It’s been about a year and a half since I wrote about a behavioural approach to automated unpacking, and I figured it was time to add some more functionality to unpack.py. This time, I’m going to look at malware decrypting/decompressing code from within itself, and process hollowing, and see if we can capture the decrypted/decompressed/newly written memory. Let’s spruce unpack.py up a tad.

I was conjuring up a physical world which had the same level of tracking and logging as the Internet does — a preposterous world because nobody would expect the same level of tracking to occur once they left their computer and went outside right?

Little did I know that my preposterous world isn’t that far from becoming a reality, and that there could soon be any number of people who know what you did last summer.

Well it has been a year since I started this blog, and this is just a quick post to let you know that despite not posting anything for the last three months, I haven’t abandoned the blog nor my desire to try new things in the field of malware analysis. Whilst not blogging, I have had some thoughts about what I’d like to blog about should I once again find enough time to do so.


I always cringe when I hear people telling others to ‘just accept the certificate’ when their browser warns them that it is invalid, so I’m going to attempt to use a Billy Joel song and an old TV commercial asking if you’ve “ever hired a movie that just wasn’t quite ‘right’”, to attempt to explain what browser certificate warnings actually mean and why accepting an invalid certificate could cast rather a gloom over the evening.

To analyse the cna12 MySQL attacks, I had to install MySQL Express Server as the attacks were prematurely exiting when connecting to Dionaea. Extracting the binary files from the libpcap files was annoying, so I decided to change Dionaea so that it would automatically extract the binary files used in the cna12 attacks.

Sometimes in life you find yourself wanting to have a quiet afternoon in front of a computer, extracting login credentials and SQL commands from captured MS-SQL TCP connections. Other times you may find yourself needing to do so to analyse some MS-SQL attacks. Whatever your reason, this post explains how to use my parsetds.py script to extract such information.

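The post above is about pulling logins and queries out of captured MS-SQL traffic. As an added illustration of what that involves (this is not the parsetds.py script itself, and it makes no claim about how that script works), the Python below walks a reassembled client-to-server TDS byte stream, splits it on the 8-byte TDS packet header, recovers the Login7 username, hostname and database, undoes the MS-TDS password obfuscation (each byte has its nibbles swapped and is then XORed with 0xA5, so decoding is XOR first, then swap), and decodes the UCS-2 text of any SQL Batch packets. The sample stream is constructed inline by two helper builders that emit a minimal TDS 7.0-style Login7 layout; a real capture would come from reassembling the TCP stream with a pcap library, and TDS 7.2+ clients prefix batch text with an ALL_HEADERS block that the `all_headers` flag skips.

```python
import struct

TDS_SQL_BATCH = 0x01
TDS_LOGIN7 = 0x10
LOGIN7_OFFSET_TABLE = 36  # byte offset of the first (offset, length) pair in a Login7 payload
# Variable-length fields in the order their (ib, cch) pairs appear in Login7
LOGIN7_FIELDS = ("hostname", "username", "password", "appname", "servername",
                 "extension", "library", "language", "database")


def tds_header(ptype: int, total_len: int) -> bytes:
    # type, status (0x01 = end of message), length (big-endian, includes header), SPID, packet id, window
    return struct.pack(">BBHHBB", ptype, 0x01, total_len, 0, 1, 0)


def split_tds_packets(stream: bytes) -> list:
    """Split a reassembled client->server stream into (packet_type, payload) tuples."""
    packets, off = [], 0
    while off + 8 <= len(stream):
        ptype, _status, length = struct.unpack_from(">BBH", stream, off)
        if length < 8 or off + length > len(stream):
            break  # malformed or truncated capture: stop rather than misparse what follows
        packets.append((ptype, stream[off + 8:off + length]))
        off += length
    return packets


def _swap_nibbles(b: int) -> int:
    return ((b << 4) | (b >> 4)) & 0xFF


def obfuscate_tds_password(raw: bytes) -> bytes:
    # Client side (MS-TDS): swap the nibbles of each byte, then XOR with 0xA5
    return bytes(_swap_nibbles(b) ^ 0xA5 for b in raw)


def deobfuscate_tds_password(raw: bytes) -> str:
    # Undo in reverse order: XOR with 0xA5 first, then swap the nibbles back
    return bytes(_swap_nibbles(b ^ 0xA5) for b in raw).decode("utf-16-le")


def parse_login7(payload: bytes) -> dict:
    """Pull the variable-length strings out of a Login7 payload (offsets are relative to the payload)."""
    tds_version = struct.unpack_from("<I", payload, 4)[0]
    result = {"tds_version": "0x%08x" % tds_version}
    pos = LOGIN7_OFFSET_TABLE
    for name in LOGIN7_FIELDS:
        ib, cch = struct.unpack_from("<HH", payload, pos)  # offset in bytes, length in UCS-2 chars
        pos += 4
        raw = payload[ib:ib + 2 * cch]
        result[name] = deobfuscate_tds_password(raw) if name == "password" else raw.decode("utf-16-le")
    return result


def parse_sql_batch(payload: bytes, all_headers: bool = False) -> str:
    # TDS 7.2+ clients prefix the batch text with ALL_HEADERS; its first DWORD is the block's total length
    if all_headers:
        payload = payload[struct.unpack_from("<I", payload, 0)[0]:]
    return payload.decode("utf-16-le")


def extract_logins_and_queries(stream: bytes, all_headers: bool = False) -> dict:
    found = {"logins": [], "queries": []}
    for ptype, payload in split_tds_packets(stream):
        if ptype == TDS_LOGIN7:
            found["logins"].append(parse_login7(payload))
        elif ptype == TDS_SQL_BATCH:
            found["queries"].append(parse_sql_batch(payload, all_headers))
    return found


def build_login7_packet(hostname: str, username: str, password: str, database: str = "master") -> bytes:
    """Constructed (assumed, minimal) TDS 7.0-style Login7: 36 fixed bytes, nine (ib, cch) pairs,
    6-byte ClientID, then SSPI and AtchDBFile pairs; string data follows at offset 86."""
    strings = [hostname, username, password, "demo-app", "sqlsrv", "", "OLEDB", "us_english", database]
    data_start = LOGIN7_OFFSET_TABLE + 4 * len(strings) + 6 + 4 + 4
    offsets, body = b"", b""
    for name, s in zip(LOGIN7_FIELDS, strings):
        raw = s.encode("utf-16-le")
        if name == "password":
            raw = obfuscate_tds_password(raw)
        offsets += struct.pack("<HH", data_start + len(body), len(s))
        body += raw
    fixed = struct.pack("<IIIIIIBBBBii", data_start + len(body), 0x70000000, 4096,
                        0, 0, 0, 0xE0, 0x03, 0, 0, 0, 0x409)
    payload = fixed + offsets + b"\x00" * 6 + struct.pack("<HHHH", 0, 0, 0, 0) + body
    return tds_header(TDS_LOGIN7, 8 + len(payload)) + payload


def build_sql_batch_packet(sql: str) -> bytes:
    payload = sql.encode("utf-16-le")
    return tds_header(TDS_SQL_BATCH, 8 + len(payload)) + payload


# Constructed sample standing in for a reassembled client->server TCP conversation
SAMPLE_STREAM = (build_login7_packet("attacker-pc", "sa", "Pa55w0rd!")
                 + build_sql_batch_packet("SELECT @@version")
                 + build_sql_batch_packet("SELECT name FROM sys.databases"))

if __name__ == "__main__":
    print(extract_logins_and_queries(SAMPLE_STREAM))
```

Two practical points the code makes explicit: the TDS header length is big-endian while everything inside Login7 is little-endian, and a truncated capture is dropped at the packet boundary rather than decoded as garbage. Real attack traffic also needs the TCP reassembly step in front of this, and any packet with status bit 0x01 clear is a fragment of a longer message that should be concatenated before decoding.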