DCEPT - Honeytokens for Active Directory

March 8th, 2016

James Bettke and I wrote a tool to detect attempts to escalate privileges on a Windows Active Directory domain. We read a SANS blog post suggesting an easy way to inject honeytokens into the credential cache on Windows in a way that Mimikatz or other credential-scraping tools could find it. We wrapped the idea in a server/agent model and made some tweaks - foremost being rotating the credentials per machine per day, in order to give an incident response team a timeframe and context to work from upon being alerted of an attempt to use the honeytoken credentials.

DCEPT screenshot

The project is available on Github, check it out here.

Operation Aurora: Clues in the Code

January 20th, 2010

With the recently disclosed hacking incident inside Google and other major companies, much of the world has begun to wake up to what the infosec community has known for some time – there is a persistent campaign of “espionage-by-malware” emanating from the People’s Republic of China (PRC). Corporate and state secrets both have been shanghaied over a period of five or more years, and the activity becomes bolder over time with little public acknowledgement or response from the U.S. government.

Read more…

On The New Cybersecurity Bill

May 22nd, 2009

On April 1, 2009, while the rest of the cybersecurity world was largely focused on the Conficker worm, Senators John (Jay) Rockefeller and Olympia Snowe introduced the Cybersecurity Act of 2009. Since the hype over Conficker has died down now, I’ve had a chance to review the text of this somewhat controversial bill and add my two cents to the discussion. There are 23 sections to the bill, a few of which have raised some alarm in the infosec community.
Read more…

Speaking at RSA

April 17th, 2009

The 2009 RSA conference kicks off next week in San Francisco. It looks like a busy week for me - I’ll be presenting first on Tuesday, April 21st at the SecureWorks booth on the showfloor at 1:00 PM PDT. This will be a “Conficker Q&A” session. I’ll be answering questions with the knowledge I’ve gained from reverse-engineering Conficker and also from my participation in the Conficker Working Group. So, if you have any burning questions about the threat posed by the Conficker worm, drop by the booth at that time and I’ll try to answer them.

Read more…

Conficker Eye Chart

April 2nd, 2009

I’ve been working on a few different ways to detect Conficker via a web page load. I originally came up with a javascript method but I decided to go with a simpler approach using only images. Thus, the Conficker Eye Chart was born. It’s a simple visual test you can use to evaluate a Windows PC just by surfing to that page and looking at the images. It doesn’t work if you’re behind a web proxy (since the proxy will resolve the remote sites for you, bypassing Conficker’s blocking ability). But if you are behind a proxy, you should already be getting your Windows updates (including the MSRT tool) on time and updates from your anti-virus company as normal, so you shouldn’t be infected, right?

Conficker April Fools Hype

March 27th, 2009

If you’ve been reading any news at all on the Internet in the past week, you’ve probably heard that Conficker Armageddon is approaching, and it’s scheduled for April 1st, only a few days from now. The SecureWorks Counter Threat Unit has been receiving an increasing number of inquiries asking what one needs to do to prepare for the impending April 1st outbreak.

The truth is, there will be no April 1st outbreak, despite what some of the press stories have said so far. The only thing that will happen with Conficker on April 1st is that already-infected systems will begin to use a new algorithm to locate potential update servers. There, that’s not so scary, is it?

Read more…

Clever Hack, or Carders-at-Work?

March 12th, 2009

Earlier this week, reports began to circulate in the media about Chinese hackers selling $200 USD iTunes gift cards online for 17.90 RMB (about $2.60 USD). It was explained that these hackers were able to acheive the remarkable feat of cracking Apple’s algorithm for generating the gift voucher codes, and were thus able to generate as many cards as they liked, all of which would be redeemable in the iTunes store.

Read more…

Ozdok: Watching the Watchers

January 20th, 2009

Recently, with the help of Spamhaus, we were given access to files collected from yet another Ozdok/Mega-D command-and-control server. Although we have seen the controller code before, it was surprising to learn that this variant was collecting screenshots from its victims’ computers, and that thousands of them were stored on the control server. Grabbing screenshots isn’t new for backdoor trojans, but it’s the first time we’ve seen this functionality in a spambot.

Read more…

Tracking Gimmiv with Google Earth

November 4th, 2008

Gimmiv in MalaysiaOn October 23, 2008, Microsoft released an out-of-cycle emergency patch for a flaw in the Windows RPC code. The reason for this unusual occurance was the discovery of a “zero-day” exploit being used in the wild by a worm (or trojan, depending on how you look at it). The announcement of a new remote exploit for unpatched Windows systems always raises tension levels among network administrators. The fact that this one was already being used by a worm evoked flashbacks of Blaster and Sasser and other previous threats that severely impacted the networked world.

Read more…

It Can Happen to Anyone

July 10th, 2008

Writing good antivirus software is hard. Just ask the developer at a major antivirus company who was infected with the Coreflood trojan on his personal computer for over a year. Perhaps he was just testing their product, but it seems odd to have allowed the trojan to capture some of his personal information. Fortunately the antivirus developer was not a domain administrator on the company’s network, so Coreflood didn’t spread to every other system in the Windows domain like it did at several other businesses, hospitals and government organizations.

Read more…