Monday, February 8, 2010

Responder 2.0 Released!

We have been slaving away long hours since early December last year, but we made it. The 2.0 release of Responder is released. It's amazing. Hard to believe, but it's been two years since we announced Responder at the CEIC show in Vegas. After so many years of coding, I have come to understand there is a big difference between building commercial products, and just building hacker tools. There is so much work you wouldn't expect going in. I would like to publicaly thank my engineering team for all their hard work.

For fun, here are some sneak peeks of Responder 2.0

Above is the REcon recorded execution timeline from a particularly nasty APT malware that plagues the DoD by constantly hopping from NIPRNet to SIPRNet and vice versa, primarily through the dreaded USB stick.

The above diagram is a second malware. This malware puts the capital 'P' in APT. We were first introduced to this one back in 2005 during a DoD infection. The above sample we obtained just a few weeks ago, and clearly it's a variant of the original - that's almost 5 years and still going strong! The diagram shows the code and dataflow for a function that enumerates machine-specific data after an infection drops, this is then sent via the C&C channel when the malware reports in. This kind of behavior is very common in persistent malware, as the bad guys need to keep track of their machine-infection inventory. A little story goes like this: location 1) this queries the uptime of the machine.. 2) checks whether it's a laptop or desktop machine... 3) enumerates all the drives attached to the system, including USB and network... 4) gets the windows username and computername... 5) gets the CPU info... and finally, 6) the version and build number of windows. Quite thorough eh?

In a nutshell, Responder 2.0 cuts through APT like butter. More Info.