The topic of web-based advertising is always a hot topic for discussion, debate, and outright argument. One realizes that the Internet in which we’ve grown accustomed to is reliant on ads; after all, Google is an advertisement company. In the recent past we’ve seen articles on malvertising targeted using Skype and more recently using the New York …
Happy New Years! As part of the new year, let’s make an effort to make your defensive posture better, especially through quicker and more effective malware analysis! A few years ago I created a sample malware analysis sandbox script to use for the analysis and reverse engineering that I performed on a daily basis. Let’s …
The second annual FLARE On is a reverse engineering challenge put forth by the FireEye Labs Advanced Reverse Engineering (FLARE). While accepted as a very advanced and tactical recruiting method, it resonates with those who love CTF challenges. In 2014 the inaugural FLARE On presented seven challenges. As a finisher, you can read my write-up here. …
The FireEye Labs Advanced Reverse Engineering (FLARE) challenge was causing a bit of a buzz when it was announced and launched in early July. It read like a recruitment campaign for a new division within FireEye, but still a fun challenge to partake in. The challenge started … and I was on-site at a client …
In the previous post I showed some dynamic analysis procedures for a variant of a trojan known to Symantec as Coreflood. Based on the dynamic analysis, we discovered that the analyzed sample contained very few strings of use. It decrypted an embedded executable, which was injected into memory for execution. It dropped an encrypted file to …
I had the honor of lecturing for Champlain College’s graduate level Malware Analysis course this week. One of the aspects of the lecture was showing off dynamic analysis with my Noriben script and some of the indicators I would look for when running malware. While every malware site under the sun can tell you how …
Disclaimer: This post is based upon experiences I found when sending malware via GMail (Google Mail). I’m documenting them here for others to: disprove, debate, confirm, or to downplay its importance. Update: In the comments below, a member of Google’s AntiVirus Infrastructure team provided insight into this issue. A third-party AV engine used by GMail …
This site, Ghetto Forensics, was started this year as the beginning of an effort to better document some of the side work that I do that I thought would be appealing, or humorous, to the overall industry. This content was originally posted to my personal web site, thebaskins.com, but really needed a site of its …
When I first start delving in memory forensics, years ago, we relied upon controlled operating system crashes (to create memory crash dumps) or the old FireWire exploit with a special laptop. Later, software-based tools like regular dd, and win32dd, made the job much easier (and more entertaining as we watched the feuds between mdd and …
It’s been a few months since the last official release of Noriben. The interim time has been filled with a few ninja-edits of updated filters, and wondering what to put in next. Noriben started out as a simple wrapper to Sysinternals procmon to automatically gather all of the runtime details for malware analysis within a …