Private: The True Origins of Malware DNA

February 14, 2011

Here is the link to my original presentation.

Here are my prior postings on the concept of Malware DNA:

Post 1 Post 2 Post 3 Post 4 Post 5 Post 6 Post 7

The rest has been redacted due to a DMCA complaint filed to have the information removed.


We received a valid DMCA Notice ( ) for the following material found on your blog:

If you do not have the legal rights to distribute the file/content/material, you are required to delete the post(s) and let us know when this has been done. The removal will then be verified, and the blog will be returned to normal.

Republishing the content without permission of its copyright holder – or continuing to publish material that results in DMCA notices – will result in a permanent blog suspension. Publishing such material is a direct violation of our Terms of Service ( ).

If you wish to formally challenge this DMCA notice, we will be happy to provide you with the details you need.


> The information has been removed, thanks for your quick response. If
> possible, could you please set the post to public and re-enable my posting
> abilities.

You are now able to access your dashboard and edit the postings as usual.

> Additionally, do I have the right to be given the information on who
> submitted the complaint and the reason for concern?  The content I posted
> was copied from open Internet resources that can be found in multiple
> places.

Yes, you absolutely have that right. Here is the DMCA notice that we received:


> > This law firm represents HBGary, Inc. One of the websites you are hosting,
> >  is
> > being used to distribute confidential trade secrets and copyrighted works that have been misappropriated from HBGary as part of a well-publicized criminal intrusion into their network. The stolen works and trade secrets at issue consist of emails posted as images and a link providing access to a database containing additional stolen email hosted on .
> >
> > In accordance with the DMCA notice requirements, we have a good faith belief that use of the copyrighted materials described above as allegedly infringing is not authorized by HBGary, its agents, or the law. I swear, under
> > penalty of perjury, that the information in the notification is accurate and that I am authorized to act on behalf of HBGary, Inc., the rightful copyright holder.
> >
> > We trust that Layered Technologies does not support the use of its servers to facilitate misappropriation of trade secrets and copyright infringement and that you are committed to prohibiting this unlawful activity as part of your Terms of Service. Accordingly, we request your assistance in immediately taking down this site and preserving any logs or account information you may have associated with this site. Please let me know as soon as possible once you have received this message. I may be reached at the email address above. Thank you in advance for your prompt cooperation.
> >
> > Sincerely yours,
> >
> > Leota Bates
> >
> > Leota L. Bates
> > Zwillinger Genetski LLP
> > 1705 N. Street, NW
> > Washington, D.C. 20036
> >
> > (202) 706-5209 (direct)
> > (202) 296-3585 (main office)
> >
> >



ATTN: Leota L. Bates

I would like to request that your client substantiate that they have existing and relevant established Prior Art on the concept of Malware DNA, as stated by them, based on their collaborative work with McAfee dating back to 2006.  The recent incidents involving HBGary's loss of intellectual capital, while unfortunate, give credible credence that the aforementioned verbal affirmations that they had established prior work in this field before Sept 2008 remain unsubstantiated and open to considerable doubt, and cloud all previous communications on this subject with suspicion.  I acknowledge that in the field of technical development and research there are legitimate independent parallel discoveries and innovations, and it is this issue I am trying to verify.  Proof of your client's previous work substantiating claims that they indeed worked on the Malware DNA concept, and not some unrelated technical research area in malware, would put these issues to rest.  I respectfully request that your client clear the air on this issue so that they may continue to reconstitute after such a significant data breach.

It is within my right to challenge the assertions made by your client as the SOLE innovator and creator of this technology, when I have concrete knowledge that my research was shared and divulged to his company approximately 30 days before any significant developments in code were made that were integrated as a key component in their flagship product.  The statements by your client that they had developed this research completely on their own, without any outside support or funding, contradict what was verbally stated to multiple parties in their communications as well as to outside parties, and conflict with any previous statements that this research was developed as a result of a collaborative and possibly funded effort with McAfee.

I look forward to clearing the air on this issue in an open, friendly and timely fashion.

I can certainly provide a timeline of my research and examples if you would like to review them. 


One of the most destabilizing aspects of the HBGary data breach is the sheer number of malware samples, cybercrime- and APT-related, that are in there, as well as customer lists.  These customers generally buy products only after getting whacked by APT.  So gleaning through the data, there is a massive victim list, which obviously most everyone knew already; however, the fact that this is public makes it all the worse.  News will be pouring out of this archive for months.

This is a gold mine of cyber intelligence and efforts being developed behind closed doors.

My prediction: some Defense contractor will buy the IP of the company and its products at a fire sale price, and hopefully bring its true technical talent into its ranks and get rid of the executives.

Hunting for a Titan

December 4, 2010

Adobe needs to get their PDF implementation out the door PDQ.

A Russian, a Spaniard, and a Bulgarian walk into a bar……

So much press ado is being bandied about relating to the recent botnet Takedowns.  Consider these efforts baby steps if you will.

– P2P baby, will rear its ugly head again.  This is Storm RBN, out the bastards already.  Do you need me to show you where it is on GoogleMAPS?  Saint Petersburg.

– … Spanish Amateurs?  – , weak laws, SPANISH SAID so. They got out of jail and went back to recovering the dam thing and got rearrested!  Cyber Comedy ensues. 13 Million? psh. please, more like 700k.  Useful only for FBI PR and Panda marketing.  NOTE: If you're going to take the time to null route sinkhole a botnet, and you have reversed their command and control, at least give the goddam courtesy of hitting the kill switch on the way out.  For those that are not familiar, for some reason tons and tons of malware implements a KILL BOT command.  It simply deletes the bot.  If the botnet is properly reversed you should have a 99.99% chance of eliminating the bots in the entire network with a single command.  That means full massive remediation.   For the bots that are not online yet, as soon as they get online, they beacon, get the updated command and erase themselves as well.    —– OR how about this.  Every bot has an UPDATE command.  It needs to download a new copy, kill its process and restart with the new version.  Send it NOTEPAD via the update.  Voila! done.   —- OR how about this.  Send it a new version with a corrupted PE header.  Totally inoperable.  OR send it an encrypted copy of itself.  No key to decrypt, no function.  OR just corrupt the key with a binary patch.  There are countless ways.  Afraid of the DOOOMSDAY Scenario that's always bandied about?  DENIAL of service to a hospital thus killing senior citizens hooked up to Windows 98?  – First, HIGHLY HIGHLY unlikely if you reverse the code right; second, just go unattrib.  That's the beauty of the Internet.

The point is that researchers have better ways of getting right to the point and actually doing something about botnets.  Not sitting back and allowing a notification and remediation nightmare while they reap the press glory of a Depeering event (ineffective) or a coordinated DNS domain suspension/sinkholing.

- So some mysterioso took down like 20 percent of the  out there now.  Due to sheer badassness and open sourcing we will see this for a LONG time to come.   from middle America businesses and organizations via ACH fraud.  These victims don't have a clue until it's too late.  Time for legislation to put the entire financial responsibility on banks.  Then things will change.  – the thing with Zeus is that the depeered ISP / ASN reconnected to the Internet in muther loving Russia. It has already reconstituted around 50 of the C&Cs it lost.  Guys. the  lists them all right there.  Start with every one in the US and smash them out of existence.  Prove you have what it takes to coordinate law enforcement internationally and do the same with the others.  Consider it a case study in international cyber enforcement.  BTW Zeus has a command that .  It's already been used a few times.  Another actor that does not like you can wage an attack on you by infiltrating and wiping all your compromised systems.  This can be done in a targeted fashion based on Country code or other groupings due to how these advanced bots can segregate their hosts.  Don't you love GeoIP dbs?

- discovery by   Call it what it was. Zeus.  75GB of exfilled data on a server.  Not too shabby of a find.  Idiots left an open directory.  What kind of doomkoff leaves 75GB of purloined data on a box?  If you're gonna do it, do it right and take that shit off daily.  BTW Zeus goes way way back to the WSNPOEM days, and it was just as effective at stealing stuff then.  Look for the new hotness with  and .  Memory scraping. nuff said.

So what is all this rambling on about?  I am waiting for the first bot to self remediate.  That would be a Game Changer serving as a seminal event. 

- then of course they would move toward Public/Private key based command integrity methods, but that's a Case for Malware Evolution!

Mirror, Mirror on the wall..

December 19, 2008

Who's the PWNiest of them all.

For NUBs' edification, most malware is not that advanced.  The secret is to get past all the BS perimeter and host defenses to run yer code.  How do they do it?  Crazy ass  to get past all that stuff.  What do I mean? Well, a derivative of Software “Protection”: add a little poly and metamorphism and you get the picture.  Malware samples Skyrocket, Malware detection Drops through the floor, Identity theft explodes, Botnets proliferate, everyone gets the bejesus scared right out of them.

O yea, Government , , then spends billions of dollars and Classifies every scrap of information attached to Cyber it can get its hands on, making research 10 times more difficult unless you can wait the 10 years plus to get a goddam alienXFiles clearance (read SCI Full Scope Polygraph).

So to the War Weapons that allow all this to happen.  Much malware just haxors existing packer open source code and adds some polymorphism to it.  Adds a slew of anti-dump, anti-analysis, anti-sandbox, , anti-vm, anti-tracking trix, and then bundles/binds all their little nastiness into a package, then distributes based on Massive sql injection attacks if they can seed via lovely 0-day mass exploits like the latest IE7 fiasco.

I will list some of the most difficult tools to generically unpack that are giving .  Obviously malware authors are cheap, like to roll their own protections oblivious to the fact that you can purchase professional shit and get much better output, or are just plain dam lazy.  Another take is that it's so easy to bypass today’s defenses so why even bother.  I'm putting my bets on lazy and easy.

by   some .



by and

This thing is awesome, its basically malware running in its own Virtualization Engine.


 by  and - probably need to run it through babelfish if you can't read Italiano

More protectors to be added later

Fireeye is badass

December 16, 2008

This group is deep in the trenches attempting to detect and destroy botnets.  They have excellent intel and perform some great analysis.  My only beef is that they had around 450k bots tied up by awesomely preregistering its fallback domains in conjunction with getting the main RBN-like-in-the-US host provider , and then and now the botnet controllers updated their C&C to servers outside the US (it was predictable).  McColo’s operations are tracked by many but here is a  on them.

In my opinion, the fact that this host provider hosted 80 percent of the C&C’s of the most prolific spam operations in the world, which account for 90%+ of traffic, was a major fuck up for law enforcement and Intelligence.  At least from the open source reporting side.  I only hope that enough intel was gathered prior to the pressure that security researchers placed on McColo’s internet peering providers that resulted in them getting .  These guys were freaking based in San Diego.  I would expect, with the link to child porn, ID theft and the sheer amount of bad activities, that all their servers and IT equipment would currently be Boxed up by the Men in Black for forensics, and a sturdy baton courtesy once they get ahold of the owners.  Once again, we have not gotten to this level yet in our responses nationally, so people will continue to suffer.  Already traffic is back to its previous pre-takedown levels as predicted.

SO I will say this again.  MAJOR OPPORTUNITY LOSS <> MAJOR FUCKUP.  Try again next time.  I told this to an agent with the cybercrime squad from the Washington Field Office and he gave me a predictable line about “blah blah, how sometimes you don't want to take people down (inferred intelligence reasons)”.  But guys, come on, this is what is called a Center of Gravity in military terms, and you had the opportunity to drop a 2000 lb bomb and you let them fly out of jurisdiction like a fart in the wind.  This will be the last iteration before malware bots go full up P2P resilient with robust fallback mechanisms and harder to trace operations.  This will make things 10x harder.

'Course with the piss-ant sentences a botnet controller would get these days it really doesn't matter if they get caught or not.

Great but misguided efforts by the security community.

Maybe someday Security researchers will have the balls to infiltrate and neuter or destroy these bots in place.  It has not become a mainstream security response practice yet, but hopefully it will.  Everybody is scared of the gaddamn lawyers but I say fuck it.  Get an unattributable network in place and run a BlackOps operation.  Corrupt the bot's PE header, kill the process so as to keep it from running and move upon your merry way.


Post a little message saying Yer ass has just been saved.

They also have Excellent analysis on other beasts such as ,  / , and the , all of which employ tons of anti-analysis and .
