SIGNAL 11 services
We are a small company providing incident response (IR), digital forensics, malware analysis, cyber threat intelligence and APT hunting.
For more information contact us at info@signal11.eu.
Research blog of deresz @ signal11
- 2014-12-30
"Snake aka Uroburos - the big picture" @ SECURE 2014
My talk on Snake/Uroburos from the SECURE 2014 conference has been published. Slides available here.
- 2014-03-12
Snake aka Uroburos: analysis of a sophisticated rootkit used in cyber-espionage attacks.
This is an analysis that I have contributed to - it describes the kernel-mode centric variant of a malware family used in Turla-related activity.
- 2013-10-01 maltego-misp interface
A small but useful script that can visualize MISP threat intel data via Maltego.
- 2012-12-16
funcap: quick capture of runtime debugger info to boost static analysis
A plugin for IDAPython that helps add runtime information coming from an
automated debugging session to the IDA Pro analysis database file so that an
analyst can understand faster what the code does. The plugin won second place in
the Hex-Rays plugin contest 2013. Github page available here.
- 2012-06-23
Reversing Java and other types of VM bytecode - do we have tools?
Quick review of tools and techniques available for debugging the bytecode of different
virtual machines. The failure to find a good way to debug Java VM code leads to an
idea for a tool to improve the situation.
- 2012-06-20
avwhy: reversing anti-virus detection signatures
This little article shows an approach to reverse-engineering commercial
antivirus detection signatures. If your antivirus is detecting something and you
want to know why, you might be interested. The post includes a small script that
implements some of these ideas.
UPDATE: Support for McAfee and MS Security Essentials
- 2010-04-19 Targeted attacks: from being a victim to counter-attacking
A paper presented at the Black Hat Europe 2010 conference about how a victim of a
targeted attack can strike back against the attacker. It discloses a
vulnerability in one of the trojans used in targeted attacks, Poison Ivy, and
then describes a way of creating a stable and reliable exploit against it. Prior
to that, it shows how to analyze a malicious payload, how to identify the type of
trojan used, and how to deobfuscate the code. I have also published a video
from the presentation, which is available here.
- 2010-02-15 Size matters for the AV products
This is (again) a story about how surprisingly easy it is to fool some of the AV products.
- 2010-01-09 Yet another interesting PDF obfuscation
I found other nice tricks the bad guys use to obfuscate malicious JavaScript content in PDF files.
- 2009-11-25 Making a malicious PDF undetectable
Quick description of a technique that can be used to change a generated malicious PDF file to make it undetectable
by antivirus software.
- 2009-11-03 Deobfuscating JavaScript
A quick howto on un-obfuscating the JS code served with drive-by exploits.
As it turns out, the proper usage of several tools makes it possible to break
even the most complicated obfuscation.
- 2009-06-27 Solaris NFS Server XDR handling vulnerability
SIGNAL 11 discovered a serious Denial-of-Service vulnerability in the Solaris NFS
Server during a security assessment of Solaris network components.
This is a detailed analysis of the vulnerability and risks.
- 2009-06-27 Solaris NFS Client Module vulnerability
SIGNAL 11 discovered a serious Denial-of-Service vulnerability in the Solaris NFS
Client during a security assessment of Solaris network components.
This is a detailed analysis of the vulnerability and risks.