I can’t recall who tweeted it, but an excellent article was published on the analysis of what {W32/Linux/OSX}/Clapzok does. The full article can be downloaded here [Google Drive rendered PDF] and below is the brief intro:
A cross-infector of entirely unrelated platforms is typically implemented as two viruses stuck together, simply because it’s the easiest way to do it. However, if the general mechanics of file enumeration and infection are the same across the affected platforms, then a virus can implement an abstraction layer and expose APIs that each of the routines can call to perform the essential functions of find/open/map/unmap/close. This is exactly what {W32/Linux/OSX}/Clapzok does.
The virus begins by calculating the CRC32 of itself. It uses a reverse polynomial (the usual ‘0xEDB88320’) to calculate the hash value. The resulting value is used as the seed for the random number generator in the virus. The virus also relocates the pointers to the abstraction routines, according to the load address of the virus code.
More details can be found here:
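The intro above says the virus hashes its own body with the reflected CRC32 polynomial 0xEDB88320 and uses the result as its RNG seed. The following is an added example (not code from the article, its authors, or the malware) that implements that reflected, table-driven CRC32 from scratch, cross-checks it against `zlib.crc32` (the same IEEE 802.3 CRC), and feeds the result into a toy generator to show why this matters to an analyst: the seed is a pure function of the code body, so the "random" stream is reproducible for any given sample. The LCG constants, function names and the sample buffer are this example's own assumptions.

```python
"""Reflected (LSB-first) CRC32 of the kind described in the Clapzok write-up.

Added example, not the article's or the malware's code. The table is built
from the reversed polynomial 0xEDB88320 and the result is checked against
zlib.crc32. All names below are the example's own choices.
"""
import zlib

POLY_REFLECTED = 0xEDB88320  # bit-reversed form of the IEEE polynomial 0x04C11DB7


def build_table(poly: int = POLY_REFLECTED) -> list:
    """256-entry lookup table: CRC of each single byte, shifting LSB-first."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


CRC_TABLE = build_table()


def crc32_reflected(data: bytes, crc: int = 0) -> int:
    """Standard reflected CRC32: init 0xFFFFFFFF, final XOR 0xFFFFFFFF.

    The `crc` argument allows incremental hashing, exactly like zlib.crc32.
    """
    crc ^= 0xFFFFFFFF
    for b in data:
        crc = CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Sanity check: our table-driven CRC equals the library implementation."""
    return crc32_reflected(data) == zlib.crc32(data)


class SeededLcg:
    """Toy linear congruential generator seeded from the CRC.

    Shows how a hash of the code body becomes a deterministic random stream.
    The constants (Numerical Recipes LCG) are this example's own assumption,
    not the generator the virus actually uses.
    """

    def __init__(self, seed: int):
        self.state = seed & 0xFFFFFFFF

    def next(self) -> int:
        self.state = (1664525 * self.state + 1013904223) & 0xFFFFFFFF
        return self.state


def seed_from_body(body: bytes) -> int:
    """The seed is simply the CRC32 of the code body."""
    return crc32_reflected(body)


if __name__ == "__main__":
    sample = bytes(range(256)) * 4  # constructed stand-in for a code body
    seed = seed_from_body(sample)
    assert matches_zlib(sample)
    rng = SeededLcg(seed)
    draws = [hex(rng.next()) for _ in range(3)]
    print(f"seed=0x{seed:08x} first draws: {draws}")
```

Because the seed depends only on the bytes of the body, two copies with identical code produce identical streams; an analyst emulating a sample can therefore reproduce every "random" decision it makes, and any patched or re-encrypted variant with different bytes will announce itself with a different seed.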
I’ve always known that CloudPassage Halo could help facilitate forensic acquisition in cloud environments but we’ve been missing the ability to acquire disk images from target servers in a reliable, repeatable, and free manner.
After reading Ken Pryor’s excellent NBDServer blog post on Wednesday, April 10th, and while preparing for my SOURCE Boston 2013 talk entitled Facilitating Fluffy Forensics, I found myself wondering if the tool might help with investigations in public cloud environments.
InfoSec, like many professions, has a known echo chamber. The same people that joke about it are the same people that contribute to it the most.
The repetition appears in tweets, blog posts, podcasts, and at conferences.
While the InfoSec space has a fairly large echo chamber, it is also a rather harsh space in which to work. Someone makes a mistake – tweets go out, blogs are written, podcasts analyze it, and a TV reporter might conduct interviews about it. How often do people in the InfoSec space praise each other? While it might be difficult to recognize successes in InfoSec, there are far more companies that don’t make the news for negative reasons. I would like to think that the people securing the companies are doing something right or well. People that read this are probably thinking that any company not exposed for a compromise must be hiding or not sharing information. If a company is compromised and immediately takes the necessary steps to fix the problem without the company making headlines or filling a Twitter feed, is that a bad thing?
The echo chamber makes me laugh at least once a day with the overuse of acronyms and the repeated “this doesn’t work, we need to change” mentality. As I watch my Twitter feed roll by with a fair amount of negativity, I wonder where the leaders are with ideas on how to change and improve the InfoSec space. I believe that many of them are working quietly and implementing controls to keep their company or business safe. I would love to hear from them, but suspect they feel safer keeping quiet.