Behrang
Analysis of a UDP worm
Introduction From time to time I like to delve into malware analysis as a pastime and post interesting examples, and recently we received a malware sample that had a low-detection rate. Anti-Virus coverage was 15/43 (35.7%) based on a virustotal.com report and Norman sandbox did not detect any suspicious activity as shown in the report below:
Norman sandbox report did not show any registry or network activity. This might be due to the use of virtual CPU or sandbox bypass techniques by the malware. Sunbelt sandbox was down at the time of the analysis.
Decrypting Symantec BackupExec passwords
BackupExec agent is often among common services found on the internal pen tests. The agent software stores an encrypted “logon account” password in its backend MS SQL database (LoginAccounts table). These accounts include the “system logon account” which is used to run agent services and an optional number of active directory accounts that are used to access resources over the network. The following scenarios can result in access to encrypted passwords:
QoW: Software Reversing and Exploitation
I’ve developed a FTP like multi-threaded server application as a target for this challenge of the month. It has been coded in c and compiled by VC++ 2008. This is a three step challenge:
Step 1- Find the correct “passphrase” format to logon to the server and get the “Access Granted” message. (You may use a debugger like Ollydbg to do Live RE for this step).
Step 2- Do vulnerability research on the server software. There is at least one exploitable bug but there could be more bugs or error conditions. Try to spot a memory corruption bug and write a denial of service exploit for it.
“Hooker” approach to break-in!
Interesting post on cost/benefit analysis of hacker and hooker attacks…. behrang
Adobe APSB08-15 Patch Reversing
APSB08-15 is the latest adobe security advisory regarding a memory corruption vulnerabilty in Acrobat Reader versions <8.1.2
As expected, the advisory does not include technical details about the attack vector, So let’s try to reverse the related Adobe patch to find more about this vulnerability. I’m going to use IDA 5.2 with patchdiff2 plugin (thanks to kris hint on this plug-in).
The patch is released as a MSI file. I used Greg Duncan’s Less MSIèrables tool to examine the content of this patch:
Prev
Page 2 of 2