full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] All China, All The Tim

Re: [Full-disclosure] All China, All The Time

From: Marc Maiffret <marc_at_nospam>
Date: Sat Jan 16 2010 - 05:47:10 GMT
To: Dan Kaminsky <dan@doxpara.com>


Dan, I think the conversation we were having was centered around McAfee saying this is ultra sophisticated and using descriptions that are potentially very inaccurate in cases. I do not think anyone is questioning whether this exploit, being simple or not, was successful. Obviously it was successful and it goes to show how fragile most of the worlds networks are given an IE 0day no more special than any we have seen before and malware DEFINITELY no more special than even what we see with widespread botnet C&C and related systems. The only thing special in this case was the coordinated effort of how the attackers used this leverage quickly and across many organizations to gain access to systems of interest. Surely compromising a desktop user through an IE0day did not provide the keys to the kingdom and further attacks internally, which are as yet unreported, had to of taken place. If McAfee believes this 0day/malware is ultra sophisticated then I am afraid they simply have no grasp on what modern malware entails these days.

So going back to the conversation more specifically comments by McAfee like "triple encrypted shell code", I would like someone from McAfee to tell me they saw encrypted shell code beyond simple java script obfuscation and XOR encoding. I am assuming one of the worlds top security companies is not OK with having people in the media confuse XOR for encryption and that they should probably correct themselves or show the rest of us where this magic encryption is.

-Marc Maiffret

On Fri, Jan 15, 2010 at 9:21 PM, Dan Kaminsky <dan@doxpara.com> wrote:
> If it's stupid and it works, it isn't stupid.
>
>
>
> On Jan 15, 2010, at 11:07 PM, Marc Maiffret <marc@marcmaiffret.com> wrote:
>
>> Todd, have you verified this "encryption" specifically the statement by
>> McAfee:
>> "One of the malicious programs opened a remote backdoor to the
>> computer, establishing an encrypted covert channel that masqueraded as
>> an SSL connection to avoid detection."
>>
>> I assume by masquerade they mean the fact it is communicating over
>> port 443 with some simple XOR'd bytes to form commands for performing
>> various actions ranging from process to file manipulation and updating
>> etc...
>>
>> There are by far better exploits and malware in the world and used
>> even by joe botnet operators than this IE0day and malware.
>>
>> -Marc
>>
>> On Fri, Jan 15, 2010 at 2:57 PM, r00t <r00t@ellicit.org> wrote:
>>>
>>> Can you explain how this is sophisticated. It looks to me like most
>>> decent malware samples I've RE'd:
>>>
>>> The result: triple encrypted shell code which downloads multiple
>>> encrypted binaries used to drop an encrypted payload on a target machine
>>> which then establishes an encrypted SSL channel to connect to a command
>>> and control network.
>>>
>>> If they are so sophisticated and organized, then why do they continually
>>> get noticed shortly after the attack. A major element that you fail to
>>> realize about these so called sophisticated attacks is stealth and
>>> persistence, which this attack lacks.
>>>
>>>
>>>
>>> On 1/15/10 12:33 PM, Densmore, Todd wrote:
>>>>
>>>> Here is my 2 cents on both Google and iiScan
>>>>
>>>>
>>>> http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/01/15/china-google-and-web-security.aspx
>>>>
>>>> ~todd
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/