Microsoft Office Compatibility Pack tries to execute path without quotes

A couple of days ago i found a weird behaviour in my computer. When i double-clicked a .docx file, an error message appeared saying c:\Program couldn’t be executed. I don’t know when and why i had an empty file named “c:\Program” on my computer (i had been doing tests with %PROGRAMFILES% envar in my code and i guess the file derived of this).

I investigated a bit about it and it seems to be a bug of the “Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats”. It seems it keeps into a registry key a path to wordconv.exe without quotes, so when svchost.exe tries to execute c:\Program files\Microsoft office\Office12\Wordconv.exe, if c:\Program exists in the machine, it executes c:\Program.

It’s not an important bug and doesnt seem a security problem, because c:\Program is executed in the context of the currently logged user. However i decided to analyze the bug and you can find the analysis in this article.

Continue reading

Getting CryptoWall and CryptoDefense working without C&C

It’s common to find malware samples that need the C&C to work. This is the case of Cryptowall and CryptoDefense ransomwares. If you need to debug samples of these families you will usually find the C&C down and the ransom won’t work and won’t encrypt files. It only will try to connect to C&C continuously.

In this article i’m going to describe a way to create a fake C&C for CryptoWall and CryptoDefense families, and how to get samples of these families working into a vmware for example.

Continue reading

My first blog entry

Welcome to my very first blog post.

This is my personal blog where i’ll upload my own projects, articles, ideas, analysis, … In the stuff section, you can find some articles and PoC code. You can visit my github too, for some bigger projects.

I hope you enjoy it!