It’s been about a year and a half since I wrote about a behavioural approach to automated unpacking, and I figured it was time to add some more functionality to unpack.py. This time, I’m going to look at malware decrypting/decompressing code from within itself, and process hollowing, and see if we can capture the decrypted/decompressed/newly written memory. Let’s spruce unpack.py up a tad.
It’s been two years since I launched malwaremusings.com, and a good time to launch malwearmusings — wearable malwaremusings. That is, t-shirts, albeit geeky ones.
With malware beginning to search for documents, images, and other file types, often to encrypt them or to delete them, I began to wonder if there could be a simple way to protect your files. What if we made different file types look like types of farm-yard animals, without making them unusable?
I was conjuring up a physical world which had the same level of tracking and logging as the Internet does — a preposterous world because nobody would expect the same level of tracking to occur once they left their computer and went outside right?
Little did I know that my preposterous world isn’t that far from becoming a reality, and that there could soon be any number of people who know what you did last summer.
Well it has been a year since I started this blog, and this is just a quick post to let you know that despite not posting anything for the last three months, I haven’t abandoned the blog nor my desire to try new things in the field of malware analysis. Whilst not blogging, I have had some thoughts about what I’d like to blog about should I once again find enough time to do so.
I always cringe when I hear people telling others to ‘just accept the certificate’ when their browser warns them that it is invalid, so I’m going to attempt to use a Billy Joel song and an old TV commercial asking if you’ve ‘ever hired a movie that just wasn’t quite “right”’, to attempt to explain what browser certificate warnings actually mean and why accepting an invalid certificate could cast rather a gloom over the evening.
To analyse the cna12 MySQL attacks, I had to install MySQL Express Server as the attacks were prematurely exiting when connecting to Dionaea. Extracting the binary files from the libpcap files was annoying, so I decided to change Dionaea so that it would automatically extract the binary files used in the cna12 attacks.
What do you do when you notice MS-SQL connections topping the list of top ten destination ports hitting your honeynet? You install an MS-SQL server, give the sa user a weak password, and see what happens of course (don’t try this at home).
Sometimes in life you find yourself wanting to have a quiet afternoon in front of a computer, extracting login credentials and SQL commands from captured MS-SQL TCP connections. Other times you may find yourself needing to do so to analyse some MS-SQL attacks. Whatever your reason, this post explains how to use my parsetds.py script to extract such information.
‘Remember the days of the old school yard?’ Or rather of the old school computer lab. Now that I’ve got this blog thing going, I couldn’t let the 6th of March go by without reminiscing about the Michelangelo virus, and rambling on about viruses ‘back when I was a lad’.