Hello and welcome to the Monday, January 12, 2006 edition of the Sands Internet Storms Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu undergraduate certificate program in applied

cyber security.

Got some diaries to talk about from this weekend.

First, Xavier, again, about Malver analysis tricks here in this particular case about malicious

process environment blocks.

The process environment block is a data structure that's maintained with Windows processes,

holding things like, for example, the command line being used to execute the process

and other metadata about the particular process.

Now, of course, the process was started by the user. This structure is read-writeable by the user,

which means that any process can manipulate that structure as well and leave bad information in this structure.

So Xavier is going a little bit over how to accomplish this, some proof

of concept code here, how to rewrite the particular structure for a process that user can get

a handle on, and well, then also how to hide this particular structure, not just to manipulate

it. So interesting post for anybody doing

malvernalysis. If you wonder how do you actually get the real structure? Well, the trick here,

as Xavier points out, is to actually log the structure on process creation before the process

gets a chance to manipulate it.

And D.D. wrote a quick diary about the latest version of Yara 1.11.0 and how it's adding hash

function warnings. What this means is that if you're matching a hash function in a Yara rule,

but the hash that you're using couldn't possibly match this particular hash function

...