DNSChanger resolver shutdown deadline is March 8th

Published: 2012-02-20
Last Updated: 2012-02-20 23:05:35 UTC
by Rick Wanner (Version: 1)
2 comment(s)

The ISC has written a number of diaries about DNSChanger in the past, including this excellent diary by a number of ISC Handlers, so I am not going to rehash the history.

With the FBI's March 8th deadline for disabling the DNSChanger resolvers rapidly approaching, the predictable fearmongering is beginning in the blogosphere and the regular press. Rest assured that DNSChanger infected a relatively small number of computers compared to most infections, and turning off the temporary resolvers will barely be blip on the Internet. There are some suggestions that the FBI may extend this deadline to permit companies to complete their cleanup. Frankly I am on the fence about whether or not an extension is a good idea.  I certainly don't want to entertain the possibility that the companies that I do business with, and entrust my personal information to, may take more than 4 months to cleanup a known malware infection.

The fact is that DNSChanger has provided us a rare opportunity.  DNSChanger itself never reached its full potential because of the FBI's intervention, but analysis of DNSChanger infected computers has revealed that computers infected with DNSChanger are nearly always infected with a range of other malware including malware that disables automatic updates and antivirus products.  Others have been found with credential stealing Trojans and rootkits. Certainly the detection of this sort of malware should result in immediately taking the computer off the network and rebuilding it.

The symptoms of a DNSChanger malware infection are relatively easy to detect. From shortly after the FBI's Operation Ghost Click was revealed, the DNSChanger Working Group (DCWG) provided instructions on how to determine if your computer is infected, and shadowserver.org has made reports available which permit anyone who owns their own address space to reliably detect the presence of DNSChanger infections, and by extension associated malware.

In the last month or so another way of detecting DNSChanger infected computers has been made available.  Several countries have launched eyechart sites which will tell you if the machine you are on is infected with malware. For the most part these sites follow the pattern of dns-ok.CC where CC is the country code of the hosting country.  Some that are available are dns-ok.us (U.S.), dns-ok.ca (Canada), dns-ok.de (Germany), dns-ok.be (Belgium) and I am sure many others.  They all follow a familiar pattern.  If the site is a friendly green your computer is not infected with DNSChanger, a not so friendly red requires further investigation.

One caveat.  It appears that in relatively rare circumstances, DNSChanger may infect SOHO routers.  So although the eyechart may be red, it may not be the computer you are on that is infected.  It may be the router.  Either way you know that some investigation is warranted.

Please consider using these available tools to cleanup malware infections on your network...before the FBI turns off the resolvers.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

2 comment(s)

Simple Malware Research Tools

Published: 2012-02-20
Last Updated: 2012-02-20 16:46:34 UTC
by Pedro Bueno (Version: 1)
0 comment(s)

A lot of people ask me what kind of tools I use for malware research.

That's definitely a really broad question, because sometimes each malware may need a different approach. However, there are some simple tools that can help on a first approach and sometimes will give all the answers you need, without the need to go deeper on more complete debuggers and disassemblers as OllyDbg and IDA Pro, which by the way are two great tools!

For this diary I am not considering exploits, like pdf or java exploits, but just plain PE files ( EXE and DLLs). 

As part of my "first look kit" I use the pescanner python script from Malware Analysis Cookbook, which the authors made available here .

This script can give you some valuable information about the PE file, like the PE Sections, Version information (if available), and compilation date. Because there are some known bad indicators, the script will also print out the [SUSPICIOUS] word when it finds one of those indicators, such as strange compilation date, and strange entropy values found on the PE Sections.

Once you are used to the analysis, a simple look on this will help you to identify possible malicious files. Since it was based on Ero Carrera's pefile python module, you can modify and add additional features if you think is necessary. One addition I did on mine was to show if the file contains an overlay. On a few situations you should see valid overlay in files, and it is very common to find parasitic virus including its code as an overlay on the PE file.

Another great tool that I use is called HIEW (Hacker's View) hex editor. It is a really complete "old-style" tool. I mean old style because it uses a DOS window, there is no GUI...:)

It has a lot of features, from a complete HEX editor, an ASCII view of the file, and a "Decode" view, where you are presented with a disassembler. It also contains several shortcuts with pre-defined functions, as to show you the basic PE information, the number of sections, the entry point address and much more. 

It also allows you to go straight to section you want or jump to a specific address on the file, list the imports and exports and even edit the file.

It is a paid tool available here , but it contains a free version (6.50) which does not contain all features but can definitely give you a feel of it.

There was a open source product called Biew that had almost the same features of Hiew, but seems that it is not being updated since 2009.

Another tool that I've been checking lately is called HT Editor, that is a promissing project. It still doesnt have a lot of feaures but I like it. You may check it here



Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure

0 comment(s)
ISC StormCast for Monday, February 20th 2012 http://isc.sans.edu/podcastdetail.html?id=2338

The Ultimate OS X Hardening Guide Collection

Published: 2012-02-20
Last Updated: 2012-02-20 02:04:54 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

Many security professionals tend to use OS X systems. Maybe for the nice and shiny looks, or the Unix under pinnings that make it a great platform to run current tools. However, the operating system itself isn't exactly "secure out of the box" and like all operating systems can profit from some additional hardening tricks. 

I have recently looked over a number of OS X hardening guides, and found that not many specifically address the latest version of OS X (Lion, 10.7), nor are they necessarily well maintained. Instead of coming up with another (soon to be outdated) guide, I am trying to come up with a "meta guide". If you know of a good hardening guide for OS X: Please let me know. Also, if there are any tricks that you find useful (or things that fired back and didn't work at all): Let me know too. 

Most notably: Apple released a guide for each version of OS X up to Snow Leopard, but I can't find one for Lion. Does it exist?

Here are some of the guides that I have sound so far:

Apple: http://www.apple.com/support/security/guides/
NSA Guide: http://www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf
Mac Shadows: http://www.macshadows.com/kb/index.php?title=Hardening_Mac_OS_X
Univ. Texas: https://wikis.utexas.edu/display/ISO/Mac+OS+X+Server+Hardening+Checklist
Center for Internet Security: http://benchmarks.cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.os.unix.osx



Johannes B. Ullrich, Ph.D.
SANS Technology Institute

7 comment(s)


Diary Archives