Malware Musings

Thoughts on malware and malware analysis


Analysing CryptoLocker with unpack.py: The unpacked payload (part 2)

Posted by Karl on March 30, 2016
Posted in: Malware Analysis. Tagged: CryptoLocker, dynamic analysis, malware analysis.

This is the second part in a series of posts showing how we can use my unpack.py script to find quite a bit of useful information about a CryptoLocker variant. This post will analyse the unpacked payload that we found in part one.


Analysing CryptoLocker with unpack.py: Initial Analysis (part 1)

Posted by Karl on March 8, 2016
Posted in: Malware Analysis. Tagged: CryptoLocker, malware analysis. 1 Comment

My automated unpacking script (which really needs a sensible name!) is a few years old now, so I was interested to see how it would go with some malware that was developed after it was. That is, I wanted to answer the question ‘is my script still useful?’. It turns out it is still useful, and this post is the first of a few posts that aim to demonstrate why.


An Exercise in Deobfuscating MS Word Macros Using Linux

Posted by Karl on February 21, 2016
Posted in: Malware Analysis. Tagged: downloader, macro, VB, Word.

… and without touching Perl I might add. So, someone has just handed you a collection of Microsoft Word documents that they believe are malicious and you’re keen to investigate them to see if you can get your hands on some more malware to analyse. Here is how you can analyse Microsoft Word documents in a Linux environment, without using Microsoft Word (and without using Perl).


My Malware Analysis Setup

Posted by Karl on January 31, 2016
Posted in: Malware Analysis. Tagged: environment, lab, malware analysis.

I was just in the middle of doing a post on analysing a malware sample and I thought that I should start it off by documenting my setup. It then occurred to me that doing so was making my post somewhat longer, and since the setup would apply pretty much to all of my malware analysis work, I should document it separately. So here it is — my malware analysis setup.


Geek Week T-shirt promotion

Posted by Karl on January 16, 2016
Posted in: malwearmusings, t-shirts.

My t-shirt provider (RedBubble) is having a 15% off site-wide promotion to celebrate Geek Week, making this a good time to try out some of my malwear t-shirts.


Traffic Analysis: OpenSSH with an Interactive Shell

Posted by Karl on July 13, 2015
Posted in: OpenSSH, Traffic Analysis. Tagged: OpenSSH, Traffic analysis.

SSH’s TCP forwarding feature allows users to tunnel arbitrary TCP connections over an encrypted SSH connection, which in turn can allow them to make connections to internal hosts from outside your network — connections which can be hard to detect as SSH traffic is encrypted. So, is it possible to infer what an SSH connection is being used for when you don’t have access to the unencrypted data?


ANZAC — 100 Year Anniversary: Artillery Shells and Command Shells

Posted by Karl on April 25, 2015
Posted in: General Information, Muse Food.

It is a hundred years to the day since the Australian and New Zealand Army Corps (ANZACs) landed on a beach at Gallipoli, Turkey, to fight in a war — not a ‘cyber’ war, where people often lose web servers, but the type of war where people often lose mates, comrades, loved ones, and their lives. This is a change from my usual technical writing, and given the sensitive subject matter, the lack of sleep that I got last night, and the fact that I’m more comfortable writing about my technical endeavours, I’m hoping that I don’t cock this up.


MS15-034: Does the http.sys vulnerability only affect IIS?!

Posted by Karl on April 17, 2015
Posted in: Vulnerabilities and Exploits. Tagged: http.sys, MS15-034.

After trying to get a copy of http.sys to examine, I discovered that it appeared to be in use on my desktop. Looking into it, I found three desktop services using the HTTP Service provided by http.sys. There may be more, less obvious, vulnerable services/systems than just web servers. This post also demonstrates a brute-force approach to finding dependent services, for when you can’t find the proper way of doing so quickly enough.


Building a Challenge-Response Authentication System with a Bourne Shell Script

Posted by Karl on April 10, 2015
Posted in: Muse Food, UNIX Shell Scripts. Tagged: Bourne shell, challenge-response, replay attack, shell script. 1 Comment

What do you do when you’re a university student who’s just learnt about network sniffing and how anyone can capture your (unencrypted) UNIX account credentials from the network and log in as you? You create a challenge-response authentication system using a Bourne Shell script to stop them, of course. It is also how I almost locked myself out of my university UNIX account.


Using Bro to extract data from MS-SQL TDS streams

Posted by Karl on March 6, 2015
Posted in: Bro, Scriptery.

Remember my parsetds.py script to extract data from MS-SQL TDS streams? Well, here is a bit of an introduction to the Bro Network Security Monitoring software, which implements my parsetds.py functionality using Bro’s scripting language.

If you find monitoring networks for security-related artefacts interesting, or it’s your job, then read on as I demonstrate some of Bro’s scripting flexibility by using it to extract MS-SQL commands and login information from network traffic.
