Spam Trojan pwnage, play-by-play

It's important to do as much evaluation as possible after an incident. This not only sheds light on how you were pwned, but it also provides invaluable lessons on how not to be pwned by the same bug in the future.

To wit: one of our partner laptops was recently compromised by a spamming trojan, despite having best-in-class HIPS and antivirus (best-in-class AV isn’t saying much when the bar is so low anyway. Oh how I love to hate the current state of AV technology!).

The trojan came from a website on 12/16 while the user was at home and thus not behind one of the enterprise IPS appliances. The user visited a malicious website somewhere and Internet Explorer created the file ‘C:\WINDOWS\system32\~.exe’.

Then the file ‘C:\Temp\AEVEm.exe’ contacted a website in Russia (75.126.154.90), presumably to check in and report its existence. Then it created the directory ‘C:\WINDOWS\system32\AppCert\’ and the following files therein: wsil32.dll and wnl32.dll.

The file ‘C:\Temp\AEVEv.exe’ then wrote to boot.ini and created the file ‘C:\WINDOWS\system32\rpcc.exe’.

Then Internet Explorer renamed two files to: ‘C:\WINDOWS\system32\confmspt.dll’ and ‘C:\WINDOWS\system32\d3d8o.dll’. We don’t have records of what the original file names were.

After the two files were renamed, it looks like the machine rebooted. After the reboot, explorer.exe started attempting to send emails to Mother Russia (194.67.23.111). The HIPS firewall blocked the SMTP traffic. There were a few more reboots that day, followed by email attempts and one attempt by Outlook.exe to access ipconfig.exe.

The machine then fell into a rhythm of attempting to send emails using the following processes:

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe

There is no record of what created the AEVEm.exe and AEVEv.exe files.

Our AV didn’t detect any part of the trojan and the trojan was able to disable AV by blanking a registry key on start-up. I still haven’t found how it's doing this, as the HIPS software protects the key. It must be doing it before the HIPS software is initialized.

We ran a couple of different anti-spyware programs on the machine and CounterSpy from Sunbelt was the only one that detected ~.exe as malicious. I’m waiting with bated breath for Sunbelt to release the VIPRE stand-alone AV…

The laptop belongs to a partner and he doesn’t want it rebuilt despite our advice to nuke from orbit, so we have no choice but to try to find all the droppings the trojan left behind. The fact that it’s able to disable our AV without the HIPS even detecting it is worrisome…

Stay tuned. We still have a lot of unanswered questions.
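The timeline above is, in effect, a list of HIPS and firewall observations, and each of them can be turned into a rule that would have raised an alert on day one instead of a silent block. The following is an added example, not code from this post or from the HIPS product in question. It runs a handful of such rules over constructed log lines in an assumed key=value layout (real HIPS and firewall products log differently): SMTP from a process that is not a mail client, a browser dropping a binary into the Windows directory, a binary in C:\Temp writing boot.ini or system32, a mail client touching a recon tool, and a C:\Temp binary calling out. The IPs and paths are the ones reported in the post; the event names, the OUTLOOK.EXE path and the mail-client, browser and recon-tool lists are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines modelled on the events in the post. The
# key=value layout and the event names (FILE_CREATE, NET_CONNECT, ...) are
# assumptions for this example; real HIPS and firewall products log differently.
# The IPs and paths are the ones the post reports; the OUTLOOK.EXE path is assumed.
SAMPLE_LOG = r"""
2007-12-16 19:02:11 FILE_CREATE process="C:\Program Files\Internet Explorer\iexplore.exe" target="C:\WINDOWS\system32\~.exe"
2007-12-16 19:02:40 NET_CONNECT process="C:\Temp\AEVEm.exe" dst=75.126.154.90 port=80 action=allow
2007-12-16 19:03:05 FILE_WRITE process="C:\Temp\AEVEv.exe" target="C:\boot.ini"
2007-12-16 19:03:06 FILE_CREATE process="C:\Temp\AEVEv.exe" target="C:\WINDOWS\system32\rpcc.exe"
2007-12-16 19:10:22 NET_CONNECT process="C:\WINDOWS\explorer.exe" dst=194.67.23.111 port=25 action=block
2007-12-16 19:10:23 NET_CONNECT process="C:\WINDOWS\system32\svchost.exe" dst=194.67.23.111 port=25 action=block
2007-12-16 19:11:00 PROC_ACCESS process="C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" target="C:\WINDOWS\system32\ipconfig.exe"
2007-12-16 19:12:00 NET_CONNECT process="C:\Program Files\Internet Explorer\iexplore.exe" dst=194.67.23.111 port=25 action=block
2007-12-16 19:15:00 NET_CONNECT process="C:\Program Files\Outlook Express\msimn.exe" dst=10.0.0.5 port=25 action=allow
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<event>[A-Z_]+) process="(?P<process>[^"]+)"'
    r'(?: target="(?P<target>[^"]+)")?'
    r'(?: dst=(?P<dst>\S+) port=(?P<port>\d+) action=(?P<action>\w+))?$'
)

# Allowlists and locations. These sets are assumptions; extend them for a real estate.
MAIL_CLIENTS = {"outlook.exe", "msimn.exe", "thunderbird.exe"}
BROWSERS = {"iexplore.exe", "firefox.exe"}
RECON_TOOLS = {"ipconfig.exe", "netstat.exe", "nslookup.exe"}
SYSTEM_DIR = "c:\\windows\\"
STAGING_DIRS = ("c:\\temp\\", "c:\\documents and settings\\")
BOOT_CONFIG = {"c:\\boot.ini"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(log_text):
    """Return (findings, smtp_by_process).

    findings is a list of (timestamp, rule, detail); smtp_by_process counts
    port-25 attempts per non-mail-client process, the pattern the post describes.
    """
    findings = []
    smtp_by_process = defaultdict(int)
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the sweep
        ev = m.groupdict()
        proc, name = ev["process"], basename(ev["process"])
        in_staging = proc.lower().startswith(STAGING_DIRS)

        if ev["event"] == "NET_CONNECT":
            if ev["port"] == "25" and name not in MAIL_CLIENTS:
                smtp_by_process[name] += 1
                findings.append((ev["ts"], "smtp-from-non-mail-client",
                                 f"{name} -> {ev['dst']}:25 ({ev['action']})"))
            if in_staging:
                findings.append((ev["ts"], "staging-binary-callout",
                                 f"{proc} -> {ev['dst']}:{ev['port']}"))

        elif ev["event"] in ("FILE_CREATE", "FILE_WRITE"):
            tgt = ev["target"].lower()
            if name in BROWSERS and tgt.startswith(SYSTEM_DIR):
                findings.append((ev["ts"], "browser-drop-in-system-dir", ev["target"]))
            if tgt in BOOT_CONFIG:
                findings.append((ev["ts"], "boot-config-modified",
                                 f"{proc} wrote {ev['target']}"))
            if in_staging and tgt.startswith(SYSTEM_DIR):
                findings.append((ev["ts"], "staging-binary-writes-system-dir",
                                 f"{proc} -> {ev['target']}"))

        elif ev["event"] == "PROC_ACCESS":
            if name in MAIL_CLIENTS and basename(ev["target"]) in RECON_TOOLS:
                findings.append((ev["ts"], "mail-client-runs-recon-tool",
                                 f"{name} accessed {ev['target']}"))
    return findings, dict(smtp_by_process)


if __name__ == "__main__":
    found, smtp = analyse(SAMPLE_LOG)
    for ts, rule, detail in found:
        print(ts, rule, detail)
    print("port-25 attempts by process:", smtp)
```

The mail-client allowlist is the control that matters here: explorer.exe, svchost.exe and a browser have no business opening port 25, so a firewall block on one of them is an incident indicator rather than routine firewall noise. The same logic applies to the boot.ini write from a binary under C:\Temp. Both events were visible on the first day; the lesson is to ship HIPS logs somewhere they get looked at rather than leaving them on the laptop.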

Girls, msg me

I’ve been watching the spam spew on the unwitting Info sec Sellout blog for several days now, much like I look at the infamous tubgirl picture. It’s hideous, but still I look. My favorite of the posts is a simple one: Girls, msg me.

I imagine that the author has configured his blog to monitor an email address. Any email in that mailbox gets posted to the blog in its entirety. I use it as well, to blog from my blackberry. I too ran into problems with spam, until I set up Boxtrapper. Now only white-listed email accounts can send email to that address.

Boxtrapper sends verification emails to anyone not white-listed so that a human being is forced to respond. You can set up auto-authorization or manual authorization upon verification. But in this application, I just set it to manual and ignore any requests for authorization.

It's 100% effective in preventing the train wreck. Hopefully the author of info sec sellout returns from wherever he or she is in time to save some face.
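A minimal model of the gate described above, added here as an illustration: it is not Boxtrapper's code, and the class, method names and token format are assumptions. Allowlisted senders post directly; anyone else has their message held and is sent a challenge whose token is bound to their address with an HMAC, so a challenge lifted from someone else's inbox cannot be replayed for a different sender. In auto mode a valid reply releases the post and adds the sender to the allowlist; in manual mode, the setting the post uses, the reply only queues the message for an explicit approve() by the owner.

```python
import hashlib
import hmac
import secrets


class MailToBlogGate:
    """Challenge/response allowlist in front of a post-by-mail address.

    Models the behaviour described in the post (allowlisted senders post
    directly, everyone else gets a verification challenge, authorization is
    automatic or manual). Illustration only, not Boxtrapper's code; the
    class, method names and token format are assumptions.
    """

    def __init__(self, secret, allowlist, auto_authorize=False):
        self.secret = secret                      # server-side key for challenge tokens
        self.allowlist = {a.lower() for a in allowlist}
        self.auto_authorize = auto_authorize
        self.held = {}                            # token -> (sender, body) awaiting a reply
        self.pending_approval = {}                # token -> (sender, body) awaiting the owner
        self.challenges_sent = []                 # (sender, token): outbound challenge mails
        self.posted = []                          # (sender, body): what reached the blog

    def _mac(self, sender, nonce):
        msg = f"{sender.lower()}:{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:24]

    def _new_token(self, sender):
        # Bound to the sender: a challenge harvested from another mailbox
        # does not verify for a different address.
        nonce = secrets.token_hex(8)
        return f"{nonce}.{self._mac(sender, nonce)}"

    def _token_valid(self, sender, token):
        nonce, _, mac = token.partition(".")
        return bool(nonce) and hmac.compare_digest(mac, self._mac(sender, nonce))

    def receive(self, sender, body):
        """Inbound mail to the posting address. Returns 'posted' or 'held'."""
        sender = sender.lower()
        if sender in self.allowlist:
            self.posted.append((sender, body))
            return "posted"
        token = self._new_token(sender)
        self.held[token] = (sender, body)
        self.challenges_sent.append((sender, token))   # the verification email
        return "held"

    def respond(self, sender, token):
        """A reply to a challenge. Returns 'posted', 'awaiting-admin' or 'rejected'."""
        sender = sender.lower()
        if not self._token_valid(sender, token) or token not in self.held:
            return "rejected"
        entry = self.held.pop(token)                  # one reply per challenge
        if self.auto_authorize:
            self._authorize(*entry)
            return "posted"
        self.pending_approval[token] = entry          # manual mode: a human decides
        return "awaiting-admin"

    def approve(self, token):
        """Owner action in manual mode. Returns True if a held post was released."""
        entry = self.pending_approval.pop(token, None)
        if entry is None:
            return False
        self._authorize(*entry)
        return True

    def _authorize(self, sender, body):
        self.allowlist.add(sender)
        self.posted.append((sender, body))
```

One cost worth knowing: the challenges go to whatever address the spam forged as its sender, so a post-by-mail address under heavy spam becomes a backscatter source. With manual authorization and the requests ignored, as in the post, the gate degenerates into a strict allowlist, which is the right shape for an address only its owner should be able to post through.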

Gmail spam

Is it me or is Gmail less accurate in filtering spam from other gmail.com accounts?

Comment Spam

81.95.146.227 is trying to clobber my site with comment spam that always starts with the phrase “ka-ka-sh-ka” followed by a seemingly random 7-digit number. Luckily Akismet has been holding its own and identified it all as spam (go Akismet!). I received over 900 comments in the last 24 hours from that IP alone.

The IP is out of Panama City. I’ve emailed the ISP but I doubt it does any good.

Anyone else seeing this?
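The two signals in the post, a fixed phrase followed by a seven-digit number and a single IP posting hundreds of comments a day, are exactly the kind of thing a local pre-filter can catch before anything reaches a hosted service. The following is an added example (not Akismet's logic, which is a hosted service and not public) that applies both rules to constructed comment records: a signature match and a per-IP sliding-window rate. The rate threshold is an assumption chosen so the small sample fires; the timestamps and the second IP are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The signature the post reports: a fixed phrase followed by a 7-digit number.
SPAM_SIGNATURE = re.compile(r"^\s*ka-ka-sh-ka\s*\d{7}\b", re.IGNORECASE)

# Per-IP volume rule. The post saw 900+ comments in 24 hours from one address;
# the threshold here is an assumption chosen so the small sample below fires.
RATE_WINDOW = timedelta(hours=24)
RATE_LIMIT = 5


def classify(comments, rate_limit=RATE_LIMIT, window=RATE_WINDOW):
    """Return one verdict per comment: 'signature', 'rate' or None.

    comments: iterable of (iso_timestamp, source_ip, text) in arrival order.
    The rate rule keeps a sliding window of timestamps per IP and fires once
    more than rate_limit comments from that IP fall inside the window.
    """
    recent = defaultdict(deque)
    verdicts = []
    for ts, ip, text in comments:
        when = datetime.fromisoformat(ts)
        window_q = recent[ip]
        window_q.append(when)
        while window_q and when - window_q[0] > window:
            window_q.popleft()           # drop timestamps that fell out of the window
        if SPAM_SIGNATURE.search(text):
            verdicts.append("signature")
        elif len(window_q) > rate_limit:
            verdicts.append("rate")
        else:
            verdicts.append(None)
    return verdicts


# Constructed sample: one legitimate commenter and the flood the post describes.
SAMPLE_COMMENTS = [("2007-06-10T09:00:00", "198.51.100.7", "Nice write-up, thanks.")]
SAMPLE_COMMENTS += [
    (f"2007-06-10T09:{i + 1:02d}:00", "81.95.146.227", f"ka-ka-sh-ka {1000000 + i * 97531}")
    for i in range(6)
]
SAMPLE_COMMENTS.append(("2007-06-10T09:08:00", "81.95.146.227", "Great post, visit my site"))
SAMPLE_COMMENTS.append(("2007-06-10T09:09:00", "198.51.100.7", "One more thought."))

if __name__ == "__main__":
    for (ts, ip, text), verdict in zip(SAMPLE_COMMENTS, classify(SAMPLE_COMMENTS)):
        print(ts, ip, verdict or "ok", repr(text))
```

The rate rule is what catches the eighth comment from 81.95.146.227 even though it carries no signature; the signature rule alone would have let it through, and a signature-only filter is trivially evaded by changing the phrase.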

Lump O’ Spam

I received a big lump of blog spam this weekend and one even managed to get past Akismet (not that I’m complaining, to date Akismet has rawked for me).

What’s the world coming to?