Saturday, December 19, 2009

The Botnet Helpdesk

So, you're planning on building your own botnet and, despite all the how-to videos on YouTube, you're still having problems building your botnet malware agent and getting your command & control to work the way the videos said it would. What do you do? Well, if you purchased your DIY botnet creation kit from one of the several "commercial" botnet providers, you'd contact their help-desk.

I kid you not. Several crimeware service providers go beyond 24x7 IRC and email support and now offer full online help-desks, complete with ticketing systems for tracking your "incident" and live virtual advisers.

For a full analysis of one of these botnet service providers, check out my latest blog entry over on the Damballa site: The Botnet Distribution and Helpdesk Services.

Thursday, December 17, 2009

Anti-antivirus Testing Services


If you're a professional botnet operator, the malware agents you use are critical. To guarantee successful operation of the botnet agent and avoid detection on the victim's computer, it needs to be tested before it is deployed. Today there is a growing service industry focused on providing anti-antivirus (detection evasion) testing and malware QA to cybercriminals.

I've been playing around with anti-antivirus testing services and posted a new blog entry covering Virtest.com over on the Damballa site: Malware QA and Exploit Testing Services.

Tuesday, December 8, 2009

Extracting CnC from Malware

I've been asked quite a bit about the risks and value of automatic malware analysis within the enterprise over the last few months. There are of course a lot of technologies that enterprises can purchase and deploy within their networks to take in suspicious samples and classify them as benign or malicious.

Most of these technologies use a mix of signature and behavioral engines, although there's been a greater push recently to use virtual machine/sandboxing technologies as well (or as a replacement). I'm not convinced this is such a smart idea. The tools being used to create new families and serial variants of malware tend to be more sophisticated nowadays than what's being used to thwart them at the network perimeter. In fact, practically anyone with the ability to use Google and permission to install software on a computer can download one of the many DIY malware construction kits and start generating crimeware that's guaranteed to defeat most of these commercial VM/sandboxing technologies; some kits will even enable the would-be cybercriminal to use exploits to break out of the sandbox.

Anyhow, I've pulled together a whitepaper discussing the use of such technologies in obtaining botnet command and control information, and the limitations of those technologies within the enterprise.

"Extracting CnC from Malware" is now available on the Damballa web site.
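To make the "extracting CnC" step and its main limitation concrete, here is an added example that is not from the whitepaper or from Damballa: a small post-processor for a sandbox's network log. The log format (time, protocol, action, target), the hostnames and RFC 5737 addresses, and the list of hosts a clean Windows guest talks to on its own are all constructed assumptions for illustration; a real sandbox emits richer JSON or a pcap. The point worth learning is the edge case in the second log: a sample that never generates its own traffic has not been shown to be benign, because a sandbox-aware sample simply goes quiet.

```python
"""Pull candidate C&C endpoints out of a sandbox network log.

Added example, not code from the Damballa whitepaper. The log format
(time, protocol, action, target) is a constructed, simplified one assumed
for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed log of one sample run (made-up hosts, RFC 5737 test addresses).
ACTIVE_LOG = """\
12:00:01 DNS  query   time.windows.com
12:00:01 HTTP GET     http://www.msftncsi.com/ncsi.txt
12:00:03 DNS  query   update-srv1.example-bad.net
12:00:03 TCP  connect 203.0.113.7:8080
12:00:04 HTTP POST    http://update-srv1.example-bad.net:8080/gate.php
12:00:09 HTTP POST    http://update-srv1.example-bad.net:8080/gate.php
12:00:14 HTTP POST    http://update-srv1.example-bad.net:8080/gate.php
12:00:19 IRC  join    irc.example-bad.net:6667 #botz
"""

# Constructed log of a run where the sample detected the VM and went quiet:
# only the guest OS's own background traffic appears.
QUIET_LOG = """\
12:00:01 DNS  query   time.windows.com
12:00:01 HTTP GET     http://www.msftncsi.com/ncsi.txt
"""

# Assumed allow-list: hosts a clean Windows guest contacts by itself.
BENIGN_HOSTS = {"time.windows.com", "www.msftncsi.com"}

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\s+(\S+)\s+\S+\s+(\S+)")
URL_RE = re.compile(r"^[a-z]+://([^/:]+)(?::(\d+))?")


def parse_line(line):
    """Return (seconds, proto, host, port) for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hh, mm, ss, proto, target = m.groups()
    secs = int(hh) * 3600 + int(mm) * 60 + int(ss)
    port = None
    if target.startswith(("http://", "https://")):
        u = URL_RE.match(target)
        host, port = u.group(1), u.group(2)
    elif ":" in target:
        host, port = target.rsplit(":", 1)
    else:
        host = target
    return secs, proto, host.lower(), int(port) if port else None


def beacon_interval(times, tolerance=1):
    """Seconds between contacts if they are evenly spaced, else None."""
    if len(times) < 3:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    return gaps[0] if max(gaps) - min(gaps) <= tolerance else None


def extract_cnc(log_text):
    """Rank non-benign destinations by contact count and flag beaconing.

    Returns {"candidates": [(host, port, proto, count, interval), ...],
             "verdict": str}. A run with no sample-originated traffic is
    reported as possibly evasive, never as benign.
    """
    counts, proto_of, times = Counter(), {}, defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        secs, proto, host, port = rec
        if host in BENIGN_HOSTS:
            continue
        key = (host, port)
        counts[key] += 1
        proto_of[key] = proto
        times[key].append(secs)
    if not counts:
        return {"candidates": [],
                "verdict": "no sample-originated traffic: possible sandbox "
                           "detection, do not classify as benign"}
    cands = [(h, p, proto_of[(h, p)], c, beacon_interval(times[(h, p)]))
             for (h, p), c in counts.most_common()]
    return {"candidates": cands, "verdict": "candidate C&C found"}


if __name__ == "__main__":
    for name, log in (("active", ACTIVE_LOG), ("quiet", QUIET_LOG)):
        r = extract_cnc(log)
        print(name, "->", r["verdict"])
        for host, port, proto, n, iv in r["candidates"]:
            print(f"  {proto:<4} {host}:{port}  contacts={n} beacon={iv}")
```

Run stand-alone, the active log ranks the HTTP gate at port 8080 first with a 5-second beacon, while the quiet log produces no candidates and an explicit "possible sandbox detection" verdict instead of a clean bill of health. That second branch is the check a perimeter product tends to get wrong: silence from a sample is evidence about the sandbox as much as about the sample.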

Saturday, December 5, 2009

Couple of NASA.Gov Sites Hacked

I was just browsing a few blogs this evening and saw that NASA's Instrument Systems and Technology Division and Software Engineering Division web sites were hacked and found to be vulnerable to what looks like SQL injection as well as poor access controls. There may be a few other things going on there, but the details were pretty sparse, and I wasn't really looking to start probing the sites myself to find out precisely what they're vulnerable to.

The screenshot to the left shows access to the page-editing functions of the site. NASA needs to get these sites secured as soon as possible. As it stands, any script-kiddie could walk in and start adding their favorite drive-by download exploits.

The admin credentials (35 of them) were lifted off both Web servers by "c0de.breaker".

Original posting is over at TinKode.

Note: I've been advised that these vulnerabilities have been remediated.