2011

25 Dec 2011

[Quick notes] Metasploit payload types

To start with, a vulnerability is a weakness in the target system which creates a security risk: it can be exploited.

An exploit is a way, a piece of code, that can trigger and take advantage of a vulnerability.
A payload is the actual component of the attack which does things for an attacker.

Therefore, a payload must have at least 2 components in it:

1. Communications capability - sets up a communication channel for the attacker
2. Functionality - defines which actions an attacker can perform

Metasploit provides 2 types of payloads:


06 Aug 2011

Analyzing Malware – Manually unpacking the specimen

In continuation of the reverse engineering malware series, this is the fifth post. I recommend that you read my first, second, third and fourth posts to be in sync with the whole exercise. In previous posts, we performed behavioral and code analysis of the malware specimen, slackbot. We identified that the bot executable was packed with the UPX packer. Since UPX has native unpacking capabilities as well, we unpacked the specimen exe and learnt more about its code and operations during code analysis. Subsequently we were able to gain control over the bot.


31 Jul 2011

Analyzing Malware – Patching in the way!

This is in continuation of my previous posts on reverse engineering malware. Therefore, I would strongly recommend that you go through posts one, two, and three before moving on to this one. If you recall, in the last post we used disassembling and debugging techniques on the specimen to our advantage and successfully identified the correct IRC login password. But is there a way to simply modify or bypass this whole password protection mechanism in the bot? If the authentication process can be controlled, that would be awesome. So, here it is: this post will show you just that.


09 Jul 2011

Analyzing malware [ slackbot ] – II

This is in continuation of part 1 of Analyzing Malware [ slackbot ].

Code Analysis

In this phase of reverse engineering malware, we will look inside the code of the specimen. We will use IDA Pro, a disassembler, to open the malware exe and attempt to understand the logic behind the flow of execution. A disassembler translates machine language into assembly language.
