signal 11

SIGNAL 11 services

We are a small company providing incident response (IR), digital forensics, malware analysis, cyber threat intelligence and APT hunting. For more information contact us at .

Research blog of

  • 2014-12-30 My talk on Snake/Uroburos from Secure 2014 conference has been published. Slides available .
  • 2014-03-12 Snake aka Uroburos: analysis of a sophisticated rootkit used in cyber-espionage attacks.
    This is an analysis that I have contributed to - it describes the kernel-mode-centric variant of the malware family used in Turla-related activity.
  • 2013-10-01 maltego-misp interface A small but useful script that can visualize MISP threat intel data via Maltego.
  • 2012-12-16 funcap: quick capture of runtime debugger info to boost static analysis
    A plugin for IDAPython that helps to add runtime information coming from an automated debugging session to the IDA Pro analysis database file, so that an analyst can understand faster what the code does. The plugin won second place in the Hex-Rays plugin contest 2013. Github page available here.
  • 2012-06-23 Reversing Java and other types of VM bytecodes - do we have tools?
    Quick review of tools and techniques available for debugging bytecodes of different virtual machines. Failing to find a good way to debug Java VM code leads to an idea for a tool to improve the situation.
  • 2012-06-20 avwhy: reversing anti-virus detection signatures
    This little article shows an approach to reverse-engineering commercial antivirus detection signatures. If your antivirus is detecting something and you want to know why, you might be interested. The post includes a small script that implements some of these ideas.
    UPDATE: Support for McAfee and MS Security Essentials
  • 2010-04-19 Targeted attacks: from being a victim to counter-attacking
    A paper presented at Black Hat Europe 2010 conference about how a victim of a targeted attack can strike back against the attacker. It discloses a vulnerability in one of the trojans used in targeted attacks, Poison Ivy, and then describes a way of creating a stable and reliable exploit against it. Prior to that, it shows how to analyze malicious payload, how to identify the type of the trojan used, and how to deobfuscate the code. I have also published a video from the presentation which is available .
  • 2010-02-15 Size matters for the AV products
    This is (again) a story about how surprisingly easy it is to fool some of the AV products.
  • 2010-01-09 Yet another interesting PDF obfuscation
    I found other nice tricks the bad guys use to obfuscate the malicious JavaScript content in the PDF files.
  • 2009-11-25 Making malicious PDF undetectable
    Quick description of a technique that can be used to change the generated malicious PDF file to make it undetectable by the antivirus software.
  • 2009-11-03 Deobfuscating JavaScript
    A quick howto on un-obfuscating the JS code served with drive-by exploits. As it turns out, the proper usage of several tools makes it possible to break even the most complicated obfuscation.
  • 2009-06-27 Solaris NFS Server XDR handling vulnerability
    SIGNAL 11 discovered a serious Denial-of-Service vulnerability in Solaris NFS Server during the security assessment of Solaris network components. This is a detailed analysis of the vulnerability and risks.
  • 2009-06-27 Solaris NFS Client Module Vulnerability
    SIGNAL 11 discovered a serious Denial-of-Service vulnerability in Solaris NFS Client during the security assessment of Solaris network components. This is a detailed analysis of the vulnerability and risks.