[unisog] zotob variant?

Wyman Miles wm63 at cornell.edu
Fri Oct 14 12:50:46 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NIST has a project called, variously, the National Software Reference 
Library that seeks to enumerate via MD5 and SHA1 hashes known commercial 
software.

I wrote something to index their hash distributions (around 4 CDs worth -- 
~10 million unique hashes), then compare a typical system to the references.

Owing as much to the magnitude of the project as the frequency of the 
updates (quarterly), a fresh, vanilla Windows XP install typically has a 
50% "unknown" rate.  That drops to the low 30s on a normal system.  And 
that's just OS and applications.  The technique is worthless with user 
data.  The 30% figure jibes well with NIST's own presentations on the 
subject.  Performance, as you might expect, isn't so hot.

What it does offer, however, is a way to sieve through a typical machine 
and reduce the number of things to check for badness.

The best success I've had catching new things or well-hidden things has 
been with decent heuristics-based scanners like BitDefender.  Couple that 
with an implicit mistrust of executable packers and you're in OK shape.

On the wire?  It's *all* user data on the wire.  I don't see how a 
reference library of known-good would help a network IDS, even neglecting 
the performance issue.



- --On Thursday, October 13, 2005 2:30 PM -0700 John Stauffacher 
<stauffacher at chapman.edu> wrote:

> I've really always wondered why Anti-Floop (shameless.. I know) vendors
> always want to "Enumerate Badness". Wouldn't it be a whole lot easier to
> enumerate the good? I'm sure the avg user will have a pretty small
> "whitelist" of apps that they run, rather than the overly ambiguous
> "blacklist" of stuff that maybe they don't want to run. Seems like a
> perfect candidate for default deny and then allow based upon
> whitelisting. But that's all a pipe dream; for now we rely on policy tools
> to make sure our computers are up to date and shaky "sig" based
> solutions, with their hourly updates.... I'd rather just write-protect the
> C drive and be done with it....
>
> Jim Dillon wrote:
>
>> I've had several questions, so rather than answer them all
>> individually...
>>
>> The product being demonstrated was by Whole Security
>> (www.wholesecurity.com).  The Trojan they chose to use for the demo was
>> something called Beast.  Ugly "Back Orifice" remote control looking type
>> thing.  The two shareware/freeware tools used to modify malware source
>> code I do not recall, only that they allowed the user to choose from a
>> number of existing ways to modify the source w/o recompiling or doing
>> anything extremely difficult. In other words perfect kiddie ware.  The
>> simplest technique was to replace comment/text strings with a Hex
>> editor, but there were a number of other automated "compression" schemes
>> and the like.  All GUI and friendly like, even for a dumb auditor like
>> me.  The AV/Firewalls in use for the demo were Symantec products that
>> recognized the original malware, but not the one used for the attack.
>> The point was simple: signatures don't scale well; it is easy to modify
>> the signature and re-attack with the same source.  How effective the
>> product is, of course, is a buyer-beware issue, but I would at least give
>> it a sniff test.
>>
>> Regards,
>>
>> Jim
>>
>> *****************************************
>> Jim Dillon, CISA, CISSP
>> IT Audit Manager, CU Internal Audit
>> jim.dillon at cusys.edu
>> *****************************************
>>
>>
>> -----Original Message-----
>> From: unisog-bounces at lists.sans.org
>> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Jim Dillon
>> Sent: Thursday, October 13, 2005 11:31 AM
>> To: UNIversity Security Operations Group
>> Subject: Re: [unisog] zotob variant?
>>
>> I saw a demonstration from a non-signature based intrusion detection
>> vendor just a couple weeks ago where they modified known trojans, worms,
>> etc., with a freeware download, by hex editing or applying automatic
>> "compression" algorithms to the malware, and out pops an undetectable,
>> working attack, all using nice Windows GUI freeware tools.  Attach the
>> newly undetectable "Old" Trojan to a spreadsheet, send it through the
>> firewall and the signature based tools don't catch it.  It took just a
>> few minutes to execute the demo and very real, very nasty stuff got
>> through just fine.  Of course the kicker was that their behavioral based
>> detection engines caught the changes where signature based didn't - good
>> sales demo, I was sold, concept wise at least.
>>
>> Anyway, the opportunity to see something new (a variant) is 5 minutes
>> and a couple of pieces of freeware away.  I can't imagine that we aren't
>> all succumbing to this type of attack far more than we think.  This
>> vendor claimed their tool was catching 99% of the attempts they lobbed
>> at it - this appears a bit more scalable than signature based tools.
>>
>> Jim
>>
>> *****************************************
>> Jim Dillon, CISA, CISSP
>> IT Audit Manager, CU Internal Audit
>> jim.dillon at cusys.edu
>> *****************************************
>>
>>
>> -----Original Message-----
>> From: unisog-bounces at lists.sans.org
>> [mailto:unisog-bounces at lists.sans.org] On Behalf Of
>> Valdis.Kletnieks at vt.edu
>> Sent: Thursday, October 13, 2005 10:44 AM
>> To: UNIversity Security Operations Group
>> Subject: Re: [unisog] zotob variant?
>>
>> On Thu, 13 Oct 2005 08:25:12 EDT, Gary Flynn said:
>>
>>> I'm running across an unknown piece of malware almost
>>> once a week. More often if I look for it.
>>
>> And it isn't like Gary has a *huge* pool of machines to find malware on.
>> If he's finding that much new stuff in his little corner of the net, one
>> has to wonder how much *more* stuff is to be found on the networks of
>> some of the larger cablemodem providers (although of course, *most* will
>> eventually find their way to Gary's net as well).  Though if once a week,
>> new stuff is dropping itself on Gary's net before the anti-floopware(*)
>> vendors have gotten an ID for it yet, there's something wrong....
>>
>> The phrase "not scalable" comes to mind.  Or as Dr Phil says: "And how's
>> that working out for you?".
>>
>> (*) anti-things-that-go-bump-in-the-night-ware is too long to type. ;)
>>
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.sans.org
>> http://www.dshield.org/mailman/listinfo/unisog
>>
>>
>
>
> --
> John Stauffacher, CISSP
> Network Administrator
> Chapman University
> stauffacher at chapman.edu
> ph: 714.628.7249
> "It's amazing how much you take for granted when you already know what
> you are doing."
> "there is no /usr/local on my C:\ drive!"
>



Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
-----BEGIN PGP SIGNATURE-----
Version: Mulberry PGP Plugin v3.0
Comment: processed by Mulberry PGP Plugin

iQA/AwUBQ0+ppsRE6QfTb3V0EQJzzACgxd2vAQ+q15c+OLUsHOtUOmWQDa4Anis9
zdcRqgHs/FgqQZdf1vhaNLXL
=wQ3F
-----END PGP SIGNATURE-----
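
An added example of the sieve Wyman describes above (index a hash distribution, hash every file on a machine, separate known from unknown). This is illustration code written for this archive page, not Wyman's tool and not anything published by NIST. The CSV layout (sha1,md5,filename), the file bodies, the directory it scans and the 7.0 bits/byte entropy threshold used to flag unknown "MZ" files as possibly packed are all constructed assumptions; the real NSRL distribution format is larger and different, and the packer heuristic is a crude stand-in for the "implicit mistrust of executable packers" the message mentions.

```python
import csv
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed "known good" file bodies (hypothetical; not real product files).
# The reference hashes are derived from these so the demo is self-contained.
KNOWN_BODIES = {
    "notepad.exe": b"MZ" + b"\x00" * 64 + b"constructed stand-in for a known editor binary",
    "kernel32.dll": b"MZ" + b"\x00" * 64 + b"constructed stand-in for a known system library",
    "readme.txt": b"This text file ships with the product.\n",
}


def reference_lines():
    """Emit CSV lines in the shape sha1,md5,filename (a simplified layout
    assumed for this example, not the real NSRL distribution format)."""
    return [
        f"{hashlib.sha1(body).hexdigest()},{hashlib.md5(body).hexdigest()},{name}"
        for name, body in KNOWN_BODIES.items()
    ]


def load_reference(lines):
    """Index a hash distribution into one set so a lookup by either digest is O(1).
    With ~10 million records a set of hex strings is memory-hungry; a real
    deployment would store raw digest bytes or use an on-disk index."""
    ref = set()
    for row in csv.reader(lines):
        ref.add(row[0].strip().lower())  # SHA-1 column
        ref.add(row[1].strip().lower())  # MD5 column
    return ref


def hash_file(path):
    """Return (md5, sha1) hex digests, reading the file in 64 KiB chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def shannon_entropy(data):
    """Bits per byte: 0.0 for an empty buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_tree(root, reference, entropy_threshold=7.0):
    """Hash every file under root and sieve it against the reference set.
    Unknown files that start with the 'MZ' DOS header and whose entropy is
    at or above the threshold are flagged as suspicious: a crude packed-
    executable heuristic (the threshold is an assumed value)."""
    result = {"known": [], "unknown": [], "suspicious": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            md5, sha1 = hash_file(path)
            if sha1 in reference or md5 in reference:
                result["known"].append(name)
                continue
            result["unknown"].append(name)
            with open(path, "rb") as f:
                data = f.read()
            if data[:2] == b"MZ" and shannon_entropy(data) >= entropy_threshold:
                result["suspicious"].append(name)
    total = len(result["known"]) + len(result["unknown"])
    result["unknown_rate"] = len(result["unknown"]) / total if total else 0.0
    return result


def build_demo_tree():
    """Write a constructed directory: the three known files, one unknown
    low-entropy user file, and one unknown high-entropy 'MZ' file."""
    root = tempfile.mkdtemp(prefix="nsrl-demo-")
    bodies = dict(KNOWN_BODIES)
    bodies["notes.txt"] = b"meeting notes, user data, never in any reference set\n" * 8
    # Every byte value appears equally often, so entropy is ~8 bits/byte,
    # mimicking a compressed/packed image (constructed, not a real packer).
    bodies["packed.exe"] = b"MZ" + bytes(range(256)) * 8
    for name, body in bodies.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    report = classify_tree(demo_root, load_reference(reference_lines()))
    print(f"known={len(report['known'])} unknown={len(report['unknown'])} "
          f"unknown_rate={report['unknown_rate']:.0%} suspicious={report['suspicious']}")
```

On the constructed tree this reports two unknowns out of five files (a 40% unknown rate, in the same ballpark as the figures quoted in the message) and flags only the high-entropy "MZ" file, leaving the plain-text user file as unknown but uninteresting, which is the point of the sieve: it shrinks the pile to look at rather than pronouncing anything good or bad.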
