Dailydave mailing list archives
Re: Dshell versus INNUENDO
From: Kyle Creyts <kyle.creyts () gmail com>
Date: Thu, 5 Feb 2015 18:19:51 -0800
Not explicitly #3, but social-based mechanisms can run into a few troubles, depending on the environment in which it is deployed:

a) policy-based proxy blocking (twitter? that's not a business-needs site!)

b) behavioral/anomaly-based proxy blocking (your user never used to go to $social_network, and now you periodically check in! and push many many many messages!? anomaly! probably badness!)
(there are probably ways to break this up, like posting images into which you encode exfil'd data, and varying the check-in frequency)
(I've only encountered this in the wild a very small number of times. twice?)

...of course these are probably more "edge cases" than primary reasons not to use social platforms for C2. But because these cases exist, it is nice to have nifty C2 mechanisms like DNS TXT which may bypass some logging, passive DNS collection, blocking controls, sinkholing, or otherwise be able to circumvent various other tools defenders might use to catch your tool.

On Wed, Feb 4, 2015 at 10:22 AM, Dean Pierce <pierce403 () gmail com> wrote:
This has me curious about something. I remember Alberto's INFILTRATE 2013 talk about using services like uni.me for these sorts of backchannels (video here: http://infiltratecon.com/albertogarciaillera.html) but it always seemed to me like using social networks instead has some clear advantages. Making it look like someone is just obsessively checking reddit, or facebook (over SSL) seems like it would be much less suspicious than giant wacky DNS queries. Of course my experience in this field is more theoretical than practical, and I wouldn't have brought it up if I didn't fully comprehend how sophisticated INNUENDO is.

Some friends and I demoed a PoC of a CNC backchannel over myspace back in 2007 at the first Toorcon Seattle. I've seen the idea pop up again multiple times since then, but it never seems to have caught on. I work in the product security space at the moment rather than anti-malware/pro-malware, so maybe it's really popular and I just haven't been paying close enough attention.

This leaves me with three possibilities:

1. "DNS still works fine, so why go to all the effort to make sneakier backchannels?"
2. "Of course INNUENDO supports social network backchannels."
3. "Social network backchannels are a stupid idea and you don't know what you're talking about."

My money is on #3, but I'm not sure why. Maybe someone in dailydave land might finally be able to explain this to me? I can't imagine a better audience for this sort of question.

- DEAN

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
--
Kyle Creyts
Information Assurance Professional
Founder BSidesDetroit
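The "behavioral/anomaly-based proxy blocking" case Kyle describes (a user who never visited $social_network suddenly checking in on a fixed period) is easy to demonstrate with a small detector. The following is an added example written for this archive page, not code from the thread, from INNUENDO, or from Dshell. The proxy log format, the usernames, the destination hosts and the per-user baseline are all constructed for the demo; the two thresholds (min_hits, max_cv) are arbitrary starting points, not values from any product. It flags a (user, host) pair when the host is new for that user and the gaps between requests are nearly constant, and it also shows the evasion Kyle mentions: the same new host contacted with a jittered check-in frequency slips past the interval check.

```python
"""Beacon-periodicity check over constructed proxy log lines.

Added example for the Dailydave thread above; not code from the thread or
from any tool it names. Log format, users, hosts, baseline and thresholds
are assumptions made for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <user> <destination host>".
# alice: new host, tight 5-minute period (beacon-like).
# bob:   host already in his baseline, irregular gaps (ordinary browsing).
# carol: new host, but check-in interval is jittered (evades the CV check).
SAMPLE_LOG = """\
2015-02-05T09:00:00 alice twitter.com
2015-02-05T09:05:01 alice twitter.com
2015-02-05T09:10:00 alice twitter.com
2015-02-05T09:14:59 alice twitter.com
2015-02-05T09:20:00 alice twitter.com
2015-02-05T09:25:01 alice twitter.com
2015-02-05T09:03:12 bob reddit.com
2015-02-05T09:41:50 bob reddit.com
2015-02-05T10:02:07 bob reddit.com
2015-02-05T11:30:33 bob reddit.com
2015-02-05T12:15:09 bob reddit.com
2015-02-05T13:40:21 bob reddit.com
2015-02-05T09:00:00 carol imgur.com
2015-02-05T09:07:00 carol imgur.com
2015-02-05T09:09:00 carol imgur.com
2015-02-05T09:21:00 carol imgur.com
2015-02-05T09:24:00 carol imgur.com
2015-02-05T09:40:00 carol imgur.com
"""

# Constructed baseline: hosts each user contacted during an earlier window.
BASELINE = {
    "alice": {"mail.example.com", "intranet.example.com"},
    "bob": {"reddit.com", "mail.example.com"},
    "carol": {"mail.example.com"},
}


def parse_log(text):
    """Group the constructed log into {(user, host): [sorted timestamps]}."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        series[(user, host)].append(datetime.fromisoformat(ts))
    for key in series:
        series[key].sort()
    return series


def interval_stats(timestamps):
    """Mean gap in seconds and coefficient of variation (stdev / mean).

    A CV near 0 means the requests arrive on a near-fixed period, which is
    what a naive sleep(300) beacon looks like from the proxy's side.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None, None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def beacon_candidates(series, baseline, min_hits=5, max_cv=0.2):
    """Return sorted (user, host, mean_gap, cv) tuples that are both new for
    the user relative to the baseline and contacted at near-regular intervals.

    Thresholds are demo assumptions; a real deployment would tune them.
    """
    hits = []
    for (user, host), ts in series.items():
        if len(ts) < min_hits:
            continue
        m, cv = interval_stats(ts)
        if cv is None:
            continue
        new_for_user = host not in baseline.get(user, set())
        if new_for_user and cv <= max_cv:
            hits.append((user, host, round(m, 1), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for user, host, gap, cv in beacon_candidates(parse_log(SAMPLE_LOG), BASELINE):
        print(f"{user} -> {host}: mean gap {gap}s, cv {cv}")
```

Only alice's twitter.com series is flagged. bob's reddit.com traffic is irregular and already in his baseline, and carol's imgur.com requests are new for her but jittered enough that the interval check ignores them, which is exactly why a detector of this shape needs more than periodicity (volume, payload sizes, or the image-upload pattern Kyle alludes to) once an operator starts varying the check-in frequency.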
Current thread:
- Dshell versus INNUENDO Dave Aitel (Feb 03)
- Re: Dshell versus INNUENDO J. Craig (Feb 04)
- Re: Dshell versus INNUENDO Ben Creitz (Feb 04)
- Re: Dshell versus INNUENDO Dean Pierce (Feb 05)
- Re: Dshell versus INNUENDO Kyle Creyts (Feb 06)
- Re: Dshell versus INNUENDO Dean Pierce (Feb 05)