Archive by Author

Pre-Pwned AMI Images in Amazon's AWS public instance store, (Fri, Sep 21st)

I keep getting reports about AMI images in Amazon’s AWS, which come “pre-pwned.” These images typically include for the most part crypto coin miners, but they also include backdoors or more subtle malicious modifications. One reason users fall for these images appears to be that they search for images without considering the “owner” of the image. […]

Hunting for Suspicious Processes with OSSEC, (Thu, Sep 20th)

Here is a quick example of how OSSEC[1] can be helpful to perform threat hunting. OSSEC is a free security monitoring tool/log management platform which has many features related to detecting malicious activity on a live system, like the rootkit detection or syscheck modules. Here is an example of rules that can be deployed to track malicious processes […]

Certificates Revisited – SSL VPN Certificates 2 Ways, (Wed, Sep 19th)

As a consultant that does lots of network “stuff”, I tend to build SSL VPN access for lots of clients. And a few times per year, I get the “our certificate has just expired” call from one client or another. We covered off the “find / enumerate all the certificates for an organization” 2 […]

iOS 12 is out today – Updates for Safari, watchOS, tvOS, iOS. Full details here https://support.apple.com/en-ca/HT201222, (Tue, Sep 18th)

Rob VandenBrink, Compugen. (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Dissecting Malicious MS Office Docs, (Mon, Sep 17th)

Looking back at the story I posted 2 weeks back, on getting target users to leak credentials using malicious UNC links in Office (or other) documents ( https://isc.sans.edu/forums/diary/24062/ ), how would you actually identify a malicious document of this type? After a bit of digging, it turns out that there are a few ways to […]

20/20 malware vision, (Sun, Sep 16th)

In his diary entry “Malware Delivered Through MHT Files”, Xavier shows some malicious VBA code with obfuscated strings. Often, in VBA code, when strings are obfuscated, each character to be obfuscated is replaced with another character: a string of 7 characters remains a string of 7 characters when obfuscated. This can be seen in Xavier’s […]

User Agent String "$ua.tools.random()" ? :-) !, (Sat, Sep 15th)

For many years I’ve observed requests for page license.php on my webservers, from various IPs and with various User Agent Strings:
– “Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)”
– “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MRA 4.4 (build 01334))”
– “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)”
– “Mozilla/4.0 (compatible; Synapse)”
– Mozilla/5.0
– “Mozilla/5.0 (Windows NT […]

Sextortion – Follow the Money Update, (Fri, Sep 14th)

This diary is an update to Sextortion – Follow the Money, which tracks some of the BTC addresses related to the Sextortion campaign still in the wild, but seemingly tailing off at this time. First a little history. Within a couple of days of the beginning of the campaign (July 10th), we were able to cobble together 20 BTC addresses to […]

Malware Delivered Through MHT Files, (Thu, Sep 13th)

What are MHT files? Microsoft is a wonderful source of multiple file formats. MHT files are web page archives. Usually, a web page is based on a piece of HTML code with links to external resources, images and other media. MHT files contain all the data related to a web page in a single place and are […]

So What is Going on With IPv4 Fragments these Days?, (Wed, Sep 12th)

[Disclaimer: This article deals with legacy IPv4 networks. IPv6 has cleaned up some of the fragmentation issues, and it looks like IPv4 is backporting some of these changes] IP fragmentation has always been a tricky issue. Many operating systems had issues implementing it and RFCs have often been ignored (for more or less good reasons). […]
