[Dailydave] Better living through state machines

Dave Aitel dave at immunityinc.com
Tue Nov 19 11:55:25 EST 2013


So when writing remote access tools like INNUENDO, you have to throw
out all the parts of your brain that try to do normal RPC ("remote
procedure call").

For example, I just wrote a module (yes, I can still write code, sorta),
which sits on the client taking screengrabs every ten seconds. If the
screengrab is 10% different from the last one, it stores it into a list
(which has a maximum size of 100 images to avoid filling all of RAM;
images are compressed but still largish). Then when the command comes in
to pull the list down, it serializes it, encrypts it to the server using
RSA (to annoy incident response people doing memory forensics) and
stores it in the data store (which can be disk, registry, memory, etc.).
Then it gets trickled up to the server using INNUENDO's weird data
transfer protocol and displayed to the user on request.

The end result is that you can see a sample of everything the user did
during the day, which is pretty awesome if that user is editing
interesting documents.

The downside is that while your brain is thinking "STREAMING IMAGES",
this has to become "Start, Stop, Query, Collect". And this is true for
almost all operations that are ongoing.

In other words, people think of doing things with trojans like moving
their arms. I make the request, it moves. But modern trojans are more
like dealing with children. You make the request, you make the request
again, it maybe moves, it moves, it maybe tells you it moves, it maybe
tells you it already moved, so stop yelling at it!

But deep down, if your trojan still supports port forwarding then you are
failing.

-dave
(reminder, we have a talk coming up at INFILTRATE
<http://www.infiltratecon.com/> about this. Tickets on sale now!)