Sunday, February 08, 2009

This week in security and forensics

Just a smattering of links this week.

Not that there wasn’t a lot going on….

  • Sample Analysis System - F-Secure Weblog – F-Secure is now offering a new way to submit malware samples (or suspected malware samples).  Users can register or submit anonymously…though being anonymous has its limits.  Registered users are able to access reports, track usage, and (it appears) retrieve reports on items they have turned in in the past.  This might encourage dedicated contributors as well as help organize regular users’ data.

  • How Do They Make All That Malware? – Larry Seltzer at eWeek does a short post that outlines how malware writers bulk-create their naughty-naughties as well as how the A/V companies leverage web-based scanning services to bulk up on their own DAT signatures.  It’s a constant arms race with many being caught and protected against, but like those little swimmers, it just takes one to make it through.

  • Forensic Links – Windows Incident Response blog – Nice collection of links related to Windows forensics. Some memory and registry review linkage.

  • TimeLine Analysis – Windows Incident Response blog – One of the challenges in forensics work is trying to lay out a time-line for events.  One would think that with all the file-dating, file access dating, logging, and other excitement that Windows is constantly doing, it would end up a simple open-and-shut case.  Turns out that is much harder to do…at least to do accurately and do well.  Different applications and systems record time data in different ways and formats. It takes a multitude of tools and skill from the examiner to slowly peel back all the layers and lay out a solid scenario of events.

  • The Security Shoggoth: Strings and update – The Security Shoggoth blog – Light but useful examination of the use of Strings from Sysinternals.  Specifically, how some additional arguments on the command-line can pull either ASCII or Unicode strings from the file being searched.

  • Browser Plugins, Add-Ons and Security Advisers – Hackademix blog. Giorgio Maone goes on an offensive defense of Firefox security when it comes to Add-ons and other things.  Yes, clearly all these elements make Firefox great, but also open the browser to security issues if a malicious add-on is adopted. Fortunately, as Giorgio shares, there is a whole lot of cross checking going on in the community.  As long as you are getting your Add-ons from trusted sources, you should be good.

  • OpenDNS to block Conficker - heise Security UK – On Monday this great DNS service will begin to block Conficker’s attempts to connect to potential control servers. Administrator alerts to the presence of the worm will be available and should help efforts to locate infected systems. The service is free to both businesses and home users, but will require registration to access the tracking and logging features. I use OpenDNS at home and have configured our router to use it as the DNS service.  Never had any issues.  It is an amazing service.
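To illustrate the point made in the TimeLine Analysis item above, that every source records time in its own format and an examiner has to normalize them before ordering events, here is an added example (my own, not from the Windows Incident Response blog). It converts a raw Windows FILETIME, a Unix-epoch value and a local-time text log line to UTC and merges them into one timeline; the artifacts, the UTC-5 offset and the file names are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ticks: int) -> datetime:
    """Convert a raw 64-bit FILETIME (NTFS timestamps, registry LastWrite) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def unix_to_utc(seconds: int) -> datetime:
    """Convert Unix epoch seconds (common in exported or third-party logs) to UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def local_text_to_utc(text: str, fmt: str, utc_offset_hours: int) -> datetime:
    """Parse a text timestamp written in local time with a known offset and shift it to UTC."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(text, fmt).replace(tzinfo=local_tz).astimezone(timezone.utc)


# Constructed sample artifacts, each in the format its source actually uses.
# Read naively, the app.log line looks like the earliest event (Feb 7 evening);
# once normalized to UTC it is actually the last one.
ARTIFACTS = [
    ("MFT", "created C:\\Users\\x\\Downloads\\invoice.exe",
     filetime_to_utc(128785248000000000)),                      # FILETIME ticks
    ("exported-log", "process start invoice.exe",
     unix_to_utc(1234051260)),                                   # epoch seconds
    ("app.log", "outbound connection attempt",
     local_text_to_utc("02/07/2009 19:02:00", "%m/%d/%Y %H:%M:%S", -5)),  # local, UTC-5
]


def build_timeline(artifacts):
    """Merge artifacts from different sources into one UTC-ordered list of (time, source, event)."""
    ordered = sorted(artifacts, key=lambda a: a[2])
    return [(ts.isoformat(), source, desc) for source, desc, ts in ordered]


if __name__ == "__main__":
    for when, source, desc in build_timeline(ARTIFACTS):
        print(f"{when}  {source:<13} {desc}")
```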

Breaking Update to post

  • Some tricks from Conficker's bag - SANS-ISC Handler’s Diary has some more information on the Conficker virus.  Interesting findings: First, it checks to see how it was executed and, depending on what it finds, acts accordingly.  Secondly, it patches (in memory) the MS flaw that allows it to attack a system in the first place.  This is presumably to prevent the system it is running on from being cross-attacked by other malware using the same exploit it is.  It’s not an altruistic move as it isn’t a permanent patch.  Finally (and this was new to me), it uses a Microsoft code element to delete all System Restore points for the system.  This prevents responders/users from going back to a previous “pre-infection” recovery point.  Mighty nasty!

  • Bits from Bill: Protection is Here for Win32/Conficker.A and .B – WinPatrol father Bill Pytlovany shares a little more news and a few tips regarding the Conficker headache.

--Claus V.
