Full Disclosure mailing list archives

Re: All China, All The Time

From: Marc Maiffret <marc () marcmaiffret com>
Date: Fri, 15 Jan 2010 21:47:10 -0800

Dan, I think the conversation we were having was centered around
McAfee saying this is ultra sophisticated and using descriptions that
are potentially very inaccurate in cases. I do not think anyone is
questioning whether this exploit, being simple or not, was successful.
Obviously it was successful and it goes to show how fragile most of
the worlds networks are given an IE 0day no more special than any we
have seen before and malware DEFINITELY no more special than even what
we see with widespread botnet C&C and related systems. The only thing
special in this case was the coordinated effort of how the attackers
used this leverage quickly and across many organizations to gain
access to systems of interest. Surely compromising a desktop user
through an IE0day did not provide the keys to the kingdom and further
attacks internally, which are as yet unreported, had to of taken
place. If McAfee believes this 0day/malware is ultra sophisticated
then I am afraid they simply have no grasp on what modern malware
entails these days.

So going back to the conversation more specifically comments by McAfee
like "triple encrypted shell code", I would like someone from McAfee
to tell me they saw encrypted shell code beyond simple java script
obfuscation and XOR encoding. I am assuming one of the worlds top
security companies is not OK with having people in the media confuse
XOR for encryption and that they should probably correct themselves or
show the rest of us where this magic encryption is.

-Marc Maiffret


On Fri, Jan 15, 2010 at 9:21 PM, Dan Kaminsky <dan () doxpara com> wrote:

If it's stupid and it works, it isn't stupid.



On Jan 15, 2010, at 11:07 PM, Marc Maiffret <marc () marcmaiffret com> wrote:

Todd, have you verified this "encryption" specifically the statement by
McAfee:
"One of the malicious programs opened a remote backdoor to the
computer, establishing an encrypted covert channel that masqueraded as
an SSL connection to avoid detection."

I assume by masquerade they mean the fact it is communicating over
port 443 with some simple XOR'd bytes to form commands for performing
various actions ranging from process to file manipulation and updating
etc...

There are by far better exploits and malware in the world and used
even by joe botnet operators than this IE0day and malware.

-Marc

On Fri, Jan 15, 2010 at 2:57 PM, r00t <r00t () ellicit org> wrote:


Can you explain how this is sophisticated.  It looks to me like most
decent malware samples I've RE'd:

The result: triple encrypted shell code which downloads multiple
encrypted binaries used to drop an encrypted payload on a target machine
which then establishes an encrypted SSL channel to connect to a command
and control network.

If they are so sophisticated and organized, then why do they continually
get noticed shortly after the attack.  A major element that you fail to
realize about these so called sophisticated attacks is stealth and
persistence, which this attack lacks.



On 1/15/10 12:33 PM, Densmore, Todd wrote:


Here is my 2 cents on both Google and iiScan


http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/01/15/china-google-and-web-security.aspx

~todd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: All China, All The Time, (continued)
- - - Re: All China, All The Time Benji (Jan 15)
    - Re: All China, All The Time Christian Sciberras (Jan 15)
    - Re: All China, All The Time Benji (Jan 15)
    - Re: All China, All The Time Christian Sciberras (Jan 15)
    - Re: All China, All The Time Thor (Hammer of God) (Jan 15)
- Re: All China, All The Time Densmore, Todd (Jan 15)
  - Re: All China, All The Time r00t (Jan 15)
    - Re: All China, All The Time Marc Maiffret (Jan 15)
    - Re: All China, All The Time Stack Smasher (Jan 15)
    - Re: All China, All The Time Dan Kaminsky (Jan 15)
    - Re: All China, All The Time Marc Maiffret (Jan 15)
  - Re: All China, All The Time Anders Klixbull (Jan 18)
    - Re: All China, All The Time Christian Sciberras (Jan 18)
    - Re: All China, All The Time Bipin Gautam (Jan 18)
    - Re: All China, All The Time Christian Sciberras (Jan 18)
    - Re: All China, All The Time Bipin Gautam (Jan 18)
    - Re: All China, All The Time Christian Sciberras (Jan 18)
    - Re: All China, All The Time omg wtf (Jan 19)
- Re: All China, All The Time Densmore, Todd (Jan 19)
  - Re: All China, All The Time Ivan . (Jan 19)