Monday, March 10, 2008

Excellent ISC diary entry

I really enjoyed reading a recent ISC diary entry by Maarten Van Horenbeeck.

It's very important for malware researchers and forensics folks to expand their focus when dealing with intrusion incidents, regardless of whether the attacker is a white hat or a black hat. The attacker knows you are watching, and they will try to hide in plain sight. This entry involves trickery on multiple fronts. If you don't have an expert group of penetration testers attack your network quarterly, an expert group of black hat hackers might.

Stories like Maarten's help keep me interested in going to work every day.

I'd love to hear more stories like this one - if you'd like, please share them in the comments section.

Monday, March 03, 2008

CME711 - It's a howl!

Storm/CME711 is back to a 'funny greeting card' page.


(Note the "copyright error" in the image)

  • The file postcard.exe is offered by clicking on the image.
  • The file ecard.exe is offered after waiting 5 seconds.
  • The file e-card.exe is offered when clicking the 'click here' link.

Many people already watch for *card.exe with their IDS. I don't expect this to last long. Perhaps the next will be related to the anticipated U.S. Economic Stimulus Package --- or maybe Easter?

It appears this latest run drops the peers list to c:\windows\system32\diperto.ini.
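As an added example (not code from the original post or from the ISC diary), here is the kind of log check that a `*card.exe` watch implies, run over constructed proxy log lines: the loose glob that catches any `*card.exe` beside a tighter pattern limited to the three filenames the card page offers. The log format, hostnames and client addresses are assumed.

```python
import re
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the original post):
# "epoch client method url status", one request per line.
SAMPLE_LOG = """\
1204560001 10.1.2.3 GET http://lure.example.invalid/postcard.exe 200
1204560002 10.1.2.3 GET http://lure.example.invalid/index.html 200
1204560003 10.1.2.4 GET http://lure.example.invalid/e-card.exe?id=7 200
1204560004 10.1.2.5 GET http://cdn.example.invalid/discard.exe 200
1204560005 10.1.2.6 GET http://lure.example.invalid/ECARD.EXE 200
1204560007 10.1.2.7 GET http://lure.example.invalid/cards.html 200
"""

# The three lure names the greeting-card page offers (postcard.exe,
# ecard.exe, e-card.exe), plus a bare card.exe; matched case-insensitively.
LURE_NAME = re.compile(r"^(?:post|e-?)?card\.exe$", re.IGNORECASE)


def requested_filename(url: str) -> str:
    """Return the last path component of a URL, ignoring query and fragment."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def is_card_download(url: str, strict: bool = True) -> bool:
    """Flag a URL whose filename looks like the e-card lure.

    strict=False reproduces the loose '*card.exe' glob many IDS rules use
    (and fires on unrelated names such as discard.exe); strict=True limits
    the match to the names actually served by the lure page.
    """
    name = requested_filename(url)
    if strict:
        return LURE_NAME.match(name) is not None
    return fnmatch(name.lower(), "*card.exe")


def find_card_downloads(log_text: str, strict: bool = True) -> list[tuple[str, str]]:
    """Return (client, url) for every logged request that matches the lure pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash on them
        _, client, _, url, _ = fields[:5]
        if is_card_download(url, strict):
            hits.append((client, url))
    return hits
```

On the sample above the strict pattern flags three clients, while the loose glob also flags the discard.exe request.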

A few MD5s for the binaries are:
