<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Static in the Ether &#187; Malware</title>
	<atom:link href="http://lair.moria.org/blog/archives/tag/malware/feed" rel="self" type="application/rss+xml" />
	<link>http://lair.moria.org/blog</link>
	<description>Unix, Information Security &#38; Systems Administration</description>
	<lastBuildDate>Thu, 10 Feb 2011 21:44:47 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
		<item>
		<title>18 hours on we haven't had a meltdown</title>
		<link>http://lair.moria.org/blog/archives/193</link>
		<comments>http://lair.moria.org/blog/archives/193#comments</comments>
		<pubDate>Wed, 01 Apr 2009 07:58:43 +0000</pubDate>
		<dc:creator>Barry Irwin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Annoyances]]></category>
		<category><![CDATA[Conficker]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://lair.moria.org/blog/?p=193</guid>
		<description><![CDATA[Eighteen hours into the much-hyped first days of Conficker's new update cycle (started at 00h00 local time on the 1st of April), and surprisingly the Internet has not melted down. Masses of FUD have been spread, and probably a LOT of AV product has been sold. What has been a positive spinoff of this [...]]]></description>
			<content:encoded><![CDATA[<p>Eighteen hours into the much-hyped first days of Conficker's new update cycle (started at 00h00 local time on the 1st of April), and surprisingly the Internet has not melted down. Masses of FUD have been spread, and probably a LOT of AV product has been sold. What has been a positive spinoff of this is that awareness has been created among the general public. What has not been so positive is that people getting their information from the popular press have no way of actually stripping out the facts.</p>
<p>During a break after I presented a talk on cyber warfare last night, I had a number of questions relating to the purported meltdown today:</p>
<ul>
<li>&#8220;Should we keep our machines off?&#8221;</li>
<li>&#8220;How do we stop this?&#8221;</li>
<li>&#8220;How do I stop getting infected?&#8221;</li>
<li>&#8220;What antivirus must we buy?&#8221;</li>
</ul>
<p>Here in deepest darkest Africa, we have two unintended benefits that come from the general means of network engineering done here. Both stem in reality from the paucity of real bandwidth currently (and historically) available. The first is that most organisations block direct port 80/tcp (http) and related port access to the Internet, forcing the use of proxy servers. This cuts off Conficker's ability to update. In the residential SOHO market, direct end-to-end port 80 access is theoretically possible, but more often than not there is a transparent proxy in the way. I doubt ISPs are doing any domain filtering on these, however. The second, which works as a means of self-limitation, is the fact that should any massive wave of attacks spring forth from the SOHO/residential type users, it will be cut short as they rapidly burn through their &#8220;bandwidth cap&#8221; &#8211; in most cases 1-3 Gig.</p>
<p>What is interesting is what the actual next move will be. I think it's highly unlikely that this will be used for an all-out offensive and then disposed of. The authors have carefully engineered through four releases of the hybridised malware, and in essence have made a fairly substantial investment. The most likely scenario is that this is yet another botnet for sale &#8211; albeit a potentially massive one.</p>
<p>Botnets themselves are nothing new; we have seen what Storm has done (and is still doing).</p>
<p>For now we bunker down and wait&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://lair.moria.org/blog/archives/193/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Visualizing Viruses</title>
		<link>http://lair.moria.org/blog/archives/51</link>
		<comments>http://lair.moria.org/blog/archives/51#comments</comments>
		<pubDate>Thu, 12 Jun 2008 06:45:03 +0000</pubDate>
		<dc:creator>Barry Irwin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Vizualization]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://lair.moria.org/blog/?p=51</guid>
		<description><![CDATA[Wired has an article on the artwork done by MIT Media Lab&#8217;s grad student Alex Dragulescu. Working under contract to MessageLabs he has produced a number of pictures, showing images of Mydoom, Ghost Keylogger and other bits of malware. While all quite pretty there seems to be no detail of how they were created [...]]]></description>
			<content:encoded><![CDATA[<p>Wired has an article on the artwork done by MIT Media Lab&#8217;s grad student <a title="Alex Dragulescu Homepage" href="http://www.sq.ro/">Alex Dragulescu</a>. Working under contract to MessageLabs he has produced a number of <a href="http://www.wired.com/politics/security/multimedia/2008/04/gallery_viruses">pictures</a>, showing images of Mydoom, Ghost Keylogger and other bits of malware.<br />
While all quite pretty, there seems to be no detail of how they were created in the original post, although the <a href="http://www.sq.ro/malwarez.php">MalWarez</a> link on his homepage describes the process as follows:</p>
<blockquote><p>..For each piece of disassembled code, API calls, memory addresses and subroutines are tracked and analyzed. Their frequency, density and grouping are mapped to the inputs of an algorithm that grows a virtual 3D entity.</p></blockquote>
<p>The <a title="Storm Worm Vizualisation" href="http://www.sq.ro/viewer.php?i=125">Storm Worm</a> is probably my favorite of the visualizations. He also has an interesting set of images entitled <a href="http://www.sq.ro/spamplants.php">SpamPlants</a>, based on input relating to the ASCII character frequency of spam messages.</p>
<p>Now this sounds like a great project for an aspiring security researcher with a graphical bent.</p>
]]></content:encoded>
			<wfw:commentRss>http://lair.moria.org/blog/archives/51/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>T2 Forensic Challenge</title>
		<link>http://lair.moria.org/blog/archives/35</link>
		<comments>http://lair.moria.org/blog/archives/35#comments</comments>
		<pubDate>Wed, 04 May 2005 12:39:16 +0000</pubDate>
		<dc:creator>Barry Irwin</dc:creator>
				<category><![CDATA[Old Lair]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://lair.moria.org/blog/?p=35</guid>
		<description><![CDATA[I found this going through a backlog of ISN mail. DEVELOPERS AT F-Secure have issued a challenge to hackers to find an embedded message in a .EXE file. The challenge looks quite tricky, and the winner gets a free ticket to the T2&#8217;05 info sec conference in Finland, but unfortunately only if she or he [...]]]></description>
			<content:encoded><![CDATA[<p>I found this going through a backlog of ISN mail.</p>
<blockquote>
<p>
DEVELOPERS AT F-Secure have issued a challenge to hackers to find an<br />
embedded message in a .EXE file.
</p>
<p>
The challenge looks quite tricky, and the winner gets a free ticket to<br />
the T2&#8217;05 info sec conference in Finland, but unfortunately only if<br />
she or he lives in Finland.
</p>
<p>As well as figuring out the message, and sending it to a pre-defined<br />
email address, information about the methods and tools must be<br />
supplied.
</p>
<p>There&#8217;s more information, and the rules of the challenge, <a href="http://www.t2.fi/english/challenge-05.html">here</a>
</p></blockquote>
<p>Even though I can't win a trip to the con, it should be fun trying to extract the data out of the provided file. Hopefully when the competition closes, a solution will be released.</p>
]]></content:encoded>
			<wfw:commentRss>http://lair.moria.org/blog/archives/35/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

