AOH :: ISN-2839.HTM

Hacking The Dead Cow

Hacking The Dead Cow
Hacking The Dead Cow 

By Sean Michael Kerner  
August 9, 2006

In the annals of computer "(in)security," few groups are as well known 
as the Cult of the Dead Cow (cDc).

They are now adding a new chapter to their infamous history with the 
release of a new malware search engine that enables researchers to 
analyze over 31,000 "hostile" files.

It's all part of an effort the cDc calls "offensive computing."

Originally founded in 1984, cDc and its members are well known for a 
number of their efforts over the past 22 years.

Perhaps most notably is their Back Orifice application, which debuted 
in 1998 as a network backdoor that enabled full remote control of a 
system, including process, passwords and file system (essentially a 
first-generation Trojan).

Back Orifice was updated in 2000 as B02K and is currently maintained 
as an open source project on the code repository.

In cDc's new offensive computing strategy, the group is turning its 
skills toward hacking malware.

Part of the effort is the malware search engine, which is geared 
toward increasing the knowledge around malware to better improve 
detection and removal.

There is also a relationship between the Malware search effort and 
that hatched last month by H.D. Moore of Metasploit fame; it uses 
Google to find malicious code.

"We use Google from time to time, and we worked with H.D. Moore on his 
Google malware search project," Val Smith a cDc member and part of the 
offensive computing effort, told "We provided him 
signatures to search on)."

Smith explained that his group has written some code to do auto 
analysis of malware.

"People upload it directly to the site, or provide me with archives 
over e-mail, and then we load it into our auto analyzer," Smith said.

"Once the analysis is done, that data gets put into the database which 
people can search. We have large collections of malware sitting around 
waiting to be bulk processed."

Access to the offensive computing malware search requires user 
registration, though only a valid e-mail address is required for the 

While most of the major AV vendors, including McAfee, Symantec, Panda 
Labs, Sophos and others, provide online libraries of vulnerabilities, 
there are a few things that offensive computing provides that the 
commercial vendors do not.

For one, offensive computing provides downloadable samples of the 
malware in question.

It also includes a clear warning to users: "This site contains samples 
of live malware. Use at your own risk."

Offensive computing also claims that the analysis is done in an open 
manner that yields reproducible results.

The results also detail multiple checksums md5,sha1,sha256, which 
should help to further improve identification.

Smith's hope is that his group's effort will challenge the security 
community to get more involved in publicly fighting the problem of 

"This problem is growing too fast and complex for the traditional 
methods to defend against it," Smith said.

"We need to unite resources and knowledge in order to protect our 
systems. We have a lot of respect for several AV companies, but it's 
time to do more."

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2014 CodeGods