by Taneja Vikas
Phillip Porras, Hassen Saidi, and Vinod Yegneswaran from SRI has publicly posted an excellent overview of the Conficker malware. They even have a great analysis of the C variant as well. I highly recommend reading this excellent work.
"Conficker is one of a new interesting breed of self-updating worms that has drawn much attention recently from those who track malware. In fact, if you have been operating Internet honeynets recently, Conficker has been one very difficult malware to avoid. In the last few months this worm has relentlessly pushed all other infection agents out of the way, as it has infiltrated nearly every Windows 2K and XP honeypot that we have placed out on the Internet. From late November through December 2008 we recorded more than 13,000 Conficker infections within our honeynet, and surveyed more than 1.5 million infected IP addresses from 206 countries."
I had a presentation the other day at UNM on some of the work that I had done two years ago. It's fascinating that there is such a renewed interest.
A. Kozakiewicz, A. Felkner, P. Kijewski, and T. Kruk published a paper (4/2007) after my DefCon presentation entitled "Application of bioinformatics methods to recognitio of network threats." The conclusion of this paper was that these the bioinformatics techniques seem to have less resistance to polymorphism, however I maintain that was because of the simplicity of the scoring function they considered.
One of the starting papers in the field of using nature as a way to figure out how to do things correctly was a 1994 paper "Principles of a Computer Immune System" by A. Somayaji, S. Hofmeyr, and S. Forrest. This spends a lot of time considering the acquired immune system.
So, how does nature do things differently than anti mal*? There's a lot out there on this topic. I'd like to advance two points I've not seen elsewhere:
- Natural systems don't "root" the individual hosts, but the hosts provide enough information (via MHC II molecules) to an immutable status of what each host is doing. Anti-mal* is the opposite, wanting hooks into everything and itself being readily disabled.
- There is no hesitation to kill hosts that are suspected infected. Among many destruct mechanism is the FAS ligand activation pathway. Think of this as a lever on the outside that automatically shreds the cell and makes it easy for the acquired immune system to improve future defense. Note again that the cell is shredded; there is no "root" required for post mortem forensics.
These are just some ideas. I hope to be getting them together in a formal paper sometime soon. I look forward to comments.
This is something that I've ignored for entirely too long, so I finally just did it instead of trying to pretty up the release.
binBLAST is now available via google code (not SourceForge):
binBLAST source code
This is everything that was presented at DefCon.
This latest Adobe vulnerability has created a stir on some of the closed mailing lists regarding full disclosure. While I would have liked to think that this debate was over a long time ago, I now realize that everyone has disagreed to disagree. On one side we have the people that are doing remarkable work by researching these flaws, disclosing them with appropriate warning to the vendors, and letting the public know about the problems. On the other side of the argument are the limited disclosure people.
The advocators of limited disclosure are excellent researchers who I know and respect. It floors me to think that it is acceptable for vulnerabilities to be left unpatched for a serious amount of time. I consider 90 days to be entirely too long to patch a vulnerability. The fact that Adobe said that a patch would be issued 18 days after the public disclosure is highly irresponsible.
You can disagree with full disclosure, but it is a useful motivational tool. Microsoft responded well to their problems. They created a security development process that is unparalleled in the world. Adobe, it's time for you to step up as well. Limited or closed disclosure creates complacency, which amounts to willful neglect.
I wish there was some other way than full disclosure to motivate vendors. Unfortunately it is the only method available that has a proven track record of working.
Lurene Grenier from Sourcefire's Vulnerability Research Team has a good writeup on a technique to unpack the Conficker worm DLL. Thanks for going through the pain of malware analysis Lurene.
"The goal was to take the dll, and make it spit out some dns traffic so we could test our SO rule conficker dns detection engine which was written with a generation algorithm provided through the MAPP program in conjunction with Microsoft. We'd paired it down a good bit, and some information about randomness from other write-ups around the net conflicted with what was provided to us."
A new version of YARA have been released. This version introduces some bug fixes and new features, such as:
* Sub-string alternatives in hex strings.
* Global rules.
* Enhanced "of" operator and a new "for..of" operator
* Anonymous strings
* uintXX and intXX functions to read integers from a given offset
* yara-python improvements
I've also started to create some rules for packer identification based on PEiD's signatures, there are just a few for now, but I expect to include more in the future.
Tired of being hustled around by thousands of people at the summer Vegas conventions? Do you live on the wrong side of the United States? Do you really want to fill the time in the winter with hacking and interesting technical discourse? Do you like getting pelted by foam balls emblazoned with a strange animal? Come to Shmoocon!
The Shmoo Group puts on a great conference in DC called Shmoocon. Last year I spoke at it and was impressed by the low-key attitude and technical content enough to be an attendee this year. Tickets are a bit hard to come by but if you can get them I strongly recommend you go.
See you there!
Jeremy from Sudosecure has built a really impressive tool for tracking the Waledac worm. The primary communication system is via the fast-flux method, and Jeremy has built in a system to track countries, origins, and other domains. He also provided a large collection of the Waledac executables.