Monday, November 07, 2005

Websense ToorCon Presentation

Thanks to a comment from Shahid for pointing me to the WebSense Security Labs presentation The Web Vector: Exploiting Human and Browser Vulnerabilities (.pdf). I think the most interesting part of the briefing is the introduction of Web-based bot net command and control. Because organizations are locking down outbound IRC, bot net controllers are using HTTP as a replacement protocol. If anyone has any experience with this sort of traffic, I would be interested in hearing from you.

5 comments:

Adam said...

Hey Richard, there was a malware analysis challenge by honeynet.org not too long ago where the subject was a backdoor controlled via HTTP.

http://www.honeynet.org/scans/scan32/

BTW congrats on Extrusion Detection. I've had it pre-ordered for a while now and can't wait to start reading it! :)

Richard Bejtlich said...

Thanks Adam!

John Ward said...

I am actually suprised we havn't seen more of this sort of thing in the wild, especially with the increased availability and encapsulation of SOAP libraries. Although I have no direct experience with this, in theory it really wouldn't take much to have a central Apache server acting as a bot controller and have the client machines poll for commands using SOAP calls. Its even possible to use specially crafted session and cookie variables (yeah yeah, that whole cookie paranoia of the late 90's) to communicate, and have the server return commands with to the bot with specially crafted HTML tags or steganography images. To a network security analyst, this would look like benign HTTP requests returning HTML and very difficult to detect. This is of course assuming that something like this is not already out there.

By the way, the SoTM challenges are great sources of info, I love those things :)

Russell Fulton said...

There is a very simple reason why people have not yet seriously started using more sophisticated methods of protecting their bot net traffic. At the moment the cost of doing so is still higher than the payoff. IRC works, it is simple. As soon as IRC starts causing the botnet ops trouble then they will switch to some new technology.

It is in the bot net operators interest to use each technology for as long as possible and to use the minimum amount of technology to get the job done. This is because it takes us (the white hats) time to adapt our defences to each new ploy so the best offensive stategy is to slowly change your methods which forces the defender to spend much more time and energy in a continuous process of adaptation.

This is exactly what spammers do.

If they were to play all their tricks at once then we would take 6 months to to figure out how to defeat the new system but doled out one step at at time these tricks will last for years.

Angela said...
This comment has been removed by a blog administrator.