Comments


Cleaning Up the Mess After a Major Hack Attack

httptech Re:Government warnings?? (100 comments)

It's pretty simple - the attackers install backdoor trojans which phone home to various command-and-control (C2) servers. In some cases when the USG identifies a high-value (i.e. involved in corporate and/or government espionage) C2 in the U.S. they get a warrant to monitor all network traffic to and from that host at the upstream. Once you have netflow or pcap data you can pretty easily tell who the compromised companies are when you see their corporate firewall IP hitting the C2 at regular intervals.

Private-sector researchers do this as well sometimes, but you need cooperation from the upstream. Or in some cases, the attackers are sloppy enough to leave behind publicly-accessible server logs a la Shady RAT.

more than 2 years ago

McAfee Disclaims Claims of Chinese Involvement in 'Shady RAT'

httptech Re:Why is this supposed to be a government attack? (56 comments)

Hardly any of the trojans used by Chinese APT actors are sophisticated at all. All these sophisticated features you listed are fine if you're only looking to launch a single-purpose attack, like a Stuxnet. The Chinese APT actors want to maintain a long-term presence even after they are discovered on the network.

As the sophistication of the malware rises, so does the cost/time involved, so it limits how many trojans you can deploy at once. Once your super-sophisticated trojan with rootkit, traffic tunneling, AV circumvention, strong encryption, disk and network stealth features gets discovered, your capability to maintain a long-term presence ends and you have to develop another one from scratch. There are only so many programmers working at this skill level, you don't find them every day.

The Chinese APT actors' answer to the problem is simply to throw a ton of different entry-level programmers at the problem. Each one basically uses the same feature requirements list and comes up with a completely different malware codebase, each one by default undetected by AV since it is brand new. Then each actor group goes after their targets using a set of those malware families. If one is discovered, that's OK, because nine more are probably still live on the victim network.

about 3 years ago

Microsoft: No Botnet Is Indestructible

httptech Re:Anything U don't recognize? Potential malware! (245 comments)

You have a chicken-and-the-egg problem. You said: "1.) Recovery Console bootup 2.) listsvc command to spot offending bogus MBR protecting driver (hello_tt.sys)" - in this case you have prior knowledge. You knew there was a rootkit in play, and you knew what it was named.

What if it has borrowed the name of another legit third-party driver? What if the rootkit code is just a stub inside another legit driver? This technique has been used by malware for years now. Now, how do you tell which is the malicious driver and which is not? How do you even tell if there is a rootkit in play at all? The answer is: other tools and techniques and most importantly, a lot of time spent.

more than 3 years ago

Microsoft: No Botnet Is Indestructible

httptech Re:Let ME correct YOU, point-by-point... apk (245 comments)

You missed the point. Yes, TDL4 malware can be cleaned manually, no one is disputing that. The entire system could be forensically sanitized - manually - using the recovery console or a liveCD. It could take a long time depending on how many payloads had been downloaded and how well they hide. But this is not enough to kill the botnet unless you do this to 4.5 million PCs all at once. I never said your TDL-4 removal steps were incorrect, I just said they would not "kill the botnet", which is what Microsoft is suggesting they can do.

While nothing is impossible in theory, trying to destroy this botnet "one rig at a time" as you suggest would take decades even if you had an army tracking them down and cleaning them. The botnet would die on its own by then because the hard drives of those systems would fail first. Again though, I am replying to Microsoft's claims here, not yours.

The part you are wrong about is being able to use ProcessExplorer to fully sanitize the PC of the remaining malware. The only thing that truly separates malware from non-malware is intent. That's it. A P2P filesharing client and a P2P bot could share 99.999% of the same code, with only a single hidden malicious function. Tell me where in ProcessExplorer you would see the difference.

I'm not sure if you truly understand rootkits if you think they can't hide from ProcessExplorer. Even the simpler kernel-mode rootkits can do this, removing the hidden process from the kernel's linked list of objects - the same list that ProcessExplorer has to request from the OS to show you that tree of parent/child processes.

Making a determination on whether or not a program is malware is very hard to do programmatically and even for a human often takes hours poring over the code in a debugger trying to understand the program's intent. If it were so easy, antivirus programs would still be adequate protection in this day and age.

more than 3 years ago

Microsoft: No Botnet Is Indestructible

httptech Re:He's right, & here's my technique for it... (245 comments)

No one said TDL4 can't be cleaned from a single PC. Cleaning it from all of them near-simultaneously is what you would have to do to destroy this botnet. The MSRT tool is not capable of performing the steps you described.

BTW your steps could still leave malware on the system unless you are a forensic/malware expert and can tell good processes from bad in ProcessExplorer. It's not so easy as you make it seem. Even if you are that experienced in process analysis, there could still be other kernel-level rootkits hiding malicious processes from ProcessExplorer. It could take days to truly disinfect a TDL-4-infected system that had been downloading payloads for a while. That's why reformat/reinstall has become the best-practice for dealing with malware, even though it is anathema to most Windows users/admins.

Another thing to note is that Microsoft hasn't destroyed the Rustock botnet, they are merely suppressing it. They will never be able to clean all the infected Rustock PCs, because countless thousands of them don't get Windows updates (either because they are pirated copies of Windows or updates have been disabled by other malware) and thus will never run the MSRT tool. If MS ceases their efforts before every last machine is sitting in a dump somewhere, the botnet could return, however unlikely that the author would bother to restore control.

more than 3 years ago

Targeted Attacks Focus On Economic Cyberterrorism

httptech Re:Time for IBM to work on the ZTIC successor? (73 comments)

Have a look at Cronto - it's an out-of-band authentication system, similar to ZTIC but doesn't use an electrical connection to the computer that could be impacted by a malware infection on the PC. Instead it transfers encrypted/signed transaction details via visual code to the Cronto device (or Cronto app running on a camera-enabled smartphone). There are a few other similar systems from other vendors, but Cronto is the only one I've seen with a mobile app so far.

more than 3 years ago

Stuxnet Analysis Backs Iran-Israel Connection

httptech Re:It's called circumstantial evidence (307 comments)

Nope, I'm pretty sure it's a reference to guavas, considering the complete path was:

b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

more than 3 years ago

Botnet Targets Web Sites With Junk SSL Connections

httptech Re:Is it an attempt to break in? (64 comments)

It's not. There's no exploit code sent, just random bytes and the replies are discarded.

more than 3 years ago

Botnet Targets Web Sites With Junk SSL Connections

httptech Re:Huh? (64 comments)

I think they're attempting to evade brain-dead automated protocol inspection, not trying to fool a human.

more than 3 years ago

Botnet Targets Web Sites With Junk SSL Connections

httptech Re:Entropy depletion (64 comments)

They're not. The connections are far too infrequent (15 connections, then sleep for 30 hours).

more than 3 years ago

Banks Urge Businesses To Lock Down Online Banking

httptech Re:Oh, yeah! Another "Eastern Europe" story... (201 comments)

Yeah, that's why most banking fraud trojans that target U.S. banks are compiled on Russian-language PCs and connect back to Russian-developed webserver software. I'm afraid your "well-established" fact doesn't ring true with anyone that actually tracks banking trojans for a living.

about 5 years ago

Diagnose Conficker With Web-Based Eye Chart

httptech Re:Jon Stewart? (180 comments)

Ah yes, as hilarious as the first hundred times I've seen that joke posted about me. Maybe I _should_ just change my name to !jonstewart...

-Joe

more than 5 years ago

The World's Biggest Botnets

httptech Re:The lack of mention of business security here.. (243 comments)

Your scenario of corporate chaos isn't accurate when it comes to Storm. Storm isn't self-replicating; it doesn't spread to other internal systems. It can however steal email addresses and possibly other external systems will begin to send Storm social-engineering emails to the rest of the company. However, if you have a sane firewall policy that doesn't allow arbitrary high-port UDP traffic outbound and inbound, the Storm node will never be able to link up to the rest of the botnet, rendering it more of a noisy annoyance than a threat to the company's data.

more than 6 years ago

Submissions


httptech writes | more than 7 years ago

httptech writes "Recently I was targeted for a DDoS attack by a custom-compiled DDoS trojan. During the course of my investigation into the attack, I not only learned which malware author was behind the attack, but that similar attacks have been taking place targeting anti-rootkit developers and anti-spam researchers- particularly those involved in exposing pump-and-dump stock spam. Though similar in nature, the attack patterns are different, meaning there seems to be a growing trend among a few virus authors/stock spammers to try and silence those who stand in the way of their profits."

Journals

httptech has no journal entries.
