Word document analysis with oledump.py

It seems that macro based document are, again, used to spread malware. Even the Malware Protection Centre from Microsoft mentioned it recently. Seems like an old trick, but apparently works like a charm. Most probably users trust too much Office documents as they keep exchanging them multiple time per day as part of their business/private activities. Most malicious Office documents have a macro that actually download a malicious file. Let’s see a quick way to have a better view on what exactly is happening.

Continue reading Word document analysis with oledump.py

Mutexes and malware analysis

There is many way to investigate malware and to “find evil” in an unknown executable. There will be situation where looking at a list of running processes won’t give you information to raise a red flag. You can always go deeper and perform more manual analysis. Even though this might be fun it might also be very time consuming…and we don’t always have the  luxury of time neither the resources.

Analysis of mutexes (sometime called mutant) can be a pretty good way to continue your analysis and find more evidence of “evil”.

Continue reading Mutexes and malware analysis

Attribution of Cyber Attack

I’m not an expert in attribution neither in cyber war but in the light of the recent Sony hack and its “attribution” to North Korea, I did a little of research. The below article is a summary of what I found and a few thoughts as well.

Continue reading Attribution of Cyber Attack

sysmon form sysinternals

Microsoft has released an updated version of the sysinternals tools recently. This update include a tool named: sysmon. You can find all details from the TechNet website by following this link: http://technet.microsoft.com/en-us/sysinternals/dn798348.aspx

In short the tool will provides detailed information about process creations, network connections, and changes to file creation time. As you can guess this sounds like the perfect addition for your lab!

Continue reading sysmon form sysinternals

DFIR Challenge – ISSA 2013 – My Answers

Jack Crook has posted a new DFIR challenge a few days ago. Let’s have a look at the challenge and also to my answers.

Obviously if you want to enjoy the challenge then don’t read this article, go on the challenge page, download what’s necessary and go have some fun first!

Continue reading DFIR Challenge – ISSA 2013 – My Answers

Exploit Pack Overview using Maltego

I was reading a post from the contagio blog, which I highly recommend, Mila is providing a lot of samples and other very useful information. One of the latest post is related to exploit packs. Mila is actually compiling an exhaustive list of exploit packs and the vulnerabilities they are using.

I have recently start using Maltego, here again highly recommended, and when I downloaded the table of exploit packs I immediately thought that Maltego might be the perfect tool to represent the information slightly differently.

Continue reading Exploit Pack Overview using Maltego

Indicator Of Compromise (IOC) – Part I

The release of the APT1 report from Mandiant has been one of the major recent event in the security world. I’m not going to review the report or to comment on it, even though the work that Mandiant did is really impressive and clearly demonstrate that governemental attacks are real. As I said in a previous post, cyber-espionage is on an increase trend and what Mandiant release is just the tip of the iceberg.

But what is really interesting in this report is the…appendix! Mandiant did include an awful lot of details such as FQDN, SSL Certificates and…Indicators of Compromise (e.g. IOC)! Let’s have a closer look at those IOCs. Continue reading Indicator Of Compromise (IOC) – Part I

Virustotal.com Safari Extension

I have developed a Safari 6 extension in order to search virustotal.com (e.g. MD5 hash or keywords).

All the details and download links can be found here: http://www.simonganiere.ch/tools/

For any comments or bug report contact me on Twitter – @sganiere


Malware anti-VM technics

Malware analysis usually involved the use of virtual environment (VM) such as VMware, VirtualBox and plenty of other virtualisation solutions. Mentioning the main virtualisation product is great but such products are also used in sandbox and other testing environment such as Virustotal, Anubis, etc. There is a lot of reason for using a virtual environment for such analysis. In particular it give the ability to run malicious code in a control manner. You can customize your VM to meet your needs, install vulnerable software, change configuration, etc. Not to mention the ability to start from scratch and restore a previous snapshot. You can do it the “old” way by running the malicious executable directly on your operating system but you will take a little more risk not to mention the time you will lose to restore your system.

Continue reading Malware anti-VM technics

Honeypot Results

You can found the latest honeypot results at the following URL: http://honeypot.simonganiere.ch (or use the above link in the menu).

This page is updated on a daily basis with the latest stats from the honeypot. You will found the stats for the last 30 days for various protocols and other useful information such as Virustotal.com links, etc.

Enjoy and stay tuned for other news!