-
May 24th, 2005, 02:51 PM
#21
Junior Member
quick question where did you get the bits of code you were talking about in your opening post
-
May 24th, 2005, 03:14 PM
#22
TH13: After the attacker successfully installs his bot, why use a https session anyway?
Since https traffic is 10% of traffic (got here at my client), why bother to use a small traffic to "cover" your activity?
The bot can use a regular http session to do that. It's pretty common to find http tunnels (including source) on the internet, for free. To establish a C&C base, the attacker can use a "normal" http session to communicate with the bot, since it will be hard to monitor (and analyze) each piece of http passing through the firewall.
Maybe a traffic behavior analysis can get those guys (since it is pretty uncommon to see a very long session on http/https), but if it's a 1 minute surf it will be tough to see.
Here we are trying to do that (to capture http tunneling) but we have not been successful most of the time.
For example, I'm one of the "testers" (some of us from tech support were asked to start and do http tunneling from time to time) and until now (3 months) they didn't catch me.
And I'm using a free sw (httport) with the default server. It's really hard when you have a T3 connection to the internet and it is being used up to the top.
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
May 24th, 2005, 04:20 PM
#23
cacosapo:
I can write Snort rules for HTTP traffic because it is in clear. The SSL connection is encrypted so I can't predict the patterns to match.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
May 24th, 2005, 04:54 PM
#24
Originally posted here by Tiger Shark
cacosapo:
I can write Snort rules for HTTP traffic because it is in clear. The SSL connection is encrypted so I can't predict the patterns to match.
I noticed that, TS; however, we couldn't identify a pattern on some traffic that made it different from a normal one. What should I look for on http packets?
What we already tried (and failed):
destination host
long sessions (in my case I start the tunnel, start mIRC, send a couple of msgs for about 1 minute and disconnect)
http command and text (they didn't realize that they can trace /join or other cmds, but it's only valid for IRC; a bot can use other protocols to talk, even accessing some pages to xfer info as a covert channel)
-
May 24th, 2005, 05:06 PM
#25
There are bleeding snort rules for this. Also, like Tiger mentioned, we can spot unencrypted sessions a mile away. The botnet operators know that hiding traffic using widely used protocols such as SSL and SSH will make it difficult to spot them. They are also taking measures so that network devices will miss the traffic, thus, creating a 100% covert operation (or very close to it).
quick question where did you get the bits of code you were talking about in your opening post
Sorry, I cannot reveal this.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
May 24th, 2005, 06:25 PM
#26
Sorry, I cannot reveal this.
He wrote them....
cacosapo: This will be one of those "wait and see" things. We can't write the rules to match a pattern in a packet until we see the packet streams and determine what the constants are in an "in clear" datastream. In an encrypted stream there won't be any constants which makes it impossible to write a rule to match a pattern in a data stream.
It's going to be a problem.
-
May 24th, 2005, 08:31 PM
#27
There are security applications that store hashes of known programs via a local database and a vendor supplied database. For instance winword.exe with the familiar icon association has a nice recorded hash. If I change the icon association (a nice common antivirus avoidance mechanism) or rename or copy winword.exe, the hash changes and therefore a rule that says any uncategorized exe, com or whatever will never be executed will alarm security eyes and prevent the infection in the first place. In addition ssh traffic patterns can be monitored for increase and location of infected machines when traversing the firewall or web filtering appliance.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
May 24th, 2005, 08:37 PM
#28
In addition ssh traffic patterns can be monitored for increase and location of infection machines when traversing the firewall or web filtering appliance.
Baselining this will be a pain too. I know one of our sister agencies has an app that posts via SSL over the net. The problem is that the damned app opens about 15-20 SSL streams every time they work on it. Then there's all the users who are just getting into internet banking and so the baseline changes regularly as they go online. It won't be fun chasing these down every week and often the SSL server is an unresolvable host forcing more in-depth investigation. Don't try asking the user "Where were you banking or shopping at 10:00am today" because they know that it is against policy but, apparently, their mommies omitted to tell them that lying is a bad thing...
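The heuristics cacosapo lists in #24 (destination host, long sessions) and the SSL-stream baselining problem Tiger Shark describes in #28, worked through as an added example; this is not code from anyone in the thread. It aggregates constructed proxy log lines per client/host pair and flags long sessions of many small requests, and clients whose CONNECT (SSL) stream count exceeds a per-host baseline. The log format, hosts, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2005, 5, 24, 10, 0, 0)


def _line(offset_s, client, method, host, nbytes):
    """Build one constructed proxy log line: time client method host bytes."""
    return f"{(BASE + timedelta(seconds=offset_s)).isoformat()} {client} {method} {host} {nbytes}"


# Constructed sample log; not real traffic.
SAMPLE_LOG = [
    _line(0, "10.1.1.5", "GET", "www.example.com", 5120),
    _line(3, "10.1.1.5", "GET", "www.example.com", 2048),
    _line(9, "10.1.1.5", "CONNECT", "bank.example.org", 8192),
]
# Tunnel-like client: a small POST every 5 s to one host for 3 minutes.
SAMPLE_LOG += [_line(i * 5, "10.1.1.9", "POST", "tunnel.example.net", 200 + i % 7) for i in range(37)]
# Client opening 18 SSL streams to one host in under a minute (cf. the 15-20 stream app in #28).
SAMPLE_LOG += [_line(i * 3, "10.1.1.12", "CONNECT", "app.example.org", 4096) for i in range(18)]


def summarize(lines):
    """Per (client, host): first/last seen, request count, byte total, CONNECT count."""
    stats = defaultdict(lambda: {"first": None, "last": None, "n": 0, "bytes": 0, "connect": 0})
    for line in lines:
        ts, client, method, host, nbytes = line.split()
        ts = datetime.fromisoformat(ts)
        s = stats[(client, host)]
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
        s["n"] += 1
        s["bytes"] += int(nbytes)
        if method == "CONNECT":
            s["connect"] += 1
    return stats


def flag(stats, min_duration=120, min_requests=20, max_avg_bytes=512, connect_baseline=10):
    """Return {(client, host): reason} for pairs that exceed the assumed thresholds."""
    alerts = {}
    for key, s in stats.items():
        duration = (s["last"] - s["first"]).total_seconds()
        avg_bytes = s["bytes"] / s["n"]
        if duration >= min_duration and s["n"] >= min_requests and avg_bytes <= max_avg_bytes:
            alerts[key] = "long session of many small requests (possible HTTP tunnel or beacon)"
        elif s["connect"] > connect_baseline:
            alerts[key] = f"{s['connect']} CONNECT streams exceeds baseline of {connect_baseline}"
    return alerts


if __name__ == "__main__":
    for (client, host), reason in flag(summarize(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {reason}")
```

The normal browsing client (two GETs and one banking CONNECT) stays below every threshold, which is the point of keeping a per-host baseline rather than alerting on any SSL session.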
-
May 24th, 2005, 08:43 PM
#29
In that case I would rely on application based filtering. You use Websense, Tiger. Client Policy Manager can lock down application infection that not even antivirus and firewalls can stop. And if you run into that one critical application that gets locked because it was updated without your knowledge, then it can be restored on the fly. Before that I used the web filter to track my spyware and find those pesky internal mail hosts spamming away because they clicked "do you want to stop pop ups?"
-
May 24th, 2005, 08:45 PM
#30
Now, here's my problem.... I don't use Websense....
I use SurfControl.... But I really don't want to have to start discovering and entering all the valid apps..... Please, don't make me do it....