While I was testing a Pinpoint update, I found a sneaky method to redirect unsuspecting users to Neutrino EK. This one was interesting to me so I thought I would document it here. Here’s the website I visited…looks suspicious already: There was a reference to an external Javascript file: The file is obfuscated Javascript which is a red flag: I found the malicious redirect, or so I thought… Long st
There are many times where I come across a drive-by download, especially malvertisements, and it takes me a while to figure out which file on the compromised website is infected. I wrote Pinpoint to help me find the malicious objects faster so I can provide that info to webmasters for clean-up purposes. My hope is that this tool will be helpful to you as well. Pinpoint works like wget/curl in that
Per a couple of readers’ requests, I’ll be covering how to deobfuscate Magnitude using the latest version of Converter. For those of you who don’t already know the history of Magnitude EK, you can catch up by checking out the following articles from two fine security researchers: Magnitude EK : Pop Pop Official PHP Website Hacked, Spreads Malware Infection From a source of mine, here’s what the pan
The latest version of Converter includes changes to the menus and several new features. You can download this version here. Filter Menu There are two new functions added to the menu. The first is “Strip Whitespace” which removes spaces, tabs, CRs, LFs, etc. from your input. Thanks to TW for this request. The second is called the “Position Filter”. With it you can extract characters with a fixed posit
Recently, a reader passed on to me a very active TDS link that redirected users to one of four exploit packs. These packs led to some form of ransomware being installed on the victim’s machine. Analysis of these packs has been covered elsewhere but I wanted to document the analysis here in case there are changes. Since there’s a lot to go through, I’ll only cover the important bits. Exploit Pack
The use of JJEncode in a drive-by download has been around for a couple of years but has been popping up a lot recently. A couple of readers have asked how to deobfuscate this so here’s a walkthrough with a live script. Here’s an automobile forum that’s been compromised: Viewing the source code, this link kicks off the infection: Then from alnera.eu, you end up getting this strange looking Javascr
I’ve been getting questions about how to use Revelo so this article will be a refresher on how to use it. You can find the tool here and play along if you like. We’ll be using Revelo to deobfuscate a simple script using free online Javascript obfuscators as practice. (I’m not hating on these tools, they are made by smart developers. All we are trying to do is practice our deobfuscation skills.) Be
I’ve been studying RedKit for a long time and trying to understand its components, methods, and infrastructure. It turns out this exploit pack is unlike anything I’ve seen before. Just recently, Fraser Howard over at Sophos wrote two great articles on RedKit here and here. I’ll try to write about things I learned that are not covered there. Quick Overview In a typical drive-by download scenario, use
In a recent spearphish campaign, a malicious Word document was used to infect the email recipient. I was able to find an interesting tool and used it to recreate the Word document. Before we get to that, let’s do a quick analysis on the document… Here we see the Word document with an embedded object: Viewing the file with Notepad, we can see that this is an RTF file and definitely looks suspicious
I saw a tweet from MalwareCrusaders earlier today about another obfuscated Java applet so I thought I would have a look. Details about where the applet came from are rather slim. Something important may be needed along the way (e.g. applet parameters) so I prefer getting PCAPs but I’ll give it a try nonetheless. MalwareCrusaders will be posting more details on this soon so I won’t go too deep here.