Showing posts from 2007

Storm keeps coming (4th variant)

They just keep coming...this one is very similar to the 3rd variant we reviewed, but some changes are apparent.
1) Hash: 1f362ad74d62262bff6bcb1d078cbf7d
2) Aside from yet again changing the domain and binary, the hidden files written upon execution are as follows:

Helios Rootkit Detector
Scanning File System For Hidden Files

[*] Scanning Drive C
1 C:\WINDOWS\system32\bldy.config Hidden From API
2 C:\WINDOWS\system32\bldy3a80-61.sys Hidden From API
Execute Duration (in seconds)=18

Loaded Drivers:
Driver File Company Name Description

Kernel31 Api Log
***** Installing Hooks *****
4012d8 CreateFileA(C:\WINDOWS\System32\bldy.config)
40117f CreateFileA(C:\WINDOWS\System32\bldy3a80-61.sys)

WatchDir Initilized OK
Watching C:\WINDOWS
Created: C:\WINDOWS\system32\bldy.config
Modifed: C:\WINDOWS\system32\bldy.config
Modifed: C:\WINDOWS\system32
Created: C:\WINDOWS\system32\bldy3a80-61.sys
Modifed: C:\WINDOWS\system32\bldy3a80-61.sys

Better AV coverage a…

Holiday Storm Part 3

I know, I know...enough already. But our Storm friends have changed the game a bit for the third round, as discussed on the ISC Diary, in particular Update 3. The changed domain and binary name led me to ponder what else has changed. So...
1) New hash: BE22F894AC662C905C37CEFDE66DE065
2) Better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?). No more hanging out in the open, easily seen.
The Helios Rootkit Detector, now included in RAPIER, discovered darker voodoo than the last two versions:

Scanning File System For Hidden Files
[*] Scanning Drive C
1 C:\WINDOWS\system32\cleanmgr.exe Hidden From API
2 C:\WINDOWS\system32\clean.config Hidden From API
3 C:\WINDOWS\system32\clean6c9-3320.sys Hidden From API
4 C:\WINDOWS\system32\dllcache\cleanmgr.exe Hidden From API

SysAnalyzer says:

Loaded Drivers:
Driver File Company Name Description

Kernel31 Api Log
***** Installing Hooks *****
4012c1 CreateFileA(C:\WINDO…

Malware analysis tools

I've been asked to share the tools I use for malware analysis, in particular API details.
The Malcode Analysis Software Tools from iDefense Labs are extremely useful. toolsmith featured the suite in the July 2007 column.
API-Logger can be used as a standalone tool, or you can run the .exe through SysAnalyzer, which includes API-Logger output.
Other important pieces in my sandbox include VMWare Server (Linux host, Windows VMs), PE Explorer, RAPIER 3.2, Wireshark, Mandiant Red Curtain (MRC), and the Sysinternals tools.
Check the toolsmith page for articles on Wireshark, MRC, and RAPIER use as well.
Required reading from "The Godfather of RE", Lenny Zeltser, includes his Reverse Engineering Malware paper.

New Years Storm deja vu

Not content to settle for all the new bots they got for Christmas, the RBN would like to wish you a Happy New Year as well with hxxp://
New hash, 5bb3606d36019142507043f30401c5d2, same malware as that we received when we fell for the Christmas strip show they offered us ;-).
Again, it copies itself to C:\WINDOWS as disnisa.exe, writes the same registry keys and config file, and follows the same network attributes as mentioned in the previous post, but better AV coverage now that this variant's been around for a few days:

AntiVir - Worm/Zhelatin.ob
Authentium - W32/StormWorm.P
BitDefender - Trojan.Peed.IRE
CAT-QuickHeal - (Suspicious) - DNAScan
DrWeb - Trojan.Packed.263
eSafe - Suspicious File
eTrust-Vet - Win32/Sintun.AT
F-Prot - W32/StormWorm.P
F-Secure -
Kaspersky -
Microsoft - Trojan:Win32/Tibs.gen!ldr
Prevx1 - Stormy:Worm-All Variants
Symantec - Trojan.Peacomm.D
Webwasher-Gateway - Worm.Zhelatin.ob

I was further intrig…

Storm-Bot stripshow analysis

Merry Christmas from the RBN. Now on a PC near you, a stripshow from Santa's helpers. Or not.
The ISC reported the expected Storm surge Christmas eve at 0000 GMT.
hxxp:// (modified to protect the innocent) yields a hash of 2BBA62FBC3B9AF85C3C7D64A82E1237C. Once executed it immediately copies itself as disnisa.exe to C:\WINDOWS and adds a startup registry key for the same.

Current AV detection includes:
Kaspersky stripshow.exe - Email-Worm.Win32.Zhelatin.pd.
eTrust-Vet - Win32/Sintun.AT
Microsoft - Trojan:Win32/Tibs.gen!ldr
Symantec - Trojan.Peacomm.D

After a quick time check to Microsoft's time server, this variant switches immediately to very noisy P2P on a variety of ports. In addition to the ISC-recommended HTTP and email blocks for outbound to, you have to consider if you really need outbound UDP traffic above 1024. I'm a firm believer in deny all and make exceptions only via legitimate business case. If you can achieve…

SANS Top 20 contribution

I was very pleased to contribute to the SANS Top 20 this year, working under the tutelage of Rohit Dhamankar, and cooperatively with Adam Safier, specifically on the P2P section.
Each year this list brings value to the global information security community; I am proud to have participated, and look forward to contributing again next year.
Bruce Schneier offers some excellent commentary on it, as well. A slightly different view can be found at SearchSecurity.
Ultimately, although I speak for myself, I am quite certain that SANS intends for this list to provide the impetus to aid enterprises in the endless challenge of tightening their security posture.
Use it in good stead! Cheers.

Irony: incongruity between expectation and what actually occurs

Perhaps the 42 of you who read this blog might remember when, back in June, I teased my friend departing for Microsoft regarding the fact that he was taking what Popular Science considered one of the Worst Jobs in Science.
Well...last month I was invited to interview at MS, did so, was offered a job, and accepted. Some of you may find that ironic in and of itself, but imagine the change in my perception when, with Gmail account, Macbook, and Linux sticker-laden car in the parking lot, I was greeted for the interview loop with a technical acuity and respectful openness I'd not seen the likes of before.
Suffice it to say, that this is a business that gives security more due than any I've ever worked for, from the perspective of the consumer and the company. No, I didn't drink the Kool-Aid.
Call me contradictory if you will, but I am thrilled to be here. If this is the 6th Worst Job in Science, the folks at Popular Science may be smoking the very whale poo referred to in the 10…

RAPIER 3.2 update - QA testers invited

Joe S. from the RAPIER project has been working diligently, and version 3.2 is ready for some serious QA testing.
Please download the client and server versions and give them a try.
Ideally, join the project and leave feedback and ideas as you see fit.
The presentation including RAPIER as part of a larger discussion on malcode analysis at the SecureWorld Expo is available here.
An earlier article on version 3.1 is available here.

People in Glass Countries Should not Throw Hackers

As a good friend of mine today said, "Oh, the tears of the wounded."
A senior Chinese official today "accused foreign intelligence agencies of causing "massive and shocking" damage to China by hacking into computers to ferret out political, military and scientific secrets." See Washington Post article here.
Of all the countries...puhlease. The country that defined nation-state internet espionage? The country of origin for hacker groups that best utilize targeted zero-day attacks against Microsoft products? The country of origin for IP blocks bloating firewall and IDS logs that I have reviewed at regular intervals for different businesses and interests for years? China, China, China.
And yet, "when the reports about Chinese hacking surfaced early this month, the Chinese Foreign Ministry roundly denied them, saying China would never resort to such tactics."
Right. Here's a reality check: everyone does it. "Most advanced militaries, as part …

Spyware mill Zango strikes out...again

In their relentless pursuit of legitimacy, Zango had sued Kaspersky Lab "to force the company to reclassify Zango's programs as "non-threatening" and to prevent Kaspersky's security software from blocking Zango's programs."

Zango just doesn't get it. The simple fact that everything Zango "offers" is spyware is indisputable. Why can't they just embrace reality? It's very much like Darl McBride and SCO's claim that they "own" Linux. Pure twaddle. That Zango might actually have a legitimate software offering is pure twaddle.

So, when "the U.S. District Court for the Western District of Washington ruled in favor of Kaspersky Lab, granting the security company immunity from liability in a suit filed by Zango" the Best Damn Spyware Company swung and missed again. I recall chuckling for hours when Zango founder Daniel Todd decided to step down last month, and Zango tried to spin it like it was news, and that Todd…

Another spammer bites the dust, again...

First, huge fines in the millions in January 2006 and then, well deserved jail time. It was with great pleasure that I read of the 30 year sentence received by Christopher “Rizler” Smith. US District Judge Michael Davis put away a man who was not only one of the Internet's most significant annoyances, but he was a complete @$$4073 to boot.
I can only hope this bodes well for the prosecution in the pending trial and sentencing of Robert Soloway in January 2008.

Notorious spammer Christopher “Rizler” Smith was sentenced to 30 years in prison by a federal judge on Wednesday.

US District Judge Michael Davis called Smith a “drug kingpin” before throwing the book at him. Smith was convicted on charges of conspiracy, illegal distribution of drugs, money laundering and operating a continuing criminal enterprise.

The Minneapolis Star Tribune reports that the judge was somewhat hesitant about the length of the prison term recommended by sentencing guidelines, but in the end, decided it was rea…

The Breach Blog: What Have We Come To?

SC Magazine recently put The Breach Blog on line, a veritable wall of shame for almost daily information breaches. You'll find gems like the Bowling Green professor who kept students' personally identifiable information (PII) on his USB stick, then lost it, or the Texas A&M-Corpus Christi professor who did exactly the same thing WITH EVERY STUDENT'S PII ON THE USB STICK! The losses are consistent: lost or stolen laptops, USB sticks, and backup tapes, along with the occasional server administration meltdown or ye good olde hack.
What's it going to take to convince universities to implement better policies and practices such as USB device management, including encryption and approved devices only?
When will Ohio state government managers realize that the intern you're paying $10.50 an hour is not the ideal caretaker for an unencrypted backup tape containing the PII of all 64,467 state employees?
Say it with me, people. Encryption. Best practices. Policy. Standards. Easier sa…

The Worst Jobs in Science - Number 6: Microsoft Security Grunt

As a now former co-worker stopped by my office to say farewell on his last day before joining Microsoft as a Security Program Manager, I thought to myself, "Should I tell him?" Should I let him know the sheer stature of his pending position? Should I advise him of the esteem held for his security staff peers in the Redmond ranks? After all, Popular Science's July 2007 edition had just put it all in perspective. Number 6 on the list of 2007's Worst Jobs in Science is Microsoft Security Grunt, described as "Like wearing a big sign that reads 'Hack Me'." You just can't win with press like that. For your consideration:

The people manning secure@microsoft.com receive approximately 100,000 dings a year, each one a message that something in the Microsoft empire may have gone terribly wrong. Teams of Microsoft Security Response Center employees toil 365 days a year to fix the kinks in Windows, Internet Explorer, Office and all the behemoth's other produ…

Zango sues PC Tools, therapy suggested

Denial is a powerful tool in the arsenal of companies who refuse to accept who they are. Much like individuals in denial, the illusions of grandeur or the premise of being something they are not is pervasive. These situations often require therapy, so let's begin.
Such is the case with Zango, who this week decided to sue PC Tools for $35 million, based on the pretense that their "software" isn't spyware and is thus being wrongly removed by PC Tools' Spyware Doctor.
Here's where reality sets in: Hey Zango! YOU ARE SPYWARE! YOU'VE ALWAYS BEEN SPYWARE! Rebrand yourselves all you wish. Change the name of the company. Deny the reality of the situation all you want. It won't change the simple truth.
Let's review from a technical perspective, shall we?
From BleedingEdge Threats (Bleeding Edge Snort) we find the harsh reality of the situation. Consider a few fine signature examples from Matt Jonkman and team. There are no fewer than 25!
Posted as recen…

MySQL installation for Aanval

I was recently asked if Aanval could be installed with a MySQL 5.0 database. Most often I've deployed on 4.x, but recently my teammate rebuilt one of our databases with quite a few sensors populating it, and it's working well with no issues. No scientific, benchmark comparisons to offer, but performance has been excellent. ISSA members can read up on Aanval and BleedingEdge Threats in March's toolsmith in ISSA Journal.

Job hunters beware - "Please, pay Your attention!"

Sunday mornings are always fun for a bit of analysis, and my inbox greeted me readily. According to the little joyfest I received this morning, "because of our system has great changes, you have to install certificated utility (click here) to be able to use database."
Not only have the content writers at Monster lost their mastery of written English (" company greets you Russ McRee.") but they've got a new tool I wasn't aware of, namely servicetool2.exe.
All kidding aside, this is an interesting binary. Upon execution, the original file is cleaned up, and a directory called wsnpoem is dropped in system32 along with ntos.exe. This is now ancient history by malware standards (November 2006) but it remains worthy of a few comments.
1) A fantastic writeup on the original binary can be found at Secure Science Corporation:
2) The attributes remain consistent with the SSC …

Updates on RAPIER 3.1

February's toolsmith in ISSA Journal covers RAPIER 3.1, the Rapid Assessment & Potential Incident Examination Report from Joe Schwendt and Steve Mancini of Intel. See toolsmith if you're an ISSA member.
One of the minor issues that recently popped up around keeping the RAPIER 3.1 install current is changes to ClamAV, where the new installation forces a C:\Program Files\ClamAV hierarchy. This is, of course, problematic for RAPIER, which is designed to be portable and not hierarchy dependent.
The version here solves the issue, so long as you have the Visual Studio 2005 DLLs.
Email me at holisticinfosec at gmail dot com if you need files or have questions.


Starting with October's issue of the ISSA Journal, I've been contributing a monthly column called toolsmith. It's afforded me the opportunity to spend more time with excellent infosec tools, an effort I enjoy immensely.
I'd like to mention a few projects here that I've written on or will be soon that you should take a look at, if you haven't already.

1) IDS Policy Manager v.2
"IDS Policy Manager was written to manage SNORT® IDS sensors in a distributed environment."
"Intel(R) Regimented Potential Incident Examination Report (RPIER) is a 1st handlers tool used to obtain volatile information from Windows OS computer systems."
3) Helix 1.8
"Helix focuses on Incident Response & Forensics tools. It is meant to be used by individuals who have a sound understanding of Incident Response and Forensic techniques."
4) BackTrack v.2…