Slashdot Mirror


Dissecting RSA's 'Watering Hole' Traffic Snippet

rye writes "Even the tiniest snippets of network traffic reveal a lot — not just about viruses and botnets, but also about the malware research lab setup inside corporations like RSA. Watch as Sherri Davidoff of LMG Security tears apart a teeny tiny snippet of gh0st RAT traffic released by RSA during their investigation of the VOHO 'watering hole' attack. Quoting: 'From just a few bits and bytes, we've learned that RSA's investigator was probably using Windows XP on a VMWare guest, which was assigned the IP address 192.168.0.106. The local router had a network card likely manufactured by 2Wire. We've also seen firsthand that the C2 channel traffic, which was masquerading as "HTTPS," was running over port 80, and confirmed the gh0st RAT's destination.'"
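As an added example (not code from the LMG write-up or RSA's investigation), the script below builds a constructed Ethernet/IPv4/TCP frame and pulls from it the same kinds of hints the summary describes: MAC OUI prefixes that point at a VMware guest and a 2Wire gateway, the IP TTL as a coarse OS-family hint, the guest's IP address, and whether a port-80 payload actually looks like HTTP, like a TLS record, or like gh0st RAT's default header. The OUI table entries, the sample addresses and the packet contents are assumptions made for the example.

```python
import struct

# OUI table for the example (assumed entries, not an authoritative registry)
OUI_VENDORS = {
    "00:0c:29": "VMware virtual NIC",
    "00:50:56": "VMware virtual NIC",
    "00:0d:72": "2Wire (consumer DSL gateway)",
}
# Default IP TTLs as a coarse OS-family hint (telling XP from other Windows needs more fields)
TTL_HINTS = {128: "Windows family", 64: "Linux/BSD/macOS family"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, ttl, payload):
    """Constructed Ethernet/IPv4/TCP frame for the example (checksums left zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def classify_payload(payload, dport):
    """Label what is really riding on the port, regardless of what the port number claims."""
    if payload.startswith(HTTP_METHODS):
        return "HTTP"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "TLS handshake record"
    if payload.startswith(b"Gh0st"):  # default gh0st RAT header magic; variants change it
        return "gh0st RAT (default magic)"
    return f"unrecognised binary on port {dport}"

def dissect(frame):
    """Extract the lab-setup hints from one frame: OUIs, TTL, addresses, port, app protocol."""
    src_mac, dst_mac = mac_str(frame[6:12]), mac_str(frame[0:6])
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    ttl = frame[14 + 8]
    src_ip = ".".join(map(str, frame[26:30]))
    dst_ip = ".".join(map(str, frame[30:34]))
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
    return {
        "src_ip": src_ip, "dst_ip": dst_ip, "dport": dport,
        "src_vendor": OUI_VENDORS.get(src_mac[:8], "unknown OUI"),
        "gateway_vendor": OUI_VENDORS.get(dst_mac[:8], "unknown OUI"),
        "os_hint": TTL_HINTS.get(ttl, "unknown"),
        "app": classify_payload(payload, dport),
    }

# Constructed sample: a lab guest talking to a C2 on port 80 with a gh0st-style header
SAMPLE = build_frame("00:0c:29:aa:bb:cc", "00:0d:72:11:22:33", "192.168.0.106",
                     "203.0.113.10", 1045, 80, 128, b"Gh0st" + struct.pack("<II", 13, 0))
if __name__ == "__main__":
    for key, value in dissect(SAMPLE).items():
        print(f"{key}: {value}")
```

Run on a real capture, the same fields show a defender what their own sandbox leaks to whoever is reading the C2 side of the connection.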

6 of 69 comments

  1. Re:The machine exists by some+old+guy · · Score: 5, Funny

    Being a VM, the machine both exists and doesn't exist.

    Entanglement theory proven!

    Beat that!

    --
    Scruting the inscrutable for over 50 years.
  2. Nope. by StripedCow · · Score: 3, Insightful

    The machine was just pretending to be a Windows XP machine running as a VMWare guest, etc.

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
    1. Re:Nope. by jeffmeden · · Score: 4, Insightful

      The machine was just pretending to be a Windows XP machine running as a VMWare guest, etc.

      I thought it was strange that a (presumably) prominent researcher wouldn't at least come up with a MAC address of a cheap embedded NIC for the honeypot. I mean, if I were a malware coder, that would be one of the first things to clue me in that [ackbar]it's a trap![/ackbar]. Who would run a completely defenseless Windows XP machine in a VM other than a white hat?

  3. Priceless by crazytrain86 · · Score: 5, Funny

    Wireshark - $0. Packet Capture - $0. Reading ability - $0. Publicity gained from slashdotting an article - Priceless

  4. Elementary my dear Watson by shikaisi · · Score: 5, Funny

    The Windows user was a short, balding man wearing a Harris tweed sports jacket, who had been married for a long time and had spent several years in India. He did not smoke, and drank only a little, but walked with a slight limp.

    --
    No left turn unstoned.
  5. I'm a trifle surprised... by fuzzyfuzzyfungus · · Score: 4, Interesting

    2Wire is a deeply unrenowned maker of painfully shitty integrated DSL modem/router arrangements of the sort that you get because your ISP hates you. So, a very odd thing to see on an actual corporate network; but a plausible thing to use if you are trying to duplicate a 'standard newb user' (or if your security testing environment, for security and verisimilitude, does actually have a bunch of consumer DSL lines set up).

    Any trace of VMware, on the other hand, is something of a dead giveaway of "Not a clueless home user". Maybe the install base of their Windows-on-Mac product is big enough these days; but VMware-related virtual hardware devices, MACs, guest addons, etc. (on a desktop OS) are a bit of a dead giveaway that you've just hit somebody's burner test machine (on server OSes, obviously, landing in a VM is perfectly plausible in production environments). I'm surprised that somebody doing security-related work wouldn't make a greater effort to conceal the fact that they are in a VM, to avoid the possibility of rousing the suspicion of a sophisticated attacker.