Naming of 4D5A Security

We often get asked, how did you name 4D5A Security? It’s named after a Windows executable. If you’re a programmer or a malware analyst you’re always inspect the portable executable “header” of a file looking for uppercase “MZ”. These two letters identify that file as an executable, on Windows, as originally developed by Mark Zbikowski (called a vanity header named after his own initials).

As IR experts we often look at lots of files looking for executables or things that “run” do perform actions, and then “hunt” those codes down and their actions, to get an understanding of what did what and how to stop it. Thus, identifying all the executables in questionable places, during an incident, is critical. We then map out dates, times, etc, working our way back upon a timeline to identify ‘Patient zero’ or where it all started, etc. MZ is critical in that process as we inspect files.

But where does 4D5A come from? MZ is the ASCII value, or what we see in a text editor for the vanity header. The hexadecimal value of MZ is, you guessed it, 4D5A, as shown below:

Windows PE headers
4D5A is Hex for MZ

One way to think of our company is “we know how to execute”; or we know our malware; or we know our code. All the geeks in the room immediately know this because they’re use to looking at code and seeing both the ASCII and hexadecimal values, like that shown in the screenshot above.

Leave a Reply

Your email address will not be published. Required fields are marked *