Irregular Expressions:

July, 2012


July 29, 2012  11:04 PM

Wafer Thin Card Skimming



Posted by: Dan O'Connor
atm, atm pin pad

Here comes the next step in the ATM arms race. https://krebsonsecurity.com/2012/07/atm-skimmers-get-wafer-thin/ If there is something just out of reach, people will find a way to get to it. I'll be honest, I make a point not to use ATMs.

July 29, 2012  10:55 PM

Large Aus Data Release



Posted by: Dan O'Connor
anon, anonymous, anonymous hack, anonymous release, anti-sec, security news

This is pretty interesting: http://www.theregister.co.uk/2012/07/28/anonymous_australia_posts_data/ I watched this TED video a couple of weeks ago and had a similar thought. http://www.youtube.com/watch?v=Gv7Y0W0xmYQ Well, except the Aussie break was before the data retention law. But...


July 29, 2012  10:43 PM

BackTrack 5 R3 – Blackhat Edition



Posted by: Dan O'Connor

Special release of BackTrack just for Blackhat. http://thepiratebay.se/torrent/7486622


July 29, 2012  10:28 PM

Discount Gift Certificates – Part 5



Posted by: Dan O'Connor

The good news is that the detection ratio is now up considerably since I first started working with this sample. Initially 2 of 41 scanners detected the sample when I first got hold of it; now it's 28 of 41. The bad news is that I have been stepping it through a debugger and there are a couple of SEH...


July 28, 2012  12:24 AM

Discount Gift Certificates – Part 4



Posted by: Dan O'Connor

I did a dump of the exe, and the good news is that I don't see any sign of a packer. The bad news is that I don't see any sign of its ability to phone home. I was really hoping that this would be easy and a DNS name or IP would be found in the exe. Next thing is to run through it in a...


July 27, 2012  12:21 AM

Discount Gift Certificates – Part 3



Posted by: Dan O'Connor

Still no sign of outbound connections, and I am not sure if I will ever see one at this point. My next step is to do some static analysis of the code and see if there are any hints in there. I did have a thought: the suspect file came attached to an HTML email? That could be an effective way to...


July 26, 2012  11:24 PM

Discount Gift Certificates – Part 2



Posted by: Dan O'Connor

Still no outbound connections that I have seen so far, but I did a bit of looking around and it does create a listener, listening on port 8000 TCP. Connecting to it with netcat gives you a command shell. That's good to know; what I really want to know is how they are going to connect to...


July 26, 2012  10:59 PM

Discount Gift Certificates



Posted by: Dan O'Connor
backdoor, command and control, communication, digital forensics

Wow, really, I can't wait to get those. I got a fake Groupon email today with a zip attachment that had an exe inside. First thing was to get it copied onto my VM system (and hope it does not do something silly while running in a VM). Then get a few of my favorite utils fired up. For...


July 25, 2012  7:26 PM

Side Quest — Part 4



Posted by: Dan O'Connor

I am still working on getting the shellcode out so I can play with it, but in the meantime I hashed the file. https://www.virustotal.com/file/51d0586cd16f1339674610b5e2d0eec810f647a40731ae551ad426699f333866/analysis/ We are on the right track; I might have to back-burner this one for a bit.


July 24, 2012  7:35 PM

Side Quest — Part 4



Posted by: Dan O'Connor

The js we got from the last part has a lot of functions that appear to be checking versions of various software, but there is a bit of gravy at the end. function getShellCode() { if (1) { return "shellcode"; } } I truncated the shellcode; next we need to get...

