So, a researcher I admire for his willingness to reveal his to the general masses, especially through his top 10 lists of the largest. He has also done excellent research on more sinister malware such as Coreflood, which has evolved over the years.


Apparently he is presenting some similar concepts at RSA soon that I have been espousing here, such as my cyber Special OPs forces targeting cybercrime networks.

Here is a quote from his

“Finally, on Thursday I’ll be delivering my own presentation entitled “Demonetizing Botnets” at 2:10 PM. This talk outlines my ideas for how we should restructure our efforts at fighting not just botnets, but cybercrime in general, both long and short-term. In this presentation, I will introduce a concept I call “offense-in-depth”, which I believe is the only approach that can address most of the cybercrime problems we are currently facing, given the current environment with respect to law enforcement’s challenges in cyberspace and pervasive vulnerabilities in computing and networking. I’m not saying my plan is any kind of silver bullet, but I hope it becomes part of the arsenal of everyone out there who is attempting to stem the tide of malicious software and computer intrusion. If you are interested in hearing my take on these matters, please attend. If anything I say inspires you to action, please meet up with me after the talk, and we can discuss the issues further. Hope to see you there!”

I love some of the . Titled…. (Joe, I am behind you on this one.)

Researcher wants hacker groups hounded mercilessly

Botnet expert Joe Stewart says ‘special ops’ teams could thwart cybercriminals

I have discussed these concepts in great depth in some of my earlier posts, such as our Spotlight Shine Bright series, my I call Shenanigans, and BBC Wussy Robin Hood articles.

A technology company employing some of the best and the brightest in the field just released an update to their product that actually implements an idea I have been working on since late last year. Clearly many in the security industry have realized that we need a couple of good game-changing concepts to take us to the next level. My focus was on how to change how we COMMUNICATE about malware. If we are all working from the same sheet of paper, then we can focus our efforts on other high-payoff challenges.

The company is called , led by the guys who literally wrote the book on Rootkits.


HBGary seems to have done a good implementation job building Digital DNA features into their flagship product Responder Pro, which is an excellent live memory analysis tool. More and more, live memory analysis is critical to obtaining a full picture of what the malware does.


I have been researching similar concepts based on extracting malware code DNA traits through observational analysis and generating them into a profile. The goal is to identify and classify malware characteristics (what it is) as distinct from its functions (what it does).

For example, the fact that a piece of code packs itself to hide from Antivirus or hinder reversing is a characteristic. In and of itself it poses no threat. A piece of code that can read/write files on your system and execute programs is dangerous functionality all around. That is a Function.

A possible implementation would involve creating an Adobe Flex or HTML 5 based digital cyber dashboard that takes analyzed samples via backend systems, extracts the DNA automatically or manually, and creates a signature for the malware that combines a representative string of bits representing the DNA with hash and fuzzy-hash signatures such as MD5, SHA-1, SHA-256, SHA-512, and SSDeep.

The dashboard generates a characteristic score and a functional score that together result in an overall threat score.

The operational vision is to utilize this dashboard to describe the malware DNA in layman's terms so that cyber-operators and CIO types can RAPIDLY understand the threat and deal with it, rather than trying to understand a bunch of gobbledygook.

The third component is an intelligence component that combines raw multi-disciplined private and open-source intelligence on the bad guys behind the campaigns into digital dossiers.
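As an added example (not the author's dashboard and not HBGary's Digital DNA), here is a small Python sketch of the scoring backend described above: a constructed trait catalogue split into characteristics and functions, a representative DNA bit string, and a signature record that combines it with the MD5/SHA family hashes. The trait names, the weights, and the decision to count functions double in the overall threat score are assumptions.

```python
import hashlib

# Trait catalogue, constructed for this example: each malware DNA trait is
# either a characteristic (what the code is) or a function (what it does),
# with a weight reflecting how much it contributes to the threat picture.
TRAITS = [
    ("packed",           "characteristic", 1),
    ("anti_debug",       "characteristic", 2),
    ("hides_from_av",    "characteristic", 2),
    ("file_read_write",  "function",       3),
    ("process_exec",     "function",       4),
    ("hooks_system_dll", "function",       5),
    ("network_beacon",   "function",       3),
]

def dna_bits(observed):
    """Representative string of bits: bit i is '1' when trait i was observed."""
    unknown = set(observed) - {name for name, _, _ in TRAITS}
    if unknown:
        raise ValueError(f"unknown traits: {sorted(unknown)}")
    return "".join("1" if name in observed else "0" for name, _, _ in TRAITS)

def scores(observed):
    """Characteristic score, functional score and overall threat score (0-100).
    Assumption: functions count double, because a dangerous capability matters
    more than an evasion characteristic that poses no threat on its own."""
    char = sum(w for n, k, w in TRAITS if k == "characteristic" and n in observed)
    func = sum(w for n, k, w in TRAITS if k == "function" and n in observed)
    max_char = sum(w for _, k, w in TRAITS if k == "characteristic")
    max_func = sum(w for _, k, w in TRAITS if k == "function")
    overall = round(100 * (char + 2 * func) / (max_char + 2 * max_func))
    return char, func, overall

def signature(sample, observed):
    """Signature record for the dashboard: DNA bits, scores and standard hashes.
    ssdeep is left out because it is not in the Python standard library."""
    digests = {alg: hashlib.new(alg, sample).hexdigest()
               for alg in ("md5", "sha1", "sha256", "sha512")}
    char, func, overall = scores(observed)
    return {"dna": dna_bits(observed), "characteristic_score": char,
            "functional_score": func, "threat_score": overall, **digests}

if __name__ == "__main__":
    # Constructed sample bytes and observed traits, not a real malware sample.
    sample = b"MZ\x90\x00constructed-sample-bytes"
    sig = signature(sample, {"packed", "file_read_write", "process_exec"})
    for key, value in sig.items():
        print(f"{key}: {value}")
```

A sample that is only packed scores 1/0/3, while one that also reads and writes files and executes programs scores 1/7/43, which is the characteristic-versus-function distinction the text draws.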

It's Microsoft's fault

August 26, 2008

So the WIN32 platform, as you know, is based on modern code libraries. This is how large coding projects have evolved over the years: through the development of reusable code called libraries. The idea is that you can create a chunk of code to do something, say draw a picture, and then every application developer can use that code if it's part of the base operating system.

This has grown and grown and grown over the years of Windows versions in the form of the WIN32 API and its associated .DLLs that come with every OS. Sounds great, right? Sure! Programming exploded, and you can google the stats for the impact of the software industry and the billions of Windows programs that enabled our modern capitalist economy. Well, that's awesome; the only problem was that when Windows was developed, security was not a driving issue, code functionality was. The same problem exists for *nix brands/distributions through the use of shared libraries.

This leads to the modern-day problem of malware being able to basically do whatever the hell it wants to do and successfully hide from modern security software protections. If you can run executable code on a machine, you can hook / filter / patch / delete / modify any of these important DLLs and code at the user level, the kernel level, or both. Even in firmware code, but that's a different story. Some call this cracking, some call this necessary. Case in point: tons of debuggers, disassemblers, security software, anti-virus, anti-everything, et al. require the ability to extend and hook into critical system libraries to do stuff, for example to extend functionality, monitor things, modify operations, or fix a problem.

When a program is developed and compiled it is linked to DLLs that are loaded into the process space when it is executed. These DLLs implement functions, but unfortunately Microsoft has six ways to Sunday to do DLL injection or code injection into process spaces and modify function addresses, which malware then uses to add hostile functionality such as bypassing host-based intrusion detection, firewalls, and proxies. Typical processes that get injected are the web browser, the winlogon process, explorer.exe, and any other .exe that can get executed, especially at run time via registry startup hooks. Oh yeah, there are about a thousand of those, so good luck checking all that.

The REAL problem, though, is do you REALLY want to be able to do this on production systems? This stuff should be done in secure development environments. Microsoft has tons of code called , and (think hotpatching), VERY POWERFUL, that can modify your system at will, not to mention hostile code which can do the same. SO step back a minute. So you're telling me that no matter what I do my systems can basically be told what to do without my knowing, if someone can run code on them, and you want me to entrust my business model or personal information (COKE formula, cancer cure, invention) to that kind of a RISK model??

There really should be some way to have a production configuration of the OS build not be extensible and hookable in this manner. I believe VISTA has attempted to harden the OS against these types of attacks with signed drivers/code/libraries and all, but there are definitely ways around that, and many times, like exploit prevention mechanisms, they are easy to circumvent and voluntary, such as the optional compiler protection bits.

So you see my point. ROOTKITS are a special set of software malcode that can basically hide everything from everything and do even more than that. Rootkits are usually dropped and installed by malware to protect it from being discovered (think how small an attack window is needed to walk off with the crown jewels given our highly connected, large-bandwidth pipes and the capacity of our modern storage devices).

There are tons of ANTI-ROOTKIT scanner software packages out there, most of them templated me-too crap that you can find at . You can find Rootkit software at , and there are a couple of great books on it as well for the developer-minded. Keep in mind that to be a powerful Anti-Rootkit you sometimes actually need to insert your own monitoring hooks, as some of this software does, but the good ones unhook things after they are done being used.

My two personal recommendations are and , both developed by Russians. These two products do a TON of stuff, including the ability to remove and fix hooks, do secure deletes, force processes to kill themselves by erasing their process space memory, and enumerate every conceivable area that a product can hook into the system. Some rootkits specifically attack these software packages if they are present on the system, so they have methods to protect themselves from modification using code signing techniques. Most people seem to LOVE Rootkit Revealer by SysInternals/Microsoft, which is an outdated, not very functional piece of crap that you can't even run from the command line. That is important functionality for corporate-wide scanning. In fact, Microsoft actually hired the developer who wrote Rootkit Unhooker. Not sure if he is still with them though.

Rootkit Unhooker


Tons of great stuff coming out of Blackhat. A company called now has an engine for Cisco routers. Check out the . Pretty awesome. Several years ago, based on from a guy named and the Phenoelit group, a guy named Michael Lynn PWNed Cisco routers by getting around heap memory checking and was able to execute code.

It caused crazy controversy: Mike left his job with IBM, and CISCO ripped the material out of the Blackhat media and threatened all kinds of lawsuits. It was actually pretty funny. Anyways, the research area of exploiting embedded hardware and non-Wind0z type OS platforms has got the best and brightest in the world on the case. Felix now works at Recurity doing some awesome RE stuff. This will not be the last time this area of comes up. Now they are talking . Researchers like at are taking this stuff even further down the rabbit hole.

Oh, and if that isn't enough, there is a huge stink right now with the FBI and others CISCO devices. This poses a potential huge . Now is on the !

One of the most promising areas of innovation in research, from a blackhat and whitehat standpoint, is hardware-based virtualization. So basically, after the 5-year trend of software-based virtualization (VMware, VirtualPC, et cetera), AMD, Intel, and others implemented hardware support for virtual machines. One physical box hosts multiple OS versions or Guest OS's with emulated calls to the abstracted hardware layer, yet all machines can share access to the underlying hardware functionality. The term hypervisor came into being, which basically shrunk and optimized the software used to manage virtual machines and added a bunch of enterprise management and security features.

Security researchers have primarily four goals: creating virtualization rootkits, escaping the virtual machine to affect other virtual machines or the host OS/hypervisor, making the hypervisor undetectable to malware, and malware being able to detect that it's running in a virtualized environment.

One of the leading researchers in this field is

Joanna Rutkowska is the babe brains behind the operation and is sort of an international wunderkind. I spent most of my formative years doinking around with games. Heh, gotta catch up.

