• Analyze suspicious code for signs of Malware, viruses, and exploits
• Identify and research new attack techniques
• Research product improvements to help detect and eliminate security threats

Skills required:
• Hands on experience at identifying Windows malicious code
• Reverse engineering Windows executables
• Working knowledge of exploitation tools and techniques
• Experience with Win32 packing and unpacking technologies
• Understanding of x86 assembly language, C/C++, Java, and scripting languages such as PERL

We are also looking for a software engineer to join our team. This developer will be in charge of the development and maintenance of the backend infrastructure used here at Sana Security. This position is fast-paced and plays a key role in the success of the company.

• Plan and manage the development of mission critical internal applications
• Develop applications for automation and reporting of security related information
• Work with the product team to coordinate new features into the back end system

Skills required are

• Strong server application development skills
• Professional experience developing and maintaining database driven Java, J2EE, and Perl applications
• Experience planning and developing database schemas
• Experience working with Linux, Apache, MySQL

Please contact Jeremy Pickett

Resilient Infrastructure for Network Security

This covers a model that I originally wrote about in a paper in the Complexity journal (available here). I have updated the model somewhat in these slides. The talk argues that traditional security models (consisting of prevention, detection and response) fail in the face of very fast attacks (e.g. worms) or very slow ones (information stealing malware). The slides talk about possible technologies that can augment prevention, detection and response to give better performance on fast and slow attacks.

Combining Endpoint and Network Defenses

This looks at the properties of common defenses on the network and endpoint for malware, and looks at how they stack up when implemented in different places, to make sure that adding defenses in the network and the endpoint result in better security.

Hello,
Thank you for your interest in my car. I gladly inform you that it is still on sale so you are right on time.
Sorry for the delay, as I am staying in the hospital right now. As I have to cover all the costs myself, I am selling it and the deal is very good for you. The car is in an excellent good condition. Please, follow the link and download all the specific information about the car:
http://url_removed/myalbum.exe
As soon as you download it, you will have all the necessary data:
description, photos, and other
details. Please, make sure you are well acquainted with the info so that your decision would be reasonable. The car is in excellent condition, no accident. Thank you.
Please, reply ASAP and feel free
to ask any questions.
P.S. To watch the pictures you are to save the portfolio on your computer and launch it.

And surprise surprise myalbum.exe is not photos, but a nastly piece of malware, similar to the Rootkit.Hearse discussed in previous blogs.

premier forum in the Department of Defense (DoD) to enhance attendee’s professional skills and knowledge of systems and software technologies and policies, enabling them to improve the capabilities they provide to the warfighter.

The talk covers some of the trends behind modern malware, and looks in detail at the arms race in technologies between attacker and defenders. It shows how some of the aspects of modern malware, such as hiding with rootkits, mutating, being split into multiple cooperating components and resisting removal result because they exploit weaknesses in security software. It also covers how new technologies such as heuristic signatures, and Sana's behavior based detection and removal technology can have a sustainable impact on the problem.

One of the sites is still actively infecting machines. It attempts to download several pieces of Spyware, Adware, and Trojans, in addition to the rootkit. The rootkit has two pieces: the first piece is a device driver named 'zopenssld.sys', and a DLL named 'zopenssl.dll'. The device driver appears to cloak any file named 'zopenssld.sys' or 'zopenssl.dll' regardless of where they reside, though the malicious versions are located in the System32 folder.

While the DLL was invisible on the file system, it is visible as an injected DLL in many running processes. Since zopenssl.dll registers itself as a Winlogon.exe extension and does not run as a process, most users would never see it, and it can survive even in safe mode.

The Trojan appears not to be active at all times, but it does wake up and start communicating when it sees a user browsing to a website that requires authentication. To view it in action, a virtual machine was infected with the rootkit and Trojan, and then the user browsed to http://bankofamerica.com, and entered a fake username and password. All of the network traffic was recorded, and after ending the web browser session, the Trojan communication became apparent.

After further investigation, it was determined that this Malware was sending information to a web server located in Russia. Ironically, this web server was not secured, and any user browsing the site could view the information that was being stolen.

According to the dates on this web server, it has been active since at least the 16th of March. The oldest stolen data observed was from the 19th of March. Based on the sheer amount of data that has been stolen, the infection has been more than tripling in size every day.

Finally, just want to give a big thanks to sysinternals and the developers of ethereal for making such great tools (rootkit revealer, process explorer, filemon, autoruns, and ethereal).

http://itpolicy.princeton.edu/pub/sonydrm-ext.pdf

So on that note, some phishers have taken a step forward in sophistication. According to several articles (one of which is here: http://www.boingboing.net/2006/02/14/phishers_trick_inter.html ), a phishing site was erected that not only looked like the legitimate bank, but it had an SSL certificate issued from Geotrust, and assurance from Choicepoint that they were the genuine article.

What do we do if even jaded security professionals can get duped, and the mechanisms that are in place to assure individuals about who we should trust and who we should shun are compromised?

I do think that incidents such as this will raise awareness in the trusted authority community that scammers are now actively targeting them. While I love that SSL certificates are no where near the price they were five years ago, I do believe that improvements in fraud detection from the cert authorities will enter an arms race similar to that of the malware/anti-malware dynamic.

With the recent Nyxem worm, Sana's SafeConnect detected it without signatures. By the time we had analyzed it, only one other anti-virus company had a signature for the sample that we had. Within the next 4 days, the other 22 odd anti-virus products that we test against duly added signatures for the worm.

The customers of the last product to get a signature would then have had a "zero-day" attack possibly proceeding for 4 days!

We will also be showing some information about the malware that we have found (and removed!) from the beta program.

You can sign up from http://www.sanasecurity.com.

21% of workers allow family and friends to access the internet.

51% of workers connect their own gadgets to their computers.

McAfee also identified 4 sterotypical types of employee that put organizations at risk

• The Security Softie – This group comprises the vast majority of employees. They have a very limited knowledge of security and put their business at risk through using their work computer at home or letting family members surf the internet on their work PC.
• The Gadget Geek – Those that come to work armed with a variety of devices/gadgets, all of which get plugged into their PC.
• The Squatter – Those who use the company IT resources in ways they shouldn’t (i.e. by storing content or playing games).
• The Saboteur – A very small minority of employees. This group will maliciously hack into areas of the IT system to which they shouldn’t have access or infect the network purposely from within

What is often lost in these types of analysis is the business benefits of more freedom, as opposed to the business losses due to security issues. There is often a knee jerk reaction to clamp down, while a bigger picture view might swallow the risk of attack in the face of happier and more productive employees.

See also Bruce Schneier's blog entry on this

It also does some generic measurements of whether executables are packed.

Many of us were wondering what had happened to all the worms. My take on it was that it was simply due to chance: with usually no more than two major worms in any year, there is a high probability there will be no worms at all.

There are a few very interesting features about the Zotob incident. One is the loss of the patching window - the worm started spreading 5 days after Microsoft announced the vulnerability. Myself and other security experts have been talking about this likely occurrence for years, although 5 days still seems slow to me. I expect that soon it will be no more than 24 hours.

And what will we do then with patches and AV signatures if the worm prevents an infected machine from getting help? This truly could be the death of signature-based systems, as Vincent Weaver, senior director of Symantec's security response team said:

"Using signatures as a primary defense is no longer effective today"

No wonder there is a growing emphasis on heuristics and behavioral approaches that don't need signatures.

Another interesting aspect is the "war" that erupted in the wake of Zotob. Evidently, multiple varieties of malware (11 different types according to F-Secure) were all attacking the same vulnerability, and competing for control of the host, for example, trying to remove competing bots. Clearly, there are multiple worm writers on the loose, so the idea that no one wants to write worms any more is just dead wrong (see point 2 in my previous post).

Even more interesting, from the point of biomimicry, is that computers are becoming battlefields for malware, just as our bodies are battlegrounds for microbes. This could be a dangerous trend, because it gives malware authors the incentive to make their malware more virulent, so that they get to the victim first. On the other hand, it may be a good thing, by increasing the soft selection on malware. Who knows, perhaps Zotob would have been worse if it weren't for all the subsequent competing variants? Whatever the case, digital life progresses apace - this will not be the last worm we shall ever see!