
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation

7 posts categorized "General Security"

Harnig Botnet: a retreating army

Rustock is not the only botnet that suffered from the recent takedown by Microsoft. It appears that Harnig (a.k.a. Piptea), a close relative of Rustock, is retreating as well. There is no evidence that anyone is trying to shut Harnig down; it looks like a decision made solely by the bot herders. Why? I'll talk about that shortly.

Harnig is considered to be a very widespread pay-per-install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system. In return for this favor, the owners of the other malware families pay the bot herders a small sum, normally a few cents per machine. With pay-per-install networks, the type and amount of malware being dropped can't easily be predicted; what matters is who is paying the bot herders, and when. But things between Harnig and Rustock were quite different. There has been a long-term relationship between the Harnig and Rustock botnets. For the last two years or so, Rustock has almost always been seen being spread through Harnig. Very rarely will one see Rustock using some other infection vector or pay-per-install network to propagate itself.

[Screenshot: Harnig]

One can see from the above screenshot that the Rustock installation is the result of a chain reaction:

Harnig --> Downloader.DigiPog (Rustock installer in plain text) --> Rustock spam engine (semi-fake password-protected 'rar' file containing the Rustock driver file).


Chasing CnC Servers - Part 1

There are two general ways a complex problem can be solved: using a good approach or a bad one. The only good thing about the bad approach is that it is usually simpler to understand and implement, but in the long run one finds that shortcuts don't always work. The good thing about most humans is that they learn from their mistakes and move forward. This is what we are seeing happen at the moment within the anti-malware industry. Host-based anti-virus products are shifting their focus from signature-based detection to advanced behavioral analysis and memory forensics. Network-based sensors, which used to rely heavily on DNS and IP blacklists for detecting phishing attacks, spam emails and botnet command-and-control channels, are moving towards advanced protocol analysis and emulation.

The purpose of this series is to discuss the limitations and challenges involved in using blacklists (DNS and IP) for network-based anomaly detection. I will focus mainly on the problems of tracking botnets using their control server identities alone. I will also discuss whether there are better techniques available to detect compromised (botted) machines and terminate CnC channels to prevent further damage.


Musings on download_exec.rb

Exposition

This is not anything new and exciting¹, and should hopefully be familiar to some of you reading this. Some time ago I reversed the shellcode from Metasploit's download_exec module. It's a bit different from the rest of the stuff in MSF, because there's no source code with it, and it lacks certain features that the other shellcodes have (like being able to set the exit function).

When I started writing this blog post, the day before yesterday, I looked into the history of this particular scrap of code…

It's very similar to lion's downloadurl_v31.c (previously available here: http://www.milw0rm.com/shellcode/597 [archive] but now also here: http://www.exploit-db.com/exploits/13529/ and here: http://inj3ct0r.com/exploits/9712 and a zillion other places).

… Except that, that code seems to be a more recent version than the code in MSF. For example, that does the LSD-PL function name hash trick, rather than lug around the full function names for look-up (as the version in MSF does.)

So, lion was a major figure in the Chinese 红客 Honker scene — literally translated as Red Guest (or Red Visitor or Red Passenger). (Basically, hackers who are also Chinese nationalists.) His group was the Honker Union of China [HUC], http://www.cnhonker.com — this site seems to have been dead for a while. He wrote a lot of code back in 2003 and 2004. (I now understand a little about writing these Chinese characters!)

I managed to dig up an older version of this 'downloadurl' code, dated 2003-09-01, which is closer to the code in MSF: http://www.cnhonker.com/index.php?module=releases&act=view&type=3&id=41 [archive]. The code credits ey4s (from XFocus, I think) for the actual shellcode.

Anyway, big chunks of this code, like the whole PEB method, also look like they were directly copied from Skape's old stuff (Dec 2003) — which was copied from Dino Dai Zovi (Apr 2003) — which was copied from Ratter/29A (Mar 2002) etc. etc. Like I said, this is all very old stuff. None of it has really changed since 2002, and it's still in very common use.

pita's contribution to all this appears to be wrapping up the blob of code output by the lion program above into an MSF2 module:

http://www.governmentsecurity.org/forum/index.php?showtopic=18370


MITB (Man in the Browser) Protection Layers

In my last post, I talked about some of the MITB attacks currently being used by modern banking trojans like URLZone and Zeus/Zbot. Although most modern-day banks have various security measures in place, like multi-factor authentication, to prevent online theft, we saw in my last article that most of these techniques are not enough to prevent MITB attacks. They are mostly there to make credential theft difficult, not impossible.

Today I am going to describe some other techniques (just some random thoughts) that might be used to defend against common MITB attacks.

Disclaimer: Technique #2 as explained below may already be known in the security industry. It is not my intention to take any credit for inventing this technique if it is already known. Let's just critically analyze these techniques and do a cost and benefit analysis.


Kin/Beneficiary for US$20 Millions

Becoming a millionaire has never been that easy, but some spam emails would have us believe otherwise. Here is a recent one from my spam trap.


Barbarians Inside the Cyber Gates

Critical government, military, and civilian networks have been repeatedly infiltrated to steal our intellectual property and national secrets. So, how do we build a modern, national cyber security policy as we enter into the 44th Presidency? The Center for Strategic and International Studies' report weighed in on this topic, but I think they missed the point in their technical recommendations.

Before I go further, I should introduce myself. I'm Ashar Aziz, FireEye's CEO and founder. I'll be chiming in to write about the big-picture security issues facing CIOs and CISOs, businesses, our national cyber infrastructure, and essentially anyone who does anything on the Internet these days.


The case against URL blacklists

There's lots of talk these days about how URL-based signatures are quickly becoming obsolete, but rarely do you see real, live proof of this. Today I'll show you a couple of quick examples to try to hammer the point home.
