<div dir="ltr"><div>A fun question to ask is, <i>"why wasn't that Cisco ASA remote patched?"</i></div><div><i><br></i></div><div>Because EQGRP didn't tell Cisco about it, duh.</div><div><br></div><div>But, wait, if you're EQ and suddenly a bunch of your vulns are in the wind, you're bloody well going to rethink the equities there, right? Especially knowing that an adversary was suddenly in possession of a bunch of your unpatched vulnerabilities...</div><div><br></div><div>Unless, of course, you didn't know.</div><div><br></div><div>pty</div><div><br></div><div>(Alternative explanations: 1. the vuln just got lost in the bureaucracy; 2. meh, it's just a persistence bug, and notifying the vendor would be a tell; 3. some bugs get disclosed, some bugs don't, and, say, an inquiring mind might discern a thing or two about the equities process by reviewing which ones got patched, and when, and which ones didn't.)<br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 17, 2016 at 8:01 AM, dave aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p><br>
</p>
<p><br>
</p>
<p>So every remote access trojan framework has a high level
interpreter built into it these days. It brings you back to
something from that Zero Day movie (which we all watched drunk to
make it bearable, admit it) where a Kaspersky analyst talked about
Stuxnet being "Big but amazingly BUG FREE". Not having subtle bugs
is something you can do much more easily in Python/Lua/Ruby/etc
than in C/C++. There are other good reasons to have a high level
language in your RAT system, but that is a major one.</p>
<p>One of the other major reasons is that you can push complex logic
to the endpoint that only lives there temporally. By complex
logic, we mean full-on exploits. You can drive CANVAS's entire
MSRPC libraries inside <a href="https://immunityinc.com/products/innuendo/" target="_blank">INNUENDO</a>,
without ever touching disk. And we often do (MSRPC is still
important in the world even though the last good public bug was
MS08-026). <br>
</p>
<p>And this is a good reason to choose Python instead of Lua in your
RAT. You're going to want to write your exploits in Python. You're
going to want to run your exploits on the remote side - because of
Latency.</p>
<p>Latency is a funny thing. Inside all networking code is a hellish
mishmash of timeouts, MTUs, retries, and buffers. That mishmash
does Murphy-law-level chaotic things in the face of what you might
consider very reasonable network conditions. Sat hops are one
second latency bombs. Add a couple of those, and a bit of packet
loss, and TCP breaks down in some hard to debug ways that will
drive your exploits from "Working \o/" to "Not worky worky
sadface". This is hard to emulate on VMWare or other software
stacks for some reason. <br>
</p>
<p>In any case, there are bad things about putting Python in your
RAT, but one GOOD thing is that no
soon-to-be-fired-for-extreme-<wbr>idiocy operator will ever upload an
entire package to some random redirector box on the Internet to
avoid latency issues. <br>
</p>
<p>That said, I still lean towards HUMINT being a source for the
EQGRP leak. It's kinda a happy battle between colossal stupidity
and insane malice at this point?<br>
</p>
<p>-dave</p>
<p>TL;DR: <a href="https://twitter.com/itsDanielSuarez/status/764898078663012356" target="_blank">https://twitter.com/<wbr>itsDanielSuarez/status/<wbr>764898078663012356</a></p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
</div>
<br>______________________________<wbr>_________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.<wbr>com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/<wbr>mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>