Jump to content

Search the Community

Showing results for tags 'blasco'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

Found 1 result

  1. CANCUN–Attackers have long used distributed denial of service attacks to knock domain-name servers offline but over the last several months malware creators have taken to using DNS requests to tunnel stolen data. Jaime Blasco, vice president and chief scientist at AlienVault, showed a handful of real malware samples that are using this technique at the Kaspersky Lab Security Analyst Summit Tuesday. Blasco, who’s identified suspicious domains before, took the crowd through the motions by discussing some tools to use: NSTX, OzymanDNS, Iodine and perhaps the best known, DNScat. The apps allow users to upload files, run shells, and powershell scripts to download other payloads to use within attacks. For the attack, Blasco described how there has to be an upstream channel which has a fully qualified domain name (FQDN) that has a minimum label length of 63 octets and a maximum domain length of 255 octets. The downstream channel can store a handful of different files in the: TXT records, CNAME records, NULL records and on occasion AAAA records. As part of an experiment Blasco and company found 50 million files that contained traffic, threw it into a parser and found that many malware samples store a URL in a TXT file and tell it which piece of spyware or malware to deploy. “There’s a bunch of software that are using DNS in a weird way,” Blasco said. One of the types of malware they found, FeederBot, was using base64 to encode and had an RC4 encrypted payload. Others used base64 and XOR. Blasco also stumbled upon FrameworkPOS, a fairly recent POS malware variant that was curiously spotted using DNS, although he believes the creators were either testing it out to allow DNS or had access to a company that used it. Morto, a worm that’s been around for a while and PlugX, a remote administration tool that’s existed in some incarnation since 2008, but has been making a return as of late, also turned up. Blasco said that since outbound DNS is usually allowed on corporate networks, many attackers have used it and avoided detection with a simple network protector like MyDLP. Anomalies in DNS traffic, like large content in TXT or NULL records, or a spike in DNS queries, or queries with long domains and subdomains are signs that something fishy might be afoot with a system’s DNS requests, he said. Source
×
×
  • Create New...