Welcome to SecurityDocs

A collection of 8,050 IT security white papers, carefully curated by professionals like yourself

Web Malware 101

by Anish

Let's see an example of an obfuscated script. The target here is the Storm worm. This worm started spreading in January 2007. It used e-mail messages with subject lines about weather disasters in Europe, hence the name. Let's inspect the JavaScript that contains the obfuscation function, shall we?

Nov. 29, 2017 0 comments malwarecrypt.blogspot.mx Detection & Response

Illusion Gap - Antivirus Bypass

by Kasif Dekel

During our research, CyberArk Labs encountered a strange behavior in the file scanning process of Windows Defender. This problem may possibly exist in other anti-viruses, which we have not yet tested. This behavior led us to investigate the Antivirus scanning process over SMB shares and the outcome is a surprising cause for concern.

Nov. 25, 2017 0 comments www.cyberark.com Detection & Response

Guide to Cyber Threat Information Sharing

This publication provides guidelines for establishing and participating in cyber threat information sharing relationships. This guidance helps organizations establish information sharing goals, identify cyber threat information sources, scope information sharing activities, develop rules that control the publication and distribution of threat information, engage with existing sharing communities, and make effective use of threat information in support of the organization’s overall cyberse...

Nov. 25, 2017 0 comments nvlpubs.nist.gov Detection & Response

PandaLabs Annual Security Report 2017

by Luis Corrons

Cybercrime is an attractive and profitable business. Attackers are making use of more, and better, digital and economic resources than ever before, allowing them to develop attacks that are increasingly sophisticated. Almost anyone can launch an advanced attack thanks to the democratization of technology, the black market, and open source tools. As a consequence, it must be assumed that all companies could become the target of an advanced attack to start working on effective securi...

Nov. 24, 2017 0 comments www.pandasecurity.com Detection & Response

Kelihos Analysis

In recent years I’ve noticed a shift in the malware economy from botnets to ransomware, which is likely due to the AV industry employing more aggressive tactics against botnets, resulting in a drop in profitability. As I’ve said before: ransomware is about as interesting to me as watching oil dry, and they’re so basic that they aren’t worth reversing, so I decided to look at something old but gold, Kelihos.

Nov. 23, 2017 0 comments www.malwaretech.com Detection & Response

Rekall v1.7 - Forensic and Incident Response Framework

The Rekall Framework is a completely open collection of tools, implemented in Python under the Apache and GNU General Public License, for the extraction and analysis of digital artifacts from computer systems. The Rekall distribution is available from: http://www.rekall-forensic.com/. Rekall should run on any platform that supports Python. Rekall supports investigations of the following 32bit and …

Nov. 23, 2017 0 comments www.pentestingexperts.com Detection & Response

Digital Forensics - Artifacts of Interactive Sessions

In this article I would like to go over some of the digital forensic artifacts that are likely to be useful on your quest to find answers to investigative questions, especially when conducting digital forensics and incident response on security incidents where you know the attacker performed their actions while logged in interactively to a Microsoft Windows system. Normally, one of the first things I look at is the Windows Event logs. When properly configured they are a treasure trove of informa...

Nov. 23, 2017 0 comments countuponsecurity.com Detection & Response

Steganography: A Safe Haven for Malware

by Dave McMillen

Steganography, or the practice of concealing a file, message, image or video within another file, message, image or video, may be an older technique, but it continues to be an incredibly versatile and effective method for obscuring or hiding information in plain sight. In 2017, IBM X-Force has identified three different malware samples in network attacks containing cryptocurrency CPU-mining tools hidden within fake image files.

Nov. 23, 2017 0 comments securityintelligence.com Detection & Response

Cyber Threat Intelligence Support to Incident Handling

by Brian P. Kime

Recent research has shown increased awareness of Cyber Threat Intelligence (CTI) capabilities. However, CTI teams continue to be underutilized and have had difficulty demonstrating the value they can add to digital forensics incident response (DFIR) teams. Meta-analysis of multiple surveys will identify where the gaps in knowledge exist. The paper will suggest how CTI can support DFIR at each level of intelligence and operations – tactical, operational, and strategic – and during each ph...

Nov. 19, 2017 0 comments www.sans.org Detection & Response

Did Microsoft Just Manually Patch Their Equation Editor Executable? Why Yes, Yes They Did. (CVE-2017-11882)

by Mitja Kolsek

Really, quite literally, some pretty skilled Microsoft employee or contractor reverse engineered our friend EQNEDT32.EXE, located the flawed code, and corrected it by manually overwriting existing instructions with better ones (making sure to only use the space previously occupied by original instructions). How do we know that? Well, have you ever met a C/C++ compiler that would put all functions in a 500+ KB executable on exactly the same address in the module after rebuilding a modified ...

Nov. 18, 2017 0 comments 0patch.blogspot.mx Detection & Response

Stuxnet-style code signing is more widespread than anyone thought

by Dan Goodin

Researchers have presented proof that digitally signed malware is much more common than previously believed. What's more, it predated Stuxnet, with the first known instance occurring in 2003. The researchers said they found 189 malware samples bearing valid digital signatures that were created using compromised certificates issued by recognized certificate authorities and used to sign legitimate software. In total, 109 of those abused certificates remain valid. The researchers, who presented ...

Nov. 18, 2017 0 comments arstechnica.com Detection & Response

Tackling the Unique Digital Forensic Challenges for Law Enforcement in the Jurisdiction of the Ninth U.S. Circuit Court

by John Garris

The field of digital forensics continues to evolve at a rapid pace, adapting to explosive demands, including the increasing need for qualified digital forensics practitioners. These individuals must continuously adjust to regularly changing technologies while navigating complex and often varying legal requirements that sometimes impose significant limitations on the approaches and techniques they may legally apply.

Nov. 18, 2017 0 comments www.sans.org Detection & Response

Banking Trojan IcedID Discovered by IBM X-Force Research

by Limor Kessem

IBM X-Force research follows developments in the financial cybercrime arena to map the events and trends that shape the threat landscape for organizations and consumers alike. After a year that has been very active in terms of banking malware, point-of-sale (POS) malware and rampant ransomware attacks, the X-Force team identified a new banking Trojan active in the wild dubbed IcedID.

Nov. 15, 2017 0 comments securityintelligence.com Detection & Response

Alina, the Latest POS Malware

The danger of having the data of thousands of credit cards recorded makes Point of Sale (POS) terminals a critical system, as well as an increasingly sought-after target of cybercrime. Attacking these devices anonymously online is relatively straightforward, and selling the data on the black market is profitable. We’ve recently detected infections at a significant number of bars and restaurants in the United States whose POS terminals were attacked by two variants of credit card theft malw...

Nov. 14, 2017 0 comments www.pandasecurity.com Detection & Response

Coupon fraud could be costing your business millions

Coupon fraud comes in a variety of flavors. Normally, coupon transactions are simply data changing hands between the consumer, coupon providers and an agent that sorts and audits the coupons. Because there are so many layers, only one needs to be vulnerable to affect the whole supply chain. The Balance noted that shoppers often participate in coupon fraud by making multiple copies of the coupon, using the discount for products that extend beyond those listed in the terms, stealing newspaper i...

Nov. 13, 2017 0 comments blog.trendmicro.com Detection & Response

New FakeNet-NG Feature: Content-Based Protocol Detection

by Matthew Haigh, Michael Bailey, Peter Kacherginsky

I (Matthew Haigh) recently contributed to FLARE’s FakeNet-NG network simulator by adding content-based protocol detection and configuration. This feature is useful for analyzing malware that uses a protocol over a non-standard port; for example, HTTP over port 81. The new feature also detects and adapts to SSL so that any protocol can be used with SSL and handled appropriately by FakeNet-NG. We were motivated to add this feature since it was a feature of the original FakeNet and it was needed...

Nov. 13, 2017 0 comments www.fireeye.com Detection & Response

Fancy Bear Microsoft Word attacks infect PCs sans macros

by Dan Goodin

Fancy Bear, the advanced hacking group researchers say is tied to the Russian government, is actively exploiting a newly revived technique that gives attackers a stealthy means of infecting computers using Microsoft Office documents, security researchers said this week. Fancy Bear is one of two Russian-sponsored hacking outfits researchers say breached Democratic National Committee networks ahead of last year's presidential election. The group was recently caught sending a Word document th...

Nov. 12, 2017 0 comments arstechnica.com Detection & Response

Triaging Alerts with Threat Indicators

by Gregory Pickett

Enterprises see more and more alerts every day. They are continually flooded with alerts, and the numbers keep increasing. Because analysts don’t know which ones indicate a genuine threat, they have to be gone through one at a time to find out. With not enough time in the day, some get ignored (Magee, 2017). There just isn’t enough time to get to them all. What if analysts could skip over those alerts that aren’t a threat and just focus their time on those that are? If they were able to do th...

Nov. 12, 2017 0 comments 10 minute read Detection & Response

Reverse Deception Used by Advanced Persistent Threats

by Mary W

The art of deception has been in use since ancient times to achieve objectives on the battlefield, at the negotiating table, and in business. Deception has also been used as a source of assurance, helping businesses protect themselves from cyber security threats and increase their ability to respond to the unexpected. Reverse deception refers to any strategy used by information security experts or organizations to deceive an adversary, thereby gaining a competitive advantage over the adversary...

Nov. 11, 2017 2 comments 3 minute read Detection & Response

How to Install Suricata NIDS on Ubuntu Linux

by Hitesh Jethva

Suricata is a free and open source, fast network intrusion detection system that can be used to inspect network traffic using a rules and signature language. Suricata is funded by the Open Information Security Foundation and is used for network intrusion detection, network intrusion prevention and security monitoring. It is capable of handling multiple gigabytes of traffic, displaying it on screen and also sending alerts through email. Suricata’s architecture is very similar to Snort and relies on sig...

Nov. 11, 2017 0 comments komunity.komand.com Detection & Response