Silicon Shecky

Infosec Practitioner


Attribution, why it can sink us

October 26, 2017 By Michael Kavka

Attribution is tough. We all know that. We all question it. Some of our jobs might depend on it. Yet, through it all, we have a lot to learn about it.

I bring this up because I feel it is an elephant in the room. We as infosec professionals, and even amateurs, have a desire to know the who, what, where, when, why and how of security events and incidents. It helps us plan out our defenses. It allows us to show our worth to those outside our field. Attribution needs to be done carefully. This article from SC Magazine has an interesting statement in it, and it will be our example to work with at the moment. About halfway through the article the following statement is made:

Malwarebytes took this a step further and reported BadRabbit was produced by the team behind Petya/NotPetya, although the security firm did not offer any evidence to back this theory.

Malwarebytes is a well known and respected company. Their software has been used by millions. They are also putting their credibility on the line with this sort of statement. Everything I have seen so far on BadRabbit is that it uses some methods similar to NotPetya (and I have not seen evidence attributing NotPetya to the original Petya author(s) either). It is not using much, if any, code from NotPetya. In fact, the biggest issue I have with this statement, as just a statement, is that they offer no evidence for a very certain attribution. Now, imagine you are a news company like CNN, FOXNews, or any of the other well known ones that are not dedicated to infosec. You have people keeping track of cybersecurity feeds, looking for news to pick out of them. You see news about BadRabbit and go to Malwarebytes for their take on it, knowing this is a trusted company. They give you the above statement, you run with it, and the general public now thinks it is all the same. Weeks or months down the line, the attribution is shown to be false, a retraction is issued, and now trust is broken. The other side effect is the general person asking why they should listen to the world of information security when we get attribution wrong. How many quickly attributed things wind up changing or being questioned as time goes on?

Think about it. Look at what is going on with Kaspersky and what sort of attribution is pointed at them by the U.S. Government, and yet no evidence has been shown publicly. Look at how our own community has reacted. Heck, look at the Sony hack a few years ago and what went on over attributing it to North Korea. Look at the inside joke we have about it always being North Korea, China or Russia that is responsible for X malware or breach.

The human psyche is a strange creature, but a couple of things are certain from what I have seen. First, we are an impatient species. We want everything now, immediately; otherwise it is no good. This is an evolution that has occurred because of how society has changed over the last few hundred years. Second, like computer systems, our world is built on trust: who we trust, what information we trust. Once that trust is broken, it takes a long while to get it back, if it comes back at all. Basically, it is the boy who cried wolf syndrome. This is true inside the infosec community and outside it. The more initial trust you have in someone or something, the more likely you are to forgive blunders. After all, nothing and no one is perfect. Go outside your community, though, and that trust level becomes thinner and thinner.

So how do we fix this? The simplest and easiest way is to not give in to having to be first in claiming something. Take the race out of it. Allow time to gather all the facts and properly analyze them. Second, well, that is to learn lesson one, and make sure that those above you understand it. Remember, an ounce of prevention is worth a pound of cure.

Filed Under: Rants, Security Tagged With: Attribution, BadRabbit, Malwarebytes

Fake Software Viruses take a new turn

May 24, 2011 By Michael Kavka

We all know about the Fake AV, Fake Security Center, and similar malware. I’ve started running into a new variant, one that is a bit more of a pain.

I would say that 75% of my job winds up being removing malware from clients' machines. I find it annoying, and I really would love to find a way to rid the world of the scourge of malware, but that is a rant for another time.

I’ve watched the malware come in waves over the years: the spyware craze of the early 2000s, the Melissa and I Love You viruses, the start of the Fake (insert software here) malware. The Fake software ones have been merely annoying, and pretty easy to remove with standard tools, at least until now.

Over the last couple of weeks, I’ve run into a new version of the Fake software malware. This one not only claims you have problems, but then turns around and, at minimum, hides folders on the machine so it seems that you’ve lost most everything. One variant even removes most of the system restore points and hides essential folders. This second one is the biggest pain to remove.

Combofix, Malwarebytes, and Superantispyware will find and remove the malware, but repairing the damage done to the machine is time consuming: resetting permissions, unhiding folders (and sometimes having to dig down to find which folder is still hidden), and repairing the system restore feature on XP (go to %windir%\inf\sr.inf, right-click it and choose Install to repair it).

I know that the underworld of the internet makes a lot of money off malware, but this is just getting ridiculous. One would think that machines with up to date antivirus software should be able to stop this stuff, but obviously they don’t. It does make me wonder how different the variants are.

Filed Under: Rants, Security Tagged With: cleaning, combofix, FakeAV, Malware, Malwarebytes, Repair, Virus

Malware everywhere with some new tricks

October 19, 2010 By Michael Kavka

So as the malware war continues, I have found that the fake AV virus has learned a new trick or two. The latest version I dealt with had a new rootkit in it that prevented combofix, malwarebytes and superantispyware from running. Of course, it is not smart enough to stop those pieces of software from running if you change the names of their executables.

I suggest using combofix from bleepingcomputers.com first. Download it, rename the executable to comboxif.exe, and do not let it update. The autoupdate will have problems because of the infection. Just download the latest one available and run it.

Once combofix has run, all the other anti-malware programs should run without any issues or needing to rename them.

Filed Under: Computers, Security, Software Tagged With: combofix, fake AV, Malware, Malwarebytes, Rootkit
