Persianov on Security
[Blog] [Projects] [Bugtrack] [Challenges] [Contact] [RSS]

Blog: Latest articles

[How to block Internet access for programs on Linux]

There are times when we may need to block a specific program from accessing the Internet. I’m not saying while analysing some malicious executable, for that you should use a virtual environment (for starters). What if you want to block a text editor like Visual Studio Code? It is SCARY to look at the Wireshark/tcpdump output while executing it! Before even loading my file, it already made several DNS requests and established 4 TCP connections; and that’s with disabled analytics/metrics reports.

[How to import .vmdk to Proxmox (qemu)]

This is a short post on how to easily and quickly import a .vmdk disk type into your qemu powered virtualization manager (like Proxmox). While the solution may look VERY simple, this actually took me about half of a day to research/test/fail/troubleshoot/etc., so I really hope it may help other people (and me in future, when coming back to this post).

[Install Docker on CentOS 8]

CentOS 8 is already here with major updates. One of them being the replacement of well known yum with dnf package manager. All these updates make the upgrade from CentOS 7 to CentOS 8 difficult and it’s even not supported officially. So, in most cases people end up building new CentOS 8 servers and migrating the apps to new infrastructure, or try and upgrade it manually risking running an unsupported version of the OS. You can find more details on this forum thread.

[Cyber side of Coronavirus. WSHRAT 'Corona' Campaign]

Everybody is talking about the coronavirus pandemic, caused by Covid-19. Media is all about it, news published every minute, interviews with top scientists are being held, multiple websites create to track the spread and governments sending emails/SMS notifications to population about latest measures. It’s everywhere. Besides all these, multiple security companies confirmed a spike in online scams, phishing attacks and “coronavirus” malicious files. There was a 667% spike in phishing attacks since February, 2020, due to coronavirus fears. Everybody is in rush, people stockpiling and cybercriminals adapting their tools and exploiting unsuspicious users, connected to Internet more than ever.

[Windows worms. Forbix worm analysis.]

Anyone heard about Forbix worm? Good. Lots of us know how difficult is to remove a worm from an infected system or network. Of course it depends on multiple factors, like: the way it spreads, persistence mechanisms, disguise techniques used once machine is infected, reinfection methods, etc. These days, when someone says “Windows worm” we usually expect a highly sophisticated piece of malware, exploiting a 0-day/1-day vulnerability and “preferably” this vulnerability being in a service listening on a specific port exposed to the whole world. May be this is the case of the worm like ransomware WannaCry, but definitely not applicable to Forbix malware.

[Emotet malware analysis. Part 2.]

This is the Part 2 of my Emotet analysis. It covers phase 3 of the attack, specifically the PE file which is being dropped by infected websites, used in Phishing/Spam campaigns. Emotet is an advanced modular Trojan, predominantly used as Malware Distribution Platform, main goal being systems infection with other types of malware.

[Emotet malware analysis. Part 1.]

This is Part 1 of Emotet malware analysis I’m planning to post. It covers phases 1 and 2 of the attack, specifically phishing and establishing persistence in the infected system. Emotet is spread via phishing emails containing malicious links or attachments, and targets everyone (individuals, companies and governments).