Deobfuscating malware droppers written in VBScript

Once in a while I run across malware that drops itself via a macro embedded into a Microsoft Word DocX file, written in Visual Basic script. These payloads are fairly common and have been documented in a number of places. However, I noticed in one instance that the payload it was retrieving was encoded somehow with the macro doing the decoding.

If you're not sure what the document I am referring to looks like, here's a screenshot of what you should expect if you were to open it in Word or LibreOffice.

I've opted to not share the whole source code for the payload here but I am writing this as a primer for retrieving the data should you be interested in it. I've removed references to the keys and location of the payload but again this writeup should provide more than enough information.

It's pretty straightforward to decipher what the URL is so you can download the payload. It will look a lot like this when you do so:

IsDwQV = "httEeDxPbOZhstcWp://"
dlBSaKVPUZeUffK = Replace(IsDwQV, "EeDxPbOZhstcW", "")

vJPIYmKkzEidc = dlBSaKVPUZeUffK + "127.0.0.1/" + "file.da" + "t"

As we can see, the URL is really "http://127.0.0.1/file.dat" so all one has to do is retrieve it normally and have the payload. This isn't new to this type of attack, but what is different here is that you'll need to look for an additional line to decode the file. An example of what we're looking for is here:

PTIEIYzefrUBrv.Write auRPAIQxRBuNVNs(ZlOton(AsWLAJsjgp), "mal" + "wa" + "rek" + "ey")

Again, just as straightforward as earlier, we just need to combine the second argument in this function to form the key "malwarekey".

Now that we've gone and figured out the payload's URL and the key, we'll want to see how the payload is decoded. It goes through two processes: the first where reorders the contents of the file and the second where it performs a XOR on each byte.

The reordering function looks a lot like this (keep in mind, the variables and function names will change to avoid detection but the patterns will remain mostly the same):

Function auRPAIQxRBuNVNs(gZZoRIEiqkagc, CIKkGOaWM)
Dim vJPIYmKkzEidc
vJPIYmKkzEidc = ""
Dim yjiyoPGJqpm
yjiyoPGJqpm = 2 - 1
Dim RpKxIaBse
RpKxIaBse = 1
For RpKxIaBse = 1 To Len(gZZoRIEiqkagc)
PhnHyZVCyES = Mid(CIKkGOaWM, yjiyoPGJqpm, 1)
vJPIYmKkzEidc = vJPIYmKkzEidc & Chr(Asc(Mid(gZZoRIEiqkagc, RpKxIaBse, 1)) Xor Asc(PhnHyZVCyES))
yjiyoPGJqpm = yjiyoPGJqpm + 1
If Len(CIKkGOaWM) < yjiyoPGJqpm Then yjiyoPGJqpm = 1
Next

auRPAIQxRBuNVNs = vJPIYmKkzEidc
End Function

The XOR function then will look like this:

Function ZlOton(ODkdfygTwl)
Dim XvZDYBA, ZazVWW, SyyWJefcxs, eauVLHixkVU, cQdAHb, WGHeGPbgR
Dim myjfHUNidfOgtQ
XvZDYBA = 1
ZazVWW = (&H3EF + 2892 - &HF3A)
SyyWJefcxs = (&H3EF + 2892 - &HF3A)
myjfHUNidfOgtQ = LenB(ODkdfygTwl)
Do While XvZDYBA <= myjfHUNidfOgtQ
WGHeGPbgR = WGHeGPbgR & Chr(AscB(MidB(ODkdfygTwl, XvZDYBA, 1)))
XvZDYBA = XvZDYBA + 1
SyyWJefcxs = SyyWJefcxs + 1
If SyyWJefcxs > 300 Then
cQdAHb = cQdAHb & WGHeGPbgR
WGHeGPbgR = ""
SyyWJefcxs = (&H3EF + 2892 - &HF3A)
ZazVWW = ZazVWW + 1
If ZazVWW > 40 * (&H20 + 1142 - &H491) Then
eauVLHixkVU = eauVLHixkVU & cQdAHb
cQdAHb = ""
ZazVWW = 1
End If
End If
Loop
ZlOton = eauVLHixkVU & cQdAHb & WGHeGPbgR
End Function

The reorder function is easy to clean up, so I've gone ahead and written it like so:

Function reorder(filedata)
Dim var1, var2, var3, var4, var5, var6
var1 = 1
var2 = 1
var3 = 1
Do While var1 <= LenB(filedata)
var6 = var6 & Chr(AscB(MidB(filedata, var1, 1)))
var1 = var1 + 1
var3 = var3 + 1
If var3 > 300 Then
var5 = var5 & var6
var6 = ""
var3 = 1
var2 = var2 + 1
If var2 > 200 Then
var4 = var4 & var5
var5 = ""
var2 = 1
End If
End If
Loop
reorder = var4 & var5 & var6
End Function

Once we've cleaned this all up we can now determine that the function does absolutely nothing and is there to really obfuscate it further. The data that goes through this function comes out as the same, so it's really just a time-waster. However, the data is still encoded so I did go ahead and clean up the second function as so:

Function decodexor(filedata, filekey)
Dim var1
var1 = ""
Dim var2
var2 = 2 - 1
Dim var3
var3 = 1
For var3 = 1 To Len(filedata)
var4 = Mid(filekey, var2, 1)
var1 = var1 & Chr(Asc(Mid(filedata, var3, 1)) Xor Asc(var4))
var2 = var2 + 1
If Len(filekey) < var2 Then var2 = 1
Next

decodexor = var1
End Function

Okay. So this code does in fact do something and now tells us that it's a straightforward XOR of the data. We can now just rewrite this script into Python line to line.

I've made it available via this Github Gist and per below:

from sys import argv

filename = argv[1]
malwarekey = argv[2]

def dexor(filedata, filekey):
    var1 = ''
    var2 = 0
    var4 = ''
    for x in xrange(0, len(filedata)):
        var4 = filekey[var2]
        var1 = var1 + chr(ord(filedata[x]) ^ ord(var4))
        var2 += 1
        if var2 >= len(filekey):
            var2 = 0
    return var1

if __name__ == '__main__':
    data = open(filename, 'rb').read()
    print dexor(filedata=data, filekey=malwarekey)

You'll want to ignore the fact that this Python function is really a terrible mirror copy of the original, but works one-to-one like the original VBScript; there are of course better ways to write this.

Once happy, we can run it like so:

$ python dexor.py file.dat malwarekey > file.exe
$ file file.exe 
file.exe: PE32 executable (GUI) Intel 80386, for MS Windows

Now we have the file decoded and can execute it within whatever sandbox we'd like!

An open response to Veiltower and Edsard Ravelli's Kickstarter update

An update was posted on the Veiltower Kickstarter earlier today. This was in response to the furor expressed by myself and many others on Twitter since yesterday morning. As a result of this response and as a follow up to my previous entry, I've opted to opine on the response.

Dear Backers,

Edsard here, developer of Veiltower. Our project has now been active on Kickstarter for over 24 hours. To say that it has been overwhelming is a major understatement.

On the one hand we’ve been receiving a lot of praise - particularly from friends, colleagues and business partners who know us - and on the other hand there has been criticism directed at our project from a few people in the information security community. 

The criticism was primarily directed at one thing; the ‘100% secure’ statement on our Kickstarter page. Information security officers will always tell you that nothing can be infinitely 100% secure. And that is true. But frankly this is, in my honest opinion, a theoretical debate. For instance ‘PGP’-encrypting technology for e-mail is great, but 99% of people on the planet don’t use it. Why? 

Edsard,

This isn't amateur hour: the fact that you tried to enter the cyber security space with what appears to be inadequate knowledge and research should be enough to warrant scorn and ridicule over the use of the term "100% secure".

Trying to also pass off praise from friends, colleagues, and business partners in face of this valid criticism is akin to a child receiving praise from their parent after having achieved a failing grade in school. The opinion of the parent is not going to change the outcome of the child's inability to perform.

The reason why information security professionals who are adept at their jobs frown upon "100% secure" statements is that it is impossible to have such a thing. If your device was even remotely capable of providing this, you wouldn't be selling it at $159 but instead for much, much more. By using that statement, you've put yourself in a league of many other failures who've gone and made such a remark and then later found to be far from secure.

The problem with information security isn't a device or application problem: it's a human one. The human problem--or as I like to call it, the "Layer 8 Problem"--is the primary culprit behind breaches, malware infections, and scams. With infections and scams, users tend to fail to keep their machines up to date or do not take a critical look at what they're being presented with. You fail to understand this but have no problem going about stating that a simple VPN and "secure" access point is going to solve everything.

I am ignoring your PGP question because if you truly understood the problem you're facing you would have not asked that.

If you want to secure yourself as a tech-savvy person you would setup a solution in your home with a strong firewall, strong Wi-Fi encryption, and add into the mix a VPN both on your system at home as on all of your devices. You will configure and maintain them daily, spend the effort and remain vigilant at all the time. Simple. But most of you, and the majority of internet users, neither have the time or the experience to set this up, let alone maintain it. 

And that’s what the Veiltower concept is all about. It’s about combining existing and proven methods in a way that’s easy for ‘Average Joe’. The real threat to our security – as stands today – is the complexity of use and the lack of usability. We don’t use ‘PGP’ because it’s perceived as complex. 

The "real threat to our security" is not just the complexity of it or that humans make mistakes, it is also the fact that people like you try and sell half-baked solutions. I come across many, many products on a constant basis in my line of work where the vendors promise that it will do this with minimal cost on resources. For every one good security product out there, there are umpteen that are complete garbage and are backed by individuals like yourself. I rarely if ever endorse a product but I have no problem calling one "garbage" when I see it--and yours comes under that category.

When you go on Kickstarter claiming "100% secure" then go on Twitter and claim that you're just stating this for the common layperson, you're being deceitful and demeaning. It doesn't matter if you're talking to an information security professional or a common user: you tell the truth. Making security easier for users is something that all of us should try and do, but we do it in a way that doesn't require us to talk down to them--like you are--and also doesn't involve us manipulating them by making outright lies--such as claiming "100% secure".

Also, while I won't explain the problem with PGP in this response, I will explain the problem with your example. PGP is not something that you'd use to secure a network or computer but instead it's something to secure data. PGP won't stop malware, won't stop data leaks on networks, and won't prevent the human problem. This is a really an inadequate example on your part and I am not sure why you'd want to use this other than you have no clue which is really what I think is going on here.

And that is what I have focused on for the past 12 years; taking something very complex and making it easy to use. For example in 2001 at KPN (biggest Dutch carrier) I created a simple way to connect via ‘GPRS’ – because they understood that without usability nobody would use their service. I introduced automatic carrier detection and Wi-Fi (including automatic authentication to various hotspot providers) into the Vodafone Connection Manager worldwide in 2005 and 2006, although it seemed like it couldn’t be done because Wi-Fi was a ‘competing technology’ to their mobile data offering. In 2009 I created a solution for Best-Buy that would do both GSM and CDMA (2 competing technologies used by AT&T and Verizon) and switch a user from one network to the other, based on the best coverage for that user at that location - without the consumer having to do anything. 

Veil Systems is not based around a small group. It’s about a collection of idealistic people from the US, UK, Ukraine, Argentina, The Netherlands, Switzerland, Germany and Russia that came together – all bringing their own expertise – to create Veiltower. Our goal: help stop cyber-crime and protect the people that need protecting. 

Great. I am glad that you have this team and experience behind you: why are you just pointing out yourself, a designer, and a logistics person in the Kickstarter instead of you know maybe people who are behind the development of this project? You claim to have people scattered all over the Americas and Europe yet only focus on yourself and two people from the Detroit area. When you cite these countries, are they the actors in your videos or are they actually the main people behind the project?

We received comments about the lack of technical specs on our Kickstarter page. We did this deliberately. In our experience most of you don’t care about the various technical ‘flavours’ which could have been used. EAP-TLS vs. EAP-TTLS vs. EAP-FAST or 256-bit symmetric key vs. 2048-bit asymmetric key or Broadcom vs. Intel chipsets or why 256Mb is enough instead of 512Mb or Debian vs. OpenBSD vs. openSUSE. Every one of them have pro’s and con’s. That creates an infinite debate without end. In the end; it’s a ‘flavour’. You – the people we have built Veiltower for - just want it to work. You just want it to protect you. We knew, well in advance, that with adding a lot of tech specs we would scare you off or run the risk of our story would end up in a technical debate. And that is not what this should be about. 

You're essentially telling everyone that you'd rather create a blackbox rather than give any level of specifications on the product? This makes no sense considering even other Kickstarters like your own have referenced such things. Also, calling encryption symmetries as "flavours" is woefully ignorant and just demonstrates a lack of technical depth that you have.

Is Veiltower is finished product that has undergone every possible certification and validation process? No! It’s a prototype that we have developed, tested and that works. Can it be improved? Always! And that’s exactly why we are on Kickstarter. The funding will allow us, as part of our 6 month process, to do the types of improvements, certification and validation tests that the information security community – rightfully – demands from a finished product.  

Whoa. Stop the fuck right there.

So what you're telling us is that Veiltower has not gone under every possible certification and validation process, but you had the audacity to claim that it is "100% secure"? What sort of validation tests do you plan to take on this? What sort of certification? Can you elaborate on how you tested the device?

Note: If we don’t achieve our funding goal. Nobody pays anything. And if we achieve our funding goal and we don’t deliver we also refund your money. We have stated this on our Kickstarter page very clearly. 

This opens up a question for me: how are you going to continue to guarantee support for the product after raising all the money? The reason why I ask this is that in 2013, your prior company, Diginext claimed bankruptcy, leaving the organization owing almost half-a-million Euro.

If your product is as good as you claim it to be, you would not be going to Kickstarter for getting it launched because you'd have investors crawling all over you for what would be considered the Holy Grail of Cyber Security. Your business plan to use Kickstarter and your earlier bankruptcy does not seem to add up in my books as something that will work long-term for users.

Let’s do this!
Edsard Ravelli

Let's say we don't do this and instead end the Kickstarter. You're making yourself look like a fool and you're tarnishing the names of two other individuals who do not deserve to be part of your failure.

Veiltower: a misleading plastic jungle of deception

Once again we have another Kickstarter that claims that it is 100% secure, un-breachable, and uses unheard of cryptography. Introducing "VeilTower", a plastic jungle of deception.

As indicated in my opening, I've dealt with this sort of claim before where erroneous claims about the product's capabilities were made in a Kickstarter. In this case, we're being told of the following capabilities in the device using terms like "military-grade" which tend to set off alarms:

Some of the most security conscious organizations in the world have been using what’s called 802.1x with great success. That’s what we’re using. The encryption currently in use for typical consumers is 256 bit encryption. We’re utilizing 2048 bit encryption. We wanted to give consumers a product with military-grade technology.

Veiltower also makes your digital presence anonymous by masking your traffic and connected devices with it's state of the art embedded VPN (Virtual Private Network) solution.

It goes on further in an update that was posted after they were confronted online to explain its "100% secure" statement:

Some have questioned whether its not too bold of a statement to claim Veiltower provides 100% security. And that is a very fair question.

The simple reality is that almost anything can be cracked/hacked if enough effort is put in and over the years various standards (remember the heartbleed bug?) contained, in hindsight, vulnerabilities.

So to our knowledge, the encryption we use in Veiltower is secure! That's until one day we, and many other Access Point providers that employ the same encryption, are proven wrong.

For the techs:

Wi-Fi: EAP-TLS and EAP-TTLS 

VPN: Strong Swan IKEv2

This of course after this tweet was made at me:

Needless to say it started quite the Twitter conversation so I am going to condense everything I know about them and additionally opine on the matter.

To start off here, no product no matter its claims can go and say that what they do and or provide is 100% secure and is immune to breaches. Anyone who makes such a claim is either being intentionally deceptive or has zero clue about what they're talking about. In this case, I think that's more of the latter as based on the background of the individual leading this project, as he does not appear to have ever worked on anything cyber security-related.

Veiltower (also known as Veil Systems) has a bit of a history and this is not their first Kickstarter either. It has since been removed but did manage to create a PNG mirror of the campaign draft which was penned around November 2014. They did tweet aggressively leading up to the date they expected to launch everything but for some unspecified reason, Kickstarter did not accept the submission so they promised to regroup and launch again later in the year.

However, after the last tweet, they made no quip about the Kickstarter campaign and just proceeded to share videos that they had already made. Additionally, the product was slightly different than what we are seeing now as they were also promising NAS functionality and an IP camera in addition to the "security" features we're seeing today.

Physically the products are similar except that there is a glowing, device shaped like a bowling pin that would have had the IP camera at the top. The campaign however appears to provide more details on the inner guts the device which is something I found lacking in the current campaign.

They're also providing the specifications in this old campaign.

Which again is sorely missing from the campaign.

However, something didn't add up: how is the PCB larger than the above disc in the guts image? If we look at a photo of the rear of the unit, you'll notice that the device doesn't even have ports that match the board.

This sort of reminds me of the Sever thing because it was revealed to me in conversation with some people close to the project that the board didn't match the case itself. What's going on here? Well without details on the specs of the unit in the current campaign, I guess we'll never know.

One thing to add: I call this a "misleading plastic jungle of deception" for good reason: they make the following claim about the antenna design:

A friend of mine is an avid ham radio operator and he informed me that the antenna slant wouldn't be enough to incur a polarization shift, meaning that the benefit from this design would be non-existent.

In any event, based on the hardware details from the previous Kickstarter and the lack of details in the current, it doesn't really bode well for this device at least from a physical standpoint. Any claims about its abilities to improve your overall Internet experience will be exaggerated at best.

Perhaps it's worth learning a bit about who's behind it: really there is one but it seems like there is quite a bit of discord going on behind the scenes as evident in these tweets.

I am guessing that after the exchange had started earlier (the crypto one from earlier was by this "social media guru"), Edsard Ravelli, the founder or leader behind this project decided to get involved and effectively sack the person behind the Twitter account--it should be assumed that the 802.1x encryption remark was made by the removed individual. I think that it is a bit fair to talk about the person behind this project.

Edsard hails from Amsterdam and appears to have been involved with the project from the start. He has claimed via his LinkedIn to once have been CEO and Founder of a company called DigiNext, but left in Autumn 2014, a year and a half after founding Veil Systems--I was not able to procure details on what happened with DigiNext but I can safely tell you that their website has a lot of broken links. Additionally he also has a software patent to his name, depicting some sort of update mechanism that reeks of similarity to every other software updater out there.

Veiltower mentions two other employees in the Kickstarter: Eric Stebel and Kris Caryl. Eric is cited as being the "Lead Designer" for the project, but judging based on his website, he's likely involved in the creation of the physical case of the device and not the electronics itself--however I will admit that Eric has done some cool stuff. I was not able to get much in the way on Kris other than her being cited as a Veiltower's logistics person.

Noticed something peculiar? Not a single person with an information security, software development, or hardware design background is cited. And here they are making claims about having a product that is 100% secure.

Of course, Edsard was okay in citing that it was okay to claim this because he's trying to lay it out to the laymen:

Edsard's excuse here is that it's acceptable to lie in the Kickstarter because he's trying to "appeal to consumers who [are] technology illiterate". By that logic, Volkswagen should be off the hook because consumers wouldn't notice the difference between the government-mandated emissions testing and "real world situations".

He continues to say that he had details posted on Facebook weeks before with over 5,000 followers where nobody made a quip about the claims. This is completely idiotic to claim and I am not even going to entertain the idea of writing here about why.

Going back to employees, Veiltower has gone out of their way to hire freelancers using Elance. Since April 2014, they have spent $38,002 USD across 29 different freelancing job requests--or about $1,300 on average per request. In contrast to their $250,000 goal on Kickstarter, the money spent on Elance would account for 15% of what they need to raise. How much is Edsard paying himself, Eric, and Kris? At a minimum, if these two have worked a year for Veil Systems at a wage of $8.12/hour, they'd each account for $16,952 ignoring things like sick days or other labour aspects. Times two, that's 14% of the campaign costs, meaning that around 30% is just for labour--this is a huge assumption too.

It should also be noted that none of the freelance requests were for anything technical and appeared to be solely marketing-related.

There's also no indication that there are other employees with Veil Systems as the name does not link to any other employees on LinkedIn other than Edsard himself.

One of the rewards is a white Veiltower for 1,999 people at a cost of $159. To meet that goal of $250,000, they need to get over three-quarters of that amount in order to cross that threshold required for a Kickstarter payout. But makes me wonder: does $250,000 cover all the salaries and development costs incurred?

If this was a product that was worth funding, a Kickstarter campaign would have not been ever needed. I tend to believe that the vast majority of campaigns out there are for ideas that are not marketable at all and just pander to a niche market. There are exceptions to this rule but it's a very short list of them.

Edsard has claimed that tomorrow he'll have some answers so we shall wait and see!

How Patreon made themselves a hole

As you might have heard, Patreon was breached and had its database and code dumped on the Internet. Canary has a copy of all e-mails and they are now all searchable.

I wrote this elsewhere, but this is how Patreon created a problem for themselves.

It's pretty easy to enable debug within Werkzeug but it isn't enabled by default. It's also not by default listening on "0.0.0.0" but rather instead by default "127.0.0.1".

Here's exactly what they did in the code (this is straight from the dump):

    web_app.debug = patreon.config.debug
    web_app.run('0.0.0.0', port=args.port, use_reloader=False)

Then in the patreon.config.debug string, it had a true statement:

debug = True

Whoever enabled this server wouldn't have fed arguments to enable it as it was hard-coded into the application. All someone had to do was just type "python patreonweb.py" and the server would be ready to go with debug-mode enabled.

Detectify Labs wrote a blog entry and linked to a previous one of mine. Don't enable debug on Internet-facing servers and if you can help it don't enable it to listen on "0.0.0.0" either.

Threat Intelligence (is|can be) (useless|useful)

One of the interesting side-effects of SIEMs becoming popular in organizations is the rise of threat intelligence. Threat intelligence is really nothing new as it has existed since the mid-90s in the form of DNS Blackhole Lists (DNSBL) to combat spam. Today, we're seeing it used to not only identify spam but to also identify infected hosts belonging to botnets, machines identified belonging to less-than-reputable ISPs, and much more.

However, I've struggled with the usefulness or uselessness of this data. At the organization I work at, we're using some free threat intelligence data that is as described really useful but in practicality is very difficult to utilise because of the fact that in order for us to sift out the useful tidbits, we have to filter out the noise.

A prime example of a useful list that is littered with noise are lists of Tor exit and entry nodes. This is very useful data to know one can detect the use of these nodes quite quickly and then perhaps determine if there is an infected machine or inappropriate use. However, the data becomes useless when these Tor nodes (smartly) add themselves to NTP pools and these machines have misconfigured software that uses an NTP pool instead of whatever is set within domain policy. The solution is of course to fix your domain policy but then there may be other pitfalls that may arise as these nodes may just adopt something else to obscure their purpose.

Another example of where I find threat lists useless is that some groups will just place numerous honeypots and sensors across the globe and then use that to collect information on which machines are misbehaving and where they are attacking. A good example of such a setup would be with IP Viking's Norse map which looks like something ripped out of a remake of Wargames.

The problem I have with this approach is that it's like making yourself a member of as many Block Watch groups as possible. Sure. You're going to know which neighbourhood is more at risk than the other and you might even know who the perpetrators might be, but is it going to be useful to know this as someone not belonging to any of these Block Watches for your neighbourhood located in Seattle when the incident happened in Mumbai? Yeah. You'll mark that IP or IP block as malicious, but is it really a true concern?

Companies will sell this sort of information at ridiculous rates too. One company I had the pleasure of being on the phone with wanted to offer such data at a rate of $150,000 USD per year. That's a six-figure value for a constantly updating list of IP addresses. The data isn't really verifiable either as they depend on their own sources and purportedly say that whatever they're seeing is a "threat".

And that is just it: what constitutes a threat to your network and will threat intelligence provide you with anything of value? Is it really worth spending $150,000 USD per year on threat intelligence that may or may not be of value?

I'm going to toot my own horn here and say that the type of threat intelligence that these lists provide is more or less useless outside of perhaps the Tor example and perhaps mail reputation--I can save the latter for another rant.

With Canary (name soon to be retired), I don't mark discoveries found within the database as a threat--in fact, I avoid the phrase "threat intelligence" entirely on the site but that is likely to change. It's better to identify a threat on your own rather than rely on some third-party to do so. If your IP block, company hostname, or perhaps a hash with your own special salt shows up in the service, it's up to you to determine if it is worth investigating. At that point, the threat intelligence could actually be potentially useful.

Your security team should be making a decision on what is a threat and then reacting appropriately based on your response plan. Relying on a third-party to determine a threat is going to slow you down and eat up resources that otherwise may be better suited for other things.

When you look at the aforementioned Rolls Royce-costing service, you're going to get a list of IP addresses that you should look out for. It may be useful because maybe you'll just go and block those addresses from touching your network or maybe you'll sniff around your firewall logs to see if an address popped up before, but at the end of the day you're dealing with potential red-herrings and all because you're reacting to a situation in Mumbai when you're all the way in Seattle.

I don't really hate threat intelligence services per se like my example, but I at the same time struggle with finding the value in them. It is useful to know what sort of malicious activity is going on the Internet, but it can be useless to make decisions within your enterprise based on them.