EA Effectiveness Series: Highly Impactful EA Organizations Make Value Driven Decisions

Mike The Architect Blog: Value Driven Decisions

A big thank you to all the folks that came to my presentation at the Troux World Conference last week. We had a full room of enterprise architects and EA consultants. Thank you for all your support and great questions. 

I wanted to share with all of you my presentation given at the conference. Just like with most of my presentations, there are lots of images that require a voice-over. So, my apologies to those who are seeing this for the first time without hearing it in person. To remedy that a bit, I will post about the concepts from within the presentation over the course of the next few weeks.




Enterprise Architects are faced with a rapidly changing business climate, competitive pressures and a shifting technology landscape that is forcing the enterprise to evolve. This acceleration of change in the market requires faster decisions that are well informed, in order to maximize value. Enterprise Architects are at the tip of the spear to enable this change, but they need the tools.

In this session I will explore one of the proven practices that I have found in highly impactful Enterprise Architecture (EA) organizations, namely enterprise portfolios. Enterprise portfolios extend past the traditional project and program discipline to cover all aspects of the enterprise. The aim is to move from disconnected, static and context-less pieces of data to a governed portfolio of enterprise knowledge that can maximize value and mitigate risk to our businesses.


Evernote: So useful, even malware loves it

The Evernote interface for Chinese users—and the gateway to commands for a very sneaky backdoor.

Your average workaday botnet uses a command and control server to give the malware bots on infected PCs their marching orders. But as network security tools begin to block traffic to suspicious domains, some enterprising hackers are turning to communications tools less likely to be blocked by corporate firewalls, using consumer services to deliver their bidding to their digital minions. Today, security researchers at Trend Micro revealed the latest case of the consumerization of botnet IT: malware that uses an Evernote account to communicate.

The backdoor malware, designated as VERNOT.A by Trend Micro, is delivered via an executable file that installs the malware as a dynamic-link library. The installer then ties the DLL into a legitimate running process, hiding it from casual detection. Once up and running, the backdoor starts to collect information about the system it has made its home—the computer's name, the person and organization identified as its registered owners, the operating system version, and its timezone. Then it connects to Evernote—specifically the Chinese interface to the Evernote service—to fetch information from notes saved in an account, including commands to download, run, and rename files on its host system.

According to a blog post by Trend Micro Threat Response Engineer Nikko Tamaña, the backdoor may have also used Evernote as a location to upload stolen data. Fortunately (or unfortunately, depending on how you look at it), the account that was hard-coded into the backdoor's channel to home had already been shut down—ironically, because its password was reset after Evernote's recent security breach.


Spamhaus DDoS grows to Internet-threatening size

Last week, anti-spam organization Spamhaus became the victim of a large denial of service attack, intended to knock it offline and put an end to its spam-blocking service. By using the services of CloudFlare, a company that provides protection and acceleration of any website, Spamhaus was able to weather the storm and stay online with a minimum of service disruptions.

Since then, the attacks have grown to more than 300 Gb/s of flood traffic: a scale that's threatening to clog up the Internet's core infrastructure and make access to the rest of the Internet slow or impossible.

It now seems that the attack is being orchestrated by a Dutch hosting company called CyberBunker. CyberBunker specializes in "anything goes" hosting, using servers in a former nuclear bunker (hence the name). As long as it's not "child porn and anything related to terrorism," CyberBunker will host it. This includes sending spam.


New Ransomlock Variant Bypasses Automated Threat Analysis Systems’ Sandboxes

A lot of malware modifies itself, either to hide from security software when it copies itself to the compromised computer, or to hinder engineers who analyze the malware by executing the decrypted memory area and reading the decrypted memory values. This blog examines the behavior of Trojans that modify themselves through shared memory.

The malware process follows the red line in Figure 1.

[Image: new ransomlock 1 edit.png]

Figure 1. Code showing the threat process

Address ebx-4 is the top of the .data section. Initially the value at ebx-4 is zero, so the comparisons against 31h and 32h both fail.

The code writes 31h to address ebx-4 and the Trojan launches itself again by calling the WinExec function with its own file name. It then calls the ExitProcess function to end itself. It looks as if the program merely launches and quits repeatedly, since the value at ebx-4 should always be 0 at startup, yet it does perform malicious activity. Here's the trick.

File structure

This file sample has the following .data section structure.

[Image: new ransomlock 2.png]

Figure 2. File structure of the file sample

The section characteristics value rw- d0000040 is an unusual configuration; it decodes to the following flags.

[Image: new ransomlock 3 edit.png]

The memory value is shared because of the IMAGE_SCN_MEM_SHARED setting.
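As an added detection-side example (not code from the Symantec post), this Python snippet parses PE section headers and flags any section that is both writable and IMAGE_SCN_MEM_SHARED, the rw- d0000040 configuration described above. The PE it scans is constructed inline and contains only headers, which is all the check needs.

```python
import struct

# Section Characteristics bits from the PE/COFF spec; 0xD0000040 is their OR
FLAGS = {
    "IMAGE_SCN_CNT_INITIALIZED_DATA": 0x00000040,
    "IMAGE_SCN_MEM_SHARED": 0x10000000,
    "IMAGE_SCN_MEM_READ": 0x40000000,
    "IMAGE_SCN_MEM_WRITE": 0x80000000,
}
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # 40-byte IMAGE_SECTION_HEADER

def flag_names(characteristics):
    """Expand a Characteristics value into the flag names it contains."""
    return [n for n, bit in FLAGS.items() if characteristics & bit]

def parse_sections(pe):
    """Yield (name, characteristics) for each section header of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the signature
    (nsections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    off = coff + 20 + opt_size  # section table follows the optional header
    for _ in range(nsections):
        fields = SECTION_HDR.unpack_from(pe, off)
        yield fields[0].rstrip(b"\0").decode("ascii", "replace"), fields[-1]
        off += SECTION_HDR.size

def shared_writable_sections(pe):
    """Names of sections that are both writable and shared between processes,
    the setting that lets a re-executed copy see the first copy's writes."""
    want = FLAGS["IMAGE_SCN_MEM_SHARED"] | FLAGS["IMAGE_SCN_MEM_WRITE"]
    return [name for name, c in parse_sections(pe) if (c & want) == want]

def build_sample_pe(data_characteristics):
    """Constructed minimal PE: DOS stub, COFF header, no optional header,
    two sections. Only the headers matter for this check."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: "PE\0\0" sits at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections
    text = SECTION_HDR.pack(b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = SECTION_HDR.pack(b".data", 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, data_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + text + data
```

Scanning build_sample_pe(0xD0000040) returns ['.data'], while the same file with an ordinary 0xC0000040 .data section returns an empty list.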

Actual behavior

When the malware runs for the first time, the value at address ebx-4 is zero, so the code writes 31h to the address and executes itself again. Because the first instance has not yet called ExitProcess, the second instance maps the shared memory, which already holds 31h at that address.

[Image: new ransomlock 4 edit.png]

Figure 3. Process follows different route when run again

The newly executed program writes 32h at the address and executes itself again. The new program shares memory that has 32h at the address.

[Image: new ransomlock 5 edit.png]

Figure 4. Process reaches decryption routine

Because the value at the address is 32h, it executes the _decrypt function, decrypts the encrypted code, and jumps to the esi address. The behavior is shown below in sequential order:

  1. Windows loads the file
  2. The address has 0 as its initial value from the file
  3. Modifies the value to 31h
  4. Executes itself
  5. Windows loads the file image except for the shared memory; the original file on disk still has 0
  6. The program runs with the value 31h
  7. Exits the first process
  8. Modifies the value to 32h
  9. Executes itself
  10. Windows loads the file image except for the shared memory; the original file on disk still has 0. The program reaches the decryption routine and the computer is now compromised
  11. Exits the second executed process


Figure 5. Behavior shown in sequential order

Process behavior in a sandbox

I believe the attacker tried to hide the malicious behavior from automated threat analysis systems. I submitted a sample file to eight websites that host automated threat analysis systems and the following are the results:

  1. ThreatExpert logged the created file, registry modifications, and unexpected network access. Therefore, I recognized the sample behavior and decided that the file is malicious.
  2. Three websites logged that the process executed but nothing else.
  3. The other four websites did not log anything.

It seems that automated threat analysis systems only monitor the red section shown in Figure 5. We often see this type of specialized code to bypass these automated systems.

Symantec will continue to monitor this type of malicious code and the techniques outlined in this blog. We also recommend that users do not run suspicious programs and keep their operating system and antivirus software up to date.