Containing the Beast: Managing Inter Thread and Process Complexity

Hello paranoids! Lately I have been investigating Zeus Panda (MD5 82c6a5e05ceec286c79ae978bc746244, or check my repo) which, as one of its features, injects itself into two instances of svchost created by the malware itself. The injected code is then executed using CreateRemoteThread. This is not uncommon and it adds pain to the analysis since once the …


(Not) All She Wrote (Part 3): Rigged RTF Documents

Hello paranoids! It seems we have reached the final post. Previously, I have addressed PDFs containing exploits and Office documents containing macros and exploits. This post will be lighter than the others since I won't be doing a full analysis of documents. I have shown you before how you can analyse embedded shellcode once you have it, so I …

(Not) All She Wrote (Part 2): Rigged Office Documents (Part 2)

Hello paranoids! Following the previous post, I am now going to overview the analysis process for exploits within Office documents. You see, while with PDFs you have a format and a reader (e.g. Adobe Reader), with Office you have lots of acceptable formats and a reader. For instance, Word 2013 is capable of handling …

(Not) All She Wrote (Part 2): Rigged Office Documents (Part 1)

Hello paranoids! Continuing our crusade through the world of malicious documents and following the previous post, I will now describe the approach for Office documents. One of the great things about these is that now we have a means to debug malicious code, which makes the job easier. Once more, I will start by overviewing the …

(Not) All She Wrote (Part 1): Rigged PDFs

Hello paranoids! You know that moment when you get an email with an attached document and a promise of good fortune once you open it? Great, the following set of posts is for you. Lately I have been trying to learn how to speed up analysis of malicious documents (e.g. PDFs, Office, RTFs). Due to …

PympMyBinary: Infecting Binaries

Hello paranoids! This post will be short and comes quite late. I would like to introduce you to my latest creation: PympMyBinary (GitHub URL). PympMyBinary is a binary infector with the purpose of injecting shellcode into legitimate binaries. The entry point of the binary is overwritten so that the shellcode is executed first. The execution is then passed …

63 Problems But Malware Ain’t One: 882aef202a56008ad20a61c8960eb830

Hello paranoids! As promised, I am back to reversing stuff. This time, and following the previous sequence of posts, I have decided to pick an Android malware for analysis. Without further ado, let us begin. Malware characteristics: MD5: 882aef202a56008ad20a61c8960eb830; Family name: Ginmaster (GingerMaster); Obfuscation/Packing: Yes/No. GingerMaster was the first Android malware using the GingerBreak exploit, an exploit that affects GingerBread …

Android Reversing Part 3: Tampering with Android Applications

Hello paranoids! So, after all those theory-related posts, it is time to actually do something. In this post, I will tamper with a simple application for Android. Let us begin: The Test Application. As mentioned in the post about tools, there is a website from which you can download APKs, APKMirror. However, I will do the …