Thursday, December 27, 2007

Storm keeps coming (4th variant)

They just keep coming...this one is very similar to the 3rd variant we reviewed, but some changes are apparent.
1) Hash: 1f362ad74d62262bff6bcb1d078cbf7d
2) Aside from yet again changing the domain and binary, the hidden files written upon execution are as follows:

Helios Rootkit Detector
Scanning File System For Hidden Files

[*] Scanning Drive C
1 C:\WINDOWS\system32\bldy.config Hidden From API
2 C:\WINDOWS\system32\bldy3a80-61.sys Hidden From API
Execute Duration (in seconds)=18

Loaded Drivers:
Driver File Company Name Description

Kernel31 Api Log
***** Installing Hooks *****
4012d8 CreateFileA(C:\WINDOWS\System32\bldy.config)
40117f CreateFileA(C:\WINDOWS\System32\bldy3a80-61.sys)

WatchDir Initilized OK
Watching C:\WINDOWS
Created: C:\WINDOWS\system32\bldy.config
Modifed: C:\WINDOWS\system32\bldy.config
Modifed: C:\WINDOWS\system32
Created: C:\WINDOWS\system32\bldy3a80-61.sys
Modifed: C:\WINDOWS\system32\bldy3a80-61.sys

Better AV coverage again:

AntiVir - TR/Crypt.XDR.Gen
Authentium - W32/Dropper.gen6
Avast - Win32:Zhelatin-ASX
AVG - Dropper.Generic.TLX
BitDefender - Trojan.Peed.IRG
ClamAV - Trojan.Peed-66
DrWeb - Trojan.Spambot.2386
Fortinet - W32/Tibs.G@mm
F-Prot - W32/Dropper.gen6
F-Secure -
Kaspersky -
NOD32v2 - Win32/Nuwar.BA
Panda - Suspicious file
Prevx1 - Stormy:Worm-All Variants
Sophos - Mal/Dorf-H
Symantec - Trojan.Peacomm
VirusBuster - Trojan.DR.Zhelatin.AS
Webwasher-Gateway - Trojan.Crypt.XDR.Gen

Aside from the inherent value of keeping an eye on the ISC Diary, please refer to the US-CERT alert.
They'll keep coming, we'll keep watching.

Wednesday, December 26, 2007

Holiday Storm Part 3

I know, I know...enough already. But our Storm friends have changed the game a bit for the third round, as discussed on the ISC Diary, in particular Update 3. The changed domain and binary name led me to ponder what else has changed. So...
1) New hash: BE22F894AC662C905C37CEFDE66DE065
2) Better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?). No more hanging out in the open, easily seen.
The Helios Rootkit Detector, now included in RAPIER, discovered darker voodoo than the last two versions:

Scanning File System For Hidden Files
[*] Scanning Drive C
1 C:\WINDOWS\system32\cleanmgr.exe Hidden From API
2 C:\WINDOWS\system32\clean.config Hidden From API
3 C:\WINDOWS\system32\clean6c9-3320.sys Hidden From API
4 C:\WINDOWS\system32\dllcache\cleanmgr.exe Hidden From API

SysAnalyzer says:

Loaded Drivers:
Driver File Company Name Description

Kernel31 Api Log
***** Installing Hooks *****
4012c1 CreateFileA(C:\WINDOWS\System32\clean.config)
40117f CreateFileA(C:\WINDOWS\System32\clean6c9-3320.sys)

WatchDir Initilized OK
Watching C:\WINDOWS
Created: C:\WINDOWS\system32\clean.config
Modifed: C:\WINDOWS\system32\clean.config
Modifed: C:\WINDOWS\system32\config\system.LOG
Modifed: C:\WINDOWS\system32
Created: C:\WINDOWS\system32\clean6c9-3320.sys
Modifed: C:\WINDOWS\system32\clean6c9-3320.sys

3) AV coverage is further improved for this version:

AntiVir - TR/Rootkit.Gen
Authentium - W32/StormWorm.R
Avast - Win32:Zhelatin-ASX
AVG - Dropper.Generic.TLF
BitDefender - DeepScan:Generic.Malware.FMH@mmign.55A134E9
ClamAV - Trojan.Zhelatin
DrWeb - Trojan.Spambot.2387
Fortinet - W32/Tibs.G@mm
F-Prot - W32/StormWorm.R
F-Secure -
Ikarus - Virus.Win32.Zhelatin.ASX
Kaspersky -
Microsoft - Backdoor:WinNT/Nuwar.B!sys
NOD32v2 - Win32/Fuclip.AW
Panda - Suspicious file
Prevx1 - Stormy:Worm-All Variants
Sophos - Mal/Dorf-H
Webwasher-Gateway - Trojan.Rootkit.Gen

How perfectly unpleasant, making things more difficult to spot. Here's my New Year's wish for the Storm lamers. Bugger off (kept pleasant for the kids).


Malware analysis tools

I've been asked to share the tools I use for malware analysis, in particular API details.
The Malcode Analysis Software Tools from iDefense Labs are extremely useful. toolsmith featured the suite in the July 2007 column.
API-Logger can be used as a standalone tool or you can run the .exe through SysAnalyzer which includes API-Logger output.
Other important pieces in my sandbox included VMWare Server (Linux host, Windows VMs), PE Explorer, RAPIER 3.2, Wireshark, Mandiant Red Curtain (MRC), and the Systinternals tools.
Check the toolsmith page for articles on Wireshark, MRC, and RAPIER use as well.
Required reading from the "The Godfather of RE", Lenny Zeltser, includes his Reverse Engineering Malware paper.

Tuesday, December 25, 2007

New Years Storm deja vu

Not content to settle for all the new bots they got for Christmas, the RBN would like to wish you a Happy New Year as well with hxxp://
New hash, 5bb3606d36019142507043f30401c5d2, same malware as that we received when we fell for the Christmas strip show they offered us ;-).
Again, it copies itself to C:\WINDOWS as disnisa.exe, writes the same registry keys and config file, and follows the same network attributes as mentioned in the previous post, but AV coverage is better now that this variant's been around for a few days:

AntiVir - Worm/Zhelatin.ob
Authentium - W32/StormWorm.P
BitDefender - Trojan.Peed.IRE
CAT-QuickHeal - (Suspicious) - DNAScan
DrWeb - Trojan.Packed.263
eSafe - Suspicious File
eTrust-Vet - Win32/Sintun.AT
F-Prot - W32/StormWorm.P
F-Secure -
Kaspersky -
Microsoft - Trojan:Win32/Tibs.gen!ldr
Prevx1 - Stormy:Worm-All Variants
Symantec - Trojan.Peacomm.D
Webwasher-Gateway - Worm.Zhelatin.ob

I was further intrigued by the name they chose for the .exe, in particular, disnisa. It appears it was, or is, the name of a wine and spirits import company in Nicaragua, importer of Heineken, Chivas Regal, Cuervo, Concha y Toro, and Moet & Chandon. Is there a correlation given the time of year? Who knows.
Happy New Year from disnisa. Drink the product (responsibly), but don't open the ecard. ;-)


Sunday, December 23, 2007

Storm-Bot stripshow analysis

Merry Christmas from the RBN. Now on a PC near you, a stripshow from Santa's helpers. Or not.
The ISC reported the expected Storm surge Christmas eve at 0000 GMT.
hxxp:// (modified to protect the innocent) yields a hash of 2BBA62FBC3B9AF85C3C7D64A82E1237C. Once executed it immediately copies itself as disnisa.exe to C:\WINDOWS and adds a startup registry key for the same.

Current AV detection includes:
Kaspersky stripshow.exe - Email-Worm.Win32.Zhelatin.pd.
eTrust-Vet - Win32/Sintun.AT
Microsoft - Trojan:Win32/Tibs.gen!ldr
Symantec - Trojan.Peacomm.D

After a quick time check to Microsoft's time server, this variant switches immediately to very noisy P2P on a variety of ports. In addition to the ISC-recommended HTTP and email blocks for outbound to, you have to consider if you really need outbound UDP traffic above 1024. I'm a firm believer in deny all and make exceptions only via legitimate business case. If you can achieve such lockdown, even though your hosts may suffer infection, they won't be communicating with their friends and neighbors.
From API analysis we see a few interesting tidbits:

w32tm /config /update
403014 Copy(c:\malware\stripshow.exe->C:\WINDOWS\disnisa.exe)
77e6bc59 WriteFile(h=7a0)
403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
402ba0 WinExec(w32tm /config /syncfromflags:manual /,,100)
77e7d0b7 WaitForSingleObject(788,64)
402ba8 WinExec(w32tm /config /update,100)
40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
71ab52c6 LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71a5716a LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71aa14eb GlobalAlloc()
40da1b bind(8c, port=26790)
77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
40a262 WaitForSingleObject(d4,2710)

Nice, do a little time sync, allow ourselves through the firewall, then bind, listen, and wait.
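The sequence above (self-copy, Run key, netsh firewall exception, bind/listen on high ports) is exactly what an analyst wants a script to pull out of an API-Logger trace automatically. The following is an added example, not code from the original post or from the iDefense tools; the trace is constructed from the lines quoted above, and the indicator names and verdict thresholds are this example's own.

```python
"""Triage of an API-Logger trace from the iDefense Malcode Analysis Software Tools.

Added example, not code from the original post or from iDefense. It scores the
behaviours the post walks through: a self-copy into C:\\WINDOWS, a Run-key
persistence entry, a `netsh firewall set allowedprogram` exception, and a
bind/listen on a high port. The trace below is constructed from the lines quoted
in the post; indicator names and the verdict rule are this example's own.
"""
import re

# Constructed sample trace in API-Logger's "<return addr> <API>(<args>)" format.
SAMPLE_TRACE = r"""
402ba0 WinExec(w32tm /config /syncfromflags:manual /,,100)
403014 Copy(c:\malware\stripshow.exe->C:\WINDOWS\disnisa.exe)
403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
402ba8 WinExec(w32tm /config /update,100)
40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
40da1b bind(8c, port=26790)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
"""

LINE_RE = re.compile(r"^\s*([0-9a-f]+)\s+(\w+)\s*\((.*)\)\s*$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)
SELF_COPY_RE = re.compile(r"->(C:\\WINDOWS\\[^\\,]+)$", re.IGNORECASE)
FIREWALL_RE = re.compile(r'netsh\s+firewall\s+set\s+allowedprogram\s+"([^"]+)"', re.IGNORECASE)
PORT_RE = re.compile(r"port=(\d+)")


def parse_trace(text):
    """Return a list of (return_address, api_name, argument_string) tuples."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append((m.group(1), m.group(2), m.group(3)))
    return calls


def triage(calls):
    """Walk the trace in order and collect (indicator, detail) findings."""
    findings = []
    run_key_open = False  # RegSetValueExA only counts right after the Run key is opened
    for _addr, api, args in calls:
        api = api.lower()
        if api == "copy":
            m = SELF_COPY_RE.search(args)
            if m:
                findings.append(("self_copy_to_windir", m.group(1)))
        elif api == "regopenkeyexa":
            run_key_open = bool(RUN_KEY_RE.search(args))
        elif api == "regsetvalueexa" and run_key_open:
            findings.append(("run_key_persistence", args.strip()))
            run_key_open = False
        elif api == "winexec":
            m = FIREWALL_RE.search(args)
            if m:
                findings.append(("firewall_exception", m.group(1)))
        elif api == "bind":
            m = PORT_RE.search(args)
            if m and int(m.group(1)) > 1024:
                findings.append(("high_port_bind", int(m.group(1))))
    return findings


def verdict(findings):
    """Persistence + firewall hole + listener is the Storm pattern the post describes."""
    kinds = {kind for kind, _ in findings}
    if {"run_key_persistence", "firewall_exception", "high_port_bind"} <= kinds:
        return "bot-like"
    return "suspicious" if kinds else "clean"


if __name__ == "__main__":
    found = triage(parse_trace(SAMPLE_TRACE))
    for kind, detail in found:
        print(f"{kind:22s} {detail}")
    print("verdict:", verdict(found))
```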
First, add another registry entry,

0cd2d RegCreateKeyExA (HKLM\Software\Microsoft\Windows\ITStorage\Finders,)

then start connecting:

71a54cee LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
77e7ac53 CreateRemoteThread(h=ffffffff, start=71a519c4)
40d9f1 connect( )
40d9f1 connect( )
40d9f1 connect( )
40d9f1 connect( )
40d9f1 connect( )
40d9f1 connect( )
40d9f1 connect( )
40d9f1 connect( )
40d9f1 connect( )
40d9f1 connect( )

Once this little bugger hits the network, expect flood-like traffic.
My infected sandbox victim exhausted my 1.5 Mb DSL connection instantly, in part from a ton of inbound responses from peers being logged at my firewall:

SRC= DST= LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=59178 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC= DST= LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=60978 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC= DST= LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=4987 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC= DST= LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=6619 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC= DST= LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=13762 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC= DST= LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=18384 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC= DST= LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=19891 PROTO=UDP SPT=24045 DPT=26790 LEN=33
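Two checks that follow from the log lines above and from the egress advice earlier in the post, as an added example that is not code from the original post. The log lines are constructed in the same netfilter format, with RFC 5737 documentation addresses standing in for the peers and for the sandbox host (192.0.2.10, an assumption), and the UDP exception list is an assumed business-case whitelist.

```python
"""Two checks over netfilter-style firewall log lines for Storm-like P2P traffic.

Added example, not code from the original post. The lines are constructed in the
format the post quotes (SRC= DST= ... PROTO=UDP SPT= DPT=), with RFC 5737
documentation addresses for the peers and for the sandbox host 192.0.2.10
(assumption). It implements the two points the post makes: flag a burst of
inbound UDP to one high port from many distinct peers, and apply a deny-all
egress policy with business-case exceptions only.
"""
import re
from collections import defaultdict

KV_RE = re.compile(r"(\w+)=(\S*)")
LOCAL_NET = "192.0.2."                   # assumption: the sandbox LAN prefix
EGRESS_ALLOW_UDP = {53, 123, 500, 4500}  # assumption: DNS, NTP, IPsec as the only exceptions

# Constructed log: five peer responses to the bot's 26790 listener, two outbound
# P2P probes, and two legitimate outbound DNS/NTP datagrams.
SAMPLE_LOG = """\
SRC=198.51.100.7 DST=192.0.2.10 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=59178 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=198.51.100.23 DST=192.0.2.10 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=60978 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=203.0.113.88 DST=192.0.2.10 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=4987 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=203.0.113.5 DST=192.0.2.10 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=6619 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=198.51.100.77 DST=192.0.2.10 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=13762 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=192.0.2.10 DST=198.51.100.200 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=26790 DPT=24045 LEN=56
SRC=192.0.2.10 DST=198.51.100.201 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=26790 DPT=7018 LEN=56
SRC=192.0.2.10 DST=203.0.113.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=5123 DPT=53 LEN=40
SRC=192.0.2.10 DST=203.0.113.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=5124 DPT=123 LEN=40
"""


def parse_line(line):
    """Turn one 'KEY=value KEY=value ...' log line into a dict.

    LEN appears twice (IP total length, then UDP length); the first wins.
    """
    fields = {}
    for key, val in KV_RE.findall(line):
        fields.setdefault(key, val)
    return fields


def _is_inbound(f):
    return f.get("DST", "").startswith(LOCAL_NET) and not f.get("SRC", "").startswith(LOCAL_NET)


def _is_outbound(f):
    return f.get("SRC", "").startswith(LOCAL_NET) and not f.get("DST", "").startswith(LOCAL_NET)


def peer_fan_in(lines, min_sources=4):
    """Map (local host, high UDP port) -> sorted peers, for ports hit by >= min_sources peers.

    Many distinct sources answering one unprivileged port is the fingerprint of
    the peer responses that flooded the post's DSL link.
    """
    sources = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f.get("PROTO") != "UDP" or not _is_inbound(f):
            continue
        dport = int(f["DPT"])
        if dport > 1024:
            sources[(f["DST"], dport)].add(f["SRC"])
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}


def egress_violations(lines):
    """Outbound UDP that a deny-all-with-exceptions policy would have dropped."""
    dropped = []
    for line in lines:
        f = parse_line(line)
        if f.get("PROTO") != "UDP" or not _is_outbound(f):
            continue
        dport = int(f["DPT"])
        if dport not in EGRESS_ALLOW_UDP:
            dropped.append((f["SRC"], f["DST"], dport))
    return dropped


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (host, port), peers in peer_fan_in(lines).items():
        print(f"{host}:{port} answered by {len(peers)} distinct peers")
    for src, dst, port in egress_violations(lines):
        print(f"egress policy would drop {src} -> {dst}:{port}/udp")
```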

At last, the peer list referred to by the ISC, written to C:\WINDOWS (many more entries not included):


There's nothing new or exciting here: spam component, headless P2P, seasonal social engineering, fast flux, and other pervasively annoying attributes.
User awareness, as always, is your strongest defense.
Cheers and happy holidays, except for you RBN a$$h0735.


Monday, December 03, 2007

SANS Top 20 contribution

I was very pleased to contribute to the SANS Top 20 this year, working under the tutelage of Rohit Dhamankar, and cooperatively with Adam Safier, specifically on the P2P section.
Each year this list brings value to the global information security community, I am proud to have participated, and look forward to contributing again next year.
Bruce Schneier offers some excellent commentary on it, as well. A slightly different view can be found at SearchSecurity.
Ultimately, although I speak for myself, I am quite certain that SANS intends for this list to provide the impetus to aid enterprises in the endless challenge of tightening their security posture.
Use it in good stead! Cheers.

Wednesday, November 21, 2007

Irony: incongruity between expectation and what actually occurs

Perhaps the 42 of you who read this blog might remember when, back in June, I teased my friend departing for Microsoft regarding the fact that he was taking what Popular Science considered one of the Worst Jobs in Science.
Well...last month I was invited to interview at MS, did so, was offered a job, and accepted. Some of you may find that ironic in and of itself, but imagine the change in my perception when, with Gmail account, Macbook, and Linux sticker-laden car in the parking lot, I was greeted for the interview loop with a technical acuity and respectful openness I'd not seen the likes of before.
Suffice it to say, that this is a business that gives security more due than any I've ever worked for, from the perspective of the consumer and the company. No, I didn't drink the Kool-Aid.
Call me contradictory if you will, but I am thrilled to be here. If this is the 6th Worst Job in Science, the folks at Popular Science may be smoking the very whale poo referred to in the 10th Worst Job in Science.

Monday, October 29, 2007

RAPIER 3.2 update - QA testers invited

Joe S. from the RAPIER project has been working diligently, and version 3.2 is ready for some serious QA testing.
Please download the client and server versions and give them a try.
Ideally, join the project and leave feedback and ideas as you see fit.
The presentation including RAPIER as part of a larger discussion on malcode analysis at the SecureWorld Expo is available here.
An earlier article on version 3.1 is available here.

Wednesday, September 12, 2007

People in Glass Countries Should not Throw Hackers

As a good friend of mine today said, "Oh, the tears of the wounded."
A senior Chinese official today "accused foreign intelligence agencies of causing "massive and shocking" damage to China by hacking into computers to ferret out political, military and scientific secrets." See Washington Post article here.
Of all the countries...puhlease. The country that defined nation-state internet espionage? The country of origin for hacker groups that best utilize targeted zero-day attacks against Microsoft products? The country of origin for IP blocks bloating firewall and IDS logs that I have reviewed at regular intervals for different businesses and interests for years? China, China, China.
And yet, "when the reports about Chinese hacking surfaced early this month, the Chinese Foreign Ministry roundly denied them, saying China would never resort to such tactics."
Right. Here's a reality check: everyone does it. "Most advanced militaries, as part of their effort to gain the ability to protect their own computer systems and disable those of adversaries, are believed to have an active information warfare program."
Welcome to the modern age of warfare and espionage.
People in glass countries should not throw hackers.


Thursday, September 06, 2007

Spyware mill Zango strikes out...again

In their relentless pursuit of legitimacy, Zango had sued Kaspersky Lab "to force the company to reclassify Zango's programs as "non-threatening" and to prevent Kaspersky's security software from blocking Zango's programs."

Zango just doesn't get it. The simple fact that everything Zango "offers" is spyware is indisputable. Why can't they just embrace reality? It's very much like Darl McBride and SCO's claim that they "own" Linux. Pure twaddle. That Zango might actually have a legitimate software offering is pure twaddle.

So, when "the U.S. District Court for the Western District of Washington ruled in favor of Kaspersky Lab, granting the security company immunity from liability in a suit filed by Zango" the Best Damn Spyware Company swung and missed again. I recall chuckling for hours when Zango founder Daniel Todd decided to step down last month, and Zango tried to spin it like it was news, and that Todd's contributions to Internet society were extraordinary. Oh, the illusions of grandeur. All the rebranding, repositioning, and regurgitating in the world won't change the facts: Zango is a spyware company.
And I have to look at them everyday, right across I90.

Quoth Bill the Cat..."Thbbbt!"


Tuesday, August 07, 2007

Another spammer bites the dust, again...

First, huge fines in the millions in January 2006 and then, well-deserved jail time. It was with great pleasure that I read of the 30 year sentence received by Christopher “Rizler” Smith. US District Judge Michael Davis put away a man who was not only one of the Internet's most significant annoyances, but he was a complete @$$4073 to boot.
I can only hope this bodes well for the prosecution in the pending trial and sentencing of Robert Soloway in January 2008.

Notorious spammer Christopher “Rizler” Smith was sentenced to 30 years in prison by a federal judge on Wednesday.

US District Judge Michael Davis called Smith a “drug kingpin” before throwing the book at him. Smith was convicted on charges of conspiracy, illegal distribution of drugs, money laundering and operating a continuing criminal enterprise.

The Minneapolis Star Tribune reports that the judge was somewhat hesitant about the length of the prison term recommended by sentencing guidelines, but in the end, decided it was reasonable.

Smith hasn’t exactly been a darling to the court system. In addition to fleeing justice abroad, he didn’t exactly make pals with the prosecution by issuing a death threat to the children of a witness in the case.

Smith was nabbed in 2005 after stepping off a flight from the Dominican Republic, where he had been operating after a federal judge shut down his Minneapolis-based spamming operation. He had fled there, allegedly using a false passport, just four days after appearing in federal court to face charges. While in the Dominican Republic, he even withdrew money that had been frozen by a previous court order.

Well done, Judge Davis!


Thursday, July 05, 2007

The Breach Blog: What Have We Come To?

SC Magazine recently put The Breach Blog online, a veritable wall of shame for almost daily information breaches. You'll find gems like the Bowling Green professor who kept students' personally identifiable information (PII) on his USB stick, then lost it, or the Texas A&M-Corpus Christi professor who did exactly the same thing WITH EVERY STUDENT'S PII ON THE USB STICK! The losses are consistent: lost or stolen laptops, USB sticks, and backup tapes, along with the occasional server administration meltdown or ye good olde hack.
What's it going to take to convince universities to implement better policies and practices such as USB device management, including encryption and approved devices only?
When will Ohio state government managers realize that the intern you're paying $10.50 an hour is not the ideal caretaker for an unencrypted backup tape containing the PII of all 64,467 state employees?
Say it with me, people. Encryption. Best practices. Policy. Standards. Easier said than done, I know. But here are the simple facts. We are data custodians. Management, systems administrators, security analysts...we are all data custodians, and we must take better care of the information we manage. It's not our information. It belongs to our students, our customers, our veterans.
"First, do no harm." Failure to protect the information in our care is doing harm, as much as the criminal who stole it.
Kudos to SC for The Breach Blog, but it's a shame we even need it.


Friday, June 22, 2007

The Worst Jobs in Science - Number 6: Microsoft Security Grunt

As a now former co-worker stopped by my office to say farewell on his last day before joining Microsoft as a Security Program Manager, I thought to myself, "Should I tell him?" Should I let him know the sheer stature of his pending position? Should I advise him of the esteem held for his security staff peers in the Redmond ranks? After all, Popular Science's July 2007 edition had just put it all in perspective. Number 6 on the list of 2007's Worst Jobs in Science is Microsoft Security Grunt, described as "Like wearing a big sign that reads 'Hack Me'." You just can't win with press like that. For your consideration:

The people manning secure@microsoft .com receive approximately 100,000 dings a year, each one a message that something in the Microsoft empire may have gone terribly wrong. Teams of Microsoft Security Response Center employees toil 365 days a year to fix the kinks in Windows, Internet Explorer, Office and all the behemoth’s other products. It’s tedious work. Each product can have multiple versions in multiple languages, and each needs its own repairs (by one estimate, Explorer alone has 300 different configurations). Plus, to most hackers, crippling Microsoft is the geek equivalent of taking down the Death Star, so the assault is relentless. According to the SANS Institute, a security research group, Microsoft products are among the top five targets of online attack. Meanwhile, faith in Microsoft security is ever-shakier—according to one estimate, 30 percent of corporate chief information officers have moved away from some Windows platforms in recent years. “Microsoft is between a rock and a hard place,” says Marcus Sachs, the director of the SANS Internet Storm Center. “They have to patch so much software on a case-by-case basis. And all in a world that just doesn’t have time to wait.”

But after all, workplace etiquette got the best of me, and I simply wished my departing teammate best wishes and good luck. Both of which he'll need in his new endeavor. The worst job in science indeed...


Friday, May 18, 2007

Zango sues PC Tools, therapy suggested

Denial is a powerful tool in the arsenal of companies who refuse to accept who they are. Much like individuals in denial, the illusions of grandeur or the premise of being something they are not is pervasive. These situations often require therapy, so let's begin.
Such is the case with Zango, who this week decided to sue PC Tools for $35 million, based on the pretense that their "software" isn't spyware and is thus being wrongly removed by PC Tools' Spyware Doctor.
Here's where reality sets in: Hey Zango! YOU ARE SPYWARE! YOU'VE ALWAYS BEEN SPYWARE! Rebrand yourselves all you wish. Change the name of the company. Deny the reality of the situation all you want. It won't change the simple truth.
Let's review from a technical perspective, shall we?
From BleedingEdge Threats (Bleeding Edge Snort) we find the harsh reality of the situation. Consider a few fine signature examples from Matt Jonkman and team. There are no fewer than 25!
Posted as recently as April 23, 2007 we find:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Zango Spyware (tbrequest data post)"; flow: to_server,established; uricontent:"/tbrequest"; nocase; uricontent:"&q="; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,
adware.180search.html; classtype: trojan-activity; sid: 2003610; rev:1;)

We'll cover the fundamentals here. flow:to_server,established means that we're monitoring traffic as it leaves the client to report back to your server. Not unlike spyware, yes? And if I'm not mistaken, a tbRequest.add to a PHP platform is a POST. What might we be posting? User profiles perhaps, so you can invade their privacy and feed them BS? I think so.
Why not take a look at the reference URL as well:
Why would our friends at Symantec label you a medium risk as adware and eradicate you in their definitions? Hmm...I can hear your crack legal team warming up the machinations of litigation once more. Oh wait, they sued you (or at least Hotbar) a few years back. Never mind.
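To make the rule's mechanics concrete, here is an added example (not code from the original post, Bleeding Edge, or Snort) that parses the rule's option body and applies its URI tests to constructed request URIs. It honours the semantics discussed above: each nocase modifies only the uricontent before it, and a pcre with the U flag runs against the URI buffer. The reference URL is elided in the post and appears as a placeholder; flow:to_server,established is assumed to have been satisfied by the caller.

```python
"""Evaluating the Bleeding Edge Zango rule's URI tests against sample requests.

Added example, not code from the original post or from the Bleeding Edge / Snort
projects. It parses the rule's option body, honours the Snort semantics the post
explains (each `nocase` modifies only the `uricontent` before it; a `pcre` with
the U flag runs on the URI buffer), and applies those tests to constructed
request URIs. The reference URL is elided in the post and is a placeholder here;
flow:to_server,established is assumed to have been matched by the caller.
"""
import re

ZANGO_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg: "BLEEDING-EDGE MALWARE Zango Spyware (tbrequest data post)"; '
    'flow: to_server,established; uricontent:"/tbrequest"; nocase; '
    'uricontent:"&q="; nocase; pcre:"/\\/tbrequest\\d+\\.php/Ui"; '
    'reference:url,ELIDED-IN-POST/adware.180search.html; '  # placeholder for the elided URL
    'classtype: trojan-activity; sid: 2003610; rev:1;)'
)

# One option: name, optional ':' value (quoted with escapes, or up to ';'), then ';'.
OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule_options(rule):
    """Return the rule's option body as an ordered list of (name, value) pairs."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")].strip()
    opts, pos = [], 0
    while pos < len(body):
        m = OPT_RE.match(body, pos)
        if not m:
            raise ValueError(f"cannot parse option at: {body[pos:pos + 30]!r}")
        name, val = m.group(1), m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]  # strip the quotes, keep backslash escapes for pcre
        opts.append((name, val))
        pos = m.end()
    return opts


def compile_uri_matchers(opts):
    """Build URI-buffer tests: ('uricontent', needle, nocase) or ('pcre', regex, None)."""
    matchers = []
    for i, (name, val) in enumerate(opts):
        if name == "uricontent":
            nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
            matchers.append(("uricontent", val, nocase))
        elif name == "pcre":
            pattern, flags = val[1:].rsplit("/", 1)  # Snort form: /pattern/flags
            if "U" in flags:  # only URI-buffer pcres belong in this evaluator
                matchers.append(("pcre", re.compile(pattern, re.I if "i" in flags else 0), None))
    return matchers


def uri_matches(uri, matchers):
    """True when every uricontent and URI pcre test in the rule holds for this URI."""
    for kind, needle, nocase in matchers:
        if kind == "uricontent":
            hay, n = (uri.lower(), needle.lower()) if nocase else (uri, needle)
            if n not in hay:
                return False
        elif not needle.search(uri):
            return False
    return True


# Constructed request URIs; only the first two are the tbrequest posts the rule targets.
SAMPLE_URIS = [
    "/tbrequest3.php?a=1&q=profile",
    "/TBREQUEST12.PHP?x=1&Q=abc",
    "/tbrequest.php?&q=1",
    "/search?q=tbrequest",
]


def matching_uris(uris=SAMPLE_URIS, rule=ZANGO_RULE):
    """Return the URIs that would fire the rule's URI tests."""
    m = compile_uri_matchers(parse_rule_options(rule))
    return [u for u in uris if uri_matches(u, m)]


if __name__ == "__main__":
    for uri in matching_uris():
        print("ALERT sid:2003610", uri)
```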
But let's get back on track.
Instead of spending $35 million to sue PC Tools, keep your hard-earned money and spend a bit of time working on corporate morale and an enterprise-wide reality check. Embrace who you are. Accept that you are part of the "series of tubes" that is the Internet, and that you are knowingly filling those tubes. I'd go so far as to suggest hiring corporate counselors (not the legal kind) to aid your staff in accepting reality. I'd even go so far as to invite Senator Ted Stevens to come for a day to rally the troops thus: "The Internet is not something you just dump something on. It's not a big truck. It's a series of tubes. And if you don't understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and it's going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material".
Just face the truth and we'll all be better for it. Soul searching serves us well. But when that fails, rename yourselves again. I suggest Best of luck in your endeavor.


Thursday, March 29, 2007

MySQL installation for Aanval

I was recently asked if Aanval could be installed with a MySQL 5.0 database. Most often I've deployed on 4.x, but recently my teammate rebuilt one of our databases with quite a few sensors populating it, and it's working well with no issues. No scientific, benchmark comparisons to offer, but performance has been excellent. ISSA members can read up on Aanval and BleedingEdge Threats in March's toolsmith in ISSA Journal.

Sunday, March 25, 2007

Job hunters beware - "Please, pay Your attention!"

Sunday mornings are always fun for a bit of analysis, and my inbox greeted me readily. According to the little joyfest I received this morning, "because of our system has great changes, you have to install certificated utility (click here) to be able to use database."
Not only have the content writers at Monster lost their mastery of written English (" company greets you Russ McRee.") but they've got a new tool I wasn't aware of, namely servicetool2.exe.
All kidding aside, this is an interesting binary. Upon execution, the original file is cleaned up, and a directory called wsnpoem is dropped in system32 along with ntos.exe. This is now ancient history by malware standards (November 2006) but it remains worthy of a few comments.
1) A fantastic writeup on the original binary can be found at Secure Science Corporation:
2) The attributes remain consistent with the SSC write-up including audio.dll and video.dll as dropped in the wsnpoem directory, so there's really nothing new to contribute here with the following exception.
This Trojan hit the street sometime in October/November 2006. Given its behavioral attributes, it is, and should be considered, high risk; it'll steal you blind.
Do you think the AV vendor coverage has improved since SSC and Michael Ligh so capably analyzed it? Negative, Ghostrider. Symantec, McAfee, and Microsoft still don't identify it.
Others identify it rather generically, but most don't see it at all.
There's a simple lesson here. Antivirus coverage is essential, but often buys you very little in the face of emerging threats. Obviously, you can't depend on AV alone, and user awareness is worth its weight in gold. If your users don't "Click here", the bad guys don't own the machine.
Oh, were it so easy...all the users I help protect behave perfectly in the computing environment...


Wednesday, March 21, 2007

Updates on RAPIER 3.1

February's toolsmith in ISSA Journal covers RAPIER 3.1, the Rapid Assessment & Potential Incident Examination Report from Joe Schwendt and Steve Mancini of Intel. See toolsmith if you're an ISSA member.
One of the minor issues that recently popped up around keeping the RAPIER 3.1 install current is changes to ClamAV, where the new installation forces a C:\Program Files\ClamAV hierarchy. This is, of course, problematic for RAPIER, which is designed to be portable and not hierarchy dependent.
The version here solves the issue, so long as you have the Visual Studio 2005 DLLs.
Email me at holisticinfosec at gmail dot com if you need files or have questions.

Wednesday, January 03, 2007


Starting with October's issue of the ISSA Journal, I've been contributing a monthly column called toolsmith. It's afforded me the opportunity to spend more time with excellent infosec tools, an effort I enjoy immensely.
I'd like to mention a few projects here that I've written on or will be soon that you should take a look at, if you haven't already.

1) IDS Policy Manager v.2
"IDS Policy Manager was written to manage SNORT® IDS sensors in a distributed environment."
2) RPIER
"Intel(R) Regimented Potential Incident Examination Report (RPIER) is a 1st handlers tool used to obtain volatile information from Windows OS computer systems."
3) Helix 1.8
"Helix focuses on Incident Response & Forensics tools. It is meant to be used by individuals who have a sound understanding of Incident Response and Forensic techniques."
4) BackTrack v.2
"BackTrack is the result of the merging of two Innovative Penetration Testing live Linux distributions - Whax and Auditor. BackTrack has been dubbed as the best Security Live CD."

Consider giving each of these a try at your leisure, and if you're an ISSA member you can download the column relevant to each.

Moving blog to

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...