lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 15 Jan 2010 20:07:24 -0800
From: Marc Maiffret <marc@...cmaiffret.com>
To: r00t <r00t@...icit.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: All China, All The Time

Todd, have you verified this "encryption" specifically the statement by McAfee:
"One of the malicious programs opened a remote backdoor to the
computer, establishing an encrypted covert channel that masqueraded as
an SSL connection to avoid detection."

I assume by masquerade they mean the fact it is communicating over
port 443 with some simple XOR'd bytes to form commands for performing
various actions ranging from process to file manipulation and updating
etc...

There are by far better exploits and malware in the world and used
even by joe botnet operators than this IE0day and malware.

-Marc

On Fri, Jan 15, 2010 at 2:57 PM, r00t <r00t@...icit.org> wrote:
> Can you explain how this is sophisticated.  It looks to me like most
> decent malware samples I've RE'd:
>
> The result: triple encrypted shell code which downloads multiple
> encrypted binaries used to drop an encrypted payload on a target machine
> which then establishes an encrypted SSL channel to connect to a command
> and control network.
>
> If they are so sophisticated and organized, then why do they continually
> get noticed shortly after the attack.  A major element that you fail to
> realize about these so called sophisticated attacks is stealth and
> persistence, which this attack lacks.
>
>
>
> On 1/15/10 12:33 PM, Densmore, Todd wrote:
>> Here is my 2 cents on both Google and iiScan
>>
>> http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/01/15/china-google-and-web-security.aspx
>>
>> ~todd
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ