[Dailydave] Beyond Fast Flux
Dave Aitel
dave at immunityinc.com
Mon Dec 17 10:56:12 EST 2007
I uploaded a PDF version
http://www.immunityinc.com/downloads/BeyondFastFlux.pdf for those of
you without an ODF viewer installed.
I agree - DNS doesn't normally change a lot. It's easy to find hosts
where DNS is changing all the time, which is why we eschew any name
service as our locater, essentially.
In designing a covert C&C that's parasitic, you also have to consider
the indexer. You don't want your entire network to go silent because
an engineer on Google's search team has found a way to fingerprint
your commands. It would probably be better to replace the <base64>
with <babble-encrypt> because it's a lot harder to fingerprint, until
Google starts doing expensive Bayesian signatures on every Blog
posting in their index. At which point you switch to Technorati or
something. The goal is to make it extremely expensive on their end,
and cheap as dirt on your end. You could just have a link to a file,
rather than embedding the commands in the post itself. A thousand
options. But all of them better than messing with DNS all day, imho. I
didn't do this design, of course. I'm just the VP of Marketing.
People commented about steganography to me: You could steg into an
image/video with a keyphrase in the comment field, for example. But
images get indexed a lot less often than blog postings, and writing
the unsteg code would be a pain in the rear. It's good to keep
Dildog's Tao of Buffer Overflows comment in mind - "What are you
writing, an MFC trojan?!?" Playing the steg game is expensive. It's
likely someone else is better than you and will be able to hunt you out.
__________________________
Dave Aitel
VP Marketing and Publishing
Immunity, Inc.
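As an added defender-side illustration, not part of this post or of Immunity's code: the cheap indexer-side check Dave says the <base64> variant would fall to, a scanner that flags strict-base64 runs with high character entropy inside post text (ordinary long words and repeated characters decode but score low and are ignored). The sample posts and the blob they carry are constructed for the example.

```python
import base64
import binascii
import math
import re

# Constructed sample: a harmless string, base64-encoded, standing in for the
# kind of <base64> blob a parasitic C&C post might carry. Not a real indicator.
SAMPLE_BLOB = base64.b64encode(b"constructed sample, no real command here").decode()

# Constructed posts: one ordinary blog entry, one with the blob appended.
BENIGN_POST = "Spent the weekend reading about internationalization and DNS."
SUSPECT_POST = "Great recipe, thanks! " + SAMPLE_BLOB

# Candidate runs: base64 alphabet, long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def shannon_entropy(s: str) -> float:
    """Bits per character of the run; random base64 approaches 6.0."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def find_base64_blobs(text: str, min_entropy: float = 4.0) -> list[str]:
    """Return runs that (a) decode as strict base64 and (b) look random.

    A long plain word or a repeated character is valid base64 too; the
    entropy threshold is what separates encoded data from those.
    """
    hits = []
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        if len(run) % 4:
            continue  # strict base64 is always a multiple of 4 characters
        try:
            base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        if shannon_entropy(run) >= min_entropy:
            hits.append(run)
    return hits


if __name__ == "__main__":
    for name, post in (("benign", BENIGN_POST), ("suspect", SUSPECT_POST)):
        print(name, find_base64_blobs(post))
```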
matthew wollenweber wrote:
> Having spent some time writing network sensors for the government
> and time trying to get tools to connect outbound during pen tests
> I've seen nothing more effective than clever HTTP traffic embedded
> in real webpages using tags and simple encoding. Abusing DNS
> whether with tunnels, fastflux, or open resolvers sticks out as
> anomalous behaviour -- it's not all too difficult to detect. Yes,
> it costs money and labor but it can be done. What can you do
> about PINK type communication?
>
> I'm not going to claim to have all the answers, but I spent about 9
> months writing network sensors and I can't fathom how you can
> detect that traffic on any scale. Fast flux is the current sexy
> thing but Trickler (govt software) and Tenable's PVS can be tweaked
> to pick it up (even on large OC-3+ pipes).
>
> On Dec 14, 2007 9:44 PM, Paul Ferguson <fergdawg at netzero.net>
> wrote:
>
> -- Brandon Enright <bmenrigh at ucsd.edu> wrote:
>
>>>> If you're going to attack something you should back your
>>>> argument up with a little evidence. The C&C methods
>>>> mentioned in the paper are:
>>>>
>>>> * IRC
>>>> * HTTP to single server
>>>> * Fast-Flux of DNS Servers
>>>> * Storm P2P protocols
>>>> * PINK
>>>>
>>>> About the only thing they missed was DHT, which is arguably
>>>> covered by Storm.
>>>>
>>>> PINK is a good idea. If it really is light-years behind the
>>>> criminals show us the papers, presentations, and discussions of
>>>> more advanced C&C.
>>>> If your argument is that PINK is primitive or that it won't
>>>> work, respond with a paper, a countermeasure, or at the very
>>>> least a detailed
>>>> email of possible flaws in it. C'mon, Gadi, you know better.
>>>>
>
> What about Open DNS resolvers, using double-flux, combined with the
> Storm Overnet?
>
> :-)
>
> - ferg
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave