05.12.2013
Slides about an in depth analysis of CVE-2013-3906 exploiting a TIFF bug inside a Microsoft Office Winword file. This bug was exploited in a targeted attack in November 2013.
masTIFF - An in depth analysis of CVE-2013-3906.pptx
20.12.2011
Slides from the CAST forum speech in december 2011 about hunting malware with volatility 2.0. On 40 slides i will introduce the main features of this powerful forensic framework. All memory dumps being discussed are snapshots from infected machines with modern malwares and rootkits.
Hunting malware with Volatility v2.0.pdf
20.01.2011
These are my slides from a talk at the Ruhr University of Bochum about "Hunting rootkits with Windbg". I'll introduce several ways to find well known rootkits like Rustock or TDL Versions 3+4 with Windbg and scripts. Enjoy!
Hunting rootkits with Windbg.pdf
30.07.2009
This paper describes all features of the OfficeMalScanner suite in detail. Further i've updated some features since my PH-Neutral talk, fixed bugs and replaced bin2code with MalHost-Setup. A much smarter way to analyze the inner workings of shellcode in a real life session. Both malicious samples described in the paper are included in the package. For sure additionally compressed and with extra password safety.
Analyzing MSOffice malware with OfficeMalScanner.zip
In addition to the paper which describes all features until version 0.431 assure to take a peek at my Hack.Lu 2009 slides as they describe how to use the new "inflate" feature, which is able to inflate and analyze the newer Office XML format.
New advances in Ms Office malware analysis.pdf
24.10.2008
Slides of my Hack.Lu 2008 speech "Rustock.C - When a myth comes true"
Rustock.C - When a myth comes true.pdf
14.02.2008
With "More advanced unpacking - Part II" i show you how to decrypt an infamous reallife malware called WSNPOEM aka Infostealer.Banker.C The binaries are usually created with a tool called ZEUS Builder and there exist lots of different versions in the wild. I found samples with and without rootkit functionality, as well as ontop packed binaries, meaning they are additionally protected/packed with tools like Aspack, ACProtect, Polycrypt and so forth. We will discuss all 3 types and how to deal with them in 3 different ways. - 1. Manual unpacking + import fixing - 2. Manual unpacking + Auto import fixing - 3. Auto unpacking/import fixing - Stage 2 introduces a nice tool called "Universal Import Fixer" and Stage 3 shows how to automate unpacking/import fixing with OllyDbgScript.
More advanced unpacking - Part II.zip
21.01.2008
This new unpacking tutorial goes far more into depth as the beginners tutorial i have released last year. It aims to show some generic tricks and tools, that can be used on many other protectors. Enjoy!
More advanced unpacking - Part I.zip
21.09.2007
This paper is an analysis of the malware Peacomm.C aka StormWorm. It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and all things that happens on this way, like: XOR + TEA decryption, TIBS unpacking, defeating Anti-Debugging code, files dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit-driver does.
Peacomm.C - Cracking the nutshell.zip
17.07.2007
This COM reconstruction video tutorial aims to be a practical when it comes to COM code reconstruction. The analysed function of this malware dumps the windows protected storage to steal account data like member site passes, outlook express accounts, autocomplete fields and so forth. And as it makes heavy use of the COM interface, it was the perfect candidate to show you how this nasty code can be restored to a far better readable code. Enjoy!
Practical COM code reconstruction.swf
21.01.2007
This paper is an analysis of the Rustock.B rootkit. The rootkit used several proprietary obfuscation/packing methods to hide the native driver code from prying eyes. I have divided the paper into two main parts. The first part, which is divided in three stages, describes how to extract the native rootkit driver code without the use of kernel debuggers or other ring0 tools. The second part basically does the same, but much faster and with lesser efforts using the SoftICE kernel debugger. Each part shows various possibilities for solving the different problems facing the researcher when analyzing Rustock. All the code and IDB files are included in the package!
A Journey to the Center of the Rustock.B Rootkit
13.12.2006
This flash movie covers how to manual unpack and Auto-IAT fix UPX and Aspack packed binaries. It might be useful for people who are new to malware analysis and don't have a clue how to unpack and repair a binary. The introduced technique works for many other easy executable packers like FSG too. For best view use a resolution of 1024x768 or higher and select fullscreen (F11) in your browser.
Manual unpacking and Auto-IAT fixing UPX and Aspack
18.03.2006
My first paper is a step by step guidance how to use the world's best debugger called SoftICE, which is part of Compuwares Driverstudio. This essay discusses the installation & configuration of the debugger, the most useful commands SoftICE offers, a rocking extension called IceExt, as well a categorized list of good breakpoints. For a better understanding screenshots are placed at distinctive points.