CyberSecurity Malaysia Chapter Status Report For 2012

CyberSecurity Malaysia Chapter Status Report For 2012

List current chapter members and their activities.
• Adnan Mohd Shukor (adnan[at]
• Lee Ling Chuan (lc.lee[at]
• Mahmud Ab Rahman (mahmud[at] - Current Chapter Lead
• Mohd Hafiz Md Thabrani (hafiz[at]
• Nur Mohammad Kamil Bin Mohammad Alta (kamil[at]
• Tan Kean Siong (tankeansiong[at]
• Lim Jun Yi (junyi[at]
• Shahrir shafie (shahrir.shafie[at]
• Dzul Nizam Mahmud Pauzi (dzulnizam[at]
• Kamal hilmi othman

List changes in the structure of your chapter (alumnus).
• Salahudin Wan Khairuzzaman
• Adli Abdul Wahid
• Alip Aswalid Asri
• Ahmad Azizan Idris

List current technologies deployed.

The following are some of the components that are currently being deployed
• RFIPot - for capturing web based attacks
• Dionaea for malware collection and incident handling (CERT Part).
• Gallus for malicious pdf detection and collection


• Our chapter continues research on reverse engineering android malware. Please check for presentations links. We provided a class for reversing android malware training during Honeynet Workshop 2012.
• We worked on new research on windows kernel fuzzing specifically on font GDI engine system. Please read our research paper at here: Newly improve research and presentation will be presented at The code for fuzzer is released too.
• G-Yara is new tool we released to help yara lover testing their rules. G-Yara is a Web Base (PHP) yara rule editor. It's a handy way to test yara rule as you write the.
• We continue to spend our time shellcode analysis project. we improved minor patch for pylibemu. . Thanks to angelo of sysenter chapter and mark of Giraffe chapter. Of course, big thank to markus koetter for libemu.
• We continue to analyze on malicious document with focusing more on malicious flash. We conducted training during Honeynet Workshop 2012.


1. Duqu attack vector is said via vulnerability inside GDI engine (see CVE-2012-3402 (MS11-087)). We investigate the claim and many to reproduce the similar method by exploiting CVE2012-3402 embedded with Microsoft Word document. Video for the PoC is here:

2. Writing yara rules can be so frustrating. G-yara is try to address this issue.

3. ROP gadget is getting common now day on exploits released in the wild. We normally having hard time to keep on configuring/establishing environment require to properly analyzing the shellcode used within the exploit. We're in the midst of to improve the situation by working on project called "rkaji". The project will depend on pylibemu and libemu for code emulation.

List published papers and presentations.
1. GDI Fuzzing for fun :
2. Reversing Crypto and obfuscation inside Android Malware

List interactions with the security community.

1. Presentation on Android Malware analysis with Taiwan Honeynet Chapter

List possibilities to interact with your chapter (e.g. chapter web page).
2. we always at #honeynet irc. :)

List the goals the chapter meets for the past year.
1. We managed to finish the research on GDI Font fuzzing. Will focus on different type of font such as OpenType
2. We'll try to improve on ROP shellcode analysis. So far the idea to implement this idea is utilizing libemu emulator with importing ROP gadget from database (address + code).

3. We managed to research on malicious flash file.

State your chapter goals for the next year.

1. Kernel and Font type vulnerability analysis improvement
2. Malicious Flash document analysis
3. ROP shell code analysis improvement
4. Dynamic android analysis


Tan Kean Siong spending his time on GSOC 2012 administration.