IT Trenches


November 19, 2010  2:37 PM

Anatomy of a crimeware rootkit – scary stuff!

Troy Tate

I came across a recent tutorial on reverse engineering the ZeroAccess / Max++ / Smiscer Crimeware Rootkit. This is a very malicious rootkit that has features such as:

  • Modern persistence hooks into the OS – Make it very difficult to remove without damaging the host OS.
  • Ability to use low-level API calls to carve out new disk volumes totally hidden from the infected victim, making traditional disk forensics impossible or difficult.
  • Sophisticated and stealthy modification of resident system drivers to allow for kernel-mode delivery of malicious code.
  • Advanced Antivirus bypassing mechanisms.
  • Anti Forensic Technology – ZeroAccess uses low level disk and filesystem calls to defeat popular disk and in-memory forensics tools.
  • Serves as a stealthy platform for the retrieval and installation of other malicious crimeware programs.
  • Kernel level monitoring via Asynchronous Procedure Calls of all user-space and kernel-space processes and images, and ability to seamlessly inject code into any monitored image.

If those elements do not scare you, then consider this information from the same article:

Symantec reports that 250,000+ computers have been infected with this rootkit. If 100% of users pay the $70 removal fee, it would net a total of $17,500,000. As it is not likely that 100% of users will pay the fee, assuming that perhaps 30% will, resulting in $5,250,000 in revenue for the RBN (Russian Business Network) cybercrime syndicate.

There’s real money changing hands with malware today. It is no longer script kiddies or basement geeks getting their jollies by causing issues on a few computers.

Thanks for reading & let’s continue to be good network citizens and track down & prosecute those that are not.

September 16, 2010  3:20 PM

PDF Search Engine – ebooks

Troy Tate

I recently came across a specialized search engine for PDFs and ebooks. I know that there are Google hacks or search strings that you can use to narrow search scope, but at times it is nice to use a specialized tool to quickly isolate what you are searching for without using expert search strings.

Check out http://pdfcatch.net/ . See how you like it and let other ITKE readers know.

I found the recent search list on the webpage sidebar rather interesting.

Thanks for reading & let’s continue to be good network citizens!


September 10, 2010  5:05 PM

Is there an orange ball in information security?

Troy Tate

In Japan many retailers have what look like orange balls or water balloons near checkouts. Bruce Schneier, a leading information security expert, recently blogged about these orange balls as anti-robbery devices. Could we find any type of orange ball to use for information security, to “mark” the packets of attackers and then track them back down? What do you think?

Thanks for reading & let’s continue to be good network citizens!


September 10, 2010  3:56 PM

DLL hole also affects EXE files

Troy Tate

According to a Heise Media report, the DLL binary planting vulnerability is not limited to DLL files; it also affects EXE files.

The example given: an HTML file is saved alongside a copy of a file called EXPLORE.EXE. The HTML file contains an embedded URI link with the address file://. When the HTML file is opened and the link is followed, the browser attempts to launch EXPLORE.EXE from the local folder rather than the system copy the link was meant to reach.

The current Microsoft workarounds for the DLL vulnerability only apply to DLLs, not EXEs.
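A practical check that follows from the report: since the DLL-only workaround does not cover the EXE case, defenders still need to spot the planting pattern itself, which is an executable or DLL sitting in the same folder as a document a user is about to open. The audit below is an added example written for this post, not code from Heise or Microsoft. It walks a directory tree and flags any .dll or .exe stored beside user documents, and raises the severity when the file name collides with a Windows system binary. The SYSTEM_BINARY_NAMES and DOCUMENT_EXTENSIONS sets are illustrative assumptions; the sample directory it builds is constructed to mirror the report's scenario (an HTML file next to EXPLORE.EXE).

```python
import os
import tempfile
from dataclasses import dataclass

# Extensions treated as "documents" a user would double-click (assumption for
# this example; extend it to whatever your users actually receive).
DOCUMENT_EXTENSIONS = {".html", ".htm", ".doc", ".docx", ".pdf", ".rtf", ".txt"}
# The two binary types the report says can be planted; the EXE case is the one
# the DLL-only workaround does not cover.
PLANTABLE_EXTENSIONS = {".dll", ".exe"}
# Illustrative subset of names that belong in the Windows system directory and
# have no business sitting in a download folder or file share (assumption: a
# production audit would build this set from the host's own system directory).
SYSTEM_BINARY_NAMES = {
    "kernel32.dll", "user32.dll", "shell32.dll", "advapi32.dll",
    "explorer.exe", "cmd.exe",
}


@dataclass
class Finding:
    path: str      # full path of the suspicious file
    name: str      # basename, for reporting and tests
    severity: str  # "high" for system-name collisions, "medium" otherwise
    reason: str


def audit_directory(root: str) -> list[Finding]:
    """Walk `root` and flag DLL/EXE files that match the planting pattern."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        has_document = any(
            os.path.splitext(f.lower())[1] in DOCUMENT_EXTENSIONS for f in files
        )
        for name in files:
            lowered = name.lower()
            ext = os.path.splitext(lowered)[1]
            if ext not in PLANTABLE_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            if lowered in SYSTEM_BINARY_NAMES:
                findings.append(Finding(full, name, "high",
                                        "name collides with a Windows system binary"))
            elif has_document:
                findings.append(Finding(full, name, "medium",
                                        f"{ext} file stored beside user documents"))
    # Deterministic order so reports (and tests) are stable across platforms.
    return sorted(findings, key=lambda f: f.path)


def build_sample_directory() -> str:
    """Create a constructed tree that reproduces the report's scenario."""
    root = tempfile.mkdtemp(prefix="planting_audit_")
    layout = {
        "downloads/report.html": "<html><a href='file://'>open</a></html>",
        "downloads/EXPLORE.EXE": "MZ",   # the EXE planted beside the HTML file
        "downloads/shell32.dll": "MZ",   # a system DLL name outside System32
        "tools/setup.exe": "MZ",         # an installer on its own: not flagged
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in audit_directory(build_sample_directory()):
        print(f"[{finding.severity}] {finding.path}: {finding.reason}")
```

Run it against a Downloads folder or a departmental file share rather than the constructed sample; the "medium" findings are the ones the registry-based DLL workaround would never have caught, because they are EXEs, not DLLs.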

See this news posting for additional information.

Information security continues to be a struggle against function, features and stopping bad things from happening. What are your thoughts about where this is going?

Thanks for reading & let’s continue to be good network citizens!


August 27, 2010  5:49 PM

Did you see this? – Microsoft updates Security Compliance Management Accelerator toolkit

Troy Tate

In 2008, I blogged about Microsoft’s release of the Security Compliance Management Accelerator toolkit. Now, two years later, Microsoft has announced an updated Security Compliance Manager. The Microsoft Security Compliance Manager is the next evolution of the Microsoft Security Compliance Management Toolkit (SCMT) Series. Microsoft has taken extensive guidance and documentation and incorporated it into this new tool, enabling you to access and automate all of your organization’s security baselines in one centralized location. Additionally, this tool provides security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies. This is a free download that can be accessed from the location below:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e

According to the website:

Security Compliance Manager Overview
Take advantage of the experience of Microsoft security professionals, and reduce the time and money required to harden your environment. This end-to-end Solution Accelerator will help you plan, deploy, operate, and manage your security baselines for Windows® client and server operating systems, and Microsoft applications. Access the complete database of Microsoft recommended security settings, customize your baselines, and then choose from multiple formats, including XLS, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP), to export the baselines to your environment to automate the security baseline deployment and compliance verification process. Use the Security Compliance Manager to achieve a secure, reliable, and centralized IT environment that will help you better balance your organization’s needs for security and functionality.

Key Features and Benefits

  • Centralized Management and Baseline Portfolio: The centralized management console of the Security Compliance Manager provides you with a unified, end-to-end user experience to plan, customize, and export security baselines. The tool gives you full access to a complete portfolio of recommended baselines for Windows® client and server operating systems, and Microsoft applications. The Security Compliance Manager also enables you to quickly update the latest Microsoft baseline releases and take advantage of baseline version control.
  • Security Baseline Customization: Customizing, comparing, merging, and reviewing your baselines just got easier. Now you can use the new customization capabilities of the Security Compliance Manager to duplicate any of the recommended baselines from Microsoft, for Windows client and server operating systems and Microsoft applications, and quickly modify security settings to meet the standards of your organization’s environment.
  • Multiple Export Capabilities: Export baselines in formats like XLS, Group Policy objects (GPOs), Desired Configuration Management (DCM) packs, or Security Content Automation Protocol (SCAP) to enable automation of deployment and monitoring baseline compliance.
  • The Security Compliance Manager Getting Started Guide is now available to download. Download this short guide to quickly set up and customize the Security Compliance Manager (SCM) tool. The guide also includes brief instructions on using the SCM tool to deploy and monitor security baselines for the latest server and client operating systems from Microsoft.

Let me and other ITKE readers know if you have tried this tool and how it worked if you did. Thanks for reading and let’s continue to be good network citizens!


August 27, 2010  2:12 PM

Friday fun: HEADLINE: Microsoft Windows glider crashes

Troy Tate

Well, the headline may be tongue-in-cheek, but this is truly a fun story for a Friday. The Register reports that the Microsoft Phoenix glider failed to show the “right stuff” in the recent Red Bull Flugtag competition in Long Beach, California. Guess the engineers didn’t do much end-user testing on the device. I just wonder how many man-hours went into the team choreography to the XP / Windows 7 mashup.

[Embedded video: http://www.youtube.com/v/CLkphZYt_Zk]

Have a great weekend! Thanks for reading and let’s continue to be good network citizens! And remember – Windows can’t fly.


August 27, 2010  1:35 PM

Hackers send exploit code to Microsoft

Troy Tate

Go ahead and report why your system crashed: send Microsoft the exploit code you are working on. As most Windows users know, you can send Microsoft details about what caused a system crash. According to a recent presentation at Microsoft Tech.Ed 2010, in some cases hackers click yes on that prompt, and the exploit code they are developing is sent to Microsoft along with the crash report.

I find this article humorous, but at the same time frustrating because of its comment about current threats:

… the top hacking methods of cross-site scripting and SQL injection had not changed in the past six years.

“One, it tells me that the bad guys go with what they know, and two, it says the developers aren’t listening”

How should this message be delivered to developers? Why are these threats still showing up in the top 5? If you are a developer or a CISO, let me and other ITKE readers know how you handle these security issues. Thanks for reading and let’s continue to be good network citizens.


August 26, 2010  6:08 PM

Online devices, applications and threats grow – predictions for 2013

Troy Tate

The Cisco 2010 Midyear Security Report shows some staggering statistics about the number of online devices, mobile applications and security threats projected to be around in 2013.

  • In 2007 there were 500 million connected devices, or 1/10th of a connected device per person worldwide. In 2010, there are now 35 billion (5 connected devices per person). For 2013, Forrester Research projects that there will be 1 trillion (140 per person) connected devices.
  • In 2007 there were about 3000 total mobile applications. In 2010, there are 265,000 mobile applications. Current growth trends estimate in 2013 there will be 1.5 million mobile applications.
  • In 2007 there were approximately 624,000 security threats (the document doesn’t specify what this really means). In 2010, there will be 2.6 million security threats. The Symantec and Cisco projection for 2013 predicts 5.7 million security threats.

It is amazing how much things in the IT world have changed in the past three years and taking that projection out another three years seems staggering. How is an organization supposed to handle the growing environment and the growing threats? Cisco offers some suggestions in this report:

  1. Close gaps in situational awareness. Be aware of the totality of the network.
  2. Focus first on solving “old” issues – and doing it well. Begin making improvements in the area of software updates and patches.
  3. Educate your workforce on security – and include them in the process. Remember in information sec-u-r-it-y, You Are IT (U-R-IT). Kinda cheesy I know but it is a basic truth. We are all responsible for IT security.
  4. Understand that one security border is no longer enough. Business has now become borderless and mobile.
  5. View security as a differentiator for your business. “How an enterprise approaches security and responds to trends such as social networking and mobility can have a direct impact on ability to hire and retain talent.”

What do you think is going to happen in the next 3 years with regards to devices, applications, and security threats? Is Cisco on target, or off base? Let me and other ITKE readers know your thoughts. Thanks for reading and let’s continue to be good network citizens.


August 24, 2010  8:01 PM

Whack-a-mole testing for Microsoft DLL exploit

Troy Tate

HD Moore of Metasploit fame has created a tool to identify applications which exhibit the DLL hijack flaw about which Microsoft recently released a security advisory. In HD Moore’s own words, this tool

will turn a desktop PC into a game of whack-a-mole by launching the file handlers for every registered file type, while recording whether or not a DLL was accessed within the working directory of the associated file.

To find out more about this DLL hijack exploit test kit and to get the tool see HD’s blog.

This could be a serious issue, so I am waiting to see what develops here now that Metasploit has also released a working exploit plugin.
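The criterion HD Moore's tool records, whether a DLL was accessed within the working directory of the opened file, is something a defender can also check from a file-activity trace of an application already in the estate, without launching every handler. The script below is an added example written for this post, not HD Moore's tool or anything from Metasploit. It reads a constructed trace in a simplified CSV shape modelled loosely on a Process Monitor export (the column names, process names, paths and events are all assumptions), works out the directory of the document each process opened, and then reports any DLL that the process probed or loaded from that same directory. A "probed" result (the application looked in the document's folder and found nothing) is the search-order exposure the advisory describes; a "loaded" result means a DLL from that folder was actually mapped.

```python
import csv
import io
import ntpath

# Constructed trace; column names and events are assumptions for this example
# and are modelled loosely on a Process Monitor CSV export.
SAMPLE_TRACE = r"""Process Name,Operation,Path,Result
wordpad.exe,Load Image,C:\Windows\System32\kernel32.dll,SUCCESS
wordpad.exe,CreateFile,C:\Users\alice\Downloads\invite.rtf,SUCCESS
wordpad.exe,CreateFile,C:\Users\alice\Downloads\somelib.dll,NAME NOT FOUND
viewer.exe,CreateFile,\\fileserver\share\brochure.jpg,SUCCESS
viewer.exe,Load Image,\\fileserver\share\helper.dll,SUCCESS
notepad.exe,CreateFile,C:\Users\alice\Desktop\notes.txt,SUCCESS
notepad.exe,Load Image,C:\Windows\System32\user32.dll,SUCCESS
"""

# Loads from the Windows directory are the expected search-order outcome
# (assumption: a single-volume install at C:\Windows).
SYSTEM_DIR_PREFIX = "c:\\windows\\"


def parse_trace(text: str) -> list[dict]:
    """Parse the CSV trace into one dict per event."""
    return list(csv.DictReader(io.StringIO(text)))


def document_directories(rows: list[dict]) -> dict[str, str]:
    """Per process, the directory of the first document it opened: this is
    the working directory a planted DLL would share with the document."""
    dirs = {}
    for row in rows:
        path = row["Path"].lower()
        is_binary = path.endswith((".dll", ".exe"))
        if (row["Operation"] == "CreateFile" and row["Result"] == "SUCCESS"
                and not is_binary and not path.startswith(SYSTEM_DIR_PREFIX)):
            # ntpath handles both drive-letter and UNC paths on any host OS.
            dirs.setdefault(row["Process Name"].lower(), ntpath.dirname(path))
    return dirs


def find_working_dir_dll_access(rows: list[dict]) -> list[tuple[str, str, str]]:
    """Return (process, dll, kind) for every DLL touched in the document's
    directory: 'probed' when the app looked there and found nothing (the
    search order exposes it), 'loaded' when a DLL from there was mapped."""
    dirs = document_directories(rows)
    hits = []
    for row in rows:
        path = row["Path"].lower()
        if not path.endswith(".dll"):
            continue
        proc = row["Process Name"].lower()
        if proc not in dirs or ntpath.dirname(path) != dirs[proc]:
            continue
        loaded = row["Operation"] == "Load Image" and row["Result"] == "SUCCESS"
        hits.append((row["Process Name"], ntpath.basename(path),
                     "loaded" if loaded else "probed"))
    return hits


if __name__ == "__main__":
    for proc, dll, kind in find_working_dir_dll_access(parse_trace(SAMPLE_TRACE)):
        print(f"{proc}: {kind} {dll} from the opened document's directory")
```

On the constructed trace, wordpad.exe is reported as probing for a DLL in the Downloads folder where it opened a document, and viewer.exe as having loaded one from the file share. Either result is the signal to prioritize that application for the Microsoft workaround or a vendor fix; notepad.exe, which only loaded from System32, is not reported.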

What are your thoughts on this vulnerability? Do you have Windows developers who may have created risks for your organization through poor development practices? Let me and other ITKE readers know about your experiences with this vulnerability, and if you have used the DLL hijack exploit test tool, how your testing went. Thanks for reading and let’s continue to be good network citizens!


August 23, 2010  6:32 PM

Investigation indicates trojan contributed to 2008 Spanair crash

Troy Tate

El Pais reports that a Spanair computer which tracks airplane maintenance and problem issues was infected by malicious software (trojans) that prevented it from operating properly. The computer should raise an alarm when three failures happen on particular or related components. In this case, the trojan malware caused the computer to run so slowly that maintenance technicians were unable to file reports. So, maybe lack of speed can kill too!

This keeps us support folks ever mindful of maintaining robust, secure systems that are capable of doing the required job. I wonder how much attention the IT support staff at Spanair will get now that this report has been released.

What do you think should happen to the IT support staff? How do US airlines handle client computer security to prevent a similar event from happening? Leave your comments for other ITKE readers. Thanks for reading & let’s continue to be good network citizens!

