Multi-Stage, evolving, silent…

It seems to always come from drive-by attacks and silently waits for the C&C to provide instructions…

I drops onto the system and creates a number of registry keys with difficult to anticipate keys, and files with semi random names. That can make it hard to find, but the one key you can count on appearing is,

– HKCU\Software\Microsoft\Internet Explorer\Settings\Gateslist

The most important thing you can do to prevent the spread of Clampi/Ilomo once it is on your network is to do no work with Domain Administrator privileges. One of the most dangerous aspects of Clampi/Ilomo is its ability to log user credentials and use them to spread across your network using legitimate tools like PSEXEC.

@echo off && reg query HKCU\Software\Microsoft\Internet Explorer\Settings\Gateslist /s || echo Does not Exist!!!!

Ilomo Botnet analyzation by TrendMicro

!Permit HTTP port 80 traffic
access-list 102 deny tcp any any eq 80
access-list 102 permit tcp any {proxy address} eq 80

!Permit HTTPS port 443 traffic
access-list 102 deny tcp any any eq 443
access-list 102 permit tcp any {proxy address} eq 443

Deny WAN DNS to all systems except DNS server:

access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!— insert any other previously applied ACL entries here
!— you must permit other protocols through to allow normal
!— traffic — previously defined permit lists will work
!— or you may use the permit ip any any shown here
access-list 101 permit ip any any

Does “IP helper-address” help to much?

! We want this protocol.
ip forward-protocol udp bootpc
!
! We don’t want these.
no ip forward-protocol udp biff
no ip forward-protocol udp bootps
no ip forward-protocol udp discard
no ip forward-protocol udp dnsix
no ip forward-protocol udp domain
no ip forward-protocol udp echo
no ip forward-protocol udp isakmp
no ip forward-protocol udp mobile-ip
no ip forward-protocol udp nameserver
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-ss
no ip forward-protocol udp non500-isakmp
no ip forward-protocol udp ntp
no ip forward-protocol udp pim-auto-rp
no ip forward-protocol udp rip
no ip forward-protocol udp snmp
no ip forward-protocol udp snmptrap
no ip forward-protocol udp sunrpc
no ip forward-protocol udp syslog
no ip forward-protocol udp tacacs
no ip forward-protocol udp talk
no ip forward-protocol udp tftp
no ip forward-protocol udp time
no ip forward-protocol udp who
no ip forward-protocol udp xdmcp

Thank you ahead of time.

[See post to watch Video]
Video not found!

Thats right we are trying for less then 0.8 seconds of down time per day.

Lets face it customers don’t care if its your fault that they cant reach you… they just cant reach you… They dont know if its your server or a router or your firewall or your internet WAN provider… all that they see is a service that cannot be connected to…

So…

Lets make some assumptions, average ping 50ms, from anywhere to anywhere, thats a 16 packet window… if only one user was utilizing the “stream”… thats insane… how do you guaranty that you wont lose 16 packets. Now I know any Company that thinks it needs a 5 9 service is going to have more then ONE user at a time…

So maybe 16 packets is so small that customers wont notice… but it still happened… and you’ve already blown your 9’s…

To often small and medium companies focus on making sure that their back end and servers have the 9’s but forget to factor in the rest of the world, the tubes that connect us all are not under our control… accidents and congestion happens… (occasionally black holes appear the suck up all the traffic from Youtube). Unless you’ve got the power and cash of Google your never gonna reach more then 3 9’s… if you’re moving a Million USD a minute then maybe you have a business case…

Downtime is never acceptable… but ask your self can you afford to be truly dressed to the 9’s?

I’m sorry this is such a stream of consciousness.

I welcome your comments, your ideas, please let me know what you think in the comments below.

I am a Security consultant. In the last two weeks I conducted my first official incident response and policy gap analysis. It wasn’t a glamourous pen testing gig, nor was it something worthy of bragging about, but it was a most excellent opportunity. During the time I was conducting these contracts I was offered a pretty decent desk job. The job presented its own opportunities, but I just couldn’t bring myself to accept it. It wasn’t what I truly wanted. I am still finding my niche in the security field, but I know Im not built to do the same job day in and out.

I look forward to future contracts, and the challenges that will come my way. A short post, but maybe someday my Path will inspire someone else.

Most netbooks feature a SD card slot that can be booted from… why not load an OS onto the SD card that is tweaked for both the boot camp/fusion/parallels environment and the native netbook. Then you can take the netbook for IR and such… collect your data… and then easily come back to a more powerful rig for analysis.

Also with the ease of swapping SD cards you can keep different responses separate and cataloged for future review…

Its all just floating in my head… but more will come of this…

Let me know what you think in the comments.