ISC StormCast for Monday, January 31st, 2022
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 31 January 2022
⏱️ 6 minutes
Transcript
| 0:00.0 | Hello, welcome to the Monday, January 31st, 2021 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida. |
| 0:14.7 | Xavier wrote up an interesting HTML file on Friday. It's not just an HTML file, but it also includes an ISO. |
| 0:24.0 | Now, typically we associate ISO files with these large multi-gigabyte DVD or CD images, but |
| 0:33.1 | well, in this case, it's actually not all that big, about 50 kilobytes, and entirely included inside the HTML file. |
| 0:42.5 | The way this works is that there is a little obfuscated JavaScript that will dynamically create the ISO file from a base64-encoded string and then offer it for download. The intention here is obvious |
| 0:57.5 | in that it attempts to bypass any filters that are looking for ISO files being delivered via |
| 1:05.2 | email. The basic mail scanner would just see an HTML file, and of course, HTML is pretty standard. |
| 1:14.8 | The JavaScript may give it away inside an email, but still, at the time when Xavier looked at |
| 1:20.9 | the file, VirusTotal scores were pretty low. Now, they have improved somewhat since Xavier published the diary. |
| 1:30.9 | The ISO file has somewhat better VirusTotal recognition, so if you end up saving it to disk, |
| 1:37.9 | it may actually get detected, but if you do launch the code inside the ISO file, you will download additional malware. |
| 1:48.0 | Now, if you see something odd like an ISO file inside an HTML file, |
| 1:53.0 | you may be tempted to write a YARA signature |
| 1:56.0 | in order to recognize these files |
| 2:00.0 | and, well, not sure if you had a chance, but in the Holiday |
| 2:03.6 | Hack Challenge, there was actually a really interesting sort of YARA challenge as well. |
| 2:10.3 | Debugging YARA signatures can be a little bit painful, but the upcoming version 4.2 of |
| 2:16.1 | YARA may make this a little bit easier. |
| 2:19.2 | And Didier wrote about the console module that's being included here. |
| 2:24.8 | A release candidate is available, and it allows you to basically debug YARA rules by outputting various constants and such to the console to help with debugging. |
| 2:39.1 | Microsoft has a nice blog writing up a recent attack that they have observed |
| 2:45.0 | where attackers are registering devices with organizations' Azure AD. |