[unisog] zotob variant?

John Stauffacher stauffacher at chapman.edu
Thu Oct 13 21:30:20 GMT 2005


I've really always wondered why Anti-Floop (shameless..I know) vendors 
always want to "Enumerate Badness"; wouldn't it be a whole lot easier to 
enumerate the good? I'm sure the average user will have a pretty small 
"whitelist" of apps that they run, rather than the overly ambiguous 
"blacklist" of stuff that maybe they don't want to run. Seems like a 
perfect candidate for default deny and then allow based upon 
whitelisting. But that's all a pipe dream; for now we rely on policy 
tools to make sure our computers are up to date and shaky "sig"-based 
solutions, with their hourly updates.... I'd rather just write-protect 
the C drive and be done with it....

Jim Dillon wrote:

>I've had several questions, so rather than answer them all
>individually...
>
>The product being demonstrated was by Whole Security
>(www.wholesecurity.com).  The Trojan they chose to use for the demo was
>something called Beast.  Ugly "Back Orifice" remote control looking type
>thing.  The two shareware/freeware tools used to modify malware source
>code I do not recall, only that they allowed the user to choose from a
>number of existing ways to modify the source w/o recompiling or doing
>anything extremely difficult. In other words perfect kiddie ware.  The
>simplest technique was to replace comment/text strings with a Hex
>editor, but there were a number of other automated "compression" schemes
>and the like.  All GUI and friendly like, even for a dumb auditor like
>me.  The AV/Firewalls in use for the demo were Symantec products that
>recognized the original malware, but not the one used for the attack.
>The point was simple: signatures don't scale well, it is easy to modify
>the signature and re-attack with the same source.  How effective the
>product is, of course, is a buyer-beware issue, but I would at least give
>it a sniff test.
>
>Regards,
>
>Jim
>
>*****************************************
>Jim Dillon, CISA, CISSP
>IT Audit Manager, CU Internal Audit
>jim.dillon at cusys.edu
>*****************************************
>  
>
>-----Original Message-----
>From: unisog-bounces at lists.sans.org
>[mailto:unisog-bounces at lists.sans.org] On Behalf Of Jim Dillon
>Sent: Thursday, October 13, 2005 11:31 AM
>To: UNIversity Security Operations Group
>Subject: Re: [unisog] zotob variant?
>
>I saw a demonstration from a non-signature-based intrusion detection
>vendor just a couple weeks ago where they modified known trojans, worms,
>etc., with a freeware download, by hex editing or applying automatic
>"compression" algorithms to the malware, and out pops an undetectable,
>working attack, all using nice Windows GUI freeware tools.  Attach the
>newly undetectable "old" Trojan to a spreadsheet, send it through the
>firewall and the signature-based tools don't catch it.  It took just a
>few minutes to execute the demo and very real, very nasty stuff got
>through just fine.  Of course the kicker was that their behavior-based
>detection engines caught the changes where signature-based didn't - good
>sales demo, I was sold, concept-wise at least.
>
>Anyway, the opportunity to see something new (a variant) is 5 minutes
>and a couple of pieces of freeware away.  I can't imagine that we aren't
>all succumbing to this type of attack far more than we think.  This
>vendor claimed their tool was catching 99% of the attempts they lobbed
>at it - this appears a bit more scalable than signature-based tools.
>
>Jim
>
>*****************************************
>Jim Dillon, CISA, CISSP
>IT Audit Manager, CU Internal Audit
>jim.dillon at cusys.edu
>*****************************************
> 
>
>-----Original Message-----
>From: unisog-bounces at lists.sans.org
>[mailto:unisog-bounces at lists.sans.org] On Behalf Of
>Valdis.Kletnieks at vt.edu
>Sent: Thursday, October 13, 2005 10:44 AM
>To: UNIversity Security Operations Group
>Subject: Re: [unisog] zotob variant?
>
>On Thu, 13 Oct 2005 08:25:12 EDT, Gary Flynn said:
>
>>I'm running across an unknown piece of malware almost
>>once a week. More often if I look for it.
>
>And it isn't like Gary has a *huge* pool of machines to find malware on.
>If he's finding that much new stuff in his little corner of the net, one
>has to wonder how much *more* stuff is to be found on the networks of
>some of the larger cablemodem providers (although of course, *most* will
>eventually find their way to Gary's net as well).  Though if once a week,
>new stuff is dropping itself on Gary's net before the anti-floopware(*)
>vendors have gotten an ID for it yet, there's something wrong....
>
>The phrase "not scalable" comes to mind.  Or as Dr Phil says: "And how's
>that working out for you?".
>
>(*) anti-things-that-go-bump-in-the-night-ware is too long to type. ;)
>
>_______________________________________________
>unisog mailing list
>unisog at lists.sans.org
>http://www.dshield.org/mailman/listinfo/unisog
>


-- 
John Stauffacher, CISSP
Network Administrator
Chapman University
stauffacher at chapman.edu
ph: 714.628.7249
"It's amazing how much you take for granted when you already know what you are doing."
"there is no /usr/local on my C:\ drive!"
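The two points made above, as an added example that is not part of the unisog thread: Jim's demo, where a string in a known sample is hex-edited in place and the byte signature no longer matches, and John's default-deny alternative, where an allowlist of hashes never has to recognise the bad binary at all. Everything here is constructed: the "binaries" are in-memory byte strings, the signature name, allowlist, and helper functions are this example's own, and no vendor product or real malware is involved.

```python
"""Toy byte-pattern signature scanner next to a default-deny SHA-256
allowlist, run over constructed byte strings that stand in for executables.
A same-length string patch (the hex-editor trick from the demo) defeats
the signature; the allowlist keeps denying anything it has not approved,
including a legitimately updated good tool, which is the maintenance cost
of whitelisting."""
import hashlib
from typing import Dict, Optional

# Constructed stand-ins for binaries. The text is arbitrary; only the
# bytes matter to either check.
GOOD_TOOL = b"MZ\x90\x00 editor-v1 \x00 Copyright ACME \x00 payload"
BAD_TOOL = b"MZ\x90\x00 remote-shell \x00 Made by EvilCoder \x00 payload"

# "Enumerate badness": a hypothetical signature keyed on a text string
# pulled from the bad sample, the way the demo in the thread describes.
SIGNATURES: Dict[str, bytes] = {"toy-RAT": b"Made by EvilCoder"}


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# "Enumerate goodness": the hash of every binary that has been approved.
ALLOWLIST = {sha256_hex(GOOD_TOOL)}


def signature_scan(blob: bytes) -> Optional[str]:
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in blob:
            return name
    return None


def allowlist_decision(blob: bytes) -> str:
    """Default deny: only a hash on the allowlist may run."""
    return "allow" if sha256_hex(blob) in ALLOWLIST else "deny"


def hex_edit(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate the hex-editor trick: overwrite a string in place without
    changing the file size, so nothing has to be recompiled."""
    if len(old) != len(new):
        raise ValueError("in-place patch must keep the same length")
    if old not in blob:
        raise ValueError("pattern not present in blob")
    return blob.replace(old, new, 1)


def evaluate(blob: bytes) -> Dict[str, Optional[str]]:
    """Run both checks so the verdicts can be compared side by side."""
    return {"signature": signature_scan(blob),
            "allowlist": allowlist_decision(blob)}


# The "variant": identical code, one character of one string changed.
VARIANT = hex_edit(BAD_TOOL, b"Made by EvilCoder", b"Made by EvilCoded")
# A routine update to the good tool, equally unknown to the allowlist.
GOOD_TOOL_V2 = hex_edit(GOOD_TOOL, b"editor-v1", b"editor-v2")

if __name__ == "__main__":
    for label, blob in [("original", BAD_TOOL), ("variant", VARIANT),
                        ("good v1", GOOD_TOOL), ("good v2", GOOD_TOOL_V2)]:
        print(f"{label:9s} {evaluate(blob)}")
```

Running it shows the variant slipping past the signature while both bad binaries are denied by the allowlist; the last line is the caveat a practitioner will hit in production, since every patched or rebuilt good tool is also denied until someone adds its new hash, which is the operational reason default deny is harder to live with than it looks.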
