Sunday, March 25, 2007

Job hunters beware - "Please, pay Your attention!"

Sunday mornings are always fun for a bit of analysis, and my inbox greeted me readily. According to the little joyfest I received this morning, "because of our system has great changes, you have to install Monster.com certificated utility (click here) to be able to use monster.com database."
Not only have the content writers at Monster lost their mastery of written English ("Monster.com company greets you Russ McRee.") but they've got a new tool a wasn't aware of, namely servicetool2.exe.
All kidding aside, this is an interesting binary. Upon execution, the original file is cleaned up, and a directory called wsnpoem is dropped in system32 along with ntos.exe. This is now ancient history by malware standards (November 2006) but it remains worthy of few comments.
1) A fantastic writeup on the original binary can be found at Secure Science Corporation: http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf
2) The attributes remain consistent with the SSC write-up including audio.dll and video.dll as dropped in the wsnpoem directory, so there's really nothing new to contribute here with the following exception.
This Trojan hit the street sometime in October/November 2006. Given its behavioral attributes, it is, and should be considered high risk...it'll steal you blind.
Do you think the AV vendor coverage has improved since SSC and Michael Ligh so capably analyzed it? Negative, Ghostrider. Symantec, McAfee, and Microsoft still don't identify it.
Others identify it rather generically, but most don't see it at all.
There's a simple lesson here. Antivirus coverage is essential, but often buys you very little in the face of emerging threats. Obviously, you can't depend on AV alone, and user awareness is worth its weight in gold. If your users don't "Click here", the bad guys don't own the machine.
Oh, were it so easy...all the users I help protect behave perfectly in the computing environment...

Job hunters beware - Digg Job hunters beware -

No comments:

Moving blog to HolisticInfoSec.io

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...