Archives in September, 2011

Hacker linked to attack on HBGary arrested

One of the hackers reportedly linked to the February attack on a Sacramento cybersecurity company was arrested today (Sept. 2, 2011) by Scotland Yard.

The cybersecurity company the article is referring to is none other than HBGary and HBGary Federal.


U.S. Sources Exposed as Unredacted State Department Cables Are Unleashed Online

An encrypted WikiLeaks file containing 251,000 unredacted U.S. State Department cables is now widely available online, along with the passphrase to open it. The release of the documents in raw form, including the names of U.S. informants around the globe, has raised concerns that dozens of people could now be in danger.


Pyew

To get the ball rolling again, let me introduce you to a nice little tool that I found and started playing with while I was traveling around the country.

Pyew is a Python tool similar to radare. Pyew has many useful features for doing malware analysis. The tool is a work in progress but does show some promise. What I like about it is that I can do some quick static analysis on a file to determine what additional analysis needs to be done. The ability to use the PEiD signature database (for identifying packers and compilers) within the tool is nice. The integration of tools for PDF analysis is coming along as well.

Here’s a sample of what it looks like:

$ pyew b6bd1640dcbd7b81970f8e4606b215e1
PE Information

Sections:
UPX0 0x1000 0x40000 0
UPX1 0x41000 0x2f000 191488
.rsrc 0x70000 0x2000 7680

Entry Point at 0x2ede0
Virtual Address is 0x46f9e0
Code Analysis ...

0000 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 MZP.............
0010 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................
0040 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 ........!..L.!..
0050 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 This program mus
0060 74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57 t be run under W
0070 69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00 in32..$7........
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 50 45 00 00 4C 01 03 00 EB BF 70 4B 00 00 00 00 PE..L.....pK....
0110 00 00 00 00 E0 00 8F 81 0B 01 02 19 00 F0 02 00 ................
0120 00 20 00 00 00 00 04 00 E0 F9 06 00 00 10 04 00 . ..............
0130 00 00 07 00 00 00 40 00 00 10 00 00 00 02 00 00 ......@.........
0140 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................
0150 00 20 07 00 00 10 00 00 00 00 00 00 02 00 00 00 . ..............
0160 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 .....@..........
0170 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
0180 48 1A 07 00 C4 01 00 00 00 00 07 00 48 1A 00 00 H...........H...
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01C0 98 FB 06 00 18 00 00 00 00 00 00 00 00 00 00 00 ................
01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01F0 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 ........UPX0....
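Even this short listing answers the "what next" question the post is after. The section lines read as name, virtual address, virtual size and size of raw data: UPX0 occupies 0x40000 bytes in memory but zero bytes on disk, and the entry point (file offset 0x2ede0, VA 0x46f9e0 = image base 0x400000 + RVA 0x6f9e0) lands in UPX1, which is the layout of a UPX unpacker stub. The "MZP" DOS header and the "This program must be run under Win32" stub text are what the Borland/Delphi linker emits, so the file is a UPX-packed Delphi binary that needs unpacking before any real code analysis. As an added example (my code, not pyew's), the script below reproduces that first pass with nothing but the standard library: it walks the DOS and PE headers, lists the sections, maps AddressOfEntryPoint to a file offset and a VA, and reports packer hints. The header it runs on is constructed inline to match the dump above (PE at 0x100, PE32, three sections with the sizes shown); the PointerToRawData values and the file beyond the headers are assumptions, since the dump stops at the first section header.

```python
"""
Quick static PE triage in the spirit of the pyew listing (added example, not
pyew's own code).  Reads only the fields needed to list sections, map the
entry point, and flag the UPX stub layout.  The sample header is constructed
to match the dump; raw-data pointers are assumed, not taken from the sample.
"""
import struct


def parse_pe(data):
    """Return entry RVA, image base and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]   # ImageBase
    sections = []
    for i in range(nsec):
        # First 24 bytes of IMAGE_SECTION_HEADER (40 bytes per entry)
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return {"machine": machine, "entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset through the section table; None if not file-backed."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            if rva - s["va"] >= s["rawsize"]:
                return None   # lives in the virtual extent only (e.g. UPX0 before unpacking)
            return rva - s["va"] + s["rawptr"]
    return None


def packer_hints(pe):
    """Cheap heuristics a triager applies before reaching for a PEiD lookup."""
    hints = []
    secs, ep = pe["sections"], pe["entry_rva"]
    for s in secs:
        if s["name"].upper().startswith("UPX"):
            hints.append("section name %s" % s["name"])
    for hollow, nxt in zip(secs, secs[1:]):
        ep_in_next = nxt["va"] <= ep < nxt["va"] + nxt["vsize"]
        if hollow["rawsize"] == 0 and hollow["vsize"] >= 0x1000 and ep_in_next:
            hints.append("empty-on-disk %s followed by entry point in %s (unpacker stub layout)"
                         % (hollow["name"], nxt["name"]))
    return hints


def triage(data):
    """The three facts the pyew listing gives: sections, entry point, packer hint."""
    pe = parse_pe(data)
    return {
        "sections": [(s["name"], s["va"], s["vsize"], s["rawsize"]) for s in pe["sections"]],
        "entry_file_offset": rva_to_offset(pe, pe["entry_rva"]),
        "entry_va": pe["image_base"] + pe["entry_rva"],
        "packer_hints": packer_hints(pe),
    }


def build_sample(section_names=(b"UPX0", b"UPX1", b".rsrc")):
    """Constructed header mirroring the dump above; not the real sample's bytes."""
    hdr = bytearray(0x400)
    hdr[0:4] = b"MZP\0"                              # Borland/Delphi DOS stub signature
    struct.pack_into("<I", hdr, 0x3C, 0x100)         # e_lfanew
    hdr[0x100:0x104] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x104, 0x14C, 3, 0x4B70BFEB, 0, 0, 0xE0, 0x818F)
    opt = 0x118
    struct.pack_into("<H", hdr, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x6F9E0)   # AddressOfEntryPoint (from the dump)
    struct.pack_into("<I", hdr, opt + 28, 0x400000)  # ImageBase (from the dump)
    layout = [(0x40000, 0x1000, 0, 0x400),           # vsize, va, rawsize, rawptr (rawptr assumed)
              (0x2F000, 0x41000, 191488, 0x400),
              (0x2000, 0x70000, 7680, 0x400 + 191488)]
    for i, (name, (vsize, va, raw, ptr)) in enumerate(zip(section_names, layout)):
        struct.pack_into("<8sIIII", hdr, opt + 0xE0 + 40 * i, name, vsize, va, raw, ptr)
    return bytes(hdr)


if __name__ == "__main__":
    # Second run renames the sections: the name hint vanishes, the layout hint stays.
    for names in [(b"UPX0", b"UPX1", b".rsrc"), (b".text", b".data", b".rsrc")]:
        t = triage(build_sample(names))
        print("Sections:")
        for name, va, vsize, raw in t["sections"]:
            print("   %-6s 0x%x 0x%x %d" % (name, va, vsize, raw))
        print("Entry Point at 0x%x" % t["entry_file_offset"])
        print("Virtual Address is 0x%x" % t["entry_va"])
        print("Packer hints:", t["packer_hints"] or "none")
```

The second run in the script is the reason to keep the structural check next to the name check: a packer (or a hand edit) can rename UPX0/UPX1 to .text/.data and defeat both the name match and signature-database rules keyed on section names, but a section that is empty on disk and large in memory, with the entry point in the section after it, is still the unpacker stub layout. PEiD-style signatures match bytes at the entry point, which is the complementary check pyew's database integration gives you.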

Check out pyew here.

Hello Again

It’s been a fast and furious month. It seems like I’ve been on travel more than I’ve been at work. That’s not always bad. During this time I’ve tried the Twitter route. OK, that didn’t go as well as I planned. Maybe I will do better with that in the future.