Disturbing trend - Hiding in plain sight

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883

    Disturbing trend - Hiding in plain sight

    Most of you know that I do a lot of research on the horrible things that haunt the internet. Recently, I have come across enough samples of malcode to suggest a truly sinister problem is heading our way.

    Though I cannot release the specifics, I have seen several unrelated groups actively testing spyware that once inside your perimeter, tunnels out to the C&C via SSH and in other cases, SSL.

    Detecting these new threats will be extremely difficult and will force security vendors to quickly throw together heuristics that say if you see this protocol and if the destination is an IRC server then block the traffic (or something of the like).

    I'm going to discuss this in detail with an AV vendor on Monday. Hopefully they will have encouraging news, as in they are also aware and have a viable solution ready to go.

    Consider this your early warning.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Well.... for us Windows users the SSH issue is mitigable, block port 22 outbound which is already done for all except 2 addresses on my internal network. Your average user doesn't need it so why allow it unless it's a "tripwire"? I like tripwires....

    SSL is a problem though.... How will I do my banking from work???? Seriously, it's impossible to manage who can connect to which site by SSL on all but the smallest networks. Certainly, the bigger the network the greater the "earache" IT will get when they choose to close outbound SSL.....

    It might be just the right time to set up an ethereal box to log all outbound SSL traffic and begin determining what is legitimate and what isn't. Call it "cotton wool preparation". Then when you choose to block it at least you are already armed with the information to allow the valid SSL traffic to move between the internal and the external.... It'll help with the earache if nothing else.

    The bothersome thing with this is the amount of work. Unless you watch it daily you have no idea how many banks redirect their users to unresolvable servers, (by RDNS), for the SSL online banking connections. This means Whois searches and often they turn up the provider for the bank meaning you have to backtrack in the log to the last HTML connection the user had and hope that indicates the bank.... Some of the users are smart enough to create a shortcut directly to the SSL login page which makes the backtrack idea an issue..... (though this isn't always possible 'cos some banks are smart enough to check the referrer when the connection is made IIRC). The only other "sensible" option, (unless you have time to sit there all day monitoring and VNCing to the individual boxes), is to play the "security nazi" and call everyone making an SSL connection and ask them what they are doing..... You're really gonna be loved for that....

    All together now.... "I love my job, I love my job....... etc."
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
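    The two mitigations discussed in the posts above (an outbound port-22 "tripwire" for hosts that have no business using SSH, and logging outbound SSL so each session can be traced back to the last HTML site the same user visited) can be scripted against a firewall or proxy log. The block below is an added example written for this page, not code from either poster. The log lines, the SSH allow-list addresses and the reverse-DNS table are all constructed; in practice the rDNS column would come from live PTR lookups and the allow-list from your own firewall policy.

```python
"""Egress triage: SSH tripwire hits plus attribution of outbound SSL sessions
to the HTTP site the same host visited just beforehand.

All data below is constructed for illustration; nothing is from a real network.
"""
from datetime import datetime, timedelta

# Hosts permitted to open outbound SSH (assumed; the post mentions "2 addresses").
SSH_ALLOWED = {"10.0.0.5", "10.0.0.9"}

# Stand-in for reverse DNS: a constructed table instead of live PTR lookups.
# None models the "unresolvable by RDNS" bank front-ends the post complains about.
RDNS = {
    "203.0.113.10": "www.examplebank.test",
    "203.0.113.11": None,
    "198.51.100.7": "irc.example.test",
}

# Constructed firewall log: timestamp, source, destination, dest port, protocol.
LOG = """\
2004-10-01T09:00:01 10.0.0.5 203.0.113.10 22 tcp
2004-10-01T09:01:10 10.0.0.22 198.51.100.7 22 tcp
2004-10-01T09:05:00 10.0.0.22 203.0.113.10 80 tcp
2004-10-01T09:05:04 10.0.0.22 203.0.113.11 443 tcp
2004-10-01T10:30:00 10.0.0.31 203.0.113.11 443 tcp
"""


def parse_log(text):
    """Parse the whitespace-separated log format used above into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "dport": int(dport), "proto": proto})
    return events


def ssh_tripwire(events, allowed=SSH_ALLOWED):
    """Any outbound TCP/22 from a host outside the allow-list is a tripwire hit:
    the rule exists to be tripped, not to serve traffic."""
    return [e for e in events
            if e["proto"] == "tcp" and e["dport"] == 22 and e["src"] not in allowed]


def attribute_ssl(events, window=timedelta(minutes=5), rdns=RDNS):
    """For each outbound 443 session, backtrack to the last port-80 site the same
    host visited within `window` and use it as the probable owner of the SSL
    endpoint. Sessions with no rDNS name and no preceding HTTP site are the ones
    that need a human (or a phone call to the user) to resolve."""
    last_http = {}
    results = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["dport"] == 80:
            last_http[e["src"]] = e
        elif e["dport"] == 443:
            prior = last_http.get(e["src"])
            likely_site = None
            if prior and e["ts"] - prior["ts"] <= window:
                likely_site = rdns.get(prior["dst"]) or prior["dst"]
            name = rdns.get(e["dst"])
            results.append({
                "src": e["src"], "dst": e["dst"], "rdns": name,
                "likely_site": likely_site,
                "needs_review": name is None and likely_site is None,
            })
    return results


if __name__ == "__main__":
    evs = parse_log(LOG)
    for hit in ssh_tripwire(evs):
        print("SSH tripwire:", hit["src"], "->", hit["dst"])
    for r in attribute_ssl(evs):
        print("SSL:", r)
```

The backtrack heuristic is only as good as the window and the assumption that the user reached the login page through a normal HTML page; as the post notes, a bookmarked SSL login page or a bank that redirects to an unrelated provider leaves the session unattributed, which is exactly what the `needs_review` flag surfaces.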

  3. #3
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724

    Re: Disturbing trend - Hiding in plain sight

    Originally posted here by thehorse13

    tunnels out to the C&C via SSH and in other cases, SSL.
    --TH13
    At the risk of sounding like an amateur, I'm not sure I understand what you mean by tunneling out to C&C. Honestly when I see C&C I think of Command and Conquer. Heh.. but for real, what is this about?
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2

  4. #4
    Banned
    Join Date
    Aug 2004
    Posts
    534
    I was thinking the same damn thing... long live C&C

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Command and Control is what I believe Hoss is referring to......

  6. #6
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Ummm Hoss?
    Kill the lights, let the candles burn behind the pumpkins' mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again every day is Halloween. -- The Misfits
    FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Yes, C&C is yet another acronym that you should quickly become familiar with. Command and Control. When a bot sets up shop on a host, it contacts the command and control (usually IRC) server. From that server, the scum bag (usually in Asia) feeds commands down to the infected host while at the same time gathering (usually identity theft) information along with any credit card, banking and/or internet payment account info (paypal, etc.).

    This is the new battle folks. Trust me when I say this will get far worse before it gets better. I've not been impressed with vendor response to this issue. The word "futile" has come up from the very people you pay to protect your systems from this sort of junk.

    Tiger old pal,

    Yep, agreed that SSH is a lesser pain. They have been experimenting with SSH because it's free, it's open and it's everywhere. The biggest problem as you know is SSL. We're already developing strategies for this in the organization, however, the average home user doesn't stand a chance.
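    The vendor heuristic sketched in the first post (recognise the protocol, then decide by destination) and the bot behaviour described just above (the infected host registers with an IRC C&C server) come together in a protocol-aware check: look for the IRC registration sequence in the first bytes of a flow regardless of port, and note that a TLS-wrapped flow gives the same check nothing to work on. The block below is an added example for this page, not code from the poster or from any vendor product; the flows and payloads are constructed, and the handful of IRC commands and the TLS ClientHello fingerprint are the only signatures it knows.

```python
"""Port-independent IRC C&C detection on captured flow payloads, and why an
SSL/SSH-wrapped channel defeats it. Sample flows are constructed, not captured.
"""
import re

# IRC client registration/command lines (RFC 1459 style), one per line.
IRC_LINE = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PASS) [^\r\n]*\r?\n", re.M)


def looks_like_irc(payload):
    """Two or more IRC command lines in the first 512 bytes of a flow, on any port."""
    return len(IRC_LINE.findall(payload[:512])) >= 2


def is_tls_client_hello(payload):
    """TLS record header: content type 0x16 (handshake), major version 3,
    followed by a handshake message of type 0x01 (ClientHello)."""
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01


def classify_flows(flows):
    """Return (src, dst, dport, verdict) per flow. The verdict comes from the
    payload, not the port, so IRC on 8080 is still caught; an encrypted flow
    is only ever 'encrypted-opaque', which is the whole problem the thread raises."""
    out = []
    for f in flows:
        if looks_like_irc(f["payload"]):
            verdict = "irc-c2-suspect"
        elif is_tls_client_hello(f["payload"]):
            verdict = "encrypted-opaque"
        else:
            verdict = "other"
        out.append((f["src"], f["dst"], f["dport"], verdict))
    return out


# Constructed sample flows: the same bot registration on the standard IRC port
# and on 8080, a TLS ClientHello to 443, and an ordinary HTTP request.
IRC_REG = b"NICK bot1234\r\nUSER bot 0 * :bot\r\nJOIN #cmd\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 32
FLOWS = [
    {"src": "10.0.0.22", "dst": "198.51.100.7", "dport": 6667, "payload": IRC_REG},
    {"src": "10.0.0.22", "dst": "198.51.100.8", "dport": 8080, "payload": IRC_REG},
    {"src": "10.0.0.22", "dst": "198.51.100.9", "dport": 443, "payload": TLS_HELLO},
    {"src": "10.0.0.31", "dst": "203.0.113.10", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
]

if __name__ == "__main__":
    for row in classify_flows(FLOWS):
        print(row)
```

The third flow is the case the original post warns about: once the bot wraps the same IRC exchange in SSL, the only thing left to classify on is the destination, which brings you back to the whitelisting and attribution work described in the earlier reply.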

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    OK now that I have a better idea of what you're talking about, I did encounter something like this a short while ago, although I'm not sure if any ssh was involved.

    It was from a spam bot that appeared on Microburn's server. When I looked into it, I played with it and infected a VM host with it. I submitted the file to Norton and McAfee, and both responded within a day telling me that they had developed a removal tool for it. They did classify it as a "non-repairable threat", though.

    They worked by installing mIRC and then running it within a wrapper that hid that instance of mIRC from Windows.

    So I think they already exist, but are not to the point of being self replicating yet.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Exactly. The technique has not been perfected but from what I have seen, it will be soon.

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Hoss:

    I'm more interested in the delivery technique to be honest.... It's sorta like having a nuclear weapon but only owning a truck when your target is across an ocean....

    The most likely mitigation will occur if you can block the delivery.

    Really though, the home user in general is no more screwed by this than anything else because they don't even know that an egress rule is something you can do. They get infected by something and it's endgame right there.....
