May 23, 2016

Don’t make these people mad.

By Daniel

It’s been a good week. I want to get the gaming stuff out of the way because I have something entertaining to talk about. I picked Diablo 3 back up over the weekend and man it feels like a whole different game compared to launch. Fantastic. Got a new wizard from 1 to 70 and cleared my first rift without a death. Only on Hard, mind, which is like the 2nd easiest difficulty out of 10. But I think I’ll be down that rabbit hole for quite a while.

Anyway, what I really wanted to get into. I wrote two weeks ago that I wanted to get into malware analysis and research. So I have been, meeting new people and getting in some circles. Twitter is the go-to community for this line of work, as the rapid response time and ability to talk to people you’d never met before both work in its favor.

My experience with trying to get into the inner circle of a new community is that you should bring something to the party. So I did, in the form of the Practical Malware Analysis starter kit, which has been a smash hit and got me a little credibility for the cost of about five hours on a Saturday morning collecting the stuff I would’ve gotten at some point anyway. I also wrote up a piece on using GPOs to neuter some malware. Between the two, I earned a little cred.

That’s led to good things. I can’t be specific yet because the virus is still live and the author isn’t aware, but thanks to a community-provided sample, a few other guys and girls and I got our hands on some new ransomware before any large campaign got underway. We were able to extract data from the software sample, and with a combination of internet sleuthing, intuition and a little luck, we’ve accomplished two big things:

  1. We added a backdoor to the ransomware, to decrypt any infection when we desire.
  2. We were able to identify the man’s name, age, and the university he attends. Unfortunately, said university is in Morocco, so I don’t think the FBI is terribly interested.

What’s crazy is that this isn’t some sort of test, something from the Practical Malware Analysis lab questions. This is real malware with real consequences for the people that get infected with it. The whole reason I wanted to get into this is to make a difference and I think I managed to do so in my first week.

Don’t misunderstand, I got a bit of a break getting something this easy to crack in my first week. I still have a ton to learn. I said this is pretty much all new content and that’s been true. Learning assembly and the whole world of unpacking, decrypting, and generally breaking open a black box is a new world. But it’s still significant, because it showed the community at large that I’m worth training. Now I can ask questions and I’ll get answers, or at least pointed to the right resources. I can’t overstate how important that is. Nobody learns alone.

We’re approaching a four-day weekend. That’ll be my first one since my first week on the job, almost exactly six months ago. I’ll be down half my staff and my boss after Wednesday, so read-only Thursday as well as Friday. We’re also approaching what is essentially a read-only month, the last two weeks of June and the first two weeks of July. The last machine we were going to bring into Nutanix was done last week so we are fully on that platform and the monolithic task we’ve been calling Nutanix since November is done.

This is gonna be a great week, too. I can feel it. My GTD article should come out this week too.