[Dailydave] IMAP C&C channels have some massive advantages for attackers and penetration testers

Dave Aitel dave at immunityinc.com
Fri Oct 10 11:05:06 EDT 2014


INNUENDO IMAP CHANNEL DIAGRAM IS HERE IN HTML EMAILS

One thing you know about the future of cyber security is that malware is
being used right now that is far more advanced than what you read about
in various exciting threat reports titled "NAVY PANDA" or "EXCITED BEAR"
or "TINY-MINI-FLAME 2.0.1.2.3 rc4 found!". There have been some almost
embarrassingly good results from people scanning the whole Internet for
FinFisher and other command and control setups after finding an
installation or demo copy of it.

But it's not true that malware analysis for "Indicators of Compromise"
or scanning for C&C endpoints will work to find the real setups being
used by even B-grade teams in the future. Likewise, a connection like
INNUENDO's new IMAP channel is hard to disrupt at the network layer
since so much of it is encrypted naturally by the transit providers, and
of course each campaign is going to use a different email provider.

This video shows the gritty and interesting details:
http://vimeo.com/108496757

Resources:
http://threatpost.com/rat-malware-communicating-via-yahoo-mail/107590
http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-uses-evernote-as-command-and-control-server/
http://researcher.watson.ibm.com/researcher/files/us-kapil/emailbotnet-dsn08.pdf

-dave
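The post does not describe INNUENDO's channel in any detail, so the following is an added illustration of the generic pattern it and the linked "RAT via Yahoo Mail" and email-botnet references share, not Immunity's code: operator and implant never connect to each other, both only speak IMAP to a mail provider, the operator appends tasking into a folder, the implant polls it and appends results back. The in-memory mailbox, folder names, header names, campaign key, handler table and the "WS-0142" output are all constructed for the example; with a real account the three mailbox operations map onto `imaplib.IMAP4_SSL.append`, `.search(None, 'UNSEEN', 'SUBJECT', ...)` and `.fetch(..., '(RFC822)')`. The HMAC on each message is there because a channel that a defender can locate (the mailbox credentials are in the implant) must still not let that defender hand the implant tasks.

```python
"""Toy IMAP-mediated C&C exchange (added example, not INNUENDO code).

Operator and implant each talk only to the mail provider.  FakeMailbox is an
offline stand-in for that provider; its methods mirror the IMAP verbs named
in the comments.  Messages are real RFC 5322 as built by the email package.
"""
import base64
import email
import hashlib
import hmac
import json
from email import policy
from email.message import EmailMessage
from typing import Optional

CAMPAIGN_KEY = b"per-campaign-shared-secret"  # assumption: baked in at build time
TASK_FOLDER = "Drafts"                        # assumption: tasking is parked in Drafts
RESULT_FOLDER = "Sent"                        # assumption: results go to Sent


class FakeMailbox:
    """Minimal IMAP account: folders of raw messages plus per-message \\Seen state."""

    def __init__(self):
        self.folders = {TASK_FOLDER: [], RESULT_FOLDER: []}
        self.seen = {TASK_FOLDER: set(), RESULT_FOLDER: set()}

    def append(self, folder, raw):          # ~ imap.append(folder, None, None, raw)
        self.folders[folder].append(raw)

    def search_unseen(self, folder, needle):  # ~ imap.search(None, 'UNSEEN', 'SUBJECT', needle)
        hits = []
        for i, raw in enumerate(self.folders[folder]):
            subj = email.message_from_bytes(raw, policy=policy.default)["Subject"] or ""
            if i not in self.seen[folder] and needle in subj:
                hits.append(i)
        return hits

    def fetch(self, folder, idx):           # ~ imap.fetch(idx, '(RFC822)'); sets \\Seen
        self.seen[folder].add(idx)
        return self.folders[folder][idx]


def _sign(body: bytes) -> str:
    return hmac.new(CAMPAIGN_KEY, body, hashlib.sha256).hexdigest()


def build_message(subject: str, payload: dict) -> bytes:
    """Wrap a JSON payload as a base64 text body, authenticated by a header HMAC."""
    body = base64.b64encode(json.dumps(payload, sort_keys=True).encode())
    msg = EmailMessage()
    msg["From"] = msg["To"] = "notes@example.invalid"   # constructed address
    msg["Subject"] = subject
    msg["X-Note-Tag"] = _sign(body)     # assumption: an innocuous-looking header carries the tag
    msg.set_content(body.decode("ascii"))
    return msg.as_bytes()


def parse_message(raw: bytes) -> Optional[dict]:
    """Return the payload only if the HMAC verifies; a forged or edited message yields None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_content().strip().encode("ascii")
    tag = str(msg["X-Note-Tag"] or "")
    if not hmac.compare_digest(tag, _sign(body)):
        return None
    return json.loads(base64.b64decode(body))


def operator_issue_task(mbox: FakeMailbox, task_id: int, command: str) -> None:
    """Operator side: park a tasking message in the mailbox."""
    mbox.append(TASK_FOLDER, build_message(f"task {task_id}", {"id": task_id, "cmd": command}))


def implant_poll(mbox: FakeMailbox, handlers: dict) -> list:
    """Implant side: fetch unseen tasking, run only known commands, post results."""
    done = []
    for idx in mbox.search_unseen(TASK_FOLDER, "task "):
        task = parse_message(mbox.fetch(TASK_FOLDER, idx))
        if task is None:                # bad HMAC: somebody else is writing to our mailbox
            continue
        handler = handlers.get(task["cmd"])
        out = handler() if handler else "unsupported"
        mbox.append(RESULT_FOLDER, build_message(f"result {task['id']}", {"id": task["id"], "out": out}))
        done.append(task["id"])
    return done


def operator_collect(mbox: FakeMailbox) -> dict:
    """Operator side: read back unseen results keyed by task id."""
    results = {}
    for idx in mbox.search_unseen(RESULT_FOLDER, "result "):
        res = parse_message(mbox.fetch(RESULT_FOLDER, idx))
        if res is not None:
            results[res["id"]] = res["out"]
    return results


def demo() -> dict:
    """One round trip, including a forged task the implant must drop."""
    mbox = FakeMailbox()
    handlers = {"hostname": lambda: "WS-0142"}   # constructed sample output
    operator_issue_task(mbox, 1, "hostname")
    operator_issue_task(mbox, 2, "screenshot")   # no handler, reported as unsupported
    forged = build_message("task 3", {"id": 3, "cmd": "hostname"})
    mbox.append(TASK_FOLDER, forged.replace(b"X-Note-Tag: ", b"X-Note-Tag: 00"))
    implant_poll(mbox, handlers)
    return operator_collect(mbox)


if __name__ == "__main__":
    print(demo())
```

Note what a network sensor sees here: TLS to a mail provider the whole organisation already talks to, one poll every so often, and bodies that are valid mail. The only durable hooks are on the host (a process that is not a mail client speaking IMAP, a Drafts folder that fills with base64 notes) and in the provider's own logs, which is the point the post is making about network-layer disruption.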

-------------- next part --------------
A non-text attachment was scrubbed...
Name: innuendo_imap_channel.png
Type: image/png
Size: 91123 bytes
Desc: not available
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20141010/4a694fff/attachment-0001.png>