As expected, the Storm botnet maestros have queued up some pwnage for your 4th of July.
See the SANS diary for all the details.
Upon receipt of my first fireworks.exe sample this evening, I went through the standard routine and ran it through the analysis mill. Like the ISC said, not much new here, but if you'd like the nitty-gritty, I've put the analysis report here, the peers config list here, and the pcap here.
However, what I was really inspired to do this evening was visualize the pcap with Raffael Marty's AfterGlow. His new book, Applied Security Visualization, is coming out next month, so we can turn old Storm news into a celebration of the 4th and the pending release of Applied Security Visualization. By the way, Raffael's visualization workshop slides from the 20th Annual FIRST Conference in Vancouver, B.C. last week are here, and mine regarding Malcode Analysis for Incident Handlers are here.
So, a little AfterGlow magic,
tcpdump -vttttnnelr /home/rmcree/pcap/fireworks.pcap | ./tcpdump2csv.pl "sip dip ttl" | perl ../graph/afterglow.pl -c /home/rmcree/afterglow/src/perl/graph/color.properties -p 2 | neato -Tgif -o fireworks.gif, and the results look just like the fireworks we hoped they would.
Happy 4th of July everyone!
Except you Storm a$$hat$. ;-)
del.icio.us | digg
See the SANS diary for all the details.
Upon receipt of my first fireworks.exe sample this evening, I went through the standard routine and ran it through the analysis mill. Like the ISC said, not much new here, but if you'd like the nitty-gritty, I've put the analysis report here, the peers config list here, and the pcap here.
However, what I was really inspired to do this evening was visualize the pcap with Raffael Marty's AfterGlow. His new book, Applied Security Visualization, is coming out next month, so we can turn old Storm news into a celebration of the 4th and the pending release of Applied Security Visualization. By the way, Raffael's visualization workshop slides from the 20th Annual FIRST Conference in Vancouver, B.C. last week are here, and mine regarding Malcode Analysis for Incident Handlers are here.
So, a little AfterGlow magic,
tcpdump -vttttnnelr /home/rmcree/pcap/fireworks.pcap | ./tcpdump2csv.pl "sip dip ttl" | perl ../graph/afterglow.pl -c /home/rmcree/afterglow/src/perl/graph/color.properties -p 2 | neato -Tgif -o fireworks.gif, and the results look just like the fireworks we hoped they would.
Happy 4th of July everyone!
Except you Storm a$$hat$. ;-)
del.icio.us | digg
