| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6aa1d39f1001152007p21ff51b8od56549f996cfb534@mail.gmail.com> Date: Fri, 15 Jan 2010 20:07:24 -0800 From: Marc Maiffret <marc@...cmaiffret.com> To: r00t <r00t@...icit.org> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: All China, All The Time Todd, have you verified this "encryption" specifically the statement by McAfee: "One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection." I assume by masquerade they mean the fact it is communicating over port 443 with some simple XOR'd bytes to form commands for performing various actions ranging from process to file manipulation and updating etc... There are by far better exploits and malware in the world and used even by joe botnet operators than this IE0day and malware. -Marc On Fri, Jan 15, 2010 at 2:57 PM, r00t <r00t@...icit.org> wrote: > Can you explain how this is sophisticated. It looks to me like most > decent malware samples I've RE'd: > > The result: triple encrypted shell code which downloads multiple > encrypted binaries used to drop an encrypted payload on a target machine > which then establishes an encrypted SSL channel to connect to a command > and control network. > > If they are so sophisticated and organized, then why do they continually > get noticed shortly after the attack. A major element that you fail to > realize about these so called sophisticated attacks is stealth and > persistence, which this attack lacks. > > > > On 1/15/10 12:33 PM, Densmore, Todd wrote: >> Here is my 2 cents on both Google and iiScan >> >> http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/01/15/china-google-and-web-security.aspx >> >> ~todd >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists