
Microsoft leads raids on the Zeus botnet and seizes its servers, Duqu is still evolving and new details have been revealed.
And we bust Anonymous’ over-hyped Operation Global Blackout
All that and more, on this week’s episode of TechSNAP!
Show Notes:
Duqu still evolving
- Researchers have recently discovered a newly compiled driver for the Duqu worm
- Duqu is unusual in that it appears to be a framework for building highly targeted malware aimed at a specific victim, as opposed to regular malware that is designed to target as wide an array of victims as possible
- Researchers believe that the number of victims targeted by Duqu could be as few as 50
- The new mcd9x86.sys Duqu driver appears to be specifically designed to evade detection by the CrySyS Lab tool built by the Hungarian researchers who initially discovered Duqu
- The new driver does not appear to contain any new functionality. Besides changing the signature to make it harder to detect, the new driver may have been necessary because the code signing certificate used to sign the old driver has been revoked
- Researchers, assisted by crowdsourced analysis and the reverse engineering subreddit, identified the language that parts of Duqu were written in as Object Oriented C, which is quite rare compared to C++
- Researchers speculate that this means the authors of Duqu are older programmers, brought up on traditional C, who did not trust the abstracted memory management and other features of C++ and were more comfortable writing C with an OO framework
Microsoft launches Operation b71, leads raid against Zeus botnet
- This week Microsoft led a coalition raid against a set of Command and Control servers for the Zeus botnet
- Microsoft was joined by the FS-ISAC (Financial Services – Information Sharing and Analysis Center), NACHA (the Electronic Payments Association) and the ABA (American Bankers Association)
- Microsoft and its co-plaintiffs filed for a temporary restraining order and a seizure order to confiscate the servers for the botnet
- The court ordered the US Marshals to seize the servers from two data centers in Chicago, IL and Scranton, PA
- The Marshals were accompanied by Microsoft’s lawyers and forensics experts to assist in identifying the machines and isolating the command and control systems
- The court also ordered the Marshals to collect 4 hours of internet traffic bound for the C&C servers before disconnecting them
- The court ordered all US based domain registrars associated with the domains Microsoft identified as belonging to the botnet to redirect them to a Microsoft controlled server
- This is the first known case of a company using the RICO Act to seize servers and domain names
- Official Legal Filings
- Security Week
- Digital Underground – Interview
- Microsoft Digital Crimes Unit Newsroom
Feedback:
Q: Simon from Australia writes to ask about the security implications of the DNS AXFR (zone transfer) request
Xonotic Server Info
- Name: JupiterColony / LAS Xonotic Server
- IP: 176.31.45.139:26000
War Story:
When Kids Attack
In summer 1999, around June, just before my son was born, I was working in tech support with IBM at night and during the days I was doing some freelance IT jobs. One job that consistently came up was teaching the basics of networking with Windows systems in some local schools. The course I wrote up covered a lot of ground and took two four-hour sessions to complete.
The curriculum I decided upon started off with about an hour covering the components of a PC and their basic functions. I explained how the BIOS on the motherboard was a kind of “proto operating system” that allowed the hardware to be manipulated at a very low level. The next portion covered how to install an operating system and then add in specific software drivers to allow the hardware to be used effectively. The operating system of choice at this point was Windows 98. Despite that, I spent a good 40% of that topic covering how DOS was the best solution for when Windows breaks. As part of the operating system tour I would make sure to cover things like the startup folder, the “new” msconfig tool, the “Run” keys and the “RunOnce” keys in the registry and even how to create keys that would allow applications to be run as if they were “services”. By the end of that four-hour session, my aim was to have the students leave with a solid and practical understanding of the magical mysteries inside a PC case. Most of the kids were in their mid-teens, so keeping their interest from topic to topic was a challenge.
When the second session came up I would roll out basic networking using real world examples in the hope that abstract theory could be simplified with visuals from all around us. To
As you can see from that lot, there were some fairly heavy topics getting crunched down into oversimplified, day to day, real world examples, but it seemed to work. I continued running the course this way for months and at one point I was asked to do some more advanced topics as follow-ups for the more interested students. There were maybe three or four of those follow-ups done and I was quite happy to see the depth of questions coming from the classes.
Some time later, maybe near to November, I got a panic call from the principal of a college that was located about 10 minutes' drive from my house. Apparently every computer in their lab was “going crazy”. None of the students were able to help and the IT teacher was actually a carpenter who did work around the college and also had some basic computer skills. I agreed to help out and drove over a couple of hours before work to take a look.
Upon my arrival I noticed that every PC, when turned on, would go through the POST process, boot up Windows 98, barely load the icons on the desktop and then instantly start to shut down. I was starting to see why they thought their computers were now possessed by some vengeful spirit of a mailman who got lost in the maze of network circuits inside the computers. Unfortunately, the solution was a little more mundane. Once I got a box into safe mode I was able to start pulling apart what was happening as Windows booted to the desktop. It seemed that someone had installed a Windows Resource Kit on every computer, which included a nifty little Shutdown application. The culprit had then created a batch file that called the shutdown application and added that batch file to another hidden batch file in the Windows directory. A RunOnce registry key was being created that would call the hidden batch file and trigger the process. It seemed that the RunOnce registry key was being created by yet another batch file that was named in the autoexec.bat file. The end result of this mess was that just as Windows booted to the desktop, the shutdown command would activate and a boot loop would ensue. Doing a little more digging, I was able to find yet another batch file that was inserting another registry entry into the Run key, thus providing two different ways for the loop to be initiated.
I tried to explain the whole thing to the principal and, while he struggled to understand the technical details, he did grasp the concept that this was a well thought out act of IT sabotage. Each computer used the same generic logon and so that offered no help in identifying the saboteur. Unless the IT teacher was an Oscar-winning actor, I was pretty sure that he wasn't the guy. The only thing I could think of was a student and I started to suspect that it would be one of the ones that I had trained. The attack showed a good grasp of batch files and Windows startup processes, but I had never shown a class how to use batch files to insert registry keys. Whoever had wrecked Windows 98 on the 70 or so computers in the college had done some research for themselves. I figured that the work to take out that number of computers would probably have taken me four or five minutes per PC for each of the 70 computers, meaning somebody had to have taken around six hours to do all the sabotage work. Everything was fine at the end of the previous school day and so it had to be an after hours job. From there we spoke with the teachers who ran the after hours classes and it didn't take long to find a student who was supposed to be in the library until around 10pm the previous night. The last teacher leaving the school said that the student had hung around from around 3pm until lock up and was supposedly working on an end of term project. When the principal brought the student to the IT room I was taken aback that it was one of the kids from my basic class who always seemed disinterested. I was truly expecting one of the kids from my advanced class to have been the culprit.
After some conversation it turned out that the student had sabotaged the PCs because his Math teacher had given them a tonne of homework for the next weekend and it meant that he wouldn’t have been able to take a girl to see Star Wars Episode 1 which was having a final screening that Saturday. I managed to get some more information from him about how he carried out the hack and it was a combination of taking the DOS training I gave him along with the Windows lessons and speaking to the father of one of his friends who was working in Microsoft doing localisation of their products. The Microsoft guy taught the student how to take the DOS commands and batch files and have them interact with the registry. A hacker was born. The principal suspended the kid and that was pretty much the end of it. I detailed how to fix the problem and left the work for the IT teacher and his backup, the maths teacher to do. So in some small way, I helped the kid to punish the maths teacher. I figured that it was the least I could do.
I don't really know too much about how the student progressed from that point, but I can tell you that I ran into him three years ago at a Windows Server 2008 industry-only event in Dublin by Microsoft. He was running the IT security for the event as part of his role with Microsoft. From little acorns, large oak trees are born. I never decided whether the kid turned to the dark side from being denied a viewing of Star Wars on the big screen or from not getting that girl to go there with him, but either way, rage led to anger, anger led to revenge and revenge led to a nice paycheck.
Maybe there is a nugget of wisdom in that somewhere, probably not since it sounds like contrived crap, but I just like how this kid took some basic lessons in IT, found them to be a toolset he could expand upon and then used it to get himself jobs in the industry. Awesome.
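The persistence chain in the story (batch files wired into the Run and RunOnce keys to fire a shutdown tool at logon) is exactly what a lab admin should audit before trusting a lab machine again. The following is an added example, not code from the show or from the listener, that parses a `.reg` export of the autorun keys and flags entries launching batch files or a shutdown utility; the registry export and its value names are constructed for illustration.

```python
# Added example: audit Run/RunOnce entries from an exported .reg file and flag
# launchers that point at batch files or a shutdown tool. The export below is
# constructed sample data; the paths and value names are made up.
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"netcheck"="C:\\WINDOWS\\NETCHK.BAT"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\WINDOWS\\SYSTEM\\CLEAN.BAT"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="shutdown.exe /l /y /c"
"""

# Only the classic autorun keys are of interest here
AUTORUN_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
# Batch-file launchers and shutdown tools are the pattern from the story
SUSPICIOUS = re.compile(r"(\.bat|\.cmd|shutdown(\.exe)?)(\b|$)", re.IGNORECASE)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg exports escape backslashes and quotes; undo that
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][m.group(1)] = data
    return keys


def find_suspicious_autoruns(text):
    """Return (key, value_name, data) for Run/RunOnce entries that launch
    batch files or a shutdown tool; other autorun entries are ignored."""
    hits = []
    for key, values in parse_reg(text).items():
        if not AUTORUN_KEYS.search(key):
            continue
        for name, data in values.items():
            if SUSPICIOUS.search(data):
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_suspicious_autoruns(SAMPLE_REG):
        print(f"{key}\\{name} -> {data}")
```

On a real machine the export would come from `regedit /e` on each autorun key; the same check also applies to the autoexec.bat and startup-folder stages the story describes, which this script does not cover.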
Round Up:
- Defense contractor creates application to hack iPhone PIN in under 2 minutes
- EFF cautions against two new sweeping cyber security bills, calls for a better balance of the public interest rather than a focus on government control of the internet
- Major US ISPs support new FCC code of conduct to help fight botnets
- Rare RAM-based malware spotted in the wild
- FTC gets behind ‘Do Not Track’ setting, asks Google and Facebook
- Microsoft confirms that they censor links to ThePirateBay via the MSN Messenger service
- ‘Anonymous’ hackers plan to shut down the Internet this Saturday
- Errata Security: No, #Anonymous can’t DDoS the root DNS servers
- Root Server Technical Operations Assn