I published the following diary on isc.sans.org: “Diverting built-in features for the bad”. Sometimes you may find very small pieces of malicious code. Yesterday, I caught this very small JavaScript sample with only 2 lines of code…
Category: SANS Internet Storm Center
[SANS ISC] Logical & Physical Security Correlation
I published the following diary on isc.sans.org: “Logical & Physical Security Correlation”. Today, I would like to review an example of how we can improve our daily security operations or, for our users, how to help in detecting suspicious content. Last week, I received the following email in my corporate mailbox.
[SANS ISC] Nicely Obfuscated JavaScript Sample
I published the following diary on isc.sans.org: “Nicely Obfuscated JavaScript Sample”. One of our readers sent us an interesting sample that was captured by his anti-spam. The suspicious email had an HTML file attached to it. By having a look at the file manually, it is heavily obfuscated and the payload
[SANS ISC] Searching for Base64-encoded PE Files
I published the following diary on isc.sans.org: “Searching for Base64-encoded PE Files”. When hunting for suspicious activity, it’s always a good idea to search for Microsoft Executables. They are easy to identify: They start with the characters “MZ” at the beginning of the file. But, to bypass classic controls, those
[SANS ISC Diary] Example of Multiple Stages Dropper
I published the following diary on isc.sans.org: “Example of Multiple Stages Dropper”. If some malware samples remain simple (see my previous diary), others try to install malicious files in a smooth way to the victim computers. Here is a nice example that my spam trap captured a few days ago. The
[SANS ISC Diary] Retro Hunting!
I published the following diary on isc.sans.org: “Retro Hunting!”. For a while, one of the security trends is to integrate information from 3rd-party feeds to improve the detection of suspicious activities. By collecting indicators of compromise, other tools may correlate them with their own data and generate alerts on specific conditions.
[SANS ISC Diary] The Side Effect of GeoIP Filters
I published the following diary on isc.sans.org: “The Side Effect of GeoIP Filters”. IP location, GeoIP or Geolocalization are terms used to describe techniques to assign geographic locations to IP addresses. Databases are built and maintained to link the following details to IP addresses: Country, Region, City, Postal code, Internet Service Provider, Coordinates
[SANS ISC Diary] Not All Malware Samples Are Complex
I published the following diary on isc.sans.org: “Not All Malware Samples Are Complex”. Every day we hear about new pieces of malware which implement new techniques to hide themselves and defeat analysts. But there are still people who write simple code that just “does the job”. The sample that I’m reviewing today had a very
[SANS ISC Diary] How your pictures may affect your website reputation
I published the following diary on isc.sans.org: “How your pictures may affect your website reputation”. In a previous diary, I explained why the automatic processing of IOCs (“Indicator of Compromise”) could lead to false positives. Here is a practical example found yesterday. I captured the following malicious HTML page (MD5:
[SANS ISC Diary] Analysis of a Simple PHP Backdoor
I published the following diary on isc.sans.org: “Analysis of a Simple PHP Backdoor”. With the huge attack surface provided by CMS like Drupal or WordPress, webshells remain a classic attack scenario. A few months ago, I wrote a diary about the power of webshells. A few days ago, a friend