funsec mailing list archives
Re: The Criminal Underground: A Walk on the Dark Side
From: coderman <coderman () gmail com>
Date: Wed, 5 Sep 2007 20:54:20 -0700
On 9/5/07, Dude VanWinkle <dudevanwinkle () gmail com> wrote:
> ... so most comcast machines send hash fragments over the web? or is it just port 443 traffic to legitimate sites? I tried googling but found only theory. If anyone has a good link I would appreciate it. It seems impossible to me that they have no centralized communications, else how would commands be given?
the root of the C&C is surely a few people, with a small number of servers (maybe even one person?). these are obfuscated via multiple hops to the "injector" or "controller" peers in the DHT ring (eDonkey2k/overnet/kademlia). so, finding connections from the anonymized C&C into the ring is very hard. then you get to track backwards (if you even get this far) and try to break the anonymized hops (where each hop is monitored by upstream router) to find the source, and without alerting the suspects to your investigation... [is it any wonder storm continues unabated? *g*]
> > (where each hop is monitored upstream as well, to know when to cut and run...)
> You can use their size against them, you can't personally watch that many machines at once, or is the cut-and-run programmatic, because if so, I see a great solution ;-)
i don't know much detail about this aspect of it. it is certainly programmatic, but i have no idea what constitutes an "alarm" from the upstream router. this is also the least discussed aspect of these networks, perhaps because the white hats are trying to sleuth as well as inform without tipping their hand too much. who knows. ask arbor, caida, or $malware_research_team :P [with millions of hosts to pick from, a non trivial subset will have vulnerable upstream routers. these working in tandem are great for each anonymized hop.]
> I keep thinking that if the bot herder has a way to tell all machines to do something (DDoS, send spam, etc), we could take advantage of that and tell them to uninstall the malware.. after RCE'ing their code
yes, if you can break the encryption. i'll avoid a tangent about the ethics of hacking others with good intent. remember creeper and reaper? :)
> thanks for the info! I have a lot of terms to google!
i just found this paper which is an excellent overview of how it works: "Peerbot: Catch me if you can"
http://www.symantec.com/avcenter/reference/peerbot.catch.me.if.you.can.pdf

a description of the kademlia dht protocol is here:
http://en.wikipedia.org/wiki/Kademlia

and a collection of interesting facts about W32.Mixor.Q@mm -> Trojan.Peacomm -> "storm worm"

- it uses MMX, FPU, and exotic API calls like User32!DdeQueryConvInfo to thwart virtualized environments.
- it actively detects VMWare, Virtual PC, and other VM's and goes into an infinite loop.
- it uses a variant of the Tibs polymorphic packer to continually push out variants every ~30? minutes to evade detection signatures.
- the rootkit functionality pulled after initial infection can hide from rootkit revealer, and other malware detectors (although parts of it, like the packer, the wincom32.sys, the spammer, etc, may be detected)
- it has a DDoS component that has been used to react aggressively toward defensive measures like network scans [see http://lists.sans.org/pipermail/unisog/2007-August/027405.html ] as well as others researching the trojan/botnet.

interesting stuff, even if it is nasty business...

best regards,

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
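An added illustration of the point made earlier in the thread (that a Kademlia-style DHT lets every peer retrieve a record published under a key without any central server, and without the lookup ever touching the publisher). This is a constructed toy simulation written for this archive page, not Storm, Overnet or Symantec code; peer labels, the key name and the "command" payload are placeholders, routing tables are filled with global knowledge for simplicity, and MD5 stands in for Overnet's MD4 ids.

```python
import hashlib
from collections import defaultdict

K = 3  # k-bucket size and lookup width, Kademlia's "k" (tiny, for the simulation)

def kad_id(label: str) -> int:
    """128-bit id from a label (Overnet uses 128-bit MD4 ids; MD5 is a stand-in here)."""
    return int.from_bytes(hashlib.md5(label.encode()).digest(), "big")

def bucket_index(a: int, b: int) -> int:
    """Which k-bucket of peer a holds peer b: the highest set bit of a XOR b."""
    return (a ^ b).bit_length() - 1

class SimRing:  # constructed in-memory ring; routing tables filled with global knowledge
    def __init__(self, peer_labels):
        self.peers = sorted(kad_id(l) for l in peer_labels)
        self.buckets = {p: defaultdict(list) for p in self.peers}
        self.store = defaultdict(dict)  # peer -> {key: value} (STORE'd records)
        for p in self.peers:
            for q in self.peers:
                if q != p and len(self.buckets[p][bucket_index(p, q)]) < K:
                    self.buckets[p][bucket_index(p, q)].append(q)
    def known(self, p: int) -> list:
        return [q for bucket in self.buckets[p].values() for q in bucket]
    def closest(self, candidates, key: int) -> list:
        return sorted(set(candidates), key=lambda q: q ^ key)[:K]
    def publish(self, key: int, value: str) -> None:
        """'Injector' role: STORE the record at the K peers XOR-closest to the key."""
        for p in self.closest(self.peers, key):
            self.store[p][key] = value
    def lookup(self, start: int, key: int):
        """Iterative FIND_VALUE from `start`: (value or None, peers queried in order)."""
        shortlist, queried = self.closest([start] + self.known(start), key), []
        while True:
            pending = [p for p in shortlist if p not in queried]
            if not pending:
                return None, queried  # converged on the K closest peers; nothing stored
            for p in pending:
                queried.append(p)
                if key in self.store[p]:
                    return self.store[p][key], queried
                shortlist = self.closest(shortlist + self.known(p), key)

def demo():  # constructed labels, key and payload; any peer finds the record
    ring = SimRing(f"peer-{i}" for i in range(40))
    key = kad_id("command-slot-EXAMPLE")
    ring.publish(key, "opaque-command-blob-EXAMPLE")
    return ring.lookup(ring.peers[0], key)[0]
```

The same property cuts both ways for a defender: whoever learns the key (and, per the thread, can read the payload) sees exactly what the bots see, which is why the record content, not the transport, carries the real secret.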