Didier Stevens

Friday 28 December 2012

Crossbreeding Spiders: Baiduspider And Googlebot

Filed under: Networking — Didier Stevens @ 0:03

While reviewing my webserver’s logs with InteractiveSieve, I noticed a peculiar User Agent String:

Mozilla/4.0 (compatible; +Baiduspider/2.0;++http://www.baidu.com/search/spider.html +Googlebot/2.1;++http://www.google.com/bot.html)

Why would Baidu and Google share a spider?

They don’t. It’s a fake User Agent String. I’ve 12 IP addresses in my logs that use this User Agent String, all from China, but none resolving to a hostname, and certainly not to domains baidu.cn or google.com.

And this fake spider doesn’t make any requests for existing documents, not even robots.txt. It’s only looking for ways to attack my sites:

20121228-005548

Thursday 20 December 2012

ListModules V0.0.0.1

Filed under: My Software — Didier Stevens @ 0:00

ListModules is a new tool to analyze PE files, like my AnalyzePESig tool. In stead of analyzing all files you point it to, it takes a snapshot of all processes, and analyses the modules (.exe, .dll, …) loaded in these processes. The output is very similar to AnalyzePESig’s output.

Sysinternal’s tool ListDLLs is a similar tool, but ListModules provides more info and is open source.

It helped me a couple of times to find malicious DLLs loaded inside processes that the AV would not catch.

ListModules_V0_0_0_1.zip (https)
MD5: 56D6BD9479915E6FF1C29A9D9F8F7950
SHA256: 43DFAD3F18C2F317E283BCDD453311BB17F6216C6748C25D102778DF63021069

Wednesday 12 December 2012

PaulDotCom Security Weekly And The (ISC)² Audit

Filed under: Certification — Didier Stevens @ 16:24

Almost six years ago I blogged about submitting (ISC)² CPE points for listening to IT security podcasts.

Last week I submitted CPE points for listening to 6 months of PaulDotCom Security Weekly podcasts. This CPE points submission was promptly selected for an audit by (ISC)².

I received an e-mail that informed me about the audit process and asked me to provide more information about the points I submitted. I replied with a description of what the podcast was about and with an excerpt from my spreadsheet I keep. A few days later I received a reply to inform me that I passed the audit.

Tuesday 4 December 2012

Authenticode Tools Page

Filed under: Announcement,My Software — Didier Stevens @ 13:53

I’ve added a new page to document my Authenticode Tools like AnalyzePESig.

It has a small explanation for each field found in the output of AnalyzePESig. For example, the fields Issuer Unique ID and Subject Unique ID should always be 0. In the case of the Flame certificate, they are not, because the Issuer Unique ID field was used to help produce the MD5 collision:

Filename:                       WuSetupV.exe.vir
MD5:                            1f61d280067e2564999cac20e386041c
Entropy:                        6.79663
...
Issuer unique ID chain:         887
Issuer unique ID chain:         0
Issuer unique ID chain:         0
Issuer unique ID chain:         0
Issuer unique ID chain:         0

I also use this tool to periodically review new executables on my machines.

Blog at WordPress.com.