Keith C. Perry on 9 Dec 2014 09:40:15 -0800


Re: [PLUG] The 'Penquin' Turla

I find it hard to believe that perl or any other available "magic" gets around a properly configured system that uses Linux capabilities with nosuid mounted filesystems.  That would break selinux enhancements, cpusets and generally the concept of Linux containers from the security point of view.  If you have a link to some perl scripts that do this, I'd like to test this in my lab to confirm for myself.  You never know, but I don't see a practical attack vector for this on a modern Linux box either.

Regardless though, the best way to check for network traffic is out of band- i.e. assume ps, netstat, lsof -i, nmap, etc. have been compromised and are hiding something.  Layer 2 network security devices will still show the traffic flow and that at least will tell where something is happening- there's no need to waste time with higher layer inspection.  I completely agree, NID and NIP devices are just as easy to fool as they are to set off and that is because heuristics should not be applied to protocols since you're more likely to get false positives than you are to catch any c&c traffic.

That was my argument to someone once when my network monitoring application kept setting off alarms for them :D

Exploit writers are pretty smart folks- these writers... not so much.  A hardcoded endpoint ?!??!  That's a gift!

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Owner, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
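An added illustration of the two checks discussed in this thread, written for this archive page and not code from any of the posters: it parses a socket table in /proc/net/tcp format and (a) flags listeners on ports below 1024 that are owned by a non-root UID (a regular user on a high port is not a finding, as noted above; a non-root owner on a privileged port is worth explaining, e.g. by CAP_NET_BIND_SERVICE), and (b) cross-checks the host's own socket table against flows recorded out of band at a network tap, reporting inbound ports the host claims not to be listening on. The socket table and the tap records are constructed sample data, HOST_IP is an assumed address for the monitored box, and the IPv4 decoding assumes the little-endian byte order /proc/net/tcp uses on x86 hosts.

```python
"""Cross-check a host's socket table against flows seen off-box.

Constructed example data throughout; nothing here was captured from a
real system.
"""
import socket
from dataclasses import dataclass

# Constructed sample in /proc/net/tcp format. Columns of interest:
# local_address (hex ip:port), st (0A = LISTEN) and uid.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 2002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 3003 1 0000000000000000 100 0 0 10 0
"""

# Constructed flow records as a layer 2 tap / flow collector might log them.
HOST_IP = "198.51.100.5"  # assumed address of the monitored host
SAMPLE_TAP_FLOWS = """\
2014-12-09T09:40:00 192.0.2.10:51514 -> 198.51.100.5:22 ESTABLISHED
2014-12-09T09:40:03 192.0.2.11:41022 -> 198.51.100.5:8080 ESTABLISHED
2014-12-09T09:40:07 192.0.2.12:60233 -> 198.51.100.5:4444 ESTABLISHED
"""

TCP_LISTEN = "0A"


@dataclass(frozen=True)
class Sock:
    local_ip: str
    local_port: int
    state: str
    uid: int


def _decode_addr(hex_addr: str) -> tuple[str, int]:
    """Turn '0100007F:0016' into ('127.0.0.1', 22).

    /proc/net/tcp stores the IPv4 address in host byte order; reversing the
    bytes is correct on little-endian machines (assumption for this example).
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[Sock]:
    """Parse the socket table, skipping the header line."""
    socks = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if not fields:
            continue
        ip, port = _decode_addr(fields[1])
        socks.append(Sock(ip, port, fields[3], int(fields[7])))
    return socks


def nonroot_privileged_listeners(socks: list[Sock]) -> list[tuple[int, int]]:
    """Listeners below 1024 not owned by root: explain each one."""
    return [(s.local_port, s.uid) for s in socks
            if s.state == TCP_LISTEN and s.local_port < 1024 and s.uid != 0]


def unexplained_inbound(socks: list[Sock], tap_log: str) -> list[int]:
    """Ports the tap saw inbound to HOST_IP with no listener in the host table.

    Any local IP counts as a listener here (wildcard or specific binds alike);
    a port with established inbound flows but no listener means the host's
    own view is incomplete, which is the out-of-band signal to chase.
    """
    listening = {s.local_port for s in socks if s.state == TCP_LISTEN}
    inbound = set()
    for line in tap_log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        if dst_ip == HOST_IP:
            inbound.add(int(dst_port))
    return sorted(inbound - listening)


if __name__ == "__main__":
    table = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print("non-root listeners on privileged ports:",
          nonroot_privileged_listeners(table))
    print("inbound ports with no host-side listener:",
          unexplained_inbound(table, SAMPLE_TAP_FLOWS))
```

On a live box the same parser can be pointed at the real /proc/net/tcp (and tcp6), but the point of the thread stands: if the kernel's view has been tampered with, only the tap side is trustworthy, so the second function is the one that matters.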

From: "brent timothy saner" <>
Sent: Tuesday, December 9, 2014 3:35:36 AM
Subject: Re: [PLUG] The 'Penquin' Turla


On 12/09/2014 12:49 AM, Keith C. Perry wrote:
I'm not sure about this write up.  Regular users can launch network listeners on ports above 1024 so that has nothing to do with root access.  That's not an automatic flag for a problem.

And there's perl magic out there that lets regular users run on <1024.
Even multiplex a socket a service would normally listen on so it's
harder to track down.

Network c&c, although slick, probably would set off heuristic security devices that do higher layer protocol inspection.  Such devices tend to be easy to set off as well.  Manually inspecting traffic would reveal this as well.

If it's SSL, have fun with that without trying to MitM. It'd have to
rely on target destination, which thankfully appears to be hard-coded
in- but heuristic NIDS/NIPS aren't that hard to fool if you know what
you're doing.

Honestly, I wouldn't be too worried- the article reports that the author
hasn't seen it in the wild yet, so I would take it with a grain of salt
for now.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --