OSI bean dip posted: Here's a question for you: what is an APT and why do you use that term?

You can substitute the word "targeted attack" for APT when you see the term if you want to: (A) get the gist of what the person is saying (B) not make a giant production over the stupid "WHAT IS AN APT REALLY?" argument

# Dec 18, 2015 00:49

OSI bean dip posted: Yeah. No. You're not answering the question correctly. How did you come to this conclusion that those two answers are acceptable?

I seem to be able to understand that guy's question, and you seem to be struggling. Is there a reason for this?

# Dec 18, 2015 00:56

Wiggly Wayne DDS posted: You're not willing to try and understand a concept, so are taking shortcuts to avoid the tough questions?

So by being able to parse a fairly simple question, I am taking shortcuts to avoid asking tough questions? Uhh, what? Like, if a guy comes into the infosec thread and asks a simple question about DNS malware, such as whether using DNS callbacks for C2 communications is prevalent among commodity malware these days or whether it's generally the hallmark of targeted attacks, it seems straightforward. Or can you guys not parse that simple of a question?

[edit] Really, my credentials on APT for a freaking acronym, holy hell.

# Dec 18, 2015 01:01

OSI bean dip posted: No. You do not understand the guy's question nor did you answer mine. Again, answer my question: how did you come to the conclusion that APT stands for what you have described to me? Do you know the origins of "APT" for that matter?

Hello, using my expert knowledge, I have reconstructed this guy's impossible-to-parse query as: "Is malware using DNS callbacks for C2 communication generally limited to malware that would be used in targeted attacks, or would it also be found in commodity malware such as crimeware, ransomware, etc.?"

# Dec 18, 2015 01:03

Wiggly Wayne DDS posted: This is called a shortcut:

Are you familiar with the term 'paraphrase'?

quote: You opted into answering the question, don't be surprised if you get replies back. No one asked you for credentials, and you are entirely missing the point of the original question.

I don't know what the gently caress you're saying to me in this exchange, and I have a feeling you don't either. A guy asked a pretty simple question and got told to gently caress off by someone who was too dumb to understand what he was asking. I pointed out that the question was simple and straightforward, then paraphrased the question when pressed. That's about it.

Hopefully we are now on the same page and can return to the exciting topic of infosec and malware discussion. Would either of you august gentlemen care to weigh in on whether you think DNS-based C2 communications are typically used in more targeted attacks as opposed to, say, malware that uses HTTPS-based callbacks? What about malware that uses Google blogs and fake webpages for C2? Or are we still ignoring that guy's question as if it can't possibly be answered?

# Dec 18, 2015 01:45

OSI bean dip posted: Okay. First of all, stop talking as if you're getting hurt by my asking questions about your inability to understand that "APT" doesn't mean "targeted attack". If you had any clue about what you were talking about, you'd understand that "APT" was a term created by Mandiant to describe a group that was a "state actor", not a "targeted attack" or some other nonsense that you picked up from some marketing brochure at a lovely vendor event. I am not trying to malign your ego here by making you state your credentials; if you had any reading comprehension skills, you'd have noticed I did not once ask that. All I asked is if you understood what "APT" means and, just like a lot of people out there, you do not.

When people use the term APT colloquially, they mean "an attack where a guy or organization is targeting me." Does that mean a guy in a Chinese military center doing dumps of your DC / Exchange server, or does it mean a Russian crimeware guy trying to put POS malware on some system? It doesn't matter. It means that a guy is spending effort and assigning an operator to accomplish a task.

And yes, in general, I do feel there is a correlation between the evasion techniques being used and whether an attack is targeted or not. "Good enough" is the motto for obfuscation and, in general, obfuscation techniques are not used where they will add unnecessary complexity or where they threaten to burn a technique through common usage that is not worth coming up with countermeasures for. You should not expect to see any DNS-based C2 communication with things like CryptoLocker. If you are seeing DNS-based C2 communication, you probably aren't dealing with CryptoLocker.

This answer:

quote: cheese-cube posted:

So I think this answer is worth clarifying. Using UDP 53 for large data transfers is basically unheard of, yes. However, using DNS queries to both send and receive commands to compromised hosts is quite common and effective, simply because there are so many DNS queries to hide in and most DNS servers do not (did not) log queries due to performance and disk issues. Here's a writeup on DNS-based C2: https://zeltser.com/c2-dns-tunneling/

# Dec 18, 2015 02:11

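The "hide in the query volume" point above only holds while nobody looks at the queries. As an added example, not code from the thread or from the zeltser.com writeup, here is a small Python heuristic that flags a client sending many distinct, long, high-entropy subdomains under one parent domain in a constructed BIND-style query log. The log format, the IPs, the domain names and the thresholds are all assumptions.

```python
# Added example, not from the thread: heuristic detection of DNS-based C2 /
# tunnelling in a constructed, BIND-like query log. A client that sends many
# distinct, long, high-entropy subdomains under one parent domain is flagged.
import hashlib
import math
import re
from collections import defaultdict

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+.*?: query: (?P<qname>\S+) IN")

def entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s))
                for n in {c: s.count(c) for c in set(s)}.values())

def parse(lines):
    """Yield (client_ip, subdomain, parent) for each line matching LINE_RE."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        labels = m["qname"].rstrip(".").lower().split(".")
        if len(labels) < 3:      # bare parent domain: no room to carry data
            continue
        # Simplification: treat the last two labels as the parent domain.
        yield m["ip"], ".".join(labels[:-2]), ".".join(labels[-2:])

def suspicious(lines, min_unique=20, min_len=30, min_entropy=3.0):
    """Return {(client_ip, parent): stats} for pairs that look like a tunnel."""
    subs_by_pair = defaultdict(set)
    for ip, sub, parent in parse(lines):
        subs_by_pair[(ip, parent)].add(sub)
    hits = {}
    for pair, subs in subs_by_pair.items():
        if len(subs) < min_unique:   # ordinary hosts reuse a handful of names
            continue
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(entropy, subs)) / len(subs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            hits[pair] = {"unique": len(subs), "avg_len": round(avg_len, 1),
                          "avg_entropy": round(avg_ent, 2)}
    return hits

# Constructed log: ordinary lookups from 10.0.0.5, tunnel-like TXT queries from
# 10.0.0.9 whose labels are 40-char hex chunks (sha256 stands in for encoded data).
SAMPLE_LOG = [f"client 10.0.0.5#5353: query: {h}.example.com IN A +"
              for h in ("www", "mail", "cdn", "www", "login")]
SAMPLE_LOG += [f"client 10.0.0.9#4096: query: "
               f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:40]}.c2-demo.test IN TXT +"
               for i in range(40)]
```

Running `suspicious(SAMPLE_LOG)` flags only the 10.0.0.9 / c2-demo.test pair; the thresholds are deliberately loose and would need tuning against real resolver logs, where CDNs and anti-spam lookups also produce long random-looking labels.
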
Some of these replies are pretty ugh coming from IT security professionals. The suggestion is to put up a VM and hope it gets infected? Or downloading Mirai from Gith?

If you google around for malware samples, you can find malware samples. So I googled latest bot samples and got a result for Trickbot with this writeup: https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/

Which led to this hash: https://virustotal.com/en/file/2c4eab037c37b55780cce28e48d930faa60879045208ae4b64631bb7a2f4cb2a/analysis/

Which led to this site: https://www.hybrid-analysis.com/sample/2c4eab037c37b55780cce28e48d930faa60879045208ae4b64631bb7a2f4cb2a?environmentId=100

Which lets you download the sample (bot/malware) if you register an account. Here's another writeup that describes what the malware does: https://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot

Then you can run it in your VM and see if you can find the same indicators. You can try that for other malware that has a writeup: find the writeup, find the hash, google the hash, see if you can DL the sample.

[edit] Here's a list of a bunch of sites that offer malware samples and how access works: https://zeltser.com/malware-sample-sources/

Ham Sandwiches fucked around with this message at 23:13 on Jan 11, 2017
# Jan 11, 2017 23:09