Advisory Board

Joe Stewart, GCIH

The New York Times article Attack of the Zombie Computers Is Growing Threat said

Moreover, although rustock is currently being used for distributing spam, it is a more general tool that can be used with many other forms of illegal Internet activity.
 
“It could be used for other types of malware as well,” said Joe Stewart, a researcher at SecureWorks, an Atlanta-based computer security firm. “It’s just a payload delivery system with extra stealth.”
 
Last month Mr. Stewart tracked trading around a penny stock being touted in a spam campaign. The Diamant Art Corporation was trading for 8 cents on Dec. 15 when a series of small transactions involving 11,532,726 shares raised the price of the stock to 11 cents. After the close of business that day, a Friday, a botnet began spewing out millions of spam messages, he said.
 
On the following Monday, the stock went first to 19 cents per share and then ultimately to 25 cents a share. He estimated that if the spammer then sold the shares purchased at the peak on Monday he would realize a $20,000 profit. (By Dec. 20, it was down to 12 cents.)

Joe Stewart, GCIH is Senior Security Researcher with SecureWorks who specializes in reverse-engineering malware and is also a GIAC Certified Incident Handler. He authored the following software available for free download: Fess (File Exploit Scanning System), Mumsie (Malicious URL Monitor and Snort Injection Engine), Truman (Behavioral analysis sandnet), Foregone (Forensic file recovery tool), plus a collection of Reverse Engineering Tools. He is also a frequent commentator on security issues for leading media organizations such as The New York Times, MSNBC, Washington Post, USA Today and others.
 
A popular speaker, Joe has presented at DEFCON 14, Las Vegas, NV; Raleigh ISSA, Raleigh, NC; Infosecurity Canada, Toronto; RECON 2006, Montreal, Quebec; CSI NetSec, Phoenix, AZ; SANS Denver, Denver, CO; InfoSec World Conference 2006, Orlando, FL; Silicon Valley ISSA, San Jose, CA; CodeCon 2006, San Francisco, CA; ShmooCon 2006, Washington D.C., among many events.
 
Joe authored Manually Unpacking a Morphine-Packed DLL with OllyDbg, SpamThru Trojan Analysis, DNS Cache Poisoning: The Next Generation, Pay-per-Click Hijacking, BitTorrent and the Legitimate Use of P2P, AdSubtract Proxy ACL Bypass Vulnerability, Windows Messenger Popup Spam on UDP Port 1026, Alien Autopsy: Reverse Engineering Win32 Trojans on Linux, Sobig.e – Evolution of the Worm, Reverse-Proxy Spam Trojan — Migmaf, Webdav Exploits Exposed, Sobig.a and the Spam You Received Today, Reverse Engineering Hostile Code, Exposing the Underground: Adventures of an Open Proxy Server, and Wormsign: Predicting the Next Outbreak. Read his full list of publications!
 
He also coauthored Detecting and Containing IRC-Controlled Trojans: When Firewalls, AV, and IDS Are Not Enough, Milkit: An Innovator of Old Technology, and Managed Security Services and the Incident Handling Process.
 
OllyDbg Plugins and Scripts by Joe include Analyze This! (Force analysis of non-code sections), AttachAnyway (Anti-anti-attach PoC), Labelmaster (Batch processing of labels/comments, OllyBonE (unpacking plugin for OllyDbg), OllyGraph (code flowchart plugin), OllyPerl (Perl scripting for OllyDbg), OllyVBHelper (aids in reverse-engineering Visual Basic apps), and WaveDiff (binary difference analysis for OllyDbg (uses OllyPerl).
 
Read his blog posts on the SecureWorks Blog and OpenRCE Blog.