Having recently been left with several hours to kill with nothing but a laptop and my virtual lab I thought I’d try my hand at some rudimentary malware analysis. For a random live sample I selected the most recent submission to my Nepenthes Server.

$ tail -n1 /opt/nepenthes/var/log/logged_submissions
[2009-05-21T19:10:59] 90.130.169.175 -> 195.97.252.143 creceive://90.130.169.175:2526 93715cfc2fbb07c0482c51e02809b937

To start […]
Category archives: InfoSec
submissions2mysql.py
Utility script in a similar vein to submissions2csv.py: the script reads Nepenthes’ logged_submissions file from stdin and dumps the information into a MySQL database table. Initially this serves the same purpose as its CSV counterpart, importing the data into a system with powerful search and filter functionality. However this may be useful if wanting to work […]
Quick and dirty spam analysis
I don’t normally bother with analysing spam, however two received yesterday caught my attention. Mostly they were noticeable as they avoided my usually bulletproof filters. Both spam emails are similar in subject, content, and sending options. Sender address was spoofed (surprise, surprise); in this case I supposedly sent the email myself, from the same account […]
Analysis of wireless statistics
As promised when the postman delivered the Alfa equipment, I’ve done some initial analysis of my first wireless capture. The data being analysed was collected during the evening commute back home, a trip that includes urban, sub-urban and rural areas, so it should be a good representative sample group. Security: The previous wireless post has already touched […]
Snort implementation on Debian
We’ve just completed the initial build for a new standalone IDS sensor running Snort. Having had previous experience (~1.5 years previously, manual source compile) I was amazed with the ease and speed with which the system was built, configured and operational. I’ll spare most of the details as installation requirements will vary from environment to […]
New Alfa wireless equipment
I’ve just taken delivery of, and started to experiment with, my new wireless equipment consisting of an Alfa AWUS036H and some additional antennas. My primary (official) motive for purchasing new hardware was that my primary incident response laptop only has 802.11b internal so can’t connect to newer networks (and I’ve just upgraded my home network […]
Booby-trapped Javascript
Fortinet have just released a nice blog post highlighting and analysing some changes in the obfuscated Javascript they are seeing. De-obfuscating Javascript is (should be) straightforward as it is interpreted on the fly and you have the source code available (as opposed to a compiled malware binary requiring more advanced RE techniques, as discussed […]
Sec610 Reverse Engineering Malware Demo
I spent a very interesting hour with Lenny Zeltser (and others) around a week ago with a live demo of part of Lenny’s Sec610 course. For those interested in taking the course, or malware in general, then I’d suggest that if the demo is a representative sample of the course then you’re likely to really […]
Example PCAP files
Just a quick one this time around, as it is mostly a reminder to take a closer look once I get some free time… Included in Dave Hull’s recent blog post on the SANS forensic blog (well worth a read in its own right) Dave links to part of the Network Miner Sourcefire site that […]
Aggressive Network Self-defense
I’m a fan of ‘case study’ type research and analysis, so I think I hit pay-dirt when I found this book. I’ve had the book on my shelf for a couple of years now and keep coming back to it and re-reading whenever I’m looking for inspiration (or just a good read). The basis of […]