Monday, February 8, 2010

Responder 2.0 Released!

We have been slaving away long hours since early December last year, but we made it: Responder 2.0 is released. It's amazing. Hard to believe, but it's been two years since we announced Responder at the CEIC show in Vegas. After so many years of coding, I have come to understand there is a big difference between building commercial products and just building hacker tools. There is so much more work than you would expect going in. I would like to publicly thank my engineering team for all their hard work.


For fun, here are some sneak peeks of Responder 2.0




Above is the REcon recorded execution timeline from a particularly nasty APT malware that plagues the DoD by constantly hopping from NIPRNet to SIPRNet and vice versa, primarily through the dreaded USB stick.




The above diagram is from a second malware. This malware puts the capital 'P' in APT. We were first introduced to this one back in 2005 during a DoD infection. The above sample we obtained just a few weeks ago, and it's clearly a variant of the original: that's almost 5 years and still going strong! The diagram shows the code and data flow for a function that enumerates machine-specific data after an infection drops; this data is then sent over the C&C channel when the malware reports in. This kind of behavior is very common in persistent malware, as the bad guys need to keep track of their machine-infection inventory. The little story goes like this: location 1) queries the uptime of the machine; 2) checks whether it's a laptop or desktop machine; 3) enumerates all the drives attached to the system, including USB and network; 4) gets the Windows username and computer name; 5) gets the CPU info; and finally, 6) gets the version and build number of Windows. Quite thorough, eh?


In a nutshell, Responder 2.0 cuts through APT like butter. More Info.

Thursday, February 4, 2010

See You in Sac-Town at ISSA

I will be giving a talk on APT at the Sacramento Valley Chapter of the ISSA on Feb 19th. This should be fun, since Sac-Town is my home turf. When I first thought of moving to Sacramento I had horrid fears, but these were unfounded. Sac is a really cool place in California. Not just because it's the Capital, but it has great and diverse ethnic restaurants, more trees than you can count, and EPIC FISHING within an hour's drive in any direction. It's also a great place for a tech company right now. Way better than the Valley. Housing is much more affordable, and there is a great hiring pool with HP, Intel, and two major universities in the area. There are numerous initiatives to support small business growth, including tax incentives to build out on either Mather or McClellan AFB (I drive past Mather on the way into HBGary in the morning). Sac has hacker history too, callbacks to the old days. HBGary already reached out to the locals last year when Penny outfitted the Sac PD with free copies of Responder Field Edition. In the local area we have given memory forensics training at the International High Technology Crime Investigation Association (HTCIA) and the Internet Crimes Against Children Task Force (ICAC). There is a lot going on around here and I'm glad to be a part of it.

Tuesday, February 2, 2010

Is the term ‘malware’ eclipsed by ‘APT’?

I am wondering why we need to change the term 'malware' to 'APT'. APT stands for 'Advanced Persistent Threat', and the term was cooked up by the Department of Defense to describe malware that worked, as opposed to malware that got caught. The term APT has been in the press since the very public Google hacking incident. I like the term APT, but I still wonder why we need it. To its credit, APT is a great term because it accurately describes the problem. On the other hand, it also confuses people. It makes APT sound different and new, when in fact nothing is new.

Many of us have been analyzing malware for years, and functionally the malware today is just the same as it was three years ago, but back then we didn't call it APT. This got me wondering why people change the terms used to describe something, in security or anywhere else in life. For this malware and APT thing, the best I could come up with is that many existing security companies adopted the term 'malware' many years ago, and thus their product offerings became tightly associated with the word 'malware'. Over the last few years, as people within the DoD and elsewhere realized that their existing security investment wasn't adequate to protect their networks, instead of calling the investment a failure for missing the malware, they decided to call the missed malware by a new name. Think: "This isn't malware; it's something new, so of course the millions we've spent don't address it!" A stretch?

The fact is this: malware has always had the ability to be updated in the field, it has always been able to be remotely controlled, and it has always had the ability to spawn a remote shell to a live attacker. It has always had the ability to scan the file system for files like source code and CAD drawings, and it has always had the ability to exfiltrate those files. At all times and without exception, these malware programs have been operated by real and persistent humans at the other end. The malware doesn't operate itself; it's not an automaton. For the last 365 days, I just called that malware.