Greetings and salutations. Today I’m going to be going over some malware I found in the wild. I found it after doing a search for ‘hack’ on the ‘rapidshare’ section of 4chan. With the name ‘SteamHackCount.exe’, being about 350 kb, and having the Apple icon? Totally legit right??? Opening the program in IDA showed the […]
Hello again! It’s been a busy week at work. Lots of unique malware. As you may or may not know, malware uses non-conventional things to stay hidden and throw off heuristic analysis. I see weird stuff. Instructions that make no sense in context like the ‘out’ instruction, blocks of code which perform floating point arithmetic […]
Hello loyal readers. Good news! I’ve been picked to speak at ToorCon in San Diego next month in October. I will be going over my findings in malware that manages to slip by FireEye undetected. A chink in the armor of one of the most powerful (and expensive) malware appliances out there. But enough about […]
Hello again loyal readers. I’ve had a lot of ideas rattling around in my head lately. Malware related things. For example, what if someone used Gopher for C&C? Who the hell uses gopher anymore? The API’s for handling gopher, while deprecated, are still around. Though you would probably have to load it from an older […]
Hello again loyal readers! I have a treat for you. I encountered an exploit kit while doing my malware thing and decided to try and get a better idea of what is going on start to finish. I Watched a machine get exploited and fired up WireShark to watch: GET http://68.178.166.11/2b01554de28f018745855a41166494db/lately-duplicate.php HTTP/1.1 Accept: image/gif, image/x-xbitmap, […]
Hello again people! I’ve been busy lately with my awesome job giving me free time to code things up. I’ve constructed a raw TCP packet builder in C# for the hell of it. I coded this up using winpcap to test a topic I saw at Defcon this year. It was said a vulnerability exists […]
Hello fellow readers, Its been a while since I’ve posted. Today at work I was going over malware already flagged by McAfee and sent to the quarantined folder. The way McAfee encrypts / encodes its quarantined files is pretty basic – XOR (exclusive OR) on each byte by the value of 0x6a (106 in decimal). […]
Hello people! Long time, no update. I am sorry for that. I’ve been working at my new job and have been focusing my time on video games and women. The bane of all procrastination. I’ve been hammering away at my brutus app every time I get the chance. With the basic auth stub out of […]
Welcome loyal readers! It’s been a dogs age. I’ve been split on projects and time, playing lots of video games and writing lots of code. Recently I found a format string vulnerability in a video game. A popular one at that. Further research into this video game revealed this vulnerability is not new. I found […]
It happened again at work. This time twice the number of machines hit. The same people hit my company, and they took my advice when I last spoke to them – they obfuscated the executable to make it harder to perform a routine reverse engineering analysis. In this particular case, the obfuscation used was compiled […]