Author Archive
Tutorial on Buffer Overflows and MetaSploit
by dave on Jul.26, 2012, under Learning, Malware
Here is a 1-hour YouTube video explaining step by step how to find and exploit buffer overflow vulnerabilities, and finally how to write a Metasploit module for the resulting exploit. Click Here.
Rootkit Course on Youtube
by dave on Jul.26, 2012, under Learning, Malware
I came across a great video series on rootkits today. The course is from opensecuritytraining.info and the link to the course details including download of the course materials is here.
The videos are here:
- Day 1 Part 1
- Day 1 Part 2
- Day 1 Part 3
- Day 1 Part 4
- Day 1 Part 5
- Day 1 Part 6
- Day 2 Part 1
- Day 2 Part 2
- Day 2 Part 3
- Day 2 Part 4
- Day 2 Part 5
The videos are very in-depth and well worth the time.
Minotaur back online
by dave on Jul.19, 2012, under Minotaur
…and processing samples faster than ever. We’re up on the migrated server with a few gotchas along the way, but the end result is that Minotaur sped through over 3,000 samples yesterday while catching up from the downtime.
Virtualization and the Great Migration
by dave on Jul.16, 2012, under Minotaur
A while back I wrote a blog post on all the different virtualization technologies in use in Minotaur. This weekend, I’ve started consolidating the backend of Minotaur on Citrix’s XenServer. As you can guess, this is a large undertaking, and while I expected the downtime to last just the weekend, it appears the controller may be down for several more days for conversion and migration. All the data on the frontend website should function as usual, with the exception of the DNS system.
During the downtime I’ve taken the opportunity to simplify the system. I still had code running from the NUMAN days and was still running each sample through zerowine without really doing anything with the results. The backend has been significantly reduced and optimized, which should make my day-to-day administration (feeding the bull) much easier as well as make the system more reliable as a whole.
Fling.com showing up in backchannel analysis
by dave on May.28, 2012, under Malware
A recent sample [edit] was found using fling.com during backchannel communications. After searching for similar samples, several more have been found exhibiting this behavior. The spreadsheet of these samples can be found here, and all hashes can be looked up on minotauranalysis.com for the full report details. Nearly 70 samples have matched, and this activity has been observed since December of last year.
UPDATE: It appears that the malware is using http://promos.fling.com/geo/txt/city.php for GeoIP capabilities. A request to that URL returns the city associated with the requesting (i.e. infected) computer’s IP address, which allows the malware authors to tailor ads and popups to the victim’s location.
New HTTP and DNS deep analysis
by dave on May.24, 2012, under Minotaur
Minotaur has gotten a few new upgrades. Most notably on the web frontend is the addition of two new sections in the sample reports. Now, each sample’s traffic capture will be further analyzed for the URIs accessed and all DNS requests and responses.

One hope is that this analysis will provide for a rich dataset for further analytics based on URI patterns, and DNS anomalies.
As an example, the following backchannel requests popped up from sample 6da34a083feef6f9553e492e10537ca5:
| Host | Port | URI | Method |
|---|---|---|---|
| imperial-scape.org | 80 | /Comune.php?logdata=Infected | GET |
| imperial-scape.org | 80 | /Comune.php?logdata=Executed%20payload | GET |
| imperial-scape.com | 80 | /Comune.php?logdata=RAR%20archives%20infected | GET |
| imperial-scape.com | 80 | /Comune.php?logdata=Infected | GET |
| imperial-scape.com | 80 | /Comune.php?logdata=Executed%20payload | GET |
Oh, how I wish they were all this easy: they put “logdata=Infected” and “logdata=Executed%20payload” right in the URI.
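The URI analysis described in this post and the GeoIP lookup noted in the fling.com post above both come down to the same step: pull the host, port, path and query out of each captured request, percent-decode the query, and match it against a short indicator list. The following is an added example of that step, not Minotaur’s own code. The one-request-per-line log format it reads is an assumption made for the example, and the sample log itself is constructed; the two indicators (a `logdata` status parameter, and a request to `promos.fling.com/geo/txt/city.php`) are the ones reported in the posts.

```python
"""Extract and flag backchannel HTTP requests from a constructed request log.

Added example, not code from Minotaur. The log line format (method, host:port,
URI) is an assumption made for this example.
"""
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines resembling what a sandbox HTTP dissector might emit.
SAMPLE_LOG = """\
GET imperial-scape.org:80 /Comune.php?logdata=Infected
GET imperial-scape.org:80 /Comune.php?logdata=Executed%20payload
GET imperial-scape.com:80 /Comune.php?logdata=RAR%20archives%20infected
GET promos.fling.com:80 /geo/txt/city.php
GET www.example.com:80 /index.html
"""

# Indicators taken from the posts: a status beacon carried in a query parameter,
# and the third-party GeoIP lookup used to localise pop-ups.
BEACON_PARAM = "logdata"
GEOIP_HOSTS = {"promos.fling.com"}
GEOIP_PATHS = {"/geo/txt/city.php"}


def parse_line(line):
    """Split one log line into method, host, port, decoded path and query dict.

    parse_qsl percent-decodes values, so 'Executed%20payload' is returned as
    'Executed payload' for matching and reporting.
    """
    method, hostport, uri = line.split(maxsplit=2)
    host, _, port = hostport.partition(":")
    parts = urlsplit(uri)
    return {
        "method": method,
        "host": host,
        "port": int(port) if port else 80,
        "path": unquote(parts.path),
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
    }


def classify(req):
    """Return a label for a parsed request, or None if nothing matched."""
    if BEACON_PARAM in req["query"]:
        return "status-beacon:" + req["query"][BEACON_PARAM]
    if req["host"] in GEOIP_HOSTS and req["path"] in GEOIP_PATHS:
        return "geoip-lookup"
    return None


def analyse(log_text):
    """Parse every non-empty line and return (host, port, path, label) hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        label = classify(req)
        if label:
            hits.append((req["host"], req["port"], req["path"], label))
    return hits


if __name__ == "__main__":
    for host, port, path, label in analyse(SAMPLE_LOG):
        print(f"{host}:{port} {path} -> {label}")
```

Matching on the decoded query rather than the raw URI string is the point of the decode step: the same beacon can be encoded as `Executed%20payload` or `Executed+payload`, and a raw substring match on one spelling misses the other. Benign traffic such as the `www.example.com` line produces no hit.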
Minotaur Upgrades
by dave on May.13, 2012, under Minotaur, Tools
We’ve had quite a few upgrades to minotaur this weekend. First, and most noticeable on the homepage is a display of recently analyzed network communications of malicious samples. If you click on a particularly interesting map, it will take you to the report for that sample.
Next, you can now search for samples using the MD5, SHA1 or SHA256 hashes which will hopefully improve the usefulness of the search system.
Lastly, the backend that generates the videos, screenshots, tcpmaps and dynamic analyses had a major flaw in the way files were copied into the environment, which was preventing some of the samples from getting full data. This bug has been fixed, which should lead to a more consistent level of analysis of EXE files.
Hopefully many more updates on the way.
Anti-Malware DNS System Back Online
by dave on May.12, 2012, under Minotaur, Tools
The anti-malware DNS aggregator is back online on a completely new backend, and statistics should be rolling in very shortly. I’m running the entire domain database through the new system, so there will be a large spike in detections over the next few days. Please, if you know of any more services we can add to this aggregator, let me know.
CarolinaCon 2012
by dave on May.09, 2012, under Conferences and Events
I will be at CarolinaCon this weekend, so if anyone wants to meet up, talk about minotaur or malware analysis in general, email me at info@novcon.net.
Anti-Malware DNS System Outage
by dave on May.09, 2012, under Malware
We are aware that the anti-malware DNS comparison engine is offline. We are working on a new version, and if you have any DNS vendors you would like to add to our list, please email info@novcon.net. We hope to restore this service shortly.
