Custom Debian Image from Knoppix
November 19th, 2008
Today I built a custom Debian CD from Knoppix. The cool thing about this is that you can boot any PC with it to do some troubleshooting. In particular you can mount an NTFS drive (Windows) and read / write to it.
Jerome Segura
Got Root?
November 17th, 2008
Our Sandbox has some cool new features:
- It collects rootkits that are totally invisible to Windows
- An XML event log is dynamically generated for automated adjudication
Jerome Segura
Research projects
November 14th, 2008
It’s been a while since I last posted. So here is what’s been keeping us busy at Paretologic:
- We’ve been working on live CDs as a way to eradicate rootkits. Well, the task is actually harder than it looks. There are many distros available that we are trying to customize to our needs.
- Our ongoing heuristic research is showing some good results. We are developing technology capable of detecting malware without signatures. For example, brand new threats that no vendor has had a chance to analyze can be proactively detected based on many static attributes. This is a more sophisticated approach than MD5 matching, but obviously there are more difficulties in deploying it.
- We have our own sandbox, which we call “logmachine”. Several improvements were done to it. It has in fact become a good resource for collecting more malware samples.
All in all, I’ve been really busy with all that stuff, which kept me from reading my regular blogs or posting on this blog, for that matter.
Jerome
Bad practices, left right and center expose MyWebSearch and Ask.com
November 4th, 2008
What seems to be a spam comment on a YouTube video takes me to some places I didn’t want to go.
I followed the link above and landed on a site that asks me to install a toolbar (in order to view a video featuring Miley Cyrus… or so it says…)
Which takes me to a very artistic page (to say the least).
Once the install is done, I can’t help but notice the checkbox to install the Search Assistant from Ask.com
Here is the toolbar, and another brightly coloured website.
That toolbar is detected by many AV vendors as Adware. Oh, and the original YouTube account that sent me the link so graciously has been suspended. Go figure…
Jerome
Boooo! ICANN Flip-flops.
October 31st, 2008
…And Estdomains gets a midnight stay of execution on a technicality! ICANN is “examining” the situation to try to figure out what to do, as the I knew that the de-accreditation using a clause was a round-about way of achieving things. I guess I’ll put away my confetti, the party hat, and the little trumpet.
Jean “TinFoilHatMan” Taggart
ICANN de-accredits EstDomains!
October 29th, 2008
I have blogged on this in the past, and everyone in the security arena is also commenting on this presently. I am very pleased to see that EstDomains has been de-accredited by ICANN, the governing entity that coordinates the allocation and assignment of the three sets of unique identifiers for the Internet. In short, they have pulled the plug on EstDomains’ ability to register websites.
The reason they invoked for the de-accreditation was that the CEO of EstDomains, Vladimir Tsastsin, has been convicted of credit card fraud, document forgery, and money laundering, and sentenced to 3 years of prison in Estonia. Apparently a criminal conviction violates a clause in the agreement that ICANN had with EstDomains, and allowed them to terminate the RAA (Registrar Accreditation Agreement).
This feels an awful lot like Al Capone being sent to jail for tax evasion, and not for the numerous other crimes he committed. That ICANN had to wait for something like this to take action, when EstDomains’ active participation in the cyber crime ecosystem has been the worst kept secret for so long, clearly demonstrates that they intend to continue with their “we don’t police” approach to registrar accreditation. Going to jail for tax evasion, as befell Al Capone, is still going to jail. Having your registrar status revoked for having a criminal record, rather than for brazenly providing domain registrar services to the criminal element, is still having your registrar status revoked. At least it is a step in the right direction.
Mikko Hyppönen of F-Secure has a very informative blog entry on exactly just how long this has been going on. http://www.f-secure.com/weblog/
And now, ICANN is looking for someone to take over the bulk of the sites that EstDomains managed. I don’t envy whoever gets this job, but I do have a few suggestions:
- Compare the approx. 280,000 domains against all the major blacklists. Anyone on the list gets dropped.
- Examine the balance by parsing it through the Google Safe Browsing API. Drop whatever else turns up.
This may feel a little too much like “throwing away the baby with the bathwater” to some, but it beats the alternative of just pulling the plug on the whole lot. Besides, I suspect that the number of domains will be considerably smaller after that process…
Jean “TinFoilHatMan” Taggart
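The two-stage triage suggested above, as an added example that is not part of the original post: blacklist matching covers parent zones (a listed zone drops its subdomains), and only survivors reach the second stage. The Safe Browsing call is not implemented; `lookup` is an assumed callable the operator supplies, and the domains and blacklist are constructed placeholders.

```python
# Added example: triage of an inherited domain portfolio.
# Stage 1: drop anything on a blacklist (zone matches cover subdomains).
# Stage 2: run the remainder through a reputation lookup (assumed callable,
#          e.g. a Google Safe Browsing client) and drop the hits.
from collections.abc import Callable, Iterable


def normalize(domain: str) -> str:
    """Lowercase and strip surrounding whitespace and a trailing dot."""
    return domain.strip().lower().rstrip(".")


def blacklisted(domain: str, blacklist: set[str]) -> bool:
    """True if the domain or any parent zone appears on the blacklist."""
    labels = normalize(domain).split(".")
    for i in range(len(labels) - 1):          # never match the bare TLD
        if ".".join(labels[i:]) in blacklist:
            return True
    return False


def triage(domains: Iterable[str], blacklist: set[str],
           lookup: Callable[[str], bool]) -> dict[str, list[str]]:
    """Bucket domains: dropped by blacklist, dropped by lookup, or kept."""
    blacklist = {normalize(d) for d in blacklist}
    result: dict[str, list[str]] = {"blacklist": [], "lookup": [], "keep": []}
    seen: set[str] = set()
    for raw in domains:
        d = normalize(raw)
        if not d or d in seen:                # skip blanks and duplicates
            continue
        seen.add(d)
        if blacklisted(d, blacklist):
            result["blacklist"].append(d)
        elif lookup(d):                       # second stage for survivors only
            result["lookup"].append(d)
        else:
            result["keep"].append(d)
    return result


# Constructed sample data (placeholders, not real indicators).
SAMPLE_DOMAINS = ["shop.example.net", "Bad-Host.example.org.", "news.example.com",
                  "cdn.bad-host.example.org", "shop.example.net", "phish.example.com"]
SAMPLE_BLACKLIST = {"bad-host.example.org"}
SAMPLE_FLAGGED = {"phish.example.com"}        # stands in for a lookup hit


def demo() -> dict[str, list[str]]:
    return triage(SAMPLE_DOMAINS, SAMPLE_BLACKLIST, lambda d: d in SAMPLE_FLAGGED)


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(f"{bucket}: {items}")
```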
Rogue B$ anyone?
October 28th, 2008
Once again, we see another rogue coming. Fake “account suspended”
Fake 404 page, but real malware
The rogue in question:
Oh and another one also:
and the registrar for this domain is…… INTERNET.BS.CORP. nice…
More news about MS08-067
October 24th, 2008
Today we got our hands on one of the first malware files (a Trojan) pushed successfully through the Microsoft vulnerability (MS08-067). It’s an information stealer trojan which silently connects to different servers.
How bad is this going to be? Well, if users are not applying the patch they are at risk of letting unauthorised code execute, such as this information stealing Trojan.
Jerome Segura
PATCH NOW!
October 24th, 2008
Yes, there is a valid reason *everyone* is saying the same thing. http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx The consensus in the security arena is that, were it properly “weaponized”, this vulnerability could rival Sasser/Blaster/Nachi/Welchia. In short, patch now.
Jean “TinFoilHatMan”
Malware analysis & removal
October 23rd, 2008
Our systems are receiving new malware samples every minute. What do we do with them? We analyze them, of course. Those samples are processed with “LogMachines”, where they are run and their behaviour is logged. We use custom-made command-line tools to analyze the samples:
We populate the malware actions into our database. A third step involves verifying that we are capable of completely removing the malware without damaging the system. Machines are set up to be infected and then we run our removal tool.
Sometimes the payload from executing the malware changes, or we need to adjust our signatures in order to fully remove, say, a randomly generated malware sample:
We are not using VMware to analyze threats as malware authors know how to check for a “real” environment. By doing so, we are matching what end users have if they get infected. Jerome