Thursday, March 29, 2007

MySQL installation for Aanval

I was recently asked if Aanval could be installed with a MySQL 5.0 database. Most often I've deployed on 4.x, but recently my teammate rebuilt one of our databases with quite a few sensors populating it, and it's working well with no issues. No scientific, benchmark comparisons to offer, but performance has been excellent. ISSA members can read up on Aanval and BleedingEdge Threats in March's toolsmith in ISSA Journal.

Sunday, March 25, 2007

Job hunters beware - "Please, pay Your attention!"

Sunday mornings are always fun for a bit of analysis, and my inbox greeted me readily. According to the little joyfest I received this morning, "because of our system has great changes, you have to install Monster.com certificated utility (click here) to be able to use monster.com database."
Not only have the content writers at Monster lost their mastery of written English ("Monster.com company greets you Russ McRee.") but they've got a new tool a wasn't aware of, namely servicetool2.exe.
All kidding aside, this is an interesting binary. Upon execution, the original file is cleaned up, and a directory called wsnpoem is dropped in system32 along with ntos.exe. This is now ancient history by malware standards (November 2006) but it remains worthy of few comments.
1) A fantastic writeup on the original binary can be found at Secure Science Corporation: http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2) The attributes remain consistent with the SSC write-up including audio.dll and video.dll as dropped in the wsnpoem directory, so there's really nothing new to contribute here with the following exception.
This Trojan hit the street sometime in October/November 2006. Given its behavioral attributes, it is, and should be considered high risk...it'll steal you blind.
Do you think the AV vendor coverage has improved since SSC and Michael Ligh so capably analyzed it? Negative, Ghostrider. Symantec, McAfee, and Microsoft still don't identify it.
Others identify it rather generically, but most don't see it at all.
There's a simple lesson here. Antivirus coverage is essential, but often buys you very little in the face of emerging threats. Obviously, you can't depend on AV alone, and user awareness is worth its weight in gold. If your users don't "Click here", the bad guys don't own the machine.
Oh, were it so easy...all the users I help protect behave perfectly in the computing environment...

Job hunters beware - Digg Job hunters beware -

Wednesday, March 21, 2007

Updates on RAPIER 3.1

February's toolsmith in ISSA Journal covers RAPIER 3.1, the Rapid Assessment & Potential Incident Examination Report from Joe Schwendt and Steve Mancini of Intel. See toolsmith if you're an ISSA member.
One of the minor issues that recently popped up around keeping the RAPIER 3.1 install current is changes to ClamAV, where the new installation forces a C:\Program Files\ClamAV hierarchy. This is, of course, problematic for RAPIER, which is designed to be portable and not hierarchy dependent.
The version here solves the issue, so long as you have the Visual Studio 2005 dll's.
Email me a holisticinfosec at gmail dot com, if you need files or have questions.