Exposing Malnet Strategies and Best Practices for Threat Protection

Blue Coat Systems 2012 Web Security Report

Malnets (malware networks) have emerged as the next evolution in the threat landscape, enabling cybercriminals to launch dynamic attacks that are often undetected for days, sometimes months. This 2012 Web Security Report highlights how the threat landscape is rapidly changing, how you can build an effective malnet defense strategy and prepare for the onslaught of mobile device attacks.

Download the report here:

formatting link

Reply to
David_B

David_B wrote in news:k0fsrv$8sj$ snipped-for-privacy@dont-email.me:

Content-Type: message/rfc822; name="Exposing Malnet Strategies and Best Practices for Threat Protection.eml" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename*0="Exposing Malnet Strategies and Best Practices for Threat Pro"; filename*1="tection.eml"

What the f*ck is wrong with you? Don't post binaries.

Reply to
Dustin

All I saw was an empty post.

Reply to
Aardvark

here is what I saw

formatting link

Reply to
Max Wachtel

formatting link
formatting link
Pay no attention to the number.

Reply to
FromTheRafters

Lol.. I made a picture for you to ask a few questions:

formatting link

Reply to
G. Morgan

I have no AV to update. I haven't run the battery low for quite some time now. I haven't customized much since reloading from the EISA factory restore partition and updating to sp3.

Reply to
FromTheRafters

Just playing with ya, I figured it was a VM or something.

Reply to
G. Morgan

Malware has adopted VM and sandbox detection and can act benign if it thinks it's being watched.

Reply to
FromTheRafters

To hide it from detection in a VM?

Reply to
G. Morgan

Sort of, more to avoid revealing its malicious action while being analyzed. For example a trojan that directs a browser to a blackhole server unless it detects a VM - in which case it sends it to Google instead. They check for certain VMs, sandboxes, or debuggers and change their own behavior if found. Many researchers use online tools, and these are being targeted for detection.

Reply to
FromTheRafters

FromTheRafters wrote in news:k0l9c8$ki3$ snipped-for-privacy@dont-email.me:

Many researchers who aren't really capable of a thorough analysis on their own rely solely on the online scanners. I for one think this is a good thing. It'll separate some real researchers from the ones who aren't actually researchers. A title undeserving if you cannot code. If you cannot read/write code, you cannot thoroughly research programs! Malware or otherwise.

So, the more the malware is aware of automated systems, the better.

Reply to
Dustin

Dustin has brought this to us :

Yep, the human brain reigns supreme.

...until about 2025 I've heard :D

Reply to
FromTheRafters

FromTheRafters wrote in news:k0mu83$5f1$ snipped-for-privacy@dont-email.me:

Well, submitting a suspect file for analysis to a 3rd party so you can claim you detect it! is kinda lame, imo. I understand doing so for verification purposes; that's just fine. At least be able to actually take the damn thing apart for study. So, the more the malware becomes aware of automated systems and the less the "researcher" really knows about the executable's internal structure, the malware is going to get ahead and I predict some companies we've seen in the past few years are going to need to hire coders, or fold.

I hope if they elect to remain in business and hire outside help to do the real work they've promised their customers they do for so long costs them serious money on the payroll. No nickel and dime shit.

Seriously. Most of the automation detection routines can easily be patched with a simple! hex edit, no actual disassembly needed. But, a lot of the malware ehh, researchers online have no programming background; thus no coder experience and so, the malware will no longer run because they don't know how to edit the executable.

I'll tell you a small story, to give you an idea of the type of researchers responsible for the stuff people use today.. I'm not trying to be arrogant or brass or anything else, I just want you to have an idea. Call it an ER horror story. [g]

Some years ago, an executable came across my desk that was aware of various apps a company used to study malware. It wouldn't properly run if it caught you using one of these apps.

I examined the file with a hex editor looking for ASCII text strings, and I'll be damned if I found the ones which control the exe/dll files it's looking for to determine if you're using one of these programs.

I found I could easily patch this executable and then, run those apps with it running, no problem. I verified this was cool later with IDA Pro and OllyDbg.

My superiors knew nothing of hex editing, including the main programmer on staff who actually developed the program we supported. Yes, you could forget many of the researchers disassembling anything. Mostly, run it in a VM/sandbox and study it. Doesn't work so well tho if the malware knows about your vm/sandbox software and you aren't actually deserving of the title you have, because you lack needed reverse engineering skills to play in this game on a serious level, so you can't fix the damn executable. HoHoHo what a mess we have for ourselves now.

I manually rebuilt some exe headers as for some reason, they were damaged in transit to us. Aside from one other person who wasn't with us in the beginning, nobody else knew how to do this. I literally scraped 22 bytes from the front of the executable, bringing the MZ back as characters 1 and 2. Piss simple.

You'd think! someone paid to research LIVE MALWARE samples would know those tricks and many many many more. They're playing with binaries you know. So, I think this is very cool. It'll separate the wannabes from those of us who actually do know how to do this stuff.

I'm tired of seeing posers on various web forums with the title "malware researcher" who aren't. It's more complex than checking out hijackthis logs and/or running other people's apps.

Some companies just don't have a bright future ahead now. [g]

That's not really that long when you consider things.

Reply to
Dustin
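Added here as a defender-side illustration of the two triage steps in the post above (realigning a binary whose header has junk bytes ahead of the MZ, and scanning its ASCII strings for references to analysis tools). This is example code, not the poster's; the sample bytes and the tool-name list are constructed and assumed, not taken from any real file.

```python
import re
import struct

# Constructed sample (not real malware): a minimal DOS/PE stub with 22 junk bytes
# prepended, mimicking the headers "damaged in transit" described in the post.
def build_sample() -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE header follows the DOS header
    pe = b"PE\0\0" + bytes(20)                  # PE signature + zeroed COFF header
    body = b"\0KERNEL32.dll\0vmtoolsd.exe\0VBoxService.exe\0wireshark.exe\0hello\0"
    return b"\x90" * 22 + bytes(dos) + pe + body

def find_mz_offset(blob: bytes) -> int:
    """Offset of the first 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature, else -1."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):             # need a full 64-byte DOS header
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            sig = pos + e_lfanew
            if blob[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return -1

def realign_image(blob: bytes) -> bytes:
    """Strip leading junk so 'MZ' is back at bytes 1 and 2; raise if no valid header exists."""
    off = find_mz_offset(blob)
    if off < 0:
        raise ValueError("no MZ/PE header pair found")
    return blob[off:]

def ascii_strings(blob: bytes, min_len: int = 5) -> list[str]:
    """Printable ASCII runs, the same thing a hex editor's strings view shows."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

# Assumed, illustrative names of analysis-environment binaries; not from the post.
ANALYSIS_TOOL_NAMES = {"vmtoolsd.exe", "vboxservice.exe", "wireshark.exe", "ollydbg.exe", "idaq.exe"}

def analysis_tool_refs(blob: bytes) -> list[str]:
    """Strings naming analysis tools: a hint the sample is environment-aware and may
    behave differently under a VM/sandbox, so dynamic-only results need a second look."""
    hits = [s for s in ascii_strings(blob) if s.lower() in ANALYSIS_TOOL_NAMES]
    return sorted(set(hits), key=str.lower)

if __name__ == "__main__":
    sample = build_sample()
    print("MZ found at offset", find_mz_offset(sample))
    print("after realign:", realign_image(sample)[:2])
    print("tool references:", analysis_tool_refs(sample))
```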

It's true, there are an increasing number of 'experts' who are just button pushing users of third party tools and I couldn't agree more about the use of a good ol' hex editor too ! (See Dave, I told you to get a hex editor)

As for clueless bosses, I've had lots of those in my time but as long as I'm learning what I want to learn and I'm allowed free access to their hardware then I'm quite happy for them to live in cloud cuckoo land and there is so much enjoyment to be had as every so often they suddenly realise that they have no clue how you do what you do...

:)

Personally I have lots of respect for the abilities of good coders, I came to programming late in life and consider myself to be a total lamer in that discipline. I have very little respect for dickweeds with a certificate and no fecking clue !

Reply to
Stan Leigh

That piece of paper hung on the wall is meaningless unless the person loves and lives for the technology. The programmers I know, even those working for the university have no diploma, they have knowledge and ability instead. The best example of meaningless diplomas is the great silliness known as Affirmative Action where the dumbest SOB's found in The Universe are handed diplomas then turned loose on an unsuspecting world to wreak havoc. O_o

TDD

Reply to
The Daring Dufas
[...]

I recently had a discussion with a very highly-educated individual about this same subject. Well ... basically the same subject ... concerning how many people there are who were privileged to go to college and who have no knowledge or abilities beyond their book learning. That assumes they *did* learn anything in college.

It's the ability to apply what you learn that makes the difference in how smart someone is ... at anything ... I think.

Reply to
Betty

A coder friend of mine once told me that he knew many IT professionals that knew a great deal less about computers than I apparently did. I have next to none in my estimation, having no practical experience nor any formal education in the field. It scared me at the time to think of all those monkeys jumping around with the keys to the kingdom.

Reply to
FromTheRafters

The really interesting part, at least to me, is how much older programmers learned compared to what's being taught in school now. Look at the languages that aren't even used by so many any more. Everything is about knowing what program can do what you want it to do, without really knowing why it happens. Talk to some guys who graduated 30 years ago and you'll know what I mean. Reminds me a lot of Space Cowboys.

Reply to
SeaNymph
