VirusTotal? You don’t have to submit a file; you can search for the report of a file that has been submitted before. You use a cryptographic hash (MD5, SHA1, SHA256) to...


Update: virustotal-search

I didn’t expect my virustotal-search program to be that popular, so here is a new version with new features and a few fixes (version 0.0.1 contained a buggy experimental feature I hadn’t planned to...


Flame: Before and After KB2718704

You probably know Microsoft issued security advisory KB2718704 to revoke Microsoft certificates present in the certificate chain of a signed Flame component. Here are some screenshots of the signature...


Flame Authenticode Dumps (KB2718704)

There seems to be some interest in the Authenticode signature used in some components of Flame that chain up to Microsoft’s root CA. So I decided to post the full dump of this signature. I extracted...


XORSearch for OSX

I made a very small change to XORSearch’s source code (dropped malloc.h) so that it compiles on OSX. You can find the new version on XORSearch’s page.


VirusTotal: Searching And Submitting

This is an update for virustotal-search.py and a release of a new tool: virustotal-submit.py. I created this new tool because I needed to submit a sample stored in a password protected ZIP-file (not...


MSI: The Case Of The Invalid Signature

I found a suspicious file on a Windows XP machine. I was able to trace its origin back to a Windows Installer package (.msi). This package in c:\windows\installer had an invalid digital signature. Like...


Quickpost: Rovnix PCAP

Microsoft’s Malware Protection Center has a blog post on a version of Rovnix that uses its own TCP/IP stack. I used Wireshark to capture the network traffic generated by this sample when it is executed...


Update: Suspender V0.0.0.4

Suspender is a DLL that suspends all threads of a process. This new version adds an option to suspend a process when it exits. Rename the dll to suspenderx.dll to activate this option (x stands for...


4 Times Faster virustotal-search.py

This is an important update to virustotal-search.py. Rereading the VT API, I noticed I missed the fact that the search query accepts up to 4 search terms. This new version submits 4 hashes at a time,...


Update: virustotal-submit.py V0.0.3

There is extra error handling in this new version. virustotal-search and virustotal-submit have their own page now: VirusTotal Tools. virustotal-submit_V0_0_3.zip (https) MD5:...


Forensic Use of CAT Files

I found this executable A0000623.sys with 6 detections on VirusTotal. Are these false positives or true positives? The file was found in the _restore system folder. It looks like it is a Windows system...


Handling McAfee Quarantine Files

Last time I opened a McAfee quarantine file (.bup) with a hex editor, I saw something I didn’t notice before: D0 CF 11 E0. The file format used for McAfee quarantine files is the Compound File Binary...


Stoned Bitcoin

There are reports of anti-virus false positive detections of Bitcoin files. More precisely for the old Stoned computer virus. I found the smoking gun! These reports should not be dismissed as hoaxes....


Update: Stoned Bitcoin

kurt wismer pointed me to this post on pastebin after he read my Stoned Bitcoin blog post. The author of this pastebin post works out a method to spam the Bitcoin blockchain to cause anti-virus (false)...
