Blog ESEC Lab

Few weeks ago, preceding the 2009 SSTIC conference, the wonderful Stéphane Duverger proposed the SSTIC 2009 Challenge. It has been one of the most intersting reverse challenge I've seen these last months and I will take advantage of it to describe few use cases of Metasm.

I strongly encourage you to check the reference solution proposed by Raphael Rigo and Simon Marechal cause I will not detail how the challenge works, but rather how we have used Metasm to solve it. This will be a good opportunity to introduce simple usages of its nice functionalities (backtracking, code binding, symbolism).

Lire la suite

There are several way to trigger events when a PDF is viewed: pushing a button, resizing the document, closing it, reaching a page, when mouse pass on a zone, when an annotation is displayed/hidden, ... but the most interesting from an offensive point of view is when the document is open.

Here, we introduce several ways to trigger a JavaScript - but it could be any kind of action - when the PDF is opened ... A new sample is available in origami with all this code (see sources/samples/open/open.rb)

Lire la suite

While writing the previous article, I decided to run a simple test: hide a well-known virus in a PDF file, and let's see what happens. Results are beyond expectation!

Lire la suite

As we explained in the previous article, streams are a really important kind of object in PDF. Any data is represented as a stream. However, keeping raw data in a file can be inefficient (think about encoding or size issues for instance). So, this article shows how to create / manipulate streams and filters with origami. In the end, you should understand why it is easy to conceal JavaScript in a PDF file.

Lire la suite

PDF file format is now very common. It is regarded as secure because most people believe it is static. It is not. In order to prove it, we have developed a Ruby framework, origami designed to play with PDF files.

Lire la suite

Résumé des conférences de la 3ème journée du SSTIC 2009.

Lire la suite

Résumé des conférences de la 2nd journée du SSTIC 2009.

Lire la suite

Résumé des conférences de la 1ère journée du SSTIC 2009.

Lire la suite

Last week Julien and I were in Berlin to attend to the 18th EICAR conference.

Julien gave a talk on the analysis of a botnet. Based on a technical analysis of the infector and the pieces it drops, he, Damien and Christophe were able to get a discerning picture of the botnet architecture, and to understand how the author(s) monetize their creation with spam service or personal information robbing.

My talk was about a work that Jean-Baptiste and I have focused on during the beginning of the year. Our objective was to design an evaluation methodology for antivirus products that fits into the CSPN evaluation framework proposed by the DCSSI. During the talk, I presented our methodology and the results we obtained during a pilot evaluation we have carried out.

This year conference was once again quite interesting with many quality talks, including a caustic keynote by Fred Cohen. And by the way, Berlin is definitely a pleasant capital.

You can find our slides here (botnet analysis) and here (antivirus software evaluation methodology).

This article will explore a bit of the framework internals to show how decoding executable files and instructions is handled.

Lire la suite

This post will show the basic usage of the metasm framework as a disassembler, by following step by step the disassemble.rb sample script.

Lire la suite

La Gendarmerie Nationale organisait le 24 mars 2009 à Lille le 3e Forum International sur la Cybercriminalité. L'évènement a rassemblé près de 1500 participants et a été l'occasion pour Michèle Alliot-Marie, ministre de l'Intérieur, de l'Outre-mer et des Collectivités territoriales, d'annoncer de nouveaux moyens pour les investigations numériques. L'ESEC a tenu un stand lors du Forum et un de ses consultants a participé à une table ronde sur la gestion des flottes de téléphones mobiles. Voici un compte-rendu de certaines conférences ...

Lire la suite

Mardi 17 mars avait lieu à Paris la journée sécurité organisée par l'OSSIR, l'Observatoire de la Sécurité des Systèmes d'Information et des Réseaux. Julien et moi-même étions présents afin de présenter nos travaux sur les rootkits navigateurs. Voici un résumé de la journée.

Lire la suite

Le laboratoire de Recherche et Développement de l'ESEC organisait le 3 février 2009 un séminaire sur la Lutte Informatique Offensive. Après une introduction de David Bizeul sur les incidents de sécurité et de cybercriminalité dans le monde bancaire, les intervenants de l'ESEC ont traité des attaques de masse puis des attaques ciblées. Voici un résumé des différentes conférences ...

Lire la suite

Juste pour signaler la mise à disposition des transparents du séminaire du 3 février dernier :

• Les hébergeurs bullet-proof - A. Gazet et G. Campana - [PDF]
• Analyse d'un botnet venu du froid - D. Aumaître, C. Devaux et J. Lenoir [PDF]
• Contourner les produits de sécurité - JB. Bedrune et Y. Guillot [PDF]
• Les PDFs malicieux - G. Delugré et F. Raynal [PDF]
• Les rootkits navigateurs - C. Devaux et J. Lenoir [PDF]

Lire la suite