Tuesday, June 09, 2009

More Links

NetWitness announced on 8 June the availability of NetWitness Insight. This is a very interesting announcement, in part because, IMHO, NetWitness is the premier product available today when it comes to seeing and understanding what's happening on your network. In this case, collection of network traffic isn't the issue...it's the analysis and presentation, and that's where NetWitness products excel. The inclusion of Insight now gives the NetWitness suite of products what appears to be a DLP and vulnerability assessment capability, so that customers can find out where that sensitive data resides, as well as (according to the press release) locate vulnerable systems and prioritize remediation. As an incident responder, this is a fantastic capability...but what's still missing is the host-based response capability. Sounds like a job for F-Response!

I recently heard about a tool called MIR-ROR, put together originally by Troy Larson and then expanded by Russ McRee, both of Microsoft. Russ blogged about it here, and there's a toolsmith article available on it, as well. MIR-ROR is a batch file that is useful for running tools on a system as part of incident response; what I like about this is that Russ isn't sitting back hoping that someone does something like this; he's taking advantage of his knowledge and capabilities to put this together. And he's made it available to the public, along with instructions on how to run it. I like tools like this because they're self-documenting...properly constructed and commented, they serve as their own documentation. As always, the standard caveat applies...use/deploy tools like this as part of an incident response plan. If your plan says you need to acquire a pristine image of the drive first, you will want to consider holding off on using a tool like this...

Didier updated his disitool...I'm not even going to try to explain this one; instead, go to his blog and check it out.

Win32dd has been updated...according to Matthieu, there are some bug fixes, improvements, and some additional information about the memory state is displayed when the tool is used. Thanks, Matthieu, for the great work you've done with this tool!

While we're on the subject of memory collection and analysis, Brendan has updated VolReg to support BIG_DATA data types, due in part to Matthieu's blog post on Undocumented Vista and later Registry Secrets. Also, be sure to check out Brendan's Volatility Plugins page.

If you're a follower of Lon Solomon, at this point, you might be thinking, "SO WHAT?!?" Well, take a look at this write-up from Sophos...the part I like about this bit of malware is:

Rather than creating another file on disk, the dropper logic writes an entire PE file into the registry. The executable is stored under the key HKLM\SOFTWARE\Licenses with a randomly generated entry name.

Years ago while I was working for a security company in New Jersey, I wrote some code that would go out to a web site and grab what appeared to be a GIF image, but was in reality a PE file. The code would then disassemble the PE file into various Registry keys...the idea being that disassembling and writing it into the Registry would avoid detection by AV scanners. Then another piece of code would reassemble the PE file into the Recycle Bin and launch it. I thought that was pretty cool...but that was 8 years ago. Reminds me of that song Round and Round, by RATT..."what comes around goes around...". Hey, I wonder if we'll "see" a resurgence in the use of NTFS Alternate Data Streams, say, to hide PCI data?
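As an added example (not code from the Sophos write-up or from this blog), here is a small Python check a responder could run over the values of a key like HKLM\SOFTWARE\Licenses: it looks for an "MZ" stub whose e_lfanew points at a real "PE\0\0" signature, and otherwise flags binary values large enough to land in the big-data cells Matthieu described. The sample values, the value names and the 16 KB threshold are constructed for the example.

```python
import struct

def _fake_pe(prefix=b""):
    # Constructed stand-in for a PE image: DOS header whose e_lfanew points at "PE\0\0" at 0x80
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return prefix + bytes(dos) + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 20

# Constructed sample values, standing in for REG_BINARY data pulled from a key such as
# HKLM\SOFTWARE\Licenses (on a live Windows box, winreg.EnumValue would supply these)
SAMPLE_VALUES = {
    "InstallDate": b"2009-06-09",
    "a3f9c1": _fake_pe(),                           # whole PE stored in one value
    "b7e2": b"junk" * 8 + _fake_pe(b"\x00" * 5),    # PE embedded after some leading bytes
    "Key": b"MZ" + b"\x00" * 10,                    # "MZ" without a real PE header
}

def find_pe_headers(data):
    """Offsets where an "MZ" stub's e_lfanew field points at a valid "PE\\0\\0" signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):                 # room for a full DOS header
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if e_lfanew >= 0x40 and data[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def scan_values(values, big_value=16 * 1024):
    """Flag values holding a PE image; otherwise flag ones big enough to become big-data cells."""
    findings = []
    for name, data in values.items():
        if not isinstance(data, (bytes, bytearray)):
            continue
        offs = find_pe_headers(bytes(data))
        if offs:
            findings.append((name, "pe_image", offs[0]))
        elif len(data) > big_value:
            findings.append((name, "large_binary", len(data)))
    return findings

if __name__ == "__main__":
    for finding in scan_values(SAMPLE_VALUES):
        print(finding)
```

A dropper that splits the image across several values, the way the code I described above did, would not be caught by the per-value check; for that, concatenating a key's values in name order before calling find_pe_headers() is the obvious extension.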
