August 4, 2010 | Jaime Blasco

Analysis of Trojan-SMS.AndroidOS.FakePlayer.a

Trojan-SMS.AndroidOS.FakePlayer.a is one of the first malicious programs detected on Android smartphones. The program disguises itself as a media player application and begins sending SMS messages to premium-rate numbers without the user's knowledge. To analyze the .apk file we can use android-apktool (http://code.google.com/p/android-apktool/) to decode the application resources…
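
As an added example (not code from the original post or from AlienVault), here is a small Python triage script for the tree apktool produces: it reads the decoded AndroidManifest.xml for the SEND_SMS permission and scans the .smali files for methods that call SmsManager.sendTextMessage, collecting the string constants used inside those methods so short numeric codes stand out. The directory contents below are a constructed stand-in (package name, class, method and numbers are invented), not the trojan's actual code.

```python
import os
import re

# Constructed stand-in for an apktool decode tree (relative path -> contents).
# Package name, class, method and numbers are invented for this example; they
# are not the trojan's actual code or premium numbers.
SAMPLE_TREE = {
    "AndroidManifest.xml": """<manifest package="org.example.fakeplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
""",
    "smali/org/example/fakeplayer/MoviePlayer.smali": """.class public Lorg/example/fakeplayer/MoviePlayer;
.method public onCreate(Landroid/os/Bundle;)V
    .locals 6
    const-string v1, "0000"
    const-string v3, "7981"
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
.method public playMovie()V
    .locals 1
    const-string v0, "Player not available"
    return-void
.end method
""",
}

PERMISSION_RE = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')
# One smali method: the ".method" header line, then everything up to ".end method".
METHOD_RE = re.compile(r"^\.method\s+(.+?)$\n(.*?)^\.end method", re.S | re.M)
CONST_STRING_RE = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"([^"]*)"')
# The API call that actually puts an SMS on the wire.
SMS_SINK = "Landroid/telephony/SmsManager;->sendTextMessage("


def load_tree(root):
    """Read a real apktool output directory into the same path -> text mapping."""
    tree = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".smali") or name == "AndroidManifest.xml":
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    tree[os.path.relpath(full, root)] = fh.read()
    return tree


def declared_permissions(tree):
    """Permissions requested in the decoded manifest, in declaration order."""
    return PERMISSION_RE.findall(tree.get("AndroidManifest.xml", ""))


def sms_sending_methods(tree):
    """(smali path, method signature, string literals) for each method calling sendTextMessage."""
    hits = []
    for path, text in sorted(tree.items()):
        if not path.endswith(".smali"):
            continue
        for m in METHOD_RE.finditer(text):
            signature, body = m.group(1).strip(), m.group(2)
            if SMS_SINK in body:
                hits.append((path, signature, CONST_STRING_RE.findall(body)))
    return hits


def looks_like_short_code(s):
    """Premium-rate short codes are short all-digit strings; anything else is noise here."""
    return s.isdigit() and 3 <= len(s) <= 6


def triage(tree):
    """Combine the manifest check with the per-method sink scan into one report."""
    perms = declared_permissions(tree)
    return {
        "has_send_sms": "android.permission.SEND_SMS" in perms,
        "sms_methods": [
            (path, sig, [s for s in lits if looks_like_short_code(s)])
            for path, sig, lits in sms_sending_methods(tree)
        ],
    }


if __name__ == "__main__":
    rep = triage(SAMPLE_TREE)
    print("SEND_SMS declared:", rep["has_send_sms"])
    for path, sig, codes in rep["sms_methods"]:
        print(f"{path}: {sig} sends SMS; numeric literals {codes}")
```

Against a real decode, call triage(load_tree("out")) where out is the directory apktool wrote. The literal heuristic is deliberately loose: numbers assembled at runtime or stored in resources will be missed, which is why the manifest permission check runs alongside it rather than instead of it.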

July 26, 2010 | Jaime Blasco

SCADA: New threat targets critical infrastructure systems

A new piece of malware called Stuxnet is currently targeting SCADA systems. It could be just one of the thousands of pieces of malware used by criminals, but I want to emphasize some of the characteristics that make this attack important enough to think over. The malware is designed specifically to attack Siemens WinCC systems. This software controls and monitors industrial processes such…


April 29, 2010 | Dominique Karg

How would you describe OSSIM?

We're currently giving http://www.alienvault.com a minor facelift. What we want to feature there are nice things actual users can say about OSSIM. So if you're a happy OSSIM user and don't mind being quoted (anonymous references are welcome, of course) on our frontpage, please comment on this post so that we can…

March 25, 2010 | Dominique Karg

Coming soon…

I'm not dead, nor is the blog; it's just that Twitter is so much easier for busy/lazy people. I intend to write four more tutorial series pretty soon, namely:
Netflow stuff
Kismet stuff
OpenVPN inter-component config, setup and tricks
Multiuser samples/setup
I hope to be able to bring out one every two weeks approx., let's…

March 15, 2010 | Dominique Karg

New life, new blog platform (again!)

I decided to move from the old blogging platform to blogger.com. (And now to Labs!!!) I did set up pyblosxom for http://www.alienvault.com/blog/dk but I noticed that I was getting more and more tired of having to edit the HTML manually, copy it to the host, preview it, move it to the right place, etc., etc… …

March 14, 2010 | Jaime Blasco

Troyak-AS and Peer activity

Last week Troyak-AS was taken offline. The number of Zeus C&C servers has been decreasing steeply because of the coordinated operation. Here you can find a list of the AS50215 Troyak-AS peers that make up the neighborhood of one of the most active cybercrime networks. I want to share with you some graphs of these peers that show the malicious…

February 20, 2010 | Dominique Karg

OSSIM 2.2 is out!

A quick Saturday update. We just released OSSIM 2.2 with a ton of new features; have a look here. New screenshots and videos are up on AlienVault too. This release is quite complex, featuring a whole lot of new features as well as a rewrite of old ones. Please don't hesitate to post on the forums if you've got any doubt…

February 12, 2010 | Dominique Karg

OSSIM at RSA '10. More news

Wow, almost March and this is my first post this year; I need to care a bit more about this. Lots of things are happening around OSSIM, AlienVault and myself these months. First, we finished a big funding round early this year which will finally enable us to consolidate OSSIM as a leader in the SIEM space (at least that's the…

December 29, 2009 | Jaime Blasco

Exploring Windows Object ACLs

In the last post we talked about mutex objects and how to enumerate them. Today we'll learn how to check mutex access control lists from WinDbg as well as from user mode, extending the EnumerateMutex example at http://alienvault-labs-garage.googlecode.com/svn/trunk/mutex/EnumerateMutex.cs. Let's see an example using WinDbg. First query the "\BaseNamedObjects" directory…

December 28, 2009 | Jaime Blasco

Malware: Exploring mutex objects

A mutex, also called a lock, is a program object commonly used to avoid simultaneous access to a resource, such as a variable. It is used in concurrent programming to let multiple threads share the same resource safely. Mutexes are commonly used by malware authors to avoid infecting a system with several instances of the same malware: the sample creates a mutex with a fixed name at startup and quits if that name already exists. …

December 24, 2009 | Jaime Blasco

Windows Kernel Objects

The Windows kernel offers different resources to developers: Process, Socket, Thread, Mutex… A kernel object is a memory block whose structure has different members containing information about the object. There are common members across all object types (like the security descriptor), but each object type has its own specific members (like the ID of a Process object). Let's begin playing with…

December 21, 2009 | Jaime Blasco

Exploits: Analyzing a malicious PDF Document

In this post I will explain a real-case example of how to manually analyze a malicious PDF document. Some days ago I collected a malicious PDF file. Usually Wepawet does an excellent job and automatically analyzes the malicious file for you, but in this case Wepawet said "No exploits were identified", so probably the malicious PDF…
