Slashdot Mirror


Dissecting RSA's 'Watering Hole' Traffic Snippet

rye writes "Even the tiniest snippets of network traffic reveal a lot — not just about viruses and botnets, but also about the malware research lab setup inside corporations like RSA. Watch as Sherri Davidoff of LMG Security tears apart a teeny tiny snippet of gh0st RAT traffic released by RSA during their investigation of the VOHO 'watering hole' attack. Quoting: 'From just a few bits and bytes, we've learned that RSA's investigator was probably using Windows XP on a VMware guest, which was assigned the IP address 192.168.0.106. The local router had a network card likely manufactured by 2Wire. We've also seen firsthand that the C2 channel traffic, which was masquerading as "HTTPS," was running over port 80, and confirmed the gh0st RAT's destination.'"
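As an added illustration (not code from the article or from LMG Security's write-up), this Python dissector pulls the same kinds of facts the summary lists out of a single constructed Ethernet/IPv4/TCP frame: the OUI vendor behind each MAC, the addresses, a TTL-based OS-family hint, and whether port 80 is carrying something other than an HTTP request. The 2Wire OUI prefix, the sample MACs and the 203.0.113.10 destination are assumptions built for the sample, not values from the RSA capture.

```python
import struct

# OUI (first three MAC bytes) -> vendor. The VMware prefixes are the well-known ones;
# the 2Wire prefix is an assumption here: check it against the IEEE OUI registry.
OUI_VENDORS = {b"\x00\x0c\x29": "VMware", b"\x00\x50\x56": "VMware",
               b"\x00\x05\x69": "VMware", b"\x00\x12\x88": "2Wire"}
TTL_HINTS = {128: "Windows", 64: "Linux/BSD/macOS"}   # default initial TTLs, coarse hint
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip4(dotted):
    return bytes(map(int, dotted.split(".")))

def dissect(frame):
    """Extract MAC vendors, addresses, a TTL-based OS hint and a port-80 sanity check."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    ip = frame[14:]
    if ethertype != 0x0800 or ip[9] != 6:
        raise ValueError("expected IPv4 over Ethernet carrying TCP")
    ihl, ttl = (ip[0] & 0x0F) * 4, ip[8]
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]          # skip the TCP header (data offset * 4)
    return {
        "src_mac": mac_str(src_mac), "src_vendor": OUI_VENDORS.get(src_mac[:3], "unknown"),
        "dst_mac": mac_str(dst_mac), "dst_vendor": OUI_VENDORS.get(dst_mac[:3], "unknown"),
        "src_ip": src_ip, "dst_ip": dst_ip, "ttl": ttl, "os_hint": TTL_HINTS.get(ttl, "unknown"),
        "dst_port": dport,
        # Port 80 carrying something that is not an HTTP request (TLS records, or a
        # binary C2 protocol) is the "HTTPS on port 80" oddity worth alerting on.
        "non_http_on_80": dport == 80 and not payload.startswith(HTTP_METHODS),
    }

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, ttl, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left zero; offline only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                         ttl, 6, 0, ip4(src_ip), ip4(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return struct.pack("!6s6sH", dst_mac, src_mac, 0x0800) + ip_hdr + tcp_hdr + payload

# Constructed sample (not the RSA capture): a VMware guest at 192.168.0.106 sending
# TLS-looking bytes to port 80 through a gateway whose MAC carries the assumed 2Wire OUI.
SAMPLE = build_frame(b"\x00\x0c\x29\x11\x22\x33", b"\x00\x12\x88\xaa\xbb\xcc",
                     "192.168.0.106", "203.0.113.10", 49152, 80, 128, b"\x16\x03\x01\x00\x2e\x01")
```

Run `dissect(SAMPLE)` to see the recovered facts; swap the payload for `b"GET / HTTP/1.1\r\n"` and the port-80 flag clears.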

3 of 69 comments

  1. Re:The machine exists by some old guy · Score: 5, Funny

    Being a VM, the machine both exists and doesn't exist.

    Entanglement theory proven!

    Beat that!

    --
    Scruting the inscrutable for over 50 years.
  2. Priceless by crazytrain86 · Score: 5, Funny

    Wireshark - $0. Packet Capture - $0. Reading ability - $0. Publicity gained from slashdotting an article - Priceless

  3. Elementary my dear Watson by shikaisi · Score: 5, Funny

    The Windows user was a short, balding man wearing a Harris tweed sports jacket, who had been married for a long time and had spent several years in India. He did not smoke, and drank only a little, but walked with a slight limp.

    --
    No left turn unstoned.