Topic: Red October Botnet Hides Calls to Control Server

Pez
« on: 05. March 2013., 08:38:36 »

Red October Botnet Hides Calls to Control Server

While working on the release of the latest version of the McAfee Network Security Platform, which offers advanced malware and botnet protection, we tested a sample of the malware Red October. With the help of our in-house advanced botnet analysis framework, we analyzed the network traffic generated by this sample and tracked its communications with the botnet control server.

Today, most malware uses cryptography in its communications to evade detection by network-monitoring appliances such as intrusion detection and prevention systems. The cryptography makes it very challenging to find the messages’ structure. This is the case with Red October, which collects infected-machine information such as the volume drive serial number, Internet Explorer product key, available MAC IDs, etc., encrypts those messages with an SHA1-like algorithm and sends them to its control server. We find it useful to know the exact structure of the encrypted network communication because it also reveals what kind of data the malware steals and how it is encrypted.

Red October uses various layers of packers and obfuscation techniques to execute its final code. One interesting bit of the code tells us how it triggers a function that sends user data to the control server after encryption.

The code uses the SetTimer API to execute the TimeProc function after 15 minutes.



We find the code for its cryptic stuff here:



And finally it sends to the control server:



In response, the control server sends encrypted commands to the infected machine. This command data is parsed accordingly:
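As an added defender-side illustration, not code from the McAfee article or from this post: the post notes that the bot fires its send routine on a 15-minute timer and that the payload itself is encrypted, so a network defender cannot inspect the content. What survives encryption is the timing. The script below groups connections per client/destination pair from a small constructed proxy log (the log format, hostnames, client IP and thresholds are all assumptions made up for this example) and flags pairs whose inter-arrival times are nearly constant, which is how a fixed-interval beacon stands out from ordinary browsing.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real Red October traffic):
# ISO timestamp, client IP, destination host, bytes sent.
# The "update.example-c2.test" rows are spaced ~15 minutes apart on purpose.
SAMPLE_LOG = """\
2013-03-02T10:00:00 10.0.0.5 update.example-c2.test 1480
2013-03-02T10:02:13 10.0.0.5 www.example.com 512
2013-03-02T10:15:01 10.0.0.5 update.example-c2.test 1492
2013-03-02T10:21:44 10.0.0.5 www.example.com 2048
2013-03-02T10:30:00 10.0.0.5 update.example-c2.test 1475
2013-03-02T10:44:59 10.0.0.5 update.example-c2.test 1501
2013-03-02T10:47:12 10.0.0.5 www.example.com 300
2013-03-02T11:00:01 10.0.0.5 update.example-c2.test 1488
2013-03-02T11:31:08 10.0.0.5 www.example.com 7000
"""

# Assumed line layout for the constructed log above.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, client, destination, bytes_sent) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts, client, dest, nbytes = m.groups()
        yield datetime.fromisoformat(ts), client, dest, int(nbytes)


def find_beacons(text, min_events=4, max_jitter=0.1):
    """Return {(client, dest): mean_gap_seconds} for flows that look like beacons.

    A flow is flagged when it has at least `min_events` connections and the
    coefficient of variation (stdev / mean) of the gaps between consecutive
    connections is at most `max_jitter`. Human browsing produces irregular
    gaps; a timer-driven callback produces gaps that are almost identical.
    """
    flows = defaultdict(list)
    for ts, client, dest, _ in parse_log(text):
        flows[(client, dest)].append(ts)

    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_events:
            continue  # too few samples to say anything about regularity
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (client, dest), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: regular beacon every {gap / 60:.1f} minutes")
```

On the constructed log only the `update.example-c2.test` flow is reported, at roughly 900 seconds between connections, while the `www.example.com` flow has four events but far too much jitter. In practice the jitter threshold needs tuning per environment, and legitimate software updaters also beacon on fixed schedules, so the output is a triage list rather than a verdict.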



McAfee customers are well protected with our UDS-BOT signature, which is now integrated with the Network Security Platform.


Original article: Saturday, March 2, 2013 at 10:15pm by Vikas Taneja
There are two easy ways to configure a system!
Everything open and everything closed.
Everything else is more or less complex.

Samker's Computer Forum - SCforum.info