Havex Malware Analysis and Inside Malware C&C Server

  • Posted on: 19 August 2014
  • By: siteadm

In this article I'll analyze the recent Havex malware. You can read more about this malware here.

First of all, I want to thank Kyle Wilhoit for providing me with all the samples of the Havex malware.

Ok, let's start... As far as I've seen, all samples of this malware have a resource called ICT (in the SCADA module it is called TYU) which contains an encoded config file:

Tiny Malware PoC: Malware Without IAT, DATA OR Resource Section

  • Posted on: 13 August 2014
  • By: siteadm

Have you ever wondered about having an EXE without any entry in the IAT (Import Address Table) at all? Well, I knew that it was possible, but I had never seen an actual exe file without an IAT entry. So I developed an application which is 1,536 bytes and still does the basic annoying malware things. To summarize, this tiny app:

- Enumerates the following APIs:


Freetime + RFID Reader = Linux RFID Pluggable Authentication Module

  • Posted on: 7 August 2014
  • By: siteadm

Hey everyone! I had some free time last night and I noticed that I have several RFID cards and an RFID reader, and I do almost nothing with them. After thinking a little bit about what I could do with the RFID reader, I came up with an idea: an NFC RFID Linux PAM (Pluggable Authentication Module)! So the next time someone logs into my computer, the user must have an RFID card; otherwise, even entering the correct username+password combination will not work.

Basic Secure Web Application Programming Practices

  • Posted on: 6 August 2014
  • By: siteadm

When you learn that a company web server was compromised because of a small programming mistake in PHP, and that it would have been possible to stop the attack by calling a function, you will want to learn more about all those "function calls".
Basically, in this post, I'll talk about possible attacks on web applications and how to stop them.

Infostealer MySayad Operation Saffron Rose Malware Analysis

  • Posted on: 5 August 2014
  • By: siteadm

I received a sample of the Operation Saffron Rose malware and analyzed it. Here are the details:
CRC32: 99CC79B7 MD5: A7813001063A23627404887B43616386 SHA-1: 1C52B749403D3F229636F07B0040EB17BEBA28E4

This application is a packed cabinet file and is a self-extractor. We simply extract the files in it using WinRAR and get two files:

Startup Companies and Web Security

  • Posted on: 4 August 2014
  • By: siteadm

When you talk to enterprise companies with several years of experience, they probably know very well how important web security is. Even if they haven't experienced a security breach themselves, at least they have heard about other companies experiencing data leaks and security breaches. So I'm not talking to them in this post; they should have already learnt the importance of IT security.

But when it comes to startup companies, they don't even know about IT security. A lot of them don't care about it and never take it seriously; you would hear responses like: