[SecurityRatty] tag: rhetorical

The Commoditization of Anti Debugging Features in RATs

Wed, 03 Sep 2008 03:46:00 +0000

Is it a Remote Administration Tool (RAT) or is it malware? That's the rhetorical question, since RATs are not supposed to have built-in Virustotal submission for the newly generated server, antivirus software "killing" and firewall bypassing capabilities.

Taking a peek into some of commodity features aiming to make it harder to analyze the malware found in pretty much all the average DIY malware builders available at the disposal at the average script kiddies, one of the latest releases pitched as RAT while it's malware clearly indicates the commoditization and availability of such modules :

" - FWB (DLL Injection, The DLL is Never Written to Disk)
- Decent Strong Traffic Encryption
- Try to Unhook UserMode APIs
- No Plugins/3rd Party Applications
- 4 Startup Methods (Shell, Policies, ActiveX, UserInIt)
- Set Maximum Connections
- Built In File Binder
- Multi Threaded Transfers
- Anti Debugging (Anti VMware, Anti Sandboxie, Anti Norman Sandbox, Anti VirtualPC, Anti Anubis Sandbox, Anti CW Sandbox)"

Malware coders or "malware modulators"? With the currently emerging malware as a web service toolkits porting common malware tools to the web, drag and drop web interfaces for malware building are definitely in the works.

Reputation Damage & Measurement

Fri, 22 Aug 2008 10:33:56 +0000

Reputation damage can be one of the most difficult concepts to build measurements around. In fact, it can be difficult to develop the actual metrics for the measurements, as well. Damage to things like “corporate reputation” and “goodwill” and “brand equity” can be difficult to wrap even reasonable dollar estimates around (When I use FAIR, I really only care to use one metric when describing loss magnitudes - the almighty currency).

Complicating factors is the impact (or lack thereof) of incidents on stock price. Many researchers who identify themselves with the New School of Information Security (yours truly included) want to immediately look at stock price as a bell-weather metric for incident impact. I think this stems from our days of slinging FUD, back when we could scream “Buy a firewall or we’ll have an incident and you’ll be on the front page of the paper and the stock price will go down!” But these days notable incidents seem to suggest that the impact on stock price for an incident is short lived. With qualifications, of course.

So what would/should we make of this from Money.co.uk?

£12million ($24m) Wiped off Helphire Stock after Malicious Email Sent to Clients

Car hire firm Helphire have taken Google to court after a malicious email sent from a Gmail account saw their shares plummet £12million in a single day.

The Bath-based business who specialise in providing replacement cars to ‘no-fault’ drivers involved in accidents on behalf of car insurance companies, initiated legal proceedings against the search engine giant as part of their attempt to find out who is responsible for sending the defamatory mailing.

Google are now known to have complied with the court order and have controversially supplied details of the email account and ISP used by the meddler.

Written under the psudoname Peter Franks, the 1200 word email is know to have been sent from a gmail account that was opened specifically for this purpose and closed a few minutes after the damage had been done…

…The misdemeanour couldn’t have come at a worse time for the struggling firm who have undergone a £45million rights issue and seen a 75% drop in the value of their stock already this year.

That last paragraph, for me, explains some of the difficulty in tying reputation damage to stock decreases. It’s like when you read the headlines from Bloomberg about why the days stocks (or commodity) prices are up or down. You know, the “Oil closes $3 higher on news that a notable South American dictator has a rather unpleasant boil in a very uncomfortable area” type of headlines. You really do have to question the causality and correlation. So in the Helphire case above - is this new drop in stock really because of the email sent? If so, should we view that $24mil number as an independent data point to describe this sort of attack on reputation, or is the magnitude aggravated due to the long-term trend of stock price?

Even when we have “Objective Data” (an in-joke for Adam S.) like this decline in stock price, it is really difficult to provide any sort of precise estimate or measurement - about the future, present or past. The best we can do is use ranges, distributions, that are reasonable based on evidence and observation.

So it’s worth filing away this sort of datum for future use - while dutifully acknowledging the qualifiers we might place around it.

So the questions I ask here - what should we make of this new information, and how should we view the $24million drop - they’re not rhetorical. I am very interested in your views and welcome your comments!

The Shark Malware - New Version's Coming

Sun, 09 Dec 2007 17:44:58 +0000

Remember Shark, the DIY malware pitched as a Remote Administration Tool (RAT), whose publicity among script kiddies, and the press given the easy with which an undetected malware can be build with it, prompted the author behind the project to publicly announce that he's shutting down work on the RAT? However, as it looks like, the project is still under development, and the author's recent announcement of the upcoming version of Shark3 further confirms that the shut down announcement was valid by the time the publicity started to fade away. Here're some screenshots of what's to come in the new version :

Shark3 Window's Info

Shark3 Keylogger

Previous versions included features not so popular among RATs by default such as, built-in VirusTotal submission, process injection, and with the new version promoted to have a built-in rootkit capabilities, next to its Vista compatibility, let's ask the ultimate question - is it a RAT, or is it a malware? That's the rhetorical question.