I published the following diary on isc.sans.org: “Logical & Physical Security Correlation“. Today, I would like to review an example how we can improve our daily security operations or, for our users, how to help in detecting suspicious content. Last week, I received the following email in my corporate mailbox.
I published the following diary on isc.sans.org: “Nicely Obfuscated JavaScript Sample“. One of our readers sent us an interesting sample that was captured by his anti-spam. The suspicious email had an HTML file attached to it. By having a look at the file manually, it is heavily obfuscated and the payload
I published the following diary on isc.sans.org: “Searching for Base64-encoded PE Files“. When hunting for suspicious activity, it’s always a good idea to search for Microsoft Executables. They are easy to identify: They start with the characters “MZ” at the beginning of the file. But, to bypass classic controls, those
I published the following diary on isc.sans.org: “Example of Multiple Stages Dropper“. If some malware samples remain simple (see my previous diary), others try to install malicious files in a smooth way to the victim computers. Here is a nice example that my spam trap captured a few days ago. The
I published the following diary on isc.sans.org: “Retro Hunting!“. For a while, one of the security trends is to integrate information from 3rd-party feeds to improve the detection of suspicious activities. By collecting indicators of compromize, other tools may correlate them with their own data and generate alerts on specific conditions.
I published the following diary on isc.sans.org: “The Side Effect of GeoIP Filters“. IP location, GeoIP or Geolocalization are terms used to describe techniques to assign geographic locations to IP addresses.  Databases are built and maintained to link the following details to IP addresses: Country Region City Postal code Internet Service Provider Coordinates
I published the following diary on isc.sans.org: “Not All Malware Samples Are Complex“. Everyday we hear about new pieces of malware which implement new techniques to hide themselves and defeat analysts. But they are still people who write simple code that just “do the job”. The sample that I’m reviewing today had a very
I published the following diary on isc.sans.org: “How your pictures may affect your website reputation“. In a previous diary, I explained why the automatic processing of IOC’s (“Indicator of Compromiseâ€) could lead to false positives. Here is a practical example found yesterday. I captured the following malicious HTML page (MD5:
I published the following diary on isc.sans.org: “Analysis of a Simple PHP Backdoor“. With the huge surface attack provided by CMS like Drupal or WordPress, webshells remain a classic attack scenario. A few months ago, I wrote a diary about the power of webshells. A few days ago, a friend
Being a volunteer for the SANS Internet Storm Center, I’m a big fan of the DShield service. I think that I’m feeding DShield with logs for eight or nine years now. In 2011, I wrote a Perl script to send my OSSEC firewall logs to DShield. This script has been
