Didier Stevens

Tuesday 26 August 2008


Filed under: My Software,Puzzle,WiFi — Didier Stevens @ 0:06

My search for a radial WiFi plotting tool was unsuccessful, so a coded my own: wsrradial.py.

It’s easy to record activity in the 2.400–2.500 GHz ISM spectrum with a Wi-Spy adapter and a directional antenna. Here’s my 9 dBi Yagi antenna:

One low-tech way to quantify the electromagnetic radiation around you goes like this: point the Yagi antenna in one direction for 1 minute, then turn it 45° and repeat the procedure, until you’ve completed a full circle. Use wsrradial to generate radial plots of the recording made with Chanalyzer. It’s configured by default for 8 measurements (360° divided by 45°) of 1 minute each, but command-line options allow you to choose your own parameters.

The following radial plot shows the average amplitude for each sampled frequency. The frequency is set out on the radial axis (the lowest frequency is closest to the center, the highest is the most distant), the angular coordinate is just the orientation of the directional antenna. Amplitude is hue color-coded.

This was recorded a couple of meters away from an active access point operating at 2.432 GHz. You can clearly see that the access point is situated in the upper-left corner.

The second plot generated by wsrradial shows the maximum amplitude instead of the average amplitude. I believe this plot gives a better picture of nearby transmitters.

I tried to use matplotlib to generate the charts, but was only able to generate the same charts Chanalyzer produces. So I coded my own chart plotting routines with the Python Image Library. If you know how to use matplotlib to make radial spectrum plots, let me know.

FYI: my latest little puzzle showed an average amplitude plot of the same recording, but with an older version of my program featuring an easier to code color map.

Sunday 24 August 2008

One More Little Puzzle

Filed under: Puzzle — Didier Stevens @ 22:07

What’s this? Have a guess!

Thursday 21 August 2008

Removing Malware With a Live CD

Filed under: Malware — Didier Stevens @ 6:32

Since a month, I’ve been advising the use of the F-Secure Rescue CD to readers and friends. That makes it time for a little video, showing you how to use it.

YouTube, Vimeo (better quality) and XviD hires (even better quality).

Tuesday 19 August 2008

A Third SpiderMonkey Trick

Filed under: Malware,My Software,Reverse Engineering — Didier Stevens @ 22:51

This escaped my attention, but SpiderMonkey 1.7 has been released for some time now.

I patched this new version (download on my SpiderMonkey page), and decided to add another small trick: implement the window object with the navigate method:

Wednesday 13 August 2008

Fake MSNBC Breaking News or Fake CNN Custom Alert? Make Up Your Mind!

Filed under: Malware — Didier Stevens @ 18:16

I appreciate a good joke:

Monday 11 August 2008

Gmail Warns Against Fake CNN Alerts

Filed under: Malware,Update — Didier Stevens @ 18:47

Gmail identified the Fake CNN Alerts as SPAM from the beginning, but now warns against phishing too:

Sunday 10 August 2008

Sampling a Malicious Site

Filed under: Malware,My Software — Didier Stevens @ 21:59

Fake CNN alerts galore!

I seize the opportunity to publish a new video (warning: 8 minutes of command-line staring) (hires XviD version here) showing you how to use my tools to retrieve malware samples hosted on a website. If you just visit an infected website with Internet Explorer, you run the risk of infecting your machine. The safe way to retrieve samples is to work in a low-risk environment (e.g. non-root account on a Linux VM) and use tools that are unlikely to be the target of exploits hosted on said website.

The following tools are featured in the video:

The file numbering trick (01., 02., 03., …) allows me to document exactly how I obtained the sample.

Since I recorded the video, the malware seems to have been removed from the site. But be careful, it’s not uncommon that compromised websites get reinfected.

Friday 8 August 2008

Fake CNN Custom Alert

Filed under: Malware — Didier Stevens @ 8:33

Here’s a new social engineering trick I hadn’t seen in my spam mail before:

The Shia link actually points to a real CNN article about the olympics & terrorism. So you might be inclined to click on the full story link.

Like the CNN Top 10 malware, it has a fake Flash update:

Which happens to be malware.

Thursday 7 August 2008

Update: USBVirusScan 1.7.2

Filed under: My Software,Update — Didier Stevens @ 8:40

I release USBVirusScan version 1.7.2.

Two new features:
-s scan available removable drives when USBVirusScan is started
-r also start the command at drive removal, parameter %e indicates drive arrival ‘A’ or drive removal ‘R’


USBVirusScan_V1_7_2.zip (https)


SHA256: 0090C73D6A3725E75C3388387A7A9E869C5D6BEA83E0D4D612E1CB25458163F3

Tuesday 5 August 2008

How Is My Hacking? (.com)

Filed under: Announcement,Nonsense,Puzzle — Didier Stevens @ 17:50

My new stickers arrived today:

From now on, winners of my little puzzles can expect a little prize (I’ll contact winners of past puzzles)…

Next Page »

Blog at WordPress.com.