In an effort to detect malicious Javascript code, Microsoft is developing a tool named Zozzle, aimed to be embedded into the Javascript engine of a browser.
The authors claim that it is both fast and efficient with a very low rate of false positive.
Here is the report for more details.
That was so funny !
Analyzing the MBR is sometimes required during a forensic process, if you suspect a malicious activity that is not detected on-line. With static analysis, you may see if an obvious corruption happened, but you will need to debug to learn more.
$ dd if=<source> of=disk.img bs=65536 conv=noerror
Or :
$ ddrescue -n <source> <dest> file.log
Check the disk geometry using :
$ fdisk -luc disk.img
These values will be useful for step 5.
However, if you have an exotic disk, it may be much trickier. For example, I got some geometry errors with a flash disk when using Bochs at step 11. Special thanks to Gene Cumm from the bochs-developpers mailing list who gave me the tip to specify the geometry to dd :
$ dd if=input of=output bs=2064384 count=507
Refer to CHS if you wonder how to get these values.
$ dd if=<source> of=mbr.dump bs=512 count=5
ata0-master: type=disk, path="sdb.img", mode=flat, cylinders=507, heads=64, spt=63
Before going on, you may test that Bochs can use the image with these settings :
C:\>"c:\Program Files\Bochs-2.4.5\bochsdbg.exe" -f bochsrc -q
# Some constants SECTOR_SIZE = 512 BOOT_START = 0x7C00 BOOT_SIZE = 0x7C00 + SECTOR_SIZE * 4 BOOT_END = BOOT_START + BOOT_SIZE SECTOR2 = BOOT_START + SECTOR_SIZE MBRNAME = "mbr.img" IMGNAME = "sdb.img"
C:\> mbr update
You should now be able to go ahead and debug the MBR step by step.
Found on Full Disclosure, a weired but troubling connection of two security affairs : the OpenBSD backdoor rumor and the stuxnet worm.
Wow, this article and especially one of its comments saved my day.
My computer crashed and one of the VMware machine hosted on it could not start anymore :
“Cannot open the disk ‘path of vmdk’ or one of the snapshot disks it depends on.
Reason: the specific virtual disk needs repair.
Checking on the VMware forums, I quickly found the command that was supposed to help :
$ vmware-vdiskmanager -R /path/to/disk.vmdk The virtual disk, '/path/to/disk.vmdk', is corrupted but the repair process has failed.
Damned ! I almost resigned restoring the last backup and loosing a week of work when, by chance, I found the article mentioned above.
As recommended, I downloaded the Virtual Disk Development Kit 1.2 from VMware, untared it and still doubtfully launched :
$ ./bin64/vmware-vdiskmanager -R /path/to/disk.vmdk The virtual disk, '/path/to/disk.vmdk', was corrupted and has been successfully repaired.
Saved! Thanks so much to the guys. I would have never thought about trying it, I wonder how they could find it.
But how is it possible that the utility coming with vmware workstation 7.1 suck so much and is not on par with other versions ?
Well, following a suggestion from my wife, I decided to bring up a mascotte for this website.
I admit that it was a lot of fun playing with Gimp and Inkscape, which are really great tools.
So please welcome our new little spiky friend :
I hope that you have nothing against hedgehogs, which should be inspiring the security industry !