By my count, there were 12 people at the meeting last night. Not nearly a record, but the most we've seen at one meeting in quite a few months. I think there were three first-timers, too. It was great meeting you and we look forward to crossing paths again. As always, there were many good discussions on everything from encryption, steganography and programming to economics and geology.
I gave a quick demo on JavaScript malware analysis with some coding help from Andrew.
There are many places to find live samples of malware. I was using Malware Domain List. Use common sense here. I can't stress enough that you should know what you are doing if you use any information on this page. I'd suggest using a virtual machine, the NoScript (or similar) plugin and/or a non-Windows operating system. Even still: no guarantees. Play safe, kids!
JSunpack can help you shake down certain kinds of packed JavaScript and extract embedded files from it. It doesn't always work too well on heavily obfuscated code, but it can usually make better sense of the code once you've got it looking more like JavaScript than a big array and a janky decode/eval function.
Most of the entry-level javascript malware de-obfuscation stuff I showed off at the meeting is covered in this round-up article on SANS ISC. You usually have to improvise, and obfuscated code is getting uglier and sneakier by the day, apparently.
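To make the "big array and a janky decode/eval function" shape concrete, here is an added example (not the code from the meeting demo, and not part of JSunpack) that recovers the hidden text from such a sample by reading it as a string, without ever running it. The sample is constructed and harmless; the fixed additive offset, the keyword list and the function names are assumptions made for the illustration.

```javascript
// Constructed sample, not real malware: a harmless statement stored as
// char codes shifted by +3, followed by the usual decode-and-eval stub.
const SAMPLE = `
var k = 3;
var a = [103,114,102,120,112,104,113,119,49,119,108,119,111,104,64,37,
         101,104,113,108,106,113,37,62];
var s = "";
for (var i = 0; i < a.length; i++) s += String.fromCharCode(a[i] - k);
eval(s);
`;

// Pull every integer array literal out of the source text, longest first.
function extractIntArrays(src) {
  const re = /\[\s*(\d+(?:\s*,\s*\d+)+)\s*\]/g;
  const found = [];
  for (const m of src.matchAll(re)) found.push(m[1].split(',').map(Number));
  return found.sort((x, y) => y.length - x.length);
}

// Crude plausibility score: JavaScript keywords count most, then plain text.
function score(text) {
  const words = text.match(/\b(document|window|function|var|eval|unescape|iframe|location|src)\b/g) || [];
  const plain = text.match(/[A-Za-z0-9 ]/g) || [];
  return words.length * 10 + plain.length;
}

// Try each additive offset on the longest array and keep the best-scoring
// decode. The sample is only read as text; nothing in it is executed.
function recoverPayload(src, maxOffset = 64) {
  const arrays = extractIntArrays(src);
  if (arrays.length === 0) return null;
  let best = null;
  for (let off = -maxOffset; off <= maxOffset; off++) {
    const codes = arrays[0].map((c) => c - off);
    if (codes.some((c) => c < 9 || c > 126)) continue; // outside tab..tilde
    const text = codes.map((c) => String.fromCharCode(c)).join('');
    const s = score(text);
    if (best === null || s > best.score) best = { offset: off, text, score: s };
  }
  return best;
}

console.log(recoverPayload(SAMPLE));
```

Because the decoder never calls `eval`, it can run outside a virtual machine, but it only handles this one encoding; layered or key-derived packers still need the improvising mentioned above.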
Our next meeting will be on January 6th, and we may have a post-meeting chili supper at Chez ax0n, if I can get the missus to sign off on it.