
Security Literature

Hacker Challenge Report (pdf)
ANI 0-day Analysis (pdf)
Firepass Security Advisory (pdf)
eDir Remote Code Exec (pdf)
ZERT & MS VML Patch (pdf)
Glamour Ransomware (pdf)
Python To Extract Malware (pdf)
Zeus Malware Case Study (pdf)
Torpig VMM/IDT Signatures (pdf)
Vmware Shellcode Injection (pdf)
Unpacking FSG (pdf)
Hacking the Packer (pdf)
Life and Times of Ddabx (pdf)
W0rd 0-day Disassembly
Anatomy of a Phish IV (pdf)
PE Local DoS Vuln (pdf)
Cryptography of SSH2
Anatomy of a Phish III (pdf)
Upload Scripts & Toolkits
Red-Headed Browsers & WMF
Classic Trimode Exploit
ISC Malware Quiz 5 (pdf)
Access Log Analytics 2006
Assorted Incidentals 2005
Anatomy of a Phish II (pdf)
Anatomy of a Phish (pdf)
Scan of the Month 34
MS JVMs ByteVerify Trojan
Awstats Linux Rootkit
Tri-Mode Browser Exploits
Namibian TIBS Infection
Bestfriends and Sdbot Rootkit
Gwee Exploits Webmail
XSS, Triple-encoded Exploit
telnet:// used in IE Exploit
Investigating CHM Exploits
Investigating Netwin Malware
Short Security Discussions
Short Proof of Concepts
Stack Buffer Overflows
Attack Signatures and Analysis
Threats, Attacks, Defenses
First Trojan Tracking Journey

What Is MNIN.ORG

Recent posts can be found on my (Blog).
Malware RCE tools can be found on my (Google Code Site)

This is the homepage of Michael Ligh. I am a reverse engineer who specializes in vulnerability research and malware cryptography. I began my career working for a security-focused ISP for financial institutions in New England. Later, I joined one of the nation's largest health care providers to locate and exploit flaws in their information infrastructure. I've worked as a contractor to develop forensic password recovery tools that are currently in use by law enforcement agencies around the world. At the moment, I am employed by the (iDEFENSE) intelligence group on the malicious code operations team.

Most of my website is security chit-chat, technical suspense, or forensic horror stories. You will find an interesting article or two, should you happen to exercise the muscles in your pointer finger while hovering over a link. My (Malware RCE) presentation at Defcon 16 is coming up - it focuses on how to decrypt obscure c&c protocols, configuration files, and stolen data.

My email address is michael*ligh @ mnin*org. Remove the spaces and replace the asterisks with periods in order to use it. I also have a (LinkedIn Profile) for public affairs and a (PGP Key) for private matters. Thanks and have a great day.

External

2009 Forensics Wiki and e-fense Helix3 with malfind
2009 Internet Storm Center on Downatool.exe Research
2008 Internet Storm Center on Locating stealth DLLs
2008 Malware RCE: Debuggers & Decryptor Development
2007 GPCode Evolution and Ransomware Decryptor (by SSC)
2007 Internet Storm Center on ANI Cursor Vulnerability
2007 CVE-2007-0186, CVE-2007-0187, CVE-2007-0188
2006 SSC & MNIN Encrypted Malware Case Study
2006 CVE-2006-5478 Stack Overflow in Novell eDirectory iMonitor
2006 Zeroday Emergency Response Team (ZERT)
2006 CVE-2006-4554 Compression Plus and Tumbleweed Overflow
2006 Buffer Overflow Against Novell eDirectory iMonitor
2006 Mal-aware Blog on Anatomy of a Phish Series
2005 Internet Storm Center Diary on Awstats Linux Rootkit
2005 University of Sunderland, U.K. Network Security Curricula
2005 Internet Storm Center Diary on Trimode Browser Attacks
2005 The Honeynet Project Scan of the Month 34 Winners
2005 GIAC Reverse Engineering Malware Analyst 0051
2005 Internet Storm Center Diary on Trojan Tracking
2005 Microsoft's Automated Web Patrol with Strider HoneyMonkeys
2005 Internet Storm Center Diary on Sony DRM Rootkits
2005 Bleeding-Snort Significant Signatures Contributions List
2005 Internet Storm Center Malware Analysis #5 Winner

Short Articles

Using IDT for VMM Detection
Google Hacking osCommerce
Self-Incriminating Anti-spyware
Cross-Site Scripting Primer
Chaos & Order: ADS Malware
Unpacking The Dumpster
Detecting Promiscuous NIC
Cross-breeding Mytob/Hellbot
Escaping the Dust - Notepad
Introduction To Steganography
Panning For Gold - Grep Wget
The Salami Attack Analogy
Nmap Versus Iptables Battle
Investigate HTTP Based Exploits
Gedza - Incomplete VB Worm
Elementary Virus & Antivirus
Trial By Fire - Tiger Teams
Intro To Password Guessing
Fingerprinting the Fingerprint

Presentations

Manual Intrusion Detection
Debugging with CVE-2007-0038

Last Updated: February 23 2009 mnin.org is |00000110| years old.
Site design and layout with umm...a bash shell. Graphic by (Aaron Bieber)
Unless otherwise noted, this work is licensed with (Creative Commons Attribution License).
