.

Don't drink the water.

<<

g00d_4sh

User avatar

Sr. Member
Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Wed Aug 26, 2009 5:46 pm

Don't drink the water.

So a member of my local DC group is a system admin for a military group that is stationed in Afgan.  Long story short, their whole infrastructure got jacked with a virus.  They are having a heck of a time removing it (generally just wiping).  Heh, good part?  He sent us back the files!  Wooo!  So, if any of you are interested in a fun Afgani comp virus, pm me and I will see about hooking you up.  :P  That is...if I trust you and you arn't totally new to the group.  I don't feel quite comfortable giving virus code to those who havent' been in the group for a bit.  Should be a fun thing to take appart though, which is what we'll probably be doing in our DC group for next month's meeting.

-4sh
"Bad.. Good?  I'm the guy with the gun"
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Aug 26, 2009 6:08 pm

Re: Don't drink the water.

Not going to ask for a copy, because I fall under the new clause. I wouldn't know what to do with it if I had it anyway.

I'm just wondering if it would be possible to make some kind of training document from what you do with it?

I know, I'm asking a lot. Just looking for good ways to learn things, from people who would know what they're doing.
OSWP, Sec+
<<

g00d_4sh

User avatar

Sr. Member
Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Wed Aug 26, 2009 6:21 pm

Re: Don't drink the water.

No problem Chris.  Since it is not a virus that's been circulating around for a bit.. and from where I am getting it, I didn't want to throw it out there to everyone and their uncle.  Since...

1)  It could hose your system if you arn't very careful.
2)  I don't want to feel responsible for #1
3)  I dont' want it circulating around since no AV apparently can get rid of it yet.

You can get a lot of viral code out there to play with and check out.  Dean is pretty badass at that sort of thing.  He probably has quite a few bits sitting around.  Tons of sites have repositories of it as well to work with.  I'm sure there are others here who either have custom bits of stuff, and have far more experience with working with it than I.  They would be much better people to talk to about starting on working with this stuff... since I really dont' want to feel responsible hehe. 
"Bad.. Good?  I'm the guy with the gun"
<<

g00d_4sh

User avatar

Sr. Member
Sr. Member

Posts: 394

Joined: Tue Sep 18, 2007 1:50 pm

Location: Guayaquil, Ecuador

Post Wed Aug 26, 2009 6:27 pm

Re: Don't drink the water.

And certainly, I can do a writeup of what my DC group and I find when we have our monthly meeting and play with it.  :) Should be fun times.  BBQ, beer, and playing with malcode... what more could one wish for a Summer Sunday?
"Bad.. Good?  I'm the guy with the gun"
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Aug 26, 2009 6:50 pm

Re: Don't drink the water.

4sh

I wouldn't want to be responsible for it getting out and causing problems elsewhere either. I think what I'm interested in is:

1) what is making it so hard to clear
2) what kind of things to look for on a network that indicates it's there (original detection, in general)
3) What this bad boy is using as an entry vector
4) what your test environment is like

If I was setting this up, which I lack the hardware for at this time, I'd do a chrooted virtual window's box on a system I don't mind destroying the hard drive out of afterward. Although that seems a little expensive when I think about it (constantly going through hard drives).

What's the best way to get involved with a local DC group? I tried to join a local Perl Monger's group once, but they hardly ever met, and when they did, they wanted to focus on showing off what they (the host's company) was working at the time. (*edit: turns out the local DC is no longer DC, it's now ArbSec...)

I'll also remember to shop smart, shop S-Mart. :)
Last edited by rattis on Wed Aug 26, 2009 6:57 pm, edited 1 time in total.
OSWP, Sec+
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Aug 26, 2009 7:44 pm

Re: Don't drink the water.

g00d_4sh, I wouldn't mind getting a copy for reversing purposes.  It's not one of those nasty buggers that detects VmWare, or worse, tries to jump it, is it?  Also, is it in English?  I don't want you to get into any sort of trouble either, just so that I can play with a new toy :)

PS.  I will not spread it, at least not purposely.  If it spreads from my machine, it's likely that my machine will have perished.  ;D
~~~~~~~~~~~~~~
Ketchup
<<

jason

User avatar

Hero Member
Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Wed Aug 26, 2009 7:54 pm

Re: Don't drink the water.

If you do a writeup on it, I'd be interested in seeing it.
<<

blackazarro

User avatar

Sr. Member
Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Wed Aug 26, 2009 11:08 pm

Re: Don't drink the water.

I would like a copy.
Security+, OSCP, CEH
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Wed Aug 26, 2009 11:37 pm

Re: Don't drink the water.

I think I am currently too busy with other things so that I can't take a look at myself, but I would appreciate to take a look at your research paper.

As already pointed out by Ketchup, keep in mind that there are techniques which allows malware to detect if it is debugged in a virtual machine and behave in a different way than it would usually or even escape from it and attack your host system. Therefore you may consider to debug it on a seperate physical machine if you can afford one.
<<

RoleReversal

User avatar

Hero Member
Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Aug 27, 2009 5:29 am

Re: Don't drink the water.

awesec wrote:I think I am currently too busy with other things so that I can't take a look at myself, but I would appreciate to take a look at your research paper.


I fall into the same camp at present, and if it's causing the military this many headaches it likely beyond my current reversing skills anyway. Would definitely be interested in anything you manage to discover though.

Keep us in the loop and thanks for the offer, wish I had time to have a play...

(P.S. try not to hose your systems ;) )
<<

nightmare44

Newbie
Newbie

Posts: 10

Joined: Mon Jul 13, 2009 7:19 am

Location: Maryland

Post Thu Aug 27, 2009 7:31 am

Re: Don't drink the water.

Hey man can I get a copy? I'd like to reverse it in one of my malcode analysis VM's.. What DC group are you IN?
<<

Bane

Post Thu Aug 27, 2009 10:42 am

Re: Don't drink the water.

I would like to get a copy. My organization has international presence in 30 or so countries. So, I would definitelly like to get ahead of this one, even if it is a localized threat.

Return to Malware

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software