Julia Wolf’s Favorites

A follow-up to my [Julia's] talk at the 27th Chaos Computer Congress, "OMG-WTF-PDF": corrections, updates, and reactions.
The common URLDownloadToFileA(some EXE file) and WinExec(it) shellcode in use today hasn't changed much in eight years (probably because everyone just copies the code out of Metasploit for their exploits). This is a byte-by-byte analysis of that shellcode.
Acrobat will parse some very badly formed PDF files. It's possible to remove almost everything from a PDF file and still launch JavaScript: a minimum of 58 bytes is all that is required to execute JavaScript within Acrobat.
Neosploit encodes various bits of version information about a victim's browser and OS into the URL. It's using Java exploits, and is spread via malicious advertisements.
A reference table of Windows API function name hashes, as used in many shellcode examples. Also, daylight saving time is dumb.
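As an added example (not code from the post, and not Metasploit's own code), here is the ROR13 API-name hash that Metasploit's block_api shellcode uses, so a table like the one described above can be regenerated or checked. The assumption is that the post's table uses this Metasploit scheme; the listing does not say which hash it tabulates. The module name is hashed upper-cased and widened to UTF-16LE including its two-byte terminator, the export name is hashed as ASCII including its terminator, and the two sums are added mod 2^32.

```c
/*
 * Added example, not code from the original post or from Metasploit: the
 * ROR13 API-name hash that Metasploit's block_api shellcode computes.
 * Assumption: the post's hash table uses this same scheme.
 *
 *   mod_hash = ROR13-accumulate over the module's base name, upper-cased and
 *              widened to UTF-16LE, INCLUDING the 2-byte NUL terminator
 *   fn_hash  = ROR13-accumulate over the ASCII export name INCLUDING its NUL
 *   api_hash = (mod_hash + fn_hash) mod 2^32
 *
 * The shellcode walks the PEB loader list and each module's export table and
 * recomputes these on the fly, so no API name string ever appears in it.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t ror13(uint32_t v) { return (v >> 13) | (v << 19); }

/* Hash of the module name: the loader stores it as UTF-16, so every ASCII
 * character contributes its upper-cased byte followed by a 0x00 byte. */
uint32_t module_hash(const char *mod) {
    uint32_t h = 0;
    size_t n = strlen(mod) + 1;                  /* +1: the terminator is hashed */
    for (size_t i = 0; i < n; i++) {
        uint8_t c = (uint8_t)toupper((unsigned char)mod[i]);
        h = ror13(h) + c;                        /* low byte of the UTF-16 unit */
        h = ror13(h);                            /* high byte is 0x00 */
    }
    return h;
}

/* Hash of the export name: plain ASCII, terminator included. */
uint32_t function_hash(const char *fn) {
    uint32_t h = 0;
    size_t n = strlen(fn) + 1;
    for (size_t i = 0; i < n; i++)
        h = ror13(h) + (uint8_t)fn[i];
    return h;
}

/* The 32-bit value that ends up as an immediate in the shellcode. */
uint32_t api_hash(const char *mod, const char *fn) {
    return module_hash(mod) + function_hash(fn); /* uint32_t wraps mod 2^32 */
}

int main(void) {
    /* The calls a download-and-execute payload needs plus the usual helpers.
     * The first row is what Metasploit payloads carry as
     * `push 0x0726774C ; hash("kernel32.dll","LoadLibraryA")`. */
    static const char *const apis[][2] = {
        { "kernel32.dll", "LoadLibraryA" },
        { "kernel32.dll", "WinExec" },
        { "kernel32.dll", "ExitProcess" },
        { "urlmon.dll",   "URLDownloadToFileA" },
    };
    for (size_t i = 0; i < sizeof apis / sizeof apis[0]; i++)
        printf("0x%08X  %s!%s\n", api_hash(apis[i][0], apis[i][1]),
               apis[i][0], apis[i][1]);
    return 0;
}
```

Because the module half is upper-cased and NUL-terminated before hashing, `kernel32.dll` and `KERNEL32.DLL` hash identically, which is what lets the shellcode match whatever case the loader's BaseDllName happens to use.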
The "Yes Exploit System" encrypts its "Black Energy"-like components. The crypto design used has a fatal flaw which allows someone to completely recover the plaintexts without knowing the keys or the algorithm used, or indeed anything at all except a small amount of known plaintext.
FireEye has a booth at the RSA 2010 Expo. Julia is going to the RSA Expo, and is giving a talk at PH-Neutral in May.
Neosploit and another toolkit are using a new PDF-specific obfuscation technique to hide the Acrobat Reader exploit(s) from malware scanners.
Flash has its own version of ECMAScript, called ActionScript, and whoever wrote this new 0-day finally did something new: they implemented the heap-spray routine in ActionScript, inside Flash.
This is an additive stream cipher which generates its keystream by repeatedly taking the CRC32 of a shuffled string (the password). The shuffling algorithm takes the first byte of the password and moves it to the end.
1. Filefix opens each file and reads the last four bytes. If these four bytes satisfy a particular boolean formula, the file is "corrupt", and is added to the to-decrypt list.
2. Filefix creates a new file, which is the victim file with this four-byte key XOR'd over it repeatedly. Think of it as XOR in ECB mode with a 32-bit key.
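The CRC32-of-a-rotated-password cipher above and the Filefix scheme are both XOR with a keystream that repeats after a short, fixed period, and the added example below (not code from either post or from the malware) shows why that is fatal: a few bytes of known plaintext recover one full period of keystream, and that decrypts the whole file with no key, password or algorithm in hand. Assumptions the summaries leave open: a standard zlib-style CRC-32, checksum bytes emitted little-endian, the password rotated before each checksum, and a constructed victim file with a 16-byte header an attacker could know. Filefix's last-four-bytes "is it encrypted?" test is not modelled, only its 32-bit-key XOR.

```c
/*
 * Added example, not code from the posts or from the malware. Assumptions:
 * zlib-style CRC-32, little-endian checksum bytes, password rotated before
 * each checksum. The victim file and keys below are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit-reflected CRC-32 (IEEE 802.3), identical to zlib's crc32(). */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Keystream of the CRC32 cipher: rotate the password one byte left (first
 * byte to the end), CRC32 it, emit the 4 checksum bytes, repeat. After pwlen
 * rotations the password is back where it started, so the keystream repeats
 * every 4 * pwlen bytes no matter how long the file is. */
void rotcrc_keystream(const uint8_t *pw, size_t pwlen, uint8_t *out, size_t outlen) {
    uint8_t cur[64];
    memcpy(cur, pw, pwlen);
    for (size_t off = 0; off < outlen; ) {
        uint8_t first = cur[0];
        memmove(cur, cur + 1, pwlen - 1);
        cur[pwlen - 1] = first;
        uint32_t c = crc32_buf(cur, pwlen);
        for (int i = 0; i < 4 && off < outlen; i++)
            out[off++] = (uint8_t)(c >> (8 * i));
    }
}

/* XOR a buffer with a keystream of the given period. Filefix is this with
 * period == 4 ("XOR in ECB mode with a 32-bit key"); encrypt == decrypt. */
void xor_periodic(uint8_t *buf, size_t n, const uint8_t *ks, size_t period) {
    for (size_t i = 0; i < n; i++)
        buf[i] ^= ks[i % period];
}

/* Known-plaintext attack: `known` is klen bytes of plaintext sitting at file
 * offset `off`. Each known byte fixes one keystream position,
 * ks[(off+i) % period] = ct[off+i] ^ known[i]; once every position is filled
 * the whole file decrypts. Returns how many distinct positions were recovered. */
size_t recover_keystream(const uint8_t *ct, size_t off, const uint8_t *known,
                         size_t klen, size_t period, uint8_t *ks) {
    uint8_t have[64] = {0};
    size_t got = 0;
    for (size_t i = 0; i < klen; i++) {
        size_t pos = (off + i) % period;
        ks[pos] = ct[off + i] ^ known[i];
        if (!have[pos]) { have[pos] = 1; got++; }
    }
    return got;
}

/* Constructed victim file: a 16-byte header an attacker could know, then data. */
static const uint8_t SAMPLE[] =
    "FAKEHDR-v1.0\r\n\r\nthe body of a victim file, unknown to the attacker";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

/* Filefix: 32-bit key; the attacker knows only 4 header bytes at offset 6. */
int demo_filefix(void) {
    const uint8_t key[4] = { 0xDE, 0xAD, 0xBE, 0xEF };   /* constructed key */
    uint8_t ct[128], rec[4];
    memcpy(ct, SAMPLE, SAMPLE_LEN);
    xor_periodic(ct, SAMPLE_LEN, key, 4);                /* what the malware does */
    if (recover_keystream(ct, 6, SAMPLE + 6, 4, 4, rec) != 4) return 0;
    xor_periodic(ct, SAMPLE_LEN, rec, 4);                /* decrypt with recovered key */
    return memcmp(rec, key, 4) == 0 && memcmp(ct, SAMPLE, SAMPLE_LEN) == 0;
}

/* CRC32 cipher, 4-byte password: 16-byte period, so the 16-byte header alone
 * recovers the entire keystream; the password itself is never needed. */
int demo_rotcrc(void) {
    const uint8_t pw[] = "abcd";                         /* constructed password */
    size_t period = 4 * 4;
    uint8_t ks[16], rec[16], ct[128];
    rotcrc_keystream(pw, 4, ks, period);
    memcpy(ct, SAMPLE, SAMPLE_LEN);
    xor_periodic(ct, SAMPLE_LEN, ks, period);
    if (recover_keystream(ct, 0, SAMPLE, 16, period, rec) != period) return 0;
    xor_periodic(ct, SAMPLE_LEN, rec, period);
    return memcmp(rec, ks, period) == 0 && memcmp(ct, SAMPLE, SAMPLE_LEN) == 0;
}

int main(void) {
    printf("filefix  recovered: %s\n", demo_filefix() ? "yes" : "no");
    printf("rotcrc32 recovered: %s\n", demo_rotcrc() ? "yes" : "no");
    return 0;
}
```

The period is what matters: for Filefix it is 4 bytes, so any recognisable file magic is enough; for the CRC32 cipher it is 4 times the password length, so a longer password raises the amount of known plaintext needed but never takes the scheme out of reach of a file-format header.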
Personal Exposition: I was recently sent a .pcap file of a bot's C&C communications. Every 182 seconds, the bot would download a GIF file from vazasaki-ji.info (91.211.65.180 as of Mar 11, 2009). These GIF files however are not well-formed — that is to say, it's a GIF89a header followed by a lot of random gibberish. At last! Something interesting and clever (this will make a good blog post). I've been wondering why it took so...
This post will dive into the algorithm by which Srizbi decides which domain name to contact on a given day. For this analysis, I [Julia] reverse engineered the following sample: MD5 8adb642389b8bf999e2017d731edcb00, bot.sys (linked on Mon Dec 10 03:57:34 2007, if the timestamps can be trusted), which is not only unpacked, but the author left the debugging symbols in. The original name for this project is revealed by c:\reactor3\client\Release\client.pdb. The bot (Srizbi) is loaded into...
On x86-64 it is much easier to find your current instruction pointer; just do this: LEA EAX, [RIP] and EAX will contain the address of the next instruction (RIP-relative displacements are computed from the address of the following instruction). Use LEA RAX, [RIP] if you need the full 64-bit address; EAX keeps only the low 32 bits.
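An added example (not code from the original post) putting the RIP-relative LEA beside the older CALL/POP trick that 32-bit shellcode has to use, each wrapped so the caller can check that the returned address really lies inside the function that executed it. It uses GCC/Clang inline assembly and assumes an x86-64 or x86-32 build; on any other architecture both helpers return 0.

```c
/*
 * Added example, not code from the original post. GCC/Clang inline assembly;
 * assumes x86-64 (or x86-32 for the CALL/POP variant). Elsewhere both
 * helpers return 0.
 */
#include <stdint.h>
#include <stdio.h>

/* x86-64 only. A RIP-relative displacement is taken from the address of the
 * *next* instruction, so LEA with displacement 0 yields exactly that.
 * Use a 64-bit destination: "LEA EAX, [RIP]" assembles, but keeps only the
 * low 32 bits of the address. */
__attribute__((noinline)) uintptr_t ip_via_lea(void) {
    uintptr_t ip = 0;
#if defined(__x86_64__)
    __asm__ volatile("leaq 0(%%rip), %0" : "=r"(ip));
#endif
    return ip;
}

/* What 32-bit shellcode has to do instead: CALL pushes the return address,
 * POP reads it back. On x86-64 the SUB/ADD of 128 keeps the pushed word
 * below the red zone the compiler may be using for locals; 32-bit code has
 * no red zone and just does CALL/POP. */
__attribute__((noinline)) uintptr_t ip_via_call_pop(void) {
    uintptr_t ip = 0;
#if defined(__x86_64__)
    __asm__ volatile(
        "subq $128, %%rsp\n\t"
        "call 1f\n"
        "1:\n\t"
        "popq %0\n\t"
        "addq $128, %%rsp"
        : "=r"(ip) : : "memory");
#elif defined(__i386__)
    __asm__ volatile("call 1f\n1:\n\tpopl %0" : "=r"(ip) : : "memory");
#endif
    return ip;
}

/* 1 if `ip` lies within the first 128 bytes of `fn`, i.e. the instruction
 * that produced it sits inside that function; 0 otherwise. */
int ip_inside(uintptr_t ip, uintptr_t (*fn)(void)) {
    uintptr_t start = (uintptr_t)fn;
    return ip >= start && ip < start + 128;
}

int main(void) {
    uintptr_t a = ip_via_lea(), b = ip_via_call_pop();
    printf("lea      -> %#lx (inside ip_via_lea: %d)\n",
           (unsigned long)a, ip_inside(a, ip_via_lea));
    printf("call/pop -> %#lx (inside ip_via_call_pop: %d)\n",
           (unsigned long)b, ip_inside(b, ip_via_call_pop));
    return 0;
}
```

Both helpers are marked noinline so the address they recover belongs to their own body rather than to whatever function the compiler would otherwise have inlined them into; that is also why the range check works under ASLR, since it only compares the result against the function's own runtime address.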