[Dailydave] Dshell versus INNUENDO

Dean Pierce pierce403 at gmail.com
Wed Feb 4 13:22:19 EST 2015


This has me curious about something.  I remember Alberto's INFILTRATE 2013
talk about using services like uni.me for these sorts of backchannels
(video here : http://infiltratecon.com/albertogarciaillera.html) but it
always seemed to me like using social networks instead has some clear
advantages.  Making it look like someone is just obsessively checking
reddit, or facebook (over SSL) seems like it would be much less suspicious
than giant wacky DNS queries.  Of course my experience in this field is
more theoretical than practical, and I wouldn't have brought it up if I
didn't fully comprehend how sophisticated INNUENDO is.  Some friends and I
demoed a PoC of a CNC backchannel over myspace back in 2007 at the first
Toorcon Seattle.  I've seen the idea pop up again multiple times since
then, but it never seems to have caught on.  I work in the product security
space at the moment rather than anti-malware/pro-malware, so maybe it's
really popular and I just haven't been paying close enough attention.

This leaves me with three possibilities:

1. "DNS still works fine, so why go to all the effort to make sneakier
backchannels?"
2. "Of course INNUENDO supports social network backchannels."
3. "Social network backchannels are a stupid idea and you don't know what
you're talking about."

My money is on #3, but I'm not sure why.  Maybe someone in dailydave land
might finally be able to explain this to me?  I can't imagine a better
audience for this sort of question.

  - DEAN
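The "giant wacky DNS queries" Dean contrasts with social-network traffic are exactly what network defenders hunt for. As an added illustration (not part of the original post or of any product it names), the following Python script runs the usual DNS-tunnelling heuristics over a handful of constructed resolver log lines: per-label length, per-label Shannon entropy, and the number of distinct subdomains one client sends under a single parent domain. The log format, the thresholds, the domain names and the hex labels are all assumptions made for this example; a real deployment would derive the parent domain from the public suffix list and tune thresholds against its own baseline.

```python
"""Heuristic detection of tunnelling-style DNS queries over constructed log lines.

Added example, not code from the mailing-list post. Log format, thresholds,
domains and the hex labels are assumptions; the labels are arbitrary and
carry no data.
"""
import math
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
2015-02-04T13:22:19Z 10.0.0.5 www.reddit.com A
2015-02-04T13:22:20Z 10.0.0.5 static.facebook.example A
2015-02-04T13:22:21Z 10.0.0.7 9f3a1c7e2b5d80466d2c4b0e8a1f3579.tun.example.net TXT
2015-02-04T13:22:22Z 10.0.0.7 ab01cd23ef4567897f6e5d4c3b2a1908.tun.example.net TXT
2015-02-04T13:22:23Z 10.0.0.7 f0e1d2c3b4a596870f1e2d3c4b5a6978.tun.example.net TXT
2015-02-04T13:22:24Z 10.0.0.7 13579bdf02468acefedcba9876543210.tun.example.net TXT
2015-02-04T13:22:25Z 10.0.0.5 mail.example.com MX
"""

MAX_LABEL_LEN = 24          # assumed: ordinary hostnames rarely exceed this per label
ENTROPY_THRESHOLD = 3.5     # assumed: bits/char; encoded payloads approach 4 or more
MIN_UNIQUE_SUBDOMAINS = 3   # assumed: distinct subdomains per client per parent domain


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname, parent_labels=2):
    """Split a query name into (list of subdomain labels, parent domain).

    Assumes the parent is the last two labels; production code would consult
    the public suffix list so that names under e.g. 'co.uk' are split correctly.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= parent_labels:
        return [], ".".join(labels)
    return labels[:-parent_labels], ".".join(labels[-parent_labels:])


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower(), "qtype": qtype})
    return records


def score_query(qname):
    """Return (longest_label_len, max_label_entropy, reasons) for one query name."""
    sub_labels, _parent = split_qname(qname)
    longest = max((len(label) for label in sub_labels), default=0)
    entropy = max((shannon_entropy(label) for label in sub_labels), default=0.0)
    reasons = []
    if longest > MAX_LABEL_LEN:
        reasons.append("long-label")
    if entropy > ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return longest, entropy, reasons


def analyze(text):
    """Run per-query and per-client heuristics over a log and return findings."""
    records = parse_log(text)
    flagged = []
    seen = defaultdict(set)  # (client, parent domain) -> distinct subdomains
    for r in records:
        sub_labels, parent = split_qname(r["qname"])
        if sub_labels:
            seen[(r["client"], parent)].add(".".join(sub_labels))
        longest, entropy, reasons = score_query(r["qname"])
        if reasons:
            flagged.append({"client": r["client"], "qname": r["qname"],
                            "longest_label": longest,
                            "entropy": round(entropy, 3), "reasons": reasons})
    noisy = sorted(
        (client, parent, len(subs)) for (client, parent), subs in seen.items()
        if len(subs) >= MIN_UNIQUE_SUBDOMAINS
    )
    return {"flagged_queries": flagged, "noisy_clients": noisy}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["flagged_queries"]:
        print(f"{f['client']} {f['qname']} len={f['longest_label']} "
              f"H={f['entropy']} {','.join(f['reasons'])}")
    for client, parent, n in result["noisy_clients"]:
        print(f"{client} sent {n} distinct subdomains under {parent}")
```

On the sample, only the four queries from 10.0.0.7 trip the per-query checks (32-character labels at exactly 4.0 bits per character), and the same host is the only one exceeding the distinct-subdomain count. The browsing-style lookups from 10.0.0.5 score as ordinary hostnames, which is the asymmetry the post is pointing at: a channel hidden inside legitimate-looking HTTPS sessions to a popular site leaves none of these name-level signals for a resolver log to catch.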