Keith C. Perry on 9 Dec 2014 09:40:15 -0800



Re: [PLUG] The 'Penquin' Turla


I find it hard to believe that perl or any other available "magic" gets around a properly configured system that uses Linux capabilities with nosuid-mounted filesystems.  That would break selinux enhancements, cpusets and generally the concept of Linux containers from the security point of view.  If you have a link to some perl scripts that do this, I'd like to test this in my lab to confirm for myself.  You never know, but I don't see a practical attack vector for this on a modern Linux box either.

Regardless though, the best way to check for network traffic is out of band, i.e. assume ps, netstat, lsof -i, nmap, etc. have been compromised and are hiding something.  Layer 2 network security devices will still show the traffic flow, and that at least will tell where something is happening; there's no need to waste time with higher layer inspection.  I completely agree, NID and NIP devices are just as easy to fool as they are to set off, and that is because heuristics should not be applied to protocols since you're more likely to get false positives than you are to catch any c&c traffic.

That was my argument to someone once when my network monitoring application kept setting off alarms for them :D

Exploit writers are pretty smart folks; these writers... not so much.  A hardcoded endpoint?!??!  That's a gift!


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Owner, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com

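The thread's point that a listener above 1024 owned by a regular user is unremarkable, while one below 1024 owned by a non-root uid deserves a look, can be checked without trusting the netstat/lsof binaries by reading /proc/net/tcp directly. This is an added example, not code from the thread; it parses a constructed /proc/net/tcp sample (kernel format, hex little-endian address and big-endian port, state 0A = LISTEN, uid column) and flags privileged-port listeners owned by unexpected uids. It still relies on the kernel being honest, which is why Keith's layer 2 view remains the real out-of-band check.

```python
import socket
import struct

LISTEN_STATE = "0A"          # socket state code for LISTEN in /proc/net/tcp
PRIVILEGED_PORT_MAX = 1023   # ports at or below this normally need root or CAP_NET_BIND_SERVICE

# Constructed sample of /proc/net/tcp (not a real capture):
#   row 0: sshd on 0.0.0.0:22, uid 0       -> expected
#   row 1: user app on 127.0.0.1:8080, uid 1000 -> unprivileged port, not a flag
#   row 2: uid 1000 listening on 0.0.0.0:80    -> privileged port, non-root owner
#   row 3: an ESTABLISHED connection, ignored
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
   3: 0100007F:A1B2 0C0B1A5E:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 45678 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(hex_endpoint):
    """Turn 'AABBCCDD:PPPP' into ('d.c.b.a', port). The kernel prints the IPv4
    address as a host-order 32-bit word, so on little-endian hosts the bytes are reversed."""
    addr_hex, port_hex = hex_endpoint.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_listeners(text):
    """Return every LISTEN socket as {addr, port, uid, inode}, skipping the header row."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN_STATE:
            continue
        addr, port = decode_endpoint(fields[1])
        listeners.append({"addr": addr, "port": port,
                          "uid": int(fields[7]), "inode": int(fields[9])})
    return listeners


def flag_unexpected(listeners, expected_privileged_uids=(0,)):
    """Listeners on privileged ports whose owning uid is not in the expected set."""
    return [l for l in listeners
            if l["port"] <= PRIVILEGED_PORT_MAX and l["uid"] not in expected_privileged_uids]


if __name__ == "__main__":
    # On a live host, replace the sample with open("/proc/net/tcp").read().
    for entry in flag_unexpected(parse_listeners(SAMPLE_PROC_NET_TCP)):
        print("privileged port %d on %s owned by uid %d (inode %d)"
              % (entry["port"], entry["addr"], entry["uid"], entry["inode"]))
```

A service granted CAP_NET_BIND_SERVICE legitimately shows up here too, so the expected uid set should be populated from the host's own configuration rather than assumed.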

From: "brent timothy saner" <brent.saner@gmail.com>
To: plug@lists.phillylinux.org
Sent: Tuesday, December 9, 2014 3:35:36 AM
Subject: Re: [PLUG] The 'Penquin' Turla


On 12/09/2014 12:49 AM, Keith C. Perry wrote:
> I'm not sure about this write up.  Regular users can launch network listeners on ports above 1024 so that has nothing to do with root access.  That's not an automatic flag for a problem.

And there's perl magic out there that lets regular users run on <1024.
Even multiplex a socket a service would normally listen on so it's
harder to track down.

> Network c&c, although slick, probably would set off heuristic security devices that do higher layer protocol inspection.  Such devices tend to be easy to set off as well.  Manually inspecting traffic would reveal this as well.

If it's SSL, have fun with that without trying to MitM. It'd have to
rely on target destination, which thankfully appears to be hard-coded
in, but heuristic NIDS/NIPS aren't that hard to fool if you know what
you're doing.

Honestly, I wouldn't be too worried; the article reports that the author
hasn't seen it in the wild yet, so I would take it with a grain of salt
for now.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug