Dissecting RSA's 'Watering Hole' Traffic Snippet 69

Posted by Soulskill
from the you-can-tell-by-the-bits dept.
rye writes "Even the tiniest snippets of network traffic reveal a lot — not just about viruses and botnets, but also about the malware research lab setup inside corporations like RSA. Watch as Sherri Davidoff of LMG Security tears apart a teeny tiny snippet of gh0st RAT traffic released by RSA during their investigation of the VOHO 'watering hole' attack. Quoting: 'From just a few bits and bytes, we've learned that RSA's investigator was probably using Windows XP on a VMWare guest, which was assigned the IP address 192.168.0.106. The local router had a network card likely manufactured by 2Wire. We've also seen firsthand that the C2 channel traffic, which was masquerading as "HTTPS," was running over port 80, and confirmed the gh0st RAT's destination.'"
  • So what (Score:3, Funny)

    by Rosco P. Coltrane (209368) on Wednesday May 08, 2013 @05:17AM (#43663183)

    From just one bit of traffic snippet, I can predict that the machine has networking capabilities. Beat that!

  • by Anonymous Coward

    I was expecting a bit more than disassembling packets.

  • Nope. (Score:4, Insightful)

    by StripedCow (776465) on Wednesday May 08, 2013 @06:32AM (#43663441)

    The machine was just pretending to be a Windows XP machine running as a VMWare guest, etc.

    • by Sockatume (732728)

      It's a virtual machine, I'd be terribly surprised if it somehow became an actual physical Windows XP box connected to the network.

    • Re:Nope. (Score:5, Insightful)

      by jeffmeden (135043) on Wednesday May 08, 2013 @09:42AM (#43664459) Homepage Journal

      The machine was just pretending to be a Windows XP machine running as a VMWare guest, etc.

      I thought it was strange that a (presumably) prominent researcher wouldn't at least come up with a MAC address of a cheap embedded NIC for the honeypot. I mean, if I were a malware coder that would be one of the first things to clue me in that [ackbar]it's a trap![/ackbar]. Who would run a completely defenseless Windows XP machine in a VM other than a white hat?

  • Priceless (Score:5, Funny)

    by crazytrain86 (1787660) on Wednesday May 08, 2013 @06:33AM (#43663443)
    Wireshark - $0. Packet Capture - $0. Reading ability - $0. Publicity gained from slashdotting an article - Priceless
  • by Lumpy (12016) on Wednesday May 08, 2013 @06:43AM (#43663459) Homepage

    The 2Wire card is probably on a desktop computer hosting the VMware; she calls it a gateway, and the VM is actually using the host's network card as a gateway.

    2Wire has only two options for cards: USB and PCI. USB in a laptop is somewhat unlikely as most laptops have wireless built in, so I'm looking at a desktop with a higher probability.

    VMware means it's also from a company or someone with money. Otherwise it would have been running under VirtualBox or another free VM.

    There is still a lot of data that can be extracted from that snippet by doing a little research.

    • by citizenr (871508)

      Data in article was straight from packets, your conjecture is just an ass_umption you pulled out of your ass.
      People pirate VMWare, macs are randomly generated.

      • by Lumpy (12016)

        Yet you lose all your credibility by being an asshole. Want to try again but after you take your meds?

        • by citizenr (871508)

          You are right, I'm sorry. I get really agitated when someone commits fallacy of the converse.

      • by jeffmeden (135043)

        Data in article was straight from packets, your conjecture is just an ass_umption you pulled out of your ass.
        People pirate VMWare, macs are randomly generated.

        Pirate VMware? ESXi hypervisor can be had for *free* and a version of it (current or past, all are stable) can run on just about any hardware, even a cheap $300 homebuilt test box. The question is, was the XP pirated or was it showing a "your computer is at risk!!!" screen?

      • From VMWare documentation [vmware.com]

        The first three bytes of the MAC address that is generated for each virtual network adapter consists of the OUI. The MAC address-generation algorithm produces the other three bytes.

        Unless you manually pick a MAC address, you're going to end up with a MAC that identifies as VMware, every time.

        Grats on being both a jerk AND wrong; it's really a potent combination.
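The summary at the top of the thread and the VMware documentation quoted above both rest on the same mechanics: reading the vendor OUI out of the first three MAC bytes, the TTL and SYN window out of the IP/TCP headers, and the real destination port regardless of what the payload pretends to be. The Python below is an added example, not code from the article, LMG Security or RSA: it parses a constructed Ethernet/IPv4/TCP SYN frame and applies those heuristics. The VMware OUIs are the real registered ones; the router OUI is a placeholder (look the real vendor up in the IEEE registry), and the Windows XP rule is a rough p0f-style signature, not a proof.

```python
import struct

# VMware's registered OUIs. Per VMware's docs, an auto-generated guest MAC
# always starts with one of these unless the MAC was set by hand.
VMWARE_OUIS = {"00:50:56", "00:0c:29", "00:05:69", "00:1c:14"}
# PLACEHOLDER OUI for the router vendor; replace with the IEEE-registered one.
ROUTER_OUIS = {"00:1d:0f": "router-vendor-placeholder"}

# Constructed frame (NOT the RSA capture): VMware-OUI host 192.168.0.106
# sends a TCP SYN to 203.0.113.5:80 with TTL 128 and a 65535 window.
SAMPLE_FRAME = bytes.fromhex(
    "001d0faabbcc" "000c29112233" "0800"                    # Ethernet hdr
    "4500003012340000" "80060000" "c0a8006a" "cb007105"     # IPv4 hdr
    "0c000050" "00000001" "00000000" "7002ffff" "00000000"  # TCP hdr
    "020405b401010402"                                      # MSS,NOP,NOP,SACK
)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Return the header fields a fingerprint is built from."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 handled")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError("only TCP handled")
    tcp = ip[ihl:]
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    return {"src_mac": mac(src), "dst_mac": mac(dst), "ttl": ttl,
            "src_ip": ".".join(map(str, ip[12:16])),
            "dst_ip": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "window": window,
            "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10)}

def fingerprint(f):
    """Heuristic inferences of the kind the article draws; hints, not proof."""
    notes = []
    if f["src_mac"][:8] in VMWARE_OUIS:
        notes.append("vm-guest")            # source NIC is a VMware virtual adapter
    if f["dst_mac"][:8] in ROUTER_OUIS:
        notes.append("router:" + ROUTER_OUIS[f["dst_mac"][:8]])
    if f["syn"] and not f["ack"] and f["ttl"] == 128 and f["window"] == 65535:
        notes.append("os:windows-xp-like")  # initial TTL 128 + 64 KiB SYN window
    if f["dport"] == 80:
        notes.append("c2:port-80")          # port 80, whatever the payload claims
    return notes
```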

  • by shikaisi (1816846) on Wednesday May 08, 2013 @06:57AM (#43663513)
    The Windows user was a short, balding man wearing a Harris tweed sports jacket, who had been married for a long time and had spent several years in India. He did not smoke, and drank only a little, but walked with a slight limp.
    • We can narrow the search a bit further. My crack team of forensic consultants have discovered that his mother was a snow blower, and his father reeked of elderberries.

      • by Anonymous Coward

        Thought the mother was a hamster?

  • People don't realize what they send in packets. When I was in school we used to have a networking class where we had to examine packets for information. During one class we left a sniffer running on the school network just capturing packets; after a few hours we had a list of credit cards from students and profs, we had login names and passwords, we had the distribution of Linux, Mac and Windows computers on the network and more. Now we threw the information away and deleted the file but what was sad was th
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Was that before HTTPS was big and popular?

    • by ledow (319597)

      Any idiot typing in their credit card number on an unencrypted connection? Well, they deserve what they get, basically. Even my dad is paranoid about the little yellow padlock and he's only just graduated to two-finger typing (two index fingers, mind you, but it's an improvement!). Hell, he phoned me up one day because he was buying something and the site had a GREEN padlock icon. Gosh. But he had the brains to stop, think, and check in before he typed ANYTHING in.

      Pre-HTTPS, which is a long while ago,

      • by Murdoch5 (1563847)
        I agree with you for the most part, but what about students at a school? The sad fact is that most school networking / IT staff really don't understand security and the schools are too cheap to hire anyone with the proper papers to build in the security needed. Well, most / some people will look for the "lock" in the corner or will make sure the address says "https" not "http"; many people won't. Most have no reservation about whipping out the credit card and making a purchase.
  • by fuzzyfuzzyfungus (1223518) on Wednesday May 08, 2013 @09:00AM (#43664093) Journal

    2Wire is a deeply unrenowned maker of painfully shitty integrated DSL modem/router arrangements of the sort that you get because your ISP hates you. So, a very odd thing to see on an actual corporate network; but a plausible thing to use if you are trying to duplicate a 'standard newb user' (or if your security testing environment, for security and verisimilitude, does actually have a bunch of consumer DSL lines set up).

    Any trace of VMware, on the other hand, is something of a dead giveaway of "Not a clueless home user". Maybe the install base of their Windows-on-Mac product is big enough these days; but VMware-related virtual hardware devices, MACs, guest addons, etc. (on a desktop OS) are a bit of a dead giveaway that you've just hit somebody's burner test machine (on server OSes, obviously, landing in a VM is perfectly plausible in production environments). I'm surprised that somebody doing security-related work wouldn't make a greater effort to conceal the fact that they are in a VM, to avoid the possibility of rousing the suspicion of a sophisticated attacker.

    • by jeffmeden (135043)

      2Wire is a deeply unrenowned maker of painfully shitty integrated DSL modem/router arrangements of the sort that you get because your ISP hates you. So, a very odd thing to see on an actual corporate network; but a plausible thing to use if you are trying to duplicate a 'standard newb user' (or if your security testing environment, for security and verisimilitude, does actually have a bunch of consumer DSL lines set up).

      Any trace of VMware, on the other hand, is something of a dead giveaway of "Not a clueless home user". Maybe the install base of their Windows-on-Mac product is big enough these days; but VMware-related virtual hardware devices, MACs, guest addons, etc. (on a desktop OS) are a bit of a dead giveaway that you've just hit somebody's burner test machine (on server OSes, obviously, landing in a VM is perfectly plausible in production environments). I'm surprised that somebody doing security-related work wouldn't make a greater effort to conceal the fact that they are in a VM, to avoid the possibility of rousing the suspicion of a sophisticated attacker.

      It smacks more of the boss saying "hell no you can't honeypot on our network" and the next best thing being to order a cheap DSL connection, have it delivered to the office, and then plug it into a set of otherwise isolated test boxes for the duration of the experiment. That, or someone working from a machine on their home lab. It's just not plausible that they reset the router MAC and not reset the host MAC.

      • Oh, buying a cheapie residential DSL line for security testing seems totally sensible. I'm just a touch surprised that somebody honeypotting for possibly-sophisticated attackers wouldn't conceal the fact that they are using a burner VM, as well as not using a network connection associated with a well-known security firm.

    • by pnutjam (523990)
      I like that, 2Wire is proof that your ISP hates you.
  • by Anonymous Coward

    For my next trick, I will guess this man's name, address, and electricity provider from nothing more than a copy of his electric bill I took from his mailbox! And without even opening the envelope!!

    What a non story...

  • ... who always thinks RSA is South Africa at first? It really had me for a minute with the "watering hole" thing. First thing I think of is a muddy pond surrounded by hyenas and giraffes and such...
  • by Anonymous Coward

    Editors, you continue to impress me with your ever steepening spiral of buzzword-laden, information-starved stupidity, and baseless drivel.

    At least post stories which are fantastical, nebulous, or humorously false.

    I understand that everybody who comes here does not possess a basic understanding of cutting edge topics like what a packet header is, but the existence of such things is not news, and reporting as such makes you look like an imbecile one grade beyond the typical "I don't know the difference betwe

  • by PPH (736903) on Wednesday May 08, 2013 @11:07AM (#43665193)

    There's that subnet again. It keeps popping up in our investigations. Perhaps we need to have the authorities raid it and shut it down. That should clear up a huge nest of miscreants.
