(Not) All She Wrote (Part 2): Rigged Office Documents (Part 2)

Hello paranoids. Following the previous post, I am now going to give an overview of the analysis process for exploits within Office documents. You see, while with PDFs you have one format and one reader (e.g. Adobe Reader), with Office you have many acceptable formats and a reader. For instance, Word 2013 is capable of handling …

(Not) All She Wrote (Part 2): Rigged Office Documents (Part 1)

Hello paranoids. Continuing our crusade through the world of malicious documents and following the previous post, I will now describe the approach for Office documents. One of the great things about these is that we now have a means to debug the malicious code, which makes the job easier. Once more, I will start by overviewing the …

You allowed this remember?: Bypassing Office Macro Warnings by Leveraging Office’s Poor Memory

Hello paranoids. A couple of days ago I came across a peculiar behaviour involving Office macros. You are probably familiar with the "Enable Content" warning whenever you open a document containing a macro. In order to avoid asking the end user for permission every time he opens the same document, the warning is disabled (i.e. …

(Not) All She Wrote (Part 1): Rigged PDFs

Hello paranoids. You know that moment when you get an email with an attached document and a promise of good fortune once you open it? Great, the following set of posts is for you. Lately I have been trying to learn how to speed up the analysis of malicious documents (e.g. PDFs, Office, RTFs). Due to …

PympMyBinary: Infecting Binaries

Hello paranoids. This post will be short and comes quite late. I would like to introduce you to my latest creation: PympMyBinary (GitHub URL). PympMyBinary is a binary infector whose purpose is to inject shellcode into legitimate binaries. The entry point of the binary is overwritten so that the shellcode is executed first. Execution is then passed …

63 Problems But Malware Ain’t One: 882aef202a56008ad20a61c8960eb830

Hello paranoids. As promised, I am back to reversing stuff. This time, following the previous sequence of posts, I have decided to pick an Android malware for analysis. Without further ado, let us begin. Malware characteristics: MD5: 882aef202a56008ad20a61c8960eb830; Family name: Ginmaster (GingerMaster); Obfuscation/Packing: Yes/No. GingerMaster was the first Android malware using the GingerBreak exploit, an exploit that affects GingerBread …

Android Reversing Part 3: Tampering with Android Applications

Hello paranoids. So, after all those theory-related posts, it is time to actually do something. In this post, I will tamper with a simple application for Android. Let us begin: The Test Application. As referred to in the post about tools, there is a website from which you can download APKs, APKMirror. However, I will do the …

63 Problems But Malware Ain’t One: 8ca23d7bdf520c3e7ac538c1ceb7b555

Hello paranoids. Recovered from my previous post? No? Great! My overall objectives for the previous post were to: show you how to unpack a malware sample; cover unpacking constructions (e.g. anti-debugging, shellcode, dynamic resolution of dependencies). In this post, I intend to: go over some network/host tracks left by the malware; cover the malware's supported commands and features. The …