Dissecting RSA's 'Watering Hole' Traffic Snippet
rye writes "Even the tiniest snippets of network traffic reveal a lot — not just about viruses and botnets, but also about the malware research lab setup inside corporations like RSA. Watch as Sherri Davidoff of LMG Security tears apart a teeny tiny snippet of gh0st RAT traffic released by RSA during their investigation of the VOHO 'watering hole' attack. Quoting: 'From just a few bits and bytes, we've learned that RSA's investigator was probably using Windows XP on a VMWare guest, which was assigned the IP address 192.168.0.106. The local router had a network card likely manufactured by 2Wire. We've also seen firsthand that the C2 channel traffic, which was masquerading as "HTTPS," was running over port 80, and confirmed the gh0st RAT's destination.'"
From just one bit of traffic snippet, I can predict that the machine has networking capabilities. Beat that!
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I posit that the machine exists. Beat that!
I was expecting a bit more than disassembling packets.
The machine was just pretending to be a Windows XP machine running as a VMWare guest, etc.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
Wireshark - $0. Packet Capture - $0. Reading ability - $0. Publicity gained from slashdotting an article - Priceless
The 2Wire card is probably on a desktop computer hosting the VMware, she calls it a gateway, and the VM is actually using the host's network card as a gateway.
2Wire has only two options for cards.. USB and PCI. USB in a laptop is somewhat unlikely as most laptops have wireless built in, so I'm looking at a desktop with a higher probability.
VMware means it's also from a company or someone with money. Otherwise it would have been running under VirtualBox or another free VM.
There is still a lot of data that can be extracted from that snippet by doing a little research.
Do not look at laser with remaining good eye.
The Windows user was a short, balding man wearing a Harris tweed sports jacket, who had been married for a long time and had spent several years in India. He did not smoke, and drank only a little, but walked with a slight limp.
No left turn unstoned.
The cat is a human too and he's got enough!
So, stop killing the cat.
How is superbowl adding different from normal addition? Enquiring minds want to know!
People don't realize what they send in packets. When I was in school we used to have a networking class where we had to examine packets for information. During one class we left a sniffer running on the school network just capturing packets; after a few hours we had a list of credit cards from students and profs, we had login names and passwords, we had the distribution of Linux, Mac and Windows computers on the network and more. Now we threw the information away and deleted the file, but what was sad was that we were able to grab so much information with little effort.
We then sat at a Starbucks down the road and did the same thing; we managed to capture several credit card numbers and other sensitive information. Again we got rid of the information, but it goes to show you that you're not even close to as secure as you think. It takes one guy with a netbook to sniff a network, and in a few hours or days he can have enough information to wreck you. I wonder why people aren't being made aware of this. We told our profs what we did and one prof, Jack, just laughed. He said, "That's awesome and well done, as long as the information is destroyed I'm not mad."
So next time you think it's okay to just type that credit card number in, or your SIN (social insurance number), just think who could be sitting there wanting it.
Maybe if you'd stop reminding people where the meme came from it could be divorced from the bullshit. You can't kill the joke but you can sure as hell kill the PR.
No kidding!!! What do you say at this point?
2Wire is a deeply unrenowned maker of painfully shitty integrated DSL modem/router arrangements of the sort that you get because your ISP hates you. So, a very odd thing to see on an actual corporate network; but a plausible thing to use if you are trying to duplicate a 'standard newb user' (or if your security testing environment, for security and verisimilitude, does actually have a bunch of consumer DSL lines set up).
Any trace of VMware, on the other hand, is something of a dead giveaway of "Not a clueless home user". Maybe the install base of their Windows-on-Mac product is big enough these days; but VMware-related virtual hardware devices, MACs, guest addons, etc. (on a desktop OS) are a bit of a dead giveaway that you've just hit somebody's burner test machine (on server OSes, obviously, landing in a VM is perfectly plausible in production environments). I'm surprised that somebody doing security-related work wouldn't make a greater effort to conceal the fact that they are in a VM, to avoid the possibility of rousing the suspicion of a sophisticated attacker.
For my next trick, I will guess this man's name, address, and electricity provider from nothing more than a copy of his electric bill I took from his mailbox! And without even opening the envelope!!
What a non story...
Just be happy he got the brand wrong.
... who always thinks RSA is South Africa at first? It really had me for a minute with the "watering hole" thing. First thing I think of is a muddy pond surrounded by hyenas and giraffes and such...
Editors, you continue to impress me with your ever steepening spiral of buzzword-laden, information-starved stupidity, and baseless drivel.
At least post stories which are fantastical, nebulous, or humorously false.
I understand that everybody who comes here does not possess a basic understanding of cutting edge topics like what a packet header is, but the existence of such things is not news, and reporting as such makes you look like an imbecile one grade beyond the typical "I don't know the difference between power and energy" popular science writer.
And incorrect at that. Other than the article suggests, 0xFFFF != 255
To Terminate, or not to Terminate, that's the question - SCSIROB
Maybe it was an XP VMware session on an XP machine.
Other than the article suggests, 0xFFFF != 255
Sure it does.
0xFFFF = -1 (signed int) = -1 (signed char) = 255 (unsigned char)
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
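The 0xFFFF exchange above is really about integer width and signedness, which matters when a two-byte field is pulled out of a packet and used in a bounds check. The following C program is an added example, not code from the article or from any commenter: it reads a constructed two-byte field holding 0xFFFF and shows what the same bits become as an unsigned 16-bit value, a 32-bit int, a signed 16-bit value, a signed char and an unsigned char, then contrasts a length check done on the signed interpretation with one done on the unsigned interpretation. Conversion of an out-of-range value to a signed type is implementation-defined in C; the -1 results assume the modular (two's complement) behaviour that GCC and Clang document.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed sample: a two-byte big-endian field from a packet, value 0xFFFF. */
static const uint8_t sample_field[2] = {0xFF, 0xFF};

/* Read two bytes as an unsigned 16-bit big-endian value (0xFFFF -> 65535). */
uint16_t read_u16_be(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* The same 16 bits interpreted with different widths and signedness.
 * Each function returns a long so the results can be compared directly. */
long as_uint16(const uint8_t *p) { return (long)read_u16_be(p); }            /* 65535 */
long as_int32(const uint8_t *p)  { return (long)(int32_t)read_u16_be(p); }   /* 65535: fits in 32 bits */
long as_int16(const uint8_t *p)  { return (long)(int16_t)read_u16_be(p); }   /* -1: implementation-defined wrap */
long as_int8(const uint8_t *p)   { return (long)(int8_t)read_u16_be(p); }    /* -1: truncated to 0xFF, then signed */
long as_uint8(const uint8_t *p)  { return (long)(uint8_t)read_u16_be(p); }   /* 255: truncated to 0xFF, unsigned */

/* A length check that is fooled when the field is read into a signed 16-bit type:
 * 0xFFFF becomes -1, and -1 < buf_size passes for any positive buffer size.
 * Returns 1 if the (flawed) check would accept the field, 0 otherwise. */
int length_check_signed(const uint8_t *p, size_t buf_size) {
    int16_t len = (int16_t)read_u16_be(p);
    return len < (long)buf_size;
}

/* The corrected check keeps the field unsigned: 65535 < 1500 is false, so the
 * oversized length is rejected. Returns 1 if accepted, 0 if rejected. */
int length_check_unsigned(const uint8_t *p, size_t buf_size) {
    uint16_t len = read_u16_be(p);
    return (size_t)len < buf_size;
}

int main(void) {
    printf("uint16: %ld\n", as_uint16(sample_field));
    printf("int32:  %ld\n", as_int32(sample_field));
    printf("int16:  %ld\n", as_int16(sample_field));
    printf("int8:   %ld\n", as_int8(sample_field));
    printf("uint8:  %ld\n", as_uint8(sample_field));
    printf("signed length check accepts 0xFFFF against a 1500-byte buffer: %d\n",
           length_check_signed(sample_field, 1500));
    printf("unsigned length check accepts 0xFFFF against a 1500-byte buffer: %d\n",
           length_check_unsigned(sample_field, 1500));
    return 0;
}
```

The practical takeaway for anyone writing a dissector or parser: whether 0xFFFF is "255", "-1" or "65535" depends entirely on the type the bytes land in, so length and offset fields should be read into a fixed-width unsigned type and compared as unsigned before they are used to index a buffer.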
There's that subnet again. It keeps popping up in our investigations. Perhaps we need to have the authorities raid it and shut it down. That should clear up a huge nest of miscreants.
Have gnu, will travel.
It was a MasterCard advertisement......
Last I heard (like yesterday..) VMware has several free offerings.
And who is to say they were not using the internal wifi of a laptop for other 'host' uses, or to avoid blacklisting their laptop somehow?