It’s been about a year and a half since I wrote about a behavioural approach to automated unpacking, and I figured it was time to add some more functionality to unpack.py. This time, I’m going to look at malware decrypting/decompressing code from within itself, and process hollowing, and see if we can capture the decrypted/decompressed/newly written memory. Let’s spruce unpack.py up a tad.
It’s been two years since I launched malwaremusings.com, and a good time to launch malwearmusings — wearable malwaremusings. That is, t-shirts, albeit geeky ones.
With malware beginning to search for documents, images, and other file types, often to encrypt them or to delete them, I began to wonder if there could be a simple way to protect your files. What if we made different file types look like types of farm-yard animals, without making them unusable?
I was conjuring up a physical world which had the same level of tracking and logging as the Internet does — a preposterous world because nobody would expect the same level of tracking to occur once they left their computer and went outside right?
Little did I know that my preposterous world isn’t that far from becoming a reality, and that there could soon be any number of people who know what you did last summer.
Well it has been a year since I started this blog, and this is just a quick post to let you know that despite not posting anything for the last three months, I haven’t abandoned the blog nor my desire to try new things in the field of malware analysis. Whilst not blogging, I have had some thoughts about what I’d like to blog about should I once again find enough time to do so.
I always cringe when I hear people telling others to ‘just accept the certificate’ when their browser warns them that it is invalid, so I’m going to attempt to use a Billy Joel song and an old TV commercial asking if you’ve ‘ever hired a movie that just wasn’t quite right’, to attempt to explain what browser certificate warnings actually mean and why accepting an invalid certificate could cast rather a gloom over the evening.
To analyse the cna12 MySQL attacks, I had to install MySQL Express Server as the attacks were prematurely exiting when connecting to Dionaea. Extracting the binary files from the libpcap files was annoying, so I decided to change Dionaea so that it would automatically extract the binary files used in the cna12 attacks.
What do you do when you notice MS-SQL connections topping the list of top ten destination ports hitting your honeynet? You install an MS-SQL server, give the sa user a weak password, and see what happens of course (don’t try this at home).
Sometimes in life you find yourself wanting to have a quiet afternoon in front of a computer, extracting login credentials and SQL commands from captured MS-SQL TCP connections. Other times you may find yourself needing to do so to analyse some MS-SQL attacks. Whatever your reason, this post explains how to use my parsetds.py script to extract such information.