Dailydave mailing list archives
Re: IMAP C&C channels have some massive advantages for attackers and penetration testers
From: Curt Wilson <curtwilson618 () gmail com>
Date: Sat, 11 Oct 2014 10:54:57 -0500
We came across a short-lived SMTP-based C2 and/or exfil point from what looked like a targeted ransomware campaign not long ago. However, in this case they simply used base64, which of course is the weak link detection-wise.

On Friday, October 10, 2014, Dave Aitel <dave () immunityinc com> wrote:
One thing you know about the future of cyber security is that malware is being used right now that is far more advanced than what you read about in various exciting threat reports titled "NAVY PANDA" or "EXCITED BEAR" or "TINY-MINI-FLAME 2.0.1.2.3 rc4 found!". There's been some almost embarrassingly good results from people scanning the whole Internet for FinFisher and other command and control setups after finding an installation or demo copy of it. But it's not true that malware analysis for "Indicators of Compromise" or scanning for C&C endpoints will work to find the real setups being used by even B-grade teams in the future. Likewise, a connection like INNUENDO's new IMAP channel is hard to disrupt at the network layer since so much of it is encrypted naturally by the transit providers, and of course each campaign is going to use a different email provider.

This video shows the gritty and interesting details: http://vimeo.com/108496757

Resources:
http://threatpost.com/rat-malware-communicating-via-yahoo-mail/107590
http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-uses-evernote-as-command-and-control-server/
http://researcher.watson.ibm.com/researcher/files/us-kapil/emailbotnet-dsn08.pdf

-dave
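Curt's point that base64 is the weak link, shown as an added detection example that is not part of either post: a scanner that pulls base64 runs out of text/plain mail bodies, decodes them and classifies the decoded content, so a readable payload is surfaced immediately while an encrypted one at least stands out by entropy. The sample message, the addresses and the entropy threshold are constructed assumptions.

```python
import base64
import binascii
import email
import math
import re
from email import policy

# Base64 runs of 32+ chars that are not embedded in a longer token.
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{32,}={0,2}(?![A-Za-z0-9+/])")

def build_mail(payload: bytes) -> bytes:
    """Construct a plain-text mail whose body carries payload as one base64 line
    (constructed sample modelled on the SMTP exfil case; addresses are fake)."""
    return (b"From: ops@example.invalid\r\nTo: relay@example.invalid\r\n"
            b"Subject: report\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n"
            b"status update attached\r\n" + base64.b64encode(payload) + b"\r\n")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 means encrypted/compressed, readable text is far lower."""
    counts = [data.count(bytes([v])) for v in set(data)]
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts) if n else 0.0

def decoded_blobs(raw_mail: bytes):
    """Yield (blob, decoded bytes) for every base64-looking run in text/plain parts."""
    msg = email.message_from_bytes(raw_mail, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        for m in B64_RUN.finditer(part.get_content()):
            try:
                yield m.group(0), base64.b64decode(m.group(0), validate=True)
            except (binascii.Error, ValueError):
                continue  # looked like base64 but did not decode; skip it

def classify(raw_mail: bytes):
    """Return (verdict, entropy, first 40 decoded bytes) per blob.
    'plaintext' is the weak link: the decoded content can be inspected directly."""
    findings = []
    for blob, data in decoded_blobs(raw_mail):
        ent = shannon_entropy(data)
        printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in data) / len(data)
        if printable > 0.95:
            verdict = "plaintext"
        elif ent > 7.0:          # assumed threshold for "probably encrypted"
            verdict = "high-entropy"
        else:
            verdict = "binary"
        findings.append((verdict, round(ent, 2), data[:40]))
    return findings

if __name__ == "__main__":
    for f in classify(build_mail(b"host=WS-0421;user=jdoe;cmd=list_docs;" * 3)):
        print(f)
```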