TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... At the 2007 Black Hat Briefings in Las Vegas, TippingPoint DVLabs had five speakers presenting on a variety of topics.

Line Noise

It's been a while, so I have a tasty treat for all of you. A super long rendition of Line Noise! Links from our IRC to your monitor!


ThreatLinQ: Enabling Packed Executable Filters

This post highlights TippingPoint IPS filters that look for packed or compressed binaries. Once the bastion of many an anti-virus software, these filters provide decent first level protection for a lot of malware. We have seen statistics as high as 80% of all malware is packed in some fashion or another. While legitimate uses of packers for commercial software have grown as well, I feel that with a bit of tuning, these filters can offer excellent protection for your network. I would recommend put ...


MindshaRE: WinDbg Introduction

Everyone has their favorite debugger. Sometimes the debugger debate can become almost religious. All that aside, you must be familiar with a debugger. Honestly, it's just a matter of preference. WinDbg, OllyDbg/Immunity Debugger, and GDB will all accomplish the basic tasks you'll need in 90% of cases. So today I'm going to just get you started using WinDbg since it's my preference. A few commands to whet your whistle in the hopes you get motivated to practice until a debugger is second ...


ThreatLinQ: Spotlight on Filter 5682

On our last 'Spotlight' blog post we looked at a filter which is likely to hit thousands of times a day on your network. This time, we are going to focus on a filter which hits much more rarely, but which is still an important filter to have in your arsenal: Filter 5682 "Suspicious Hexadecimal IP address in URL". In a nutshell, this filter detects an obfuscation technique used to disguise the target of a link. In most cases, web sites either link to hostnames (http://www.example.co ...


MindshaRE: Live Analysis Markup

I have mentioned before that I am always trying to bridge the gap between static analysis and live analysis. I try to always reverse statically but let's face it, sometimes due to time constraints, complexity, or dynamic resolution of functions we need a little help from our favorite debugger. So today I'll demonstrate a little tool I use to help me easily pull the information I need from a debugger and still stay focused in IDA. My simple live analysis markup utility might help you in these situ ...


ThreatLinQ: A Look at Adobe Flash Policy Files

Over the past few weeks I have been looking at Adobe Flash 9, specifically the policy file changes that were introduced with this version. By default, cross-domain communication is not allowed by Adobe Flash. Cross-domain communication violates the single origin policy that should be enforced by Internet applications, such as web browsers and browser extensions, in order to protect users and servers from cross-site request ...


ThreatLinQ: Movers and Shakers

Alright, it's time for an installment of ThreatLinQ: Movers and Shakers. Most every week we will use this space to point out any interesting and/or sudden events we may see in the ThreatLinQ data. This week there are a couple of PHP File Include filters which popped up on the movers and shakers page which are worth talking about: First, Filter 4270 saw a sudden increase in traffic on 9/08/2009. This was due entirely to a single attacker from New Jersey targeting various PHP file includ ...


ThreatLinQ: Taking Out the Trash

One of the often cited benefits of IPS is the ability to keep ancient attacks from 'polluting' your otherwise pristine network. The fact is, attacks such as Code Red and SQL Slammer are still out there in force. And while there may be literally a 0% chance of these attacks being successful on a machine in your environment, there is simply no reason to let them into your network. Of course, when we tell people this, the first question we often get asked is "are these attacks R ...


MindshaRE: Using Structures

This week on MindshaRE we take a quick look at structures. I often see new reverse engineers skipping the creation of structures they encounter when disassembling a binary. While it is true that they can be slightly time consuming to create, the payoff in the end can far outweigh the minimal time investment. The biggest benefit will be during such things as OO method invocation, file format parsing, or packet tracing. Hopefully the examples I have will convince you to spend those extra 20 ...