research


We recently received a URL through Skype that caught our attention. It was a link belonging to LinkedIn, with our Skype ID as a parameter at the end of the URL. https://www.linkedin.com/slink?code=e2nsPHa#jpulusiv=victimskypeid   Usually, people would be wary when they receive links that look somewhat suspicious. But this link is from LinkedIn, the world’s largest networking site, so it would easy for anyone receiving this to quickly dismiss any thought of it being harmful. And the convincing personalized Skype ID at the... [Read More]
by RSS Nelson Ngu  |  Dec 06, 2016  |  Filed in: Security Research
The main issue with Hack.Lu this year was that there were too many interesting things in parallel: interesting talks, workshops, CTF... :) Talks 19 year old Filippo Valsorda talked about the setup of https://filippo.io/Heartbleed/ (heartbleed testing website) and his surprise at how many requests the website got. Several end-users also misunderstood the site and thought he would fix the issue, not just say if vulnerable. Attila Marosi presented his reverse engineering of some leaked Android FinSpy spyware. His tools to run a fake FinFisher server... [Read More]
by RSS Axelle Apvrille  |  Nov 10, 2014  |  Filed in: Security Research
If you have any interest in Android packers, or how to reverse mobile malware that use such packers, please don't miss Ruchna's upcoming talk at Hacktivity . Android Packers: Separating from the Pack - 11. October 2014. 11:20 - 12:05 If you feel like reading on this topic before, I suggest: our joint paper in Virus Bulletin : "Obfuscation in Android malware and how to fight back" (July 2014). With tools and tips to reverse obfuscated samples. Rowland Yu, "Android Packers: Facing the Challenges, Building the Solutions" at Virus Bulletin Conference,... [Read More]
by RSS Axelle Apvrille  |  Oct 09, 2014  |  Filed in: Security Research
A couple of days back, a game of Nerd Truth or Dare in the lab led to the shocking revelation that most of us were using our Facebook/Twitter accounts mainly to keep up with security blogs. Personally, being a twitter non-conformist until recently, I even created a twitter account for this sole purpose. And that led to the realization that FortiGuard Labs need to 'get with it' too. So here's introducing our Facebook and Twitter pages for your ease of following us. If you, like us, have tried every RSS aggregator there is under the sun, have been... [Read More]
by RSS Ruchna Nigam  |  Jun 20, 2011  |  Filed in: Security Research
In the past month changes in the SpyEye botnet kit have more or less stopped, after a very busy year in which many new versions were released. I was recently looking at all of the information I have from testing and analysis of these versions, when it occured to me that this lull in activity would be a good time to put some organized results together. Then when SpyEye returns, in some mutant, Zbot like form, we will have something like a guide to its workings, which should be useful. A good place to start this process is with the SpyEye botnet... [Read More]
by RSS Doug Macdonald  |  Feb 15, 2011  |  Filed in: Security Research
Tomorrow starts the quite famous - and ever sold-out - security conference Shmoocon, held in Washington DC until Sunday. The keynote this year will be filled by Peiter Mudge Zatko, inventor of L0phtcrack and early pioneer of buffer overflows. Among the talks filling the tri-tracks program (Build it / Break it / Bring it on), we're glad to find our Crypto Girl, Axelle, who will present a paper she co-wrote with Kyle Yang (another regular poster on this blog) on the infamous mobile phone malware Zitmo, that we discovered (simultaneously with Spanish... [Read More]
by RSS Guillaume Lovet  |  Jan 27, 2011  |  Filed in: Security Research
The W32/Seftad RansomWare has been spreading for a few days now, locking infected computers and trying to extort money for a recovery password. The infection is easily recognized by the text message below, which is displayed when the computer starts up, or rather fails to start. Your PC is blocked. All the hard drives were encrypted. Browse www.safe-data.ru to get an access to your system and files. Any attempt to restore the drives using other way will lead to inevitable data loss !!! Please remember Your ID: 773923, with its help your sign-on... [Read More]
by RSS Doug Macdonald  |  Dec 14, 2010  |  Filed in: Security Research
This month, Derek Manky, project manager, cyber security & threat research at Fortinet recorded an informative audio with Power Point presentation titled: “Threat Prevention: 2010 and Beyond.” This extremely enlightening discussion examines four real-world vulnerabilities (Dalai Lama, JBIG2 Zero-Day PDF, Operation Aurora and IE Zero Day) their timelines, what happened with these vulnerabilities, how the attacks occurred and what the payload was. Derek then concludes with examples of how you can best protect your network from becoming... [Read More]
by RSS Rick Popko  |  Jul 14, 2010  |  Filed in: Security Research
In January 2010, the Fortinet’s FortiGuard Labs threat researchers issued a report outlining their predictions for The Top 10 Security Trends for 2010. Now that we’re midway through the year, we thought it would be interesting to see how right (or wrong) we were and if anything completely unexpected has come up along the way. The following report spells out the trends the team predicted at the beginning of the year and concludes with comments on where each threat exists today. 1) Security, Virtually Speaking **January 2010: **“Preventing... [Read More]
by RSS Derek Manky  |  Jun 23, 2010  |  Filed in: Security Research
Although it is not a new idea to run an executable from within a PDF, the researcher Didier Stevens present a trick technique to make it more practical, "in the real world". In this post I will dissect a PDF document using this trick (MD5: 1dcd4a3f5d05433fcebf88d9138a1966), indeed found in the wild. As one of vendors affected, Adobe was investigating this issue and give a temporary solution. But no patch is available yet. In fact there maybe no patch at all... and although CVE number CVE-2010-1240 is assigned for this issue, Some people think it... [Read More]
by RSS Bin Liu  |  May 04, 2010  |  Filed in: Security Research