Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 

Is contributing to a good infosec cause worth working for free?
iT News (blog)
But for the infosec professionals being asked to provide their expertise to the board free of cost, it's a tricky area to navigate. The backstory is that many of the big names in car manufacturing have been demonstrably vulnerable to cyber attack over ...

 

Very often I get questions on how to perform analysis on DLL files.

The reason is that behavioral analysis is easier on executables, either in an external sandbox or in a VMware VM with tools such as those from the Sysinternals suite.

For DLLs, most of the time you can't just run them; you can use Windows applications like rundll32 with the right export, but sometimes that doesn't work.

At this point, if you want something fast to get some analysis done on the DLL, you can go for static analysis: looking at the strings and trying to determine the nature of the malware.

The problem is that most malware these days uses a custom packer, which makes your job more difficult.

The quick and dirty solution is to force the DLL into memory so that it unpacks itself. That makes your job much easier: just use a process dump tool and then check the strings.

Something I used to do to accomplish this was to use regsvr32 to load the DLL into memory. It will throw an error in most cases, but the DLL stays loaded until you close the error message.

During that window you can use your preferred dump tool to dump the regsvr32 process and check the DLL's strings.
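The "check the strings" step is where the unpacked payload usually gives itself away. The following is an added example, not the diary's script: a small extractor that pulls both ASCII and UTF-16LE strings out of a memory dump (Windows malware keeps many of its URLs and registry paths as wide strings, which a plain ASCII `strings` run misses) and then sorts the hits into triage buckets. The dump bytes, the URL and the indicator lists are constructed for illustration; point `main` at a real dump file to use it.

```python
import re
import sys
from typing import Dict, List, Tuple

MIN_LEN = 4

# Constructed sample of what a slice of a process dump might look like after an
# unpacked DLL has been loaded (hypothetical values, not from any real sample).
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00\x03"            # header junk, "MZ" is too short to count
    + b"kernel32.dll\x00"                      # ASCII string at offset 8
    + b"\x7f\x00\xff"                          # filler
    + b"CreateRemoteThread\x00"                # ASCII string at offset 24
    + "http://example.test/c2".encode("utf-16-le") + b"\x00\x00"   # wide string at 43
    + b"\x11\x22ab\x01"                        # '"ab' is only 3 chars: ignored
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00"                              # wide string at 94
)

# Constructed triage lists; a real one would be much longer.
INDICATORS: Dict[str, Tuple[str, ...]] = {
    "network": ("http://", "https://"),
    "persistence": ("CurrentVersion\\Run",),
    "injection-api": ("CreateRemoteThread", "WriteProcessMemory"),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of min_len or more.

    ASCII runs are claimed first. A UTF-16LE run that starts on the last byte of
    an ASCII run followed by a NUL terminator (e.g. "d\\x00h\\x00t\\x00...") would
    otherwise swallow that byte, so leading code units already claimed by an
    ASCII match are dropped before decoding.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)

    found: List[Tuple[int, str, str]] = []
    ascii_spans: List[Tuple[int, int]] = []
    for m in ascii_re.finditer(data):
        ascii_spans.append((m.start(), m.end()))
        found.append((m.start(), "ascii", m.group().decode("ascii")))

    for m in utf16_re.finditer(data):
        start = m.start()
        while start < m.end() and any(a <= start < b for a, b in ascii_spans):
            start += 2  # skip one UTF-16 code unit
        chunk = data[start:m.end()]
        if len(chunk) // 2 >= min_len:
            found.append((start, "utf16", chunk.decode("utf-16-le")))

    found.sort()
    return found


def triage(strings: List[Tuple[int, str, str]],
           indicators: Dict[str, Tuple[str, ...]] = INDICATORS) -> Dict[str, List[str]]:
    """Group extracted strings by the indicator category they match (case-insensitive)."""
    hits: Dict[str, List[str]] = {}
    for _offset, _kind, text in strings:
        lowered = text.lower()
        for category, needles in indicators.items():
            if any(n.lower() in lowered for n in needles):
                hits.setdefault(category, []).append(text)
    return hits


def main(argv: List[str]) -> None:
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_DUMP
    for offset, kind, text in extract_strings(data):
        print(f"{offset:08x} {kind:5} {text}")
    for category, texts in triage(extract_strings(data)).items():
        print(f"[{category}] " + ", ".join(texts))


if __name__ == "__main__":
    main(sys.argv)
```

Run with no argument to see the constructed sample, or with the path of a dump file as the first argument. The offset is printed so a hit can be located again in a hex editor or in the dump tool.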

Another way is to simply inject the DLL into a running process, explorer.exe for example. This simple Python script, inspired by the Gray Hat Python book, seems to do the job quite well!

Simply run it, passing the PID of the process you want to inject into and the DLL file as parameters.

For example:

python dll_inject.py 618 baddll.dll

-- This will inject baddll.dll into process ID 618.

To find the process ID you can use either a tool like Sysinternals Process Explorer or Windows Task Manager.

Good luck!

------

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

FreeBSD Security Advisory FreeBSD-SA-15:24.rpcbind
 
CVE-2015-7392 Heap overflow in Freeswitch json parser < 1.6.2 & < 1.4.23
 
Re: CVE-2015-3938 Remote Permanent LoV (Loss of View) in Mitsubishi Melsec FX3G-24M PLC
 
ESA-2015-151: RSA® OneStep Path Traversal Vulnerability
 
ESA-2015-152: RSA Web Threat Detection Multiple Vulnerabilities
 

Channelnomics

Report: More women could be answer to InfoSec talent shortage
Channelnomics
According to the non-profit's Women in Security: Wisely Positioned for Future of InfoSec report, produced in conjunction with Frost & Sullivan, women represent 10 percent of information security professionals. The report said more women joining the ...
Just 10% of Infosec Professionals Are Women (Infosecurity Magazine)
Report: Women 'leaning in' in cyber workforce (FedScoop)
Viruses, bulletins, surveys, and gender: hashtag #VB2015 (We Live Security blog)
Benzinga - SC Magazine
 

Angie Messer of Booz Allen Highlights Need to Build Infosec Talent
GovConWire
“The adaptive nature of cyber threats demands a talent management strategy that will broaden the skillsets and knowledge of the information security profession,” Messer said in a Booz Allen press release announcing the release of a Frost & Sullivan ...

 

 
Remote privesc and RCE in Kaseya Virtual System Administrator
 
CVE-2015-3938 Remote Permanent LoV (Loss of View) in Mitsubishi Melsec FX3G-24M PLC
 

EITHER/XOR

Security researchers have uncovered a network of infected Linux computers that's flooding gaming and education sites with as much as 150 gigabits per second of malicious traffic—enough in some cases to take the targets completely offline.

The XOR DDoS or Xor.DDoS botnet, as the distributed denial-of-service network has been dubbed, targets as many as 20 sites each day, according to an advisory published Tuesday by content delivery network Akamai Technologies. About 90 percent of the targets are located in Asia. In some cases, the IP address of the participating bot is spoofed in a way that makes the compromised machines appear to be part of the network being targeted. That technique can make it harder for defenders to stop the attack.

