MALWARE ANALYSIS |
| 2019-11-23 | Guy Bruneau | Local Malware Analysis with Malice |
| 2019-06-14 | Jim Clausing | A few Ghidra tips for IDA users, part 4 - function call graphs |
| 2019-04-17 | Jim Clausing | A few Ghidra tips for IDA users, part 2 - strings and parameters |
| 2019-04-08 | Jim Clausing | A few Ghidra tips for IDA users, part 1 - the decompiler/unreachable code |
| 2019-04-03 | Jim Clausing | A few Ghidra tips for IDA users, part 0 - automatic comments for API call parameters |
| 2018-10-21 | Pasquale Stirparo | Beyond good ol’ LaunchAgent - part 0 |
| 2018-08-31 | Jim Clausing | Quickie: Using radare2 to disassemble shellcode |
| 2018-06-01 | Remco Verhoef | Binary analysis with Radare2 |
| 2017-07-09 | Russ McRee | Adversary hunting with SOF-ELK |
| 2016-04-21 | Daniel Wesemann | Decoding Pseudo-Darkleech (Part #2) |
| 2014-07-05 | Guy Bruneau | Malware Analysis with pedump |
| 2013-10-28 | Daniel Wesemann | Exploit cocktail (Struts, Java, Windows) going after 3-month old vulnerabilities |
| 2013-06-18 | Russ McRee | Volatility rules...any questions? |
| 2013-05-11 | Lenny Zeltser | Extracting Digital Signatures from Signed Malware |
| 2013-01-08 | Jim Clausing | Cuckoo 0.5 is out and the world didn't end |
| 2012-09-14 | Lenny Zeltser | Analyzing Malicious RTF Files Using OfficeMalScanner's RTFScan |
| 2012-06-04 | Lenny Zeltser | Decoding Common XOR Obfuscation in Malicious Code |
| 2012-03-03 | Jim Clausing | New automated sandbox for Android malware |
| 2011-02-01 | Lenny Zeltser | The Importance of HTTP Headers When Investigating Malicious Sites |
| 2010-07-21 | Adrien de Beaupre | autorun.inf and .lnk Malware (NOT 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198) |
| 2010-05-26 | Bojan Zdrnja | Malware modularization and AV detection evasion |
| 2010-03-26 | Daniel Wesemann | Getting the EXE out of the RTF again |
| 2010-01-14 | Bojan Zdrnja | PDF Babushka |
| 2010-01-07 | Daniel Wesemann | Static analysis of malicious PDFs |
| 2010-01-07 | Daniel Wesemann | Static analysis of malicous PDFs (Part #2) |
| 2009-11-25 | Jim Clausing | Updates to my GREM Gold scripts and a new script |
| 2009-09-25 | Lenny Zeltser | Categories of Common Malware Traits |
| 2009-07-26 | Jim Clausing | New Volatility plugins |
| 2009-07-02 | Daniel Wesemann | Getting the EXE out of the RTF |
| 2009-01-18 | Daniel Wesemann | 3322. org |
| 2009-01-02 | Rick Wanner | Tools on my Christmas list. |
| 2008-11-17 | Jim Clausing | Finding stealth injected DLLs |
| 2008-07-07 | Pedro Bueno | Bad url classification |
MALWARE |
| 2020-02-14/a> | Xavier Mertens | Keep an Eye on Command-Line Browsers |
| 2020-02-07/a> | Xavier Mertens | Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript |
| 2020-02-03/a> | Jan Kopriva | Analysis of a triple-encrypted AZORult downloader |
| 2020-01-16/a> | Jan Kopriva | Picks of 2019 malware - the large, the small and the one full of null bytes |
| 2020-01-10/a> | Xavier Mertens | More Data Exfiltration |
| 2020-01-09/a> | Xavier Mertens | Quick Analyzis of a(nother) Maldoc |
| 2020-01-02/a> | Xavier Mertens | Ransomware in Node.js |
| 2019-12-24/a> | Brad Duncan | Malspam with links to Word docs pushes IcedID (Bokbot) |
| 2019-12-12/a> | Xavier Mertens | Code & Data Reuse in the Malware Ecosystem |
| 2019-11-23/a> | Guy Bruneau | Local Malware Analysis with Malice |
| 2019-10-18/a> | Xavier Mertens | Quick Malicious VBS Analysis |
| 2019-10-03/a> | Xavier Mertens | "Lost_Files" Ransomware |
| 2019-09-19/a> | Xavier Mertens | Agent Tesla Trojan Abusing Corporate Email Accounts |
| 2019-09-12/a> | Xavier Mertens | Rig Exploit Kit Delivering VBScript |
| 2019-09-06/a> | Xavier Mertens | PowerShell Script with a builtin DLL |
| 2019-09-05/a> | Xavier Mertens | Private IP Addresses in Malware Samples? |
| 2019-08-30/a> | Xavier Mertens | Malware Dropping a Local Node.js Instance |
| 2019-08-28/a> | Xavier Mertens | Malware Samples Compiling Their Next Stage on Premise |
| 2019-08-22/a> | Xavier Mertens | Simple Mimikatz & RDPWrapper Dropper |
| 2019-08-18/a> | Didier Stevens | Video: Analyzing DAA Files |
| 2019-08-16/a> | Didier Stevens | The DAA File Format |
| 2019-08-12/a> | Didier Stevens | Malicious .DAA Attachments |
| 2019-07-18/a> | Xavier Mertens | Malicious PHP Script Back on Stage? |
| 2019-07-11/a> | Xavier Mertens | Russian Dolls Malicious Script Delivering Ursnif |
| 2019-07-02/a> | Xavier Mertens | Malicious Script With Multiple Payloads |
| 2019-06-14/a> | Jim Clausing | A few Ghidra tips for IDA users, part 4 - function call graphs |
| 2019-06-10/a> | Xavier Mertens | Interesting JavaScript Obfuscation Example |
| 2019-05-29/a> | Xavier Mertens | Behavioural Malware Analysis with Microsoft ASA |
| 2019-05-13/a> | Xavier Mertens | From Phishing To Ransomware? |
| 2019-05-03/a> | Jim Clausing | A few Ghidra tips for IDA users, part 3 - conversion, labels, and comments |
| 2019-05-01/a> | Xavier Mertens | Another Day, Another Suspicious UDF File |
| 2019-04-19/a> | Didier Stevens | Analyzing UDF Files with Python |
| 2019-04-17/a> | Jim Clausing | A few Ghidra tips for IDA users, part 2 - strings and parameters |
| 2019-04-17/a> | Xavier Mertens | Malware Sample Delivered Through UDF Image |
| 2019-04-08/a> | Jim Clausing | A few Ghidra tips for IDA users, part 1 - the decompiler/unreachable code |
| 2019-04-03/a> | Jim Clausing | A few Ghidra tips for IDA users, part 0 - automatic comments for API call parameters |
| 2019-03-30/a> | Didier Stevens | "404" is not Malware |
| 2019-03-10/a> | Didier Stevens | Malicious HTA Analysis by a Reader |
| 2019-03-10/a> | Didier Stevens | Quick and Dirty Malicious HTA Analysis |
| 2019-02-14/a> | Xavier Mertens | Old H-Worm Delivered Through GitHub |
| 2019-01-06/a> | Didier Stevens | Malicious .tar Attachments |
| 2019-01-05/a> | Didier Stevens | A Malicious JPEG? Second Example |
| 2019-01-04/a> | Didier Stevens | A Malicious JPEG? |
| 2019-01-02/a> | Xavier Mertens | Malicious Script Leaking Data via FTP |
| 2018-12-09/a> | Didier Stevens | Quickie: String Analysis is Still Useful |
| 2018-12-08/a> | Didier Stevens | Reader Malware Submission: MHT File Inside a ZIP File |
| 2018-11-27/a> | Xavier Mertens | More obfuscated shell scripts: Fake MacOS Flash update |
| 2018-11-26/a> | Xavier Mertens | Obfuscated bash script targeting QNap boxes |
| 2018-11-22/a> | Xavier Mertens | Divided Payload in Multiple Pasties |
| 2018-11-06/a> | Xavier Mertens | Malicious Powershell Script Dissection |
| 2018-10-23/a> | Xavier Mertens | Diving into Malicious AutoIT Code |
| 2018-10-22/a> | Xavier Mertens | Malicious Powershell using a Decoy Picture |
| 2018-10-21/a> | Pasquale Stirparo | Beyond good ol’ LaunchAgent - part 0 |
| 2018-10-12/a> | Xavier Mertens | More Equation Editor Exploit Waves |
| 2018-09-28/a> | Xavier Mertens | More Excel DDE Code Injection |
| 2018-09-22/a> | Didier Stevens | Suspicious DNS Requests ... Issued by a Firewall |
| 2018-09-16/a> | Didier Stevens | 20/20 malware vision |
| 2018-09-13/a> | Xavier Mertens | Malware Delivered Through MHT Files |
| 2018-09-05/a> | Xavier Mertens | Malicious PowerShell Compiling C# Code on the Fly |
| 2018-08-31/a> | Jim Clausing | Quickie: Using radare2 to disassemble shellcode |
| 2018-08-30/a> | Xavier Mertens | Crypto Mining Is More Popular Than Ever! |
| 2018-08-26/a> | Didier Stevens | "When was this machine infected?" |
| 2018-08-26/a> | Didier Stevens | Identifying numeric obfuscation |
| 2018-08-24/a> | Xavier Mertens | Microsoft Publisher Files Delivering Malware |
| 2018-08-21/a> | Xavier Mertens | Malicious DLL Loaded Through AutoIT |
| 2018-08-06/a> | Didier Stevens | Numeric obfuscation: another example |
| 2018-08-04/a> | Didier Stevens | Dealing with numeric obfuscation in malicious scripts |
| 2018-08-02/a> | Brad Duncan | DHL-themed malspam reveals embedded malware in animated gif |
| 2018-07-26/a> | Xavier Mertens | Windows Batch File Deobfuscation |
| 2018-07-09/a> | Renato Marinho | Criminals Don't Read Instructions or Use Strong Passwords |
| 2018-06-07/a> | Remco Verhoef | Automated twitter loot collection |
| 2018-06-05/a> | Xavier Mertens | Malicious Post-Exploitation Batch File |
| 2018-06-01/a> | Remco Verhoef | Binary analysis with Radare2 |
| 2018-05-22/a> | Xavier Mertens | Malware Distributed via .slk Files |
| 2018-05-19/a> | Xavier Mertens | Malicious Powershell Targeting UK Bank Customers |
| 2018-05-09/a> | Xavier Mertens | Nice Phishing Sample Delivering Trickbot |
| 2018-05-07/a> | Xavier Mertens | Adding Persistence Via Scheduled Tasks |
| 2018-05-01/a> | Xavier Mertens | Diving into a Simple Maldoc Generator |
| 2018-02-20/a> | Renato Marinho | Statically Unpacking a Brazilian Banker Malware |
| 2018-02-17/a> | Xavier Mertens | Malware Delivered via Windows Installer Files |
| 2018-02-02/a> | Xavier Mertens | Simple but Effective Malicious XLS Sheet |
| 2018-01-28/a> | Didier Stevens | Is this a pentest? |
| 2018-01-26/a> | Xavier Mertens | Investigating Microsoft BITS Activity |
| 2018-01-25/a> | Xavier Mertens | Ransomware as a Service |
| 2018-01-11/a> | Xavier Mertens | Mining or Nothing! |
| 2017-12-19/a> | Xavier Mertens | Example of 'MouseOver' Link in a Powerpoint File |
| 2017-12-16/a> | Xavier Mertens | Microsoft Office VBA Macro Obfuscation via Metadata |
| 2017-11-29/a> | Xavier Mertens | Fileless Malicious PowerShell Sample |
| 2017-11-16/a> | Xavier Mertens | Suspicious Domains Tracking Dashboard |
| 2017-11-15/a> | Xavier Mertens | If you want something done right, do it yourself! |
| 2017-11-13/a> | Guy Bruneau | VBE Embeded Script (info.zip) |
| 2017-11-07/a> | Xavier Mertens | Interesting VBA Dropper |
| 2017-11-03/a> | Xavier Mertens | Simple Analysis of an Obfuscated JAR File |
| 2017-10-31/a> | Xavier Mertens | Some Powershell Malicious Code |
| 2017-10-29/a> | Didier Stevens | Remember ACE files? |
| 2017-10-24/a> | Xavier Mertens | BadRabbit: New ransomware wave hitting RU & UA |
| 2017-10-15/a> | Didier Stevens | Peeking into .msg files |
| 2017-09-09/a> | Didier Stevens | Malware analysis output sanitization |
| 2017-09-02/a> | Xavier Mertens | AutoIT based malware back in the wild |
| 2017-08-26/a> | Didier Stevens | Malware analysis: searching for dots |
| 2017-08-25/a> | Xavier Mertens | Malicious AutoIT script delivered in a self-extracting RAR file |
| 2017-08-23/a> | Xavier Mertens | Malicious script dropping an executable signed by Avast? |
| 2017-08-18/a> | Renato Marinho | EngineBox Malware Supports 10+ Brazilian Banks |
| 2017-07-21/a> | Didier Stevens | Malicious .iso Attachments |
| 2017-07-09/a> | Russ McRee | Adversary hunting with SOF-ELK |
| 2017-07-05/a> | Didier Stevens | Selecting domains with random names |
| 2017-06-22/a> | Xavier Mertens | Obfuscating without XOR |
| 2017-06-06/a> | Didier Stevens | Malware and XOR - Part 2 |
| 2017-06-05/a> | Didier Stevens | Malware and XOR - Part 1 |
| 2017-05-16/a> | Russ McRee | WannaCry? Do your own data analysis. |
| 2017-05-13/a> | Guy Bruneau | Microsoft Released Guidance for WannaCrypt |
| 2017-04-28/a> | Xavier Mertens | Another Day, Another Obfuscation Technique |
| 2017-04-19/a> | Xavier Mertens | Hunting for Malicious Excel Sheets |
| 2017-04-05/a> | Xavier Mertens | Whitelists: The Holy Grail of Attackers |
| 2017-03-18/a> | Xavier Mertens | Example of Multiple Stages Dropper |
| 2017-03-12/a> | Guy Bruneau | Honeypot Logs and Tracking a VBE Script |
| 2017-03-08/a> | Xavier Mertens | Not All Malware Samples Are Complex |
| 2017-02-05/a> | Xavier Mertens | Many Malware Samples Found on Pastebin |
| 2017-01-31/a> | Johannes Ullrich | Malicious Office files using fileless UAC bypass to drop KEYBASE malware |
| 2017-01-24/a> | Xavier Mertens | Malicious SVG Files in the Wild |
| 2017-01-06/a> | John Bambenek | Ransomware Operators Cold Calling UK Schools to Get Malware Through |
| 2017-01-05/a> | John Bambenek | New Year's Resolution: Build Your Own Malware Lab? |
| 2017-01-01/a> | Didier Stevens | py2exe Decompiling - Part 1 |
| 2016-12-13/a> | Xavier Mertens | UAC Bypass in JScript Dropper |
| 2016-11-11/a> | Rick Wanner | Benevolent malware? reincarna/Linux.Wifatch |
| 2016-10-30/a> | Pasquale Stirparo | Volatility Bot: Automated Memory Analysis |
| 2016-09-30/a> | Xavier Mertens | Another Day, Another Malicious Behaviour |
| 2016-09-13/a> | Rob VandenBrink | If it's Free, YOU are the Product |
| 2016-09-05/a> | Xavier Mertens | Malware Delivered via '.pub' Files |
| 2016-09-01/a> | Xavier Mertens | Maxmind.com (Ab)used As Anti-Analysis Technique |
| 2016-08-25/a> | Xavier Mertens | Out-of-Band iOS Patch Fixes 0-Day Vulnerabilities |
| 2016-08-24/a> | Xavier Mertens | Example of Targeted Attack Through a Proxy PAC File |
| 2016-08-23/a> | Xavier Mertens | Voice Message Notifications Deliver Ransomware |
| 2016-08-01/a> | Daniel Wesemann | Are you getting I-CANNED ? |
| 2016-07-27/a> | Xavier Mertens | Analyze of a Linux botnet client source code |
| 2016-07-25/a> | Didier Stevens | Python Malware - Part 4 |
| 2016-07-16/a> | Didier Stevens | Python Malware - Part 3 |
| 2016-07-12/a> | Xavier Mertens | Hunting for Malicious Files with MISP + OSSEC |
| 2016-06-20/a> | Xavier Mertens | Ongoing Spam Campaign Related to Swift |
| 2016-06-18/a> | Rob VandenBrink | Controlling JavaScript Malware Before it Runs |
| 2016-05-15/a> | Didier Stevens | Python Malware - Part 1 |
| 2016-05-13/a> | Xavier Mertens | MISP - Malware Information Sharing Platform |
| 2016-05-05/a> | Xavier Mertens | Microsoft BITS Used to Download Payloads |
| 2016-05-02/a> | Rick Wanner | Fake Chrome update for Android |
| 2016-04-21/a> | Daniel Wesemann | Decoding Pseudo-Darkleech (#1) |
| 2016-04-21/a> | Daniel Wesemann | Decoding Pseudo-Darkleech (Part #2) |
| 2016-04-10/a> | Didier Stevens | Handling Malware Samples |
| 2016-03-07/a> | Xavier Mertens | Another Malicious Document, Another Way to Deliver Malicious Code |
| 2016-02-24/a> | Xavier Mertens | Analyzis of a Malicious .lnk File with an Embedded Payload |
| 2016-02-18/a> | Xavier Mertens | Hunting for Executable Code in Windows Environments |
| 2016-02-11/a> | Tom Webb | Tomcat IR with XOR.DDoS |
| 2016-01-24/a> | Didier Stevens | Obfuscated MIME Files |
| 2016-01-15/a> | Xavier Mertens | JavaScript Deobfuscation Tool |
| 2016-01-01/a> | Didier Stevens | Failure Is An Option |
| 2015-12-26/a> | Didier Stevens | Malfunctioning Malware |
| 2015-12-16/a> | Xavier Mertens | Playing With Sandboxes Like a Boss |
| 2015-12-06/a> | Mark Hofman | Malware SPAM a new run has started. |
| 2015-11-09/a> | John Bambenek | Protecting Users and Enterprises from the Mobile Malware Threat |
| 2015-09-29/a> | Pedro Bueno | Tricks for DLL analysis |
| 2015-09-28/a> | Johannes Ullrich | "Transport of London" Malicious E-Mail |
| 2015-09-21/a> | Xavier Mertens | Detecting XCodeGhost Activity |
| 2015-04-24/a> | Basil Alawi S.Taher | Fileless Malware |
| 2015-04-09/a> | Brad Duncan | An example of the malicious emails sometimes sent to the ISC handler addresses |
| 2015-03-18/a> | Daniel Wesemann | New SANS memory forensics poster |
| 2015-03-14/a> | Didier Stevens | Maldoc VBA Sandbox/Virtualization Detection |
| 2015-03-08/a> | Brad Duncan | What Happened to You, Asprox Botnet? |
| 2015-02-19/a> | Daniel Wesemann | Macros? Really?! |
| 2014-10-03/a> | Johannes Ullrich | CSAM: The Power of Virustotal to Turn Harmless Binaries Malicious |
| 2014-09-22/a> | Johannes Ullrich | Fake LogMeIn Certificate Update with Bad AV Detection Rate |
| 2014-08-06/a> | Chris Mohan | Free Service to Help CryptoLocker Victims by FireEye and Fox-IT |
| 2014-07-22/a> | Daniel Wesemann | Ivan's Order of Magnitude |
| 2014-07-19/a> | Russ McRee | Keeping the RATs out: the trap is sprung - Part 3 |
| 2014-07-18/a> | Russ McRee | Keeping the RATs out: **it happens - Part 2 |
| 2014-07-18/a> | Russ McRee | Gameover Zeus reported as "returned from the dead" |
| 2014-07-16/a> | Russ McRee | Keeping the RATs out: an exercise in building IOCs - Part 1 |
| 2014-07-05/a> | Guy Bruneau | Malware Analysis with pedump |
| 2014-06-22/a> | Russ McRee | OfficeMalScanner helps identify the source of a compromise |
| 2014-06-08/a> | Guy Bruneau | efax Spam Containing Malware |
| 2014-04-06/a> | Basil Alawi S.Taher | "Power Worm" PowerShell based Malware |
| 2014-04-05/a> | Jim Clausing | Those strange e-mails with URLs in them can lead to Android malware |
| 2014-03-04/a> | Daniel Wesemann | XPired! |
| 2014-02-28/a> | Daniel Wesemann | Fiesta! |
| 2014-01-19/a> | Rick Wanner | Anatomy of a Malware distribution campaign |
| 2013-12-24/a> | Daniel Wesemann | Mr Jones wants you to appear in court! |
| 2013-12-23/a> | Daniel Wesemann | Costco, BestBuy, Walmart really want to send you a package! |
| 2013-12-07/a> | Guy Bruneau | Suspected Active Rovnix Botnet Controller |
| 2013-11-02/a> | Rick Wanner | Protecting Your Family's Computers |
| 2013-10-31/a> | Russ McRee | Happy Halloween: The Ghost Really May Be In The Machine |
| 2013-10-30/a> | Russ McRee | SIR v15: Five good reasons to leave Windows XP behind |
| 2013-10-28/a> | Daniel Wesemann | Exploit cocktail (Struts, Java, Windows) going after 3-month old vulnerabilities |
| 2013-10-24/a> | Johannes Ullrich | False Positive: php.net Malware Alert |
| 2013-09-30/a> | Adrien de Beaupre | Twitter DM spam/malware |
| 2013-09-12/a> | Daniel Wesemann | 37.58.73.42 / 95.156.228.69 / 195.210.43.42, anyone? |
| 2013-09-10/a> | Swa Frantzen | Macs need to patch too! |
| 2013-08-29/a> | Russ McRee | Suspect Sendori software |
| 2013-07-04/a> | Russ McRee | Celebrating 4th of July With a Malware PCAP Visualization |
| 2013-06-18/a> | Russ McRee | Volatility rules...any questions? |
| 2013-05-21/a> | Adrien de Beaupre | Moore, Oklahoma tornado charitable organization scams, malware, and phishing |
| 2013-05-17/a> | Daniel Wesemann | e-netprotections.su ? |
| 2013-05-16/a> | Daniel Wesemann | Extracting signatures from Apple .apps |
| 2013-05-11/a> | Lenny Zeltser | Extracting Digital Signatures from Signed Malware |
| 2013-05-01/a> | Daniel Wesemann | The cost of cleaning up |
| 2013-04-10/a> | Manuel Humberto Santander Pelaez | Massive Google scam sent by email to Colombian domains |
| 2013-03-22/a> | Mark Baggett | Wipe the drive! Stealthy Malware Persistence - Part 4 |
| 2013-03-20/a> | Mark Baggett | Wipe the drive! Stealthy Malware Persistence - Part 3 |
| 2013-03-19/a> | Johannes Ullrich | Scam of the day: More fake CNN e-mails |
| 2013-03-15/a> | Mark Baggett | AVG detect legit file as virus |
| 2013-03-14/a> | Mark Baggett | Wipe the drive! Stealthy Malware Persistence - Part 2 |
| 2013-03-13/a> | Mark Baggett | Wipe the drive! Stealthy Malware Persistence Mechanism - Part 1 |
| 2013-02-25/a> | Johannes Ullrich | Mass-Customized Malware Lures: Don't trust your cat! |
| 2013-01-08/a> | Jim Clausing | Cuckoo 0.5 is out and the world didn't end |
| 2012-12-18/a> | Rob VandenBrink | All I Want for Christmas is to Not Get Hacked ! |
| 2012-12-03/a> | Kevin Liston | Mobile Malware: Request for Field Reports |
| 2012-11-02/a> | Daniel Wesemann | Lamiabiocasa |
| 2012-11-01/a> | Daniel Wesemann | Patched your Java yet? |
| 2012-10-14/a> | Pedro Bueno | Cyber Security Awareness Month - Day 14 - Poor Man's File Analysis System - Part 1 |
| 2012-09-21/a> | Guy Bruneau | Storing your Collection of Malware Samples with Malwarehouse |
| 2012-09-14/a> | Lenny Zeltser | Analyzing Malicious RTF Files Using OfficeMalScanner's RTFScan |
| 2012-07-21/a> | Rick Wanner | OpenDNS is looking for a few good malware people! |
| 2012-07-05/a> | Adrien de Beaupre | New OS X trojan backdoor MaControl variant reported |
| 2012-06-27/a> | Swa Frantzen | Online Banking Heists |
| 2012-06-26/a> | Daniel Wesemann | Run, Forest! (Update) |
| 2012-06-25/a> | Rick Wanner | Targeted Malware for Industrial Espionage? |
| 2012-06-25/a> | Swa Frantzen | Belgian online banking customers hacked. |
| 2012-06-22/a> | Daniel Wesemann | Run, Forest! |
| 2012-06-21/a> | Raul Siles | Print Bomb? (Take 2) |
| 2012-06-21/a> | Russ McRee | Analysis of drive-by attack sample set |
| 2012-06-19/a> | Daniel Wesemann | Vulnerabilityqueerprocessbrittleness |
| 2012-06-04/a> | Lenny Zeltser | Decoding Common XOR Obfuscation in Malicious Code |
| 2012-04-26/a> | Richard Porter | Define Irony: A medical device with a Virus? |
| 2012-04-25/a> | Daniel Wesemann | Blacole's obfuscated JavaScript |
| 2012-04-25/a> | Daniel Wesemann | Blacole's shell code |
| 2012-04-12/a> | Guy Bruneau | HP ProCurve 5400 zl Switch, Flash Cards Infected with Malware |
| 2012-04-12/a> | Guy Bruneau | Apple Java Updates for Mac OS X |
| 2012-03-25/a> | Daniel Wesemann | evilcode.class |
| 2012-03-03/a> | Jim Clausing | New automated sandbox for Android malware |
| 2012-02-24/a> | Guy Bruneau | Flashback Trojan in the Wild |
| 2012-02-20/a> | Rick Wanner | DNSChanger resolver shutdown deadline is March 8th |
| 2012-02-20/a> | Pedro Bueno | Simple Malware Research Tools |
| 2012-01-14/a> | Daniel Wesemann | Hello, Antony! |
| 2011-12-28/a> | Daniel Wesemann | .nl.ai ? |
| 2011-12-10/a> | Daniel Wesemann | Unwanted Presents |
| 2011-12-07/a> | Lenny Zeltser | V8 as an Alternative to SpiderMonkey for JavaScript Deobfuscation |
| 2011-11-04/a> | Guy Bruneau | Duqu Mitigation |
| 2011-10-20/a> | Johannes Ullrich | Evil Printers Sending Mail |
| 2011-09-07/a> | Lenny Zeltser | Analyzing Mobile Device Malware - Honeynet Forensic Challenge 9 and Some Tools |
| 2011-08-29/a> | Kevin Shortt | Internet Worm in the Wild |
| 2011-06-15/a> | Pedro Bueno | Hit by MacDefender, Apple Web Security (name your Mac FakeAV here)... |
| 2011-05-25/a> | Daniel Wesemann | Apple advisory on "MacDefender" malware |
| 2011-05-19/a> | Daniel Wesemann | Fake AV Bingo |
| 2011-05-14/a> | Guy Bruneau | Websense Study Claims Canada Next Hotbed for Cybercrime Web Hosting Activity |
| 2011-05-03/a> | Johannes Ullrich | Update on Osama Bin Laden themed Malware |
| 2011-05-02/a> | Johannes Ullrich | Bin Laden Death Related Malware |
| 2011-04-23/a> | Manuel Humberto Santander Pelaez | Image search can lead to malware download |
| 2011-03-01/a> | Daniel Wesemann | AV software and "sharing samples" |
| 2011-02-07/a> | Pedro Bueno | The Good , the Bad and the Unknown Online Scanners |
| 2011-02-01/a> | Lenny Zeltser | The Importance of HTTP Headers When Investigating Malicious Sites |
| 2010-12-29/a> | Daniel Wesemann | Malware Domains 2234.in, 0000002.in & co |
| 2010-12-29/a> | Daniel Wesemann | Beware of strange web sites bearing gifts ... |
| 2010-10-26/a> | Pedro Bueno | Cyber Security Awareness Month - Day 26 - Sharing Office Files |
| 2010-09-09/a> | Marcus Sachs | 'Here You Have' Email |
| 2010-07-21/a> | Adrien de Beaupre | Dell PowerEdge R410 replacement motherboard firmware contains malware |
| 2010-07-21/a> | Adrien de Beaupre | autorun.inf and .lnk Malware (NOT 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198) |
| 2010-07-06/a> | Rob VandenBrink | Bogus Support Organizations use Live Operators to Install Malware |
| 2010-07-04/a> | Manuel Humberto Santander Pelaez | Malware inside PDF Files |
| 2010-06-17/a> | Deborah Hale | FYI - Another bogus site |
| 2010-06-14/a> | Manuel Humberto Santander Pelaez | Rogue facebook application acting like a worm |
| 2010-06-07/a> | Manuel Humberto Santander Pelaez | Software Restriction Policy to keep malware away |
| 2010-06-02/a> | Rob VandenBrink | New Mac malware - OSX/Onionspy |
| 2010-05-26/a> | Bojan Zdrnja | Malware modularization and AV detection evasion |
| 2010-05-23/a> | Manuel Humberto Santander Pelaez | e-mail scam announcing Fidel Castro's funeral ... and nasty malware to your computer. |
| 2010-05-21/a> | Rick Wanner | IBM distributes malware at AusCERT! |
| 2010-04-30/a> | Kevin Liston | The Importance of Small Files |
| 2010-04-19/a> | Daniel Wesemann | Linked into scams? |
| 2010-04-18/a> | Guy Bruneau | Some NetSol hosted sites breached |
| 2010-04-13/a> | Johannes Ullrich | More Legal Threat Malware E-Mail |
| 2010-03-30/a> | Pedro Bueno | Sharing the Tools |
| 2010-03-26/a> | Daniel Wesemann | Getting the EXE out of the RTF again |
| 2010-03-09/a> | Marcus Sachs | Energizer Malware |
| 2010-03-04/a> | Daniel Wesemann | salefale-dot-com is bad |
| 2010-03-03/a> | Johannes Ullrich | Reports about large number of fake Amazon order confirmations |
| 2010-02-21/a> | Patrick Nolan | Looking for "more useful" malware information? Help develop the format. |
| 2010-01-14/a> | Bojan Zdrnja | PDF Babushka |
| 2010-01-07/a> | Daniel Wesemann | Static analysis of malicious PDFs |
| 2010-01-07/a> | Daniel Wesemann | Static analysis of malicous PDFs (Part #2) |
| 2009-12-17/a> | Daniel Wesemann | overlay.xul is back |
| 2009-12-17/a> | Daniel Wesemann | In caches, danger lurks |
| 2009-12-16/a> | Rob VandenBrink | Beware the Attack of the Christmas Greeting Cards ! |
| 2009-12-07/a> | Rick Wanner | Cheat Sheet: Analyzing Malicious Documents |
| 2009-12-04/a> | Daniel Wesemann | Max Power's Malware Paradise |
| 2009-12-02/a> | Rob VandenBrink | SPAM and Malware taking advantage of H1N1 concerns |
| 2009-11-25/a> | Jim Clausing | Updates to my GREM Gold scripts and a new script |
| 2009-09-25/a> | Lenny Zeltser | Categories of Common Malware Traits |
| 2009-09-25/a> | Deborah Hale | Conficker Continues to Impact Networks |
| 2009-09-25/a> | Deborah Hale | Malware delivered over Google and Yahoo Ad's? |
| 2009-09-04/a> | Adrien de Beaupre | Fake anti-virus |
| 2009-08-29/a> | Guy Bruneau | Immunet Protect - Cloud and Community Malware Protection |
| 2009-08-26/a> | Johannes Ullrich | Malicious CD ROMs mailed to banks |
| 2009-07-26/a> | Jim Clausing | New Volatility plugins |
| 2009-07-03/a> | Adrien de Beaupre | Happy 4th of July! |
| 2009-07-02/a> | Bojan Zdrnja | Cold Fusion web sites getting compromised |
| 2009-07-02/a> | Daniel Wesemann | Getting the EXE out of the RTF |
| 2009-06-16/a> | John Bambenek | Iran Internet Blackout: Using Twitter for Operational Intelligence |
| 2009-06-16/a> | John Bambenek | URL Shortening Service Cligs Hacked |
| 2009-06-04/a> | Raul Siles | Malware targetting banks ATM's |
| 2009-06-04/a> | Raul Siles | Targeted e-mail attacks asking to verify wire transfer details |
| 2009-06-01/a> | G. N. White | Yet another "Digital Certificate" malware campaign |
| 2009-05-20/a> | Pedro Bueno | Cyber Warfare and Kylin thoughts |
| 2009-05-07/a> | Deborah Hale | Malicious Content on the Web |
| 2009-05-04/a> | Tom Liston | Facebook phishing malware |
| 2009-04-24/a> | Pedro Bueno | Did you check your conference goodies? |
| 2009-03-13/a> | Bojan Zdrnja | When web application security, Microsoft and the AV vendors all fail |
| 2009-02-23/a> | Daniel Wesemann | Turf War |
| 2009-02-23/a> | Daniel Wesemann | And the Oscar goes to... |
| 2009-02-10/a> | Bojan Zdrnja | More tricks from Conficker and VM detection |
| 2009-02-09/a> | Bojan Zdrnja | Some tricks from Conficker's bag |
| 2009-02-04/a> | Daniel Wesemann | Titan Shields up! |
| 2009-01-31/a> | John Bambenek | Google Search Engine's Malware Detection Broken |
| 2009-01-24/a> | Pedro Bueno | Identifying and Removing the iWork09 Trojan |
| 2009-01-18/a> | Daniel Wesemann | 3322. org |
| 2009-01-15/a> | Bojan Zdrnja | Conficker's autorun and social engineering |
| 2009-01-12/a> | William Salusky | Downadup / Conficker - MS08-067 exploit and Windows domain account lockout |
| 2009-01-07/a> | Bojan Zdrnja | An Israeli patriot program or a trojan |
| 2009-01-02/a> | Rick Wanner | Tools on my Christmas list. |
| 2008-12-25/a> | Maarten Van Horenbeeck | Merry Christmas, and beware of digital hitchhikers! |
| 2008-12-25/a> | Maarten Van Horenbeeck | Christmas Ecard Malware |
| 2008-12-17/a> | donald smith | Team CYMRU's Malware Hash Registry |
| 2008-12-05/a> | Daniel Wesemann | Been updatin' your Flash player lately? |
| 2008-12-05/a> | Daniel Wesemann | Baby, baby! |
| 2008-12-04/a> | Bojan Zdrnja | Rogue DHCP servers |
| 2008-11-17/a> | Jim Clausing | Finding stealth injected DLLs |
| 2008-11-16/a> | Maarten Van Horenbeeck | Detection of Trojan control channels |
| 2008-11-12/a> | John Bambenek | Thoughts on Security Intelligence (McColo Corp alleged spam/malware host knocked offline) |
| 2008-11-11/a> | Swa Frantzen | Acrobat continued activity in the wild |
| 2008-11-10/a> | Stephen Hall | Adobe Reader Vulnerability - part 2 |
| 2008-10-07/a> | Kyle Haugsness | Good reading and a malware challenge |
| 2008-09-29/a> | Daniel Wesemann | ASPROX mutant |
| 2008-09-22/a> | Maarten Van Horenbeeck | Data exfiltration and the use of anonymity providers |
| 2008-09-18/a> | Bojan Zdrnja | Monitoring HTTP User-Agent fields |
| 2008-09-07/a> | Lorna Hutcheson | Malware Analysis: Tools are only so good |
| 2008-09-03/a> | Daniel Wesemann | Static analysis of Shellcode |
| 2008-09-03/a> | Daniel Wesemann | Static analysis of Shellcode - Part 2 |
| 2008-09-01/a> | John Bambenek | The Number of Machines Controlled by Botnets Has Jumped 4x in Last 3 Months |
| 2008-08-13/a> | Adrien de Beaupre | CNN switched to MSNBC |
| 2008-08-05/a> | Daniel Wesemann | The news update you never asked for |
| 2008-07-20/a> | Kevin Liston | Malware Intelligence: Making it Actionable |
| 2008-07-15/a> | Maarten Van Horenbeeck | Extracting scripts and data from suspect PDF files |
| 2008-07-14/a> | Daniel Wesemann | Obfuscated JavaScript Redux |
| 2008-07-07/a> | Pedro Bueno | Bad url classification |
| 2008-06-18/a> | Marcus Sachs | Olympics Part II |
| 2008-06-14/a> | Lorna Hutcheson | Malware Detection - Take the Blinders Off |
| 2008-06-10/a> | Swa Frantzen | Ransomware keybreaking |
| 2008-06-01/a> | Mark Hofman | Free Yahoo email account! Sign me up, Ok well maybe not. |
| 2008-05-28/a> | Adrien de Beaupre | Another example of malicious SWF |
| 2008-05-27/a> | Adrien de Beaupre | Malicious swf files? |
| 2008-05-26/a> | Marcus Sachs | Predictable Response |
| 2008-05-14/a> | Bojan Zdrnja | War of the worlds? |
| 2008-05-02/a> | Adrien de Beaupre | Hi, remember me?... |
| 2008-04-30/a> | Bojan Zdrnja | (Minor) evolution in Mac DNS changer malware |
| 2008-04-24/a> | Maarten Van Horenbeeck | Targeted attacks using malicious PDF files |
| 2008-04-16/a> | Bojan Zdrnja | The 10.000 web sites infection mystery solved |
| 2008-04-15/a> | Johannes Ullrich | SRI Malware Threat Center |
| 2008-04-14/a> | John Bambenek | A Federal Subpoena or Just Some More Spam & Malware? |
| 2008-04-07/a> | John Bambenek | Got Kraken? |
| 2008-04-07/a> | John Bambenek | Kraken Technical Details: UPDATED x3 |
| 2008-04-07/a> | John Bambenek | HP USB Keys Shipped with Malware for your Proliant Server |
| 2008-04-06/a> | Daniel Wesemann | Advanced obfuscated JavaScript analysis |
| 2008-04-04/a> | Daniel Wesemann | nmidahena |
| 2008-04-03/a> | Bojan Zdrnja | VB detection: is it so difficult? |
| 2008-04-02/a> | Adrien de Beaupre | When is a DMG file not a DMG file |
| 2008-03-27/a> | Maarten Van Horenbeeck | Guarding the guardians: a story of PGP key ring theft |
| 2006-08-31/a> | Swa Frantzen | NT botnet submitted |
| 2000-01-02/a> | Deborah Hale | 2010 A Look Back - 2011 A Look Ahead |
ANALYSIS |
| 2020-01-25/a> | Guy Bruneau | Is Threat Hunting the new Fad? |
| 2020-01-12/a> | Guy Bruneau | ELK Dashboard and Logstash parser for tcp-honeypot Logs |
| 2019-12-29/a> | Guy Bruneau | ELK Dashboard for Pihole Logs |
| 2019-12-07/a> | Guy Bruneau | Integrating Pi-hole Logs in ELK with Logstash |
| 2019-11-23/a> | Guy Bruneau | Local Malware Analysis with Malice |
| 2019-10-18/a> | Xavier Mertens | Quick Malicious VBS Analysis |
| 2019-06-27/a> | Rob VandenBrink | Finding the Gold in a Pile of Pennies - Long Tail Analysis in PowerShell |
| 2019-06-14/a> | Jim Clausing | A few Ghidra tips for IDA users, part 4 - function call graphs |
| 2019-04-17/a> | Jim Clausing | A few Ghidra tips for IDA users, part 2 - strings and parameters |
| 2019-04-08/a> | Jim Clausing | A few Ghidra tips for IDA users, part 1 - the decompiler/unreachable code |
| 2019-04-03/a> | Jim Clausing | A few Ghidra tips for IDA users, part 0 - automatic comments for API call parameters |
| 2019-03-31/a> | Didier Stevens | Maldoc Analysis of the Weekend by a Reader |
| 2019-02-27/a> | Didier Stevens | Maldoc Analysis by a Reader |
| 2018-11-18/a> | Guy Bruneau | Multipurpose PCAP Analysis Tool |
| 2018-10-21/a> | Pasquale Stirparo | Beyond good ol’ LaunchAgent - part 0 |
| 2018-08-31/a> | Jim Clausing | Quickie: Using radare2 to disassemble shellcode |
| 2018-06-01/a> | Remco Verhoef | Binary analysis with Radare2 |
| 2018-02-20/a> | Renato Marinho | Statically Unpacking a Brazilian Banker Malware |
| 2017-09-29/a> | Lorna Hutcheson | Good Analysis = Understanding(tools + logs + normal) |
| 2017-07-09/a> | Russ McRee | Adversary hunting with SOF-ELK |
| 2017-04-28/a> | Russell Eubanks | KNOW before NO |
| 2017-01-28/a> | Lorna Hutcheson | Packet Analysis - Where do you start? |
| 2016-12-24/a> | Didier Stevens | Pinging All The Way |
| 2016-10-30/a> | Pasquale Stirparo | Volatility Bot: Automated Memory Analysis |
| 2016-10-17/a> | Didier Stevens | Maldoc VBA Anti-Analysis: Video |
| 2016-10-15/a> | Didier Stevens | Maldoc VBA Anti-Analysis |
| 2016-05-14/a> | Guy Bruneau | INetSim as a Basic Honeypot |
| 2016-04-21/a> | Daniel Wesemann | Decoding Pseudo-Darkleech (Part #2) |
| 2015-05-03/a> | Russ McRee | VolDiff, for memory image differential analysis |
| 2014-07-05/a> | Guy Bruneau | Malware Analysis with pedump |
| 2014-04-21/a> | Daniel Wesemann | Finding the bleeders |
| 2014-03-13/a> | Daniel Wesemann | Web server logs containing RS=^ ? |
| 2014-01-14/a> | Chris Mohan | Spamming and scanning botnets - is there something I can do to block them from my site? |
| 2013-10-28/a> | Daniel Wesemann | Exploit cocktail (Struts, Java, Windows) going after 3-month old vulnerabilities |
| 2013-06-18/a> | Russ McRee | Volatility rules...any questions? |
| 2013-05-11/a> | Lenny Zeltser | Extracting Digital Signatures from Signed Malware |
| 2013-03-09/a> | Guy Bruneau | IPv6 Focus Month: IPv6 Encapsulation - Protocol 41 |
| 2013-02-03/a> | Lorna Hutcheson | Is it Really an Attack? |
| 2013-01-08/a> | Jim Clausing | Cuckoo 0.5 is out and the world didn't end |
| 2012-12-02/a> | Guy Bruneau | Collecting Logs from Security Devices at Home |
| 2012-09-19/a> | Kevin Liston | Volatility: 2.2 is Coming Soon |
| 2012-09-14/a> | Lenny Zeltser | Analyzing Malicious RTF Files Using OfficeMalScanner's RTFScan |
| 2012-06-21/a> | Russ McRee | Analysis of drive-by attack sample set |
| 2012-06-04/a> | Lenny Zeltser | Decoding Common XOR Obfuscation in Malicious Code |
| 2012-05-23/a> | Mark Baggett | IP Fragmentation Attacks |
| 2012-03-03/a> | Jim Clausing | New automated sandbox for Android malware |
| 2012-02-07/a> | Jim Clausing | Book Review: Practical Packet Analysis, 2nd ed |
| 2011-05-20/a> | Guy Bruneau | Sysinternals Updates, Analyzing Stuxnet Infection with Sysinternals Tools Part 3 |
| 2011-04-14/a> | Adrien de Beaupre | Sysinternals updates, a new blog post, and webcast |
| 2011-02-01/a> | Lenny Zeltser | The Importance of HTTP Headers When Investigating Malicious Sites |
| 2010-08-09/a> | Jim Clausing | Free/inexpensive tools for monitoring systems/networks |
| 2010-07-21/a> | Adrien de Beaupre | autorun.inf and .lnk Malware (NOT 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198) |
| 2010-05-26/a> | Bojan Zdrnja | Malware modularization and AV detection evasion |
| 2010-04-11/a> | Marcus Sachs | Network and process forensics toolset |
| 2010-03-26/a> | Daniel Wesemann | Getting the EXE out of the RTF again |
| 2010-02-13/a> | Lorna Hutcheson | Network Traffic Analysis in Reverse |
| 2010-01-14/a> | Bojan Zdrnja | PDF Babushka |
| 2010-01-07/a> | Daniel Wesemann | Static analysis of malicous PDFs (Part #2) |
| 2010-01-07/a> | Daniel Wesemann | Static analysis of malicious PDFs |
| 2009-11-25/a> | Jim Clausing | Updates to my GREM Gold scripts and a new script |
| 2009-11-03/a> | Bojan Zdrnja | Opachki, from (and to) Russia with love |
| 2009-09-25/a> | Lenny Zeltser | Categories of Common Malware Traits |
| 2009-07-26/a> | Jim Clausing | New Volatility plugins |
| 2009-07-02/a> | Daniel Wesemann | Getting the EXE out of the RTF |
| 2009-04-15/a> | Marcus Sachs | 2009 Data Breach Investigation Report |
| 2009-03-13/a> | Bojan Zdrnja | When web application security, Microsoft and the AV vendors all fail |
| 2009-02-10/a> | Bojan Zdrnja | More tricks from Conficker and VM detection |
| 2009-02-09/a> | Bojan Zdrnja | Some tricks from Conficker's bag |
| 2009-01-18/a> | Daniel Wesemann | 3322. org |
| 2009-01-15/a> | Bojan Zdrnja | Conficker's autorun and social engineering |
| 2009-01-07/a> | Bojan Zdrnja | An Israeli patriot program or a trojan |
| 2009-01-02/a> | Rick Wanner | Tools on my Christmas list. |
| 2008-12-13/a> | Jim Clausing | Followup from last shift and some research to do. |
| 2008-11-17/a> | Jim Clausing | Finding stealth injected DLLs |
| 2008-11-17/a> | Marcus Sachs | New Tool: NetWitness Investigator |
| 2008-09-03/a> | Daniel Wesemann | Static analysis of Shellcode - Part 2 |
| 2008-07-07/a> | Pedro Bueno | Bad url classification |
| 2006-10-02/a> | Jim Clausing | Reader's tip of the day: ratios vs. raw counts |
| 2006-09-18/a> | Jim Clausing | Log analysis follow up |
| 2006-09-09/a> | Jim Clausing | Log Analysis tips? |
| 2006-09-09/a> | Jim Clausing | A few preliminary log analysis thoughts |
