Obviously if you want to enjoy the challenge then don’t read this article, go on the challenge page, download what’s necessary and go have some fun first!
I was reading a post from the contagio blog, which I highly recommend, Mila is providing a lot of samples and other very useful information. One of the latest post is related to exploit packs. Mila is actually compiling an exhaustive list of exploit packs and the vulnerabilities they are using.
I have recently start using Maltego, here again highly recommended, and when I downloaded the table of exploit packs I immediately thought that Maltego might be the perfect tool to represent the information slightly differently.
The release of the APT1 report from Mandiant has been one of the major recent event in the security world. I’m not going to review the report or to comment on it, even though the work that Mandiant did is really impressive and clearly demonstrate that governemental attacks are real. As I said in a previous post, cyber-espionage is on an increase trend and what Mandiant release is just the tip of the iceberg.
But what is really interesting in this report is the…appendix! Mandiant did include an awful lot of details such as FQDN, SSL Certificates and…Indicators of Compromise (e.g. IOC)! Let’s have a closer look at those IOCs. Continue reading “Indicator Of Compromise (IOC) – Part I”
Malware analysis usually involved the use of virtual environment (VM) such as VMware, VirtualBox and plenty of other virtualisation solutions. Mentioning the main virtualisation product is great but such products are also used in sandbox and other testing environment such as Virustotal, Anubis, etc. There is a lot of reason for using a virtual environment for such analysis. In particular it give the ability to run malicious code in a control manner. You can customize your VM to meet your needs, install vulnerable software, change configuration, etc. Not to mention the ability to start from scratch and restore a previous snapshot. You can do it the “old” way by running the malicious executable directly on your operating system but you will take a little more risk not to mention the time you will lose to restore your system.
After the (very) high-level introduction of the part I, we are going to start to go a little bit deeper in the subject. Let’s start by having a closure look to the memory (RAM) and the related registers (e.g. general purpose registers, segment registers, EFLAGS and EIP). The goal is not to make a complete overview of how RAM is working, but keep in mind the overall objective: malware analysis. Therefore we won’t review everything and we will reduce the scope to x86 (32 bits) architectures (as it’s the most common architecture).
This article is an attempt to introduce some of the key concepts of x86 Assembly Language. It will focus on how such language is used by malware analyst to understand what a malicious software is doing and how it has been programmed by its author. Before going into more details, this article will explain some of the general concept and why assembly code is used to do malware analysis.
Cuckoo is a malware analysis system. Based on the description on the website:
Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment.
It’s mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine.
But it can do much more…
It’s up to you to discover what and how.
Some of the results that Cuckoo generates are:
- Trace of performed relevant win32 API calls
- Dump of network traffic generated during analysis
- Creation of screenshots taken during analysis
- Dump of files created, deleted and downloaded by the malware during analysis
- Trace of assembly instructions executed by malware process
In addition, Cuckoo allows you to:
- Automate submission of analysis tasks
- Create analysis packages to define custom operations and procedures for performing an analysis
- Run multiple virtual machines concurrently
- Script the process and correlation of analysis results data
- Script and automate the generation of reports in the format you prefer
Find below the latest graphs of the honeypot I’m running. Overall an increase in the number of connection with some huge speak at the end of April and beginning of May.
Note: due to a system restart, the honeypot was not running for a few days at the end of May beginning of June.
Note 2: this honeypot is a Dionaea instance. If you want to set up an instance on your server, follow the step-by-step guide on the Dionaea website.