Slashdot Mirror


Pawn Storm Group Makes Trend Micro IP Address a C&C Server

An anonymous reader writes: Following Trend Micro's disclosure of Russian hacking group Pawn Storm's 7-year campaign against military-industrial targets in and related to the United States, the security company has today announced that one of the IP addresses it owns has been 'designated' by the hackers as a C&C server for their spear-phishing scenario. The intent of the DNS record redirection, according to the company, is likely to be to convince others that it has been hacked (which it hasn't), or else to push one of its IP addresses into administrative blacklists.

45 comments

  1. who's fooling who by turkeydance · · Score: 1

    on YouTube as well

    1. Re:who's fooling who by im_thatoneguy · · Score: 1

We have a popular YouTube video which suddenly started getting gibberish comments on it. I'm pretty sure someone's using the comments section as a C&C server.

  2. Battle-Scarred Usenet Veteran by bmo · · Score: 1

    "C&C"

    I always read that as "coffee and cats."

    Pawn Storm Group Makes Trend Micro IP Address a Coffee and Cats Server

    YMMV.

    --
    BMO

    1. Re:Battle-Scarred Usenet Veteran by Anonymous Coward · · Score: 3, Insightful

      I read this as...

      Pawn Storm Group Makes Trend Micro IP Address a Command and Conquer server.

      Cool, which game client do they support?

    2. Re:Battle-Scarred Usenet Veteran by preacha · · Score: 0

      Mmmmm Tanya

    3. Re:Battle-Scarred Usenet Veteran by Anonymous Coward · · Score: 0

      I'm so glad I wasn't the only one who read it that way.

      Unit lost. Silos needed. Low Power. Reinforcements have arrived. REAL TOUGH GUY.

    4. Re:Battle-Scarred Usenet Veteran by Anonymous Coward · · Score: 0

      There is always a way in...

    5. Re:Battle-Scarred Usenet Veteran by Liinux · · Score: 1

      The story just above this one is "Paralyzed Man Hits the Streets of NYC In a New Exoskeleton", now I have "Mechanical Man" stuck in my head.

  3. Command and Conquer by viperidaenz · · Score: 5, Funny

    I thought they were hosting a game server for a minute.

    Command and control isn't as exciting.

    1. Re:Command and Conquer by GoodNewsJimDotCom · · Score: 0

Everyone talks about how badly Command and Conquer 3 was balanced. In that game there are no financial decisions or tiberium farming strategies like in C&C1. You build 95% medium tanks and so does your opponent, and win or lose. Next game? Build all medium tanks.

But I'm curious about C&C1. I was really good at it with my people at my university, but I'd be curious to see how it holds up if it was laddered. It's probably imbalanced really badly, but it is hard to be more imbalanced than C&C3 where you can build a single unit all game and be top 100 worldwide in ladder.

    2. Re:Command and Conquer by Anonymous Coward · · Score: 0

      Maybe play some OpenRA.

    3. Re:Command and Conquer by Anonymous Coward · · Score: 0

      C&C3 was best when building a line of power plants directly from your base into the enemy's was a viable strategy.

    4. Re:Command and Conquer by antdude · · Score: 1

      Well, Command & Control is real life. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

  4. Rick Harrison has a buddy.... by BenJeremy · · Score: 2

    So the Pawn Store is dealing with old RTS game servers?

    What?

    1. Re:Rick Harrison has a buddy.... by Anonymous Coward · · Score: 0

      Time to rock 'n roll.

    2. Re:Rick Harrison has a buddy.... by Joe_Dragon · · Score: 0

Well that is what they get for replacing their IT guy with an H-1B

and his buddy Marco Rubio wants to have massive increases in the number of H-1B guest-workers

    3. Re:Rick Harrison has a buddy.... by Anonymous Coward · · Score: 0

      I've got a present for ya!

  5. Since the summary is impenetrably obfuscated by qubezz · · Score: 5, Informative

    Here's the narrative:

- Trend Micro documented a 0-day Java exploit, leading to its patching http://blog.trendmicro.com/tre...

    - The hacking org Operation Pawn Storm that was using the exploit got all pissy, and redirected a domain that computers infected with their malware contact, pointed it to an IP address in Trend Micro.

    The domain names contacted for command and control instructions are usually randomly encoded and encrypted, and rotate on a regular basis. The crackers know what the next domain name to be used is, but they are hard to deduce from the binary. Infected systems will likely move on to contacting the next domain/ip looking for remote control instructions in hours/days.
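
The redirection qubezz describes, turned into resolver-side detection logic as an added example (not part of this post, the article, or any Trend Micro tooling): it runs over constructed DNS log lines, flags clients that looked up the C&C name rather than the answer address, and lists the legitimate names an IP-level block would take down with it. The C&C domain ausameetings.com and the Trend Micro address 216.104.20.189 are taken from comment 10 below; the log format, client addresses and timestamps are assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log lines for this example (not from the article or the
# thread). The C&C domain and the Trend Micro address are the ones quoted in
# comment 10; the client addresses, timestamps and format are made up.
SAMPLE_LOG = """\
2015-07-20T10:01:02Z client=10.0.0.5 query=ausameetings.com type=A answer=216.104.20.189
2015-07-20T10:01:09Z client=10.0.0.9 query=trendmicro.com type=A answer=216.104.20.189
2015-07-20T10:02:15Z client=10.0.0.5 query=example.org type=A answer=93.184.216.34
2015-07-20T10:03:40Z client=10.0.0.7 query=ausameetings.com type=A answer=216.104.20.189
"""

C2_DOMAINS = {"ausameetings.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) "
    r"type=(?P<qtype>\S+) answer=(?P<answer>\S+)$"
)


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].lower().rstrip(".")
            records.append(rec)
    return records


def find_c2_lookups(records, c2_domains):
    """Map each client that resolved a known C&C name to the names it asked for.
    Matching is on the queried name, so it still fires after the attackers
    re-point the record to some other address."""
    hits = defaultdict(set)
    for rec in records:
        if rec["qname"] in c2_domains:
            hits[rec["client"]].add(rec["qname"])
    return dict(hits)


def ip_block_collateral(records, c2_domains):
    """Benign names resolving to the same address as a C&C name: blocking by
    IP would cut these off, which is exactly what the redirect invites."""
    c2_ips = {r["answer"] for r in records if r["qname"] in c2_domains}
    return {r["qname"] for r in records
            if r["answer"] in c2_ips and r["qname"] not in c2_domains}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("clients querying C&C names:", find_c2_lookups(recs, C2_DOMAINS))
    print("names sharing the C&C IP:", ip_block_collateral(recs, C2_DOMAINS))
```
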

    1. Re:Since the summary is impenetrably obfuscated by gl4ss · · Score: 1

      microsoft security essentials has a more comprehensive detection library than trend micro and doesn't fuck up your hard disk access times.

      maybe pawn storm is trend micro. wouldn't surprise me.

      --
      world was created 5 seconds before this post as it is.

    2. Re:Since the summary is impenetrably obfuscated by Joshua+Fan · · Score: 1

Thank you for a thankless task. However, I think of pedantic /. summary authors as akin to trolls: the only way to combat them is to ignore them, so that they learn that if they make deciphering their stories a chore, no one will bother to try.

    3. Re:Since the summary is impenetrably obfuscated by Anonymous Coward · · Score: 1

      https://www.av-test.org/en/antivirus/home-windows/

      Sort by protection. Behold.

Are you sure about that? I'm a hardcore MSE user and I'm getting worried; unfortunately everything I've tried amounts to being overcomplicated. Avira was good, but it blocked all file I/O for 20 seconds on boot. Everything else either has a download.com or cnet.com download link and tries to install toolbars and other shit, or is non free.

I'd also like to add that on most of the virustotal samples I look through that get posted by various blogs and orgs like SANS, MSE is non-existent with protection, usually one of the last to have a virus definition added for a specific sample, if ever.

    4. Re:Since the summary is impenetrably obfuscated by wbr1 · · Score: 1

      Bitdefender Free FTW. Light, high catch rate. MSSE lets too much through now.

      --
      Silence is a state of mime.

    5. Re:Since the summary is impenetrably obfuscated by Anonymous Coward · · Score: 0

      I use avira, my boot time is less than 8 seconds. Next?

  6. Go! Spammers! by Anonymous Coward · · Score: 1

    Why wouldn't they also add Kaspersky, McAfee, Norton, AVG, Avira, etc to their next batch.

Fuck, why not add 74.125.21.* and 207.46.163.* to their C&C list. I wonder if the Google Air Force, or Microsoft have any atomic bombs to drop on Spamhaus?

  7. ISP? by Anonymous Coward · · Score: 0

    If trend micro really has not been hacked, how can they know that their ISP or an upstream provider has not been hacked in such a way that the attacker can use Trend Micro's IP address as a C&C server?

    1. Re:ISP? by Anonymous Coward · · Score: 2, Informative

      No, as a C&C server address in their bot, so as to send C&C traffic to a TrendMicro ip address in an attempt to get Spamhaus et al to add the /24 to the blocklist.

    2. Re:ISP? by mysidia · · Score: 1

      Seems like this is a great opportunity for Trend to sinkhole some traffic or capture the C and C traffic for analysis and to help with remediation efforts and notifying owners of networks with infected systems.

Said owners will then be endeared to Trend for helping them and possibly purchase Trend products or tell their friends about it, etc.

  8. DDOS? by Anonymous Coward · · Score: 0

    So is this supposed to be a DDOS attack on Trend Micro? Or are they planning on hacking Trend Micro and using their servers as actual C&C?

  9. Unjustifiable downmods? by Anonymous Coward · · Score: 0

    See subject: I post it again, you run dry of 'em - I win (no limits ac poster here)!

    * To quote one of my FAV. films lately on that note?

    "No scenario? I see every scenario. I see 50 scenarios. THAT'S WHAT IT DOES, KARL - it puts me 50 MOVES AHEAD OF YOU..." - Eddie Morra from LIMITLESS from -> https://www.youtube.com/watch?...

    APK

    P.S.=> So your single effete useless 'weapon' = moot (just like you, YOU limited weasel, lol):

    Unbelievable - I'm actually offering a decent solution vs. DNS redirect poisoning, unlike a SCUMBAG like the one downmodding my posts (which is fine - I always outsmart the dolt doing it anyhow as noted above)... apk

  10. How hosts defeat this easily in detail by Anonymous Coward · · Score: 0

    See subject - 1st enter trend's proper hostname to ip address resolution ala

    216.104.20.189 trendmicro.com

    THEN, block the redirect poisoned DNS entry of:

    0.0.0.0 ausameetings.com

    * It works to defeat this on BOTH fronts, easily...

    (Utterly NULLIFYING this threat, to resolve properly here vs. this threat, per data from the source article -> http://thestack.com/pawn-storm... )

    ---

    How to build the BEST hosts file possible with data from 10 reputable sources in the security community vs. threats of this nature + for more speed, reliability, & anonymity as well as security online?

    Hey, you know (by "yours truly", of course):

    APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...

    FREE & adds speed, security, + reliability, doing more with less, more efficiently vs. browser addons & locally installed DNS servers @ home + fixes DNS' redirect security issues - obtaining its data vs. online threats & adbanner blocking from 10 reputable sites in the security community!

    * :)

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    In its 32-bit model also https://www.virustotal.com/en/...

    ---

    "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"...

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    PERTINENT QUOTE/EXCERPT:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!

    (Accept NO substitutes!)

    ...apk

  11. How hosts defeat this easily in detail by Anonymous Coward · · Score: 0

    See subject - 1st enter trend's proper hostname to ip address resolution ala

    216.104.20.189 trendmicro.com

    THEN, block the redirect poisoned DNS entry of:

    0.0.0.0 ausameetings.com

    * It works to defeat this on BOTH fronts, easily...

    (Utterly NULLIFYING this threat, to resolve properly here vs. this threat, per data from the source article -> http://thestack.com/pawn-storm... )

    ---

    How to build the BEST hosts file possible with data from 10 reputable sources in the security community vs. threats of this nature + for more speed, reliability, & anonymity as well as security online?

    APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...

    FREE & adds speed, security, + reliability, doing more with less, more efficiently vs. browser addons & locally installed DNS servers @ home + fixes DNS' redirect security issues - obtaining its data vs. online threats & adbanner blocking from 10 reputable sites in the security community!

    * :)

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    In its 32-bit model also https://www.virustotal.com/en/...

    ---

    "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"...

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    PERTINENT QUOTE/EXCERPT:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!

    (Accept NO substitutes!)

    ...apk

  12. Re:Unjustifiable downmods? Ok... apk by Anonymous+Cow+Ward · · Score: 1

The downvotes are perfectly justifiable. Your rants are off-topic (although they haven't been marked as such; if I had mod points, I would). Add this to the fact that you (or another AC pretending to be you) stalk and harass people who disagree with you, and you really make people not want to buy your stuff.

    --
    Examine even your most deeply held beliefs. Nobody is always right.