Praetorian Blog

Dismantling Plague Bot

Since Friday, I have been having fun reverse engineering a piece of malware called Plague bot. Overall, the bot has the typical suite of functionality, including an MSN spreader, USB infector, DDoSer, SSyn, along with download and updating capabilities. The initial binary was encrypted/obfuscated using a VB 6.0 compiled program. This wraps the binary in a VB virtual machine, effectively hiding the true binary. This fact was apparent because very few strings were visible and the binary itself imported MSVBVM60.dll. Because of the P-Code wrapping, initial static analysis was of little use, so we used dynamic reversing to extract the binary.
Rapid7 Acquires Metasploit

A few weeks ago I noticed HD posted a status update on LinkedIn that he was working on Metasploit full-time now. I thought that a bit unusual since, as far as I knew, he was still at Breaking Point. A few days later I saw open requisitions posted on a few security mailing lists for key positions on the Metasploit team. At that point it was obvious something was going on, and we all began speculating about what was going to happen next. Either HD planned to take Metasploit commercial himself or an acquisition was underway. Today, that was all proven right with Rapid7’s announcement that it was acquiring Metasploit and HD would join the company as its new CSO. While a big congratulations is in order to HD for all his hard work, I can’t help but wonder how long Rapid7 will maintain Metasploit as an open source project. According to HD, the acquisition extends beyond Metasploit and also includes rights to Warvox as well. I’m not exactly sure how many of his tools were part of the agreement or what’s in store for them now, but I immediately downloaded the latest source code for both tools as soon as I heard the news. In any case, congratulations HD! Rumor also has it he is apparently buying the rounds at the next AHA meeting to celebrate.

Cyber Policy Review Released

Melissa Hathaway’s report is finally available from the White House website. I believe we will see sweeping changes in the next 12 – 24 months regarding our nation’s efforts in securing its networks.

Cyber Security Assessment Report Due Friday

Press Secretary Robert Gibbs has just announced that Melissa Hathaway’s 60-day cyber security assessment report will be released this Friday, May 29th. The industry has been awaiting this announcement since Hathaway’s letdown at RSA this year. Most expect the report to paint a very damaging picture of the current state of the nation’s cyber security posture.

Metrics Finally Coming In

Valid, usable metrics are something that has been lacking in information security for some time. It appears that is finally starting to change, and several organizations are making independent efforts in various areas. Today, the Center for Internet Security released an initial series of metrics covering vulnerability management, patch management, application security, configuration management, and financial metrics. Companies can use this information to compare how their information security programs stack up against others. Cigital and Fortify also recently released BSIMM, which provides metrics on the software security activities performed by the companies that have adopted software security and are leading the charge. WhiteHat Security should also be mentioned for its recent metric publications focusing on web application security. All of the organizations mentioned are providing this information to the public for free and should be applauded for their efforts.