Multi-Stage, evolving, silent…

It seems to always come from drive-by attacks and silently waits for the C&C to provide instructions…

I drops onto the system and creates a number of registry keys with difficult to anticipate keys, and files with semi random names. That can make it hard to find, but the one key you can count on appearing is,

– HKCUSoftwareMicrosoftInternet ExplorerSettingsGateslist

The most important thing you can do to prevent the spread of Clampi/Ilomo once it is on your network is to do no work with Domain Administrator privileges. One of the most dangerous aspects of Clampi/Ilomo is its ability to log user credentials and use them to spread across your network using legitimate tools like PSEXEC.

@echo off && reg query HKCUSoftwareMicrosoftInternet ExplorerSettingsGateslist /s || echo Does not Exist!!!!

Ilomo Botnet analyzation by TrendMicro

Thats right we are trying for less then 0.8 seconds of down time per day.

Lets face it customers don’t care if its your fault that they cant reach you… they just cant reach you… They dont know if its your server or a router or your firewall or your internet WAN provider… all that they see is a service that cannot be connected to…

So…

Lets make some assumptions, average ping 50ms, from anywhere to anywhere, thats a 16 packet window… if only one user was utilizing the “stream”… thats insane… how do you guaranty that you wont lose 16 packets. Now I know any Company that thinks it needs a 5 9 service is going to have more then ONE user at a time…

So maybe 16 packets is so small that customers wont notice… but it still happened… and you’ve already blown your 9′s…

To often small and medium companies focus on making sure that their back end and servers have the 9′s but forget to factor in the rest of the world, the tubes that connect us all are not under our control… accidents and congestion happens… (occasionally black holes appear the suck up all the traffic from Youtube). Unless you’ve got the power and cash of Google your never gonna reach more then 3 9′s… if you’re moving a Million USD a minute then maybe you have a business case…

Downtime is never acceptable… but ask your self can you afford to be truly dressed to the 9′s?

The list is always changing… but there are a few things that always seem to come up.  There are items on the list that are new, but still eat at the back of my thoughts.  Some I think everyone wishes they could do.

The list includes:

• Learn To Fly.
• Train for MMA, and then fight in at least one real fight.
• Get a degree (There will be hacking, more to come on this one).
• Teach SANS 401.
• Post to this blog once a day.
• Goto cooking school, something like the California Cooking Academy
• Learn a foreign language, something like Japanese or Chinese.
• Write a book.

Not a great list, nothing that will change the world, but other then monetary gains, buying a house and such, thats what I want to do… People say the best way to get things done is to tell others your going to do them, Now I have.  Watch for updates.

(P.S. If you can help me with any of these  let me know.)