Skip navigation.
Home

blogs

OfficeMalScanner released

OfficeMalScanner is a MS office forensic tool to scan for malicious traces, like shellcode heuristics, PE-files or embedded OLE streams. It supports disassembly and hexview as well as an easy brute force mode to detect encrypted files. Next to this, an office file is being scanned for VB-macro code and if found, it will be extracted for further analysis.

http://www.reconstructer.org/code/OfficeMalScanner.zip

Enjoy!

Cyber Security Act of 2009

The Cyber Security Act of 2009 submitted by US senators John Jay Rockefeller and Olympia Snowe looks like it is geared up to be some poor US policy. Joe Stewart has written up a response to it. Joe makes some very valid observations.

To recap the criticism of the bill, there are two big complaints: First is that it gives the president the power to turn off the Internet in an emergency. Second it requires mandatory licensing for "Infosec professionals." The second point is the one I take the most issue with.

Requiring mandatory licensing for a field as dynamic and changing as ours is just a bad idea. There are already a couple of government entities that require the CISSP as a condition of employment. Side-stepping a long winded rant about the CISSP, it is not an accurate measure of knowledge. There has been a concerted effort to liken our field to others such as electricians and general contractors. The problem is that things are changing so fast, any certification is basically worthless as soon as it is issued.

So if you're a US citizen please write your senators and encourage them to revise this bill.

Searching offensive computing

Hi every one,

I'm not sure how many of you have tried the search capability on the right side of this webpage. I tried it many times, the problem is that it does not return any results, i.e. the answer is always "no match" no matter if there is actually a content including the search terms or not.

I think it would be useful if this is fixed.

By the way I use the "Search for sum or name" and it works.

Thanks

Detecting Packers in Network Streams with Pynids and Pefile

To step away from using snort as a base for detecting binary packers, I decided to go with a more direct approach and use a library that handled stream reassembly within python. I then simply took the data once the connection had closed, and scanned the data with PeFile. The python script, which I call nPeID (network peid), can either scan a pcap if passed in as an argument, or sniff on an interface (default is eth0).

http://www.malforge.com/node/12

moth

Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for Testing Web Application Security Scanners, Testing Static Code Analysis tools (SCA) and Giving an introductory course to Web Application Security

The motivation for creating this tool came after reading "anantasec-report.pdf" which is included in the release file which you are free to download. The main objective of this tool is to give the community a ready to use testbed for web application security tools. For almost every web application vulnerability that exists in the wild, there is a test script available in moth.

More information and download:
http://www.bonsai-sec.com/en/research/moth.php

Talk on "Analyzing exploitable file formats" at PH-Neutral

Thorsten Holz and me are giving a talk at the next PH-Neutral. A 31337 invite-only conference from FX and the gang in Berlin. Thorsten and i will introduce several ways to analyze exploitable file formats, ranging from PDF and Flash to malicious Office files like PPT, DOC or XLS. We will show some of the popular tools used for analysis and will also present 2 new tools developed especially for malicious Office-file analysis.

I hope to meet a lot of interesting people again this year!

Cya on 29th and 30th May 2009 in Berlin!

Vista Wireless Power Tools

Josh Wright from Inguardians has written a paper on Vista's wireless stack. He describes the NDIS6 command line interfaces and how to use them in a pentest. From the paper:

"With the introduction of Windows Vista, Microsoft has put forth considerable effort in revamping the IEEE 802.11 wireless stack through the Network Driver Interface Specification (NDIS) 6 model. With considerably greater functionality and capability than was provided in Windows XP, Vista's wireless capabilities shine with new freedom for developers, a robust development framework, rich information sources for wireless analysis and end-user tools for analyzing and controlling wireless parameters."

I'm looking forward to doing some wifi research again and this paper certainly provides a healthy kick in the pants to do so.

conficker.e analysis

http://extraexploit.blogspot.com

On the Legitimacy of Obfuscated Code

Chris Wysopal has written an article about different uses of obfuscation inside of executables. Malicious or not, it is a useful tool for hiding or at least raising the bar on reverse engineering effort required. It's a good article and I recommend you read it. It did get me to thinking about a couple of things in reverse engineering.

One thing that Chris mentions is that users should be able to decide whether or not they want obfuscated code on their system. In many ways this is similar to the open vs. closed source debate. I have long argued that having the assembly for a program is equivalent to having the source code for a skilled reverse engineer. Looking at enough assembly and work with different compiler variations and one can work out what the original code looked like.

Regarding the question about whether obfuscation is a bad thing, Rolf Rolles recently commented that Bitdefender decided wholesale that the VMProtect packer is malware and anything obfuscated with it should be removed. Now the Bitdefender developers are smart guys, and maybe they decided that any legitimate software has no need to use this. Other anti-virus software takes a similar tactic. During the Race To Zero contest at Defcon last year, the winning team noticed that removing all the imports from an executable caused multiple AV vendors to automatically flag an executable as being suspicious.

The choice about the legitimacy of packers and obfuscation has already been made for us by the AV community: It's bad. This may be narrow sighted but hey, that's what the industry is all about.

iTunes Anti-debugging Circumvention

David Maynor at Erratasec has written an article about how to circumvent the debugging prevention inside of iTunes.

"..I noticed iTunes kept crashing, predictably and reliably in the same place. I decided to use gdb to see what the hubbub was all about. However I got dissed and iTunes would not allow itself to be debugged."

http://erratasec.blogspot.com/2009/04/ode-to-50cent.html

Syndicate content