Well, it has been a year since I started this blog, and this is just a quick post to let you know that despite not posting anything for the last three months, I haven’t abandoned the blog nor my desire to try new things in the field of malware analysis. Whilst not blogging, I have had some thoughts about what I’d like to blog about should I once again find enough time to do so.
The last year has seen several Java vulnerabilities in the spotlight, followed closely by a number of exploits to take advantage of them. I had a look at a friend’s laptop after they expressed concern at a (legitimate) anti-virus alert that had popped up, and found and tracked an infection to a malicious Jar (Java ARchive) file that was (unknowingly) downloaded from a legitimate sounding website.
It used to be that the only web sites you really needed to be wary of were ones with dodgy sounding names, or ones offering software cracks, porn, or otherwise trying to tempt users to visit them. However, looking at some of the URLs triggering alerts on sites like http://www.urlquery.net/ suggests that you need to be wary of even legitimate sounding sites these days (and there go three passive voice clauses in one paragraph, which I’m going to ignore because it’s 23:44 and I’ve been up since 04:50 and need to get some sleep).
The browsing history of the infected laptop that I examined suggested that its user had used an Internet search engine to find a site, clicked on the link of a legitimate web site, and next thing they know their browser is going off to some third-party web site, downloading some malicious Java, and launching the Java plugin to run it.
Java isn’t the only problem either, with Adobe PDF reader and Shockwave Flash plugins completing a trio of browser plugins that could make your Internet browsing experience somewhat more interesting than you’d first imagined.
It is now even more important to make sure that you are up to date with the latest version and patches for both your operating system (Windows/MacOS/Android/Linux etc.) and your applications and browser plugins, as it turns out that it isn’t just your own browsing habits that can lead to your computer/mobile phone being infected, but also the security of the web site which you are visiting.
Poorly secured web sites, or web sites running content management systems with vulnerabilities in their code (or that of their plugins), are being compromised, with malicious JavaScript (usually) being inserted into the site’s web pages. This malicious JavaScript causes your browser to download malicious Java/PDF/Flash files from other web sites.
As a result of this, and the fact that it has the potential to affect so many unsuspecting users, I’d like to investigate the possibility of automating the analysis of such incidents using tools such as WinAppDbg and Cuckoo.
I’d also like to do some more work on my unpack.py script to extend its capabilities, and do some more analysis and reverse engineering of some of the malware samples that my honeynet has been collecting.
Lots to think about, lots to do, but now that I actually have a full-time job (which isn’t malware analysis related) again, I’m finding it hard to find time to work on this stuff, as the lack of a blog post in the last three months demonstrates.
Anyway, I’m still here, I’m still thinking about malware, things that it could get up to, and ways in which we could try to stop it. Hopefully I’ll get to try some of them out soon and tell you about it, but in the meantime, I’ll leave you with this modified lyric from a well-known nursery rhyme:
It’s lovely out on the net today, but safer to stay at home.
Good to see you back!