This Blog has Moved!

This blog is moving to


Thank you for visiting! Content will remain here for archival purposes.

How to Mitigate Anonymous' Internet Shutdown March 31

In case you haven't heard, Anonymous plans to shut down the internet on March 31 to protest a multitude of issues which I'm not going to bother to get into right now.

The plan is to attack all 13 root DNS servers with Denial of Service (DoS) attacks.

By shutting down all 13 root DNS servers, a domino effect will be felt throughout the internet and eventually all DNS queries will begin to time out.

Their plan is pretty bold, and will require a tremendous number of computer systems attacking at once.

While it is unknown whether Anonymous' plan can succeed, there are a few things you can do to keep this threat from affecting your organization.

1) Don't panic. This shutdown is on a Saturday, so the number of employees this affects will be minimal.  If your organization isn't even open on Saturdays, then this won't affect your organization at all.

2) If you are open on Saturday, consider putting one of your local DNS servers in caching mode if it isn't already, and increase the DNS caching time to live (TTL) to 86400 seconds (24 hours).  Any commonly used sites should remain cached throughout the attack.  It's a good idea to revert to your original settings Monday morning.

3) Finally, if you absolutely must have access to certain websites with static IP addresses, such as business partners or suppliers, consider making available to your on-call support staff a hosts file with critical domain names and IP addresses pre-loaded, so that they can drop this file on any organizational systems which start to have DNS problems.  Once again, revert to your original settings Monday morning.
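Steps 2 and 3 both depend on having the answers cached before root-server resolution degrades. The script below is an added example for this post, not the author's own tooling: it validates a pre-loaded list of critical domain-to-IP pairs (hypothetical names with documentation-range addresses, constructed here), renders them as a hosts-file fragment between marker comments of our own choosing, and provides matching deploy and revert functions so the Monday-morning cleanup is a single call. The `snapshot_addresses` helper resolves names while DNS still works and is meant to be run ahead of the attack window; it needs network access and is not exercised offline.

```python
"""Stage and revert a hosts-file fallback for critical domains.

Added example for this post, not code from the original. Assumes a
constructed list of critical domains (hypothetical names, documentation
IP ranges) and marker comments of our own choosing so the fragment can
be removed cleanly once DNS is healthy again.
"""
import ipaddress
import re
import socket
from pathlib import Path

BEGIN_MARK = "# BEGIN critical-dns-fallback"   # assumed marker, not a standard
END_MARK = "# END critical-dns-fallback"

# Constructed input: "hostname ip" per line; a comment and a bad entry included
CRITICAL_HOSTS = """\
# supplier portal and partner ERP (hypothetical names, documentation IPs)
portal.supplier.example 203.0.113.10
erp.partner.example     198.51.100.25
broken.entry.example    999.1.1.1
"""

# RFC 1123 style hostname: dotted labels of letters, digits and hyphens
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def parse_critical_hosts(text):
    """Return (valid, rejected): valid is a list of (hostname, ip) pairs."""
    valid, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not HOSTNAME_RE.match(parts[0]):
            rejected.append(raw)
            continue
        try:
            addr = ipaddress.ip_address(parts[1])   # rejects 999.1.1.1 and the like
        except ValueError:
            rejected.append(raw)
            continue
        valid.append((parts[0].lower(), str(addr)))
    return valid, rejected


def snapshot_addresses(hostnames):
    """Resolve hostnames while DNS still works; run this BEFORE the attack
    window to build the list above. Needs network access, so not run offline."""
    snapshot = {}
    for host in hostnames:
        try:
            snapshot[host] = socket.gethostbyname(host)
        except socket.gaierror:
            pass                                  # leave unresolved names out
    return snapshot


def render_fragment(entries):
    """hosts(5) format is 'IP<whitespace>hostname', wrapped in our markers."""
    body = [f"{ip}\t{host}" for host, ip in entries]
    return "\n".join([BEGIN_MARK, *body, END_MARK]) + "\n"


def strip_fragment(hosts_text):
    """Remove any previously deployed fragment; safe to call repeatedly."""
    kept, skipping = [], False
    for line in hosts_text.splitlines():
        if line.strip() == BEGIN_MARK:
            skipping = True
        elif line.strip() == END_MARK:
            skipping = False
        elif not skipping:
            kept.append(line)
    body = "\n".join(kept).rstrip("\n")
    return body + "\n" if body else ""


def deploy(hosts_text, entries):
    """Return hosts content with the fallback fragment appended exactly once."""
    return strip_fragment(hosts_text) + render_fragment(entries)


def revert(hosts_text):
    """Return hosts content with the fragment removed (the Monday-morning step)."""
    return strip_fragment(hosts_text)


def apply_to_file(path, entries=None):
    """Deploy (entries given) or revert (entries is None) against a real hosts file."""
    p = Path(path)
    current = p.read_text() if p.exists() else ""
    p.write_text(revert(current) if entries is None else deploy(current, entries))


if __name__ == "__main__":
    entries, bad = parse_critical_hosts(CRITICAL_HOSTS)
    print("rejected:", bad)
    print(deploy("127.0.0.1\tlocalhost\n", entries))
```

Because `deploy` strips any earlier copy of the fragment before appending, staff can drop the file on a system twice without duplicating entries, and `revert` restores the original hosts content byte for byte.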

These three simple tips should help keep your organization up and running, should Anonymous actually succeed in taking down one or more root DNS servers.

For home users, I would recommend checking your local weekend weather forecast Friday evening.  If it's going to be nice out, be ready to go outside for a change, get some exercise and have some fun.  If not, consider breaking out some board games for the kids, or find yourself a nice book to read.  It's only one day, if it even happens, and it's not the end of the world.

Executable and Linkable Format (ELF) Guide

Yesterday I found a very handy guide for understanding Linux ELF files.  Great for malware analysis!

Thought I would share it with everyone else.

http://www.acsu.buffalo.edu/~charngda/elf.html

Facebook Location Sharing Enabled by Default - Another Threat to your Privacy and Safety

I noticed something disturbing today.  Ever since about the 15th of March (I noticed this on some of my friends' posts going back to the 13th), my Facebook posts have started including my location.  That's pretty disturbing, because I never enabled Facebook to share my location.  It would seem Facebook has enabled this setting by default.

In fact, if I wanted everyone to know where I am, I would have typed my location in my Facebook post.

This really becomes problematic if I were to use Facebook while on vacation.  Suddenly my posts will tell everyone I'm not home, and depending on my privacy settings, that's pretty much telling the world "hey, he's on vacation, go steal stuff from his house!".

I've noticed most of my friends' posts are including this information as well.

Facebook does provide instructions on disabling location sharing (https://www.facebook.com/about/location) but it's not very clear if these settings stick.

I urge you the next time you post on Facebook, check to see if there is a small gray box below your post which includes your approximate location.  If there is, click the X inside that box to disable location sharing.

Share this message with your friends and family on Facebook, and help them be safe online too!

Flash Farce: The Dangers of Social Media Influencing Real World Actions

We're lucky it hasn't happened yet.  Or maybe it has and we don't know it.

We've all heard how "flash mobs", protests such as "Occupy Wall Street", and even revolutions such as Arab Spring can be organized through social media such as Twitter or Facebook.

Viral videos, trending Twitter hashtags, Change.org petitions, Facebook pages...all of these are "tools" used to help bring about social change.

But how many people actually check the origins of a social change campaign or movement? And would it even do them any good?  How would anyone know the true origins, or motivations, behind an online campaign?

Linux Processes – Memory Layout, exit, and _exit C Functions

This is a great article from TheGeekStuff.com.  Very relevant for those who analyze Linux malware.

"In this article, we will discuss about the memory layout of a process and the process terminating C functions."

Linux Processes – Memory Layout, exit, and _exit C Functions

Hutizu/Huituzi - Follow the Gray Rabbit

Typing Huituzi (the Chinese phonetic string originally found in .ssyslog) into Google Translate with phonetic input for Chinese yields 灰兔子, which in Chinese apparently means "Gray Rabbit".

So, we now know the name of this amazing piece of malware.

According to Wikipedia, in Chinese literature, rabbits accompany Chang'e (the Chinese moon goddess) on the Moon. Also associated with the Chinese New Year (or Lunar New Year), rabbits are also one of the twelve celestial animals in the Chinese Zodiac for the Chinese calendar.

A very interesting note: This malware was discovered in 2011 - the Chinese year of the Metal Rabbit, or "Jīnshǔ tù" (金属兔).

The question remains - how deep does this rabbit hole go?

I'm updating all of my .ssyslog posts to include "Hutizu" since that is the official detection name.

Hutizu and Linux/Bckdr-RKC Detection Statistics

Let's take a look at current detection statistics for Linux/Bckdr-RKC.
The newer variant has been named the Hutizu backdoor by antivirus vendors.

.xsyslog - The original file placed on my honeypot.
Commonly known as Linux/Bckdr-RKC or Linux/PKC

Metascan:
1/25 detection http://www.metascan-online.com/results/ue9v7uz2yv9wvb36mdwr2s9hg3hss792
Fortinet detects as Linux/PKC.A!tr.bdr

VirusTotal:
0/43 detection https://www.virustotal.com/file/ce62318acfb28e7ad5c915b0bb7cbc256b5c682097d33d1a002ff856b21d7324/analysis/1332284106/ 

VirScan:
3/36 detection http://r.virscan.org/report/a6769c90a8c3d519201c6cdee60eea5b.html 
Fortinet detects as Linux/PKC.A!tr.bdr
Kaspersky detects as Backdoor.Linux.PKC.a

Sophos detects as Linux/Bckdr-RKC


.ssyslog - The newer variant
Commonly known as "Hutizu"

Metascan:
3/25 detection http://www.metascan-online.com/results/szab3gp39d91byh3z3ebuz64utld97m0
ArcaVir detects as Linux.Hutizu.a
Fortinet detects as Linux/Hutizu.A!tr.bdr
Ikarus detects as Backdoor.Linux.Hutizu

VirusTotal:
7/43 detection https://www.virustotal.com/file/414a142016cab43d85c7b85a61426f0d3e3c2e04b9c3a9b94d88925593aaf49b/analysis/1332284644/ 
Comodo detects as UnclassifiedMalware
Emsisoft detects as Backdoor.Linux.Hutizu!IK
Fortinet detects as Linux/Hutizu.A!tr.bdr
Ikarus detects as Backdoor.Linux.Hutizu
Jiangmin detects as Backdoor/Linux.ab
Kaspersky detects as Backdoor.Linux.Hutizu.a
Sophos detects as Linux/Hutizu-A

VirScan:
8/36 detection http://r.virscan.org/report/dac52b25964a8614bb02e119e828575c.html
a-squared detects as Backdoor.Linux.Hutizu!IK
ArcaVir detects as Linux.Hutizu.a
Comodo detects as UnclassifiedMalware
Fortinet detects as Linux/Hutizu.A!tr.bdr
Ikarus detects as Backdoor.Linux.Hutizu
Jiangmin detects as Backdoor/Linux.ab
Kaspersky detects as Backdoor.Linux.Hutizu.a
Sophos detects as Linux/Hutizu-A

This is good news, as it means anti-virus vendors are starting to detect this malware.

But the bad news is, only a small fraction of AV vendors are detecting it!

Hutizu Under the Hood

I've been looking at the strings output of .ssyslog, which is now detected by a small number of AV vendors as "Hutizu".

http://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/ssyslog/ssyslog-strings.txt

A few interesting items jumped out at me.


Mario 2012 - Help Raise Awareness!

Mario 2012 is a film and campaign by Caffeine Security that aims to make Mario the plumber famous, not to celebrate him, but to raise support for his arrest.

Please watch the video, and support this awareness campaign!

Linux/Bckdr-RKC Delivery Method Analyzed

You can tell a lot about an attacker based upon their methods of attack.
-Automated attacks happen rapidly, with no time for typing
-Manual attacks happen slowly, as the attacker has to type commands
-Typos and misspellings indicate a manual attack
-The connection string gives away what kind of operating system the attacker is using
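The four indicators above can be turned into a simple classifier over honeypot command logs. The script below is an added example for this post, not the author's analysis code: the log format, the two sample sessions and the banner-to-platform hints are constructed assumptions (PuTTY is treated as a desktop client, libssh and paramiko as scripted clients; that mapping is a heuristic, not a fingerprint). It measures the median gap between commands, flags near-misses of known commands as typos, and reads the client banner, then calls a session manual or automated.

```python
"""Classify honeypot sessions as automated or manual from command timing,
typos and the client banner.

Added example for this post, not the author's code or tooling. The log
format, the sample sessions and the banner-to-platform hints are constructed
assumptions; the heuristics are the four points listed in the post.
"""
import re
from datetime import datetime
from statistics import median

LINE_RE = re.compile(r"^(\S+ \S+) session=(\S+) client=(\S+) cmd=(.*)$")

# Constructed sample log: one scripted session (a1), one interactive session (b2).
SAMPLE_LOG = """\
2012-03-19 02:14:07 session=a1 client=SSH-2.0-libssh-0.1 cmd=uname -a
2012-03-19 02:14:07 session=a1 client=SSH-2.0-libssh-0.1 cmd=cat /proc/cpuinfo
2012-03-19 02:14:08 session=a1 client=SSH-2.0-libssh-0.1 cmd=id
2012-03-19 02:14:08 session=a1 client=SSH-2.0-libssh-0.1 cmd=w
2012-03-19 11:02:10 session=b2 client=SSH-2.0-PuTTY_Release_0.62 cmd=unmae -a
2012-03-19 11:02:19 session=b2 client=SSH-2.0-PuTTY_Release_0.62 cmd=uname -a
2012-03-19 11:02:41 session=b2 client=SSH-2.0-PuTTY_Release_0.62 cmd=cd /tmp
2012-03-19 11:03:05 session=b2 client=SSH-2.0-PuTTY_Release_0.62 cmd=ls -la
"""

# Commands a typo is measured against (small, constructed list).
KNOWN_COMMANDS = {"uname", "cat", "id", "w", "who", "ls", "cd", "ps", "pwd",
                  "whoami", "echo", "chmod", "netstat", "ifconfig"}

# Heuristic banner-to-platform hints (assumption, not a reliable fingerprint).
CLIENT_HINTS = [
    ("PuTTY", "Windows desktop (PuTTY)"),
    ("libssh", "scripted client (libssh library)"),
    ("paramiko", "scripted client (Python paramiko)"),
    ("OpenSSH", "Unix-like (OpenSSH)"),
]

MANUAL_GAP_SECONDS = 2.0   # a median inter-command gap at or above this looks typed


def levenshtein(a, b):
    """Edit distance, used to spot near-misses of known commands."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_typo(token):
    """A token that is not a known command but is within two edits of one."""
    if token in KNOWN_COMMANDS or len(token) < 4:
        return False
    return any(len(k) >= 4 and levenshtein(token, k) <= 2 for k in KNOWN_COMMANDS)


def guess_client_os(banner):
    """Map an SSH client banner to a platform label using the hints above."""
    for needle, label in CLIENT_HINTS:
        if needle.lower() in banner.lower():
            return label
    return "unknown"


def parse_log(text):
    """Group (timestamp, banner, command) tuples by session id."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than fail
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        sessions.setdefault(m.group(2), []).append((ts, m.group(3), m.group(4)))
    return sessions


def classify_session(events):
    """Apply the timing, typo and banner heuristics to one session."""
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    med_gap = median(gaps) if gaps else 0.0
    first_tokens = [cmd.split()[0] for _, _, cmd in events if cmd.split()]
    typos = [tok for tok in first_tokens if is_typo(tok)]
    verdict = "manual" if typos or med_gap >= MANUAL_GAP_SECONDS else "automated"
    return {"verdict": verdict, "median_gap_s": med_gap, "typos": typos,
            "client_os": guess_client_os(events[0][1])}


def analyze(text):
    """Classify every session found in a log text."""
    return {sid: classify_session(ev) for sid, ev in parse_log(text).items()}


if __name__ == "__main__":
    for sid, report in analyze(SAMPLE_LOG).items():
        print(sid, report)
```

On the constructed sample, session a1 issues four commands within two seconds from a libssh client and comes out automated, while session b2 types "unmae" before correcting it, pauses tens of seconds between commands and arrives from PuTTY, so it is called manual with a Windows desktop hint.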

Let's take a look at both pieces of the Linux/Bckdr-RKC malware I've received. 

Hutizu aka Linux/Bckdr-RKC and Duqu Links? Food for Thought.

I can't put my finger on it, but after looking at this article on the mystery of the Duqu Framework, and looking at my publicly posted decompilation of Linux/Bckdr-RKC, something strikes me as very familiar between the two.

I've sent this to Kaspersky, so we'll see if they get back to me on it.

Can you see any similarities?  If so, please share!

UPDATE: The virus in question is now being detected by a limited number of AV programs as the "Hutizu" backdoor.

Have you checked out the free security magazines lately, available from Caffeine Security?

Have you checked out the Latest Free IT Security Magazines and Downloads box to the right?

There are some really nice offers available right now, and none of these downloads and magazines cost a dime!

They're just another free service offered by Caffeine Security.

Access some great resources today!

The full catalog of available resources is available here: Complimentary Industry Resources

Coming Soon: Android for the Paranoid Article Series

I've decided to write a series of articles titled "Android for the Paranoid".

The articles will be an in-depth look at some of the Android security related applications out there, and how they can be leveraged by you and your organization.

If you have any apps you would like me to specifically look at, please post in the comments section below!