How Command and Control Servers Remain Resilient

September 14, 2015 – 7:53 AM

One of the ways malware on a network is spotted is through its network activity. In many cases, however, this is difficult to detect: there have been incidents where command-and-control (C&C) servers stayed online and posed a problem for many years. One such group of threat actors was active for more than five years and used a single C&C server for two years.

Malware, unlike future artificial intelligence, is generally not self-aware and requires direction from an attacker to function well. That’s where C&C servers come in. While these are commonly thought of as limited to use by botnets, that is less true today than it once was: many different threats, not just botnets, now require C&C servers to function correctly.

Previously C&C servers were limited to IRC servers that controlled victim machines via chatroom commands. Since then, it has become essentially standard for all malware to include some form of remote control in order to perform the following functions:

  • receive commands to perform directed malicious routines
  • report system information for tracking purposes
  • send stolen information to an external drop zone
  • allow an attacker complete control of the affected machine

The infrastructure behind these C&C servers has also improved over time. Servers stay in use for far longer periods due to increasingly sophisticated techniques: C&C servers have been implemented in ways that make them resilient to takedowns, difficult to detect, and able to disguise their origins. In this post, we describe the most popular methodologies used to circumvent security solutions and maintain control for longer periods of time, starting with the more sophisticated techniques. This may give some insight into how attackers operate and how their activities can be stopped.
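Since the post opens with network activity as the way such servers get spotted, here is an added example (not from the original post or the Trend Micro article it excerpts) of one common defensive check: flagging client-to-server flows whose requests arrive at near-constant intervals, which is how an implant checking in with its C&C server often looks in proxy logs. The log format, hosts, addresses and thresholds are constructed assumptions, not taken from the page.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the original post): "timestamp source destination".
# The first flow checks in roughly every 60 seconds; the second is ordinary browsing.
SAMPLE_LOG = """\
2015-09-14T07:00:00 10.0.0.5 cdn.example.net
2015-09-14T07:01:00 10.0.0.5 cdn.example.net
2015-09-14T07:02:01 10.0.0.5 cdn.example.net
2015-09-14T07:03:00 10.0.0.5 cdn.example.net
2015-09-14T07:03:59 10.0.0.5 cdn.example.net
2015-09-14T07:05:00 10.0.0.5 cdn.example.net
2015-09-14T07:00:12 10.0.0.5 news.example.org
2015-09-14T07:00:45 10.0.0.5 news.example.org
2015-09-14T07:09:30 10.0.0.5 news.example.org
2015-09-14T07:11:02 10.0.0.5 news.example.org
2015-09-14T07:40:00 10.0.0.5 news.example.org
2015-09-14T07:41:00 10.0.0.7 cdn.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Group request timestamps by (source, destination) from 'ts src dst' lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the scan
        ts, src, dst = m.groups()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def intervals(timestamps):
    """Seconds between consecutive requests, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps):
    """Coefficient of variation of the inter-request gaps: 0 means perfectly periodic.
    Returns None when fewer than three requests (two gaps) are available."""
    if len(timestamps) < 3:
        return None
    gaps = intervals(timestamps)
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(text, max_cv=0.1, min_requests=5):
    """Return sorted (src, dst, mean_interval_s, cv) for flows that look periodic.
    max_cv tolerates small jitter; min_requests avoids flagging flows with too little data."""
    results = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            results.append((src, dst, round(mean(intervals(stamps)), 1), round(cv, 3)))
    return sorted(results)


if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every ~{period}s (cv={cv})")
```

The coefficient of variation is a deliberately simple periodicity measure; real implants add random sleep jitter, so in practice the threshold is tuned per environment and combined with other signals (rare destinations, constant request sizes, long-lived sessions) rather than used alone.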

Source:
http://blog.trendmicro.com/trendlabs-security-intelligence/adapting-to-change-how-command-and-control-servers-remain-hidden-and-resilient/

HowTo: Privacy & Security Conscious Browsing

August 27, 2015 – 8:56 PM

The purpose of this document is to make recommendations on how to browse in a privacy- and security-conscious manner. This information is compiled from a number of sources, which are referenced throughout the document, as well as my own experiences with the described technologies.

Source:
https://gist.github.com/atcuno/3425484ac5cce5298932

Great Resource – Privacytools.io

August 21, 2015 – 9:24 PM

I probably never posted about this site on here but I still reference it quite frequently and I highly recommend it to anybody who is concerned with their online privacy.  This is a must-read and gets updated as needed with new tools and resources.

https://www.privacytools.io/

List of Windows 10 “phone home” domains

August 16, 2015 – 12:15 AM

Here is a list of all the domains caught so far sending your data back to Microsoft in Windows 10:

vortex.data.microsoft.com
vortex-win.data.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net
redir.metaservices.microsoft.com
choice.microsoft.com
choice.microsoft.com.nsatc.net
df.telemetry.microsoft.com
reports.wes.df.telemetry.microsoft.com
wes.df.telemetry.microsoft.com
services.wes.df.telemetry.microsoft.com
sqm.df.telemetry.microsoft.com
telemetry.microsoft.com
watson.ppe.telemetry.microsoft.com
telemetry.appex.bing.net
telemetry.urs.microsoft.com
telemetry.appex.bing.net:443
settings-sandbox.data.microsoft.com
vortex-sandbox.data.microsoft.com
survey.watson.microsoft.com
watson.live.com
watson.microsoft.com
statsfe2.ws.microsoft.com
corpext.msitadfs.glbdns2.microsoft.com
compatexchange.cloudapp.net
cs1.wpc.v0cdn.net
a-0001.a-msedge.net
statsfe2.update.microsoft.com.akadns.net
sls.update.microsoft.com.akadns.net
fe2.update.microsoft.com.akadns.net
diagnostics.support.microsoft.com
corp.sts.microsoft.com
statsfe1.ws.microsoft.com
pre.footprintpredict.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
feedback.windows.com
feedback.microsoft-hohm.com
feedback.search.microsoft.com
rad.msn.com
preview.msn.com
ad.doubleclick.net
ads.msn.com
ads1.msads.net
ads1.msn.com
a.ads1.msn.com
a.ads2.msn.com
adnexus.net
adnxs.com
aidps.atdmt.com
apps.skype.com
az361816.vo.msecnd.net
az512334.vo.msecnd.net
a.rad.msn.com
a.ads2.msads.net
ac3.msn.com
aka-cdn-ns.adtech.de
b.rad.msn.com
b.ads2.msads.net
b.ads1.msn.com
bs.serving-sys.com
c.msn.com
cdn.atdmt.com
cds26.ams9.msecn.net
c.atdmt.com
db3aqu.atdmt.com
ec.atdmt.com
flex.msn.com
g.msn.com
h2.msn.com
h1.msn.com
live.rads.msn.com
msntest.serving-sys.com
m.adnxs.com
m.hotmail.com
preview.msn.com
pricelist.skype.com
rad.msn.com
rad.live.com
secure.flashtalking.com
static.2mdn.net
s.gateway.messenger.live.com
secure.adnxs.com
sO.2mdn.net
ui.skype.com
www.msftncsi.com
msftncsi.com
view.atdmt.com

Warning: Block them at your own risk.  You may break some updating functionality.
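As an added example (not part of the original post), the following Python takes a list in the format above, normalises it (the posted list mixes case, includes one `host:port` entry, and repeats names such as rad.msn.com and preview.msn.com), emits hosts-file lines that sinkhole the names, and checks DNS query log lines against the list, treating subdomains of a listed name as matches but not unrelated names that merely end in the same string. Only a subset of the posted domains is embedded so the block stays short; the log lines and client addresses are constructed.

```python
import re

# Subset of the domains from the post above; the full list can be pasted in its place.
POSTED_DOMAINS = """\
vortex.data.microsoft.com
telecommand.telemetry.microsoft.com
telemetry.appex.bing.net
telemetry.appex.bing.net:443
rad.msn.com
preview.msn.com
rad.msn.com
www.msftncsi.com
msftncsi.com
telemetry.microsoft.com
"""


def normalize_domains(text):
    """Lowercase, strip a trailing ':port', drop blanks and duplicates, keep first-seen order."""
    seen = set()
    out = []
    for raw in text.splitlines():
        name = re.sub(r":\d+$", "", raw.strip().lower())
        if not name or name in seen:
            continue
        seen.add(name)
        out.append(name)
    return out


def hosts_entries(domains, sink="0.0.0.0"):
    """Render hosts-file lines that point each listed name at a sinkhole address."""
    return [f"{sink} {d}" for d in domains]


def is_blocked(qname, domains):
    """True if qname equals a listed domain or is a subdomain of one.
    A trailing dot (fully qualified form in many resolver logs) is ignored."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


# Constructed DNS query log lines (not real captures): "timestamp client qname".
SAMPLE_DNS_LOG = """\
2015-08-16T00:10:01 192.168.1.20 vortex.data.microsoft.com
2015-08-16T00:10:02 192.168.1.20 www.example.com
2015-08-16T00:10:05 192.168.1.21 sqm.df.telemetry.microsoft.com
2015-08-16T00:10:06 192.168.1.21 A.RAD.MSN.COM.
2015-08-16T00:10:09 192.168.1.22 notmsftncsi.com
"""


def flag_queries(log_text, domains):
    """Return (client, qname) pairs whose query name hits the list."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        if is_blocked(qname, domains):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    domains = normalize_domains(POSTED_DOMAINS)
    print("\n".join(hosts_entries(domains)))
    for client, qname in flag_queries(SAMPLE_DNS_LOG, domains):
        print(f"{client} queried {qname}")
```

Matching on the query name rather than the resolved address is what makes the check hold up when a listed name sits behind a CDN or a shared IP, which is also why the hosts-file approach works despite that. The post's warning still applies to the generated entries: sinkholing these names can break update and connectivity checks, so review the output before installing it.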

Attackers can access Dropbox, Google Drive, OneDrive files without a user’s password

August 6, 2015 – 7:19 PM

Hackers don’t even need your password anymore to get access to your cloud data.

Newly published research, released at the Black Hat conference in Las Vegas on Wednesday by security firm Imperva, shows how a “man-in-the-cloud” attack can grab cloud-based files — as well as infecting users with malware — without users even noticing.

The attack differs from traditional man-in-the-middle attacks, which rely on tapping data in transit between two servers or users, because it exploits a vulnerability in the design of many file synchronization offerings, including Google, Box, Microsoft, and Dropbox services.

This is not just an issue for consumers, but also businesses, which increasingly use cloud-based services to share sensitive customer and corporate data.

The report by Imperva, which has a research unit as well as having a commercial stake in the security space, said in some cases “recovery of the account from this type of compromise is not always feasible.”

The attack works by grabbing the password token, a small file that sits on a user’s devices for convenience (which saves the user from entering their password each time). When the token is obtained, either through a phishing attack or a drive-by exploit, it can be used to fool a new machine into thinking the attacker is the account’s owner. From there, the attacker can access and steal files, and even add malware or ransomware (which is on the rise) to the victim’s cloud folder, which can be used for further attacks.

Source:
http://www.zdnet.com/article/dropbox-google-drive-onedrive-files-man-cloud-attack/