<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Observatoire de la securite Internet</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Anti-Analysis Tricks in Weaponized RTF</title><description>Secuobs.com : 2016-04-12 22:05:52 - Decalage - This article describes several anti-analysis tricks found in recent malicious RTF documents, and how I improved rtfobj to handle them.</description><link>http://www.secuobs.com/revue/news/603554.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/603554.shtml</guid></item>
<item><title>8KB of malware crammed into a single command line in a macro</title><description>Secuobs.com : 2016-02-22 22:37:02 - Decalage - A few days ago, Bry_Campbell told me about a strange sample with a malicious macro that could not be fully analyzed with online sandboxes and the usual tools.</description><link>http://www.secuobs.com/revue/news/599029.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/599029.shtml</guid></item>
<item><title>How to grill Malicious Macros - SSTIC15</title><description>Secuobs.com : 2016-02-01 21:33:07 - Decalage - Since 2014, malicious macros have been coming back, and their success in recent campaigns demonstrates that they are still an effective way to deliver malware, sixteen years after Melissa. This is a presentation that I gave at the SSTIC symposium in June 2015, translated into English. It explains what malicious macros can do, how their code can be obfuscated, and some of the anti-analysis tricks observed in recent cases. Then it shows several tools that can be used to analyze macros, including oledump and olevba.</description><link>http://www.secuobs.com/revue/news/597065.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/597065.shtml</guid></item>
<item><title>Tip: how to find malware samples containing specific strings</title><description>Secuobs.com : 2016-01-24 15:21:10 - Decalage - It is sometimes useful to look for malware samples containing a specific string. For example, you might look for samples sharing similar code to analyze a malware campaign with different targets. Another use case is discovering the original version of a modified file, as described in my article "Unmasking Malfunctioning Malicious Documents".</description><link>http://www.secuobs.com/revue/news/596356.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/596356.shtml</guid></item>
<item><title>Unmasking Malfunctioning Malicious Documents</title><description>Secuobs.com : 2016-01-13 18:18:54 - Decalage - From time to time, people report strange malicious documents which are not successfully analyzed by malware analysis tools nor by sandboxes. Let's investigate: this is a follow-up to the post "Malfunctioning Malware" by Didier Stevens.</description><link>http://www.secuobs.com/revue/news/595575.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/595575.shtml</guid></item>
<item><title>Tools to extract VBA Macro source code from MS Office Documents</title><description>Secuobs.com : 2014-11-06 11:55:47 - Decalage - This article presents several tools that can be used to extract VBA macro source code from MS Office documents, for malware analysis and forensics. It also provides an overview of how VBA macros are stored.</description><link>http://www.secuobs.com/revue/news/544083.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/544083.shtml</guid></item>
<item><title>olefile (formerly OleFileIO_PL) - a Python module to read/write MS OLE2 files</title><description>Secuobs.com : 2014-10-01 18:29:35 - Decalage - olefile (formerly OleFileIO_PL) is a Python module to read/write Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office 97-2003 documents, Image Composer and FlashPix files, Outlook messages, StickyNotes, several Microscopy file formats, McAfee antivirus quarantine files, etc.</description><link>http://www.secuobs.com/revue/news/537975.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/537975.shtml</guid></item>
<item><title>olemeta - a tool to extract all standard properties (metadata) from OLE files such as MS Office</title><description>Secuobs.com : 2014-08-29 17:56:13 - Decalage - olemeta is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract all standard properties present in the OLE file. It is part of the python-oletools package.</description><link>http://www.secuobs.com/revue/news/532191.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/532191.shtml</guid></item>
<item><title>oletimes - a tool to extract creation and modification timestamps of all streams and storages in OLE files</title><description>Secuobs.com : 2014-08-29 17:56:13 - Decalage - oletimes is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract creation and modification times of all streams and storages in the OLE file. It is part of the python-oletools package.</description><link>http://www.secuobs.com/revue/news/532190.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/532190.shtml</guid></item>
<item><title>olevba - a tool to extract VBA Macro source code from MS Office documents (OLE and OpenXML)</title><description>Secuobs.com : 2014-08-29 17:56:13 - Decalage - olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to extract VBA macro code in clear text. It is part of the python-oletools package.</description><link>http://www.secuobs.com/revue/news/532189.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/532189.shtml</guid></item>
<item><title>OleFileIO_PL: Experimental write features</title><description>Secuobs.com : 2014-08-01 19:06:41 - Decalage - Since version 0.32, OleFileIO_PL comes with experimental write features. For now it is possible to write sectors, and to write over an existing stream. More features will be added over time.</description><link>http://www.secuobs.com/revue/news/528014.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/528014.shtml</guid></item>
<item><title>File Scanning Frameworks for Malware Analysis and Incident Response</title><description>Secuobs.com : 2014-07-21 14:08:41 - Decalage - This article presents several new open source frameworks meant to simplify static file scanning for malware analysis and incident response: MASTIFF, Viper, IRMA and a few others. Their goal is to provide an extensible framework to integrate many existing scanning tools.</description><link>http://www.secuobs.com/revue/news/526159.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/526159.shtml</guid></item>
<item><title>How to convert Signsrch/Clamsrch signatures to Yara</title><description>Secuobs.com : 2014-03-30 01:32:58 - Decalage - This article explains how I converted Signsrch signatures to Yara rules, in order to include them in my tool Balbuzard. Signsrch signatures are useful for malware analysis, to detect standard constants used in many encryption and compression algorithms, and also some anti-debugging code.</description><link>http://www.secuobs.com/revue/news/505530.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/505530.shtml</guid></item>
<item><title>Balbuzard - malware analysis tools to extract patterns and crack obfuscation</title><description>Secuobs.com : 2014-02-28 22:39:39 - Decalage - Balbuzard is a package of open-source python tools for malware analysis. balbuzard is a tool to extract patterns of interest from malicious files, such as IP addresses, URLs, embedded files and typical malware strings. It is easily extensible with new patterns, regular expressions and Yara rules. bbcrack uses a new algorithm based on patterns of interest to bruteforce typical malware obfuscation such as XOR, ROL, ADD and various combinations, in order to guess which algorithms and keys have been used. bbharvest extracts all patterns of interest found when applying typical malware obfuscation transforms such as XOR, ROL, ADD and various combinations, trying all possible keys. It is especially useful when several keys or several transforms are used in a single file. bbtrans can apply any of the transforms from bbcrack (XOR, ROL, ADD and various combinations) to a file.</description><link>http://www.secuobs.com/revue/news/500570.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/500570.shtml</guid></item>
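<![CDATA[
Added example of the bbcrack idea described in the item above (this is not Balbuzard's own code): try every single-byte XOR, ADD and ROL transform, plus XOR-then-ROL combinations, as a decoding table, then rank the results by how many patterns of interest (URLs, IPv4 addresses, the PE stub string, Windows paths) each one reveals. The pattern list, the weights and the obfuscated sample blob are constructed for this example; the real tool ships a much larger pattern set and more transforms.

```python
"""Pattern-scored brute force of single-byte obfuscation (XOR / ADD / ROL and
XOR-then-ROL), in the spirit of bbcrack. Added example, not Balbuzard's code;
the pattern set, weights and the sample blob are constructed for this example."""
import re
from typing import Iterator, List, NamedTuple, Tuple

# Patterns of interest: strings cleartext malware tends to contain. A hit is
# strong evidence that a candidate transform/key has recovered the cleartext.
PATTERNS = [
    ("PE stub", 20, re.compile(rb"This program cannot be run in DOS mode")),
    ("URL", 10, re.compile(rb"https?://[\w.-]+(?:/[\w./?=&%-]*)?")),
    ("IPv4", 5, re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("Windows path", 5, re.compile(rb"[A-Za-z]:\\(?:[\w. -]+\\)*[\w. -]+")),
]


# Each transform is a 256-byte translation table, so applying it to a buffer
# is a single bytes.translate() call.
def xor_table(key: int) -> bytes:
    return bytes(b ^ key for b in range(256))


def add_table(key: int) -> bytes:
    return bytes((b + key) & 0xFF for b in range(256))


def rol_table(bits: int) -> bytes:
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in range(256))


def chain(first: bytes, second: bytes) -> bytes:
    """Table for 'apply first, then second'."""
    return bytes(second[first[b]] for b in range(256))


def candidate_transforms() -> Iterator[Tuple[str, bytes]]:
    """Every decoding transform and key to try (2302 tables in total)."""
    for k in range(1, 256):
        yield f"XOR {k:02X}", xor_table(k)
        yield f"ADD {k:02X}", add_table(k)  # undoes a SUB by k (or an ADD by 256-k)
    for r in range(1, 8):
        yield f"ROL {r}", rol_table(r)  # undoes a ROR by r
    for k in range(1, 256):
        for r in range(1, 8):
            yield f"XOR {k:02X} then ROL {r}", chain(xor_table(k), rol_table(r))


class Candidate(NamedTuple):
    name: str
    score: int
    data: bytes


def score(data: bytes) -> int:
    """Weighted count of pattern hits in a candidate cleartext."""
    return sum(w * len(rx.findall(data)) for _, w, rx in PATTERNS)


def bbcrack(data: bytes, top: int = 5) -> List[Candidate]:
    """Apply every candidate transform and rank the results by pattern hits."""
    found = []
    for name, table in candidate_transforms():
        decoded = data.translate(table)
        s = score(decoded)
        if s:
            found.append(Candidate(name, s, decoded))
    found.sort(key=lambda c: c.score, reverse=True)
    return found[:top]


# Constructed sample: a cleartext config blob obfuscated with ROR 3 followed by
# XOR 0x5A, i.e. the inverse of "XOR 5A then ROL 3" (ROR 3 is the same as ROL 5).
CLEARTEXT = (b"This program cannot be run in DOS mode.\r\n"
             b"c2=http://update.example.com/gate.php\r\n"
             b"srv=192.168.10.23\r\n"
             b"drop=C:\\Users\\Public\\svchost.exe\r\n")
OBFUSCATED = CLEARTEXT.translate(chain(rol_table(5), xor_table(0x5A)))

if __name__ == "__main__":
    for cand in bbcrack(OBFUSCATED):
        print(f"{cand.score:4d}  {cand.name:20s}  {cand.data[:40]!r}")
```

Translation tables make each trial a single bytes.translate() call, so the full sweep over a small buffer takes well under a second. On a large file, scoring only the first few kilobytes is a cheap way to shortlist transform/key pairs before decoding the whole thing, and the ranking, rather than a single answer, is what you want when a sample mixes several keys or transforms.
]]>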
<item><title>rtfobj - a python tool to extract embedded objects from RTF files</title><description>Secuobs.com : 2013-05-03 00:29:27 - Decalage - </description><link>http://www.secuobs.com/revue/news/443275.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443275.shtml</guid></item>
<item><title>oleid - a python tool to quickly analyze OLE files</title><description>Secuobs.com : 2012-11-02 11:20:02 - Decalage - oleid is a script to analyze OLE files such as MS Office documents (e.g. Word, Excel), to detect specific characteristics that could potentially indicate that the file is suspicious or malicious, in terms of security (e.g. malware). For example it can detect VBA macros, embedded Flash objects and fragmentation. It is part of the oletools package.</description><link>http://www.secuobs.com/revue/news/409175.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/409175.shtml</guid></item>
<item><title>olebrowse - a simple python GUI to browse OLE files and extract streams</title><description>Secuobs.com : 2012-10-15 23:04:22 - Decalage - olebrowse is a simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams. It is part of the oletools package.</description><link>http://www.secuobs.com/revue/news/405717.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405717.shtml</guid></item>
<item><title>oletools - python tools to analyze OLE files</title><description>Secuobs.com : 2012-10-15 22:12:13 - Decalage - oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis and debugging. It is based on the OleFileIO_PL parser.</description><link>http://www.secuobs.com/revue/news/405701.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405701.shtml</guid></item>
<item><title>pyxswf - a python tool to extract SWF (Flash) objects from documents</title><description>Secuobs.com : 2012-10-15 22:12:13 - Decalage - pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may be embedded in files such as MS Office documents (e.g. Word, Excel), which is especially useful for malware analysis. It is part of the oletools package.</description><link>http://www.secuobs.com/revue/news/405700.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405700.shtml</guid></item>
<item><title>MS Office legacy binary formats security (doc, xls, ppt, ...)</title><description>Secuobs.com : 2012-09-24 00:19:59 - Decalage - This article describes the Microsoft Office legacy binary file formats (doc, xls, ppt), related security issues and useful resources (WORK IN PROGRESS).</description><link>http://www.secuobs.com/revue/news/401306.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/401306.shtml</guid></item>
<item><title>iodeflib - a python library to create, parse and edit IODEF incident reports</title><description>Secuobs.com : 2012-04-12 02:52:22 - Decalage - iodeflib is a python library to create, parse and edit cyber incident reports using the IODEF XML format (RFC 5070).</description><link>http://www.secuobs.com/revue/news/369510.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/369510.shtml</guid></item>
<item><title>pywordform - a Python module to parse MS Word forms (docx) to extract field values and tags</title><description>Secuobs.com : 2012-03-05 10:39:03 - Decalage - pywordform is a python module to parse Microsoft Word forms in docx format, and extract all field values with their tags into a python dictionary.</description><link>http://www.secuobs.com/revue/news/361396.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/361396.shtml</guid></item>
<item><title>How to package a Python app and the Python interpreter in a single EXE</title><description>Secuobs.com : 2011-12-08 11:40:46 - Decalage - This article describes solutions to create a single executable file containing a Python application script and the Python interpreter DLL with all necessary libraries. The executable file can then be launched on any system, even if Python is not installed.</description><link>http://www.secuobs.com/revue/news/346060.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/346060.shtml</guid></item>
<item><title>OleFileIO_PL - a Python module to read MS OLE2 files</title><description>Secuobs.com : 2011-10-20 07:19:28 - Decalage - OleFileIO_PL is a Python module to read Microsoft OLE2 files (also called Structured Storage or Compound Document File Format), such as Microsoft Office documents, Image Composer and FlashPix files, Outlook messages, etc. This is an improved version of the OleFileIO module from PIL, the excellent Python Imaging Library, created and maintained by Fredrik Lundh. The API is still compatible with PIL, but the internal implementation has been improved a lot, with bugfixes and a more robust design.</description><link>http://www.secuobs.com/revue/news/335899.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/335899.shtml</guid></item>
<item><title>CherryProxy - a filtering HTTP proxy extensible in Python</title><description>Secuobs.com : 2011-10-04 23:00:35 - Decalage - CherryProxy is a simple HTTP proxy written in Python, based on the CherryPy WSGI server and httplib, extensible for content analysis and filtering.</description><link>http://www.secuobs.com/revue/news/332690.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/332690.shtml</guid></item>
<item><title>Portable ExeFilter</title><description>Secuobs.com : 2011-05-18 08:10:20 - Decalage - If you want to test or use ExeFilter on Windows but you cannot or do not want to install a Python interpreter, Portable ExeFilter is a simple solution. You just need to unzip it in any folder on a hard drive or a USB stick and it should run anywhere.</description><link>http://www.secuobs.com/revue/news/305530.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/305530.shtml</guid></item>
<item><title>tempfilemgr - a Python module to manage temporary files</title><description>Secuobs.com : 2011-02-22 23:39:13 - Decalage - tempfilemgr is a Python 2.x module to easily create temporary files and directories, and to make sure that all of them are deleted after use. It adds several useful features to the standard tempfile module.</description><link>http://www.secuobs.com/revue/news/287001.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/287001.shtml</guid></item>
<item><title>CanSecWest08 - ExeFilter</title><description>Secuobs.com : 2011-02-12 22:38:51 - Decalage - This is a presentation at the CanSecWest08 conference about ExeFilter, an open-source tool and framework to filter files and active content.</description><link>http://www.secuobs.com/revue/news/284812.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/284812.shtml</guid></item>
<item><title>How to obtain the binary representation of an integer in Python</title><description>Secuobs.com : 2010-09-17 02:09:41 - Decalage - With Python 2.6+, that's quite simple: print '{0:b}'.format(i)</description><link>http://www.secuobs.com/revue/news/248039.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248039.shtml</guid></item>
<item><title>My Python howtos</title><description>Secuobs.com : 2010-09-17 02:09:41 - Decalage - Here is a collection of short articles I have written about how to do many useful things in Python.</description><link>http://www.secuobs.com/revue/news/248038.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248038.shtml</guid></item>
<item><title>ExeFilter - an open-source tool and framework to filter files and active content</title><description>Secuobs.com : 2010-09-17 02:09:41 - Decalage - ExeFilter is an open-source tool and python framework to filter file formats in e-mails, web pages or files. It detects many common file formats and can remove active content (scripts, macros, etc.) according to a configurable policy.</description><link>http://www.secuobs.com/revue/news/248037.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248037.shtml</guid></item>
<item><title>SSTIC10 - Visualization and Dynamic Risk Assessment for Cyber Defence</title><description>Secuobs.com : 2010-09-17 02:09:41 - Decalage - Paper and presentation about visualization and dynamic risk assessment for cyber defence, presented at the SSTIC symposium on June 9, 2010.</description><link>http://www.secuobs.com/revue/news/248036.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248036.shtml</guid></item>
<item><title>Articles and presentations about IT Security</title><description>Secuobs.com : 2010-09-17 02:09:41 - Decalage - Here is a list of all articles and presentations I've published about IT Security so far.</description><link>http://www.secuobs.com/revue/news/248035.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248035.shtml</guid></item>
<item><title>My Python projects</title><description>Secuobs.com : 2010-09-17 02:09:41 - Decalage - Here is the list of my open-source Python projects.</description><link>http://www.secuobs.com/revue/news/248034.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248034.shtml</guid></item>
<item><title>PDF Security Issues</title><description>Secuobs.com : 2010-09-17 02:09:41 - Decalage - This article describes the PDF file format, related security issues and useful resources (WORK IN PROGRESS).</description><link>http://www.secuobs.com/revue/news/248033.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/248033.shtml</guid></item>
<item><title>How to create network servers in Python (HTTP, FTP, SMTP, SOAP, syslog, ...)</title><description>Secuobs.com : 2010-07-29 09:27:51 - Decalage - This article lists solutions to create network servers in Python for different standard protocols (HTTP, FTP, SMTP, SOAP, syslog, WebDAV, ...).</description><link>http://www.secuobs.com/revue/news/244957.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/244957.shtml</guid></item>
<item><title>Origapy - a Python module to sanitize PDF files</title><description>Secuobs.com : 2010-06-28 23:32:07 - Decalage - Origapy is a Python interface to Origami, a PDF parser written in Ruby. It provides access to pdfclean.rb, in order to sanitize PDF files by disabling all active content (javascript, launch actions, embedded files, etc.).</description><link>http://www.secuobs.com/revue/news/235827.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/235827.shtml</guid></item>
<item><title>PDFiD - a Python module to analyze and sanitize PDF files</title><description>Secuobs.com : 2010-06-28 23:32:07 - Decalage - PDF files may be used to trigger malicious content, as described here. PDFiD is a Python tool to analyze and sanitize PDF files, written by Didier Stevens. Here is a version that I have slightly modified so that it can be imported as a module in Python applications (originally for ExeFilter).</description><link>http://www.secuobs.com/revue/news/235826.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/235826.shtml</guid></item>
<item><title>OVALdi - an open-source local vulnerability assessment scanner</title><description>Secuobs.com : 2010-06-28 23:32:07 - Decalage - OVALdi, also named the OVAL Interpreter, is an open-source tool developed by MITRE to demonstrate how the OVAL language may be used to scan a computer for vulnerabilities. This article provides a few hints about how to use this tool.</description><link>http://www.secuobs.com/revue/news/235825.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/235825.shtml</guid></item>
<item><title>Using ExeFilter against PDF exploits and zero-days such as CVE-2009-4324</title><description>Secuobs.com : 2010-06-28 23:32:07 - Decalage - This short article shows how ExeFilter can be used to disable JavaScript in PDF files, which is effective against many Adobe Reader exploits discovered in 2009, including the recent zero-day CVE-2009-4324.</description><link>http://www.secuobs.com/revue/news/235824.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/235824.shtml</guid></item>
<item><title>Python crash course</title><description>Secuobs.com : 2010-06-28 23:32:07 - Decalage - This is a Python course I have written to quickly teach Python to my colleagues and students, made of slides and samples for hands-on exercises.</description><link>http://www.secuobs.com/revue/news/235823.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/235823.shtml</guid></item>
<item><title>File Formats Security Issues</title><description>Secuobs.com : 2010-06-28 23:32:07 - Decalage - This is a series of articles about file formats and related security issues. In 2003 I presented an article in French about this subject at the SSTIC conference (SSTIC03). In the following articles I will provide an updated version in English with more information about common file formats.</description><link>http://www.secuobs.com/revue/news/235822.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/235822.shtml</guid></item>
<item><title>ExeFilter vs the Escape from PDF (CVE-2010-1240)</title><description>Secuobs.com : 2010-06-28 23:32:07 - Decalage - On 29 March 2010, Didier Stevens revealed in his blog that he had found a way to launch an executable file stored in a PDF document, without using any JavaScript or buffer overflow. This short article shows how ExeFilter can be used to sanitize such PDF files to block this type of attack.</description><link>http://www.secuobs.com/revue/news/235821.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/235821.shtml</guid></item>
<item><title>SSTIC03 - Malware and file formats</title><description>Secuobs.com : 2010-06-28 23:32:07 - Decalage - This article explains how many common file formats (DOC, XLS, PDF, HTML, XML, RTF, ...) may hide or trigger malicious code (virus, Trojan horse, ...) using their native features such as active content (macros, Javascript, etc.). It was presented at the SSTIC symposium and OSSIR in 2003.</description><link>http://www.secuobs.com/revue/news/235820.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/235820.shtml</guid></item>
<item><title>pyxmldsig - a Python module to create and verify XML Digital Signatures (XML-DSig)</title><description>Secuobs.com : 2010-06-28 23:32:07 - Decalage - pyxmldsig is a Python module to create and verify XML Digital Signatures (XML-DSig). This is a simple interface to the PyXMLSec library, aiming to provide a more pythonic API suitable for Python applications.</description><link>http://www.secuobs.com/revue/news/235819.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/235819.shtml</guid></item>
<item><title>EUSecWest 2010 - Fighting PDF malware with ExeFilter</title><description>Secuobs.com : 2010-06-28 23:32:07 - Decalage - This is a presentation given at the EUSecWest 2010 conference in Amsterdam on 16 June, about recent PDF vulnerabilities and malware, showing how a tool such as ExeFilter may be used to provide additional protection as a complement to antivirus engines.</description><link>http://www.secuobs.com/revue/news/235818.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/235818.shtml</guid></item>
</channel>
</rss>
 
