How does this site infecting script work?

Notice the replace call after the giant messy string: .replace(/#|\$|@|\^|&|\(|\)|\!/ig, ''). It removes most of the special characters, turning it into a normal URL: evil://dyndns-org.gamestop.com.mybestyouxi-cn.genuinehollywood.ru:8080/softonic.com/softonic.com/google.com/livejasmin.com/videosz.com/ (I manually changed http: to evil:) Note that the regex could have been simplified to .replace(/[#$@^&()!]/ig, '') If you look at the script, you'll see that it's a very simple … Read more
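The deobfuscation step described in that answer, reproduced as an added example that is not part of the original post. The obfuscated string is constructed here (the URL from the answer, as http:, with the junk characters #$@^&()! sprinkled in the way the script did); both the script's alternation regex and the simplified character class are applied so their equivalence can be checked, and the recovered URL is parsed before being defanged the same way the poster did.

```powershell
# Constructed input: the URL from the answer with junk characters inserted.
$obfuscated = 'h#t$t@p:/^/d&y(n)d!ns-org.game#stop.com.my$best@youxi-cn.gen^uine&holly(wood).ru:8!080/sof#tonic.com/softonic.com/goo$gle.com/live@jasmin.com/vid^eosz.com/'

# Strip exactly what the script's regex strips. PowerShell's -replace is
# case-insensitive by default, matching the /i flag in the original.
$fromScript = $obfuscated -replace '#|\$|@|\^|&|\(|\)|!', ''
$simplified = $obfuscated -replace '[#$@^&()!]', ''
if ($fromScript -ne $simplified) { throw 'the two regexes are not equivalent' }

# Parse the recovered URL so host, port and path can be reported separately.
$uri = [System.Uri]$simplified
[pscustomobject]@{
    Host     = $uri.Host          # dyndns-org.gamestop.com.mybestyouxi-cn.genuinehollywood.ru
    Port     = $uri.Port          # 8080
    Path     = $uri.AbsolutePath
    Defanged = $simplified -replace '^http:', 'evil:'   # same trick as the poster
}
```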

What is the best way to find Conficker infected PCs in company networks remotely?

The latest version of nmap has the ability to detect all (current) variants of Conficker by detecting the otherwise almost invisible changes that the worm makes to the port 139 and port 445 services on infected machines. This is (AFAIK) the easiest way to do a network based scan of your whole network without visiting … Read more
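A way to run that nmap check across a whole range and collect only the hits, added here as an example and not part of the original answer. It assumes nmap is on the PATH and that the NSE script is named smb-vuln-conficker (the name in current nmap releases; older releases bundled the check into smb-check-vulns), and the address range is a placeholder.

```powershell
# Placeholder range; replace with the subnet(s) you are responsible for.
$Range   = '10.0.0.0/24'
$xmlPath = Join-Path $env:TEMP 'conficker-scan.xml'

# Only 139/445 matter for this check; -Pn keeps hosts that drop ICMP in scope.
& nmap -Pn -p 139,445 --script smb-vuln-conficker -oX $xmlPath $Range | Out-Null

[xml]$report = Get-Content -Raw $xmlPath

# Per-host script results live under <hostscript><script id="..." output="...">.
foreach ($h in $report.nmaprun.host) {
    $addr   = ($h.address | Where-Object addrtype -eq 'ipv4').addr
    $script = $h.hostscript.script | Where-Object id -eq 'smb-vuln-conficker'
    # The vulns library reports VULNERABLE / LIKELY VULNERABLE; exclude NOT VULNERABLE,
    # which only appears if vulns.showall was passed.
    if ($script -and $script.output -match '(?<!NOT )VULNERABLE') {
        $firstLine = ($script.output.Trim() -split "`n")[0].Trim()
        [pscustomobject]@{ Host = $addr; Finding = $firstLine }
    }
}
```

The scan itself is unauthenticated SMB probing, so run it from a host that is allowed through any internal firewalls on 139/445, otherwise infected machines simply show up as filtered.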

Windows 2012 R2 – Search for Files using MD5 Hash?

Sure. You'll probably want to do something more useful than the following example though.

$evilHashes = @(
    '4C51A173404C35B2E95E47F94C638D2D001219A0CE3D1583893E3DE3AFFDAFE0',
    'CA1DEE12FB9E7D1B6F4CC6F09137CE788158BCFBB60DED956D9CC081BE3E18B1'
)
Get-ChildItem -Recurse -Path C:\somepath | Get-FileHash | Where-Object { $_.Hash -in $evilHashes }
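The question asks for MD5, while Get-FileHash defaults to SHA256 (the two 64-character values in the answer are SHA256 hashes). The following is an added example, not the answer's code, that hashes with -Algorithm MD5 explicitly, reports files it cannot read instead of silently dropping them, and emits a record per hit. The hash values and the path are constructed placeholders, not real indicators.

```powershell
# Constructed placeholder values (the first is the MD5 of an empty file).
$evilMd5 = @(
    'd41d8cd98f00b204e9800998ecf8427e',
    '00000000000000000000000000000000'
)
# -in is case-insensitive in PowerShell, so lower-case hashes pasted from a
# report still match the upper-case hex that Get-FileHash returns.

Get-ChildItem -LiteralPath 'C:\somepath' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            $h = Get-FileHash -LiteralPath $file.FullName -Algorithm MD5 -ErrorAction Stop
        } catch {
            # Locked or unreadable files (pagefile.sys, open databases) are reported,
            # because an unhashed file is exactly where something could hide.
            Write-Warning "Could not hash $($file.FullName): $($_.Exception.Message)"
            return
        }
        if ($h.Hash -in $evilMd5) {
            [pscustomobject]@{
                Path       = $h.Path
                MD5        = $h.Hash
                SizeBytes  = $file.Length
                ModifiedUtc = $file.LastWriteTimeUtc
            }
        }
    }
```

Pipe the output to Export-Csv to keep a record of hits; run it from an elevated prompt, since the files most worth hashing are often the ones a normal user cannot read.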

Updating Malware cleaning skills

You don’t “clean malware”. You level the machines and start over. Anything less is a disservice to your Customer and asking for trouble. As far as dealing with the “threat”, you don’t allow users to run with Administrator-level accounts (on Windows), and you don’t install untrusted software (inasmuch as is possible). It seems fairly simple … Read more

how to find out what created a file?

Have a look at the “Owner” tab under the “Advanced” properties of the “Security” properties page of the file’s properties sheet. Odds are good, though, that you’re going to see “Administrators” as the owner (which won’t be too helpful). The auditing functionality in Windows can help with this kind of thing, but it generates such … Read more
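Both of the answer's pointers, the Owner field and file-system auditing, can be read from PowerShell. The following is an added example, not the answer's own code; the file path is a placeholder. The second part only returns anything if a SACL on the file and the "Audit File System" subcategory are enabled, which is the noise the answer warns about: 4663 (an object was accessed) fires for every audited access, so filter on the path first.

```powershell
# Placeholder path for the example.
$file = 'C:\somepath\suspicious.dll'

# Part 1: the Owner tab, programmatically. Often BUILTIN\Administrators, as the answer notes.
$owner = (Get-Acl -LiteralPath $file).Owner
"Owner: $owner"

# Part 2: Security log entries for audited access to this exact object.
$filter = @{ LogName = 'Security'; Id = 4663 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($file) } |
    ForEach-Object {
        # Pull the structured EventData fields rather than parsing the message text.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -eq $file) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                ProcessName = $d.ProcessName
                AccessMask  = $d.AccessMask   # 0x2 (WriteData/AddFile) on the creating write
            }
        }
    } | Select-Object -First 20
```

The ProcessName field is the useful one here: it names the executable that held the handle, which is what "what created a file" usually really asks.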

Prevent execution of Windows executables

You want Software Restriction Policies. This underutilized feature of modern Windows allows the administrator to allow or restrict executables from running based on the path or even based on a cryptographic signature. By the way, you want more than just EXE's. Software Restriction Policies has a list of 30 or 40 additional types of files … Read more
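To see what the answer means by the list of additional file types, the settings SRP writes can be read back from the registry. This is an added example, not the answer's code; the key path and value names are the Safer policy layout as I know it (verify on your build), and the file name at the end is a placeholder.

```powershell
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

if (-not (Test-Path $srpKey)) {
    'No Software Restriction Policy is configured on this machine.'
    return
}
$srp = Get-ItemProperty -Path $srpKey

# DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$level  = if ($null -eq $srp.DefaultLevel) { 'not set' } else { $levels[[int]$srp.DefaultLevel] }
"Default level : $level"

# TransparentEnabled: 1 = all software files except libraries (DLLs), 2 = including DLLs.
$scope = if ($srp.TransparentEnabled -eq 2) { 'all software files including DLLs' } else { 'all software files except DLLs' }
"Enforcement   : $scope"

# The "designated file types" list the answer refers to (REG_MULTI_SZ).
"Extensions    : $($srp.ExecutableTypes -join ', ')"

function Test-SrpExecutableType([string]$Path) {
    # EXE and DLL are always treated as executable and are not in the list;
    # anything else is covered only if its extension appears there.
    $ext = [IO.Path]::GetExtension($Path).TrimStart('.')
    return ($ext -in @('exe', 'dll') -or $ext -in $srp.ExecutableTypes)
}

Test-SrpExecutableType 'C:\Users\alice\Downloads\invoice.scr'   # placeholder file name
```

A file type missing from that list (for example a script extension handled by an installed interpreter) is not subject to the path rules at all, which is the gap the answer is pointing at when it says you want more than just EXEs.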

Postfix sending and receiving the same e-mail every 5 minutes for 4+ months

The problem is your Amavis setup. Your quarantine destination seems to be a mail address. So Amavis injects the virus mail back into Postfix to be delivered to that address. Postfix now decides to scan the mail first and delegates to Amavis. Amavis recognizes the virus and tries to quarantine it by delivering to the … Read more