Mutexes and malware analysis

There is many way to investigate malware and to “find evil” in an unknown executable. There will be situation where looking at a list of running processes won’t give you information to raise a red flag. You can always go deeper and perform more manual…

Indicator Of Compromise (IOC) – Part I

The current threat landscape is made of highly complex viruses and/or stealth intrusions, very difficult to prevent, identify, detect, etc. Also the IT environment is vast, heterogeneous, not always managed, making it even more difficult to ensure that a breach is contained quickly and in effective manner. So what do we need? An easy and standard way to describe a breach or the describe a malware and its behaviors. Also we need the ability to share this description You guess it, Indicators of Compromise are the solution!

Malware anti-VM technics

Malware analysis usually involved the use of virtual environment (VM) such as VMware, VirtualBox and plenty of other virtualisation solutions. Mentioning the main virtualisation product is great but such products are also used in sandbox and other testing environment such as Virustotal, Anubis, etc. There…

Introduction to x86 Assembly Language – Part II

After the (very) high-level introduction of the part I, we are going to start to go a little bit deeper in the subject. Let’s start by having a closure look to the memory (RAM) and the related registers (e.g. general purpose registers, segment registers, EFLAGS…

Introduction to x86 Assembly Language – Part I

This article is an attempt to introduce some of the key concepts of x86 Assembly Language. It will focus on how such language is used by malware analyst to understand what a malicious software is doing and how it has been programmed by its author….

Cuckoo – Automated Malware Analysis

Cuckoo is a malware analysis system. Based on the description on the website: Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment. It’s mostly used…

Flame – Cyberwar in action?

The Flame virus has gone public during the last few days of May 2012. This discovery has been made two years after Stuxnet (June 2010) and less than a year after Duqu (Sept. 2011). Despite the fact that those three virus have different objectives, they have in common their complexity and the fact that they have been probably developed by people with “unlimited” resources. So where are we now? Is this cyberwar? or this is the natural evolution of cyber criminal?