brent timothy saner on 9 Dec 2014 00:35:45 -0800



Re: [PLUG] The 'Penquin' Turla


On 12/09/2014 12:49 AM, Keith C. Perry wrote:
> I'm not sure about this write-up. Regular users can launch network listeners on ports above 1024, so that has nothing to do with root access. That's not an automatic flag for a problem.
> 

And there's perl magic out there that lets regular users run on <1024.
It can even multiplex a socket that a service would normally listen on,
so it's harder to track down.

> Network C&C, although slick, would probably set off heuristic security devices that do higher-layer protocol inspection. Such devices tend to be easy to set off as well. Manually inspecting traffic would reveal this as well.
> 

If it's SSL, have fun with that without trying to MitM. It'd have to
rely on the target destination, which thankfully appears to be hard-coded
in, but heuristic NIDS/NIPS aren't that hard to fool if you know what
you're doing.

Honestly, I wouldn't be too worried; the article reports that the author
hasn't seen it in the wild yet, so I would take it with a grain of salt
for now.
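As an added example that is not part of the thread, here is a defender-side check for the point about unprivileged listeners: it parses a /proc/net/tcp-style socket table (the sample rows are constructed, not captured from a real host) and flags sockets in LISTEN state on ports below 1024 that belong to a non-root UID, which normally requires a capability or a setuid helper. Function names and the sample data are my own.

```python
"""Audit a /proc/net/tcp-style table for privileged ports bound by non-root UIDs."""
import socket
import struct

LISTEN = "0A"          # TCP state code for LISTEN in /proc/net/tcp
PRIVILEGED_MAX = 1023  # ports at or below this normally need root or CAP_NET_BIND_SERVICE

# Constructed sample in /proc/net/tcp layout (not from a real host).
# Row 1 is sshd as root on 22; row 2 is uid 1000 on 631; row 3 is uid 1000 on 8080;
# row 4 is an established connection (state 01), not a listener.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C2A4 01 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(hexaddr):
    """'0100007F:0277' -> ('127.0.0.1', 631); the IPv4 address is stored little-endian."""
    addr_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(text):
    """Return (ip, port, uid, inode) for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        ip, port = decode_endpoint(fields[1])
        listeners.append((ip, port, int(fields[7]), int(fields[9])))
    return listeners


def flag_privileged_nonroot(text):
    """Listeners on ports <= 1023 owned by a UID other than 0.

    An unprivileged process cannot bind here without CAP_NET_BIND_SERVICE or a
    setuid helper, so each hit deserves a look at the owning process (via inode).
    """
    return [l for l in parse_listeners(text) if l[1] <= PRIVILEGED_MAX and l[2] != 0]


if __name__ == "__main__":
    for ip, port, uid, inode in flag_privileged_nonroot(SAMPLE):
        print(f"uid {uid} listening on {ip}:{port} (socket inode {inode})")
```

On a live host, read /proc/net/tcp (and /proc/net/tcp6 for IPv6) instead of SAMPLE, then map each flagged inode to a PID through /proc/*/fd.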
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug