Full Disclosure mailing list archives
Re: All China, All The Time
From: Dan Kaminsky <dan () doxpara com>
Date: Sat, 16 Jan 2010 00:21:29 -0500
If it's stupid and it works, it isn't stupid. On Jan 15, 2010, at 11:07 PM, Marc Maiffret <marc () marcmaiffret com> wrote:
Todd, have you verified this "encryption" specifically the statement by McAfee: "One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection." I assume by masquerade they mean the fact it is communicating over port 443 with some simple XOR'd bytes to form commands for performing various actions ranging from process to file manipulation and updating etc... There are by far better exploits and malware in the world and used even by joe botnet operators than this IE0day and malware. -Marc On Fri, Jan 15, 2010 at 2:57 PM, r00t <r00t () ellicit org> wrote:Can you explain how this is sophisticated. It looks to me like most decent malware samples I've RE'd: The result: triple encrypted shell code which downloads multiple encrypted binaries used to drop an encrypted payload on a target machine which then establishes an encrypted SSL channel to connect to a command and control network. If they are so sophisticated and organized, then why do they continually get noticed shortly after the attack. A major element that you fail to realize about these so called sophisticated attacks is stealth and persistence, which this attack lacks. On 1/15/10 12:33 PM, Densmore, Todd wrote:Here is my 2 cents on both Google and iiScan http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/01/15/china-google-and-web-security.aspx ~todd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: All China, All The Time, (continued)
- Re: All China, All The Time Christian Sciberras (Jan 15)
- Re: All China, All The Time Benji (Jan 15)
- Re: All China, All The Time Christian Sciberras (Jan 15)
- Re: All China, All The Time Benji (Jan 15)
- Re: All China, All The Time Christian Sciberras (Jan 15)
- Re: All China, All The Time Thor (Hammer of God) (Jan 15)
- Re: All China, All The Time r00t (Jan 15)
- Re: All China, All The Time Marc Maiffret (Jan 15)
- Re: All China, All The Time Stack Smasher (Jan 15)
- Re: All China, All The Time Dan Kaminsky (Jan 15)
- Re: All China, All The Time Marc Maiffret (Jan 15)
- Re: All China, All The Time Christian Sciberras (Jan 18)
- Re: All China, All The Time Bipin Gautam (Jan 18)
- Re: All China, All The Time Christian Sciberras (Jan 18)
- Re: All China, All The Time Bipin Gautam (Jan 18)
- Re: All China, All The Time Christian Sciberras (Jan 18)
- Re: All China, All The Time omg wtf (Jan 19)
- Re: All China, All The Time Ivan . (Jan 19)