
Dissecting RSA's 'Watering Hole' Traffic Snippet

Soulskill posted about a year ago | from the you-can-tell-by-the-bits dept.

Security 69

rye writes "Even the tiniest snippets of network traffic reveal a lot — not just about viruses and botnets, but also about the malware research lab setup inside corporations like RSA. Watch as Sherri Davidoff of LMG Security tears apart a teeny tiny snippet of gh0st RAT traffic released by RSA during their investigation of the VOHO 'watering hole' attack. Quoting: 'From just a few bits and bytes, we've learned that RSA's investigator was probably using Windows XP on a VMWare guest, which was assigned the IP address 192.168.0.106. The local router had a network card likely manufactured by 2Wire. We've also seen firsthand that the C2 channel traffic, which was masquerading as "HTTPS," was running over port 80, and confirmed the gh0st RAT's destination.'"
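The kind of dissection the summary describes, as an added Python example (not the article's or RSA's code) run over a constructed Ethernet/IPv4/TCP frame: it reads both MAC OUIs against a small hand-typed vendor table, the source IP and TTL, the TCP window (an unsigned 16-bit field, so 0xFFFF is 65535, which also settles the 0xFFFF-versus-255 argument in the comments), and checks whether what rides on port 80 is actually HTTP or TLS. The vendor table, the TTL-to-OS hint and the frame bytes are assumptions constructed for this example.

```python
import struct

# Tiny OUI table, constructed for this example. For real work resolve OUIs
# against the IEEE registry or Wireshark's manuf file, not a hand-typed list.
OUI_VENDORS = {
    "00:0c:29": "VMware, Inc.", "00:50:56": "VMware, Inc.", "00:05:69": "VMware, Inc.",
    "00:1f:b3": "2Wire, Inc.",
}
# Default initial TTLs are only a coarse OS hint: every router hop decrements them.
DEFAULT_TTL_OS = {128: "Windows", 64: "Linux/macOS/BSD", 255: "Solaris/Cisco IOS"}

# Constructed sample frame (not RSA's published bytes): a VMware guest at
# 192.168.0.106 sends a non-HTTP payload to port 80 of 203.0.113.10 (RFC 5737
# documentation range) via a router whose NIC carries a 2Wire OUI.
SAMPLE_FRAME = (
    bytes.fromhex("001fb3aabbcc") + bytes.fromhex("000c29112233") + b"\x08\x00"
    + bytes.fromhex("450000311a2b400080060000")       # IPv4: len 49, TTL 128, proto 6
    + bytes([192, 168, 0, 106]) + bytes([203, 0, 113, 10])
    + struct.pack("!HHIIHHHH", 1035, 80, 1, 1, 0x5018, 0xFFFF, 0, 0)  # PSH|ACK, win 0xFFFF
    + b"Gh0st\x00\x00\x00\x00"                          # payload: neither HTTP nor TLS
)

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def oui_vendor(mac):
    """Map the first three octets (the OUI) of a MAC address to a vendor name."""
    return OUI_VENDORS.get(mac[:8], "unknown OUI")

def window_interpretations(raw2):
    """TCP's window is an unsigned 16-bit field (RFC 793); the same two bytes read
    unsigned, signed, and truncated to one byte give 65535, -1 and 255 for 0xFFFF."""
    (u16,), (s16,) = struct.unpack("!H", raw2), struct.unpack("!h", raw2)
    return u16, s16, raw2[1]

def parse_frame(frame):
    """Dissect Ethernet II + IPv4 + TCP; assumes no IP options, skips TCP options."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    ip = frame[14:]
    if ethertype != 0x0800 or ip[9] != 6:
        raise ValueError("expected IPv4 over Ethernet carrying TCP")
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    src_port, dst_port, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4
    return {
        "src_mac": mac_str(src_mac), "src_vendor": oui_vendor(mac_str(src_mac)),
        "dst_mac": mac_str(dst_mac), "dst_vendor": oui_vendor(mac_str(dst_mac)),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "ttl": ip[8], "os_hint": DEFAULT_TTL_OS.get(ip[8], "unknown"),
        "src_port": src_port, "dst_port": dst_port, "window": window,
        "payload": tcp[data_offset:],
    }

def payload_protocol(payload):
    """Rough look at what actually rides on the connection, regardless of port."""
    if payload[:2] == b"\x16\x03":            # TLS record type 22 (handshake), version 3.x
        return "TLS"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "HTTP"
    return "unknown"

def assess(frame):
    """Parse the frame and flag web-port traffic that is neither HTTP nor TLS."""
    f = parse_frame(frame)
    f["payload_protocol"] = payload_protocol(f["payload"])
    f["suspicious"] = f["dst_port"] in (80, 443) and f["payload_protocol"] == "unknown"
    return f
```

Running `assess(SAMPLE_FRAME)` yields the VMware source OUI, the 2Wire destination OUI, 192.168.0.106, window 65535 and a "suspicious" flag, because the port-80 payload is neither HTTP nor a TLS record.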

69 comments

So what (2, Funny)

Rosco P. Coltrane (209368) | about a year ago | (#43663183)

From just one bit of traffic snippet, I can predict that the machine has networking capabilities. Beat that!

The machine exists (2)

Bananatree3 (872975) | about a year ago | (#43663301)

I posit that the machine exists. Beat that!

Re:The machine exists (5, Funny)

some old guy (674482) | about a year ago | (#43663317)

Being a VM, the machine both exists and doesn't exist.

Entanglement theory proven!

Beat that!

Re:The machine exists (2)

Big Hairy Ian (1155547) | about a year ago | (#43663509)

So you proved that the VM exists and doesn't exists and is therefore in superposition but thus far this only proves cloud entanglement :)

Re:The machine exists (0)

Anonymous Coward | about a year ago | (#43663789)

Oh yeah... the desktop background is set to the cutest picture of Schrödinger's cat

Re:The machine exists (2)

Fuzzums (250400) | about a year ago | (#43666641)

Internet law: As an online discussion grows longer, the probability of a comparison involving cats approaches 1.

Re:The machine exists (1)

Anonymous Coward | about a year ago | (#43663319)

You think the machine exists, therefore you are.

Re:The machine exists (1)

redneckmother (1664119) | about a year ago | (#43665253)

You think the machine exists, therefore you are.

Because you interact with the machine, you become aware of yourself. /existentialism

Re:The machine exists (0)

Anonymous Coward | about a year ago | (#43663329)

I deduce there is pr0n on that machine

Re:The machine exists (1)

Anonymous Coward | about a year ago | (#43665423)

HOW DID YOU KNOW!?

Re:The machine exists (1)

Anonymous Coward | about a year ago | (#43663399)

Only in your head, mate. ;)

In fact, all of Slashdot, including me, this post and in fact the whole basement and food-bringing mom only exist in your mind.

And there's no Matrix telephone nor pills to get out. You can only go *deeper*.

Now what?

Re:The machine exists (-1, Troll)

Anonymous Coward | about a year ago | (#43664145)

Now what?

We can tell nigger jokes and piss off the primitives who still get upset at what other people say.

Re:The machine exists (-1)

Anonymous Coward | about a year ago | (#43664953)

luke, i am your father... wanna watch the video of me fucking your momma when you were conceived?

Re:So what (0)

Anonymous Coward | about a year ago | (#43666075)

My home server is at 192.168.0.105. Have at it boys!

Lame (1)

Anonymous Coward | about a year ago | (#43663309)

I was expecting a bit more than disassembling packets.

Re:Lame (2)

remus.cursaru (1423703) | about a year ago | (#43663855)

wireshark-101 and a mac lookup is something worthy of a /. front page?
Next in the news, a tutorial about upgrading from IE6 to IE7?

Re:Lame (0)

Anonymous Coward | about a year ago | (#43664249)

wireshark-101 and a mac lookup is something worthy of a /. front page?

No, you also need to be bad at math...

Digging deeper into the TCP segment, you can see the Window Size is 0xFFFF, or 255.

Re:Lame and incorrect (1)

scsirob (246572) | about a year ago | (#43664441)

And incorrect at that. Other than the article suggests, 0xFFFF != 255

Re:Lame and incorrect (1)

Fnord666 (889225) | about a year ago | (#43665035)

Other than the article suggests, 0xFFFF != 255

Sure it does.

0xFFFF = -1 (signed int) = -1 (signed char) = 255 (unsigned char)

Nope. (3, Insightful)

StripedCow (776465) | about a year ago | (#43663441)

The machine was just pretending to be a Windows XP machine running as a VMWare guest, etc.

Re:Nope. (1)

Sockatume (732728) | about a year ago | (#43663827)

It's a virtual machine, I'd be terribly surprised if it somehow became an actual physical Windows XP box connected to the network.

Re:Nope. (0)

Anonymous Coward | about a year ago | (#43666547)

This is why you never underestimate XP. Microsoft made a huge mistake.

Re:Nope. (4, Insightful)

jeffmeden (135043) | about a year ago | (#43664459)

The machine was just pretending to be a Windows XP machine running as a VMWare guest, etc.

I thought it was strange that a (presumably) prominent researcher wouldn't at least come up with a MAC address of a cheap embedded NIC for the honeypot. I mean, if I were a malware coder that would be one of the first things to clue me in that [ackbar]it's a trap![/ackbar]. Who would run a completely defenseless Windows XP machine in a VM other than a white hat?

Re:Nope. Chuck Testa (0)

Anonymous Coward | about a year ago | (#43664471)

Maybe it was a XP VMware session on an XP machine.

Priceless (5, Funny)

crazytrain86 (1787660) | about a year ago | (#43663443)

Wireshark - $0. Packet Capture - $0. Reading ability - $0. Publicity gained from slashdotting an article - Priceless

That isn't dead yet? Really? (-1)

neoshroom (324937) | about a year ago | (#43663669)

32-inch television - $270. Superbowl add - $3.8 million. Visa net worth - $19.1 billion. Never letting us forget a mediocre commercial by turning it into a horrible meme - Priceless. Visa, it's everywhere you don't want to be.

Re:That isn't dead yet? Really? (0)

Anonymous Coward | about a year ago | (#43663783)

How is superbowl adding different from normal addition? Enquiring minds want to know!

Re:That isn't dead yet? Really? (1)

Sockatume (732728) | about a year ago | (#43664011)

Maybe if you'd stop reminding people where the meme came from it could be divorced from the bullshit. You can't kill the joke but you can sure as hell kill the PR.

Re:That isn't dead yet? Really? (1)

Anonymous Coward | about a year ago | (#43664125)

Just be happy he got the brand wrong.

Glean even more with a little research. (2)

Lumpy (12016) | about a year ago | (#43663459)

The 2Wire card is probably on a desktop computer hosting the VMware; she calls it a gateway, and the VM is actually using the host's network card as a gateway.

2Wire has only two options for cards: USB and PCI. USB in a laptop is somewhat unlikely, as most laptops have wireless built in, so I'm looking at a desktop with a higher probability.

VMware means it's also from a company or someone with money. Otherwise it would have been running under VirtualBox or another free VM.

There is still a lot of data that can be extracted from that snippet by doing a little research.

Re:Glean even more with a little research. (0)

Anonymous Coward | about a year ago | (#43663589)

The MAC address is purely virtual - I've used KVM with VMWare OUI MAC addresses before.

VMWare can be had for nothing (this could just be a VMWare Player app used for this work - no need for a monied company).

The hypervisor is probably running in bridged mode and the 2Wire address is that of some ADSL router.

Re:Glean even more with a little research. (0)

Anonymous Coward | about a year ago | (#43663945)

No, because "some ADSL router" does not have 2Wire chipsets. Do some research, man.

Re:Glean even more with a little research. (0)

Anonymous Coward | about a year ago | (#43664001)

http://www.amazon.com/gp/aw/d/B001AO1XME
- your move

Re:Glean even more with a little research. (1)

citizenr (871508) | about a year ago | (#43663755)

Data in the article was straight from packets; your conjecture is just an ass_umption you pulled out of your ass.
People pirate VMWare; MACs are randomly generated.

Re:Glean even more with a little research. (2)

Lumpy (12016) | about a year ago | (#43663951)

Yet you lose all your credibility by being an asshole. Want to try again but after you take your meds?

Re:Glean even more with a little research. (1)

citizenr (871508) | about a year ago | (#43665657)

You are right, I'm sorry. I get really agitated when someone commits fallacy of the converse.

Re:Glean even more with a little research. (1)

jeffmeden (135043) | about a year ago | (#43664503)

Data in article was straight from packets, your conjecture is just an ass_umption you pulled out of your ass.
People pirate VMWare, macs are randomly generated.

Pirate VMware? The ESXi hypervisor can be had for *free* and a version of it (current or past, all are stable) can run on just about any hardware, even a cheap $300 homebuilt test box. The question is, was the XP pirated, or was it showing a "your computer is at risk!!!" screen?

Re:Glean even more with a little research. (1)

LordLimecat (1103839) | about a year ago | (#43664885)

From VMWare documentation [vmware.com]

The first three bytes of the MAC address that is generated for each virtual network adapter consists of the OUI. The MAC address-generation algorithm produces the other three bytes.

Unless you manually pick a MAC address, you're going to end up with a MAC that identifies as VMWare, every time.

Grats on being both a jerk AND wrong; it's really a potent combination.

Re: Glean even more with a little research. (0)

Anonymous Coward | about a year ago | (#43666667)

RSA is a division of EMC, which owns (90% of) VMWare. Getting a copy or two hundred is really no more difficult than finding the key generator on the IT department website.

with money (0)

Anonymous Coward | about a year ago | (#43668797)

Last I heard (like yesterday...) VMware has several free offerings.

And who is to say they were not using the internal wifi of a laptop for other 'host' uses, or to avoid blacklisting their laptop somehow?

Elementary my dear Watson (5, Funny)

shikaisi (1816846) | about a year ago | (#43663513)

The Windows user was a short, balding man wearing a Harris tweed sports jacket, who had been married for a long time and had spent several years in India. He did not smoke, and drank only a little, but walked with a slight limp.

Re:Elementary my dear Watson (0)

Anonymous Coward | about a year ago | (#43663719)

the game is afoot!

Re:Elementary my dear Watson (1)

VortexCortex (1117377) | about a year ago | (#43664045)

We can narrow the search a bit further. My crack team of forensic consultants have discovered that his mother was a snow blower, and his father reeked of elderberries.

Re:Elementary my dear Watson (1)

Anonymous Coward | about a year ago | (#43664301)

Thought the mother was a hamster?

Re:Elementary my dear Watson (0)

Anonymous Coward | about a year ago | (#43664995)

We can narrow the search a bit further. My crack team of forensic consultants have discovered that his mother was a snow blower, and his father reeked of elderberries.

You seem to be mixing your movies. The "mother was a snow blower" line is from Short Circuit and the "father reeked of elderberries" line is from Monty Python and the Holy Grail.

Stop killing the cat! (0)

Anonymous Coward | about a year ago | (#43663547)

The cat is a humen too and he's got enough!
So, stop killing the cat.

Re:Stop killing the cat! (0)

Anonymous Coward | about a year ago | (#43664091)

The cat is a humen too and he's got enough!

You misspelled hymen.

It's easy (2)

Murdoch5 (1563847) | about a year ago | (#43663891)

People don't realize what they send in packets. When I was in school we used to have a networking class where we had to examine packets for information. During one class we left a sniffer running on the school network just capturing packets; after a few hours we had a list of credit cards from students and profs, we had login names and passwords, we had the distribution of Linux, Mac and Windows computers on the network, and more. Now, we threw the information away and deleted the file, but what was sad was that we were able to grab so much information with little effort.

We then sat at a Starbucks down the road and did the same thing; we managed to capture several credit card numbers and other sensitive information. Again we got rid of the information, but it goes to show you that you're not even close to as secure as you think. It takes one guy with a netbook to sniff a network, and in a few hours or days he can have enough information to wreck you. I wonder why people aren't being made aware of this. We told our profs what we did and one prof, Jack, just laughed. He said, "That's awesome and well done, as long as the information is destroyed I'm not mad."

So next time you think it's okay to just type that credit card number in or your SIN (social insurance number ) in, just think who could be sitting there wanting it.

Re:It's easy (2, Insightful)

Anonymous Coward | about a year ago | (#43664065)

Was that before HTTPS was big and popular?

Re:It's easy (0)

Anonymous Coward | about a year ago | (#43664231)

Ever tried using encryption?

Re:It's easy (1)

ledow (319597) | about a year ago | (#43664765)

Any idiot typing in their credit card number on an unencrypted connection? Well, they deserve what they get, basically. Even my dad is paranoid about the little yellow padlock and he's only just graduated to two-finger typing (two index fingers, mind you, but it's an improvement!). Hell, he phoned me up one day because he was buying something and the site had a GREEN padlock icon. Gosh. But he had the brains to stop, think, and check in before he typed ANYTHING in.

Pre-HTTPS, which is a long while ago, yes you could grab a lot over the network. Email is probably your biggest target - still a lot of unencrypted email sent around, people obviously haven't heard of SSL/TLS when it comes to SMTP. But anyone sending their credit card number by email - again, they deserve what they get, because at any stage it could end up transmitted or stored unencrypted.

Nowadays, if you can sniff anything, there should be alarm bells ringing. Hell, even the good guys who want to sniff SSL have to basically make all clients trust their fake root certificate in order to do so. There's no way to sniff SSL/TLS traffic on a clean device without being in possession of the target website's private keys, or getting HUGE warnings about how your connection might be unencrypted, basically.

That said, there's a lot worse you can do, for instance intercepting DNS via ARP spoofing and then redirecting to your own "google.com" with a self-signed certificate that you've got from somewhere trusted by the client, or similar. But it's a lot less of a viable real-world attack.

And most people who work from home or hotels have now been forced onto VPNs by their local data protection laws. Good luck sniffing anything on those, even what DNS server they are using.

But, sure, if you gave me a capable connection that sniffed the open Internet, you'd find some fool - and you'd maybe get some details out of an email or two, or passwords to websites, that you can then use for further attacks.

Fact is, though, you're pretty much safe as a casual browser, so long as you keep an eye out for proper security whenever something sensitive is requested. And the people with something worth losing are using VPNs. I know all my "hotel"/"pub"/"airport" access goes through my personal VPN, or not at all.

Re:It's easy (1)

Murdoch5 (1563847) | about a year ago | (#43664843)

I agree with you for the most part, but what about students at a school? The sad fact is that most school networking / IT staff really don't understand security and the schools are too cheap to hire anyone with the proper papers to build in the security needed. Well, most / some people will look for the "lock" in the corner or will make sure the address says "https" not "http"; many people won't. Most have no reservation about whipping out the credit card and making a purchase.

I'm a trifle surprised... (4, Interesting)

fuzzyfuzzyfungus (1223518) | about a year ago | (#43664093)

2Wire is a deeply unrenowned maker of painfully shitty integrated DSL modem/router arrangements of the sort that you get because your ISP hates you. So, a very odd thing to see on an actual corporate network; but a plausible thing to use if you are trying to duplicate a 'standard newb user' (or if your security testing environment, for security and verisimilitude, does actually have a bunch of consumer DSL lines set up).

Any trace of VMware, on the other hand, is something of a dead giveaway of "Not a clueless home user". Maybe the install base of their Windows-on-Mac product is big enough these days; but VMware-related virtual hardware devices, MACs, guest addons, etc. (on a desktop OS) are a bit of a dead giveaway that you've just hit somebody's burner test machine (on server OSes, obviously, landing in a VM is perfectly plausible in production environments). I'm surprised that somebody doing security-related work wouldn't make a greater effort to conceal the fact that they are in a VM, to avoid the possibility of rousing the suspicion of a sophisticated attacker.

Re:I'm a trifle surprised... (1)

jeffmeden (135043) | about a year ago | (#43665157)

2Wire is a deeply unrenowned maker of painfully shitty integrated DSL modem/router arrangements of the sort that you get because your ISP hates you. So, a very odd thing to see on an actual corporate network; but a plausible thing to use if you are trying to duplicate a 'standard newb user' (or if your security testing environment, for security and verisimilitude, does actually have a bunch of consumer DSL lines set up).

Any trace of VMware, on the other hand, is something of a dead giveaway of "Not a clueless home user". Maybe the install base of their Windows-on-Mac product is big enough these days; but VMware-related virtual hardware devices, MACs, guest addons, etc. (on a desktop OS) are a bit of a dead giveaway that you've just hit somebody's burner test machine (on server OSes, obviously, landing in a VM is perfectly plausible in production environments). I'm surprised that somebody doing security-related work wouldn't make a greater effort to conceal the fact that they are in a VM, to avoid the possibility of rousing the suspicion of a sophisticated attacker.

It smacks more of the boss saying "hell no you can't honeypot on our network" and the next best thing being to order a cheap DSL connection, have it delivered to the office, and then plug it into a set of otherwise isolated test boxes for the duration of the experiment. That, or someone working from a machine on their home lab. It's just not plausible that they reset the router MAC and not reset the host MAC.

Re:I'm a trifle surprised... (1)

fuzzyfuzzyfungus (1223518) | about a year ago | (#43665667)

Oh, buying a cheapie residential DSL line for security testing seems totally sensible. I'm just a touch surprised that somebody honeypotting for possibly-sophisticated attackers wouldn't conceal the fact that they are using a burner VM, as well as not using a network connection associated with a well-known security firm.

Re: I'm a trifle surprised... (0)

Anonymous Coward | about a year ago | (#43666587)

I work at another division of EMC (the company that owns RSA and VMWare). We have a Comcast line into our office for testing like this.

And now... (1)

Anonymous Coward | about a year ago | (#43664115)

For my next trick, I will guess this man's name, address, and electricity provider from nothing more than a copy of his electric bill I took from his mailbox! And without even opening the envelope!!

What a non story...

Am I the only one (1)

arlo5724 (172574) | about a year ago | (#43664397)

... who always thinks RSA is South Africa at first? It really had me for a minute with the "watering hole" thing. First thing I think of is a muddy pond surrounded by hyenas and giraffes and such...

Re:Am I the only one (0)

Anonymous Coward | about a year ago | (#43664555)

Nah, Seffrika is not that important (contrary to the belief of many Saffers). And most people just abbreviate it as SA nowadays (which has its own problems with some other countries, regions, continents, and company names). Or ZA, for some internet-savvies, after the TLD.

SMH (1)

Anonymous Coward | about a year ago | (#43664411)

Editors, you continue to impress me with your ever steepening spiral of buzzword-laden, information-starved stupidity, and baseless drivel.

At least post stories which are fantastical, nebulous, or humorously false.

I understand that everybody who comes here does not possess a basic understanding of cutting edge topics like what a packet header is, but the existence of such things is not news, and reporting as such makes you look like an imbecile one grade beyond the typical "I don't know the difference between power and energy" popular science writer.

192.168.*.* (2)

PPH (736903) | about a year ago | (#43665193)

There's that subnet again. It keeps popping up in our investigations. Perhaps we need to have the authorities raid it and shut it down. That should clear up a huge nest of miscreants.
