Sneaky Redirect to Exploit Kit | Kahu Security
While I was testing a Pinpoint update, I found a sneaky method to redirect unsuspecting users to Neutrino EK. This one was interesting to me so I thought I would document it here. Here’s the website I visited…looks suspicious already: There was a reference to an external Javascript file: The file is obfuscated Javascript which is a red flag: I found the malicious redirect, or so I thought… Long st
Pinpoint Tool Released | Kahu Security
There are many times where I come across a drive-by download, especially malvertisements, and it takes me awhile to figure out which file on the compromised website is infected. I wrote Pinpoint to help me find the malicious objects faster so I can provide that info to webmasters for clean-up purposes. My hope is that this tool will be helpful to you as well. Pinpoint works like wget/curl in that
Deobfuscating Magnitude Exploit Kit | Kahu Security
Per a couple of reader’s request, I’ll be covering how to deobfuscate Magnitude using the latest version of Converter. For those of you who don’t already know the history of Magnitude EK, you can catch up by checking out the following articles from two fine security researchers: Magnitude EK : Pop Pop Official PHP Website Hacked, Spreads Malware Infection From a source of mine, here’s what the pan
Converted v0.10 Released | Kahu Security
The latest version of Converter includes changes to the menus and several new features. You can download this version here. Filter Menu There’s two new functions added to the menu. The first is “Strip Whitespace” which removes spaces, tabs, CRs, LFs, etc from your input. Thanks to TW for this request. The second is called the “Position Filter”. With it you can extract characters with a fixed posit
Kore Exploit Kit | Kahu Security
Recently, a reader passed on to me a very active TDS link that redirected users to one of four exploit packs. These packs led to some form of ransomware being installed on the victim’s machine. Analysis of these packs have been covered elsewhere but I wanted to document the analysis here in case there are changes. Since there’s a lot to go through, I’ll only cover the important bits. Exploit Pack
JJEncode Script Leads to Drive-By | Kahu Security
The use of JJEncode in a drive-by download has been around for a couple of years but has been popping up a lot recently. A couple of readers have asked how to deobfuscate this so here’s a walkthrough with a live script. Here’s an automobile forum that’s been compromised: Viewing the source code, this link kicks off the infection: Then from alnera.eu, you end up getting this strange looking Javascr
Deobfuscating Javascript with Revelo | Kahu Security
I’ve been getting questions about how to use Revelo so this article will be a refresher on how to use it. You can find the tool here and play along if you like. We’ll be using Revelo to deobfuscate a simple script using free online Javascript obfuscators as practice. (I’m not hating on these tools, they are made by smart developers. All we are trying to do is practice our deobfuscation skills.) Be
Digging Deeper into RedKit | Kahu Security
I’ve been studying RedKit for a long time and trying to understand its components, methods, and infrastructure. It turns out this exploit pack is unlike anything I’ve seen before. Just recently, Fraser Howard over at Sophos wrote two great articles on RedKit here and here. I’ll try to write about things I learned that’s not covered there. Quick Overview In a typical drive-by download scenario, use
Dissecting a Malicious Word Document | Kahu Security
In a recent spearphish campaign, a malicious Word document was used to infect the email recipient. I was able to find an interesting tool and used it to recreate the Word document. Before we get to that, let’s do a quick analysis on the document… Here we see the Word document with an embedded object: Viewing the file with Notepad, we can see that this is an RTF file and definitely looks suspicious
Quick Java Applet Analysis | Kahu Security
I saw a tweet from MalwareCrusaders earlier today about another obfuscated Java applet so I thought I would have a look. Details about where the applet came from is rather slim. Something important may be needed along the way (e.g. applet parameters) so I prefer getting PCAPs but I’ll give it a try nonetheless. MalwareCrusaders will be posting more details on this soon so I won’t go too deep here.
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
Exploit Delivery Networks | Kahu Security
The Resurrection of RedKit | Kahu Security
Analyzing DotkaChef Exploit Pack | Kahu Security
Wild Wild West – 12/2013 | Kahu Security
PHP Infector | Kahu Security
Chinese Exploit Pack Updated | Kahu Security
Deobfuscating the CK Exploit Kit | Kahu Security
Wild Wild West – 08/2013 | Kahu Security
Converter v0.8 Released | Kahu Security
Wild Wild West – 04/2013 | Kahu Security