Example of Multiple Stages Dropper, (Sat, Mar 18th)

If some malware samples remain simple From: [email protected] To: [redacted] Subject: New Catalogue #2017 Date: 14 Mar 2017 03:12:51 -0700 Dear, FYI! Please submit the file to me asap. Thank you. Best Regards Rachel Lo Ufficio Commerciale Vimin Box S.r.l. Via Emanuele T. D'Azeglio, 2 12030 Lagnasco – CUNEO – ITALY Tel. +39 …

Retro Hunting!, (Wed, Mar 15th)

For a while, one of the security trends has been to integrate information from 3rd-party feeds to improve the detection of suspicious activities. By collecting indicators of compromise[1], other tools may correlate them with their own data and generate alerts on specific conditions. The initial goal is to share new IOCs with peers as fast as possible …

February and March Microsoft Patch Tuesday, (Tue, Mar 14th)

Today, Microsoft released its monthly security bulletins. February's delayed release was combined with this March release, which likely caused the large number of bulletins (18 total, which includes the Adobe Flash bulletin). You can review the patch summary here: https://isc.sans.edu/mspatchdays.html?viewday=2017-03-14 or via our API. Probably the scariest set of vulnerabilities in this update are CVE-2017-0143, CVE-2017-0144, …

Honeypot Logs and Tracking a VBE Script, (Sun, Mar 12th)

Sometimes I take the time to review my honeypot to see if it captured anything that might be worth looking at, and I found this VBE script that looked kind of interesting. I used Didier A check against VirusTotal identifies this script as a VBS Trojan downloader script[3]. Since I couldn't get a …

The Side Effect of GeoIP Filters, (Fri, Mar 10th)

IP location, GeoIP or Geolocalization are terms used to describe techniques to assign geographic locations to IP addresses. Databases are built and maintained to link the following details to IP addresses: Country, Region. If this looks very aggressive, in some cases it can be useful if you want to protect online services used only by local …

Critical Apache Struts 2 Vulnerability (Patch Now!), (Thu, Mar 9th)

On Monday, Apache released a patch for the Struts 2 framework [1]. The patch fixes an easy-to-exploit vulnerability in the multipart parser that is typically used for file uploads. A Metasploit module was released that same day, and some readers already reported seeing exploit attempts in the wild. You should be running Struts …

Not All Malware Samples Are Complex, (Wed, Mar 8th)

Every day we hear about new pieces of malware which implement new techniques to hide themselves and defeat analysts. But there are still people who write simple code that just does the job. The sample that I'm reviewing today had a very short lifetime because it was quickly detected by most antivirus products. Its purpose is to steal information from the …