Thank you all for your support and feedback with the release of Revelo (finally, I know)! I wrote this program and tested it in Windows XP since I heavily use that in my VMs for analysis. For several of you, you are getting an error message when trying to run it in Vista or 7. My apologies! It was hard enough to write this let alone make it work on all platforms. 🙂 In this update, I removed an ou
I mentioned a new tool I’ve been developing to help with Javascript deobfuscation months ago. I’ve been working on it off and on but it’s taking me a while. There’s still more to do but I think it’s ready for a public release. Consider this tool experimental! The purpose of this program is to assist the user in analyzing obfuscated Javascript code, particularly those that redirect the browser to ma
If you’re into malware analysis or incident response, I’m sure you’ve come across a number of malicious Java applets lately. And perhaps you’ve noticed some new tactics being employed which are quite clever and probably effective in getting past perimeter and desktop security. Here are three related articles that caught my eye: A unique ‘fileless’ bot attacks news site visitors An interesting case
Another week, another pack. But this one is using Dadong’s JSXX 0.41 VIP obfuscation script which makes the task of Javascript deobfuscation more difficult than the others. We’ll get to that in a bit but let’s talk about the exploit pack itself first. This exploit pack calls up three exploits across several files. There are numerous references to “gondad” in the script so we’ll call this “Gong Da
While it can be difficult to attribute exploit packs in many cases, I believe it’s safe to say that there are a few made by Chinese authors. Their style can be seen across packs from the script used for traffic analysis to variable names and methods. Chinese packs are different but arguably still befitting the definition of an exploit pack. Unlike traditional packs you’ve seen like Black Hole or I
PDFStreamDumper is a PDF analyzer developed by Sandsprite’s David Zimmer. He has added quite a few useful functions to make this an all-in-one, go-to tool as you’ll soon see. Here’s a spear-phish email that contains a malicious PDF file attachment: This PDF file is quite unusual. When you view it in Notepad, you normally can see readable strings and the magic bytes at the beginning. In this cas
This is a new exploit pack that is being offered for free. It also goes by the name, “Pay0C Pack”. The author seems to have combined exploits and content from various other exploit packs. Here’s a list of the exploits said to be included: * Sun Java Calendar Deserialization Exploit * Sun Java JRE * Java RMIConnectionImpl Deserialization Privilege Escalation Exploit * Sun Java JRE AWT SetDiff ICM
Several readers sent me email asking how to decipher Javascript code without doing it manually. There are actually several tools out there that can help you. Malzilla, SpiderMonkey, and Rhino seem to be the most popular. But I found that there are some tools from Microsoft that can get at the deobfuscated code without breaking a sweat! Let’s have a look at a couple of little-known tools that you c
Looks like Incognito got updated yet again. Let’s reverse the Javascript exploit code… First let’s clean this up (the complete script is here)! You can see it’s now using p, div, and span tags to hold the obfuscated code which is different than the earlier versions. While the Javascript code at the bottom looks different than the previous version, there are several similarities. What the Javascri