Skip navigation.

frank_boldewin's blog

RTFScan - Finding malicious traces in rtf documents

The new version of the OfficeMalScanner suite introduces RTFScan. As you might know, there are several samples in the wild, using the RTF format as OLE and PE-File container. So here is a very first version of RTFScan. It currently is able
to scan for malicious traces like shellcode, dumps embedded OLE and PE files and other data containers. Buffer decryption in RTFScan is not supported in this release, as OMS and RTFScan will be enhanced to a cryptanalysis feature to break keys up to 1024 bytes in seconds. The old brute force feature in OMS will be kicked then.

CAST Slides: Hunting malware with Volatility v2.0

Last week i had a speech at the CAST forum about hunting malware with volatility 2.0. On 40 slides i will introduce the main features of this powerful forensic framework. All memory dumps being discussed are snapshots from infected machines with modern malwares and rootkits.

CSI:Internet series - Spyeye detection with Volatility v2 and kernel debugging the TDL4 rootkit

Just in case you missed my forensic analysis contributions for the CSI:Internet series on

CSI:Internet - A trip into RAM

CSI:Internet - Open heart surgery


Paper: Hunting rootkits with Windbg

Here are the slides to my talk "Hunting rootkits with Windbg" at the Ruhr University of Bochum yesterday. I'll introduce several ways to find well known rootkits like Rustock or TDL Versions 3+4 with Windbg and scripts. Enjoy! rootkits with Windbg.pdf

The Windbg script shown in the slides to grab Kernelcallbacks can be found here:

Analyzing MSOffice malware with OfficeMalScanner - Whitepaper

Finally i'm happy to release my paper Analyzing MSOffice malware with OfficeMalScanner. This paper describes all features of the OfficeMalScanner suite in detail. Further i've updated some features since my PH-Neutral talk, fixed bugs and replaced bin2code with MalHost-Setup. A much smarter way to analyze the inner workings of shellcode in a real life session. Both malicious samples described in the paper are included in the package. For sure additionally compressed and with extra password safety.

Get the Paper Here


OfficeMalScanner released

OfficeMalScanner is a MS office forensic tool to scan for malicious traces, like shellcode heuristics, PE-files or embedded OLE streams. It supports disassembly and hexview as well as an easy brute force mode to detect encrypted files. Next to this, an office file is being scanned for VB-macro code and if found, it will be extracted for further analysis.


Talk on "Analyzing exploitable file formats" at PH-Neutral

Thorsten Holz and me are giving a talk at the next PH-Neutral. A 31337 invite-only conference from FX and the gang in Berlin. Thorsten and i will introduce several ways to analyze exploitable file formats, ranging from PDF and Flash to malicious Office files like PPT, DOC or XLS. We will show some of the popular tools used for analysis and will also present 2 new tools developed especially for malicious Office-file analysis.

I hope to meet a lot of interesting people again this year!

Cya on 29th and 30th May 2009 in Berlin!

Comments on NYT article: A sneaky security problem, ignored by the bad guys

Today I read an article on the New York Times website called A sneaky security problem, ignored by the bad guys

NY Times: A Sneaky Security Problem

I had a conversion by phone and mail with its author Robert McMillan from IDG News before and I've answered him some questions about my Rustock.C research as he planned to write the above story. There are some quotes by Al Huger from Symantec in this article I would like to comment, as I disagree to most of his statements regarding rootkits.

Rustock.C - When a myth comes true - Slides online now

enjoy! talk on Rustock.C

On Thursday morning i will give talk on Rustock.C analysis at the in Luxembourg. After the conference is over, i will publish the slides on my site. I hope there will be some interesting speeches and good discussions on security and malware-analysis.

cu @ the conference!


Syndicate content