[unisog] zotob variant?

Jim Dillon Jim.Dillon at cusys.edu
Thu Oct 13 19:33:01 GMT 2005


I've had several questions, so rather than answer them all
individually...

The product being demonstrated was by Whole Security
(www.wholesecurity.com).  The Trojan they chose to use for the demo was
something called Beast.  Ugly "Back Orifice" remote control looking type
thing.  The two shareware/freeware tools used to modify malware source
code I do not recall, only that they allowed the user to choose from a
number of existing ways to modify the source w/o recompiling or doing
anything extremely difficult. In other words perfect kiddie ware.  The
simplest technique was to replace comment/text strings with a Hex
editor, but there were a number of other automated "compression" schemes
and the like.  All GUI and friendly like, even for a dumb auditor like
me.  The AV/Firewalls in use for the demo were Symantec products that
recognized the original malware, but not the one used for the attack.
The point was simple: signatures don't scale well; it is easy to modify
the signature and re-attack with the same source.  How effective the
product is, of course, is a buyer-beware issue, but I would at least give
it a sniff test.

Regards,

Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon at cusys.edu
*****************************************
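
The demo described in this message and in the quoted message below (string overwrite in a hex editor, then an automatic "compression" wrapper, with the signature scanner missing the result and the behavioural engine still catching it) can be reproduced in miniature. The following is an added example, not code from Jim, from Whole Security, or from the tools used in the demo. The "malware" blob, the `PACKED` stub marker, the XOR key and the choice of the two injection APIs as the "behaviour" are all constructed for illustration; real behavioural engines hook the API calls at run time rather than grepping the unpacked image, which the last function stands in for.

```python
import hashlib
import zlib

# Constructed stand-in for the trojan used in the demo: a byte blob carrying a
# banner string and the names of two APIs a process-injecting RAT would call.
# It is not real malware and does nothing when "run"; only its bytes matter.
ORIGINAL = (
    b"MZ" + b"\x00" * 14
    + b"[BEAST v2.0] remote control server\x00"
    + b"WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"\x90" * 32 + b"\xcc" * 32
)

# Two signature styles a classic scanner relies on, both derived from the
# original sample: a whole-file hash and a byte pattern.
SIGNATURES = {
    "sha256": hashlib.sha256(ORIGINAL).hexdigest(),
    "pattern": b"[BEAST v2.0] remote control",
}


def signature_scan(blob: bytes) -> set:
    """Names of the signatures that fire on the file as it sits on disk."""
    hits = set()
    if hashlib.sha256(blob).hexdigest() == SIGNATURES["sha256"]:
        hits.add("sha256")
    if SIGNATURES["pattern"] in blob:
        hits.add("pattern")
    return hits


def hex_edit(blob: bytes, old: bytes, new: bytes) -> bytes:
    """The 'overwrite a text string in a hex editor' trick: a same-length
    overwrite, so no offsets move and the program still works."""
    if len(old) != len(new):
        raise ValueError("a hex-editor overwrite must keep the length")
    return blob.replace(old, new)


STUB = b"PACKED\x01"        # hypothetical stub marker for the toy packer
KEY = b"\x5a\xa5\x3c"       # hypothetical fixed key for the encoding layer


def _xor(data: bytes) -> bytes:
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def pack(blob: bytes) -> bytes:
    """Toy 'compression' packer: stub + XOR-encoded, zlib-compressed body.
    None of the original bytes survive on disk, so byte patterns cannot match."""
    return STUB + _xor(zlib.compress(blob, 9))


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time, which is also what a sandbox or a
    behavioural monitor gets to observe."""
    if not blob.startswith(STUB):
        return blob
    return zlib.decompress(_xor(blob[len(STUB):]))


# The behavioural layer ignores what the file looks like on disk and looks at
# what the code does once it runs. Here "running" is the unpack step, and the
# behaviour of interest is resolving the injection API pair. Real engines hook
# the calls themselves; the string check is a stand-in for that.
INJECTION_APIS = (b"WriteProcessMemory", b"CreateRemoteThread")


def behavioural_scan(blob: bytes) -> bool:
    runtime_image = unpack(blob)
    return all(api in runtime_image for api in INJECTION_APIS)


def demo() -> dict:
    """Run both detectors over the original and the three 'variants' the demo
    produced: hex-edited strings, packed, and both."""
    edited = hex_edit(ORIGINAL, b"BEAST v2.0", b"MYAPP v1.3")
    variants = {
        "original": ORIGINAL,
        "hex-edited": edited,
        "packed": pack(ORIGINAL),
        "hex-edited+packed": pack(edited),
    }
    return {name: (sorted(signature_scan(blob)), behavioural_scan(blob))
            for name, blob in variants.items()}


if __name__ == "__main__":
    for name, (sigs, behaviour) in demo().items():
        print(f"{name:18} signatures={sigs or 'none'}  behavioural={behaviour}")
```

Only the untouched original trips either signature; a ten-character overwrite kills both the hash and the byte pattern, and the packer hides even an unmodified sample. The behavioural check is indifferent to all of it because it looks at the image after the stub has done its work, which is the same thing the vendor's engine was exploiting in the demo.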
  

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Jim Dillon
Sent: Thursday, October 13, 2005 11:31 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] zotob variant?

I saw a demonstration from a non-signature based intrusion detection
vendor just a couple weeks ago where they modified known trojans, worms,
etc., with a freeware download, by hex editing or applying automatic
"compression" algorithms to the malware, and out pops an undetectable,
working attack, all using nice Windows GUI freeware tools.  Attach the
newly undetectable "Old" Trojan to a spreadsheet, send it through the
firewall and the signature based tools don't catch it.  It took just a
few minutes to execute the demo and very real, very nasty stuff got
through just fine.  Of course the kicker was that their behavioral based
detection engines caught the changes where signature based didn't - good
sales demo, I was sold, concept wise at least.

Anyway, the opportunity to see something new (a variant) is 5 minutes
and a couple of pieces of freeware away.  I can't imagine that we aren't
all succumbing to this type of attack far more than we think.  This
vendor claimed their tool was catching 99% of the attempts they lobbed
at it - this appears a bit more scalable than signature based tools.

Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon at cusys.edu
*****************************************
 

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: Thursday, October 13, 2005 10:44 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] zotob variant?

On Thu, 13 Oct 2005 08:25:12 EDT, Gary Flynn said:

> I'm running across an unknown piece of malware almost
> once a week. More often if I look for it.

And it isn't like Gary has a *huge* pool of machines to find malware on.
If he's finding that much new stuff in his little corner of the net, one
has to wonder how much *more* stuff is to be found on the networks of some
of the larger cablemodem providers (although of course, *most* will
eventually find their way to Gary's net as well).  Though if once a week,
new stuff is dropping itself on Gary's net before the anti-floopware(*)
vendors have gotten an ID for it yet, there's something wrong....

The phrase "not scalable" comes to mind.  Or as Dr Phil says: "And how's
that working out for you?".

(*) anti-things-that-go-bump-in-the-night-ware is too long to type. ;)

_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog
