So the BBC did something pretty interesting.  They actually rented a botnet, did a bunch of stuff with it and got some great publicity.  Awesome work.  It would have been nicer if they had used the command that most botnets have to either disable or delete the bot on all of the machines.

and detection rates are plummeting for this stuff even though the vendors do their best.  Our government can't figure out what the hell it wants to do, with a huge cyber turf war going on between the NSA and DHS.  I wholeheartedly endorse their idea of a , but unless you can track these guys down and do something bad to them it's kind of pointless.

I will repeat my point from earlier postings.

PEOPLE, THE SYSTEMS THAT YOU USE ARE, BY DEFAULT, MEANT TO BE , , , , AND BY THE NATURE OF THE OS API CALLS AND THEIR DESIGN.  All while sometimes not even writing any files to the file system, running completely from a legitimate process's memory.

That's why live forensics is all the rage now.  See Volatility, Mandiant, HBGary, Recurity and others on this type of stuff.  EnCase and AccessData are also getting into the live-memory malware analysis game.

What is truly needed is a robust, trusted, secure interprocess communication mechanism.  Any process can be accessed, hooked and debugged, and malicious code written into its process space, by code running with equal or greater privilege.  STOP.  THINK.  WHAT DOES THIS DO TO THE SANCTITY AND TRUST OF YOUR DATA AND OPERATIONS?  Malware uses this to its advantage and you won't know the difference until it is too late.

Here is the


Here is my response.

I completely applaud the BBC and their actions. They served a good purpose by illustrating the threat of these botnets to the general public, and probably caused many people to be more aware of their personal computer security.

The fact of the matter is that the “industry” does not have the balls to infiltrate these underground organizations or technically disable these botnets; their continued existence clearly provides a casus belli for its business models. Yeah, yeah, I know they do the best they can, hands tied by legal issues, whatever.

What is really needed is a security industry “Zorro/Robin Hood” who basically takes these groups out technically, or infiltrates the botnets and neuters them strategically via technical exploit means. It really should be the NSA or DHS that does that, but neither of them has the balls to do it either.

We need a white-hat underground, an unattributable organization that can prioritize threats and meet them head on with surgical precision attack capabilities. Either that, or track the actors down, turn them informant with lots of money, and then have them subvert their associates or the botnets themselves.

Everything I have seen in response to this issue, together with the data theft/espionage issue, has been completely unimpressive from a criminal punishment/prosecution standpoint (a major incident garners something like 3 years), as well as being a useless, repetitive exercise in arguably non-enforcement actions such as monitoring, awareness and ineffective defense.

While I am constantly amazed at the advances in malware evolution, and awed by the amount of compromise and data theft, the industry has got to ask itself whether we are truly effective in our efforts, and the answer here is NO.

Brian Krebs, SANS, Symantec, others: are you freaking listening?? I like your reporting btw, however I said from day one that the McColo takedown was pointless and worthless; nothing changed, and you only served to ensure that malware authors further refined their code to be more resilient.

I won’t be impressed until people start taking these botnets out via the good old-fashioned operations that intel and military agencies are used to running against terrorists, organized crime/mafias and other well-defined and strategic threats to our nation's security and safety.

Several research groups, such as FireEye, Arbor Networks and SecureWorks, have gone right up to the edge in reversing, monitoring and exploiting Storm, Kraken, Conficker and other code, but stopped short of doing anything useful. Nice try, no cigar.

Next time, become unattributable, gather the resources covertly, go off the fucking grid and just do it. Get a backbone, people. You have the expertise and capability, and most will silently, if not overtly, cheer you for it.

Or how about this. Seed known-compromised systems with honeydocs or .exes and turn the malware authors' world upside down. Whoever is the recipient of such booty would have to be extremely careful in protecting themselves, or else they would have nice beacons pointing straight back to their lairs. If data theft is the game, then dammit, give them something to steal. Oh yeah, if you hear a knock at the door, you'd better have an underground railroad escape hatch in your basement.

More of my views on

I don’t get much traffic here and don’t actively market this, as it's an incubator for my own ideas; however, I would love to see if there is some type of response to this, or just plain ole standard crickets…..

It's Microsoft's fault

August 26, 2008

So the Win32 platform, as you know, is based on modern code libraries.  This is how large coding projects have evolved over the years: through the development of reusable code called libraries.  The idea is that you can create a chunk of code to do something, say draw a picture, and then every application developer can use that code if it's part of the base operating system. 

This has grown and grown and grown over the years of Windows versions in the form of the Win32 API and its associated DLLs that come with every OS.  Sounds great, right?  Sure!  Programming exploded, and you can google the stats for the impact of the software industry and the billions of Windows programs that enabled our modern capitalist economy.  Well, that's awesome; the only problem was that when Windows was developed, security was not a driving issue, code functionality was.  The same problem exists for *nix brands/distributions through the use of shared libraries.

This leads to the modern-day problem of malware being able to do basically whatever the hell it wants to do and successfully hide from modern security software protections.  If you can run executable code on a machine, you can hook / filter / patch / delete / modify any of these important DLLs and code at the user level, the kernel level or both (user-mode code can do this to any process it has rights to open; kernel-mode hooks need a driver or a kernel exploit).  Even in firmware code, but that's a different story.  Some call this cracking, some call this necessary.  Case in point: tons of debuggers, disassemblers, security software, anti-virus, anti-everything et al. require the ability to extend and hook into critical system libraries to do stuff, for example to extend functionality, monitor things, modify operations, or fix a problem. 

When a program is developed and compiled it is linked to DLLs that are loaded into the process space when it is executed.  These DLLs implement the functionality, but unfortunately Windows offers six ways from Sunday to do DLL injection or code injection into a process and to modify the function addresses it calls through (its import address table, for example), which malware then uses to add hostile functionality such as bypassing host-based intrusion detection, firewalls and proxies.  Typical processes that get injected are the web browser, the winlogon process, explorer.exe and any other .exe that can get executed, especially at startup via registry autostart hooks.  Oh yeah, there are about a thousand of those, so good luck checking all of that. 

The REAL problem, though, is: do you REALLY want to be able to do this on production systems?  This stuff should be done in secure development environments.  Microsoft has tons of code, called , and (think hotpatching), that is VERY POWERFUL and can modify your system at will, not to mention hostile code which can do the same.  SO step back a minute.  So you're telling me that no matter what I do, my systems can basically be told what to do without my knowing if someone can run code on them, and you want me to entrust my business model or personal information (Coke formula, cancer cure, invention) to that kind of a RISK model??   

There really should be some way to have a production configuration of the OS build that is not extensible and hookable in this manner.  I believe Vista has attempted to harden the OS against these types of attacks with signed drivers/code/libraries and all, but there are definitely ways around that, and many of the protections, like the exploit prevention mechanisms, are easy to circumvent or voluntary, such as the optional compiler and linker protection bits (/GS, /NXCOMPAT and /DYNAMICBASE, for example).

So you see my point.  ROOTKITS are a special class of malcode that can basically hide everything from everything, and do even more than that.   Rootkits are usually dropped and installed by malware to protect it from being discovered (think about how small an attack window is needed to walk off with the crown jewels given our highly connected, large-bandwidth pipes and the capacity of modern storage devices).

There are tons of ANTI-ROOTKIT scanners out there, most of them templated me-too crap that you can find at .  You can find rootkit software at , and there are a couple of great books on it as well for the developer-minded.  Keep in mind that to be a powerful anti-rootkit you sometimes need to insert your own monitoring hooks, as some of this software does, but the good ones unhook things after they are done being used.

My two personal recommendations are and , both developed by Russians.  These two products do a TON of stuff, including the ability to remove and fix hooks, do secure deletes, force processes to kill themselves by erasing their process memory, and enumerate every conceivable area that a product can hook into the system.  Some rootkits specifically attack these software packages if they are present on the system, so they have methods to protect themselves from modification using code signing techniques.  Most people seem to LOVE RootkitRevealer by Sysinternals/Microsoft, which is an outdated, not very functional piece of crap that you can't even run from the command line.  This is important functionality for corporate-wide scanning.  In fact, Microsoft actually hired the developer who wrote Rootkit Unhooker.  Not sure if he is still with them though. 
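To make the hook / hide / detect / unhook cycle described above concrete, here is an added example in portable C. It is not code from this post or from any of the tools named here, and it is a simulation: the struct of function pointers stands in for a process's import address table, the file list is constructed, and the "golden" snapshot stands in for the addresses an anti-rootkit tool would derive from the DLL on disk. On a real Windows box the rootkit's write would target the IAT slot after VirtualProtect (not shown), and the cross-view check would parse the volume directly instead of calling the real function. Both detection approaches the text mentions are shown: a pointer integrity check (the Unhooker style) and a cross-view diff (the RootkitRevealer style).

```c
#include <stdio.h>
#include <string.h>

/* Constructed data: what is really on "disk". A user-mode rootkit hides files
 * by hooking FindFirstFile/FindNextFile; here the "$rk" prefix marks its own files. */
static const char *k_on_disk[] = {
    "boot.ini", "$rk_dropper.exe", "notes.txt", "$rk_config.dat"
};
#define K_ON_DISK_COUNT (sizeof k_on_disk / sizeof k_on_disk[0])

typedef int (*list_files_fn)(const char **out, int max);
typedef int (*open_file_fn)(const char *name);

/* Stand-in for a process's import address table: every call goes through
 * these slots, so whoever can write the slots controls what the program sees. */
struct import_table {
    list_files_fn list_files;
    open_file_fn  open_file;
};

/* The "real" API implementations, i.e. what the DLL actually exports. */
static int real_list_files(const char **out, int max) {
    int n = 0;
    for (size_t i = 0; i < K_ON_DISK_COUNT && n < max; i++)
        out[n++] = k_on_disk[i];
    return n;
}

static int real_open_file(const char *name) {
    for (size_t i = 0; i < K_ON_DISK_COUNT; i++)
        if (strcmp(k_on_disk[i], name) == 0) return 0;   /* found */
    return -1;                                            /* not found */
}

/* Live table the program calls through, and the known-good snapshot an
 * anti-rootkit tool keeps (assumed here to come from the on-disk DLL,
 * never from memory that may already be lying). */
static struct import_table g_iat = { real_list_files, real_open_file };
static const struct import_table g_golden = { real_list_files, real_open_file };

/* --- rootkit side: a filtering hook that keeps a trampoline to the original --- */
static list_files_fn g_orig_list_files;

static int hook_list_files(const char **out, int max) {
    int n = g_orig_list_files(out, max), kept = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(out[i], "$rk", 3) != 0)   /* drop the rootkit's own files */
            out[kept++] = out[i];
    return kept;
}

void install_hook(void) {
    if (g_iat.list_files == hook_list_files) return;  /* already hooked */
    g_orig_list_files = g_iat.list_files;
    g_iat.list_files  = hook_list_files;  /* on Windows: VirtualProtect + write the IAT slot */
}

/* What the program (or a scanner that trusts the API) sees. */
int visible_file_count(void) {
    const char *buf[16];
    return g_iat.list_files(buf, 16);
}

/* --- anti-rootkit side --- */

/* Pointer integrity check: compare each live slot against the golden
 * snapshot and report how many have been redirected. */
int detect_hooks(void) {
    int hooked = 0;
    if (g_iat.list_files != g_golden.list_files) hooked++;
    if (g_iat.open_file  != g_golden.open_file)  hooked++;
    return hooked;
}

/* Cross-view diff: count entries present in the low-level view but missing
 * from the high-level API view. real_list_files stands in for raw volume parsing. */
int cross_view_hidden(void) {
    const char *raw[16], *api[16];
    int nraw = real_list_files(raw, 16);
    int napi = g_iat.list_files(api, 16);
    int hidden = 0;
    for (int i = 0; i < nraw; i++) {
        int seen = 0;
        for (int j = 0; j < napi; j++)
            if (strcmp(raw[i], api[j]) == 0) { seen = 1; break; }
        if (!seen) hidden++;
    }
    return hidden;
}

/* Restore every slot from the snapshot; returns how many were fixed. */
int unhook_all(void) {
    int fixed = detect_hooks();
    g_iat = g_golden;
    return fixed;
}

int main(void) {
    printf("clean:  %d files visible, %d hooks\n", visible_file_count(), detect_hooks());
    install_hook();
    printf("hooked: %d files visible, %d hooks, %d hidden by cross-view\n",
           visible_file_count(), detect_hooks(), cross_view_hidden());
    printf("fixed %d slot(s); %d files visible again\n", unhook_all(), visible_file_count());
    return 0;
}
```

The point the simulation makes is the one the post makes: the program itself cannot tell it is being lied to, because the lie sits in the table it calls through. Only a tool that either knows what the slots should contain (integrity check) or has an independent, lower-level view of the same data (cross-view) can see the hook, and the unhook is just a write of the known-good pointer back into the slot, which is why tools that do this need the same write access the rootkit had.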

RootKit Unhooker


