Implementing anti-debugging and anti-analysis techniques is a key point for attackers. Anti-debugging means the malware tries to detect whether it is being debugged (executed in a debugger, or running slower than expected). Anti-analysis refers to techniques that detect whether the malware is being detonated in a sandbox or examined by a malware analyst. In such cases, tools run in parallel with the malware to collect live data (packets, API calls, files, or registry activity).
Tag Archives: SANS
Microsoft August 2023 Patch Tuesday, (Tue, Aug 8th)
Are Leaked Credentials Dumps Used by Attackers?, (Fri, Aug 4th)
Leaked credentials have been a common threat for a while. Popular services like "Have I Been Pwned"[1] help everyone learn whether their email addresses and passwords have been leaked. This is a classic problem: one day, you create an account on a website (e.g., an online shop), and later, this website is compromised. All credentials are collected and shared by the attacker. To reduce this risk, a best practice is to avoid password re-use (as well as to not use your corporate email address for non-business-related stuff).
Do Attackers Pay More Attention to IPv6?, (Sat, Jul 29th)
IPv6 has always been a hot topic! Available for years, many ISPs have deployed IPv6 all the way to their residential customers. In Belgium, we were for a long time the number-one country for IPv6 deployment because all the big players provided IPv6 connectivity. In today's operating systems, IPv6 will be used first if your computer sees "RA" packets (for "router advertisement" [1]) and can get an IPv6 address. This is totally transparent. That's why many people think they don't use IPv6, but they do!
Suspicious IP Addresses Avoided by Malware Samples, (Wed, Jul 26th)
Modern malware samples implement a lot of anti-debugging and anti-analysis techniques. The idea is to slow down the malware analyst's job or, more simply, to bypass security solutions like sandboxes. These days, I see more and more malware samples written in Python that have these built-in capabilities. One of them is the detection of “suspicious” IP addresses.
Apple Updates Everything (again), (Mon, Jul 24th)
JQ: Another Tool We Thought We Knew, (Mon, Jul 24th)
Shodan's API For The (Recon) Win!, (Fri, Jul 21st)
Ever been on a call with a client, and had that "I need a full set of nmap results for that host in 5 seconds" moment? Like when you're trying to scope out the size of a project (maybe a pentest project) and if you *just* had the list of open ports you'd have an answer other than "I'll call you back", because nmap will take 10 minutes?