Friday, December 11, 2009

Some New Stuff

In case you hadn't noticed, Matt posted recently that F-Response works on Google Chrome OS! Very cool! That's another one for Matt, and in this case, he wasn't even trying!

From the SANS Internet Storm Center, I found an interesting link on cheatsheets for analyzing malicious documents. This took me to Lenny Zeltser's site where he not only has the info up on a web page (click links to get the tools), but also PDF and DOCX versions of the sheet. Lenny also hosts a series of cheatsheets, some of which look quite useful.

In addition to the CyberSpeak and Forensic4Cast podcasts, Andy and friends have come out with Episode 0 of the Southern Fried Security podcast! The podcast faded in and out several times, but I have to say that I really enjoyed the fact that the guys discussed the business end of patch management...too often this sort of thinking is missed by purely technical guys, whether during incident response activities or pen tests.

In The "News"
I usually don't follow The Register, but I did see something come across a list recently that talked about "RAM scrappers" which, of course, caught my eye. A couple of things struck me as interesting about this article, in large part due to the fact that when I was working for a QIRA-certified organization conducting PCI forensic assessments, I (and others) saw incidents involving this sort of malware. These types of incidents involve extremely targeted attacks, as one of the malware components dumps the virtual memory of several specifically-named processes...which, from the card swipe at the POS terminal through authorization and processing, is the only place where the track data is unencrypted. One of those things that isn't quite right in the article, however, is that you won't expect to find Perl scripts on the system, as Windows doesn't ship with Perl installed...what you'll find is a Perl script (used to parse the virtual memory dump for track data) "compiled" using Perl2Exe with no switches...that last part will make sense to anyone who is involved in IR/DF and has some knowledge of Perl2Exe.

It appears that at least some part of the article was based on this Verizon Business data breach investigations supplemental report (thanks to Jamie for the link!)...drop down to page 20 and you'll see what I'm referring to. Notice that the Case Example section lists four file names...three EXE and one BAT...and the Indicators section refers to "perl scripts". If this were the case, one would think that there would be at least one file listed with a .pl extension.

Don't get me wrong...I'm not knocking the article or the report at all. I think that this kind of thing is great to see, but I do think that to the discerning eye, this sort of thing does open up some questions, as well as an opportunity for sharing...not only amongst analysts, but also with LE.

Speaking of sharing, let's not forget the ITB...the Into The Boxes e-zine coming out in the not-too-distant future!