Current Topic: Miscellaneous

Automating AV signature generation « blog.zynamics.com

Topic: Miscellaneous
11:13 am EST, Feb 23, 2010
Automating AV signature generation By Thomas Dullien Hey all, I finally get around to writing about our automated byte signature generator. It’s going to be a bird’s eye view, so if you’re interested you’ll have to read Christian’s thesis (in German) or wait for our academic paper (in English) to be accepted somewhere. First, some background: One of the things we’re always working on at zynamics is VxClass, our automated malware classification system. The underlying core that drives VxClass is the BinDiff 3 engine (about which I have written elsewhere). An important insight about BinDiff’s algorithms is the following:
The Zynamics guys always have a different way of thinking. Great work again!

Hex blog: An attempt to reconstruct the call stack

Topic: Miscellaneous
10:52 am EST, Feb 23, 2010
An attempt to reconstruct the call stack Walking the stack and trying to reconstruct the call stack is a challenge (especially if no or little symbolic information is present) and there are many questions to be answered in order to have a correct call stack:

Matasano Security LLC - Chargen - Exercises for a burgeoning Army of Ninjas

Topic: Miscellaneous
10:24 am EST, Feb 23, 2010
At SourceBoston 2009 fellow New Yorker Dan Guido did a talk entitled “So You Want to Train an Army of Ninjas”. Dan’s talk was on his experience organizing the CSAW competitions at NYU:Polytechnic. If you are unfamiliar with the annual awesomeness that the ISIS program at NYU:Poly puts together, you can read more about the whole event here. To quote someone on twitter “If all of school was like [the program at NYU:Poly] maybe I wouldn’t have dropped out.”
This is a good read. I still think teaching yourself these skills as opposed to 'learning' them is a vital step.

Abusing WCF to Perform Remote Port Scans - Gotham Digital Science

Topic: Miscellaneous
10:48 am EST, Feb 22, 2010
Last weekend at Shmoocon, I demonstrated how an attacker can trick certain WCF web services into performing an unauthorized port scan of machines behind a firewall. For those that were not able to attend the talk, the slides are posted here. The part that covers the port scanning technique may not be clear in isolation, so I’ll try and explain it in detail. The problem is related to the WSDualHttpBinding, so in order to understand how the scanning technique works you must first understand some WSDualHttpBinding basics.

Dailydave: XSS in viewstate

Topic: Miscellaneous
10:07 am EST, Feb 22, 2010
http://www.hacking-lab.com/misc/downloads/ViewState_Afames.pdf This, on first glance, looks real to me. Does anyone have any comments on it? ViewState is pretty complex and fairly opaque. If I understand properly, MS does not publish the full specs to it? Maybe the Mono team found them somewhere?

Adobe Reader and The Unspecified Vulnerability - Blog - Blog & News - Company

Topic: Miscellaneous
10:18 am EST, Feb 19, 2010
14:53 CET on the 19th February 2010. Entry written by Alin Rad Pop. Adobe Reader has been recently updated to version 9.3.1, fixing a vulnerability for which no details were provided. Quoting the vendor: "In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system."

Microsoft Malware Protection Center : Restart issues on an Alureon infected machine after MS10-015 is applied

Topic: Miscellaneous
9:57 pm EST, Feb 18, 2010
The Win32/Alureon family of malware is a complex set of components which perform various functions. These include the modification of DNS settings, search hijacking, and click fraud. Alureon has existed for several years and has undergone a number of evolutionary changes. The ability to “infect” the miniport driver associated with the hard disk of the operating system is a recent notable change. This functionality first appeared around August 2009. For the most common system configuration (for machines using ATA hard disk drives), the ATA miniport driver ‘atapi.sys’ is the file which is targeted.

Assured Exploitation training course at CanSecWest

Topic: Miscellaneous
9:53 pm EST, Feb 18, 2010
Feb 17, 2010 Dino Dai Zovi and I are going to teach a two day training course at the CanSecWest conference in March of this year. Our course is titled Assured Exploitation and will focus on the advanced exploitation techniques required for developing state of the art exploits for Vista and Windows 7 systems.

Hex blog: Scriptable Processor modules

Topic: Miscellaneous
3:23 pm EST, Feb 17, 2010
If you like this feature, make sure to apply for the beta testing of next version when we announce it!

The Security Development Lifecycle : VC 2010 and memcpy

Topic: Miscellaneous
12:54 pm EST, Feb 17, 2010
A year ago, I wrote a short post about us banning memcpy in the SDL for new code. Well, I’m happy to announce that in VC++ 2010, we have made it much easier to remove potentially insecure calls to memcpy and replace them with more secure calls to memcpy_s; it’s automagic, just like we did for other banned functions!