
Thread: Disturbing trend - Hiding in plain sight

  1. #11
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    That doesn't surprise me in the slightest. They could equally put one of those control IRC servers on a box that just happens to listen on port 443 (it might use SSL too).

    Firewalls, even content-filtering ones, typically just let anything through on HTTPS, because of course, as it's encrypted they can't tell what it is.

    Some nasty-ware is bound to exploit this, and just make outgoing connections via HTTPS (or protocols indistinguishable from HTTPS)

    Yes - either you ban HTTPS, or only allow it to given IP addresses - but that's not very good, as banks etc. change the IP addresses of their HTTPS servers from time to time (and/or use round-robin).
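The point raised in post #11, that a C2 server listening on 443 sails through most firewalls while an IP allowlist breaks as soon as a bank moves or round-robins its HTTPS servers, suggests a first-hop check that does not depend on the destination IP: take the first client-to-server bytes of each session on 443, confirm they are a real TLS ClientHello rather than a plaintext IRC or HTTP stream, and compare the SNI hostname (not the IP) against an allowlist. The following is an added example written for this page by the editor, not code from any poster in the thread. It assumes you already have the first client payload of a flow (from a tap, a pcap or a proxy); the sample ClientHello it builds, the hostname www.example-bank.com and the single cipher suite inside it are constructed for the demonstration only.

```python
import struct
from typing import Iterable, Optional

# Prefixes that give away a plaintext protocol riding on 443. IRC clients
# normally open with NICK or CAP; the HTTP and SSH prefixes catch other abuses.
PLAINTEXT_SIGNATURES = (
    (b"NICK ", "plaintext-irc"),
    (b"CAP LS", "plaintext-irc"),
    (b"GET ", "plaintext-http"),
    (b"POST ", "plaintext-http"),
    (b"CONNECT ", "plaintext-http"),
    (b"SSH-", "plaintext-ssh"),
)


def is_tls_client_hello(data: bytes) -> bool:
    """True if data is one complete TLS record carrying a ClientHello.
    A ClientHello split across records (legal but rare) needs reassembly
    first; fragments are deliberately rejected here."""
    if len(data) < 9 or data[0] != 0x16:            # content type: handshake
        return False
    if data[1] != 0x03 or data[2] > 0x03:           # record version 3.0 .. 3.3
        return False
    rec_len = struct.unpack(">H", data[3:5])[0]
    if len(data) < 5 + rec_len or data[5] != 0x01:  # handshake type: client_hello
        return False
    hs_len = int.from_bytes(data[6:9], "big")
    return hs_len + 4 == rec_len


def classify_port443_payload(data: bytes) -> str:
    """'tls', a plaintext-* label, or 'unknown' for the first client bytes."""
    if is_tls_client_hello(data):
        return "tls"
    for prefix, label in PLAINTEXT_SIGNATURES:
        if data.startswith(prefix):
            return label
    return "unknown"


def parse_sni(data: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello, or None if absent/unparseable."""
    if not is_tls_client_hello(data):
        return None
    hs_end = 9 + int.from_bytes(data[6:9], "big")
    try:
        pos = 5 + 4 + 2 + 32                          # record hdr, hs hdr, version, random
        pos += 1 + data[pos]                          # session_id
        pos += 2 + struct.unpack(">H", data[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + data[pos]                          # compression_methods
        if pos + 2 > hs_end:                          # no extensions block at all
            return None
        ext_len = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, hs_end)
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", data[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5:              # server_name extension
                # ServerNameList: list_len(2) name_type(1) name_len(2) name
                if data[pos + 2] == 0:                # name_type: host_name
                    name_len = struct.unpack(">H", data[pos + 3:pos + 5])[0]
                    return data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):               # truncated or malformed hello
        return None
    return None


def evaluate_flow(data: bytes, allowed_names: Iterable[str]) -> str:
    """Verdict for one outbound session on 443, keyed on protocol and SNI."""
    kind = classify_port443_payload(data)
    if kind != "tls":
        return "alert: non-TLS traffic on 443 (%s)" % kind
    sni = parse_sni(data)
    if sni is None:
        return "alert: TLS ClientHello without SNI"
    if sni.lower() not in {n.lower() for n in allowed_names}:
        return "alert: SNI %s not allowlisted" % sni
    return "allow"


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed sample ClientHello (zero random, one cipher suite) for testing."""
    ext = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = struct.pack(">BH", 0, len(name)) + name
        sni_list = struct.pack(">H", len(sni_list)) + sni_list
        ext = struct.pack(">HH", 0, len(sni_list)) + sni_list
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack(">H", 2) + b"\xc0\x2f" + b"\x01\x00"
    if server_name is not None:
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    allow = ["www.example-bank.com"]                 # hypothetical allowlist entry
    for sample in (b"NICK bot123\r\n", build_client_hello("www.example-bank.com"),
                   build_client_hello("c2.example.net"), build_client_hello(None)):
        print(evaluate_flow(sample, allow))
```

Two caveats follow straight from the post. An IRC server wrapped in SSL (the "it might use SSL too" case) passes the first check, and a bot can put any plausible hostname in its ClientHello, so an SNI mismatch, a missing SNI or a non-TLS stream on 443 is what you escalate on, not proof on its own; the next thing to look at is whether the certificate the server returns actually matches the name the client asked for.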

  2. #12
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    I'm more interested in the delivery technique to be honest
    Thus far, delivery has been done through the following:

    1) SPIM (Instant message spam) i.e. Hey, take a look at this pic! <link>
    2) SPAM Various banking and online payment links to look at new changes to the agreement.
    3) Wireless "seeding". This is very new. What they're doing is wardriving for access points, getting a DHCP lease, then passing the payload to open fileshares and/or through old RPC exploits. Out of all of the methods, this is the one that has me worried the most. There are other implications of using this method that were found that I cannot release publicly - yet.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #13
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Well, I think pretty much that using method 3 has effectively bypassed your firewall on that segment of your network.

    No need to connect to c&c through your gateway, which could be easily spotted. Connection could be made through attacking box.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  4. #14
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Wireless "seeding".
    Ah yes, whatever happened to Kurt Hack and his Wireless Oakland... As soon as I mentioned a solution to his "problem" at less cost, less management overhead and more security he never returned.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #15
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    No need to connect to c&c through your gateway, which could be easily spotted. Connection could be made through attacking box.
    You're on the right path. C&C operators know how security personnel spot their activity. It's usually never at the host, rather, at a gateway or other network device. The logical thing to do is mitigate this so that the activity goes on undetected. Using encryption is one. Seeding with some very interesting routing is another.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #16
    Junior Member
    Join Date
    May 2005
    Posts
    1
    Sounds like SubSeven, Netbus, BackOrifice, and that whole bunch all over again except with ssh and ssl options tacked on. Didn't they always used to try to connect via IRC in the old days, too?

    Just a dumb question from a curious newbie.

  7. #17

    Are there any lists of file names that you have or are allowed to provide to be on the look out for? Or is it just the same (and new) bots just using a different delivery technique? Or are they totally new bots altogether using a different delivery technique?


    C&C is yet another acronym that you should quickly become familiar with
    Also Known As C2 (squared)
    "Champagne for my real friends, real pain for my sham friends" - Ed Norton/25th Hour

  8. #18
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    This is the results of a quick search on a topic which has been lurking in the back of my mind.

    'Mesh networks, where user devices and routing nodes can get co-mingled, might be an interesting twist on Metcalfe's law, which says the value of a network is proportional to the square of the number of users or nodes. Think about it. Where all user devices are also routing devices, it's pretty obvious that, at least for the beginning part of the 'S' innovation curve, the value of network externalities is even greater. This has some interesting implications for seeding 'core' networks by seeding the 'edges'. I'll have to think about that.'

    Author unknown?


    http://www.sce.carleton.ca/wmc/QoSZAP/

    Brings a very interesting point to bear:

    There is another "law" apart from Moore's Law which has an impact on the progress of computing both in business and in general. This is Metcalfe's Law.

    The "law" originated with Bob Metcalfe, the founder of 3Com and the designer of the Ethernet protocol for computer networks, work that he did while at Xerox Corporation. It is believed that Metcalfe invented his law as a means of encouraging companies to network computers together.

    In any event the Law states roughly that:

    "The 'value' of a computer network is proportional to the square of the number of computers in the network."

    Although it is sometimes quoted as:

    "The usefulness of a network is proportional to the square of the number of users."

    (From - http://www.pcw.co.uk/news/1129770)

    In a sense Metcalfe wasn't saying anything profound. Mathematically, if you put a number of dots on a piece of paper, then the number of lines you can draw that connect any two of them is proportional to the square of the number.

    Try to follow my drunken state of mind.

    It's not that there is a "CNC" or IRC relay that poses a new threat, but a different way of doing the same thing. Horse: You are correct in pointing out the latest and greatest. I agree that there will be tremendous damage done; however, there are measures that the "latest" cannot defeat.

    In order to compromise a host, one must install and execute a program. To take over a memory stack is simple:

    mov dx, OFFSET buffer

    But to do that remotely, a process must be launched in memory.

    So let's look at the 'implications for seeding 'core' networks by seeding the 'edges''

    Now we have the ability to remotely control the routers and switches. Sure, drive down your street and reset your neighbor's wireless router's DHCP address to 127.0.0.1. WTF? This does us no good.

    But set the same router to switch, whereby packets are switched based on the DLCI (a Frame Relay equivalent of a MAC-level address)? Routers are configured as a hybrid DTE switch or pure Frame Relay DCE access node in the Frame Relay network. Cisco's implementation of Frame Relay switching does just this and GUESS who bought Linksys?

    Hoss: The more I type the more I think - Let me ponder this, sorry this post is so long and not definitive. In the infamous last words of dino "SysAdmin" I got me an Idea!
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  9. #19
    The reason I was asking was because my laptop was acting funny a couple of days ago and I ran HijackThis on it and I found a Zoominghook.exe in system32 and wanted to know if it might possibly be one of them, because I was unable to turn up any solid info googling it other than that it was related to Toshiba, which I have, but whatever its purpose was is unknown. But I also learned from googling other executables I didn't quite recognize that if it isn't a Microsoft file, it shouldn't be in system32. So, rather than start a whole new thread asking what a zoominghook.exe really does and getting everyone's panties in a bunch over nothing, and possibly getting myself negged for asking, I figured I would ask Horse if he had a list of known files of spyware already found being delivered by this new method that was attacking the command and control center, which I am assuming is System32, although I don't know for sure.

    Everything I have learned since I joined this site this past December, when I first decided I wanted to go into network security & computer forensics and asked you guys where to start, I have taught myself, so I figured that by asking him I could learn something as well as decide if I should fix that file, as well as finding out if there are any other files that may be of concern to me.
    "Champagne for my real friends, real pain for my sham friends" - Ed Norton/25th Hour

  10. #20
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    new method that was attacking the command and control center
    It's not attacking the command and control, it's getting its instructions from the command and control.... It will be used, along with all the other compromised machines, to attack other network entities when the command and control orders it to.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
