IT Trenches: botnet

Oct 7 2009   6:38PM GMT

IT services and The Three Chinese Curses



Posted by: Troy Tate
IT, information technology, professional, career, network analysis, service level, support, information security, infosec, trojan, bot, botnet, Security

In America, October is the time when hauntings, evil spirits and curses come to mind. Earlier today I posted a blog entry titled Can IT education bring an end to the recession? In it I used a quote attributed to a series of Chinese curses that go in ascending order of severity. After using it, I pondered the other two curses and their applicability to IT services.

According to Wikipedia, the three curses are:

  • May you live in interesting times.
  • May you come to the attention of those in authority (sometimes rendered as "May the government be aware of you").
  • May you find what you are looking for.


Aug 19 2009   6:21PM GMT

Can a botnet make me sexy?



Posted by: Troy Tate
botnet, infection, parasite, autoupdate, command and control, command, control, antivirus, configuration manager, systems center, Microsoft, mcafee

Ponder this question. Are there botnets that are sexy and make you more attractive? I got this idea from the Animal Planet (Discovery) show Monsters Inside Me: Can a Parasite Make Me Sexy? Consider a good botnet (parasite) for a minute. Is something like McAfee ePolicy Orchestrator or Microsoft’s System Center Configuration Manager effectively a command and control system for a good botnet? Would that be considered a sexy parasite? Is this just a symbiotic relationship that is good for all?

So, think about it… what are you infected with today that’s doing you good?

Well… maybe it’s not always good to be infected with a parasite so that’s why I say: thanks for reading & let’s continue to be good network citizens.


Jun 24 2009   6:24PM GMT

Did you see this? - SYSTEM CLEANING: GETTING RID OF MALWARE FROM INFECTED PCS



Posted by: Troy Tate
malware, malicious software, Security, information security, integrity, availability, trojan, bot, botnet, registry, antivirus, anti-virus, av

I don’t know about you, but I get frustrated when a white paper is advertised and it has little or no meat to it. Most of the time, the whitepapers offered by vendors today are light marketing fluff with little substance to help IT folks do their jobs better.

I came across a whitepaper/research document today that will help you do your job better if you manage systems that may become infected by malware. That means anyone who uses a computer could get some use from this document and website.

Check it out today. The whitepaper does not require any registration (another pet peeve of mine; check out bugmenot for Firefox if registrations bug you too!). The whitepaper is titled SYSTEM CLEANING: GETTING RID OF MALWARE FROM INFECTED PCS.

Thanks for reading and let’s continue to be good network citizens.


Oct 10 2008   7:58PM GMT

Counterfeit Metrics - Type II Reverse Engineering



Posted by: Troy Tate
Security, Monitoring, reporting, IT education, Data security, malware, performance monitoring, botnet, Metrics, risk, research, awareness, vulnerability, dhs, analysis

If you are into metrics, you might find this article rather interesting: For Good Measure: Type II Reverse Engineering.

A couple of the security metrics I find interesting:

  • Counterfeit hosts (zombied/botted): 30% (estimated)
  • Odds that neither end of a P2P session is øwned: 50–50
  • Bytes required to counterfeit a presidential candidate: 1
  • Dollar value of counterfeit Cuban cigars: $100 million
  • Dollar value of counterfeit whisky: $700 million
  • Dollar value of counterfeit IT: $100 billion

Information like this really helps you understand why hackers and criminals do the things they do. I’m not endorsing it by any means.


Sep 19 2008   12:53PM GMT

Did you see this? - Encyclopedia of internal network security threats



Posted by: Troy Tate
Networking, forensics, Security, tools, Microsoft Windows, Monitoring, Browsers, web, reporting, WWW, antivirus, homeland security, Data security, malware, Policy, design, Firefox, Microsoft, website, troubleshooting, honeypot, botnet, risk, research, awareness, vulnerability, man-in-the-middle

Promisec has released an online encyclopedia of internal network security threats. It is available online for free. There is a lot of information to look through as you decide how the risks affect your organization.

Take for example the entry describing GoogleTalk. The site rates it as one of the top 5 internal threats.

The more we know about these risks the better prepared we can be. Thanks for your time. Let’s be good network citizens together & practice safe networking!


Jul 8 2008   5:12PM GMT

Browser warnings - Danger Will Robinson! - or did it just cry “Wolf!”?



Posted by: Troy Tate
forensics, Security, Development, web, reporting, Google, WWW, IT education, antivirus, Data security, malware, Policy, Firefox, website, anti-virus, honeypot, botnet, online identity, Metrics, honeynet, policy enforcement, awareness

I sometimes browse the internet using Firefox. I say sometimes because Internet Explorer is the standard browser at my company and Firefox is not supported by IT. Since I work in IT, though, sometimes you have to test things on behalf of users and also see how certain sites behave differently depending on the client browser.

Well, I recently upgraded Firefox to v3. It does seem much better than v2, although some of my useful add-ins are now broken (when will YSlow get fixed for v3?). One of the new features of Firefox v3 is the ability to warn the user when the visited website is a known potential malware site. This is a good feature! It provides the user with some useful information and education about the dangers on the internet. However, how accurate is this feature? What if you are visiting a trusted website that you frequently use and now get this message?

For your information, this is the message you will see when you attempt to visit a site deemed risky:

Reported Attack Site!

This web site at certification.xxxxxxx.org has been reported as an attack site and has been blocked based on your security preferences.

Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.

I blanked out the actual website address above. However, those of you with a bit of detective in you are likely going to figure it out.

What is interesting about this particular warning message is that it refers to a website that has security as a guiding principle. When you see this message in Firefox, you are presented with three options:

  • Get me out of here!
  • Why was this site blocked?
  • Ignore this warning (in very tiny print at the bottom of the message)

I was curious as to why this site would be considered a danger, so I clicked on the Why was this site blocked? option. The report I received was interesting, and as I mentioned earlier, could this be an example of someone crying “Wolf!”?

The report was as follows:

What is the current listing status for certification.xxxxxxx.org

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 6 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 07/06/2008, and the last time suspicious content was found on this site was on 07/06/2008.

Malicious software includes 1 scripting exploit(s). Successful infection resulted in an average of 3 new processes on the target machine.

Malicious software is hosted on 3 domain(s), including lokriet.com, clrbbd.com, catdbw.mobi.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including catdbw.mobi.

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, certification.xxxxxxx.org did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

This is great educational stuff, but did it really happen to this particular website? I don’t know, but apparently Google does. With a report of just one incident, is this site really worth the notification? How many incidents should it take before a site is considered malicious, and who determines what malicious is?

Just something else to mull over in your copious time as you go perusing websites in Firefox.

Thanks for your time. Let’s be good network citizens together & practice safe networking!


Jul 2 2008   2:33PM GMT

Did you see this? - The Great SPAM diet results are in



Posted by: Troy Tate
Security, Monitoring, reporting, spam, antivirus, email, Data security, malware, anti-virus, Performance, botnet, online identity, Metrics, research, awareness

See my previous post on The Great SPAM Diet. The results are now in, and darkReading has the scoop:

McAfee’s Great Spam Experiment, Unplugged

Many spam messages sent to participants in the study were phishing emails or contained malware or links to malware-ridden sites

Did anyone doubt that these would be the results? Thanks for your time. Let’s be good network citizens together & practice safe networking!


Jun 18 2008   5:26PM GMT

Did you see this? - Infosecurity Magazine RSS feed



Posted by: Troy Tate
Networking, forensics, Security, tools, Monitoring, web, reporting, DataCenter, WWW, IT education, CA, antivirus, digital signatures, Data security, RSS, malware, SSL, Policy, website, anti-virus, honeypot, botnet, Metrics, research, policy enforcement, awareness

Infosecurity Magazine has a very good RSS feed for keeping yourself up to date on events, issues and technologies. Check it out!


May 31 2008   2:28AM GMT

Did you see this? - Noticebored - Infosec Awareness Education



Posted by: Troy Tate
forensics, Security, Monitoring, IT education, antivirus, Data security, malware, wiki, Policy, blogging, humor, anti-virus, honeypot, botnet, online identity, Metrics, honeynet, research, policy enforcement, awareness

Noticebored is a great resource for information security awareness. The blogs are timely and cover a broad spectrum of topics within this important subject.

Thanks for your time. Let’s be good network citizens together & practice safe networking!


May 23 2008   7:58PM GMT

Did you see this? - Security Primer for the non-technical



Posted by: Troy Tate
Security, tools, Monitoring, IT education, antivirus, Data security, malware, Policy, anti-virus, botnet, online identity, policy enforcement, awareness

This is a shout-out to fellow blogger Martin McKeay. His Security Primer for the non-technical is a blog worth sharing with friends, family and co-workers. Hence, I am sharing this with you today.

His first paragraph is a simple read and leads to a lot of valuable information:

The Internet is a dangerous place. When your (sic) connected to it, you need to make sure to protect yourself from it. Right now there are several very active worms out there, crippling systems around the world. Here are some basic steps you can take to protect yourself from the Internet.

Thanks for your time. Let’s be good network citizens together & practice safe networking!