PDF analysis of Nuclear Pack EK and CVE-2010-0188/CVE-2010-2883

A description of the Nuclear Pack exploit kit was recently published on Malwarebytes’ blog, but it does not cover the PDF exploit the kit uses, so we decided to do a more in-depth analysis. PDF analysis: to start the analysis we used peepdf. Two objects appear to be suspicious, so let’s start with… object […]

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 3

We are finally at the end of our Caphaw/Shylock analysis. This time we will deal entirely with the code injected into the explorer.exe process; the context will be a little more complex than in the previous parts because we will be working in a multithreaded environment. The injected code identifies an active domain (DGA-based) in order to download other […]

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 2

Welcome to the second part of our analysis of Caphaw/Shylock. In the first part we went through the dropping and unpacking stages of this malware. In this second part we will go through the remaining HSE::Step(s); in particular we will see how the previously gathered information is used, the network interactions […]

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 1

In this essay we will perform an in-depth analysis (from unpacking to the code injection into explorer.exe) of the most recent version of Caphaw/Shylock, a banking malware that, at the time of discovery, had no detections on VirusTotal (FUD, Fully UnDetected). The article will cover the following topics: analysis of the packer and the related unpacking; reverse […]

Malicious Java Applet Deobfuscation

On Sunday, 13 January 2013, I received an email from @it4sec about a malicious Java applet he had received. I decided to write about it, since Java applets have recently become a common vector for exploit kits. Recon stage: since a .jar file is basically a container (a ZIP archive), let’s use […]

Reverse Dxtory

It has been a while since reversing of .NET applications began. I still remember the first tutorials on the subject, and the first targets where changing a few bytes with a hex editor was enough to remove the restrictions completely. So much has changed: developers of both software and protections have made the reversing process […]

How To Attack a WEP/WPA Protected Wireless Network

Updated Jan 2013: added a WPS section. Any help completing this document is welcome, thanks! In this guide we discuss the many vulnerabilities affecting the WEP and WPA protocols, and we show some techniques that can be used to break these protection schemes. Feel free to add any missing questions. Thanks 🙂 Greetings: […]

X64 Assembly

Contents: Links and References; Introduction; Essay. Links and References: AMD64 documentation. Introduction: this article is extracted from “Moving to Windows x64” by Daniel Pistelli (Ntoskrnl). Essay: now I’ll try to explain the basics of x64 assembly. I assume the reader is already familiar with x86 assembly; otherwise they won’t be able to make heads or tails […]