The new version of the OfficeMalScanner suite introduces RTFScan. As you might know, there are several samples in the wild, using the RTF format as OLE and PE-File container. So here is a very first version of RTFScan. It currently is able
to scan for malicious traces like shellcode, dumps embedded OLE and PE files and other data containers. Buffer decryption in RTFScan is not supported in this release, as OMS and RTFScan will be enhanced to a cryptanalysis feature to break keys up to 1024 bytes in seconds. The old brute force feature in OMS will be kicked then.
Last week i had a speech at the CAST forum about hunting malware with volatility 2.0. On 40 slides i will introduce the main features of this powerful forensic framework. All memory dumps being discussed are snapshots from infected machines with modern malwares and rootkits.
Just in case you missed my forensic analysis contributions for the CSI:Internet series on h-online.com...
CSI:Internet - A trip into RAM
CSI:Internet - Open heart surgery
Here are the slides to my talk "Hunting rootkits with Windbg" at the Ruhr University of Bochum yesterday. I'll introduce several ways to find well known rootkits like Rustock or TDL Versions 3+4 with Windbg and scripts. Enjoy!
http://www.reconstructer.org/papers/Hunting rootkits with Windbg.pdf
The Windbg script shown in the slides to grab Kernelcallbacks can be found here:
Finally i'm happy to release my paper Analyzing MSOffice malware with OfficeMalScanner. This paper describes all features of the OfficeMalScanner suite in detail. Further i've updated some features since my PH-Neutral talk, fixed bugs and replaced bin2code with MalHost-Setup. A much smarter way to analyze the inner workings of shellcode in a real life session. Both malicious samples described in the paper are included in the package. For sure additionally compressed and with extra password safety.
OfficeMalScanner is a MS office forensic tool to scan for malicious traces, like shellcode heuristics, PE-files or embedded OLE streams. It supports disassembly and hexview as well as an easy brute force mode to detect encrypted files. Next to this, an office file is being scanned for VB-macro code and if found, it will be extracted for further analysis.
Thorsten Holz and me are giving a talk at the next PH-Neutral. A 31337 invite-only conference from FX and the gang in Berlin. Thorsten and i will introduce several ways to analyze exploitable file formats, ranging from PDF and Flash to malicious Office files like PPT, DOC or XLS. We will show some of the popular tools used for analysis and will also present 2 new tools developed especially for malicious Office-file analysis.
I hope to meet a lot of interesting people again this year!
Cya on 29th and 30th May 2009 in Berlin!
Today I read an article on the New York Times website called A sneaky security problem, ignored by the bad guys
I had a conversion by phone and mail with its author Robert McMillan from IDG News before and I've answered him some questions about my Rustock.C research as he planned to write the above story. There are some quotes by Al Huger from Symantec in this article I would like to comment, as I disagree to most of his statements regarding rootkits.
On Thursday morning i will give talk on Rustock.C analysis at the Hack.lu in Luxembourg. After the conference is over, i will publish the slides on my site. I hope there will be some interesting speeches and good discussions on security and malware-analysis.
cu @ the conference!