Hello and welcome to the Monday, April 20th,

2006 edition of the Sands Internet Storms Centers.

Stormcast, my name is Johannes Ulrich,

recording today from Amsterdam, Netherlands.

And this episode is brought you by the Sands.edu credit certificate program in cyber security fundamentals.

In the iris today, we got another reverse analysis and forensics walkthrough by a Pratt.

A Pratt is talking about Luma Steeler and Sacktop Rat.

The way this particular infection starts is sadly the common trick of offering commercial

software for free.

So basically the cracked version of various Adobe products in this particular case, the user

then downloads an actually suspiciously small SIP, that then extracts into a rather large,

like around 800 megabyte executable.

The executable is so large because it's just padded with zeros, and that, of course, is often

used to prevent anti-malware products from scanning it.

In this case, it may also make the particular

executable more plausible because the user may expect a certain size executable for these products.

Now, as the user then starts the executable, that's where Luma Steeler is first installed, and then later SETOPRAT.

So first credentials are being stolen, and then persistent access is being provided by the remote access tool.

And then we have a series of postings by Hunter's Labs 2X that explain how they're seeing the three recent

vulnerabilities in Windows Defender being exploited. All of these three vulnerabilities were

discovered and proof of concept code was released by an individual that goes by the name of Nightmare Eclipse.

The first vulnerability here is referred to as undefend. This vulnerability just disables a Windows

...