* You are viewing the archive for the ‘Malware Analysis’ Category

Volatility Framework 2.0 Released

Wow. This, in addition to MANDIANT’s recently released Redline tool, will amount to another devastating blow to HBGary Responder Pro sales and market share. How can you justify the $9000 USD cost for a Responder Pro license plus annual maintenance if one of these free tools works for the platforms you work on?

The following platforms are currently supported:
32bit Windows XP Service Pack 2 and 3
32bit Windows 2003 Server Service Pack 0, 1, 2
32bit Windows Vista Service Pack 0, 1, 2
32bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
32bit Windows 7 Service Pack 0, … Continue Reading


Win32 YARA Version Available

More outstanding work from VirusTotal: It looks like a Win32 version of YARA has been posted on the YARA project’s page on code.google.com. Unlike classic YARA, no Python runtime support is required. Note the interesting PID argument to YARA.exe.

usage: yara [OPTION]… [RULEFILE]… FILE | PID
-t print rules tagged as and ignore the rest. Can be used more than once.
-i print rules named … Continue Reading


RAM Dump Analysis for Apple OS X Systems

Kudos to Kyeong-Sik Lee and the Korean Digital Forensic Research Center for providing what I believe is the first publicly available tool for doing RAM dump analysis for Apple OS X systems. The new tool – volafox – isn’t as evolved as its Windows counterparts (HBGary Responder, MANDIANT Memoryze/Redline, or the Volatility Framework), but it is a great start. Volafox can be obtained from the link below.


email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement


Free MANDIANT Redline Malware Analysis Tool

MANDIANT might have just dealt another costly blow to HBGary’s Responder business with the release of their Redline memory dump and live system analysis tool. Considering what is available for free in this tool space (Volatility Framework 1.3 and 1.4, MANDIANT Memoryze, and now MANDIANT Redline) it is increasingly difficult to justify the $9000 USD upfront cost of HBGary Responder Pro plus the annual maintenance for Responder and HBGary DDNA (Digital DNA). It is awfully difficult to compete with free.

And unlike HBGary Responder Pro, I can actually reliably open up and analyze a Windows 7 RAM dump successfully … Continue Reading


Verizon Wireless’ Odd Use of Secure PDFs for eBilling Customers


I recently took a look at a suspected malicious email supposedly sent from Verizon Wireless.  Despite looking possibly malicious at first glance, it turns out that the email was legitimate.  Verizon Wireless is now offering a Secure eBill service that allows customers to elect to receive their bill in a secured PDF file.  The Verizon “Secure eBill” service is described here: http://www.verizonwireless.com/b2c/splash/secure_ebill.jsp.

If your organization is similarly considering using secure PDFs for any customer contacts, I would suggest not going down that path.  Some people might think this looks like a phishing attempt and might simply delete your emails.

Below are some screenshots of what this all looks … Continue Reading


Get $3500 iDefense Advanced Malware Class for Price of a Single Book

Get the benefit of the former $3500 Verisign iDefense Advanced Malware class for the price of a single book. The “Malware Analyst’s Cookbook” has been released, and it appears to be a much better value than it might seem at first glance. Michael Hale Ligh (formerly of iDefense, now Terremark) is one of the authors and he taught the well-regarded iDefense Malware analysis class that I am comparing this book to. He is also one of the top 10 malware reverse engineers in the world – and I do include the best among the intelligence services, military, … Continue Reading


How to Safely Test or Expand Shortened URLs Before Use

Need to find out what is on the other side of that bit.ly or tinyurl shortened link? Try http://longurl.org/ or http://sucuri.net/index.php?page=tools&title=check-url. They’re both free.


Is Microsoft MS10-015 Detection Tool Mpsyschk.exe Effective?

Has anyone seen the Microsoft MS10-015 mpsyschk.exe tool (http://support.microsoft.com/kb/980966) find a copy of Alureon/Tidserv? If so, please ping me at david @ sharpesecurity.com. I ran mpsyschk across a large population of machines last week and found nothing. Based on what I had observed in AV reporting, I had at least expected a couple of hits.

I took a look at the pass/fail logic in mpsyschk.exe. The pseudocode for the function that makes the PASS or FAIL decision is below. It looks like the decision point is whether or not two 4-byte values at offsets 0x7FFE0308 and 0x7FFE030C in the … Continue Reading