Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pawn Storm Group Makes Trend Micro IP Address a C&C Server

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes: Following Trend Micro's disclosure of Russian hacking group Pawn Storm's 7-year campaign against military-industrial targets in and related to the United States, the security company has today announced that one of the IP addresses it owns has been 'designated' by the hackers as a C&C server for their spear-phishing scenario. The intent of the DNS record redirection, according to the company, is likely to be to convince others that it has been hacked (which it hasn't), or else to push one of its IP addresses into administrative blacklists.

17 of 45 comments (clear)

  1. who's fooling who by turkeydance · · Score: 1

    on YouTube as well

    1. Re:who's fooling who by im_thatoneguy · · Score: 1

      We have a popular YouTube video which suddenly started getting jibberish comments on it. I'm pretty sure someone's using the comments section as a C&C server.

  2. Battle-Scarred Usenet Veteran by bmo · · Score: 1

    "C&C"

    I always read that as "coffee and cats."

    Pawn Storm Group Makes Trend Micro IP Address a Coffee and Cats Server

    YMMV.

    --
    BMO

    1. Re:Battle-Scarred Usenet Veteran by Anonymous Coward · · Score: 3, Insightful

      I read this as...

      Pawn Storm Group Makes Trend Micro IP Address a Command and Conquer server.

      Cool, which game client do they support?

    2. Re:Battle-Scarred Usenet Veteran by Liinux · · Score: 1

      The story just above this one is "Paralyzed Man Hits the Streets of NYC In a New Exoskeleton", now I have "Mechanical Man" stuck in my head.

  3. Command and Conquer by viperidaenz · · Score: 5, Funny

    I thought they were hosting a game server for a minute.

    Command and control isn't as exciting.

    1. Re:Command and Conquer by antdude · · Score: 1

      Well, Command & Control is real life. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  4. Rick Harrison has a buddy.... by BenJeremy · · Score: 2

    So the Pawn Store is dealing with old RTS game servers?

    What?

  5. Since the summary is impenetrably obfuscated by qubezz · · Score: 5, Informative

    Here's the narrative:

    - Trend Micro documented a 0-day Java exploit, leading to it's patching http://blog.trendmicro.com/tre...

    - The hacking org Operation Pawn Storm that was using the exploit got all pissy, and redirected a domain that computers infected with their malware contact, pointed it to an IP address in Trend Micro.

    The domain names contacted for command and control instructions are usually randomly encoded and encrypted, and rotate on a regular basis. The crackers know what the next domain name to be used is, but they are hard to deduce from the binary. Infected systems will likely move on to contacting the next domain/ip looking for remote control instructions in hours/days.

    1. Re:Since the summary is impenetrably obfuscated by gl4ss · · Score: 1

      microsoft security essentials has a more comprehensive detection library than trend micro and doesn't fuck up your hard disk access times.

      maybe pawn storm is trend micro. wouldn't surprise me.

      --
      world was created 5 seconds before this post as it is.
    2. Re:Since the summary is impenetrably obfuscated by Joshua+Fan · · Score: 1

      Thank you for a thankless task. However, I think of pedantic /. summary authors as liking to trolls: the only way to combat them is to ignore them, so that they learn that if they make deciphering their stories a chore, no one will bother to try.

    3. Re:Since the summary is impenetrably obfuscated by Anonymous Coward · · Score: 1

      https://www.av-test.org/en/antivirus/home-windows/

      Sort by protection. Behold.

      Are you sure about that? I'm a hardcore MSE user and I'm getting worried, unfortunetely everything I've tried amounts to being overcomplicated. Avira was good, but it blocked all file I/O for 20 seconds on boot. Everything else either has a download.com or cnet.com download link and tries to install toolbars and other shit, or is non free.

      Also like to add that on most of the virustotal samples I look through that get posted by various blogs and orgs like SANS, MSE is non existent with protection, usually one of the last to have a virus definition added for a specific sample, if ever.

    4. Re:Since the summary is impenetrably obfuscated by wbr1 · · Score: 1

      Bitdefender Free FTW. Light, high catch rate. MSSE lets too much through now.

      --
      Silence is a state of mime.
  6. Go! Spammers! by Anonymous Coward · · Score: 1

    Why wouldn't they also add Kaspersky, McAfee, Norton, AVG, Avira, etc to their next batch.

    Fuck, why not add 74.125.21.* and 207.46.163.* to thei C&C list. I wonder if the Google Air Force, or Microsoft have any atomic bombs to drop on Spamhaus?

  7. Re:ISP? by Anonymous Coward · · Score: 2, Informative

    No, as a C&C server address in their bot, so as to send C&C traffic to a TrendMicro ip address in an attempt to get Spamhaus et al to add the /24 to the blocklist.

  8. Re:ISP? by mysidia · · Score: 1

    Seems like this is a great opportunity for Trend to sinkhole some traffic or capture the C and C traffic for analysis and to help with remediation efforts and notifying owners of networks with infected systems.

    Said owners will then be endeared to Trend for helping them and possibly purchase Trend products or tell their friends about it etc

  9. Re:Unjustifiable downmods? Ok... apk by Anonymous+Cow+Ward · · Score: 1

    The downvotes are perfectly justifiable. Your rants are off-topic (although haven't been marked as such; if I had mod points, I would). Add this to the fact that you (or another AC pretending to be you) stalks and harasses people who disagree with you, and you really make people not want to buy your stuff.

    --
    Examine even your most deeply held beliefs. Nobody is always right.