pietro.delsante's blog

Rumal, a web GUI for Thug

As you may know, Thug is a handy tool for studying exploit kits, as it emulates a real browser complete of a set of plugins like Adobe Reader, Flash and Java. When you feed Thug with the URL of a suspicious web page, it “crawls” it and starts fetching and executing any internal or external JavaScript, following redirects and downloading files just like a browser would do. When Thug encounters some files it cannot analyze by itself (like Flash, Java and PDF), it passes them to external tools. Thug’s results are then collected in a variety of formats, with the default one being a set of collections inside a MongoDB database. Thug works very well but the output can be challenging to navigate, the result often being the ability to only check if the exploit kit’s payload (e.g. an *.exe file) has been downloaded: if not, one may think that the URL is not malicious, or maybe that the exploit kit is dead. That’s where a web GUI would come handy, and that’s exactly what Thug’s Rumal was born for: there’s plenty of information that can be extracted from Thug’s output and that can help a correct analysis to determine the maliciousness of a web page.
Rumal was developed by Tarun Kumar during the Google Summer of Code 2015 program, and its goal is to provide a web GUI for Thug. Read more »

In-depth Interview: Lukas Rist

Lukas Rist (@glaslos) is a software engineer with Blue Coat Norway where he develops behavioral malware analysis systems. In his spare time, he creates web application and ICS/SCADA honeypots and botnet monitoring tools under the umbrella of the Honeynet Project. He recently developed an interest in industrial security and automated SQL statement classification. He will be giving a live demo on Conpot at the upcoming The Honeynet Project workshop in Warsaw, on May 13. Here are his answers to our questions: keep reading to get to know a bit more about him. Read more »

In-depth Interview: Maximilian Hils

Maximilian Hils (@maximilianhils) is a student of Information Systems at WWU Münster, Germany. He is one of the two core developers of mitmproxy, on which he started to work on during his Honeynet Google Summer of Code project in 2012. In his spare time, he develops web applications and slays SSL dragons whereever he finds them. Recently, he developed an interest in Cloud Storage Security and Security Usability. He will be giving a live demo about "slaying SSL dragons with mitmproxy" at the upcoming annual The Honeynet Project workshop in Warsaw on May 13. Here you have a nice way to discover something more about him and his work. Read more »

In-depth Interview: Sebastian Pöplau

Sebastian Pöplau (@poeplau) is the lead developer of the Ghost USB Honeypot, a detection system for USB malware. He is an IT security enthusiast and a full member of the Honeynet Project. He has studied in Bonn, Germany, and Santa Barbara, CA, and works with Lastline. He will be giving a live demo about code-loading techniques on Android during the annual The Honeynet Project Workshop in Warsaw on May 12. Here you have a good chance to get to know him a bit more. Read more »

Malware-serving theaters for your android phones - Part 1

Some nights ago I was heading to a local theater with some (non-nerd) friends. We did not recall very well the address, so I brought out my phone (LG Nexus 4 with Android 4.4.2 and Google Chrome) and googled for it. I found the theater's official site and started looking for the contact info, when Chrome suddenly opened a popup window pointing me to a Russian web site (novostivkontakte.ru) urging me to update my Flash Player. I laughed loudly and showed them to my (again, totally non-nerd) friends saying that the site had been owned. One of them went on and opened the site with her own phone (Samsung Galaxy S Advance with Android 4.4.1 and the default Android WebKit browser). To make a long story short, after a few instants her phone was downloading a file without even asking her for confirmation. So: Chrome on my Nexus 4 was using social engineering to have me click on a link and manually download the file; Android's WebKit on her Galaxy S Advance was instead downloading the file straight away: interesting! However, we were a bit late and we had to run for the comedy, so I did not even bother to see what the heck she had downloaded, I only made sure she hadn't opened it. I thought it was just the usual exploit kit trying to infect PCs by serving fake Flash Player updates, seen tons of those. While waiting for the comedy to begin, I quickly submitted the compromised site to three different services, the first three ones that came to my mind: HoneyProxy Client, Wepawet and Unmask Parasites, then turned off my phone and enjoyed the show. Read more »

Syndicate content