On Sep 26, 2013, at 2:41 PM, Dave Aitel wrote:

> You use your exploit framework of choice to phish a few people with a PDF
> exploit. Your exploit is written by a professional team and is highly
> reliable, and you know it triggered because it downloaded your trojan from
> your watering-hole website, but you never got a callback. This is one of
> those features of modern well-run networks. It's sometimes easy to get INTO
> the network, but hard to get OUT of the network. INNUENDO is an injectable
> DLL, so not easy to catch even by modern AV/HIPS.
>
> By design INNUENDO is highly configurable at build-time, and hot-patchable at
> runtime using blocks of code that are strongly signed and encrypted. One of
> the core features is that there are channels into and out of the core message
> pumps, and these are themselves hot-swappable. So for PDF exploits, one of
> the channels you'll use is a PDF sniffer that sits in the PDF reader and
> looks at all new PDF's for signed messages from the C&C. It can then use
> these to update itself with, say, a bi-directional ICMP channel, or a
> Twitter/IMGUR channel (slightly higher bandwidth). Or a local exploit, of
> course.
>
> One of the main things we're moving into here is a complete break from the
> concept of tunneling connections into a network. Messages move throughout the
> network and get routed as they want to. INNUENDO handles interruptions in
> connectivity in a completely reliable way - if you switch to DNS tunneling
> halfway through a big file transfer because they've blocked your HTTPS
> callback, then so be it.
>
> In any case, if you want to be in on the early testing, or want to budget for
> it in the new FY, let me know!

Awesome, sounds like http://www.youtube.com/watch?v=F3hi5nsy1lE , just not as great on payload protection.

Daniel Uriah Clemens
O +1 202 747 0043 Ext. 7001
M +1 205 567 6850
F +1 205 449 4731
Packet Ninjas LLC
265 Riverchase Pkwy E. Suite 103
Hoover, AL 35244
"Moments of Sorrow are moments of sobriety"

_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
