Dissecting RSA's 'Watering Hole' Traffic Snippet
rye writes "Even the tiniest snippets of network traffic reveal a lot — not just about viruses and botnets, but also about the malware research lab setup inside corporations like RSA. Watch as Sherri Davidoff of LMG Security tears apart a teeny tiny snippet of gh0st RAT traffic released by RSA during their investigation of the VOHO 'watering hole' attack. Quoting: 'From just a few bits and bytes, we've learned that RSA's investigator was probably using Windows XP on a VMWare guest, which was assigned the IP address 192.168.0.106. The local router had a network card likely manufactured by 2Wire. We've also seen firsthand that the C2 channel traffic, which was masquerading as "HTTPS," was running over port 80, and confirmed the gh0st RAT's destination.'"
So what (Score:3, Funny)
From just one bit of traffic snippet, I can predict that the machine has networking capabilities. Beat that!
The machine exists (Score:3)
Re:The machine exists (Score:5, Funny)
Being a VM, the machine both exists and doesn't exist.
Entanglement theory proven!
Beat that!
Re: (Score:3)
Re: (Score:3)
Internet law: As an online discussion grows longer, the probability of a comparison involving cats approaches 1.
Re: (Score:3)
Being a VM, the machine both exists and doesn't exist.
So it's Schrödinger's VM then?
Re: (Score:2)
But knowing the package came from that VM will cause a collapse of its OS.
Re: (Score:2)
If a Windows cloud crashes, would it be a blue sky?
Re: (Score:1)
You think the machine exists, therefore you are.
Re: (Score:1)
You think the machine exists, therefore you are.
Because you interact with the machine, you become aware of yourself. /existentialism
Re: (Score:1)
Re: (Score:2)
I posit that the machine exists. Beat that!
1 bit, therefore I am.
Re: (Score:1)
Only in your head, mate. ;)
In fact, all of Slashdot, including me, this post and in fact the whole basement and food-bringing mom only exist in your mind.
And there's no Matrix telephone nor pills to get out. You can only go *deeper*.
Now what?
Lame (Score:1)
I was expecting a bit more than disassembling packets.
Re: (Score:2)
Next in the news, a tutorial about upgrading from IE6 to IE7?
Re: (Score:2)
Re: (Score:2)
Other than the article suggests, 0xFFFF != 255
Sure it does.
0xFFFF = -1 (signed int) = -1 (signed char) = 255 (unsigned char)
Nope. (Score:4, Insightful)
The machine was just pretending to be a Windows XP machine running as a VMWare guest, etc.
Re: (Score:2)
It's a virtual machine, I'd be terribly surprised if it somehow became an actual physical Windows XP box connected to the network.
Re:Nope. (Score:5, Insightful)
The machine was just pretending to be a Windows XP machine running as a VMWare guest, etc.
I thought it was strange that a (presumably) prominent researcher wouldn't at least come up with a MAC address of a cheap embedded NIC for the honeypot. I mean, if I were a malware coder that would be one of the first things to clue me in that [ackbar]it's a trap![/ackbar]. Who would run a completely defenseless Windows XP machine in a VM other than a white hat?
Priceless (Score:5, Funny)
Re: (Score:2)
Maybe if you'd stop reminding people where the meme came from it could be divorced from the bullshit. You can't kill the joke but you can sure as hell kill the PR.
Re: (Score:1)
Just be happy he got the brand wrong.
Re: (Score:2)
Glean even more with a little research. (Score:3)
The 2Wire card is probably on a desktop computer hosting the VMware; she calls it a gateway, and the VM is actually using the host's network card as a gateway.
2Wire has only two options for cards: USB and PCI. USB in a laptop is somewhat unlikely as most laptops have wireless built in, so I'm looking at a desktop with a higher probability.
VMware means it's also from a company or someone with money. Otherwise it would have been running under VirtualBox or another free VM.
There is still a lot of data that can be extracted from that snippet by doing a little research.
Re: (Score:2)
Data in article was straight from packets, your conjecture is just an ass_umption you pulled out of your ass.
People pirate VMware; MACs are randomly generated.
Re: (Score:3)
Yet you lose all your credibility by being an asshole. Want to try again but after you take your meds?
Re: (Score:2)
You are right, I'm sorry. I get really agitated when someone commits fallacy of the converse.
Re: (Score:2)
Data in article was straight from packets, your conjecture is just an ass_umption you pulled out of your ass.
People pirate VMware; MACs are randomly generated.
Pirate VMware? The ESXi hypervisor can be had for *free* and a version of it (current or past, all are stable) can run on just about any hardware, even a cheap $300 homebuilt test box. The question is, was the XP pirated or was it showing a "your computer is at risk!!!" screen?
Re: (Score:2)
From VMware documentation [vmware.com]:
The first three bytes of the MAC address that is generated for each virtual network adapter consist of the OUI. The MAC address-generation algorithm produces the other three bytes.
Unless you manually pick a MAC address, you're going to end up with a MAC that identifies as VMware, every time.
Grats on being both a jerk AND wrong; it's really a potent combination.
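As an added example, not code from the article, RSA or LMG Security: a small Python frame parser that pulls out the fields the story summary and the VMware MAC comment above rely on (source MAC OUI, private source IP, destination port, first payload bytes) and records the two observations a defender would draw from them. The OUI table, the sample frame and the 203.0.113.5 destination are constructed placeholders, not data from the RSA capture.

```python
import struct

# Constructed OUI lookup for this example; only VMware's well-known prefixes are listed.
OUI_VENDORS = {"00:50:56": "VMware", "00:0c:29": "VMware"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def oui_vendor(mac):
    return OUI_VENDORS.get(mac[:8].lower(), "unknown")   # first 3 bytes = OUI

def parse_frame(frame):
    """Parse Ethernet II + IPv4 + TCP headers (untagged frame) into a dict."""
    if len(frame) < 54:
        raise ValueError("frame too short for Ethernet+IPv4+TCP")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4          # IP header length, options included
    if frame[23] != 6:
        raise ValueError("not TCP")
    tcp = frame[14 + ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4         # TCP header length, options included
    return {
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
        "src_vendor": oui_vendor(mac_str(src_mac)),
        "src_ip": ".".join(map(str, frame[26:30])),
        "dst_ip": ".".join(map(str, frame[30:34])),
        "src_port": src_port, "dst_port": dst_port, "payload": tcp[data_off:],
    }

def assess(info):
    """Observations a defender would draw from one frame, as in the article."""
    notes = []
    if info["src_vendor"] == "VMware":
        notes.append("source MAC OUI is VMware: sender is probably a VM guest")
    if info["dst_port"] == 80 and info["payload"][:2] == b"\x16\x03":
        notes.append("TLS-looking record sent to port 80: 'HTTPS' on the HTTP port")
    return notes

def build_sample_frame():
    """Constructed sample frame: 192.168.0.106 -> 203.0.113.5:80 (placeholder C2 address)."""
    payload = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"   # constructed TLS-like bytes
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 128, 6, 0, bytes([192, 168, 0, 106]), bytes([203, 0, 113, 5]))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("000c29aabbcc") + b"\x08\x00"
    return eth + ip + tcp + payload
```

Running `assess(parse_frame(build_sample_frame()))` yields both notes; swap in a real capture's bytes to apply the same checks to your own lab traffic.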
Elementary my dear Watson (Score:5, Funny)
Re: (Score:2)
We can narrow the search a bit further. My crack team of forensic consultants have discovered that his mother was a snow blower, and his father reeked of elderberries.
Re: (Score:1)
Thought the mother was a hamster?
It's easy (Score:2)
Re: (Score:2, Insightful)
Was that before HTTPS was big and popular?
Re: (Score:2)
Any idiot typing in their credit card number on an unencrypted connection? Well, they deserve what they get, basically. Even my dad is paranoid about the little yellow padlock and he's only just graduated to two-finger typing (two index fingers, mind you, but it's an improvement!). Hell, he phoned me up one day because he was buying something and the site had a GREEN padlock icon. Gosh. But he had the brains to stop, think, and check in before he typed ANYTHING in.
Pre-HTTPS, which is a long while ago,
Re: (Score:1)
I'm a trifle surprised... (Score:5, Interesting)
2Wire is a deeply unrenowned maker of painfully shitty integrated DSL modem/router arrangements of the sort that you get because your ISP hates you. So, a very odd thing to see on an actual corporate network; but a plausible thing to use if you are trying to duplicate a 'standard newb user' (or if your security testing environment, for security and verisimilitude, does actually have a bunch of consumer DSL lines set up).
Any trace of VMware, on the other hand, is something of a dead giveaway of "Not a clueless home user". Maybe the install base of their Windows-on-Mac product is big enough these days; but VMware-related virtual hardware devices, MACs, guest addons, etc. (on a desktop OS) are a bit of a dead giveaway that you've just hit somebody's burner test machine (on server OSes, obviously, landing in a VM is perfectly plausible in production environments). I'm surprised that somebody doing security-related work wouldn't make a greater effort to conceal the fact that they are in a VM, to avoid the possibility of rousing the suspicion of a sophisticated attacker.
Re: (Score:2)
2Wire is a deeply unrenowned maker of painfully shitty integrated DSL modem/router arrangements of the sort that you get because your ISP hates you. So, a very odd thing to see on an actual corporate network; but a plausible thing to use if you are trying to duplicate a 'standard newb user' (or if your security testing environment, for security and verisimilitude, does actually have a bunch of consumer DSL lines set up).
Any trace of VMware, on the other hand, is something of a dead giveaway of "Not a clueless home user". Maybe the install base of their Windows-on-Mac product is big enough these days; but VMware-related virtual hardware devices, MACs, guest addons, etc. (on a desktop OS) are a bit of a dead giveaway that you've just hit somebody's burner test machine (on server OSes, obviously, landing in a VM is perfectly plausible in production environments). I'm surprised that somebody doing security-related work wouldn't make a greater effort to conceal the fact that they are in a VM, to avoid the possibility of rousing the suspicion of a sophisticated attacker.
It smacks more of the boss saying "hell no you can't honeypot on our network" and the next best thing being to order a cheap DSL connection, have it delivered to the office, and then plug it into a set of otherwise isolated test boxes for the duration of the experiment. That, or someone working from a machine on their home lab. It's just not plausible that they reset the router MAC and not reset the host MAC.
Re: (Score:2)
Oh, buying a cheapie residential DSL line for security testing seems totally sensible. I'm just a touch surprised that somebody honeypotting for possibly-sophisticated attackers wouldn't conceal the fact that they are using a burner VM, as well as not using a network connection associated with a well-known security firm.
Re: (Score:2)
And now... (Score:1)
For my next trick, I will guess this man's name, address, and electricity provider from nothing more than a copy of his electric bill I took from his mailbox! And without even opening the envelope!!
What a non story...
Am I the only one (Score:1)
SMH (Score:1)
Editors, you continue to impress me with your ever steepening spiral of buzzword-laden, information-starved stupidity, and baseless drivel.
At least post stories which are fantastical, nebulous, or humorously false.
I understand that everybody who comes here does not possess a basic understanding of cutting edge topics like what a packet header is, but the existence of such things is not news, and reporting as such makes you look like an imbecile one grade beyond the typical "I don't know the difference betwe
192.168.*.* (Score:3)
There's that subnet again. It keeps popping up in our investigations. Perhaps we need to have the authorities raid it and shut it down. That should clear up a huge nest of miscreants.