www.kahusecurity.com
For the past two years, I’ve been involved with several cyber exercises and competitions, from planning and training to participating in them. I’ve written a dozen or so defensive and offensive tools for these cyber ranges. While there are better tools out there that do the same thing, I wanted to customize my own for the 64-bit environment and battle-test them to work out any bugs. Rules for s
The cybercriminals behind Poweliks implemented two clever techniques in their malware. The first was leveraging rundll32.dll to execute Javascript and the second was using a method to hide/protect their registry keys. I’ll be focusing on the second method. The technique of hiding/protecting registry keys using a non-ASCII character goes all the way back to over a decade ago. It’s remarkable in a s
Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against today’s obfuscated scripts with the least amount of intervention. Here are the tools I’ll be testing: Automated JSUnpack Javascript Deobfuscator (Firefox Add-On) SpiderMonkey Semi-Automated/Manual JSDet
Per a couple of readers’ requests, I’ll be covering how to deobfuscate Magnitude using the latest version of Converter. For those of you who don’t already know the history of Magnitude EK, you can catch up by checking out the following articles from two fine security researchers: Magnitude EK : Pop Pop Official PHP Website Hacked, Spreads Malware Infection From a source of mine, here’s what the pan
I’ve been studying RedKit for a long time and trying to understand its components, methods, and infrastructure. It turns out this exploit pack is unlike anything I’ve seen before. Just recently, Fraser Howard over at Sophos wrote two great articles on RedKit here and here. I’ll try to write about the things I learned that aren’t covered there. Quick Overview In a typical drive-by download scenario, use
Thank you to all of you for your feedback, patience, and support! It now has the same functions as Data Converter as described here. In addition, I’ve added a couple more features. To help you understand how to use them, let’s try it out on the latest version of Blackhole. I grabbed a Blackhole landing page link from a favorite site of mine, malc0de.com/database. Be sure you check it out and subsc
Fellow researcher Denis Laskov shared the infection chain of a new exploit pack with an impressive bunch of security researchers. For some reason, I got called to help and was more than willing to contribute by analyzing the Java applet delivered by this pack. Before I jump in, be sure you check out Denis’ blog post on this exploit pack. Here is the applet we will be looking at. As Denis mentioned
Earlier this year, the CrimeBoss exploit pack was released in beta form. An updated version was recently seen in the wild. Here’s the panel’s login screen which looks just like Crimepack. But the rest of the pack is completely different. Here’s the landing page of the exploit pack: The second layer is a little more challenging: Once you deobfuscate the code, you’ll be rewarded with a neatly writte
Neosploit has been popping up every once in a while, quietly infecting users without a whole lot of attention. This past week, its author(s) decided to update Neosploit with the latest Java exploit. It now joins the likes of Blackhole and “RedKit” which have also been updated. Here’s the obfuscated exploit page from Neosploit: When you tidy things up, you can see Neosploit’s signature div tags. Th
Since everyone knows about this, I can finally share my piece. Here’s the landing page which is all Javascript. The script is using “Dadong’s JSXX 0.44 VIP” Javascript obfuscator. This isn’t the first time Dadong’s obfuscator has been used with Chinese packs that carry the latest exploits. This apparently is the latest version. The tamper-proof script uses a technique that acts like callee on ster
A Korean news site was recently observed distributing malware. I thought it would be an opportune time to test out my program that attempts to locate malicious scripts on a website. Here’s an excerpt from the results: Looking at the screenshot above from the bottom up, we see some suspicious content from an IP address. That page gets called by an infected “popupmenu.js” file. And that file gets re
I’m trying out some new methods to improve Revelo. This version now includes the following: – Added ability to choose the direction of the replacement (e.g. top-down or bottom-up). This might be important if a key value is up at the top and Revelo keeps replacing the one at the bottom. – Added ability to choose action method (e.g. textarea, document.write, or alert). I modified the other choices a
11 DEC 2021 Tools Update It's been a while but finally got to updating some of the tools I use frequently...
24 MAY 2020 Tools Update vs Latest Maldocs A couple of tools have been updated to make it easier to handle the latest malicious documents...
17 APR 2020 Another Way to Analyze XLM Macros XLM macros have been making a comeback so it's important to be able to analyze them. I wrote a proof of c
While it can be difficult to attribute exploit packs in many cases, I believe it’s safe to say that there are a few made by Chinese authors. Their style can be seen across packs from the script used for traffic analysis to variable names and methods. Chinese packs are different but arguably still befitting the definition of an exploit pack. Unlike traditional packs you’ve seen like Black Hole or I
In the previous article, I manually deobfuscated three malicious scripts. This time around, I’ll use publicly available tools to see which ones can tackle real-world obfuscated Javascript code. Here’s the criteria I used to select the tools: 1. Free 2. Windows-based 3. Easy to set up and use (i.e. aimed at the novice user) These are the tools I selected to test with: * Creme Brulee * Firebug – Fire
Looks like Incognito got updated yet again. Let’s reverse the Javascript exploit code… First let’s clean this up (the complete script is here)! You can see it’s now using p, div, and span tags to hold the obfuscated code, which is different from the earlier versions. While the Javascript code at the bottom looks different from the previous version, there are several similarities. What the Javascri
See new entries from “Articles | Kahu Security”