Hello and welcome to the Tuesday, May 26, 2006 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich and the time I'm recording from Jacksonville, Florida.

And this episode is brought you by the Sands.edu graduate certificate program in cyber security

leadership. Microsoft Access, well, that's a database. I had a couple of run-ins within the past,

in the distant past, luckily. Did he got interested into Microsoft Access now because, well, it may be used to actually execute

Visual Basic for application code. Yes, the dot MDB files that Microsoft Access runs on

may contain Visual Basic for applications, and with that could be used to infiltrate systems, to basically

execute malicious code, just like with any other Microsoft product that does execute VBA.

So in order to help us out here and help us analyze some of these scripts that may contain,

that may be contained in these dot MDB files, DDA is offering here some help,

a little bit sort of reverse analysis on the MDB files, how to extract some of these

Visual Basic for Application scripts. Microsoft does not offer really any documentation here,

and DDA will also in the future present a couple more complex examples,

how to extract the VBA code from these Microsoft Access Database files.

Well, and then we got more reverse analysis tricks here over the weekend, this time from

Xavier.

Xavier looked at, well, decoding stack strings.

Stack strings is an obfuscation technique that's often found in malware.

In order to avoid using specific strings that of course could easily be

identified with signatures. The attacker uses basically dynamically created strings where

one byte at a time is copied into the stack in order to assemble a particular string.

And that's of course a little bit of pain to analyze. So Xavier took a look at

...