Channel: 9b+

Malware Statistic Summary

While waiting for approval to release certain statistics, I figured I would release some high level information I found interesting from my malware dataset. To help put things into perspective I will...

Generic Filter May Be Specific

In my last post I highlighted what I felt to be interesting characteristics on malicious PDF files compared to my random dataset. Towards the end of the post I mentioned the following potential filter...

Scoring PDFs Based on Malicious Filter

Using the filter I created in the previous postings, I decided to port it over to something more useful. Having a SQL statement is fine on database data, but it is not the most practical method of...

Released Malware Statistics and Scoring Tests

Before I get to the interesting news, I wanted to point out that I released the Malware database snapshot. This is essentially the same thing as the random dataset, but the content is derived from...

New CVE to the List of Malware

Today I went through and ran the newly collected malware I found through a couple scanners. For the most part all the vulnerabilities exploited seemed to match with the existing samples I already had....

Looking for New Data Storage Methods

Over the past few days I have been grabbing more and more characteristics from this malware and I have reached a problem. The data is quite dynamic on multiple levels which makes it hard to store in a...

Malware Sample Format in MongoDB

I finally got a chance to sit down and work on the format for a malicious sample that would then get inserted into MongoDB. I am not certain if this is exactly how the final format will be...

Complete Malware Sample Dump in MongoDB (50 malicious PDF objects)

Since releasing the malpdfobj tool (~24 hours), I have been running and testing it. I found a couple bugs that caused issues when inserting some samples into the database, but those are all now fixed...

Malicious PDF Files do not Appear to Share Objects

I wanted to wait on releasing this until I made some more queries, but that may take a few days, so here it is now. The night I got all my malicious files into my MongoDB instance I started to query....

If I were an attacker: Third-party JS libraries

I was taking a look at a case today where the potentially malicious site had a bunch of JS that looked a little weird. As I was going through my files I noticed that jQuery was being used on the site...

New Sample, Old Exploit.

Last night I pulled down a PDF off the network, ran it through my PDF X-RAY (unreleased - still waiting on the conference feedback) tool and was happy to see another new entry that could be added to...

Post Thoughts on the Analysis of Malicious Documents Dojo at CanSecWest 2011

When I heard there was going to be a PDF-based training at CanSecWest I jumped on board and anticipated what we might talk about. Unlike most of the classes, this one was a single day and was set to...

Malicious PDF Payloads: Size really does matter

Back when I was looking at averages of information collected across random/malicious documents, I noted that filesize seemed to be a helper in narrowing down whether or not a file could be suspicious...

Eleonore is One Ugly Mistress

While taking a break from malicious PDFs, I decided it would be a good idea to start breaking down some of these well-known exploit kits. I have seen a couple good write ups on how the kits are...

Toying With MS11-050

Update 06/29/2011 - 3:46PM: I have modified a local copy of the exploit file I have to run safely (no shellcode) and still get a crash. Initially I suspected that the final aspects of the JavaScript...

Kim Jong-il PDF Malware

Update: See also http://blog.trendmicro.com/kim-jong-il-malicious-spam-found/comment-page-1/#c... This is just meant to be a quick post and not a full analysis. After checking PDF X-RAY this morning I...

Googling Malware Makes Sense

A couple weeks ago I submitted a sitemap containing thousands of PDF X-RAY report URLs to Google Webmaster tools. The thought behind this was that Google would index the decoded, decrypted PDF content...

Smart Hash Google Gadget

Hashes and malware go together. When you get a new piece of malware the first thing you should do is create a hash and search for any information available on it. In some cases you may turn up nothing...
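The "hash first, then search" step described above, as an added example. This is not the Smart Hash gadget itself (its code is not on this page); it computes the three digests analysts most commonly pivot on, shows how to do the same for a large file in one streaming pass, and builds a quoted Google query per digest. The sample bytes and the local "seen before" index are constructed for the demo, and the search URL pattern is an assumption about what such a gadget would emit.

```python
"""Hash a sample and build the lookup pivots a first-look triage starts with.

Added example, not code from the original post. SAMPLE and KNOWN_INDEX below
are constructed for the demo; the search URL format is an assumption.
"""
import hashlib
import os
import tempfile
from urllib.parse import quote_plus

ALGOS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # hash files 1 MiB at a time so a large dropper never sits in RAM

# Constructed stand-in for a sample; not a real malicious file.
SAMPLE = b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"

# Constructed local index: digests you have already looked at, keyed by sha256.
# An analyst would fill this from their own notes or database, not from the post.
KNOWN_INDEX = {}


def hash_bytes(data: bytes) -> dict:
    """Return {algo: hexdigest} for an in-memory sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def hash_file(path: str) -> dict:
    """Same digests for a file on disk, computed in a single chunked pass
    so each byte is read once and all three hashers are fed together."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def search_urls(digests: dict) -> dict:
    """One web-search pivot per digest. The hash is wrapped in double quotes so
    the engine matches the exact token instead of tokenising the hex string.
    The URL pattern is an assumption for this example, not the gadget's."""
    return {
        name: "https://www.google.com/search?q=" + quote_plus('"%s"' % hexdigest)
        for name, hexdigest in digests.items()
    }


def lookup_local(digests: dict, index: dict = KNOWN_INDEX):
    """Check the local index before going to the web: a hit here means the
    sample was already analysed and the search step can be skipped."""
    return index.get(digests["sha256"])


def hash_file_matches_bytes(data: bytes) -> bool:
    """Sanity check that the streaming file path agrees with the in-memory path."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return hash_file(path) == hash_bytes(data)
    finally:
        os.unlink(path)


def triage(data: bytes) -> dict:
    """Hash the sample, consult the local index, and emit search pivots."""
    digests = hash_bytes(data)
    return {
        "digests": digests,
        "seen_before": lookup_local(digests),
        "search": search_urls(digests),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for algo, value in report["digests"].items():
        print("%-6s %s" % (algo, value))
        print("       %s" % report["search"][algo])
    print("seen before:", report["seen_before"])
```

Feed `triage()` the raw bytes of the sample you pulled, and record the sha256 in your own index once you have finished with it so the next copy short-circuits at `lookup_local()` rather than starting another search.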

Demystifying zfkeymonitor.exe

Update: Upon further analysis of this and other files that appeared related, this dropper appears to be a modified version of zxshell. Thanks to Binjo for the translation help and Nick Bloor for...

Quick Update on ~I32SUN.EXE

After my initial excitement died down, I sat down and took a look at the ~I32SUN.exe file and was saddened to find it looked just like CMD.exe. Hoping for something modified or different, I threw both...
