Top articles

  • Virus Profiling

    29 April 2006 ( #METHODOLOGY )

    Processes: PID ParentPID User Path -------------------------------------------------- 3328 1252 C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\Virus\Virus.exe Ports: Port PID Type Path --------------------------------------------------...

  • Postcard.gif profiling

    29 April 2006 ( #METHODOLOGY )

    Processes: PID ParentPID User Path -------------------------------------------------- 380 512 C:\Documents and Settings\Internet2\Mes documents\syfilessyfileszipchast_ppostcards.gif.exe Ports: Port PID Type Path --------------------------------------------------...

  • HAXSPY Profiling

    21 May 2006 ( #METHODOLOGY )

    The scan on VirusTotal: Creation of objects (service/driver, DLL and registry entry): Process memory injection in explorer.exe: Hooks in ntdll: Network connections: Some other actions: - the loaded driver and service: A summary of the actions: The complete...

  • DLL Injection in Firefox.exe

    25 May 2006 ( #METHODOLOGY )

    NB. The tool has been renamed for T.O.S. reasons, but can easily be found for free. We launch the injector tool via CMD with the command "kareldjagdll firefox hookdll_heap.dll". If we check the loaded modules of Firefox, we can see the new DLL:...

  • PCFlank Leaktest

    04 June 2006 ( #METHODOLOGY )

    This is the new version of the PCFlank Leaktest. Since there is no "allow/permit" rule for the browser (in our case Internet Explorer), we cannot consider that it bypasses firewalls. In fact this leaktest just demonstrates a classical method of spying via...

  • PCFlank Leaktest part 2

    05 June 2006 ( #METHODOLOGY )

    Processes: PID ParentPID User Path -------------------------------------------------- 272 1476 POSTE2:Administrateur C:\Documents and Settings\Administrateur.POSTE2\Mes documents\Mes vidéos\PCFlankLeaktest.exe Ports: Port PID Type Path --------------------------------------------------...

  • MSN TESTS

    13 June 2006 ( #METHODOLOGY )

    With MSN to CGI: This tool uses a kind of social engineering attack in order to deceive the user. First it terminates the real Messenger and replaces it with a fake one; then the user is prompted to type in their MSN ID (mail, password), which can then be sent...

  • MAN in the MIDDLE TEST with SSLAGY (R)

    14 June 2006 ( #METHODOLOGY )

    This tool, designed by a French specialist, is a Proof of Concept which illustrates an HTTPS man-in-the-middle attack via Internet Explorer. This tool has been renamed for TOS reasons, and is currently not detected by antivirus (false positives on the next screenshot):...

  • ROOTKIT TEST

    18 June 2006 ( #METHODOLOGY )

    Here we just illustrate some rootkit behaviours and show their detection by some well-known (and less well-known) anti-rootkit tools. For more information, it may be worth taking a look at the next version of my article, which will be updated this summer. NB. Srip32.exe is...

  • MSN TEST 2

    19 June 2006 ( #METHODOLOGY )

    With MSN Pass Sender: We configure this password stealer (here named roberto) and launch it: Here the fake process crss.exe is launched: Now the fake crss.exe installs its Windows hooks via msvbvm60.dll: hijack.exe, launched via cmd, tries to modify lsass.exe:...

  • GASPAR Hooker Test

    22 June 2006 ( #METHODOLOGY )

    Result of online scans: the original file is detected by no AV on VirusTotal, and the next image relates to the file recompiled as a .exe: This file is a Proof of Concept trojan designed to illustrate some firewall evasion methods: it hooks via...

  • ROOTKIT Test 2

    24 June 2006 ( #METHODOLOGY )

    For the purpose of this test, we use two demonstrations which illustrate some rootkit methods, technology or behaviour. a. The first demonstration illustrates a hidden-process method via EPROCESS (physical memory access, ntoskrnl mapping etc.). We use...

  • DefenseWall Test Part 2 - suite -

    27 June 2006 ( #METHODOLOGY )

    Continuation of Part 2 b) Worms and viruses * With Feebs: The .hta file launches IE on a fake "hotmail.com secure mail server" link; mshta.exe is 'untrusted too. Apart from the 100% CPU annoyance, nothing happens once 'untrusted processes are killed. Passed...

  • Oddysee Rootkit Test

    08 October 2006 ( #METHODOLOGY )

    This rootkit is a pure "hider" (intrusion or hacker tool): it acts as a hidden service/driver. But it does not hide its registry keys, which makes it easy to detect for users who know their system well. In this example, we purposefully take the side and...

  • METHODOLOGY Part 1

    30 December 2007 ( #METHODOLOGY )

    FIRST PART based on the behaviour (more screenshots here) 1a. Execution protection - with the Task Manager launched via Ctrl+Alt+Del - via the Start and Run menu - with srip32 launched by explorer.exe - with shellcode for running notepad.exe: and calc.exe (2...

  • METHODOLOGY Part 3

    30 December 2007 ( #METHODOLOGY )

    CLIENT/SERVER SIDE ATTACKS and other tests: here we distinguish attacks which occur via the browser from malware which infects the system. NB. As some vulnerabilities could be patched at any moment, the tests are run on Windows XP2 updated until the...

  • METHODOLOGY Part 2

    30 December 2007 ( #METHODOLOGY )

    PART 2: IN THE WILD WITH REAL MALWARE 7) Boot Sector/BIOS/MBR protection: MBR virus. When a computer is protected neither with a BIOS password nor by an antivirus (only HIPS), an ill-intentioned person can easily boot the computer from external drives...

  • Rootkit test 3

    30 December 2007 ( #METHODOLOGY )

    Rootkit technology detection and prevention: - with Rootkit Demo 1.2: this Russian demo is designed to hide its presence and to make the speaker beep. RKDemo does not use any particular hiding method, but takes advantage of Windows functions (returns an...

  • Data theft tests

    07 August 2006 ( #METHODOLOGY )

    Here we illustrate some data theft attacks which can really be used in the wild. a. with trojan demo: This demo illustrates an "on-the-fly data theft attack": once executed, it launches calc.exe, lists the files in the My Documents folder and reports them (HTML)...

  • data theft tests 2

    20 August 2006 ( #METHODOLOGY )

    Data theft via sniffing: f. with a command line sniffer (currently detected by no antivirus on VirusTotal): We run the sniffer (locally) and connect to the webmail. g. with Sniffer (renamed, not detected by antivirus on VirusTotal): We run (locally)...

  • DEFENSEWALL TEST **INTRO**

    27 June 2006 ( #HIPS TESTS )

    TESTS DEFENSEWALL DefenseWall is a HIPS program working on the "white-list" principle: it reduces the rights of programs and executable files running outside of the trusted zone. The idea is to set the programs...

  • DEFENSEWALL TEST Part 1

    27 June 2006 ( #HIPS TESTS )

    Part I Behaviour 1° Self-protection Intro: Execution protection. DefenseWall does not work on an execution-prevention principle, so it will never prevent Task Manager, Srip, notepad or calc.exe from being started (CreateProcessThread). It will just launch...

  • DEFENSEWALL TEST Part 2

    27 June 2006 ( #HIPS TESTS )

    Part II In the wild with real malware 7° Boot sector/BIOS/MBR protection: MBR virus. DefenseWall does not provide boot sector protection, and above all, its service/driver is not a boot start but a system start: consequently, the protection during...

  • DEFENSEWALL TEST Part 3

    27 June 2006 ( #HIPS TESTS )

    Part III Client/server side attacks and other tests 11° URL obfuscation. DefenseWall does not claim to protect against URL obfuscation. Failed. 12° Internet Explorer exploits a) WMF exploits. Note: DefenseWall does not claim to prevent exploits themselves,...

  • DefenseWall Test Part 3 Suite

    27 June 2006 ( #HIPS TESTS )

    15° Man-in-the-middle (MITM) attack test: a. SSLSpoofer test: Since the file needs a service to work, it is stopped by DefenseWall. The spoofer has to be installed 'trusted to create and launch its service and to work; but in doing so, DefenseWall is not...
