Threat Spotlight: Rombertik – Gazing Past the Smoke, Mirrors, and Trapdoors

Rombertik is a complex piece of malware with several layers of obfuscation and anti-analysis functionality that is ultimately designed to steal user data.  Good security practices, such as making sure anti-virus software is installed and kept up-to-date, not clicking on attachments from unknown senders, and ensuring robust security policies are in place for email (such as blocking certain attachment types) can go a long way when it comes to protecting users.  However, a defense in depth approach that covers the entire attack continuum can help identify malware and assist in remediation in the event that an attacker finds a way to evade detection initially.

via Threat Spotlight: Rombertik – Gazing Past the Smoke, Mirrors, and Trapdoors.

Al-Qaida update

I read with interest your latest analysis and forecast about al-Qaida.
Now al-Zawahiri has offered to “answer questions” he receives by
mid-January via the Internet. He is behaving like (setting himself up
as?) a mufti, who dispenses fatwas regarding any question from
believers–or perhaps, non-believers. This new tack may signal that he is
elevating himself to a position rivaling other internationally consulted
muftis, even though he is not a normative mufti. It is part of what you
have identified as the “ideological” battlefield.

In regard to your assumption of al-Qaida’s “devolution” (possibly a type
of failure), I would like to provide a few working principles from the
study of religion and violence, particularly in heterodox movements, which
may be of some interest:

From Cathy Wessinger (U.S., Loyola University, New Orleans): the concept
of a “fragile millennial group”
From Ian Reader (United Kingdom, U. of Manchester): the concept of “the
pragmatics of failure” (derived from his primary analysis of Aum
Shinrikyo)

A number of scholars have intensively studied new religious movements,
especially the problems a relative few present, since the Jonestown
incident and have developed some applicable principles, among which are
Wessinger’s and Reader’s.

Assumption: Al-Qaida is a millennial movement.

Millennialism (millenarianism, chiliasm) is “a belief in an
imminent transition to the millennial kingdom (i.e., the collective
salvation)”; it is a belief that “has the power to draw people together
to found new religious movements” that promise to reveal esoteric
knowledge about what is ultimately real and ultimately true.

Among the categories of millennial movements, Al-Qaida is both
“nativist” and “revolutionary.”

  • It is nativist because its ultimate concern is to defend the Muslim
    religion and the Muslim lands against cultural and physical alien
    invasion.
  • It is revolutionary because it possesses and acts according to a
    theology that legitimates violence (in order to attain the collective
    salvation/millennial kingdom).
    • It expresses the millennial kingdom in terms of a “caliphate” or
      “caliphates.”
    • Revolutionary millennial movements are also political, because the
      collective salvation is to be achieved on earth via a destruction of
      the status quo and a total transformation of the world. A hopelessly
      corrupted world will thus be rendered new, clean, and pure.

The fragility thesis applies when a millennial movement fails to meet its
unrealistic expectations, either because of external persecution or
internal stresses or a combination of both.

The group may then seek to
attain its collective salvation through other means, i.e., by legitimizing
violence against perceived scapegoats or by self-destructing as a witness
to the evil state of the status quo world.

An example of the former is Aum Shinrikyo, which suffered humiliation in
its foray into politics and which fell short of meeting its unrealistic
recruitment goals.

An example of the latter is Jonestown, which conceived of no other option
after its continued existence in its Guyana refuge was threatened by
exposure of its practices and when Jones’ mental and physical health was
deteriorating.

It is also possible that the Branch Davidians at Waco became a fragile
millennial group after they were assaulted by the FBI, believing that
Armageddon was occurring and that the “saints” were to be sacrificed, as
related in their version of Revelation. That may be why they set fires in
Mt. Carmel (recently verified by additional sources). In so doing, they
“witnessed” to the satanic evil of the opposing forces.

The point is that if al-Qaida/the International Jihad believes that its
expectations are not achievable, but that victory (of necessity) always
belongs to Allah, it may redefine “victory” and seek another mode of
enacting its self-identification as “the saved sect and victorious
group.”

It can do so in a variety of ways, some violent and some
peaceful.

Reader has proposed a “pragmatics of failure” thesis to account
for Aum’s turn to killing outsiders. First, Aum adopted a compassionate
doctrine from Tibetan Buddhism called “poa” that prescribed rituals to
deliver karmic merit to those who had died, and then it reinterpreted
“poa” to mandate the killing of the spiritually inferior souls in order to
prevent them from amassing further karmic demerits in this life. It could
not save all souls in the world, so it concentrated on saving itself and
accumulating more karmic merit for its victims.

However, it is also possible that achieving the millennial kingdom or
“mission” of the movement may be sought through peaceful means, such as
“routinization.” It is possible, for example, that a group that begins as
a revolutionary movement may seek to join the political process or seek
legitimate status as a party or a church. The Bahai faith was one such
group.

In al-Qaida’s worldview, since Allah cannot fail, He will reveal to the
movement the modes of victory. What those modes may be may vary greatly
from self-destruction (group martyrdom or “witness”), religious
justification for the intensification of terrorism, or alternatives to
violence in order for the “truth” to prevail.

I am not suggesting that al-Qaida shares your view of their “devolution.”
Apparently, the leadership believes they have many options and that Allah
is gaining in victory over the infidels and apostates. However, should
they begin to believe that their efforts are futile, then we may expect
the movement to seek other modes to achieve their unrealistic goals. The
clue to any quantum shift will first appear in the group’s religious and
doctrinal rhetoric.

Thus, what the “mufti”–al-Zawahiri–issues as fatwas should be deciphered
by those who understand his worldview and religious emphasis. They may
signal a shift to other modes of achieving “victory,” whether it is
redefined in catastrophic or relatively irenic terms.

Jean Rosenfeld

Source: https://wikileaks.org/gifiles/docs/30/302969_al-qaida-update-.html

Am I Sending Traffic to a “Sinkhole”? | Diary Discussions | Community Forums | SANS Internet Storm Center; Cooperative Network Security Community – Internet Security

The data collected by sinkholes is typically used for research purposes, and to notify infected users. How well this notification works depends largely on the collaboration between the sinkhole operator and your ISP.

via Am I Sending Traffic to a “Sinkhole”? | Diary Discussions | Community Forums | SANS Internet Storm Center; Cooperative Network Security Community – Internet Security.

Sagan as a Log Normalizer | Diary Discussions | Community Forums | SANS Internet Storm Center; Cooperative Network Security Community – Internet Security

Using Sagan is another way of leveraging a Snort IDS database infrastructure to collect, correlate, and monitor suspicious events via syslog. For additional information on Sagan, check the Sagan Wiki.

[1] http://sagan.quadrantsec.com/

[2] https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganMain

[3] https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganRuleReference

[4] https://wiki.quadrantsec.com/twiki/bin/view/Main/SaganInstall

[5] http://sagan.quadrantsec.com/rules/

[6] https://github.com/beave/sagan

via Sagan as a Log Normalizer | Diary Discussions | Community Forums | SANS Internet Storm Center; Cooperative Network Security Community – Internet Security.