full-disclosure-uk January 2010 archive

Re: [Full-disclosure] All China, All The Time

From: Marc Maiffret <marc_at_nospam>
Date: Sat Jan 16 2010 - 04:07:24 GMT
To: r00t <r00t@ellicit.org>


Todd, have you verified this "encryption", specifically the statement by McAfee: "One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection."?

I assume by "masquerade" they mean the fact that it is communicating over port 443 with some simple XOR'd bytes to form commands for performing various actions, ranging from process and file manipulation to updating, etc.

There are far better exploits and malware in the world, used even by joe botnet operators, than this IE 0day and malware.

-Marc

On Fri, Jan 15, 2010 at 2:57 PM, r00t <r00t@ellicit.org> wrote:
> Can you explain how this is sophisticated? It looks to me like most
> decent malware samples I've RE'd:
>
> The result: triple encrypted shell code which downloads multiple
> encrypted binaries used to drop an encrypted payload on a target machine
> which then establishes an encrypted SSL channel to connect to a command
> and control network.
>
> If they are so sophisticated and organized, then why do they continually
> get noticed shortly after the attack? A major element that you fail to
> realize about these so-called sophisticated attacks is stealth and
> persistence, which this attack lacks.
>
>
>
> On 1/15/10 12:33 PM, Densmore, Todd wrote:
>> Here is my 2 cents on both Google and iiScan
>>
>> http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/01/15/china-google-and-web-security.aspx
>>
>> ~todd
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
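Added example, not code from the list post, from McAfee's report, or from the malware being discussed: two checks a defender can run on the first client bytes of a TCP/443 flow to tell a genuine TLS session from a channel that merely sits on port 443 and XORs its commands. A real TLS session opens with a record header (content type, version 0x03xx, length); a single-byte XOR key falls to a 256-guess brute force that scores each candidate for readable text. The TLS header, the plaintext command string, the key 0x5A and the "opaque" byte string are all constructed here for illustration; the thread does not give the real C2 command format, so nothing below claims to match it.

```python
# Added example (not from the list post, McAfee, or the malware in question):
# heuristics for the first client bytes seen on TCP/443. A channel that uses
# port 443 with XOR'd bytes is not "SSL": it lacks a TLS record header, and a
# single-byte XOR key is recovered by trying all 256 values. All sample byte
# strings below are constructed; the real C2 format is not given in the thread.

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}   # ccs, alert, handshake, app data
MAX_RECORD_LEN = 2 ** 14 + 2048                # RFC 5246 record-length ceiling


def looks_like_tls_record(data: bytes) -> bool:
    """Plausible TLS record header: type, version 0x03 0x00..0x03, sane length."""
    if len(data) < 5:
        return False
    ctype, vmaj, vmin = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    return (ctype in TLS_CONTENT_TYPES and vmaj == 0x03 and vmin <= 0x03
            and 0 < length <= MAX_RECORD_LEN)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def _is_printable(b: int) -> bool:
    return 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)


def plaintext_score(data: bytes) -> int:
    """Reward ASCII letters, digits and spaces; penalise non-printable bytes."""
    score = 0
    for b in data:
        if (b < 0x80 and chr(b).isalnum()) or b == 0x20:
            score += 1
        elif not _is_printable(b):
            score -= 1
    return score


def recover_single_byte_xor(data: bytes) -> tuple[int, bytes]:
    """Try all 256 keys and return the one whose output looks most like text."""
    key = max(range(256), key=lambda k: plaintext_score(xor_bytes(data, k)))
    return key, xor_bytes(data, key)


def printable_ratio(data: bytes) -> float:
    return sum(_is_printable(b) for b in data) / len(data) if data else 0.0


def classify_first_payload(data: bytes) -> str:
    """Label the first client bytes of a 443 flow: 'tls', 'xor:<key>' or 'opaque'."""
    if looks_like_tls_record(data):
        return "tls"
    key, plain = recover_single_byte_xor(data)
    if printable_ratio(plain) >= 0.9:
        return f"xor:0x{key:02x}"
    return "opaque"


# --- constructed samples ---------------------------------------------------
# TLS 1.0 record (type 0x16, version 0x0301, length 0xc5) carrying a ClientHello
# (handshake type 0x01); the body is truncated because only the header is inspected.
SAMPLE_TLS = bytes.fromhex("16030100c5" "010000c1" "0303") + bytes(32)

# Made-up plaintext command, XOR'd with a single made-up byte, standing in for
# "XOR'd bytes over port 443". Not the real malware's command syntax.
SAMPLE_KEY = 0x5A
SAMPLE_CMD = b"list processes and upload files from documents"
SAMPLE_XOR = xor_bytes(SAMPLE_CMD, SAMPLE_KEY)

# Each byte is paired with its high-bit complement, so under every single-byte
# key half the bytes are non-printable: a stand-in for genuinely encrypted data.
SAMPLE_OPAQUE = bytes.fromhex("17973aba5cdc0181e464")

if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS), ("xor", SAMPLE_XOR), ("opaque", SAMPLE_OPAQUE)):
        print(f"{name:7s} -> {classify_first_payload(sample)}")
```

The record-header check is a heuristic, not proof: a C2 channel can prepend a fake TLS header, and a real TLS session is established by the handshake that follows, so in production the check belongs alongside full handshake parsing (JA3-style fingerprinting, certificate inspection) rather than in place of it. The XOR recovery only covers a single-byte key; a repeating multi-byte key needs the usual key-length guess (Hamming distance or index of coincidence) before the same per-byte scoring is applied column by column.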