Ham Sandwiches
Jul 7, 2000

OSI bean dip posted:

Here's a question for you: what is an APT and why do you use that term?

You can substitute the word "targeted attack" for APT when you see the term if you want to:

(A) get the gist of what the person is saying
(B) not make a giant production over the stupid "WHAT IS AN APT REALLY?" argument


Ham Sandwiches
Jul 7, 2000

OSI bean dip posted:

Yeah. No. You're not answering the question correctly. How did you come to this conclusion that those two answers are acceptable?

I seem to be able to understand that guy's question, and you seem to be struggling. Is there a reason for this?

Ham Sandwiches
Jul 7, 2000

Wiggly Wayne DDS posted:

You're not willing to try and understand a concept, so are taking shortcuts to avoid the tough questions?

So by being able to parse a fairly simple question, I am taking shortcuts to avoid asking tough questions? Uhh, what?

Like, if a guy comes into the infosec thread and asks a simple question about DNS malware, such as whether using DNS callbacks for C2 communications is prevalent among commodity malware these days or whether it's generally the hallmark of targeted attacks, that seems straightforward. Or can you guys not parse that simple of a question?

[edit] Really, my credentials on APT for a freaking acronym holy hell.

Ham Sandwiches
Jul 7, 2000

OSI bean dip posted:

No. You do not understand the guy's question nor did you answer mine. Again, answer my question: how did you come to the conclusion that APT stands for what you have described to me? Do you know the origins of "APT" for that matter?

Hello, using my expert knowledge, I have reconstructed this guy's impossible to parse query as:

"Is malware using DNS callbacks for C2 communication generally limited to malware that would be used in targeted attacks, or would also be found in commodity malware such as crimeware, ransomware, etc"

Ham Sandwiches
Jul 7, 2000

Wiggly Wayne DDS posted:

This is called a shortcut:

You're substituting a phrase for an entirely different one, while avoiding talking about what the original phrase means, or explaining why your substitution was appropriate and accurate.

Are you familiar with the term 'paraphrase'

quote:

You opted into answering the question, don't be surprised if you get replies back. No one asked you for credentials, and you are entirely missing the point of the original question.

I don't know what the gently caress you're saying to me in this exchange, and I have a feeling you don't either. A guy asked a pretty simple question and got told to gently caress off by someone who was too dumb to understand what he was asking. I pointed out that the question was simple and straightforward, then paraphrased the question when pressed. That's about it. Hopefully we are now on the same page and can return to the exciting topic of infosec and malware discussion.

Would either of you august gentlemen care to weigh in on whether you think DNS-based C2 communications are typically used in more targeted attacks as opposed to, say, malware that uses HTTPS-based callbacks? What about malware that uses Google blogs and fake webpages for C2? Or are we still ignoring that guy's question as if it can't possibly be answered?

Ham Sandwiches
Jul 7, 2000

OSI bean dip posted:

Okay. First of all, stop talking as if you're getting hurt by my asking questions about your inability to understand that "APT" doesn't mean "targeted attack". If you had any clue about what you were talking about, you'd understand that "APT" was a term created by Mandiant to describe a group that was a "state actor", not a "targeted attack" or some other nonsense that you picked up from some marketing brochure at a lovely vendor event. I am not trying to malign your ego here by making you state your credentials; if you had any reading comprehension skills, you'd have noticed I did not once ask that. All I asked is if you understood what "APT" means and just like a lot of people out there, you do not.

Only one vendor is allowed to use "APT" and that is Mandiant/FireEye, as they use it to describe what they suspect as state actor groups. The term is misused just as much as "0-day". So unless you are describing a state actor, an "APT" is not a loving targeted attack.

Now to answer your question: what the gently caress are you trying to get at? Targeted attacks will use any means to get out with whatever level of obfuscation. Any malware author engaging in a targeted attack will have scoped out your network enough to determine whether or not they need to communicate over DNS, HTTP, or, for the hell of it, UUCP. If I am going to target your organization, I sure as gently caress am going to use whatever means to get out.

This seems like an un-researched question really because if you had any clue about "targeted attacks", you'd not be asking how they'd engage in them.

So doesn't that seem like a really useless definition of APT? "The proper, empirical definition of APT is that this one company made up a specific term for state actors but you can only use it in their original, intended way." It was coined in a specific way, but it gets used generally.

When people use the term APT colloquially, they mean "an attack where a guy or organization is targeting me." Whether that means a guy in a Chinese military center doing dumps of your DC / Exchange server or a Russian crimeware guy trying to put POS malware on some system doesn't matter. It means that a guy is spending effort and assigning an operator to accomplish a task.

And yes, in general, I do feel there is a correlation between the evasion techniques being used and whether an attack is targeted or not. "Good enough" is the motto for obfuscation and, in general, obfuscation techniques are not used where they will add unnecessary complexity or where they threaten to burn a technique through common usage that is not worth coming up with countermeasures for.

You should not expect to see any DNS based C2 communication with things like cryptolocker. If you are seeing DNS based C2 communication, you probably aren't dealing with cryptolocker.

This answer:

quote:

cheese-cube posted:

Not very, assuming you're referring to "tunnelling" via udp/53 for the purpose of exfil/C&C. It's extremely easy to spot and there are far better methods available.

So I think this answer is worth clarifying. Using UDP 53 for large data transfers is basically unheard of, yes. However, using DNS queries to both send and receive commands to compromised hosts is quite common and effective, simply because there's so many DNS queries to hide in and most DNS servers do not (did not) log queries due to performance and disk issues.

Here's a writeup on DNS based C2:
https://zeltser.com/c2-dns-tunneling/

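An added example, not from the thread or from the linked Zeltser writeup, of the kind of check the previous post is pointing at: the reason DNS C2 works is that it hides in the volume of legitimate queries, so the practical detection is statistical rather than per-query. This script groups a (constructed, labelled) query log by client and registered domain and flags the pairs where one host asks for many distinct, long, high-entropy subdomains of one domain, which is what encoding data into query names looks like. The log format, the thresholds, and the "last two labels are the registered domain" shortcut are all assumptions of this example; a real deployment would use the Public Suffix List and tune the thresholds against its own baseline.

```python
"""Heuristic scoring of DNS query logs for tunnelled C2 traffic (added example)."""
import math
import re
from collections import defaultdict

# Constructed sample log (not from the thread). Format: "timestamp client qname qtype".
# 10.0.0.5 is ordinary browsing. 10.0.0.7 mimics a DNS C2 beacon: it encodes data in
# long hex subdomains of one attacker-controlled domain and pulls commands back via
# TXT answers. Every hex label below contains each hex digit exactly twice, so its
# Shannon entropy is exactly 4.0 bits/char (the maximum for a 16-symbol alphabet).
SAMPLE_LOG = """\
2017-01-11T22:01:03 10.0.0.5 www.google.com A
2017-01-11T22:01:04 10.0.0.5 mail.example.org MX
2017-01-11T22:01:05 10.0.0.5 static.example.org A
2017-01-11T22:01:05 10.0.0.7 0123456789abcdef0123456789abcdef.cdn-update.example TXT
2017-01-11T22:01:06 10.0.0.7 fedcba9876543210fedcba9876543210.cdn-update.example TXT
2017-01-11T22:01:07 10.0.0.7 02468ace13579bdf02468ace13579bdf.cdn-update.example TXT
2017-01-11T22:01:08 10.0.0.7 13579bdf02468ace13579bdf02468ace.cdn-update.example TXT
2017-01-11T22:01:09 10.0.0.7 0f1e2d3c4b5a69780f1e2d3c4b5a6978.cdn-update.example TXT
2017-01-11T22:01:10 10.0.0.7 8796a5b4c3d2e1f08796a5b4c3d2e1f0.cdn-update.example TXT
2017-01-11T22:01:11 10.0.0.7 www.google.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded/random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered_domain).

    Assumption for this example: the registered domain is the last two labels.
    A real deployment would consult the Public Suffix List (co.uk and friends).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (timestamp, client, qname, qtype) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def score_dns_log(text, min_unique=5, min_entropy=3.5, min_len=20):
    """Group queries by (client, registered domain) and flag tunnelling-like pairs.

    A pair is flagged when the client asked for at least `min_unique` distinct
    subdomains whose mean length and mean entropy both exceed the thresholds.
    The TXT ratio is reported as supporting evidence (TXT answers are a handy
    downlink), not used as a trigger, since plenty of benign TXT lookups exist.
    """
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "txt": 0})
    for _ts, client, qname, qtype in parse_log(text):
        sub, domain = split_name(qname)
        s = stats[(client, domain)]
        s["queries"] += 1
        if sub:
            s["subs"].add(sub)
        if qtype.upper() == "TXT":
            s["txt"] += 1

    findings = []
    for (client, domain), s in sorted(stats.items()):
        subs = s["subs"]
        if len(subs) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(x.replace(".", "")) for x in subs) / len(subs)
        mean_len = sum(len(x) for x in subs) / len(subs)
        if mean_entropy >= min_entropy and mean_len >= min_len:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": s["queries"],
                "unique_subdomains": len(subs),
                "mean_entropy": round(mean_entropy, 3),
                "mean_subdomain_len": round(mean_len, 1),
                "txt_ratio": round(s["txt"] / s["queries"], 2),
            })
    return findings


if __name__ == "__main__":
    for finding in score_dns_log(SAMPLE_LOG):
        print(finding)
```

On the constructed log this flags only 10.0.0.7 against cdn-update.example (six unique 32-character subdomains, entropy 4.0, all TXT); the three ordinary lookups from 10.0.0.5 never reach the unique-subdomain threshold. The same grouping is what makes the "we don't log DNS queries" point in the post bite: without per-client query logging there is nothing to count.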

Ham Sandwiches
Jul 7, 2000

Some of these replies are pretty ugh coming from IT security professionals. The suggestion is to put up a VM and hope it gets infected? :psyduck: Or downloading Mirai from GitHub?

If you google around for malware samples, you can find malware samples. So I googled latest bot samples and got a result for Trickbot with this writeup
https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/

Which led to this hash
https://virustotal.com/en/file/2c4eab037c37b55780cce28e48d930faa60879045208ae4b64631bb7a2f4cb2a/analysis/

Which led to this site
https://www.hybrid-analysis.com/sample/2c4eab037c37b55780cce28e48d930faa60879045208ae4b64631bb7a2f4cb2a?environmentId=100

Which lets you download the sample (bot/malware) if you register an account.
Here's another writeup that describes what the malware does:
https://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot

Then you can run it in your VM and see if you can find the same indicators.

You can try that for other malware that has a writeup, find the writeup, find the hash, google the hash, see if you can DL the sample.

[edit] Here's a list of a bunch of sites that offer malware samples and how access works:
https://zeltser.com/malware-sample-sources/

Ham Sandwiches fucked around with this message at 23:13 on Jan 11, 2017

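An added example, not from the thread or from the linked writeups, of the writeup-to-hash-to-sample procedure above, with the one check worth adding before you detonate anything: pull every MD5/SHA-1/SHA-256 out of a writeup, build the lookup URLs in the formats the thread links to (VirusTotal's old `/en/file/<hash>/analysis/` path and Hybrid Analysis, which keys on SHA-256), and then verify that the file you actually downloaded hashes to the value the writeup gave, so the indicators you go hunting for in the VM belong to the same binary. The writeup excerpt, the MD5 in it, and the stand-in sample bytes are constructed for this example; the SHA-256 is the Trickbot hash already linked above.

```python
"""From writeup hashes to lookup URLs to verifying the downloaded sample (added example)."""
import hashlib
import re

# Length-based classification of hex digests. Order matters for extraction only in
# that \b prevents a 64-char digest from also matching the shorter patterns.
HASH_PATTERNS = (
    ("sha256", re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("sha1", re.compile(r"\b[0-9a-fA-F]{40}\b")),
    ("md5", re.compile(r"\b[0-9a-fA-F]{32}\b")),
)
ALGO_BY_LEN = {64: "sha256", 40: "sha1", 32: "md5"}

# Constructed excerpt standing in for a vendor writeup. The SHA-256 is the Trickbot
# hash linked in the thread; the MD5 is made up for illustration.
WRITEUP_EXCERPT = """\
Sample analysed: 2c4eab037c37b55780cce28e48d930faa60879045208ae4b64631bb7a2f4cb2a
Dropper (MD5): 0123456789abcdef0123456789abcdef
"""

# Constructed stand-in for a downloaded file; not a real binary.
FAKE_SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a malware sample"


def extract_hashes(text):
    """Return [(algo, hash_lowercase)] for every digest in the text, deduplicated."""
    seen, out = set(), []
    for algo, pat in HASH_PATTERNS:
        for h in pat.findall(text):
            h = h.lower()
            if h not in seen:
                seen.add(h)
                out.append((algo, h))
    return out


def lookup_urls(algo, h):
    """URLs in the formats the thread links to (2017-era VirusTotal path).
    Hybrid Analysis keys samples by SHA-256 only, so it is omitted for MD5/SHA-1."""
    urls = {"virustotal": f"https://virustotal.com/en/file/{h}/analysis/"}
    if algo == "sha256":
        urls["hybrid_analysis"] = f"https://www.hybrid-analysis.com/sample/{h}?environmentId=100"
    return urls


def _algo_for(expected):
    expected = expected.lower()
    algo = ALGO_BY_LEN.get(len(expected))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", expected):
        raise ValueError("expected value is not an md5/sha1/sha256 hex digest")
    return algo, expected


def digests(data: bytes):
    """All three digests of a byte string, for cross-referencing writeups."""
    return {algo: getattr(hashlib, algo)(data).hexdigest() for algo, _ in HASH_PATTERNS}


def verify_sample(data: bytes, expected: str) -> bool:
    """True if `data` hashes to `expected` under the algorithm implied by its length.
    Run this on the download before it goes anywhere near the analysis VM."""
    algo, expected = _algo_for(expected)
    return getattr(hashlib, algo)(data).hexdigest() == expected


def verify_file(path, expected: str, chunk=1 << 20) -> bool:
    """Chunked variant of verify_sample for files on disk."""
    algo, expected = _algo_for(expected)
    h = getattr(hashlib, algo)()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest() == expected


if __name__ == "__main__":
    for algo, h in extract_hashes(WRITEUP_EXCERPT):
        print(algo, h, lookup_urls(algo, h))
    print("stand-in matches Trickbot hash?",
          verify_sample(FAKE_SAMPLE, extract_hashes(WRITEUP_EXCERPT)[0][1]))
```

Usage in practice: `verify_file("trickbot.bin", "2c4eab03...")` on the unpacked download, and only then copy it into the VM. A mismatch usually means the sharing site served a different build, or a packed/repacked copy, than the one the writeup documents, in which case the writeup's indicators may simply not be there.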