PDF Stream Filters – Part 2

It is very interesting to study the  obfuscation techniques used by the attackers in malicious PDF docs. As of my previous blog entry, one of the simplest, yet interesting obfuscation technique used is the cascading filtering. This basically means that the  malicious JavaScript code is embedded below the multiple layers of encoded stream. In this […]

PDF Stream Filter – Part 1

One of the challenges in analyzing malicious PDF document is stream filtering. Malicious contents in PDF file are usually compressed with stream filtering thus making  analysis a bit complicated. In a PDF document , stream object consists of stream dictionary, stream keyword, a sequence of bytes, and endstream keyword. A malicious content inside PDF file […]

Evolution of Phishing Website

Take a look at the following phishing website: Just another phishing website? Think again.. Take a look at the page source body { background-image: url(bg02.jpg); background-repeat: no-repeat; } The phisher is using image instead of HTML. And YES, this technique can bypass DontPhishMe. I’ve worked on new method to solve this problem and now, DontPhishMe […]

Analysis on Java Web Start Argument Injection Exploit

The recent discovery of Java Web Start Argument Injection vulnerability (CVE-2010-0886 and CVE-2010-0887) has opened a new opportunity for the bad guy to utilize it in drive-by download attack. Here is a short write up on the example (in the wild) found early today, which exploiting this vulnerability. The exploit was found on http://buckomre.com/ and […]

Referencing yourself with arguments.callee()

Obfuscation using arguments.callee() in java scripts is widely seen in  browser exploitation and malicious PDF attacks. This kind of obfuscation could be a bit tricky to handle for security analyst. The arguments.callee() call is used normally to prevent security analyst from modifying the malicious function. The variable that holds the arguments.callee will be validated in […]

Yara Rule For CVE-2010-0805

The Internet Explorer Tabular Data Control ActiveX Memory Corruption (CVE-2010-0805) exploit was recently ported to Metasploit, so we decided to release the detection rule for Yara. Yes it can also be used with JSunpack! rule MSIETabularActivex { meta: ref = “CVE-2010-0805” impact = 7 hide = true strings: $cve20100805_1 = “333C7BC4-460F-11D0-BC04-0080C7055A83” nocase fullword $cve20100805_2 = […]

pKaji: The PHP Analyzer

pKaji is a free service provided by MyCERT that allows one to analyze  PHP codes.  It facilitates detection of network activities and other potentially malicious activities within the code by using the ‘hooking’ technique. Basically, it uses the APD (Advance PHP Debugger) extension to hook the original PHP built-in function. Using pKaji To use pKaji, […]

Bashing The Wildcard

This is quick note about wildcard usage for the  Linux command line particularly on  how to select/include some files among the others. Let say you have a directory  that contains the following files: $ls mh apache-log.tar.gz.00 apache-log.tar.gz.01 apache-log.tar.gz.02 apache-log.tar.gz.03 apache-log.tar.gz.04 apache-log.tar.gz.05 apache-log.tar.gz.06 apache-log.tar.gz.07 apache-log.tar.gz.08 apache-log.tar.gz.09 apache-log.tar.gz.10 apache-log.tar.gz.11 apache-log.tar.gz.12 apache-log.tar.gz.13 To copy the first 10 files,  […]

/Info does give an info :)

Common PDF dictionary used inside malicious PDF are /Author, /Producer, /Title, and /Subject which use reference from this.info.author, this.info.producer, this.info.title, and this.info.subject respectively. The PDF dictionary mentioned above are located inside the /Info referenced object. This can be identified from the reference variable above (e.g: this.info.title) used inside JavaScript code. For instance; this /* means […]