March 27, 2011

It's about time we turned the tables on attackers by doing what we should have done long ago: making the data UNAVAILABLE to them. I came up with this approach a while back while doing incident response.

If hostile threat actors fill up warehouses (WoW gold farming style) banging on their keyboards, interacting with the encrypted reverse shells they seeded your organization with, and filling their encrypted RAR files with your crown jewels, then you're just toast. What is needed is to segregate critical data and limit access to it to only the time periods during which the user is actually using it.

So the CNE operators basically do their job across the pond, directly opposite our time zone. Their 9-5 is our nighty-night time. Well, your organization's hosts (left on at night because they can't SUFFER a REBOOT after patching in the morning; users scream wAH) DO NOT NEED access to data when you are not logged on or are away from work.

If user data were cryptographically locked and segregated from the host machine during a certain chain of events or during predetermined time periods, then it wouldn't matter if half of China was on your box. They could not get access to it even if they wanted to. Additionally, I have recommended to my clients that they actually force their users to segregate all sensitive data onto removable USB encrypted hard drives that are disconnected at night. This, however, only fixes the client data issue and not the compromised credentials ripping data off of portals or share drives.

This concept combines two mitigations into one: remove the data from the host, and make it unavailable when it's not needed. The beauty of this is that it would FORCE CNE operators to lose their beauty sleep, because they would have to work during OUR business hours, not theirs. And oh, by the way, it would make them really cranky. They would have to attack our data on our boxes while we are on them and while that data is in use, making it much easier to detect anomalies, as well as allowing the highly skilled DAY SHIFTs in the SOCs to better detect and respond.

The other approach goes well with green policies and saves money. Forcing systems to shut down on logoff events would additionally remove the data from being targeted, as the machine is OFF, and save electricity to boot. The money saved can go toward the 3 million you will spend on your next APT compromise. Traditionally patch managers freak out and say this will prevent patching from being done. NO, this will prevent patching from being done when THEY want to do it. Change the game. Fuck your adversary.
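As an added illustration that is not part of the original post, here is a small Python policy engine for the two mitigations above, plus a detector for the anomalies they make visible: the encrypted container is unlocked only while the user is logged on, active and inside business hours; a logoff locks it and powers the host off; and any data access logged outside the window is flagged for the day shift. The `AccessWindow` and `SessionState` types, the `action_for_event` event names, the access-log line format and the sample log lines are all constructed for this example and do not come from any real product.

```python
# Added example (not from the original post): a policy engine for keeping user data
# locked outside its use window, plus a detector for off-hours access.
from dataclasses import dataclass
from datetime import datetime, time, timedelta
import re


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2011-03-25T10:12:03' (local time assumed)."""
    return datetime.fromisoformat(iso)


@dataclass(frozen=True)
class AccessWindow:
    """Local business hours during which a user's data may be unlocked (hypothetical type)."""
    start: time
    end: time
    weekdays: frozenset = frozenset(range(5))  # Monday..Friday

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass
class SessionState:
    """What a host agent knows about the interactive session (hypothetical type)."""
    logged_on: bool
    last_activity: datetime


BUSINESS_HOURS = AccessWindow(time(8, 0), time(18, 0))


def data_should_be_unlocked(window, session, now, idle_timeout=timedelta(minutes=30)):
    """Unlock the encrypted container only while all three hold: inside the window,
    user logged on, and the user has been active within idle_timeout."""
    return (window.contains(now)
            and session.logged_on
            and now - session.last_activity <= idle_timeout)


def action_for_event(event, window, session, now):
    """Map a session event to what the host agent should do with the container.

    logoff -> lock the container and power the machine off (the post's shutdown-on-logoff)
    logon  -> unlock only inside the window, otherwise keep it locked
    tick   -> periodic re-check: lock when the window closes or the user goes idle
    """
    if event == "logoff":
        return "lock+shutdown"
    if event == "logon":
        return "unlock" if window.contains(now) else "keep-locked"
    if event == "tick":
        return "unlock" if data_should_be_unlocked(window, session, now) else "lock"
    raise ValueError(f"unknown session event {event!r}")


# Constructed line format for a file-server access log (not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) action=(?P<action>\S+) path=(?P<path>.+)$"
)


def flag_off_hours_access(log_lines, window):
    """Return (timestamp, user, path) for every parsable access outside the window.
    With data locked outside the window, any such access is an anomaly worth a SOC look."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparsable line: skip rather than crash the detector
        if not window.contains(at(m["ts"])):
            flagged.append((m["ts"], m["user"], m["path"]))
    return flagged


# Constructed sample log lines (2011-03-25 is a Friday, 2011-03-26 a Saturday).
SAMPLE_LOG = [
    r"2011-03-25T10:12:03 user=jdoe host=WS17 action=read path=\\fs01\finance\q1-forecast.xlsx",
    r"2011-03-25T02:41:57 user=jdoe host=WS17 action=read path=\\fs01\finance\q1-forecast.xlsx",
    r"2011-03-26T14:05:10 user=jdoe host=WS17 action=read path=\\fs01\hr\salaries.xlsx",
    r"2011-03-25T23:59:00 user=svc-backup host=BK01 action=read path=\\fs01\finance\q1-forecast.xlsx",
    "garbage line that the parser must tolerate",
]


if __name__ == "__main__":
    for ts, user, path in flag_off_hours_access(SAMPLE_LOG, BUSINESS_HOURS):
        print(f"off-hours access: {ts} {user} {path}")
```

The three flagged lines are exactly the accesses the post wants to make impossible: a 02:41 read on a weekday, a Saturday read, and a service account pulling the same file at 23:59. The idle timeout in `data_should_be_unlocked` is the piece that also covers the "logged on but away from the desk" case, which a pure business-hours check would miss.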

It makes sense to me and it should make sense to you too. Vendors / entrepreneurs, get on it. CISOs, get educated: you're getting robbed blind. Think unconventional and protect yourselves.

So here is a little experiment. I am going to run a monthly posting contest. The purpose is to allow malware authors to hype their baddest ass skills and techniques as compared to some of the most insidious examples the research community has been dealing with.
Winners will receive the dubious title of BADDEST ass code that does the BADDEST ass things. Oh yeah, and the right to be represented by this avatar.


There will be a chumpy award as well for code that thinks it's bad ass enough to be ranked as the best but really is "old, tired and busted", using stale and well-known techniques.

They will get represented with this little digital homage.

So here are the categories for assessing who the baddest should be.

  • Best hiding techniques (files, registry, process listing):
  • Best network or file based steganography techniques:
  • Best innovative and destructive capabilities:
  • Most kleptoKrazy information stealing capabilities:
  • Most innovative functions: if you mention opening the CD drive bay door you get DDoS'ed automagically:
  • Most enriching social engineering techniques: sorry, Bernie Madoff has the record, so this is automatic second place:
  • Most elegant code / resiliency against detection:
  • Best polymorphic, metamorphic illusionist techniques:
  • Best code protection for code and logic integrity vs. debugging, tracing, dumping:
  • Innovative and secure use of encryption (if you submit xor/rot/base64/rc4 or any other weak ass shit, you get your remote files automatically encrypted with AES-256 and the secret key securely deleted from memory and the entire file system. That's after the secret key is encrypted, of course.):
  • Best and most evil undetectable embedded attacks against third party file types, i.e. Office, Flash, PDF, CHM, etcetera:
  • Baddest and most comprehensive web page example with close to every drive-by exploit out there:
  • Most disruptive piece of code:
  • VISTA pwnage (most code only owns XP): start evolving and compromise Vista systems if you have the balls. Special points for getting around Vista security, specifically the 64-bit hardware DEP feature enabled in the BIOS.
  • Implementation of malicious VMs as an obfuscation technique or as the payload itself, putting the target into the matrix without his knowing.

Requirements for submission are as follows:

  • Name of the malware: self-named, or just plain found somewhere.
  • Why it deserves inclusion in the baddest ass hall of malware fame from a technique standpoint.
  • Description of its capabilities and its closest variants, if any.
  • And for the do-gooders: who and what is to blame for this glaring technique, and what can be done about it.
  • And oh yeah, is it able to fully exploit and run on a base build of Microsoft Vista SP1/SP2 out of the box?

Several CODE samples to compare your submission against for innovativeness and complexity:

Kraken, Storm, Conficker, Waledac, Rustock, Asprox, Pinch, Zeus, Bancos, Coreflood, Tigger/Syzoor

Participation by the research community and by security vendors that might have the balls to discuss will get mad props for actually supporting research.

WELL, let the games begin:

Awards and ranking will be from 1 to 10. If I'm impressed I will PayPal monetary goodness, maybe, possibly, if I actually feel something in my pants after reading.



Ultimate Phish

December 31, 2008

So some Dutch guys figured out how to create trusted certificates, using MD5 collisions, that can pose as e-commerce site certs. Pretty awesome research. Shame on the root CAs for using MD5 in the first place. I would suspect that the browser makers will update or disable the root CA certs in their browsers for the offenders until such time as they can issue at least SHA-1 based certs. Pretty awesome research if I do say so myself. Oh yeah, they generated the collisions using a whole room full of PS3 processors.


So with everyone losing their laptops or getting them stolen, every organization under the sun is evaluating Data At Rest encryption, typically AES if you're smart, using Data Loss Prevention products. Basically it encrypts the entire hard drive, not just volumes, folders and files like other products. Well, basically rip the encryption key right out of physical memory, then mount the hard drive and decrypt the data so it can all be stolen. Wonderful. Of course these products should use multi-factor biometric and smart card based authentication at the preboot level, which could conceivably prevent this, MAYBE. I'm investigating... McAfee SafeBoot here I come! If you want to read up more on it and try out the code check out the


