Joe Stewart, GCIH
The New York Times article “Attack of the Zombie Computers Is Growing Threat” said:
Moreover, although Rustock is currently being used for distributing spam, it is a more general tool that can be used with many other forms of illegal Internet activity.
“It could be used for other types of malware as well,” said Joe Stewart, a researcher at SecureWorks, an Atlanta-based computer security firm. “It’s just a payload delivery system with extra stealth.”
Last month Mr. Stewart tracked trading around a penny stock being touted in a spam campaign. The Diamant Art Corporation was trading for 8 cents on Dec. 15 when a series of small transactions involving 11,532,726 shares raised the price of the stock to 11 cents. After the close of business that day, a Friday, a botnet began spewing out millions of spam messages, he said.
On the following Monday, the stock went first to 19 cents per share and then ultimately to 25 cents a share. He estimated that if the spammer then sold the shares purchased at the peak on Monday he would realize a $20,000 profit. (By Dec. 20, it was down to 12 cents.)
Joe Stewart, GCIH, is Senior Security Researcher with SecureWorks, specializes in reverse-engineering malware, and is also a GIAC Certified Incident Handler.
He authored the following software, available for free download: Fess (File Exploit Scanning System), Mumsie (Malicious URL Monitor and Snort Injection Engine), Truman (behavioral analysis sandnet), Foregone (forensic file recovery tool), plus a collection of Reverse Engineering Tools.
He is also a frequent commentator on security issues for leading media organizations such as The New York Times, MSNBC, Washington Post, USA Today and others.
A popular speaker, Joe has presented at DEFCON 14, Las Vegas, NV; Raleigh ISSA, Raleigh, NC; Infosecurity Canada, Toronto; RECON 2006, Montreal, Quebec; CSI NetSec, Phoenix, AZ; SANS Denver, Denver, CO; InfoSec World Conference 2006, Orlando, FL; Silicon Valley ISSA, San Jose, CA; CodeCon 2006, San Francisco, CA; ShmooCon 2006, Washington D.C., among many events.
Joe authored Manually Unpacking a Morphine-Packed DLL with OllyDbg, SpamThru Trojan Analysis, DNS Cache Poisoning: The Next Generation, Pay-per-Click Hijacking, BitTorrent and the Legitimate Use of P2P, AdSubtract Proxy ACL Bypass Vulnerability, Windows Messenger Popup Spam on UDP Port 1026, Alien Autopsy: Reverse Engineering Win32 Trojans on Linux, Sobig.e – Evolution of the Worm, Reverse-Proxy Spam Trojan Migmaf, Webdav Exploits Exposed, Sobig.a and the Spam You Received Today, Reverse Engineering Hostile Code, Exposing the Underground: Adventures of an Open Proxy Server, and Wormsign: Predicting the Next Outbreak. Read his full list of publications!
He also coauthored Detecting and Containing IRC-Controlled Trojans: When Firewalls, AV, and IDS Are Not Enough, Milkit: An Innovator of Old Technology, and Managed Security Services and the Incident Handling Process.
OllyDbg plugins and scripts by Joe include Analyze This! (force analysis of non-code sections), AttachAnyway (anti-anti-attach PoC), Labelmaster (batch processing of labels/comments), OllyBonE (unpacking plugin for OllyDbg), OllyGraph (code flowchart plugin), OllyPerl (Perl scripting for OllyDbg), OllyVBHelper (aids in reverse-engineering Visual Basic apps), and WaveDiff (binary difference analysis for OllyDbg; uses OllyPerl).
Read his blog posts on the SecureWorks Blog and OpenRCE Blog.