Dissecting RSA's 'Watering Hole' Traffic Snippet
rye writes "Even the tiniest snippets of network traffic reveal a lot — not just about viruses and botnets, but also about the malware research lab setup inside corporations like RSA. Watch as Sherri Davidoff of LMG Security tears apart a teeny tiny snippet of gh0st RAT traffic released by RSA during their investigation of the VOHO 'watering hole' attack. Quoting: 'From just a few bits and bytes, we've learned that RSA's investigator was probably using Windows XP on a VMWare guest, which was assigned the IP address 192.168.0.106. The local router had a network card likely manufactured by 2Wire. We've also seen firsthand that the C2 channel traffic, which was masquerading as "HTTPS," was running over port 80, and confirmed the gh0st RAT's destination.'"
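The kind of read Davidoff does on the snippet, as an added example in Python (not code from the article, LMG Security or RSA): parse a constructed Ethernet/IPv4/TCP frame, resolve the MAC prefixes against a small OUI table, and flag a port-80 connection whose payload is not cleartext HTTP. The OUI table is a constructed subset, and the MAC addresses, the destination 203.0.113.5, the ports and the payload are all constructed; only the guest address 192.168.0.106 comes from the article.

```python
import struct

# Constructed subset of the IEEE OUI registry; real triage resolves every prefix
# (the 2Wire gateway in the article, for instance) against the full list.
OUI = {"00:0c:29": "VMware, Inc.", "00:50:56": "VMware, Inc."}
HTTP_START = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ", b"HTTP/")

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def oui_vendor(mac: str) -> str:
    return OUI.get(mac[:8].lower(), "unknown (check IEEE OUI registry)")

def parse_frame(frame: bytes) -> dict:  # Ethernet II / IPv4 / TCP triage fields
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    if ip[9] != 6:
        raise ValueError("not TCP")
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]       # skip TCP header (data offset)
    return {
        "src_mac": mac_str(frame[6:12]), "dst_mac": mac_str(frame[:6]),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "payload": payload,
    }

def classify_port80(payload: bytes) -> str:
    """Port 80 should carry cleartext HTTP; anything else deserves a second look."""
    if payload.startswith(HTTP_START):
        return "http"
    if payload[:2] == b"\x16\x03":           # TLS handshake record header
        return "tls-on-port-80"
    return "non-http-on-port-80"

def triage(frame: bytes) -> dict:
    f = parse_frame(frame)
    f["src_vendor"] = oui_vendor(f["src_mac"])
    f["dst_vendor"] = oui_vendor(f["dst_mac"])
    f["verdict"] = classify_port80(f["payload"]) if f["dport"] == 80 else "not-port-80"
    return f

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload) -> bytes:
    hw = lambda m: bytes.fromhex(m.replace(":", ""))   # constructed frame; checksums left zero
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    eth = hw(dst_mac) + hw(src_mac) + b"\x08\x00"
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    tcph = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + iph + tcph + payload

# Constructed sample: a VMware guest at 192.168.0.106 sending a TLS-looking record to port 80.
SAMPLE = build_frame("00:0c:29:12:34:56", "aa:bb:cc:00:00:01", "192.168.0.106", "203.0.113.5",
                     1034, 80, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01")
```

`triage(SAMPLE)` reports the source vendor as VMware and the verdict as TLS on port 80, which is the same pair of observations the article draws from RSA's capture.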
From just one bit of traffic snippet, I can predict that the machine has networking capabilities. Beat that!
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I posit that the machine exists. Beat that!
The machine was just pretending to be a Windows XP machine running as a VMWare guest, etc.
If Pandora's box is destined to be opened, *I* want to be the one to open it.
Wireshark - $0. Packet Capture - $0. Reading ability - $0. Publicity gained from slashdotting an article - Priceless
The 2Wire card is probably on a desktop computer hosting the VMware; she calls it a gateway, and the VM is actually using the host's network card as a gateway.
2Wire has only two options for cards: USB and PCI. USB in a laptop is somewhat unlikely, as most laptops have wireless built in, so I'm looking at a desktop with a higher probability.
VMware means it's also from a company or someone with money. Otherwise it would have been running under VirtualBox or another free VM.
There is still a lot of data that can be extracted from that snippet by doing a little research.
Do not look at laser with remaining good eye.
The Windows user was a short, balding man wearing a Harris tweed sports jacket, who had been married for a long time and had spent several years in India. He did not smoke, and drank only a little, but walked with a slight limp.
No left turn unstoned.
Wireshark 101 and a MAC lookup are something worthy of a /. front page?
Next in the news, a tutorial about upgrading from IE6 to IE7?
People don't realize what they send in packets. When I was in school we used to have a networking class where we had to examine packets for information. During one class we left a sniffer running on the school network just capturing packets; after a few hours we had a list of credit cards from students and profs, we had login names and passwords, we had the distribution of Linux, Mac and Windows computers on the network, and more. Now, we threw the information away and deleted the file, but what was sad was that we were able to grab so much information with little effort.
We then sat at a Starbucks down the road and did the same thing; we managed to capture several credit card numbers and other sensitive information. Again we got rid of the information, but it goes to show you that you're not even close to as secure as you think. It takes one guy with a netbook to sniff a network, and in a few hours or days he can have enough information to wreck you. I wonder why people aren't being made aware of this. We told our profs what we did, and one prof, Jack, just laughed. He said, "That's awesome and well done, as long as the information is destroyed I'm not mad."
So next time you think it's okay to just type that credit card number in, or your SIN (social insurance number), just think who could be sitting there wanting it.
2Wire is a deeply unrenowned maker of painfully shitty integrated DSL modem/router arrangements of the sort that you get because your ISP hates you. So, a very odd thing to see on an actual corporate network; but a plausible thing to use if you are trying to duplicate a 'standard newb user' (or if your security testing environment, for security and verisimilitude, does actually have a bunch of consumer DSL lines set up).
Any trace of VMware, on the other hand, is something of a dead giveaway of "Not a clueless home user". Maybe the install base of their Windows-on-Mac product is big enough these days; but VMware-related virtual hardware devices, MACs, guest addons, etc. (on a desktop OS) are a bit of a dead giveaway that you've just hit somebody's burner test machine (on server OSes, obviously, landing in a VM is perfectly plausible in production environments). I'm surprised that somebody doing security-related work wouldn't make a greater effort to conceal the fact that they are in a VM, to avoid the possibility of rousing the suspicion of a sophisticated attacker.
There's that subnet again. It keeps popping up in our investigations. Perhaps we need to have the authorities raid it and shut it down. That should clear up a huge nest of miscreants.
Have gnu, will travel.