July 29, 2012 10:55 PM
Posted by: Dan O'Connor
Tags: anon, anonymous, anonymous hack, anonymous release, anti-sec, security news
This is pretty interesting:
http://www.theregister.co.uk/2012/07/28/anonymous_australia_posts_data/
I watched this TED video a couple weeks ago, and had a similar thought.
http://www.youtube.com/watch?v=Gv7Y0W0xmYQ
Well, except the Aussie break was before the data retention law. But...
July 29, 2012 10:43 PM
Posted by: Dan O'Connor
Special release of BackTrack just for Blackhat.
http://thepiratebay.se/torrent/7486622
July 29, 2012 10:28 PM
Posted by: Dan O'Connor
The good news is the detection ratio is now up considerably since I first started working with this sample. Initially 2 of 41 scanners detected the sample when I first got a hold of it; now it's 28 of 41. The bad news is that I have been stepping it through a debugger and there are a couple of SEH...
July 28, 2012 12:24 AM
Posted by: Dan O'Connor
I did a dump of the exe, and the good news is that I don't see any sign of a packer. The bad news is that I don't see any sign of its ability to phone home. I was really hoping that this would be easy and a DNS name or IP would be found in the exe.
Next thing is to run through it in a...
July 27, 2012 12:21 AM
Posted by: Dan O'Connor
Still no sign of outbound connections, and I am not sure if I will ever see one at this point.
My next step is to do some static analysis of the code and see if there are any hints in there.
I did have a thought, the suspect file came attached to an HTML email?
That could be an effective way to...
July 26, 2012 11:24 PM
Posted by: Dan O'Connor
Still no outbound connections that I have seen so far, but I did a bit of looking around and it does create a listener.
Listening on port 8000 TCP.
Connecting to it with netcat gives you a command shell.
That's good to know, what I really want to know is how they are going to connect to...
July 26, 2012 10:59 PM
Posted by: Dan O'Connor
Tags: backdoor, command and control, communication, digital forensics
Wow, really, I can't wait to get those.
I got a fake Groupon email today with a zip attachment that had an exe inside.
First thing was to get it copied on to my VM system (and hope it does not do something silly while running in a VM).
Then get a few of my favorite utils fired up. For...
July 25, 2012 7:26 PM
Posted by: Dan O'Connor
I am still working on getting the shellcode out so I can play with it, but in the meantime I hashed the file.
https://www.virustotal.com/file/51d0586cd16f1339674610b5e2d0eec810f647a40731ae551ad426699f333866/analysis/
We are on the right track, I might have to back burner this one for a bit.
July 24, 2012 7:35 PM
Posted by: Dan O'Connor
The JS we got from the last part has a lot of functions that appear to be checking versions of various software, but there is a bit of gravy at the end.
function getShellCode() {
    if (1) {
        return "shellcode";
    }
}
I truncated the shellcode, next we need to get...