New Bagle; RECon REPort; DC702 Summit

Published: 2005-06-26
Last Updated: 2005-06-27 13:12:05 UTC
by Cory Altheide (Version: 1)
0 comment(s)

New Bagle Variant

We're receiving early reports of a new Bagle variant making the rounds. At the time of writing, many Antivirus products are not detecting this most recent mutation of the mass mailer. Identifying characteristics include a reference to SMS in the subject line, and ZIP attachments with various names containing an EXE named f22-013.exe with an md5 checksum of 3f123980866092fedd6bc75e9b273087. Our thanks go out to the numerous ISC readers who alerted us to this.

RECon Wrapup

I recently returned from the security conference in Montreal, Canada. RECon fills a fairly unique niche as security conferences go, as it's focus lies mainly on reverse engineering as it is used in security work in addition to more general infosec material. This was the first year of the conference, and in my opinion things went very well. I'd like to take the opportunity on this "slow news day" to discuss some of the more interesting presentations from RECon. Just to note - all of the talks were great, but I'm limited on time and space, so my apologies if I didn't include something you felt was worthwhile.

Todd MacDermid

Todd gave an enlightening presentation on the privacy-focused cross-platform IM/VoIP/file-sharing application,
. His presentation is available . Cutlass aims to be the answer to private communications even for people who aren't sure why they need private communications. By having encryption as the default setting, Todd hopes to make encrypted communication the norm, rather than the exception. It's a nice idea, and one that would hopefully prevent future .

Cédric Blancher

Cédric (of
fame) released an entertaining new tool called which allows for seamless hijacking of wireless connections via traffic injection. No longer do you have to rudely knock a legitimate user offline to ... "borrow" ... his or her connection. You can be a true gentlemanly [h|cr]acker and allow them continued usage of their/your connection! Slides, code, and links to dependencies are available at the above link.

Robert E. Lee & Jack Louis

guys had a great presentation which highlighted a few of the thousands of things wrong with the current state of web application security. They also demonstrated a useful open source web application fuzzer named "Cruiser" which found some remote code execution vulnerabilities in popular applications they were running on their production servers. Their slides are available . Cruiser should be available any day now from the page and will be part of the toolkit along with .

Jose Nazario

Jose Nazario gave a lightning-paced presentation on the simplicity of rapidly developing security tools "The Monkey Way" - aka "How To Be Leet Like Dug Song." He covers effectively using libpcap, libdnet, and libnids using various languages in order to develop the tools you need to do things that haven't been done yet. His slides are available

Pedram Amini

Pedram Amini of
demoed a fantastic new bug-hunting tool named . To summarize (and probably do the tool injustice), Process Stalking allows an exploit hunter/reverse engineer to quickly whittle away the uninteresting and unimportant functions, leaving only the "stalked" functions - functions executed while attached to the process stalker - highlighted. This radically reduces binary code auditing time, and allows the reverser to spend more time exploiting and less time fishing. Additionally (what, the awesome tool wasn't enough?) Pedram launched , an open community dedicated to supporting and sharing knowledge among reverse engineers. While the site is still under heavy development, it's already got some good content and looks to be coming along nicely.

Johnathan Levin

Johnathan gave an eye-opening presentation on the evils that can be easily perpetrated using Winsock 2
. These are essentially session-level plugins that can arbitrarily alter anything being passed into or out of Winsock. A benign example of this is the operation of the Google Desktop Search - search results from your local machine are injected into search results via a Layered Service Provider interface. Unfortunately, like many operating system features, this has a lot of potential to be abused (hellooooo spyware!). I can't located Johnathan's presentation online at the moment, but he'll apparently be presenting the material at DefCon as well, so if you're going to be in Vegas in a month, check it out. And, while you're there ...

DC702 Summit

Check out the
! It's a pre-DefCon shindig with the goal of affording easy access to various DefCon & Blackhat presenters along with other well known infosec personalities (including yours truly). This should be an intimate event with a hard limit of 200 attendees. In addition to being a great party with cool geeks, the Summit is also a fantastic fundraiser for the . They do a lot to protect (not manage) your digital rights, so this is the perfect way to give back. In the immortal words of , you've got to party for your right to fight. If you've got any questions about the Summit, please send them directly to me at

That's all for this diary, boys, girls, and prototype autonomous agents. I hope you enjoyed today's entry, and if you've got any questions or comments, you know where to reach us.


Cory Altheide

Handler Without A Cause


*"Hamfisted" is the nicest adjective I could come up with, honest.
0 comment(s)


Diary Archives