Thursday, August 18, 2011

Two files with the same name!

Question: Can you create two files with the same name in a Windows directory?


Answer:

http://blogs.technet.com/b/mmpc/archive/2011/08/10/can-we-believe-our-eyes.aspx

Not sure how many of you remember the right to left override trick that was found a few months back. Here is another play on that type of bypass. Very interesting.








Tuesday, August 16, 2011

To APT or not?

McAfee recently discovered a widespread series of exploits that they are calling Operation Shady Rat (http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat). This exploit compromised 72 companies around the world and seemed to lead back to China. McAfee concluded that this attack was an Advanced Persistant Threat or APT, other security Vendors such as Sophos claimed that this attack was not an APT becuase the malware was not sophisticated. As a result, I wanted to take the time to discuss this type of attack and get away from some of the marketing terms.

What is an APT? APT is the term used to describe an attack carried out over a fairly significant time, that is meant to gain a foothold deep into an organization's systems, staying in the network for a long period of time undetected, usually with the goal of collecting intelligence information such as troop movements in the case of an attack carried out against the government or intellectual property in the case of an atack carried out against a corporation. The main difference between an attacker that is considered an APT is that they are persistent and have resources such as a government or major corporation backing them.

Second, an APT is not a piece of malware, even though some seurity vendors would have you believe that for the sake of selling a product. For example FireEye claims they can stop APT's (http://www.fireeye.com/products-and-solutions/), really? Don't ge me wrong, I love the FireEye malware analysis product and I am not just picking on them as there are several others that advertise the same, but really do you expect me to believe you can shutdown hackers backed by a large government or the Russian Mafia on all attack vectors? Now, yes you maybe able to find the malware that is being planted, but that is only one part of the attack and even if you stop that piece of malware, the attackers will be back, they are persistent after all.

Ultimately what I want get across here is that, an APT is the attack as a whole, including; the attackers, the attackers' motives, and the methods used to compromise the network (it could be malware, or maybe a misconfigured server, etc.). An APT attack could be carried out by a group of attackers using something as old as Back Orifice, or by using no malware at all. To protect against APT's you, will need mroe than a product that claims to protect against APT's, you will need multiple products and you will also need people analyizing logs and network behavior for things that your tools missed.


NoVAH Hackers Talk

I would like to thank everyone at NoVAH hackers for having me tonight. I had a great time and learned some good things.

For those who couldn't make it, or those that were there and want the slides, I am adding them here. If you have any questions, don't hesitate to ask. I have some good links coming this week as well. Stay tuned.

Also guys, don't forget, if you want us to analyze a sample and post the steps, send it on! We generally try to find samples that are good learning samples. I have one that I'm sitting on now, but that's for another talk. I will release it then :)

Get the talk here: Curt NoVAH Talk 8-15-2011


Thursday, August 11, 2011

SANS Malware Analysis Challenge

I am working on a talk to present at NoVA Hackers August meeting. I will be posting the slides and a link to the video on the blog once the talk is complete. The subject is on how to utilize Indicators of Compromise (IOCs) found during malware analysis to find and fix infected machines and to protect others. If you are in the NoVA area stop by and check it out. The details can be found here:

http://novahackers.blogspot.com/

In the mean time, to keep your malware analysis learning going, check out the latest SANS Malware Analysis Challenge.

http://computer-forensics.sans.org/blog/2011/08/10/malware-analysis-challenge-to-strengthen-your-skills