Dailydave mailing list archives
Re: Better, more FLAME-like, penetration testing
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 27 Sep 2013 16:17:36 -0400
[resending because of RAID controller mishaps]
Daniel Uriah Clemens wrote:
> Awesome, sounds like http://www.youtube.com/watch?v=F3hi5nsy1lE , just not as great on payload protection.
I knew Wes pretty well, back from when he worked with Justine at ISS. And of course, keep in mind he named his Mosquito project MOSREF, as a bit of a play on the CANVAS remote compiler core, MOSDEF. Frankly, there's only a slight difference between injecting LISP and injecting Python at that layer.

But the design of INNUENDO is a lot more than "put a dynamic language in memory" - it's about building an entire stack aimed at covert communications and behavior. MOSDEF and CORE and Meterpreter and Mosquito and all manner of things are essentially connection-bound. You can see them as a tree, spawning downwards from patient zero. Even when they are going over UDP, they are doing so with a persistent connection. This model is even built into their nomenclature and DB schemas. And it's wrong.

But compare that to the C&C structure for FLAME (and I can't link to this enough, because it should be required daily reading for everyone in this business): http://labs.bitdefender.com/2012/06/flame-the-story-of-leaked-data-carried-by-human-vector/

That is the operational plan INNUENDO models. Even for the most basic things: moving a big file from point A to point B. INNUENDO has a built-in resilient BitTorrent-like protocol. If the implant can't connect for a few days, and then gets back online, it'll auto-resume, while at the same time handling whatever other requests have come in for it.

Admittedly, I think the Python part of it is important. There's something about being able to adjust your operational plans faster than incident response teams, while using the same toolkit. But INNUENDO is not just "can package Python into Lsass" any more than Flame is about how to build a web proxy in Lua.

-dave
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- Better, more FLAME-like, penetration testing Dave Aitel (Sep 26)
- Re: Better, more FLAME-like, penetration testing Daniel Clemens (Sep 27)
- Re: Better, more FLAME-like, penetration testing Dave Aitel (Sep 27)
- Re: Better, more FLAME-like, penetration testing Dave Aitel (Sep 27)
- Re: Better, more FLAME-like, penetration testing Moses (Sep 27)
- Re: Better, more FLAME-like, penetration testing Daniel Clemens (Sep 27)