Saturday, February 05, 2011
El Jefe: The Boss Will See You Now
The February 2011 edition of the ISSA Journal includes toolsmith on the topic of El Jefe 1.1.
The boss, the big kahuna, El Jefe requires his due. From the folks at Immunity, El Jefe is a solution that intercepts native Windows API process creation calls, allowing you to track, monitor, and correlate process creation events.
Going many steps beyond tracking simple process creation, El Jefe provides a microscopic view of the binaries that are run: SHA1, PID, flags, sorted chronologically with spawned offspring while click-able for instant analysis.
You'll enjoy centralized storage; data which can be queried from the Django-based web app.
Setup is quite straightforward, making use of El Jefe equally so.
I experimented various malware types including Bifrost and Zeus on victim VMs and results were immediate.
Strings references were quickly revealed via Binary Information as seen in Figure 1.
Captured client logging includes evidence of intrusion based on suspicious entropy as seen from a Zeus infected VM in Figure 2.
I enjoyed researching El Jefe's capabilities to no end.
Well done and thanks to Immunity's Justin Seitz.
The article is posted for you here.
Speaking of things Zeus related, I'm presenting Malware-Proof: Building Resistant Web Applications at the RSA 2011 eFraud Network Forum (invitation only). See you there if you happen to be a signed-up attendee.
Enjoy and cheers.
del.icio.us | digg | Submit to Slashdot
Please support the Open Security Foundation (OSVDB)
When, in October and November 's toolsmith posts, I redefined DFIR under the premise of D eeper F unctionality for I nvestigators in R ...
It's rather hard to believe, unimaginable even, but here we are. This is the 120th consecutive edition of toolsmith; every mon...
Ladies and gentlemen, for our main attraction, I give you...The HELK vs APTSimulator, in a Death Battle! The late, great Randy "Macho...
I'm a bit slow on this one but better late than never. Steph dropped her HIBPwned R package on CRAN at the beginning of June, and it...