
Security Literature

Hacker Challenge Report (pdf)
ANI 0-day Analysis (pdf)
Firepass Security Advisory (pdf)
eDir Remote Code Exec (pdf)
ZERT & MS VML Patch (pdf)
Glamour Ransomware (pdf)
Python To Extract Malware (pdf)
Zeus Malware Case Study (pdf)
Torpig VMM/IDT Signatures (pdf)
Vmware Shellcode Injection (pdf)
Unpacking FSG (pdf)
Hacking the Packer (pdf)
Life and Times of Ddabx (pdf)
W0rd 0-day Disassembly
Anatomy of a Phish IV (pdf)
PE Local DoS Vuln (pdf)
Cryptography of SSH2
Anatomy of a Phish III (pdf)
Upload Scripts & Toolkits
Red-Headed Browsers & WMF
Classic Trimode Exploit
ISC Malware Quiz 5 (pdf)
Access Log Analytics 2006
Assorted Incidentals 2005
Anatomy of a Phish II (pdf)
Anatomy of a Phish (pdf)
Scan of the Month 34
MS JVMs ByteVerify Trojan
Awstats Linux Rootkit
Tri-Mode Browser Exploits
Namibian TIBS Infection
Bestfriends and Sdbot Rootkit
Gwee Exploits Webmail
XSS, Triple-encoded Exploit
telnet:// used in IE Exploit
Investigating CHM Exploits
Investigating Netwin Malware
Short Security Discussions
Short Proof of Concepts
Stack Buffer Overflows
Attack Signatures and Analysis
Threats, Attacks, Defenses
First Trojan Tracking Journey

What Is MNIN.ORG

This is the homepage of Michael Ligh. I am a reverse engineer who specializes in vulnerability research and malware cryptography. I began my career working for a security-focused ISP for financial institutions. Later, I joined one of the nation's largest health care providers to locate and exploit flaws in their information infrastructure. I've developed forensic password recovery tools that are currently in use by law enforcement agencies around the world. I've worked with the iDefense intelligence group on the malicious code operations team for 3 years and have served as Chief of Special Projects at MNIN Security for about 8 years. I'm a co-author of Malware Analyst's Cookbook, a developer of The Volatility Project and Director of Malware Research at Terremark Worldwide.

Information on this web site is mostly from work that I did between 2003 and 2007. After that, I started dispersing articles on various other blogs and code repositories. If you're looking for something recent, please see one of the following:

My email address is michael*ligh @ mnin*org. Remove the spaces and replace the asterisks with periods in order to use it. I also have a:

Please use my PGP Key for any sensitive matters.

Presentations

Malware Analyst's Cookbook
Short Articles

Using IDT for VMM Detection
Google Hacking osCommerce
Self-Incriminating Anti-spyware
Cross-Site Scripting Primer
Chaos & Order: ADS Malware
Unpacking The Dumpster
Detecting Promiscuous NIC
Cross-breeding Mytob/Hellbot
Escaping the Dust - Notepad
Introduction To Steganography
Panning For Gold - Grep Wget
The Salami Attack Analogy
Nmap Versus Iptables Battle
Investigate HTTP Based Exploits
Gedza - Incomplete VB Worm
Elementary Virus & Antivirus
Trial By Fire - Tiger Teams
Intro To Password Guessing
Fingerprinting the Fingerprint

Site design and layout with umm...a bash shell. Graphic by Aaron Bieber.
Unless otherwise noted, this work is licensed with Creative Commons Attribution License.