More reports of RBOT using ASN.1 vuln
We are getting more and more reports of the use of the ASN.1 vuln in an rbot variant. This is using one of the ASN.1 vulns patched by MS04-007. The exploit is borrowed from an existing proof of concept. For more discussion see this article on the vuln-
This was previously mentioned in the diary on the 3rd of June as possibly rbot attacking IIS' authentication methods.
This is the report from VirusTotal for the samples we've seen:
Windows Integrity tracking
Having just suffered from a violent system crash, I'm in the perfect place to start tracking everything that is done to my system. My concern is that recently I ended up having to do multiple rebuilds not because I knew my system was compromised but because I couldn't be confident that it wasn't. After running all the rootkit detection tools, AV tools, spyware/adware tools, forensic tools, etc. that I could find, I still didn't have complete confidence.
So with my nice clean build, I'm setting a goal of having complete tracking of the state of the system. I want to know anything that executes and anything it calls and when anything of that sort changes. I started by looking around for integrity tools and trying to choose one that would make it easy to track all this (cause I'm going to get a lot of noise, I realize that).
Before you ask, yes, I've hardened the build. Yes, I use tools like InControl, the application control built into my personal firewall, WinInterrogator, WinAudit, BHO Demon, AdAware, Spybot S&D, two different AV products, Rootkit Revealer, everything Sysinternals makes, and those are just the ones that come to mind without trying. I've tried everything I can find to track this sort of stuff. None of them give me the level of visibility and assurance I want & need. So, I've been brought to this.
At the moment, the ones I'm trying are Xintegrity Professional and Osiris. Xintegrity offers a free trial and has a clean interface. It seems to crash on occasion, but I'm putting up with that for now. Osiris is free and (as far as I know) only offers a command-line interface, but that's fine. I've started by building a baseline of the entire system. As I add new software, I'll update the baseline to include the freshly installed software. I'm in the process of identifying the files that are going to change (legitimately) frequently. Once I have those, I'll likely remove most of them from the checks.
Why would I do this? Why not trust my AV software, my personal firewall, my anti-spyware tools, my bootable forensics distro, and everything else? Simply because none of them offer the simple confidence that I want: that I know everything that is going to execute on my system, be it BHO, DLL, EXE, or Firefox extension, and I want to know when any of them or any of their configurations change. I don't trust my OS, I don't trust any of the software running on it (if the recent months have shown us anything, it is that Firefox, as it gains popularity, has at least as many vulnerabilities showing up as IE does), and our tools for dealing with this just seem to stink (or at least fall short of the goal by a good distance).
What do y'all do to help deal with this issue? If there is an interest, I'll post updates in the diary from time to time.
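As an added illustration, not a tool from the diary or either product named above, here is a minimal baseline-and-diff in Python that does what the entry describes: snapshot a directory tree by content hash, report what was added, removed or modified between runs, and flag the files that churn on every run so they can be moved to an exclusion list. The directory layout and glob patterns are assumptions.

```python
import fnmatch
import hashlib
import os


def file_digest(path):
    # SHA-256 of the content; size/mtime checks alone are easy to fool.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exclude=()):
    """Relative path -> digest for every file under root, skipping paths
    that match an exclusion glob (the known-noisy files)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not any(fnmatch.fnmatch(rel, pat) for pat in exclude):
                baseline[rel] = file_digest(full)
    return baseline


def compare(old, new):
    """Added, removed and modified paths between two baselines."""
    common = set(old) & set(new)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in common if old[p] != new[p])}


def churn_candidates(snapshots, threshold=2):
    """Paths modified in at least `threshold` consecutive snapshot pairs:
    the legitimately volatile files that belong on the exclude list."""
    counts = {}
    for prev, cur in zip(snapshots, snapshots[1:]):
        for p in compare(prev, cur)["modified"]:
            counts[p] = counts.get(p, 0) + 1
    return sorted(p for p, n in counts.items() if n >= threshold)
```

Run `build_baseline` once after a clean install, again after each software change, and feed the sequence of snapshots to `churn_candidates` to see which paths are only noise.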
Finally, Apple has released patches for a whole slew of vulnerabilities:
Jun 9th 2005