Security

Cyber Security, IT Security, Cyber Defence

Articles and presentations about Cyber Security

Here is a list of all articles and presentations I have published about Cyber Security so far.

Weaponized File Formats

This is a series of articles about file formats and related security issues. In 2003 I had presented an article in French about this subject at the SSTIC conference: [SSTIC03]. In the following articles I will provide an updated version in English with more information about common file formats.

How to detect most malicious macros without an antivirus

mraptor is a simple tool designed to detect malicious VBA macros in MS Office files, based on characteristics of the VBA code. This article explains how it works, and how it can be used in practice.

python-oletools - python tools to analyze OLE and MS Office files

python-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on my olefile parser. 

Anti-Analysis Tricks in Weaponized RTF

This article describes several anti-analysis tricks found in recent malicious RTF documents, and how I improved rtfobj to handle them.

8KB of malware crammed into a single command line in a macro

A few days ago, @Bry_Campbell told me about a strange sample with a malicious macro, that could not be fully analyzed with online sandboxes and the usual tools.

How to grill Malicious Macros - SSTIC15

Since 2014, malicious macros are coming back. And their success in recent campaigns demonstrates that it is still an effective way to deliver malware, sixteen years after Melissa.

This is a presentation that I gave to the SSTIC symposium in June 2015, translated to English. It explains what malicious macros can do, how their code can be obfuscated, and some of the anti-analysis tricks observed in recent cases. Then it shows several tools that can be used to analyze macros, including oledump and olevba.

Tip: how to find malware samples containing specific strings

It is sometimes useful to look for malware samples containing a specific string. For example, you might look for samples sharing similar code to analyze a malware campaign with different targets. Another use case is discovering the original version of a modified file, as described in my article "Unmasking Malfunctioning Malicious Documents".

Unmasking Malfunctioning Malicious Documents

From time to time, people report strange malicious documents which are not successfully analyzed by malware analysis tools nor by sandboxes. Let's investigate. (this is a follow-up to the post "Malfunctioning Malware" by Didier Stevens)

olefile - a Python module to read/write MS OLE2 files

olefile (formerly OleFileIO_PL) is a Python package to parse, read and write Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office 97-2003 documents, vbaProject.bin in MS Office 2007+ files, Image Composer and FlashPix files, Outlook MSG files, StickyNotes, several Microscopy file formats, McAfee antivirus quarantine files, etc.

Syndicate content