PathSecurity.com » Featured

So you got: Clampi/Ilomo

Rev. Richard E. Baker — Fri, 18 Jun 2010 21:43:25 +0000

So you got one of the most interesting pieces of Malware I have every had the displeasure of doing IR on…

Multi-Stage, evolving, silent…

It seems to always come from drive-by attacks and silently waits for the C&C to provide instructions…

I drops onto the system and creates a number of registry keys with difficult to anticipate keys, and files with semi random names. That can make it hard to find, but the one key you can count on appearing is,

– HKCUSoftwareMicrosoftInternet ExplorerSettingsGateslist

The most important thing you can do to prevent the spread of Clampi/Ilomo once it is on your network is to do no work with Domain Administrator privileges. One of the most dangerous aspects of Clampi/Ilomo is its ability to log user credentials and use them to spread across your network using legitimate tools like PSEXEC.

@echo off && reg query HKCUSoftwareMicrosoftInternet ExplorerSettingsGateslist /s || echo Does not Exist!!!!

Ilomo Botnet analyzation by TrendMicro

To the 9′s (my rant)

Rev. Richard E. Baker — Mon, 07 Dec 2009 02:00:27 +0000

System Uptime…
The 9′s…
We all know it…
We all love it…
But can we ever really reach the holy grail….
Can we get dressed up for all 5 mythical 9′s?
Let’s look at exactly what we are shooting for.

9′s Rating	Percentage Uptime	Annual Downtime	Downtime Per Day
2	99.000	3 days, 15 hours, 36 minutes	8.4 minutes
3	99.900	8 hours, 46 minutes	1.4 Minutes
4	99.990	53 minutes	8.7 seconds
5	99.999	5 minutes	0.8 Seconds

Thats right we are trying for less then 0.8 seconds of down time per day.

Lets face it customers don’t care if its your fault that they cant reach you… they just cant reach you… They dont know if its your server or a router or your firewall or your internet WAN provider… all that they see is a service that cannot be connected to…

So…

Lets make some assumptions, average ping 50ms, from anywhere to anywhere, thats a 16 packet window… if only one user was utilizing the “stream”… thats insane… how do you guaranty that you wont lose 16 packets. Now I know any Company that thinks it needs a 5 9 service is going to have more then ONE user at a time…

So maybe 16 packets is so small that customers wont notice… but it still happened… and you’ve already blown your 9′s…

To often small and medium companies focus on making sure that their back end and servers have the 9′s but forget to factor in the rest of the world, the tubes that connect us all are not under our control… accidents and congestion happens… (occasionally black holes appear the suck up all the traffic from Youtube). Unless you’ve got the power and cash of Google your never gonna reach more then 3 9′s… if you’re moving a Million USD a minute then maybe you have a business case…

Downtime is never acceptable… but ask your self can you afford to be truly dressed to the 9′s?

Review: NMAP Network Scanning

Rev. Richard E. Baker — Fri, 29 May 2009 00:50:55 +0000

I am a lucky man… I received NMAP Network Scanning as a gift, but at even double the sticker price this book is worth it. The author, Gordon “Fyodor” Lyon, can easily be described as an NMAP expert… he wrote the program the book is about after all.

The time taken by Fyodor to write not only a technical repository, but a instructional tool is amazing. Chapters on the history of NMAP, legal view points to be aware of, and not only how to use NMAP for discovery, but why this is useful. This amazing tome of information could never be called complete due to the ever changing nature of the open source software its based on, but its more then most will ever need.

NMAP Network Scanning has earned a place on the “books on my desk” shelf. It’s not just a must read, it’s a must OWN.

Review: The Visible OPS Handbook

Rev. Richard E. Baker — Tue, 26 May 2009 05:16:40 +0000

Ever had the boss walk into your office and ask “What do you do all day.” The dreaded line that can strike fear into any IT workers heart. In most organizations IT is like the janitor no one wants to see it. So if your doing your job right and no one notices the small downtime or other various issues, how do you prove that they need you. One Word:

Documentation

Most boss’ love metrics… TCO… ROI… Six Sigma CTQ’s… but how does IT fit in. In most cases ITIL is exactly what your looking for. “The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for managing information technology (IT) infrastructure, development and operations. (LINK)”

Unfortunately ITIL is also a beast. So how would you like 4 easy steps to get better then 90% of what ITIL is… well “The Visible OPS Handbook: Implementing ITIL in 4 Practical and Auditable Steps” Is exactly what your looking for. Wash, Rinse, Repeat, Condition… It is almost that easy. While following the four phase’ described you will build change management, normalized configurations, standard builds and make it easier to improve. The whole time you make you life easier and set yourself up to start baking security in from the beginning.

With process comes results. With results come numbers. With numbers you can give your boss solid metrics on how things work, and help prove you deserve that raise.