I pitched at about 70 degrees and stuck in my lager area at about 50 degrees. After a week of not checking on it I took a gravity reading and it was still at its original gravity. No fermentation had happened at all.

I transferred it off its yeast cake into a 5gal carboy and stuck it in my ale closet to warm up so I could pitch another yeast.

After one day at 70 (even after transferring it off its yeast cake) it went crazy! Lava lamp style active fermentation. Apparently this is a lager yeast that has to ferment at ale temps? After about 10 days the gravity was at its expected terminal gravity reading. I transferred it again and stuck it in the lager closet at 50. I will let you guys know how it turns out.

For those of you not close to me, I was hired by the DoD (Department of Defense).  What does this mean?  Well you will never again hear the words “today at work…” uttered again.  That does not mean I will lacking topics to post about.

My security research at home is picking up again.  Expect posts on the topics of forensics, anti-forensics, malware and possibly a new pentest tool or two.

It’s nice to be back and for those of you reading this, thank you for sticking it out and visiting again.

The traffic mostly (82 of the 84 events today) originates from sequential IPs out of China.  This immediately raises alarms with me.

Upon further examination I discovered even stranger patterns.

• destination port tcp/2550
• source port is tcp/80
• Over the last 24 hours 82 attempts had been made (and blocked) by Chinese
• All Chinese IPs target 1 specific host
• 2 attempts from US data centers to two other IPs
• Further correlated searches on source IPs returns little else outside of what I normally see on the firewall
• Digging back 30 days indicates that today was the first time such traffic has hit me

Port 2550 is associated with a protocol called ADS (Automation Device Specification) created by Beckhoff for use in their TwinCAT system.  This information meant absolutely nothing to me.  I have never heard of the protocol, company for product so I started digging.

It’s for embed systems.  Its billed as “PLC and Motion Control on the PC” meaning that it could be used for automating just about anything.

“TwinCAT consists of run-time systems that execute control programs in real-time and the development environments for programming, diagnostics and configuration. Any Windows programs, for instance visualization programs or Office programs, can access TwinCAT data via Microsoft interfaces, or can execute commands”

According to the “Applications and Solutions” section of their website it can be used for Robotic Assembly automation, Building/HVAC Automation, Water Treatment and Management, Semiconductor Manufacturing, Medical engineering, the Energy Industry and so on.  These all seem like pretty tempting targets if I was interested taking over a countries infrastructure.

Odder still… I port scanned the target server and it does not have anything running on that port.  I also have historical port scans going back months (so I can detect when new listeners are launched) and it was never open.

Am I missing any known malware that operates on that port?

I think I’m going to send some of this output to the SANs internet storm center to see if they know anything about it.

Today alone I have received 4 copies of an email with the subject line “2 Populaar Myths About Female Orgasms -  How to Become an Irresistible Lover” containing an attachment named “Preview.app Document”.

I haven’t had a chance to analyse the .app yet, but I think its safe to assume that its malware of some sort.

The good news is that OS X is still built well.  If I double click it thinking its a document its going to tell me “Hey stupid!  This is an app that was downloaded from the Internet.  Are you sure you want to run it?”.  Maybe not in those exact words.  At that point if I say – “I thought I was opening an document, but sure, lets run this app-like-document” – then I deserve to be infected.

For all the detail oriented folks here are the headers (bold are items changed to protect my info):

Return-path: <efflrescent@aperfectmix.com>
Envelope-to: MY_ADDRESS
Delivery-date: Fri, 01 May 2009 09:39:27 -0400
Received: from [87.18.181.177] (helo=ksecb.telecomitalia.it)
by myserver.mydomain.com with smtp (MyMail Dameon)
(envelope-from <efflrescent@aperfectmix.com>)
id 1LzsxZ-0000Ib-JG
for MY_ADDRESS; Fri, 01 May 2009 09:39:27 -0400
Message-ID: <49FAF79E.9745295@aperfectmix.com>
Date: Fri, 01 May 2009 13:39:25 -0100
From: Chesner <efflrescent@aperfectmix.com>
MIME-Version: 1.0
To: MY_ADDRESS
Subject: 2 Populaar Myths About Female Orgasms -  How to Become an Irresistible Lover
Content-Type: multipart/mixed;
boundary=”————32D524EA4E2E67F07C94899F”
X-Spam-Status: No, score=3.8
X-Spam-Score: 38
X-Spam-Bar: +++
X-Spam-Flag: NO

The body contains no data.

In the VM world this type of vulnerability is an absolute worst case, but are very rare.

On April 10th CVE-2009-1244 was released stating that a number of VMWare products are vulnerable to VM escapes.

You should patch as soon as possible if you are running:

• VMware Workstation 6.5.1 and earlier
• VMware Player 2.5.1 and earlier
• VMware ACE 2.5.1 and earlier
• VMware Server 1.x before 1.0.9 build 156507
• VMware Server 2.x before 2.0.1 build 156745
• VMware Fusion before 2.0.4 build 159196
• VMware ESXi 3.5
• VMware ESX 3.0.2, 3.0.3, and 3.5

Per the CVE this vulnerability:

allows guest OS users to execute arbitrary code on the host OS via unknown vectors, a different vulnerability than CVE-2008-4916.

This also validates why all of the best practice documents recommend that VMs of different sensitivity levels be run on physically separate hosts and/or clusters.

SANs Internet Storm Center reports that an exploit is available ‘in the wild’ for a fee.  They also provide a link to the following video of someone allegedly leveraging this exploit.

I think this will be a good way to detect new services and potential malware infection, but what about machines that are already infected?

To fix that I wrote in a function that parses the output for known malware ports.  The only problem is that I cant find a definitive list of known malware ports.  Does anyone know of such a resource?

*** Loaded C:\WINNT\system32\KERNEL32.dll differs from file image:
*** File timestamp:         Wed Apr 18 12:25:36 2007
*** Loaded image timestamp: Wed Apr 18 12:25:37 2007
*** 0x77e40000  0×102000  5.02.3790.4062  C:\WINNT\system32\KERNEL32.dll

Now I can think of lots of malicious reasons why this would be.  In fact I recently wrote on one of these reasons.   But I cant think of any legitimate reasons.

I’m not one to jump to conclusions without having evaluated all possibilities but my research is turning up almost nothing.

Can anyone think of a legitimate reason why windows would load kernel32.dll and then something alter it as its going into memory?

Thanks guys.

I remember a couple of years ago all the small form factor optiplex’s I had suffered from a bad cap on the motherboard.  Eventually all of them just die.

My whole team at work have the same model workstation and the PSU went on each of them, one by one.

I have a service tag – the “serial number” unique to each computer – and type it into their site looking for drivers.  You would think, being that this tag is unique, that they could look up your computer and give you your network card drivers, your video driver etc.  NO!  Instead they give you the choice to download every driver for every chipset that was ever used on that given model.  Why do I have this service tag?!  Why don’t I just type in the model?!  Its the same results!

After all that people still buy these pieces of crap.  They never even question why that is.

http://www.dallasnews.com/sharedcontent/dws/news/localnews/transportation/stories/013009dnmetzombies.1595f453.html

I have an issue of 2600 magazine from about 5 years ago that contains that default password.  I had always thought it would be funny if did something like this.  They even changed the default password.  How perfect.

DISCLAIMER: I do no endorse the “hacking” of morons who don’t change default passwords.

This article reinforces many of the things I have been telling people for a very long time, but for whatever reason never sinks in.

I should probably first speak about how adware works. Most adware targets Internet Explorer (IE) users because obviously they’re the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you’re using IE, then either you don’t care or you don’t know about all the vulnerabilities that IE has.

IE has a mechanism called a Browser Helper Object (BHO) which is basically a gob of executable code that gets informed of web requests as they’re going. It runs in the actual browser process, which means it can do anything the browser can do—which means basically anything.

Aside from reinforcing that Internet Explorer is a poor choice to use for web browsing (unless you enjoy collecting and cleaning malware… you know, for practice), it also outlines an interesting new technique that I recently witnessed as I was cleaning a machine.

If you also have an installer, a little executable, you can make a Registry entry and every time this thing reboots, the installer will check to make sure the BHO is there. If it is, great. If it isn’t, then it will install it. That’s fine until somebody goes and deletes the executable.

The next thing that Direct Revenue did—actually I should say what I did, because I was pretty heavily involved in this—was make a poller which continuously polls about every 10 seconds or so to see if the BHO was there and alive. If it was, great. If it wasn’t, [ the poller would ] install it.

During my live analysis of this machine I used the ms/sysinternals filemon program to watch for a bit and noticed explorer.exe doing something similar to what the author describes.

34139    6:32:11 PM    explorer.exe:2916    OPEN    C:\NTDETECT.COM:QebiesnrMkudrfcoIbamtykdDa.exe:$DATA    NOT FOUND    Options: Open  Access: Read

The article explains how they will create a seemingly random named file (a hash of the mac address) and use that as the installer.  This one appears to be a variant on the technique that takes it a step further and uses hidden data streams (or alternate data streams). These are data streams that I had previously detected and removed.

The article also has an interesting point about evasion.

Next we made a function shuffler, which would go into an executable, take the functions and randomly shuffle them. Once you do that, then of course the signature’s all messed up. [ We also shuffled ] a lot of the pointers within each actual function. It completely changed the shape of the executable.

In the virology and malware world this is known as polymorphism, and is a very effective technique for evading most anti-virus/spyware programs.

Now the truly frightening part mentions using interrupt handlers instead of executables and states that they decided not to do it.  Because the concept is written, someone will run with it.

There was one further step that we were going to take but didn’t end up doing, and that is we were going to get rid of threads entirely, and just use interrupt handlers. It turns out that in Windows, you can get access to the interrupt handler pretty easily. In fact, you can register with the OS a chunk of code to handle a given interrupt. Then all you have to do is arrange for an interrupt to happen, and every time that interrupt happens, you wake up, do your stuff and go away. We never got to actually do that, but it was something we were thinking we’d do.

What this all boils down to is that the malware authors once again have leap frogged the anti-virus industry.  Microsoft also needs to take a more proactive role in securing IE and Windows against these sorts of threats.

The days of recycling the old code as variants is over and its time that we prepare ourselves for a whole new world of malware threats.