There’s a theory that a thousand monkeys typing away at a thousand typewriters will eventually reproduce the works of Shakespeare. I got home one day to find a JavaScript downloader semi-randomly creating dynamic functions until one of them worked and downloaded some malware that I hadn’t seen before. Continue Reading

Previous posts in this series have demonstrated how unpack.py, when used on a CryptoLocker variant, extracts the malicious PE file injected in to explorer.exe, and how it can also be used to analyse the injected PE file. This post demonstrates how unpack.py can now be used to analyse our CryptoLocker variant’s network communications by dumping the cleartext traffic sent over its HTTPS connections.

Continue Reading

My automated unpacking script (which really needs a sensible name!) is a few years old now, so I was interested to see how it would go with some malware that was developed after it was. That is, I wanted to answer the question ‘is my script still useful?’. It turns out it is still useful, and this post is the first of a few posts that aim to demonstrate why. Continue Reading

… and without touching Perl I might add. So, someone has just handed you a collection of Microsoft Word documents that they believe are malicious and you’re keen to investigate them to see if you can get your hands on some more malware to analyse. Here is how you can analyse Microsoft Word documents in a Linux environment, without using Microsoft Word (and without using Perl). Continue Reading

I was just in the middle of doing a post on analysing a malware sample and I thought that I should start it off by documenting my setup. It then occurred to me that doing so was making my post somewhat longer, and since the setup would apply pretty much to all of my malware analysis work, I should document it separately. So here it is — my malware analysis setup. Continue Reading

SSH’s TCP forwarding feature allows users to tunnel arbitrary TCP connections over an encrypted SSH connection, which in turn can allow them to make connections to internal hosts from outside your network — connections which can be hard to detect as SSH traffic is encrypted. So, is it possible to infer what an SSH connection is being used for when you don’t have access to the unencrypted data?

Continue Reading

It is a hundred years to the day since the Australian and New Zealand Army Corps (ANZACs) landed on a beach at Gallipoli, Turkey, to fight in a war — not a ‘cyber’ war, where people often lose web servers, but the type of war where people often lose mates, comrades, loved ones, and their lives. This is a change from my usual technical writing, and given the sensitive subject matter, the lack of sleep that I got last night, and the fact that I’m more comfortable writing about my technical endeavours, I’m hoping that I don’t cock this up.

Continue Reading

After trying to get a copy of http.sys to examine, I discovered that it appeared to be in use on my desktop. Looking in to it, I found three desktop services using the HTTP Service provided by http.sys. There may be more, less obvious, vulnerable services/systems than just web servers. This post also demonstrates a brute-force approach to finding dependent services, for when you can’t find the proper way of doing so quickly enough.

Continue Reading

What do you do when you’re a university student who’s just learnt about network sniffing and how anyone can capture your (unencrypted) UNIX account credentials from the network and log in as you? You create a challenge-response authentication system using a Bourne Shell script to stop them of course. It is also how I almost locked myself out of my university UNIX account. Continue Reading