On a recent forensics case, a coworker and I noticed some interesting logs on a Linux web server. tcpdump showed some strange traffic from a handful of IPs, but the access logs were not showing any visits from the offending addresses. The traffic was encrypted, so it wasn't possible to see what was being sent, and we needed to do some additional digging. A lot is required to take ... READ MORE
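The check the forensics teaser above describes, clients seen on the wire that never show up in the web server's access log, is easy to automate. The Python below is an added example and not code from the post: it parses tcpdump's text output and an Apache combined-format access log (both constructed sample lines, not data from the case), and lists clients that opened a connection to a web port but never produced an access-log entry. The server address, the ports treated as "web", and the log contents are assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample data (not from the original case): tcpdump text output
# captured on a web server at 192.0.2.10, and an Apache combined-format access log.
SERVER_IP = "192.0.2.10"

TCPDUMP_LINES = """\
12:00:01.000001 IP 203.0.113.5.51234 > 192.0.2.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP 192.0.2.10.443 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:03.000001 IP 198.51.100.77.40001 > 192.0.2.10.443: Flags [S], seq 9, win 64240, length 0
12:00:03.200000 IP 198.51.100.77.40001 > 192.0.2.10.443: Flags [P.], seq 10:300, ack 1, win 502, length 290
12:00:04.000001 IP 198.51.100.77.40002 > 192.0.2.10.22: Flags [S], seq 5, win 64240, length 0
12:00:05.000001 IP 203.0.113.9.33000 > 192.0.2.10.80: Flags [S], seq 7, win 64240, length 0
""".splitlines()

ACCESS_LOG_LINES = """\
203.0.113.5 - - [10/Dec/2014:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2014:12:00:06 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.38.0"
""".splitlines()

# "IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" as tcpdump prints TCP packets.
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# Combined log format starts with the client address.
ACCESS_RE = re.compile(r"^(?P<client>\d{1,3}(?:\.\d{1,3}){3}) ")


def parse_tcpdump(lines):
    """Yield (src, dst, dport, flags) for every TCP packet line tcpdump printed."""
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["flags"]


def access_log_clients(lines):
    """Set of client addresses that produced at least one access-log entry."""
    return {m["client"] for m in map(ACCESS_RE.match, lines) if m}


def unlogged_web_sources(tcpdump_lines, access_lines, server_ip, web_ports=(80, 443)):
    """Map each client that opened (bare SYN) a connection to a web port on
    server_ip, but never appears in the access log, to its number of attempts."""
    logged = access_log_clients(access_lines)
    attempts = Counter()
    for src, dst, dport, flags in parse_tcpdump(tcpdump_lines):
        if dst != server_ip or dport not in web_ports:
            continue  # server replies and non-web ports (e.g. SSH) are out of scope
        if flags == "S":  # a bare SYN marks one new connection attempt
            attempts[src] += 1
    return {ip: n for ip, n in attempts.items() if ip not in logged}


if __name__ == "__main__":
    result = unlogged_web_sources(TCPDUMP_LINES, ACCESS_LOG_LINES, SERVER_IP)
    for ip, n in sorted(result.items()):
        print(f"{ip}: {n} connection attempt(s) to a web port, no access-log entries")
```

An address on that list is a lead for triage, not proof of anything: a client that completed the TLS handshake and sent no request, a request served by a virtual host that logs elsewhere, or a reverse proxy in front of the server will all produce the same gap. It does, however, narrow the encrypted traffic down to the handful of sources worth pulling full packet captures and host artifacts for.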
DLL Injection Part 2: CreateRemoteThread and More
Back for more? Good. I learned quite a bit doing the research for this portion of the series, and I have to give credit mostly to my sources. Check out the Open Security Research and Infosec Institute articles in the references. They go really in depth on this topic. I am not really expanding on their content, but I find that spending time explaining it helps me to better ... READ MORE
Real World Malware Analysis Part 3: Sandbox
In the first post, we created our own malware lab with some basic tools. Now we're going to use someone else's sandbox. The automated analysis provided by Malwr.com has been tremendously useful in the short time that I have been using it. It's a great tool for getting things done quickly. Keep in mind that even though a lot of the essentials are automated here, we'll stick to a ... READ MORE
DLL Injection Part 1: SetWindowsHookEx
The goal of DLL injection is to load code into another running process's address space. So how exactly do we go about accomplishing that? It turns out there are a couple of ways to do so in Windows. We are first going to examine "SetWindowsHookEx," a method for creating hooks in Windows. If by the end of this post you are hungry for more, check out the references at the ... READ MORE
DLL Injection Part 0: Understanding DLL Usage
As a result of my foray into static malware analysis, I decided I needed a better understanding of DLL injection. DLL injection allows us to run code in another process. This is useful because it allows us to hide malicious code inside other, benign processes. Depending on the technique, it can also mean never writing anything to disk, making detection and forensics that much more difficult. This ... READ MORE
Real World Malware Analysis: The Original Phishster
When my friend first told me that he was phished with a Word document, two infection methods came to mind: either it was a macro enabled in the document, or it was the recent MS14-064 vulnerability for Office. So let’s take a look! Here is what the offending document looks like when opened: Macros are the winner! What do they do? In Word go to View > Macros > View ... READ MORE
Real World Malware Analysis Part 1
Full Disclosure: Malware analysis isn't my area of expertise, but I have been looking for chances to learn more. Let's learn together! I was recently describing to a friend how phishing attacks work, one of the most common ways being Word documents with a macro that runs or downloads malicious code. Sure enough, several weeks later the same friend received a phishing ... READ MORE
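Both Part 1 and The Original Phishster above turn on the same first question about a phishing document: does it carry a macro at all? For the OOXML formats (.docm, and a .docx that has been tampered with) that can be answered without opening Word. The Python below is an added example, not code from either post: it builds two minimal Word packages in memory (constructed test data, not the real phishing sample) and classifies a document by whether the package contains a VBA project, checking both the vbaProject.bin part and the package manifest. Legacy binary .doc files are OLE2 containers rather than zips, so the function only reports those as needing a different parser.

```python
import io
import zipfile

# Content types Word uses in the OOXML package manifest ([Content_Types].xml).
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_PART_CT = "application/vnd.ms-office.vbaProject"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def classify_word_document(data):
    """Return 'macro' if an OOXML Word package carries a VBA project,
    'clean' if it is OOXML without one, and 'not-ooxml' for anything else
    (a legacy OLE2 .doc starts with D0 CF 11 E0 and needs an OLE parser)."""
    if not data.startswith(b"PK"):
        return "not-ooxml"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            # The VBA project itself lives in word/vbaProject.bin ...
            if "word/vbaProject.bin" in names:
                return "macro"
            # ... and the manifest declares it. Check both, since a doctored
            # file may keep one indicator and drop the other.
            if "[Content_Types].xml" in names:
                manifest = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_PART_CT in manifest or MACRO_MAIN_CT in manifest:
                    return "macro"
            return "clean"
    except zipfile.BadZipFile:
        return "not-ooxml"


def build_sample_document(with_macros):
    """Construct a minimal Word package in memory (constructed test data,
    not a real phishing sample). with_macros=True lays it out like a .docm:
    macro-enabled main part plus a vbaProject.bin part."""
    main_ct = MACRO_MAIN_CT if with_macros else PLAIN_MAIN_CT
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        if with_macros:
            overrides.append(
                f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PART_CT}"/>'
            )
            # A real VBA project is an OLE2 container; a placeholder is enough for this check.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            + "".join(overrides)
            + "</Types>",
        )
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample_document(True)),
                       ("plain", build_sample_document(False))):
        print(f"{label}: {classify_word_document(doc)}")
```

This answers only "is there a macro?". Which procedures fire automatically (AutoOpen, Document_Open) and what they do sits inside the compressed VBA streams of vbaProject.bin; reading those takes a VBA decompressor such as oletools' olevba, which is the step the posts take by hand through View > Macros in Word. Treat a "clean" result as meaning no macro, not no threat, since an exploit document like the MS14-064 case mentioned above carries no VBA at all.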