Security is a Journey, not a destination.

Archive for the ‘Featured’ Category

So you got: Clampi/Ilomo

Posted by admin On June - 18 - 2010

So you got one of the most interesting pieces of malware I have ever had the displeasure of doing IR on…

Multi-Stage, evolving, silent…

It seems to always come from drive-by attacks and silently waits for the C&C to provide instructions…

It drops onto the system and creates a number of registry keys with difficult-to-anticipate names, and files with semi-random names. That can make it hard to find, but the one key you can count on appearing is:

HKCU\Software\Microsoft\Internet Explorer\Settings\Gateslist

The most important thing you can do to prevent the spread of Clampi/Ilomo once it is on your network is to do no work with Domain Administrator privileges. One of the most dangerous aspects of Clampi/Ilomo is its ability to log user credentials and use them to spread across your network using legitimate tools like PSEXEC.

@echo off && reg query HKCU\Software\Microsoft\Internet Explorer\Settings\Gateslist /s || echo Does not Exist!!!!
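The one-liner above only checks the hive of the user running it; since HKCU is just the current user's branch of HKEY_USERS, other logged-on users' hives go unchecked. The following PowerShell sweep is an added example, not code from the original post: it looks for the same Gateslist key in every loaded user hive, and assumes it is run with rights to read other users' hives (typically an elevated prompt).

```powershell
# Added example (not from the original post): sweep every loaded user hive for
# the Clampi/Ilomo indicator key named above. Assumes it runs with rights to
# read other users' hives under HKEY_USERS (typically an elevated prompt).
$GateslistSubKey = 'Software\Microsoft\Internet Explorer\Settings\Gateslist'

function Find-GateslistKey {
    # Returns one object per loaded user hive in which the indicator key exists.
    $hits = @()
    # Only real user SIDs (S-1-5-21-...), skipping the *_Classes companion hives.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
    foreach ($hive in $hives) {
        $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$GateslistSubKey"
        if (Test-Path -LiteralPath $keyPath) {
            # Capture the values stored under the key as well; they are IR evidence.
            $values = Get-ItemProperty -LiteralPath $keyPath |
                Select-Object -Property * -ExcludeProperty PSPath, PSParentPath, PSChildName, PSDrive, PSProvider
            $hits += [pscustomobject]@{
                Sid    = $hive.PSChildName
                Key    = $keyPath
                Values = $values
            }
        }
    }
    return $hits
}

$results = @(Find-GateslistKey)
if ($results.Count -eq 0) {
    Write-Output 'Gateslist key not found in any loaded user hive.'
} else {
    Write-Warning "Gateslist key present in $($results.Count) user hive(s) - possible Clampi/Ilomo infection."
    $results | Format-List
}
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so those profiles are not covered by this sweep.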

Ilomo botnet analysis by Trend Micro

Review: NMAP Network Scanning

Posted by Richard E. Baker On May - 28 - 2009

I am a lucky man… I received NMAP Network Scanning as a gift, but at even double the sticker price this book is worth it. The author, Gordon “Fyodor” Lyon, can easily be described as an NMAP expert… he wrote the program the book is about after all.

The time taken by Fyodor to write not only a technical reference, but an instructional tool is amazing. It has chapters on the history of NMAP, legal viewpoints to be aware of, and not only how to use NMAP for discovery, but why this is useful. This amazing tome of information could never be called complete due to the ever-changing nature of the open source software it's based on, but it's more than most will ever need.

NMAP Network Scanning has earned a place on the “books on my desk” shelf. It’s not just a must read, it’s a must OWN.

Review: The Visible OPS Handbook

Posted by Richard E. Baker On May - 25 - 2009

Ever had the boss walk into your office and ask “What do you do all day?” The dreaded line that can strike fear into any IT worker's heart. In most organizations IT is like the janitor: no one wants to see it. So if you're doing your job right and no one notices the small downtime or other various issues, how do you prove that they need you? One word:

Documentation

Most bosses love metrics… TCO… ROI… Six Sigma CTQs… but how does IT fit in? In most cases ITIL is exactly what you're looking for. “The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for managing information technology (IT) infrastructure, development and operations. (LINK)”

Unfortunately ITIL is also a beast. So how would you like 4 easy steps to get better than 90% of what ITIL is… well, “The Visible OPS Handbook: Implementing ITIL in 4 Practical and Auditable Steps” is exactly what you're looking for. Wash, Rinse, Repeat, Condition… It is almost that easy. While following the four phases described you will build change management, normalized configurations and standard builds, and make it easier to improve. The whole time you make your life easier and set yourself up to start baking security in from the beginning.

With process comes results. With results come numbers. With numbers you can give your boss solid metrics on how things work, and help prove you deserve that raise.

About Us

Path Security is run by Richard E. Baker. Richard has been working with computers since he found an old Apple IIe in the bin outside of his elementary school. One man's trash and all, the video connector was soon fixed and it soon consumed more time on the TV than the Nintendo. Who else remembers Apple BASIC? He is currently refocusing on the Information Security Path. Come and walk the Path.