[unisog] zotob variant?

Jim Dillon Jim.Dillon at cusys.edu
Thu Oct 13 17:31:28 GMT 2005

I saw a demonstration from a non-signature based intrusion detection
vendor just a couple weeks ago where they modified known trojans, worms,
etc., with a freeware download, by hex editing or applying automatic
"compression" algorithms to the malware, and out pops an undetectable,
working attack, all using nice Windows GUI freeware tools.  Attach the
newly undetectable "Old" Trojan to a spreadsheet, send it through the
firewall and the signature based tools don't catch it.  It took just a
few minutes to execute the demo and very real, very nasty stuff got
through just fine.  Of course the kicker was that their behavioral based
detection engines caught the changes where signature based didn't - good
sales demo, I was sold, concept wise at least.

Anyway, the opportunity to see something new (a variant) is 5 minutes
and a couple of pieces of freeware away.  I can't imagine that we aren't
all succumbing to this type of attack far more than we think.  This
vendor claimed their tool was catching 99% of the attempts they lobbed
at it - this appears a bit more scalable than signature based tools.


Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon at cusys.edu

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: Thursday, October 13, 2005 10:44 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] zotob variant?

On Thu, 13 Oct 2005 08:25:12 EDT, Gary Flynn said:

> I'm running across an unknown piece of malware almost
> once a week. More often if I look for it.

And it isn't like Gary has a *huge* pool of machines to find malware on.
If he's finding that much new stuff in his little corner of the net, one
has to wonder how much *more* stuff is to be found on the networks of
of the larger cablemodem providers (although of course, *most* will
find their way to Gary's net as well).  Though if once a week, new stuff
dropping itself on Gary's net before the anti-floopware(*) vendors have
an ID for it yet, there's something wrong....

The phrase "not scalable" comes to mind.  Or as Dr Phil says: "And how's
working out for you?".

(*) anti-things-that-go-bump-in-the-night-ware is too long to type. ;)

More information about the unisog mailing list