Tuesday, July 20, 2010


Thanks to Lenny Zeltser for including ViCheck on the Analyzing Malicious Documents Cheat Sheet.

It's probably a good time to introduce ourselves. ViCheck is a combination of a cryptanalysis engine that detects encrypted executables embedded in documents and a multi-decoder for PDF that detects known exploits and JavaScript obfuscation techniques. We also use a commercial sandbox to attempt to collect dynamic information from exploit documents and from the executables we statically extract and decrypt. We don't run our samples live on the internet; a honeynet captures their requests for C2 domains internally.

Regarding our primary goal of detecting embedded executables in documents, we use an in-house developed cryptanalysis engine that scans for and tries leaked plaintext keys (a large part of any executable file is zero-filled space, which when encrypted with XOR algorithms leaks the key as plaintext), decrypts the executable and scans it for imported libraries. We also detect mathematical substitutions and replacement ciphers, and combinations thereof.
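As an added example (not ViCheck's code), here is one way to recover a repeating XOR key from the zero-byte leak described above and to confirm the result by locating the decrypted executable's DOS stub; the carrier document, the fake PE image and the key are constructed for demonstration.

```python
from collections import Counter
from typing import Optional, Tuple

# Known-plaintext marker present in practically every PE file's DOS stub.
DOS_STUB = b"This program cannot be run in DOS mode"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def leaked_key_window(blob: bytes, key_len: int) -> bytes:
    """Most frequent key_len-byte window in blob. Over a run of zero plaintext
    the ciphertext equals the key (0 XOR k == k), so this window is the key,
    rotated by however far the run sits from the start of the document."""
    windows = Counter(blob[i:i + key_len] for i in range(len(blob) - key_len + 1))
    return windows.most_common(1)[0][0]

def find_xored_pe(blob: bytes, max_key_len: int = 8) -> Optional[Tuple[bytes, int]]:
    """Try key lengths 1..max_key_len: take the leaked window, try each rotation,
    decrypt the blob and look for the DOS stub preceded by 'MZ'. Returns the key
    as applied from the executable's first byte and the offset of 'MZ'."""
    for key_len in range(1, max_key_len + 1):
        leaked = leaked_key_window(blob, key_len)
        for r in range(key_len):
            doc_key = leaked[r:] + leaked[:r]          # key phase relative to offset 0
            plain = xor_bytes(blob, doc_key)
            stub = plain.find(DOS_STUB)
            if stub == -1:
                continue
            mz = plain.rfind(b"MZ", 0, stub)
            if mz != -1:
                # Re-phase the key so it starts at the executable, not the document.
                exe_key = bytes(doc_key[(j + mz) % key_len] for j in range(key_len))
                return exe_key, mz
    return None

def build_sample() -> Tuple[bytes, bytes, int]:
    """Constructed carrier: PDF-looking text followed by a loosely PE-shaped,
    zero-heavy image XOR-encrypted with a 4-byte key. Not real malware."""
    key = b"\x37\xc4\x1f\xa9"
    fake_pe = (b"MZ\x90\x00" + b"\x00" * 56 + b"\x80\x00\x00\x00"
               + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
               + DOS_STUB + b".\r\r\n$" + b"\x00" * 1024
               + b"PE\x00\x00" + b"\x00" * 2048
               + b"KERNEL32.dll\x00LoadLibraryA\x00GetProcAddress\x00")
    carrier = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\nstream\n"
    return carrier + xor_bytes(fake_pe, key), key, len(carrier)
```

Once the key and offset are known, the recovered image can be carved and its import names scanned, as the post describes.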

Samples can be submitted via the web form on ViCheck.ca, either from your local computer or from a remote web URL, or via email by forwarding suspicious emails to hereyougo at vicheck.ca.
