
Historical OSINT - Sub7 Crew Releases New Version on 11th Anniversary of The RAT

February 07, 2019
It's 2010 and I've recently come across the following announcement on Sub7's Main Forum, Sub7 being the most ubiquitous Remote Access Trojan (RAT) of the 90's, on the upcoming release of a new version.

"People can buy unique FUD servers in the shop and custom clients can also be written to help you admin PC's remotely with your own features. These are selling well so be sure to grab your own custom version while we are offering them at this price. Please be advised there is currently a waiting list for this."

Sample detection rate (engines flagging the file / engines run):
- borlndmm.dll - Result: 0/42 (0%). This is the Borland memory manager runtime DLL shipped alongside Delphi-built binaries, so a clean verdict on it says nothing about the FUD claim for the server itself
- EditServer.exe - Result: 10/42 (23.81%)
- Server.exe - Result: 18/41 (43.90%)
- SubSeven.exe - Result: 16/41 (39.02%)

Should The Scene as we knew it re-appear? Every now and then a new cybercrime-friendly tool tries to materialize and take us back to what used to be The Scene circa the 90's.

Master of the Infected Puppets

February 24, 2006
In some of my previous posts, "What are botnet herds up to?", "Skype to control Botnets", "The War against Botnets and DDoS attacks", and "Recent Malware Developments", I was actively providing resources and updating my blog readers (thanks for the tips and the info sharing, I mean it!) on one of the most relevant threats to the Internet (more trends and bureaucracy): botnets.

I recently came across a well-researched report giving a very in-depth overview and summary of important concepts related to botnets. Recommended bedtime reading, and here's an excerpt:

"In this paper we begin the process of codifying the capabilities of malware by dissecting four widely-used Internet Relay Chat (IRC) botnet codebases. Each codebase is classified along seven key dimensions including botnet control mechanisms, host control mechanisms, propagation mechanisms, exploits, delivery mechanisms, obfuscation and deception mechanisms. Our study reveals the complexity of botnet software, and we discuss implications for defense strategies based on our analysis"

Some of the findings, which I also came across in my "Malware - future trends" research, are worth mentioning:

- "The overall architecture and implementation of botnets is complex, and is evolving toward the use of common software engineering techniques such as modularity." Namely, no one is interested in reinventing the wheel, and the Simple Botnet/Malware Communication Protocol I once mentioned (I originally came across the concept here) could give the malware scene impressive scale. But could it also put AV vendors and researchers in a favourable position, where exploiting weaknesses in a shared protocol is more beneficial than current approaches?

- "Shell encoding and packing mechanisms that can enable attacks to circumvent defensive systems are common. However, Agobot is the only botnet codebase that includes support for (limited) polymorphism"

Smart! Mainly because of the fact that "The malware delivery mechanisms used by botnets have implications for network intrusion detection and prevention signatures. In particular, NIDS/NIPS benefit from knowledge of commonly used shell codes and ability to perform simple decoding. If the separation of exploit and delivery becomes more widely adopted in bot code (as we anticipate it will), it suggests that NIDS could benefit greatly by incorporating rules that can detect follow-up connection attempts."
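
The follow-up connection rule the paper anticipates, as an added example that is neither the blog's nor the paper's code: a small Python correlator that reads NIDS exploit alerts and flow records, and flags a host that opens a new outbound connection shortly after being the target of an exploit alert. When exploit and delivery are separated, the exploited host has to reach out (TFTP, HTTP, FTP) to fetch the actual bot binary, and that second connection is what this rule catches. The log formats, the addresses (RFC 5737 documentation ranges), the signature name, the sample records and the 60-second window are all assumptions constructed for the example.

```python
"""Correlate inbound exploit alerts with follow-up outbound connections.

Added example, not code from the blog post or from the paper it quotes. An
alert on the inbound exploit plus a *new* outbound connection from the same
host within a short window is a stronger signal than either on its own.
All log lines, addresses and timestamps below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed NIDS alerts: time, signature name, attacker:port -> victim:port.
ALERT_LOG = """\
2006-02-24T10:00:01 EXPLOIT NETBIOS SMB overflow attempt 203.0.113.5:3105 -> 192.0.2.10:445
2006-02-24T10:07:30 EXPLOIT NETBIOS SMB overflow attempt 203.0.113.5:3222 -> 192.0.2.11:445
"""

# Constructed flow records: time, src:port -> dst:port, protocol.
CONN_LOG = """\
2006-02-24T10:00:00 192.0.2.10:1032 -> 198.51.100.7:80 tcp
2006-02-24T10:00:04 192.0.2.10:1033 -> 203.0.113.5:69 udp
2006-02-24T10:02:15 192.0.2.11:1040 -> 198.51.100.20:443 tcp
2006-02-24T10:07:31 192.0.2.11:1041 -> 198.51.100.20:443 tcp
2006-02-24T10:09:00 192.0.2.10:1034 -> 198.51.100.9:6667 tcp
"""

ALERT_RE = re.compile(r"^(\S+) EXPLOIT (.+?) (\S+):(\d+) -> (\S+):(\d+)$")
CONN_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (tcp|udp)$")


@dataclass(frozen=True)
class Alert:
    ts: datetime
    name: str
    attacker: str
    victim: str


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Finding:
    victim: str
    attacker: str
    alert: str
    dst: str
    dport: int
    proto: str
    delay_s: float
    back_to_attacker: bool  # True when the victim connects back to the attacking host


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:  # lines that do not match the assumed format are skipped
            alerts.append(Alert(datetime.fromisoformat(m[1]), m[2], m[3], m[5]))
    return alerts


def parse_conns(text):
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append(Conn(datetime.fromisoformat(m[1]), m[2], m[4], int(m[5]), m[6]))
    return conns


def correlate(alerts, conns, window_s=60):
    """Flag new outbound connections from a victim within window_s of an exploit alert.

    A destination the victim already contacted before the alert is treated as
    baseline traffic and not flagged, which keeps ordinary browsing or update
    checks that happen to follow an alert out of the results.
    """
    findings = []
    for a in alerts:
        deadline = a.ts + timedelta(seconds=window_s)
        baseline = {(c.dst, c.dport) for c in conns if c.src == a.victim and c.ts < a.ts}
        for c in sorted(conns, key=lambda c: c.ts):
            if c.src != a.victim or not (a.ts <= c.ts <= deadline):
                continue
            if (c.dst, c.dport) in baseline:
                continue
            findings.append(Finding(
                victim=a.victim, attacker=a.attacker, alert=a.name,
                dst=c.dst, dport=c.dport, proto=c.proto,
                delay_s=(c.ts - a.ts).total_seconds(),
                back_to_attacker=(c.dst == a.attacker),
            ))
    return findings


if __name__ == "__main__":
    for f in correlate(parse_alerts(ALERT_LOG), parse_conns(CONN_LOG)):
        print(f"{f.victim} -> {f.dst}:{f.dport}/{f.proto} {f.delay_s:.0f}s after "
              f"'{f.alert}' from {f.attacker}"
              + (" (back to the attacker)" if f.back_to_attacker else ""))
```

On the constructed data only the TFTP connection from 192.0.2.10 back to the attacking host three seconds after the alert is flagged; the second victim's connection to a server it already used earlier is dropped as baseline, and the later IRC join only appears once the window is widened. The baseline check is the part that matters on a real sensor, since a post-exploit window with no baseline turns every alert against a busy host into a pile of false positives.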

- "All botnets include a variety of sophisticated mechanisms for avoiding detection (e.g., by anti-virus software) once installed on a host system."

From my point of view, retaining existing zombies rather than acquiring new ones will tend to dominate. Patching the compromised hosts themselves (closing the hole that let the bot in), hiding the bot's presence, dealing with the easy-to-detect footprint of an idle zombie, TCP obfuscation, and checks for debuggers are among the methods currently in use.

Botnets will continue to dominate because of their concept and potential for growth, and while monitoring and active research are still feasible, encrypted C&C communications are a logical next development that should also be researched as a concept. But how many *public* IRC servers, if such are used at all, support SSL encryption?

Malware - future trends

January 09, 2006
I'm very excited to let you know that I have finally managed to release my "Malware - future trends" publication. It provides an overview of the current trends, the driving factors behind the scene, and some of the trends to come, from my point of view.

As factors contributing to the rise and success of malware I have pointed out:
- Documentation and howto's transformed into source code
- Vulnerabilities, even patches, easily turned into exploits
- Clear signs of consolidation on the malware scene
- The media as a fueling factor for growth
- Over 960M unique Internet users and their connectivity, or purchasing power
- The demand for illegal services

And as far as the trends themselves are concerned, I have indicated:
- Mobile malware will be successfully monetized
- Localization as a concept will attract the coders' attention
- Open Source Malware
- Anonymous and illegal hosting of (copyrighted) data
- The development of Ecosystem
- Rise in encryption and packers
- 0day malware on demand
- Cryptoviral extortion / Ransomware will emerge
- When the security solutions (antivirus etc.) end up being the security problem themselves
- Intellectual property worms
- Web vulnerabilities, and web worms - diversity and explicit velocity
- Hijacking botnets and infected PCs
- Interoperability will increase the diversity and reach of the malware scene

Have an opinion? Feel I have somehow missed a point? Let me know, or directly comment on this post! Thanks folks!
