Archive for 'August 2010'

    DLL Search Order Hijacking Revisited

    By M-Labs

    Since my last blog post on the topic of DLL Search Order Hijacking there has been a lot of community activity in this area. The purpose of this article is to differentiate the specific hijack technique I was describing from the one that is currently being discussed in the media as well as propose my own solution to the problem.

    Read more...


    Infiltrating Pushdo -- Part 2

    By Atif Mushtaq

    I am sure if historians ever write about botnet takedowns, they won't forget to mention the Pushdo botnet. It's the third time in the last two years or so that there has been an attempt to take down this botnet. The first attempt was back in Nov 2008 when the McColo ISP shutdown crippled Pushdo along with other spam botnets like Srizbi and Rustock. The second attempt was earlier this year when FireEye got a hold of some

    Read more...


    Chasing CnC Servers - Part 1

    By Atif Mushtaq

    There are two general ways a complex problem can be solved, using a good approach or a bad one. The only good thing about the bad approach is that it will usually be simpler to understand and implement, but in the long run one will find that shortcuts don't always work. The good thing with most humans is that they learn from their mistakes and move forward. This is what we are

    Read more...


    Musings on download_exec.rb

    By Julia Wolf

    This is not anything new and exciting¹, and should hopefully be familiar to some of you reading this. Some time ago I reversed the shellcode from Metasploit's download_exec module. It's a bit different from the rest of the stuff in MSF, because there's no source code with it, and it lacks certain features that the other shellcode[s] have (like being able to set the exit function).

    Read more...


    Find Evil and Solve Crime, Part 1: Focus

    By Jason Luttgens

    This is part one of a series of posts I plan to make on what Mandiant does to "Find Evil and Solve Crime". These posts should help to make your organization better, faster and stronger at performing effective computer security incident investigations. And hopefully they will spark some good discussion about improving incident response. The first part is about focus.

    Read more...


    Reversing Malware Command and Control: From Sockets to COM

    By M-Labs

    On a Windows host there is more than one way for a program to communicate across the internet. When reverse engineering a piece of malware it is of critical importance to understand what API is being used and how it works so that you may gain an understanding of the data sent and received as well as command structure and internal protocol if applicable. The choice of networking API also affects how you craft your indicators (more on this later). I break Windows Malware Command and Control communications into four API categories: Sockets, WinInet, URLMon and COM. The primary focus of this article is COM, since it is the rarest, least understood and most difficult to reverse engineer.

    Read more...


    The Challenges to Remediating from the APT

    By Christopher Glyer

    MANDIANT has been involved in numerous widespread remediation efforts following intrusions at large organizations. We have seen nearly identical recurring challenges emerge at these large organizations, and we believe conveying these challenges may be important to developing your overall approach to remediation should you be compromised by advanced and persistent threats:

    Read more...