Good grief!

Having just caught up on some of the conference “Source Boston”, I can’t help but call out some of the musings of Andrew Jaquith. A more technical abstract can be read in the Code Project article by Jeffrey Walton (pay special attention to Robin Hood and Friar Tuck). If anybody doubts the current trend of sophistication in malware, I’m sure it is somebody who is currently penetrated. I’ve had the opportunity over the years to devote specific analysis on occasion to MAL code and its impact on the enterprise, and I know FOR SURE the level of sophistication is on the rise. One thing I had to deal with recently: the capabilities of most desktop OSs are now so advanced that the majority of the functionality MAL code wants is already pre-deployed. Unfortunately that paves the way for configuration viruses, which remain undetected because all they are is an elaborate set of configuration settings. You can imagine: a configuration virus has the entire ability of your OS at its disposal, any VPN/IPSEC, self-(un)healing, remote administration, etc. The issue is then how you determine whether that configuration is of MAL intent; it is surely there for a reason and valid in many deployments. The harm only begins to affect a host once it is connected to a larger entity/botnet. Some random points to add, hard learned through experience:

  • Use a native execution environment
    • VMWare prevents the load or typical operation of many MAL code variants.
      • I guess VM vendors have a big win here for a while, until the majority of targets are VM hosts.
  • Have an easily duplicated disk strategy
    • Mac systems are great for forensics: target disk mode and ubiquitous FireWire allow for live memory dumps and easy off-line disk analysis (without a drive carrier).
    • I’m planning a hash-tree based system to provision arbitrarily sized block checksums of clean/good files, useful for diff’ing out the noise on an arbitrary medium (memory, disk, flash).
  • Install a Chinese translator locally
    • As you browse Chinese hack sites (I think all Russian sites are so quiet these days because they are financially driven, while the Chinese are currently motivated by nationalism), you need to translate locally. Using a .com translation service is detected and false content is rendered; translate locally to avoid that problem.
      • Also, keep notes on lingo; there are no translation-hack dictionaries yet. (I guess “code pigeon” refers to a homing pigeon; naturally “horse/wood code” is a Trojan.)
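As an added illustration of the hash-tree idea in the list above (example code written here, not from the original post or any system its author built), this Python sketch hashes a medium in fixed-size blocks, folds the block hashes into a Merkle root for a quick “nothing changed” check, and otherwise reports which blocks of a captured image match no known-good block. The block size and the two sample images are constructed.

```python
import hashlib

BLOCK_SIZE = 4096  # constructed choice; match it to the medium's sector or page size in practice


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Leaf layer: one SHA-256 per fixed-size block (the last block may be short)."""
    return [hashlib.sha256(data[i:i + block_size]).digest()
            for i in range(0, len(data), block_size)]


def merkle_root(leaves: list) -> bytes:
    """Fold leaf hashes pairwise up to a single root; an odd tail is carried up unpaired."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    level = leaves
    while len(level) > 1:
        nxt = [hashlib.sha256(level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]


def diff_against_baseline(baseline: bytes, captured: bytes,
                          block_size: int = BLOCK_SIZE) -> list:
    """Indices of blocks in `captured` whose hash matches no block of `baseline`.

    Matching is position-independent: a known-good file block is "noise" wherever
    it lands on the medium. Equal Merkle roots short-circuit the whole comparison.
    """
    base_leaves = block_hashes(baseline, block_size)
    cap_leaves = block_hashes(captured, block_size)
    if merkle_root(base_leaves) == merkle_root(cap_leaves):
        return []
    known_good = set(base_leaves)
    return [i for i, h in enumerate(cap_leaves) if h not in known_good]


def demo_diff() -> list:
    """Constructed sample: a 16 KiB clean image (4 blocks) versus a tampered capture."""
    clean = bytes(range(256)) * 64          # constructed clean image, 4 identical blocks
    tampered = bytearray(clean)
    tampered[4096 * 2 + 10] = 0xFF          # constructed: one byte flipped inside block 2
    tampered += b"\x90" * 100               # constructed: an unknown short block appended as block 4
    return diff_against_baseline(clean, bytes(tampered))  # returns [2, 4]


if __name__ == "__main__":
    print("blocks not explained by the baseline:", demo_diff())
```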

Unfortunately, part of the attacker advantage is the relatively uncoordinated fashion in which defenders operate; not being able to trust or vet your allies to compare notes can be a real pain. One interesting aspect of a MAL system recently analyzed was that it had no persistent signature. Its net force mobility was so complete that the totality of its functionality could shift boot-to-boot; so long as it compromised a boot-up driver it would rise again. The exalted C. Brown put it best: “Good grief!”

http://www.codeproject.com/KB/cpp/VirusProtect.aspx
http://www.sourceboston.com/blog/?p=25

11 Comments »

  1. […] blog got from images.google.com after Shane included a picture of the great Charlie Brown in his “Good Grief!” post…but I […]

  2. I wanted to thank you for this very good read! I absolutely enjoyed every bit of it. I have you saved as a favorite to look at new things you post…

  3. My brother suggested I might like this blog. He was totally right. This post truly made my day. You cannot imagine just how much time I had spent looking for this info! Thanks!

  4. When I originally commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get three emails with the same comment. Is there any way you can remove me from that service? Thank you!

  6. Hi there, it’s me, I am also visiting this site on a regular basis; this web page is in fact good and the people are truly sharing good thoughts.

  7. I drop a response when I especially enjoy a post on a website or if I have something valuable to contribute to the discussion. Usually it’s a result of the fire displayed in the post I read. And after this article, Good grief! | System of Systems, I was moved enough to leave a response 🙂 I actually do have a couple of questions for you if it’s all right. Is it just me or do a few of the comments come across as if they are left by brain dead folks? 😛 And, if you are writing in other places, I would like to keep up with you. Would you list all of your social pages like your Twitter feed, Facebook page or LinkedIn profile?

  8. This is my first time paying a quick visit here and I am actually happy to read it all in a single place.

  9. I do believe all the concepts you have offered in your post. They are very convincing and can definitely work. Still, the posts are very quick for beginners. Could you please prolong them a bit next time? Thank you for the post.

  10. site said

    Heya, I’m here for the first time. I came across this board and I find it really helpful & it helped me out a lot. I’m hoping to give something back and help others like you helped me.

