Category: Research

Website Review: Forbes.com

In this post, we review the web security posture of forbes.com. Let’s first browse to the website and view the security headers returned on the main site as well as the trackers used. HTTP/2.0 200 OK cache-control: public, max-age=300 content-encoding: gzip content-type: text/html; charset=utf-8 server: istio-envoy x-envoy-upstream-service-time: 513 backend: dnsresolver x-backend: simple-site-prod x-yourttl: 300.000 accept-ranges:…


Portable Executable File Corruption Preventing Malware From Running

Important Disclaimer – YOU MUST READ FIRST! Portions of this article contain source code from the Windows Research Kernel. This code is the intellectual property of Microsoft Corporation. I am using this code under special license in this post under these grounds of the license agreement: You may distribute snippets of this software in research…


MalwareAnalysisForums.com is now Live

I enjoy posting these blog posts, but I want to really give back to the community that I’ve enjoyed learning so much from, and I didn’t see a specific, dedicated discussion board for malware analysis and research. I decided to create one, and it is at https://malwareanalysisforums.com. It is currently invite-only, but feel free…


Todd’s GIANT Intro of Windows Malware Analysis Tools

Purpose of this page This is a continuously updated page, and it is never finished! I decided to go ahead and cover the tools I typically use for analyzing malware because, although I’ve found lists elsewhere, I’ve found no really large collection with explanation and/or any type of discussion of these tools. It’s generally more…


Windows Special Folders: CSIDLs, KNOWNFOLDERID

Introduction As we’ve seen many times before, malware authors are always trying to get at important system folders on victim systems. Some reasons for this are: to locate and attack actual operating system files; to impersonate or spoof system files, or create files with similar names, in an attempt to circumvent detection. For example –…


EquationGroup DoubleFantasy Part 1

Introduction EquationGroup has a malware called DoubleFantasy. It sounded interesting, so I decided to go ahead and attack it and find out what it’s all about. Supposedly Kaspersky said about EquationGroup, “The Equation Group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we…


What is a Malware Analyst and Why will your organization need one very soon?

Introduction I predict that within the next 5-10 years, the number of malware analyst, researcher, and reverse-engineer jobs is going to skyrocket. So what is a malware analyst, malware researcher, and/or malware reverse-engineer in the first place, and why will they be in high demand? What is a Malware Analyst/Researcher/Reverse Engineer? First of all, the slashes…


PortEx Analyzer

I wanted to mention a tool that I’ve found very helpful in analyzing Portable Executable (PE) files: PortEx Analyzer by Karsten Hahn. The first very noticeable difference between this program and so many others is the level of documentation. PortEx Analyzer is fully documented by Hahn and has a thorough readme and wiki as…


Inline Hook of a System Call via AppInit_DLLs Part 2 – The Hook

For an introduction, please refer to Part 1 of this analysis. The Installer Still inside the same Lab11-02.dll as before, we can return to DllMain and locate one more subroutine call, which takes us to the hook code. But this is incomplete knowledge, since we haven’t yet seen how the hook even gets installed…


Inline Hook of a System Call via AppInit_DLLs Part 1 – Decryption of XOR Cipher

Introduction This will be a two-part post. In part 1 I will demonstrate deciphering a simple XOR encryption used in Lab 11-02 of Practical Malware Analysis by Sikorski. This lab also demonstrates a technique called inline hooking, where malware installs itself onto the system as a code library file (DLL) and then redirects…