Skip navigation.
Home

dannyquist's blog

iTunes Anti-debugging Circumvention

David Maynor at Erratasec has written an article about how to circumvent the debugging prevention inside of iTunes.

"..I noticed iTunes kept crashing, predictably and reliably in the same place. I decided to use gdb to see what the hubbub was all about. However I got dissed and iTunes would not allow itself to be debugged."

http://erratasec.blogspot.com/2009/04/ode-to-50cent.html

Conficker Causes Global Meltdown and Thermonuclear War

As usual, Brian Krebs from the Washington Post has done some fine reporting bringing us news about the Conficker Worm Strike. Here are some choice excerpts of the horror that is raining down upon the world:

"A nuclear missile installation near Elmendorf Air force Base outside of Anchorage, Alaska briefly went on a full-scale military alert after technicians manning the bunker suspected that several of their control systems were infected with Conficker."

"According to local news reports, shortly after midnight local time, an ATM in the capital city of Reykjavik began spewing 100-Krona notes."

It's time to auger in with an AR-15 and your favorite dog Will Smith "I Am Legend" style.

Analysis of Conficker C

Phillip Porras, Hassen Saidi, and Vinod Yegneswaran from SRI has publicly posted an excellent overview of the Conficker malware. They even have a great analysis of the C variant as well. I highly recommend reading this excellent work.

"Conficker is one of a new interesting breed of self-updating worms that has drawn much attention recently from those who track malware. In fact, if you have been operating Internet honeynets recently, Conficker has been one very difficult malware to avoid. In the last few months this worm has relentlessly pushed all other infection agents out of the way, as it has infiltrated nearly every Windows 2K and XP honeypot that we have placed out on the Internet. From late November through December 2008 we recorded more than 13,000 Conficker infections within our honeynet, and surveyed more than 1.5 million infected IP addresses from 206 countries."

Why Full Disclosure is an Important Tool

This latest Adobe vulnerability has created a stir on some of the closed mailing lists regarding full disclosure. While I would have liked to think that this debate was over a long time ago, I now realize that everyone has disagreed to disagree. On one side we have the people that are doing remarkable work by researching these flaws, disclosing them with appropriate warning to the vendors, and letting the public know about the problems. On the other side of the argument are the limited disclosure people.

The advocators of limited disclosure are excellent researchers who I know and respect. It floors me to think that it is acceptable for vulnerabilities to be left unpatched for a serious amount of time. I consider 90 days to be entirely too long to patch a vulnerability. The fact that Adobe said that a patch would be issued 18 days after the public disclosure is highly irresponsible.

You can disagree with full disclosure, but it is a useful motivational tool. Microsoft responded well to their problems. They created a security development process that is unparalleled in the world. Adobe, it's time for you to step up as well. Limited or closed disclosure creates complacency, which amounts to willful neglect.

I wish there was some other way than full disclosure to motivate vendors. Unfortunately it is the only method available that has a proven track record of working.

Conficker Unpacking and Analysis

Lurene Grenier from Sourcefire's Vulnerability Research Team has a good writeup on a technique to unpack the Conficker worm DLL. Thanks for going through the pain of malware analysis Lurene.

"The goal was to take the dll, and make it spit out some dns traffic so we could test our SO rule conficker dns detection engine which was written with a generation algorithm provided through the MAPP program in conjunction with Microsoft. We'd paired it down a good bit, and some information about randomness from other write-ups around the net conflicted with what was provided to us."

Shmoocon 2009

Tired of being hustled around by thousands of people at the summer Vegas conventions? Do you live on the wrong side of the United States? Do you really want to fill the time in the winter with hacking and interesting technical discourse? Do you like getting pelted by foam balls emblazoned with a strange animal? Come to Shmoocon!

The Shmoo Group puts on a great conference in DC called Shmoocon. Last year I spoke at it and was impressed by the low-key attitude and technical content enough to be an attendee this year. Tickets are a bit hard to come by but if you can get them I strongly recommend you go.

See you there!

Danny

Tracking Waledac

Jeremy from Sudosecure has built a really impressive tool for tracking the Waledac worm. The primary communication system is via the fast-flux method, and Jeremy has built in a system to track countries, origins, and other domains. He also provided a large collection of the Waledac executables.

Sudosecure Blog Post About the Tracker
Sudosecure Waledac Tracker

New Classmates.com Malware Campaign

While reading through my spam folder, I found a new sample. There is a new malware sample being spread posing as a Classmates.com reunion message. The sample I have is MD5 895377d01833dfd01dfccb523b2d3026. I haven't done anything to analyze this file yet.

UPDATE: Here's a new copy of the executable 393473bd4a1da563ec086cff7d9c50f6

Here's the original email from my spam folder:

Received: from [78.2.19.242] by hoemail1.alcatel.com; Tue, 13 Jan 2009 18:09:56 +0100
From: "Committee members" <alumni@classmates.com>
To: <DANNY'S EMAIL ADDRESS>

Blog Spam on OC

Last week we had a problem where some spammers figured out how to flood our blogs with spam. I'd like to apologize the inconvenience this caused. To fix the problem we have moved to a moderation system for blog posts. We will still accept external content, but will not allow spam posts.

Just to be very clear: Offensive Computing is not going into the World of Warcraft gold trading business. :)

Memoryze Memory Forensics Tool

Peter Silberman from Mandiant has written an article at OpenRCE about the new tool Memoryze.

Introduction:

The goal of this article is to demonstrate how simple malware analysis can be using Memoryze and some good old fashion common sense. Readers should have some knowledge of how malware works, and be somewhat familiar with Memoryze. A good place to familiarize yourself with Memoryze is the user guide included in the installer.

Memoryze is designed to aid in memory analysis in incident response scenarios. However, it has many useful features that can be utilized when doing malware analysis. Memoryze is special in that it does not rely on API calls. Instead Memoryze parses the operating systems' internal structures to determine for itself what the operating system and its running processes and drivers are doing.

Syndicate content