[Dailydave] Dshell versus INNUENDO

Kyle Creyts kyle.creyts at gmail.com
Thu Feb 5 21:19:51 EST 2015


Not explicitly #3, but social-based mechanisms can run into a few
troubles, depending on the environment in which it is deployed:
a) policy-based proxy blocking (twitter? that's not a business-needs site!)
b) behavioral/anomaly-based proxy blocking (your user never used to go
to $social_network, and now you periodically check in! and push many
many many messages!? anomaly! probably badness!) (there are probably
ways to break this up, like posting images into which you encode
exfil'd data, and varying the check-in frequency) (I've only
encountered this in the wild a very small number of times. Twice?)

...of course these are probably more "edge cases" than primary reasons
not to use social platforms for C2. But because these cases exist, it
is nice to have nifty C2 mechanisms like DNS TXT which may bypass some
logging, passive DNS collection, blocking controls, sinkholing, or
otherwise be able to circumvent various other tools defenders might
use to catch your tool.


On Wed, Feb 4, 2015 at 10:22 AM, Dean Pierce <pierce403 at gmail.com> wrote:
> This has me curious about something.  I remember Alberto's INFILTRATE 2013
> talk about using services like uni.me for these sorts of backchannels (video
> here : http://infiltratecon.com/albertogarciaillera.html) but it always
> seemed to me like using social networks instead has some clear advantages.
> Making it look like someone is just obsessively checking reddit, or facebook
> (over SSL) seems like it would be much less suspicious than giant wacky DNS
> queries.  Of course my experience in this field is more theoretical than
> practical, and I wouldn't have brought it up if I didn't fully comprehend how
> sophisticated INNUENDO is.  Some friends and I demoed a PoC of a CNC
> backchannel over myspace back in 2007 at the first Toorcon Seattle.  I've
> seen the idea pop up again multiple times since then, but it never seems to
> have caught on.  I work in the product security space at the moment rather
> than anti-malware/pro-malware, so maybe it's really popular and I just
> haven't been paying close enough attention.
>
> This leaves me with three possibilities:
>
> 1. "DNS still works fine, so why go to all the effort to make sneakier
> backchannels?"
> 2. "Of course INNUENDO supports social network backchannels."
> 3. "Social network backchannels are a stupid idea and you don't know what
> you're talking about."
>
> My money is on #3, but I'm not sure why.  Maybe someone in dailydave land
> might finally be able to explain this to me?  I can't imagine a better
> audience for this sort of question.
>
>   - DEAN
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>



-- 
Kyle Creyts

Information Assurance Professional
Founder BSidesDetroit
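Kyle's point (b) above describes a behavioural proxy control: a user who never visited a site suddenly starts checking in on a timer. As an added example, not code from either poster or from INNUENDO, here is a defender-side sketch of that check run over constructed proxy log lines; the log format, the hostnames and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log excerpt (not from the list post): "<ISO timestamp> <user> <host> <method>".
# alice starts a 5-minute beat to a never-seen host; bob's host is in his baseline; carol browses a new host irregularly.
SAMPLE_LOG = """\
2015-02-04T09:30:00 alice news.example.com GET
2015-02-04T11:00:00 bob news.example.com GET
2015-02-05T10:00:00 alice social.example.net POST
2015-02-05T10:05:00 alice social.example.net POST
2015-02-05T10:10:00 alice social.example.net POST
2015-02-05T10:15:00 alice social.example.net POST
2015-02-05T10:02:00 bob news.example.com GET
2015-02-05T09:00:00 carol blog.example.org GET
2015-02-05T09:03:00 carol blog.example.org GET
2015-02-05T09:45:00 carol blog.example.org GET
2015-02-05T11:30:00 carol blog.example.org GET
"""

def parse(text):
    """Turn log lines into (timestamp, user, host, method) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4:
            events.append((datetime.fromisoformat(f[0]), f[1], f[2], f[3]))
    return events

def find_checkins(events, cutoff, min_hits=4, max_cv=0.25):
    """Flag (user, host) pairs first seen after `cutoff` (ISO string) whose requests
    arrive at a steady beat: cv = stdev/mean of inter-arrival gaps, near 0 for a timer."""
    cutoff = datetime.fromisoformat(cutoff)
    seen_before, recent = defaultdict(set), defaultdict(list)
    for ts, user, host, _ in events:
        if ts < cutoff:
            seen_before[user].add(host)  # per-user baseline of known destinations
        else:
            recent[(user, host)].append(ts)
    hits = []
    for (user, host), stamps in recent.items():
        if host in seen_before[user] or len(stamps) < max(min_hits, 2):
            continue  # known destination for this user, or too few requests to judge
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        if cv <= max_cv:
            hits.append((user, host, len(stamps), round(mean(gaps))))
    return hits
```

Raising `max_cv` trades missed jittered check-ins for more false positives on ordinary browsing, which is why Kyle notes that varying the check-in frequency degrades this kind of control.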

