Tracking Moving Objects
A few images from the past few workdays of my life, and some explanation:
To the left is a tag cloud associated with vulnerabilities. These are pouring into an ASERT-internal application we use to track activity in news and vuln reports, as well as malware reports from third parties. We have tagging built into it, and it even auto-tags things based on matching tags and words that it knows. Very useful. The tag cloud here easily demonstrates that informix, MS, exploits, and remote attacks dominate the picture this morning.
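The auto-tagging described above is easy to get subtly wrong: a naive substring match makes a tag like "bot" fire on "both" and "MS" fire on "forms". The following is an added example, not code from the ASERT tool, showing one way to do keyword auto-tagging with whole-word matching and then count tags across reports for a cloud. The tag vocabulary and the sample reports are constructed for the example.

```python
"""Keyword auto-tagger plus tag counts for a tag cloud (illustrative example)."""
import re
from collections import Counter

# Constructed vocabulary: tag -> trigger words/phrases that imply it.
# The real application's vocabulary is not shown in the post.
TAG_VOCAB = {
    "informix": ["informix"],
    "MS": ["microsoft", "ms06-040", "windows"],
    "exploits": ["exploit", "exploits", "proof of concept", "poc"],
    "remote": ["remote", "remotely"],
    "irc": ["irc", "botnet", "bot"],
}

# Constructed sample reports: (manual tags, report text).
REPORTS = [
    (["vuln"], "Remote code execution in Informix Dynamic Server via a malformed request"),
    (["malware"], "New Mocbot variant spreads through the MS06-040 Windows Server service hole; IRC C&C"),
    (["vuln"], "Proof of concept exploit posted for the Microsoft Server service flaw (remote)"),
    ([], "Both forms of the PHP bug are local only"),
]


def _whole_word(trigger):
    # Boundaries are "not a letter/digit" rather than \b so that triggers
    # containing '-' (ms06-040) still match as a unit.
    return re.compile(r"(?<![a-z0-9])" + re.escape(trigger.lower()) + r"(?![a-z0-9])")


def auto_tag(text, vocab=TAG_VOCAB):
    """Return the set of tags whose trigger words occur in text as whole words
    (case-insensitive). 'bot' therefore does not fire on 'both' or 'Mocbot'."""
    lowered = text.lower()
    tags = set()
    for tag, triggers in vocab.items():
        if any(_whole_word(t).search(lowered) for t in triggers):
            tags.add(tag)
    return tags


def tag_cloud(reports, vocab=TAG_VOCAB):
    """Count, per tag, how many reports carry it (manual tags plus auto tags)."""
    counts = Counter()
    for manual_tags, text in reports:
        counts.update(set(manual_tags) | auto_tag(text, vocab))
    return counts


if __name__ == "__main__":
    for tag, n in tag_cloud(REPORTS).most_common():
        print(f"{tag:10s} {n}")
```

The lookbehind/lookahead boundaries are the point of the example: with plain `in` matching, the last report would be tagged "irc" from "Both" and the second one would get "irc" from "Mocbot" rather than from the real "IRC" mention.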
We spend some of our time analyzing malware so we can determine threats and such. We found that we couldn’t rely on external reports for enough detail. So, I used some of our internal tools over the weekend to analyze the new Mocbot that employed the MS06-040 vulnerability. Below, you can find some screenshots:
Here’s a screenshot of an ASERT-internal application that conducts active DNS tracking; I’m specifically observing some of the bot’s IRC servers and associated IPs. We can see that the authors are moving them around, and we have a good idea of when:
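The core of the DNS tracking shown in that screenshot is simple: resolve each C&C hostname on a schedule, keep the last answer set, and emit an event whenever it changes, which pins the move to the window between two polls. The block below is an added example written for this post, not the ASERT application itself; the hostname, addresses, and timestamps are constructed, and `resolve_now` is only there to show how live polling would feed the same function.

```python
"""Diff periodic DNS answers to see when a C&C hostname moves (illustrative example)."""
import socket

# Constructed observations: (ISO timestamp, hostname, set of resolved IPv4 addresses).
# An empty set means the name returned no answer (e.g. NXDOMAIN) at that poll.
OBSERVATIONS = [
    ("2006-08-12T08:00:00", "irc.example-c2.net", {"203.0.113.10"}),
    ("2006-08-12T14:00:00", "irc.example-c2.net", {"203.0.113.10"}),
    ("2006-08-12T20:00:00", "irc.example-c2.net", {"198.51.100.7"}),
    ("2006-08-13T02:00:00", "irc.example-c2.net", {"198.51.100.7", "198.51.100.8"}),
    ("2006-08-13T08:00:00", "irc.example-c2.net", set()),
    ("2006-08-13T14:00:00", "irc.example-c2.net", {"192.0.2.44"}),
]


def resolve_now(host):
    """One live A-record lookup (needs network). Returns the set of addresses,
    or an empty set when the name does not resolve, so a takedown or an
    NXDOMAIN shows up as a change rather than as an exception."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def resolution_changes(observations):
    """Return one change event per hostname whose answer set differs from the
    previous poll. 'after' is the last time the old answer was seen and 'by'
    the first time the new one was, which is as precise as polling allows."""
    last_seen = {}  # host -> (timestamp, frozenset of ips)
    events = []
    for ts, host, ips in sorted(observations, key=lambda o: (o[0], o[1])):
        ips = frozenset(ips)
        if host in last_seen:
            prev_ts, prev_ips = last_seen[host]
            if ips != prev_ips:
                events.append({
                    "host": host,
                    "after": prev_ts,
                    "by": ts,
                    "added": sorted(ips - prev_ips),
                    "removed": sorted(prev_ips - ips),
                })
        last_seen[host] = (ts, ips)
    return events


if __name__ == "__main__":
    for ev in resolution_changes(OBSERVATIONS):
        print(f"{ev['host']}: moved between {ev['after']} and {ev['by']} "
              f"+{ev['added']} -{ev['removed']}")
```

Polling more often narrows the "after"/"by" window; polling through several resolvers catches TTL games and split answers that a single cache would hide.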
What about Mocbot’s internals? I used IDA Pro to discover some things for an ATF fingerprint that we published later that day, just in time for the world to start its work week. The bot’s not that interesting when you get down to it, aside from employing a new exploit vector:
Mocbot modifies several Windows registry keys. Here are a few; they basically attempt to disable the firewall, networking, and AV. Once it’s in, it doesn’t want to go, and it doesn’t want anyone else there, either:
These are just some of the tools we use – both internal and private as well as third-party tools – that help us stay abreast of the security threat landscape. There’s a lot of good research and work being done, and a ton o’ threats. Managing (and automating) that information flow has become paramount, primarily because we just don’t have the time to manually inspect everything, and part of being efficient is to develop tools to assist those efforts. I think we’re getting there.