Overview
Explore the world of threat intelligence and malware analysis in this 36-minute video from Derbycon 2012. Dive into topics such as redirection chains, user agent strings, and obfuscation techniques. Learn about monitoring modes, input modes, and browser-specific considerations for Internet Explorer and Firefox. Examine various obfuscation methods including concatenation, hexadecimal charcodes, arithmetic operations, string splitting, and base32 conversions. Analyze the Blackhole Exploit Kit, decode malware using Python, and interpret GFI Sandbox reports. Gain practical insights into payload analysis and registry key examination to enhance your skills in hunting and detecting malicious activities.
Syllabus
Intro
A STORY ABOUT BOB
A MEAN DETECTION RATE 17%
WHY THREAT INTELLIGENCE?
REDIRECTION CHAINS
USER AGENT STRINGS / REFERER
FROM A COMPROMISED SERVER
BASIC MODE
MONITOR MODE
INPUT MODE
INTERNET EXPLORER
FIREBUG EXTENSION FOR FIREFOX
OBFUSCATION TECHNIQUES
CONCATENATION
HEXADECIMAL CHARCODES
ARITHMETIC ON THE CHARCODE
STRING SPLITTING
CHARACTER REPLACEMENT
BASE32 CONVERSIONS
FUNCTION REFERENCES
BLACKHOLE EXPLOIT KIT
DECODING WITH PYTHON
BLACKHOLE DECODED
VIM FOLDING TO THE RESCUE!
PAYLOADS
GFI SANDBOX REPORT
GFI SANDBOX - REGISTRY KEYS
QUESTIONS?