Showing posts from March, 2007

MySQL installation for Aanval

I was recently asked if Aanval could be installed with a MySQL 5.0 database. Most often I've deployed on 4.x, but recently my teammate rebuilt one of our databases with quite a few sensors populating it, and it's working well with no issues. No scientific benchmark comparisons to offer, but performance has been excellent. ISSA members can read up on Aanval and BleedingEdge Threats in March's toolsmith in ISSA Journal.

Job hunters beware - "Please, pay Your attention!"

Sunday mornings are always fun for a bit of analysis, and my inbox greeted me readily. According to the little joyfest I received this morning, "because of our system has great changes, you have to install Monster.com certificated utility (click here) to be able to use monster.com database."
Not only have the content writers at Monster lost their mastery of written English ("Monster.com company greets you Russ McRee."), but they've got a new tool I wasn't aware of, namely servicetool2.exe.
All kidding aside, this is an interesting binary. Upon execution, the original file is cleaned up, and a directory called wsnpoem is dropped in system32 along with ntos.exe. This is now ancient history by malware standards (November 2006), but it remains worthy of a few comments.
1) A fantastic writeup on the original binary can be found at Secure Science Corporation: http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2) The attributes remain consistent with the SSC …

Updates on RAPIER 3.1

February's toolsmith in ISSA Journal covers RAPIER 3.1, the Rapid Assessment & Potential Incident Examination Report from Joe Schwendt and Steve Mancini of Intel. See toolsmith if you're an ISSA member.
One of the minor issues that recently popped up around keeping the RAPIER 3.1 install current is changes to ClamAV, where the new installation forces a C:\Program Files\ClamAV hierarchy. This is, of course, problematic for RAPIER, which is designed to be portable and not hierarchy dependent.
The version here solves the issue, so long as you have the Visual Studio 2005 dll's.
Email me at holisticinfosec at gmail dot com if you need files or have questions.