SANS ISC: Internet Storm Center
What is new?
Published: 2000-01-01 Last Updated: 2018-01-01 11:13:13 UTC by Didier Stevens (Version: 1)
How to best start the new year? How about a new tool: what-is-new.py.

It's something I have to do often, and I'm sure you do too: you make lists at regular intervals (for example every week), and you want to know what is new, i.e. what you haven't seen before. This is what my tool what-is-new.py helps you with: you give it text files, and it reports every line it hasn't seen before (it keeps a database).

For example, I use this tool to review the User Agent Strings of the HTTP(S) requests to my web servers. Every week I produce a list of User Agent Strings found in my web server logs, and feed this to what-is-new: this gives me a list of User Agent Strings not seen before.

Detail: the problem is that User Agent Strings contain version numbers, and that makes for a long list of "new" User Agent Strings every week. I solve this problem by using a custom, canonical representation of the User Agent String: I only keep the letters. For example, the User Agent String "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 CyanogenMod/10.2/grouper" becomes "Mozilla X Linux x AppleWebKit KHTML like Gecko Version Safari CyanogenMod grouper". By using this representation, I have about 50 new User Agent Strings every week.

Here are some interesting ones found in the last months:

Nikto:
Canonical:
Actual:

And apparently, someone visited my site from a Cray supercomputer :-)
"Mozilla/0.3 (Cray UNICOS) Lynx/2.0.113.0"

Some visitors cherish their privacy explicitly:
"Mozilla/5.0 (have a guess) recent but undisclosed"
"Wouldn't You Like To Know!"

And finally, since cryptocurrencies have become so popular:
"whoismining.com Bot/1.0"

This is from a web site that checks if web sites use your browser to mine crypto currencies:
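The letters-only canonicalization and the seen-before database, as an added Python example written for this diary (it is not the code of what-is-new.py itself). The two weekly lists are constructed: week 2 repeats the CyanogenMod User Agent String with bumped version numbers, so comparing raw lines would flag it as new while the canonical form does not.

```python
import json
import re
from pathlib import Path

_LETTERS = re.compile(r"[A-Za-z]+")

def canonical_ua(ua):
    """Keep only runs of letters, so version numbers do not make a UA look 'new'."""
    return " ".join(_LETTERS.findall(ua))

class NewLineTracker:
    """Remembers canonical keys across runs; an optional JSON file acts as the database."""
    def __init__(self, dbpath=None):
        self.dbpath = Path(dbpath) if dbpath else None
        self.seen = set()
        if self.dbpath and self.dbpath.exists():
            self.seen = set(json.loads(self.dbpath.read_text()))

    def report_new(self, lines, canonicalize=canonical_ua):
        """Return [(key, original_line)] for lines whose key was never seen, and remember them."""
        new = []
        for line in lines:
            line = line.strip()
            if not line:
                continue
            key = canonicalize(line) if canonicalize else line  # None = compare raw lines
            if key not in self.seen:
                self.seen.add(key)
                new.append((key, line))
        if self.dbpath:
            self.dbpath.write_text(json.dumps(sorted(self.seen)))
        return new

# Constructed sample lists (not the diary's real logs); week 2 re-versions the first UA.
WEEK1 = [
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30 CyanogenMod/10.2/grouper",
    "Mozilla/0.3 (Cray UNICOS) Lynx/2.0.113.0",
]
WEEK2 = [
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Safari/537.36 CyanogenMod/11.0/grouper",
    "whoismining.com Bot/1.0",
]

def demo(canonicalize=canonical_ua):
    """Feed both weeks in order and return the keys reported as new in week 2."""
    tracker = NewLineTracker()  # in-memory only; pass a path to persist between runs
    tracker.report_new(WEEK1, canonicalize)
    return [key for key, _ in tracker.report_new(WEEK2, canonicalize)]
```

With canonicalization only the whoismining bot is reported in week 2; with raw comparison (`demo(None)`) the re-versioned browser string is reported as well.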
Best wishes from the Internet Storm Center!

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
Keywords: user agent string
Analyzing TNEF files
Published: 2017-12-31 Last Updated: 2017-12-31 09:25:50 UTC by Didier Stevens (Version: 1)

Yesterday I came across a file type I rarely have to analyze: "Transport Neutral Encapsulation Format" (TNEF). It's an attachment file format used by Outlook and Exchange. Here is how the file command identifies it:
There are different free and open-source programs and libraries that can parse this file format. There's a Python module, tnefparse, that comes with a parsing program:
So this TNEF file contains one attached file: an .iso file. tnefparse can extract this .iso file:
I've covered the analysis of .iso files before in this diary entry. With 7-zip, I can look into the .iso file:
And extract the .exe (MD5 d71e537c1ca1aba1f6854c0cb7b71835) file:
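An added example parser (not tnefparse, and not the diary's sample file) that walks the TNEF attribute stream to list attachment names and bytes, which is the same step tnefparse performs above. It assumes the layout from the MS-OXTNEF specification: a 4-byte signature 0x223E9F78, a 2-byte legacy key, then attributes made of a level byte, a 4-byte id, a 4-byte length, the data and a 16-bit checksum (sum of the data bytes). The sample stream is constructed inline.

```python
import struct

TNEF_SIGNATURE = 0x223E9F78  # stored little-endian: 78 9F 3E 22
LVL_MESSAGE, LVL_ATTACHMENT = 0x01, 0x02
ATT_TNEF_VERSION, ATT_ATTACH_REND_DATA = 0x00089006, 0x00069002  # (type << 16) | id; RendData starts an attachment
ATT_ATTACH_TITLE, ATT_ATTACH_DATA = 0x00018010, 0x0006800F       # attachment file name; attachment bytes

def _checksum(data):  # 16-bit sum of the attribute's data bytes
    return sum(data) & 0xFFFF

def tnef_attributes(blob):
    """Yield (level, attr_id, data) per attribute; reject bad signature, short data, bad checksum."""
    if struct.unpack_from("<I", blob, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream (bad signature)")
    pos = 6  # skip signature (4) and legacy key (2)
    while pos < len(blob):
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)  # level, id, data length
        data = blob[pos + 9:pos + 9 + length]
        if len(data) != length:
            raise ValueError("truncated attribute 0x%08X" % attr_id)
        if struct.unpack_from("<H", blob, pos + 9 + length)[0] != _checksum(data):
            raise ValueError("checksum mismatch in attribute 0x%08X" % attr_id)
        pos += 9 + length + 2
        yield level, attr_id, data

def tnef_attachments(blob):
    """Return [(file_name, data)] for every attachment in the stream."""
    attachments = []
    for level, attr_id, data in tnef_attributes(blob):
        if level != LVL_ATTACHMENT:
            continue
        if attr_id == ATT_ATTACH_REND_DATA:  # each attachment begins with its RendData
            attachments.append(["", b""])
        elif attr_id == ATT_ATTACH_TITLE and attachments:
            attachments[-1][0] = data.split(b"\x00", 1)[0].decode("cp1252")
        elif attr_id == ATT_ATTACH_DATA and attachments:
            attachments[-1][1] = data
    return [tuple(a) for a in attachments]

def _attr(level, attr_id, data):  # one serialized attribute, checksum included
    return struct.pack("<BII", level, attr_id, len(data)) + data + struct.pack("<H", _checksum(data))

def build_sample_tnef(file_name, payload):
    """Constructed stream (not the diary's file): TNEF version attribute plus one attachment."""
    return (struct.pack("<IH", TNEF_SIGNATURE, 0x1234)
            + _attr(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
            + _attr(LVL_ATTACHMENT, ATT_ATTACH_REND_DATA, b"\x00" * 14)
            + _attr(LVL_ATTACHMENT, ATT_ATTACH_TITLE, file_name.encode("cp1252") + b"\x00")
            + _attr(LVL_ATTACHMENT, ATT_ATTACH_DATA, payload))
```

Extracted attachment bytes are written to disk only by the caller, so a nested container such as the .iso above can be handed to 7-zip or hashed without ever being executed.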
Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
Keywords: maldoc tnef