Malware Musings

Thoughts on malware and malware analysis


Malwear Musings (my merchandise) Sale

Posted by Karl on May 30, 2021
Posted in: General Information, malwearmusings, t-shirts. Tagged: malwearmusings, merchandise, redbubble, sale, t-shirt. Leave a comment

Malwear Musings is my t-shirt/merchandise shop, hosted by RedBubble. I was hoping to sell enough t-shirts to recover the cost of hosting my blog, but at an average of just over one t-shirt a year at the moment, this obviously isn’t happening.

I don’t like adverts on web pages, so I’ve been paying WordPress.com for the last seven and a half years to keep my blog advert free. It’s obviously been running at a loss, but I’ve maintained it regardless, despite not getting a lot of time to work on it (now that I’m working full-time again), in the hope that people will find it useful.

RedBubble are currently having a store-wide sale with 20%-60% off, until 01st June 2021 (see clickable image below), so I’m hoping that whether or not you find my blog posts useful, you’ll find my t-shirts amusing/entertaining and decide to buy some.

I’ve just added five new designs, which I’d been meaning to do for some time (see the ‘procrastination’ t-shirt!), and this sale seemed like a good time to finally get them out. I have some more designs that I want to add, but I also need to work on other stuff this weekend (like making some shortbread)!

You can find my RedBubble shop at https://malwearmusings.redbubble.com/ (that misspelling is a deliberate pun, albeit possibly a confusing one) and I hope you like my t-shirt designs — right now though, it’s shortbread time.

Classics

  • Some Assembly Required
  • Don’t Follow Me, I’m Going Phishing
  • My Favourite Strings

Cyber Security

  • Does this t-shirt/hoodie make my data look big? (new)
  • My parents went on the Internet and all I got was some lousy malware
  • DNT: 1
  • Do Not Track

Geeky/Techo

  • /me reminisces
  • Does this t-shirt/hoodie make my data look big? (new)
  • 417 Expectation Failed
  • My parents went on the Internet and all I got was this lousy t-shirt

Beekeeping

  • I’d quit smoking, but it calms my bees (new)
  • Beekeepers are smokin’ (new)

Music

  • My parents went to coda and all I got was this lousy t-shirt
  • Musicians do it in bars (new)

Unicycling

  • Do not overtake flailing vehicle
  • mount /dev/sad/admin /mnt/unicycle

General

  • Chronocidal Maniac
  • Five tips to avoid procrastination (new)
  • COVID-19: Social distancing — If you can read this, you’re too close


Recovering from a WordPress Plugin Exploit

Posted by Karl on January 31, 2021
Posted in: Uncategorized. Tagged: Wordpress. 1 Comment

I was asked if I could look at a WordPress website which wasn’t displaying correctly. It was showing an index of files in the document root directory, rather than showing the home page. This suggested that the index.html (UNIX), index.htm (Windows), or in the case of WordPress, index.php file was missing. Read on and I’ll talk you through how I recovered the site.



Creating a Citrix Gateway Honeypot

Posted by Karl on March 31, 2020
Posted in: Uncategorized. Tagged: Citrix, Honeypot. Leave a comment

When I heard about the Citrix NetScaler vulnerability (CVE-2019-19781) I wanted to capture some exploits to see what they were doing. It turns out Citrix provide a downloadable version of Citrix Gateway (which was also vulnerable), but using it to capture exploits turned out to be trickier than I’d originally anticipated.



#Life2.0

Posted by Karl on August 26, 2019
Posted in: General Information. Tagged: Life, Midlife Crisis?. 3 Comments

I’ve decided that it’s time to launch Life 2.0 and actually get serious about my career and put more effort in to achieving some of my other goals.



Bee Forensics

Posted by Karl on August 13, 2019
Posted in: Beekeeping, Forensics. Tagged: Beekeeping, bees, Forensics. Leave a comment

Usually when I’m dabbling in forensics work I’m analysing a compromised Windows system. This time, however, I was using my forensic skills to investigate a potential problem with one of my bee hives (for a shorter version, try my beekeepers club presentation).



Mitigating the Effects of Ransomware: Hiding Your Files

Posted by Karl on May 16, 2017
Posted in: Muse Food. Tagged: Ransomware. Leave a comment

The WannaCry/WannaCrypt ransomware/worm struck late last week and wreaked havoc with a number of important files/documents being encrypted. Can a twenty year old idea of mine actually help to restrict the damage caused by ransomware by essentially ‘hiding’ your important files so that ransomware can’t find them?



April Fool?

Posted by Karl on April 1, 2017
Posted in: Muse Food. Leave a comment

After my tinkering with IT as a kid progressed to more of a hobby, followed by almost 22 years of full time employment as an IT engineer, I’m starting to wonder if I’ve been a tad foolish.

I’m starting to think that there is more to life than IT (despite seeing more and more people that seem to think that it’s more important to walk around looking at the screen of their mobile phone rather than looking where they’re going), and with this realisation comes another realisation — that a life of IT has left me with very few practical life skills.

So now I find myself at a point where I want to do something that’s actually useful to people/society, but all I know how to do is IT.

I’m wondering how to implement ideas and make them a reality? How can I build (physical) things — how do you join pieces of wood for instance? How do businesses work?

How can I do something useful, and hopefully change lives — if not the world — when I don’t seem to be able to change a tap washer?!


Michelangelo Virus Day — What have we done in the last 25 years?!

Posted by Karl on March 6, 2017
Posted in: A False Sense of Security, General Information. Tagged: Internet safety. Leave a comment

The 06th March is the day that the Michelangelo virus (a virus I came across back in the early nineties) would overwrite disk sectors, and it apparently caused quite a frenzy back in January 1992. I was thinking, here we are 25 years later, and what have we done? (Look out — this is another one of my non-technical posts!)


A Thousand Monkeys Writing a JavaScript Malware Downloader: De-obfuscating the JavaScript

Posted by Karl on January 19, 2017
Posted in: Malware Analysis, Reverse Engineering. Tagged: deobfuscation, downloader, JavaScript. Leave a comment

There’s a theory that a thousand monkeys typing away at a thousand typewriters will eventually reproduce the works of Shakespeare. I got home one day to find a JavaScript downloader semi-randomly creating dynamic functions until one of them worked and downloaded some malware that I hadn’t seen before.


Analysing CryptoLocker with unpack.py: Network Communications (part 3)

Posted by Karl on May 13, 2016
Posted in: Malware Analysis. Tagged: CryptoLocker, dynamic analysis, malware analysis. 1 Comment

Previous posts in this series have demonstrated how unpack.py, when used on a CryptoLocker variant, extracts the malicious PE file injected in to explorer.exe, and how it can also be used to analyse the injected PE file. This post demonstrates how unpack.py can now be used to analyse our CryptoLocker variant’s network communications by dumping the cleartext traffic sent over its HTTPS connections.


