<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Diaphora, a program diffing plugin for IDA Pro</title><description>2015-03-13 14:01:58 - Unintended Results : Some weeks ago I started developing a binary diffing plugin for IDA Pro (in IDA Python) like Zynamics BinDiff, DarunGrim or Turbo Diff. The reasons to create one more (open source) plugin for such a task are various, but the following are the main ones: We need an Open Source plugin tool that is updated, maintained and easy to</description><link>http://www.secuobs.com/revue/news/563333.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/563333.shtml</guid></item>
<item><title>Heuristics to detect malware distributed via Web</title><description>Secuobs.com : 2014-08-20 00:33:25 - Unintended Results - Two years ago I started a project, for fun, to try to catch as much malware and URLs related to malware as possible. I have written about this before. In this post I'll explain the heuristics I use for trying to classify URLs as malicious with "Malware Intelligence", the name of the system that generates</description><link>http://www.secuobs.com/revue/news/530589.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/530589.shtml</guid></item>
<item><title>A vulnerability that wasn't</title><description>Secuobs.com : 2014-05-02 13:17:30 - Unintended Results - This is a history of fail. I was analysing a piece of code, in assembly, that I thought would be vulnerable to a zero allocation bug allowing me to overwrite some bytes of heap space (overwriting a structure with many function pointers). However, after spending like 2 hours analysing statically the "bug", and documenting it,</description><link>http://www.secuobs.com/revue/news/511533.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/511533.shtml</guid></item>
<item><title>Owning Unix and Windows systems with a (somewhat) limited vulnerability</title><description>Secuobs.com : 2013-07-09 22:38:21 - Unintended Results - Auditing a product recently I noticed a curious scenario where I control the following. Unix based: The limited vulnerability allows one to create any file as root controlling the contents of that file. I can even overwrite existing files. Windows based: The vulnerability allows one to execute an operating system command but doesn't allow, for</description><link>http://www.secuobs.com/revue/news/455916.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/455916.shtml</guid></item>
<item><title>Malware URLs</title><description>Secuobs.com : 2013-01-26 14:11:26 - Unintended Results - It's been a while since I started writing a first prototype to try to catch as much malware (URLs and samples) as possible. Today I can say my project is all grown up as it's generating, daily, a feed with around 9000 malware URLs and with a low rate of false positives (although there may</description><link>http://www.secuobs.com/revue/news/424039.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/424039.shtml</guid></item>
<item><title>A simple activity monitor with /dev/random</title><description>Secuobs.com : 2012-11-24 22:03:51 - Unintended Results - Today I was performing some tests in the random number generators of some browsers and found, by chance, this mail sent to Bugtraq by Michal Zalewski called "Unix entropy source can be used for keystroke timing attacks". While the idea of Michal is very good, I failed to find a reliable way of doing it</description><link>http://www.secuobs.com/revue/news/413206.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/413206.shtml</guid></item>
<item><title>Patching old linux binaries to work with recent libc versions</title><description>Secuobs.com : 2012-11-14 23:10:57 - Unintended Results - From time to time I need to use some old binary created for older Linux versions like Redhat 6.2, for example. The problem with those binaries is that they were compiled with a very old version of the glibc and they cannot be run 'like this' in newer systems. Sometimes, just making a symbolic link</description><link>http://www.secuobs.com/revue/news/411516.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/411516.shtml</guid></item>
<item><title>A simple PIN tool unpacker for the Linux version of Skype</title><description>Secuobs.com : 2012-11-04 14:19:24 - Unintended Results - Some time ago I wanted to take a look at Skype to see how it works and get the classes diagram of this program but, surprise! It's packed. The Windows version, the last time I checked it, was protected with Themida. However, as I expected, the Linux version was simply packed (not protected) and with</description><link>http://www.secuobs.com/revue/news/409396.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/409396.shtml</guid></item>
<item><title>Finding malware &amp; spam in Twitter</title><description>Secuobs.com : 2012-08-25 20:22:44 - Unintended Results - Some months ago I had the feeling that, probably, some social networks like Facebook or Twitter would be a good source to find both malware &amp; spam and, as so, I decided to write a quick honeypot to try to catch as much malware &amp; spam as possible as soon as they become available on</description><link>http://www.secuobs.com/revue/news/395742.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/395742.shtml</guid></item>
<item><title>Simple Bug Finding Tools (Fugue) I</title><description>Secuobs.com : 2012-08-05 14:10:36 - Unintended Results - It's been a while since I started writing, as a personal 'research' project, a tool to automatically find bugs (that could lead to vulnerabilities) performing static code analysis and, even when it will take a very long while until I have something decent to release to the general public, I have some -I hope interesting-</description><link>http://www.secuobs.com/revue/news/391736.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391736.shtml</guid></item>
<item><title>Embedding a shellcode in a PE file</title><description>Secuobs.com : 2012-05-06 10:42:23 - Unintended Results - Some time ago a friend asked in a private mailing list about possible ways to embed a shellcode in one executable file (PE) and ways to bypass AV detection. I recommended him to use any Windows supplied PE file (or any other 'goodware' PE file) and patching some "always called function" with the shellcode. It</description><link>http://www.secuobs.com/revue/news/373979.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/373979.shtml</guid></item>
<item><title>Extracting binary patterns in malware sets and generating Yara rules</title><description>Secuobs.com : 2012-04-29 14:28:36 - Unintended Results - Some time ago a friend and I were talking about how to create a tool to compare a set of malware samples and extract the binary patterns matched in all or most of the samples. Searching for diffing algorithms I found out some very interesting books on the matter like "O(ND) Difference Algorithm and its</description><link>http://www.secuobs.com/revue/news/372608.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/372608.shtml</guid></item>
<item><title>Automated or manual attack?</title><description>Secuobs.com : 2011-12-04 19:12:41 - Unintended Results - Today I received a notification about an automated attack against this blog. Nothing new, however, I was curious about how it exactly works and decided to take a brief look at the attack to answer various questions: What vulnerability is this exploiting? Am I vulnerable? What does the payload do? Is this an automated attack or</description><link>http://www.secuobs.com/revue/news/345265.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/345265.shtml</guid></item>
<item><title>Zerowine 2.0 preview</title><description>Secuobs.com : 2010-10-23 00:24:11 - Unintended Results - Hi! I plan to release in a month or so the newest version of ZeroWine focused on automation. This new version consists in the following components: A modified version of Wine 1.1.0, One XMLRPC Server, One XMLRPC client tool. WINE Changes: Wine was patched to add more debugging channels and to remove noise from the</description><link>http://www.secuobs.com/revue/news/259337.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/259337.shtml</guid></item>
<item><title>Dangers of Oracle Virtual Columns</title><description>Secuobs.com : 2010-05-15 03:09:30 - Unintended Results - Virtual Columns is a new feature of Oracle 11g. This feature allows to create table columns based on PL/SQL functions. While it's useful it can be dangerous too. What happens if someone creates a table column based on a "malicious" PL/SQL function? What happens when someone selects data from a table with a virtual column that executes</description><link>http://www.secuobs.com/revue/news/222404.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/222404.shtml</guid></item>
<item><title>Oracle TimesTen Remote Format String</title><description>Secuobs.com : 2010-05-03 20:36:46 - Unintended Results - Product Description: Oracle TimesTen provides a family of real-time infrastructure software products designed for low latency, high-volume data, event and transaction management. Summary: The Oracle January 2009 Critical Patch Update fixes a vulnerability which allows a remote preauthenticated attacker to execute arbitrary code in the context of the user running Oracle TimesTen server. Affected versions: Oracle TimesTen prior to version</description><link>http://www.secuobs.com/revue/news/218306.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218306.shtml</guid></item>
<item><title>Zerowine: Malware dumping and detection tricks (Updated)</title><description>Secuobs.com : 2010-05-03 20:36:46 - Unintended Results - Update: I released the new version now. Download the prebuilt QEmu virtual machine (or the source code) from here. Remember that the root's password is "zerowine". There is also another user account ("malware") with password "malware". I recently added 3 new interesting features to Zerowine. The very first one is the ability to dump the malware</description><link>http://www.secuobs.com/revue/news/218305.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218305.shtml</guid></item>
<item><title>Zerowine: Better reports, network conversations and bug fixes</title><description>Secuobs.com : 2010-05-03 20:36:46 - Unintended Results - Single user version of Zerowine: Yesterday I finished the (surely) last single-user version of Zerowine and added some interesting features to it. Many Zerowine users told me that the reports were very confusing and, yes, that's true. I fixed this problem by adding new debugging channels to the currently latest stable version of Wine (1.1.10) and,</description><link>http://www.secuobs.com/revue/news/218304.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218304.shtml</guid></item>
<item><title>Malware Tricks I</title><description>Secuobs.com : 2010-05-03 20:36:46 - Unintended Results - Today, while analyzing a family of malwares (the family called by some vendors "Krap") I noticed a good and new, at least for me, antiemulation technique. What do you think this sample code does? some_func: [do stuff] ... start: push offset some_func; jmp edx. What is this? We're pushing the address of</description><link>http://www.secuobs.com/revue/news/218303.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218303.shtml</guid></item>
<item><title>Pyew: A Python tool to analyze malware</title><description>Secuobs.com : 2010-05-03 20:36:46 - Unintended Results - Working in a disassembler with code analysis to speed up (graph) analysis of malware dumps (malware dumped from memory while running) I decided to write a tool using this core oriented to malware analysis and the result is Pyew. Pyew is a tool like radare or biew/hiew. It's a hexadecimal viewer, disassembler for IA32 and AMD64</description><link>http://www.secuobs.com/revue/news/218302.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218302.shtml</guid></item>
<item><title>Analyzing PDF exploits with Pyew</title><description>Secuobs.com : 2010-05-03 20:36:46 - Unintended Results - Something I really hate to do when analyzing PDF malware exploits is to manually extract the streams and manually decode them to see the, typically, hidden JavaScript code, so I decided to extend the PDF plugin for Pyew to automatically see them. Now, with the new version of the plugin (download it from the</description><link>http://www.secuobs.com/revue/news/218301.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218301.shtml</guid></item>
<item><title>Antiemulation Techniques (Malware Tricks II)</title><description>Secuobs.com : 2010-05-03 20:36:46 - Unintended Results - From time to time, when reversing malware, I find new antiemulation techniques as they are widely used by malware to evade detection by AVs that use emulation; however, it seems that no one wrote about them, maybe because there are a lot or, maybe, because they aren't very interesting. Anyway, a friend and I decided</description><link>http://www.secuobs.com/revue/news/218300.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218300.shtml</guid></item>
<item><title>A typical work day with DeepToad</title><description>Secuobs.com : 2010-05-03 20:36:46 - Unintended Results - Sometimes, I receive so many malware samples that it turns out to be impossible (or at least inhuman) to analyze all the samples by hand and I need to automate the typical (boring) tasks: Clusterization of the samples in smaller sets and initial (and superficial) analysis of the different samples. For the first task I</description><link>http://www.secuobs.com/revue/news/218299.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218299.shtml</guid></item>
<item><title>MyNav, a python plugin for IDA Pro</title><description>Secuobs.com : 2010-05-03 20:36:46 - Unintended Results - MyNav is an Open Source IDAPython plugin for the commercial disassembler IDA Pro to be released on July 2010. The plugin adds a lot of new features only available in other products like in the well known Zynamics BinNavi or HBGary's Inspector. In this blog post I will show you some of the features</description><link>http://www.secuobs.com/revue/news/218298.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218298.shtml</guid></item>
</channel>
</rss>
 
