Security is a Journey, not a destination.

Archive for the ‘Research’ Category

So you got: Clampi/Ilomo

Posted by admin On June - 18 - 2010

So you got one of the most interesting pieces of Malware I have every had the displeasure of doing IR on…

Multi-Stage, evolving, silent…

It seems to always come from drive-by attacks and silently waits for the C&C to provide instructions…

I drops onto the system and creates a number of registry keys with difficult to anticipate keys, and files with semi random names. That can make it hard to find, but the one key you can count on appearing is,

HKCU\Software\Microsoft\Internet Explorer\Settings\Gateslist

The most important thing you can do to prevent the spread of Clampi/Ilomo once it is on your network is to do no work with Domain Administrator privileges. One of the most dangerous aspects of Clampi/Ilomo is its ability to log user credentials and use them to spread across your network using legitimate tools like PSEXEC.

@echo off && reg query HKCU\Software\Microsoft\Internet Explorer\Settings\Gateslist /s || echo Does not Exist!!!!

Ilomo Botnet analyzation by TrendMicro

Featured, Research, Updates

Portable Power: Fun with SD Cards

Posted by Richard E. Baker On June - 12 - 2009

I have been reading a support article by Apple about the SD slot on the new MacBook Pro’s (LINK), and I think I have come up with an excellent way to use it.

Most netbooks feature a SD card slot that can be booted from… why not load an OS onto the SD card that is tweaked for both the boot camp/fusion/parallels environment and the native netbook. Then you can take the netbook for IR and such… collect your data… and then easily come back to a more powerful rig for analysis.

Also with the ease of swapping SD cards you can keep different responses separate and cataloged for future review…

Its all just floating in my head… but more will come of this…

Let me know what you think in the comments.

In Progress, Research, Updates

Degrees of Vulnerability

Posted by Richard E. Baker On June - 3 - 2009

The Path to Information Security sometimes seems like the road to hell. Security is not something that has a completely flat path. There are layers, not like the desirable parfait, but like an onion. Like the hell that Dante discribed at each layer lives an even worth threat, a worse sin committed.

Threats and vulnerabilities do not seem to be categorized the same way. LOW, MEDIUM, HIGH… RED, YELLOW, GREEN… It doesn’t mean anything. Threats should be categorized and ranked based on the ease of exploit, the level of automation available, and the ease of remediation.

And thats where HELL comes in…
The rings of HELL
Nine Levels with the center being the dreaded 0-day… with limbo or level 1 populated by 100% automated attacks… things “script kiddies” use and should always be plugged because its super easy. Each level gets harder. Each level of attack requires a increasing level of skill to accomplish, but can also have a higher degree of remediation. I propose such a scale due to the complaints Ive seen, and heard about some testers ignoring “script kiddie” stuff, or claiming “you don’t test for that, because anyone can do it”… But thats the point… If any one can do it you need to fix it first, you need to fix it faster, and then you get to move onto the “l33t” hacks. 30 minutes to hack with a super “l33t” 0-day or 5 minutes with a script…

Its Up to us the InfoSec community to make these issues meaningful to the suits and systems admins we work with. Its our JOB to do the basic’s, because there are plenty of people who will try the basic’s on us.

In Progress, Research

About Us

Path Security is run by Richard E. Baker. Richard has been working with computers since he found an old Apple IIe in the bin outside of his elementary school. One man trash and all, the video connector was soon fixed and soon consumed more time on the TV then the Nintendo. Who else remembers Apple Basic? He is currently refocusing on the Information Security Path. Come and walk the Path.

Recent Posts

Recent Comments