Fuzzing Programs to find Windows Buffer Overflows – Bypass ASLR & DEP – Controlling and Overwriting EIP

Modern Windows Buffer Overflows and Techniques. Most Windows applications are compiled with Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) support, which makes the exploitation process a lot harder, as we will have to bypass these internal security mechanisms. These memory protections were implemented in Microsoft Windows 7; DEP is a set of hardware and software…

ANSWERS – Malware PCAP Traffic Analysis – Can you name the different types of malware? 2016-08-27

Here are the files that were executed to generate the traffic and pcap in the previous post:

Eorezo – sunnyday.exe
https://malwr.com/analysis/YzcxYTM0MzYxNGUyNDBjZjkyZjdlYzAyNzdkMTg5OWU/
https://virustotal.com/en/file/d1ae1454cca36dce4a687846ec394c542b13e829755c40653fbd495d95b02197/analysis/1472172878/

Farfli – netstream.exe
https://virustotal.com/en/file/969063116b1c717cd07015e04ecd6c2a6ad883da7dbcd2a4cd157100fa9c7b50/analysis/1472173093/

Citidel
https://virustotal.com/en/file/0765a0d3e6349761704d837f0d0a873a50a7e91a6efda972d1e82cf18df0ecbd/analysis/1472173251/
SHA256: 0765a0d3e6349761704d837f0d0a873a50a7e91a6efda972d1e82cf18df0ecbd
File name: PROTESTO.exe
Detection ratio: 40 / 54
Analysis date: 2016-08-26 01:00:51 UTC
Banking Trojan…

Malware PCAP Traffic Analysis – Can you name the different types of malware? 2016-08-27

Be careful: it might not all be malware; adware, PUPs and innocuous traffic are also in play. Download PCAP: netstream. The VM executables used will be included in the next post.

2016-08-25 20:40:37.831293 IP 192.168.1.102.51776 > 37.187.148.135.80: Flags [P.], seq 0:267, ack 1, win 256, length 267: HTTP: GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1 E..3?…..~^…f%….@.P.._.p?..P…^…GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1 Content-Type:…

ALERT! Very Active PHISHING CAMPAIGN still alive targeting Dropbox Users

I received the link via e-mail but also found it online through some redirects and a Dropbox typo domain name. The images and page look spot on… but if you look at the URI like you should, you'll notice right away we got some problems here! http://glabalinvestment.tk/cost/DROP1/casts/ The campaign is stealing your Gmail, Yahoo,…

BLACK HAT 2016 USA VEGAS BRIEFING – HORSE PILL: A NEW TYPE OF LINUX ROOTKIT

HORSE PILL: A NEW TYPE OF LINUX ROOTKIT
Michael Leibowitz | Senior Trouble Maker, Intel
Location: South Seas CDF
Date: Thursday, August 4 | 12:10pm-1:00pm
Format: 50 Minute Briefing
Tracks: Malware; Platform Security: VM, OS, Host and Container

What if we took the underlying technical elements of Linux containers and used them for evil? The result a…