Full Disclosure
mailing list archives
Re: All China, All The Time
From: Dan Kaminsky <dan () doxpara com>
Date: Sat, 16 Jan 2010 00:21:29 -0500
If it's stupid and it works, it isn't stupid.
On Jan 15, 2010, at 11:07 PM, Marc Maiffret <marc () marcmaiffret com> wrote:
Todd, have you verified this "encryption" specifically the statement
by McAfee:
"One of the malicious programs opened a remote backdoor to the
computer, establishing an encrypted covert channel that masqueraded as
an SSL connection to avoid detection."
I assume by masquerade they mean the fact it is communicating over
port 443 with some simple XOR'd bytes to form commands for performing
various actions ranging from process to file manipulation and updating
etc...
There are by far better exploits and malware in the world and used
even by joe botnet operators than this IE0day and malware.
-Marc
On Fri, Jan 15, 2010 at 2:57 PM, r00t <r00t () ellicit org> wrote:
Can you explain how this is sophisticated? It looks to me like most decent malware samples I've RE'd:
The result: triple encrypted shell code which downloads multiple encrypted binaries used to drop an encrypted payload on a target machine, which then establishes an encrypted SSL channel to connect to a command and control network.
If they are so sophisticated and organized, then why do they continually get noticed shortly after the attack? A major element that you fail to realize about these so-called sophisticated attacks is stealth and persistence, which this attack lacks.
On 1/15/10 12:33 PM, Densmore, Todd wrote:
Here is my 2 cents on both Google and iiScan
http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/01/15/china-google-and-web-security.aspx
~todd
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
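Marc's point that the "SSL masquerade" is just XOR'd bytes on port 443 suggests a simple check a network defender can run: does the first client record of a 443 flow actually parse as a TLS ClientHello? The following is an added example, not code from the thread or from any of the posters; the sample flows are constructed.

```python
# Added example (not from the thread): flag TCP/443 flows whose first client
# bytes do not parse as a TLS record carrying a ClientHello. Real TLS is the
# baseline; anything else on the port is worth a second look.

TLS_HANDSHAKE = 0x16        # TLS record content type for handshake messages
CLIENT_HELLO = 0x01         # handshake message type for ClientHello
MAX_RECORD = 16384 + 2048   # record length ceiling per RFC 5246 section 6.2.3


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the bytes start a TLS record that carries a ClientHello."""
    if len(first_bytes) < 6:
        return False
    content_type, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    record_len = int.from_bytes(first_bytes[3:5], "big")
    # SSL 3.0 and every TLS 1.x version use major version 3 on the wire
    if content_type != TLS_HANDSHAKE or major != 0x03 or minor > 0x04:
        return False
    if record_len == 0 or record_len > MAX_RECORD:
        return False
    return first_bytes[5] == CLIENT_HELLO


def flag_non_tls_on_443(flows):
    """Return ids of port-443 flows whose first client bytes are not TLS."""
    return [fid for fid, dport, data in flows
            if dport == 443 and not looks_like_tls_client_hello(data)]


# Constructed sample flows: (flow id, destination port, first client bytes).
# flow-1 is a genuine ClientHello prefix; flow-2 is plaintext XOR'd with a
# single byte (0x5A) sent to 443; flow-3 has a zero-length record header.
SAMPLE_FLOWS = [
    ("flow-1", 443, bytes.fromhex("160301012a010001260303") + b"\x00" * 10),
    ("flow-2", 443, bytes(b ^ 0x5A for b in b"GET /cmd HTTP/1.0\r\n")),
    ("flow-3", 443, b"\x16\x03\x01\x00\x00\x01"),
    ("flow-4", 80, b"GET / HTTP/1.1\r\n"),  # not port 443, ignored
]

if __name__ == "__main__":
    print(flag_non_tls_on_443(SAMPLE_FLOWS))  # ['flow-2', 'flow-3']
```

This only catches the crude case the thread describes; a channel that frames its XOR'd bytes inside well-formed TLS records would pass this header check and needs deeper inspection (certificate, cipher negotiation, record sizes).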