<div dir="ltr"><div class="gmail_extra">Thanks for this post, Dave. I enjoyed reading it. </div><div class="gmail_extra"><br></div><div class="gmail_extra">Regarding the EQ Group leak, I think that there's a good case to be made that an insider or an ex-employee was responsible. I hope to have some reasons posted on why that is in the next few days.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Jeff Carr</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 17, 2016 at 9:00 AM, <span dir="ltr"><<a href="mailto:dailydave-request@lists.immunityinc.com" target="_blank">dailydave-request@lists.immunityinc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Dailydave mailing list submissions to<br>
<a href="mailto:dailydave@lists.immunityinc.com">dailydave@lists.immunityinc.<wbr>com</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/<wbr>mailman/listinfo/dailydave</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:dailydave-request@lists.immunityinc.com">dailydave-request@lists.<wbr>immunityinc.com</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:dailydave-owner@lists.immunityinc.com">dailydave-owner@lists.<wbr>immunityinc.com</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Dailydave digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Latency is a demogorgon (dave aitel)<br>
<br>
<br>
------------------------------<wbr>------------------------------<wbr>----------<br>
<br>
Message: 1<br>
Date: Wed, 17 Aug 2016 11:01:50 -0400<br>
From: dave aitel <<a href="mailto:dave@immunityinc.com">dave@immunityinc.com</a>><br>
To: "<a href="mailto:dailydave@lists.immunityinc.com">dailydave@lists.immunityinc.<wbr>com</a>"<br>
<<a href="mailto:dailydave@lists.immunityinc.com">dailydave@lists.immunityinc.<wbr>com</a>><br>
Subject: [Dailydave] Latency is a demogorgon<br>
Message-ID: <<a href="mailto:71567dae-6b09-6e93-472b-c5642f5baa76@immunityinc.com">71567dae-6b09-6e93-472b-<wbr>c5642f5baa76@immunityinc.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
<br>
<br>
So every remote access trojan framework has a high level interpreter<br>
built into it these days. It brings you back to something from that Zero<br>
Day movie (which we all watched drunk to make it bearable, admit it)<br>
where a Kaspersky analyst talked about Stuxnet being "Big but amazingly<br>
BUG FREE". Not having subtle bugs is something you can do much more<br>
easily in Python/Lua/Ruby/etc than in C/C++. There are other good<br>
reasons to have a high level language in your RAT system, but that is a<br>
major one.<br>
<br>
One of the other major reasons is that you can push complex logic to the<br>
endpoint that only lives there temporally. By complex logic, we mean<br>
full-on exploits. You can drive CANVAS's entire MSRPC libraries inside<br>
INNUENDO <<a href="https://immunityinc.com/products/innuendo/" rel="noreferrer" target="_blank">https://immunityinc.com/<wbr>products/innuendo/</a>>, without ever<br>
touching disk. And we often do (MSRPC is still important in the world<br>
even though the last good public bug was MS08-026).<br>
<br>
And this is a good reason to choose Python instead of Lua in your RAT.<br>
You're going to want to write your exploits in Python. You're going to<br>
want to run your exploits on the remote side - because of Latency.<br>
<br>
Latency is a funny thing. Inside all networking code is a hellish<br>
mishmash of timeouts, MTUs, retries, and buffers. That mishmash does<br>
Murphy-law-level chaotic things in the face of what you might consider<br>
very reasonable network conditions. Sat hops are one second latency<br>
bombs. Add a couple of those, and a bit of packet loss, and TCP breaks<br>
down in some hard to debug ways that will drive your exploits from<br>
"Working \o/" to "Not worky worky sadface". This is hard to emulate on<br>
VMWare or other software stacks for some reason.<br>
<br>
In any case, there are bad things about putting Python in your RAT, but<br>
one GOOD thing is that no soon-to-be-fired-for-extreme-<wbr>idiocy operator<br>
will ever upload an entire package to some random redirector box on the<br>
Internet to avoid latency issues.<br>
<br>
That said, I still lean towards HUMINT being a source for the EQGRP<br>
leak. It's kinda a happy battle between colossal stupidity and insane<br>
malice at this point?<br>
<br>
-dave<br>
<br>
TL;DR: <a href="https://twitter.com/itsDanielSuarez/status/764898078663012356" rel="noreferrer" target="_blank">https://twitter.com/<wbr>itsDanielSuarez/status/<wbr>764898078663012356</a><br>
<br>
<br>
<br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="https://lists.immunityinc.com/pipermail/dailydave/attachments/20160817/520a7d61/attachment-0001.html" rel="noreferrer" target="_blank">https://lists.immunityinc.<wbr>com/pipermail/dailydave/<wbr>attachments/20160817/520a7d61/<wbr>attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
______________________________<wbr>_________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.<wbr>com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/<wbr>mailman/listinfo/dailydave</a><br>
<br>
<br>
End of Dailydave Digest, Vol 57, Issue 8<br>
******************************<wbr>**********<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div style="font-family:arial;font-size:small">Jeffrey Carr (<a href="http://jeffreycarr.com" target="_blank">jeffreycarr.com</a>)</div><div style="font-family:arial;font-size:small">CEO, Taia Global, Inc. (<a href="http://taiaglobal.com/" style="color:rgb(17,85,204)" target="_blank">taiaglobal.com</a>)</div><div style="font-family:arial;font-size:small">Founder, Suits and Spooks (<a href="http://suitsandspooks.com/" style="color:rgb(17,85,204)" target="_blank">suitsandspooks.com</a>)</div><div style="font-family:arial;font-size:small">Author, "Inside Cyber Warfare: Mapping the Cyber Underworld" (O'Reilly Media, 2009, 2011)</div><br><br>THE CONTENTS OF THIS EMAIL ARE FOR THE RECIPIENT'S EYES ONLY AND MAY NOT BE DUPLICATED OR DISTRIBUTED WITHOUT PRIOR PERMISSION.</div></div></div></div>
</div></div>