Not explicitly #3, but social-based mechanisms can run into a few troubles, depending on the environment in which they are deployed:

a) policy-based proxy blocking (twitter? that's not a business-needs site!)

b) behavioral/anomaly-based proxy blocking (your user never used to go to $social_network, and now you periodically check in! and push many many many messages!? anomaly! probably badness!) (there are probably ways to break this up, like posting images into which you encode exfil'd data, and varying the check-in frequency) (I've only encountered this in the wild a very small number of times. twice?)
...of course these are probably more "edge cases" than primary reasons not to use social platforms for C2. But because these cases exist, it is nice to have nifty C2 mechanisms like DNS TXT which may bypass some logging, passive DNS collection, blocking controls, sinkholing, or otherwise be able to circumvent various other tools defenders might use to catch your tool.

On Wed, Feb 4, 2015 at 10:22 AM, Dean Pierce <[email protected]> wrote:
> This has me curious about something. I remember Alberto's INFILTRATE 2013
> talk about using services like uni.me for these sorts of backchannels (video
> here : http://infiltratecon.com/albertogarciaillera.html) but it always
> seemed to me like using social networks instead has some clear advantages.
> Making it look like someone is just obsessively checking reddit, or facebook
> (over SSL) seems like it would be much less suspicious than giant wacky DNS
> queries. Of course my experience in this field is more theoretical than
> practical, and I wouldn't have brought it up if I didn't fully comprehend how
> sophisticated INNUENDO is. Some friends and I demoed a PoC of a CNC
> backchannel over myspace back in 2007 at the first Toorcon Seattle. I've
> seen the idea pop up again multiple times since then, but it never seems to
> have caught on. I work in the product security space at the moment rather
> than anti-malware/pro-malware, so maybe it's really popular and I just
> haven't been paying close enough attention.
>
> This leaves me with three possibilities:
>
> 1. "DNS still works fine, so why go to all the effort to make sneakier
> backchannels?"
> 2. "Of course INNUENDO supports social network backchannels."
> 3. "Social network backchannels are a stupid idea and you don't know what
> you're talking about."
>
> My money is on #3, but I'm not sure why. Maybe someone in dailydave land
> might finally be able to explain this to me? I can't imagine a better
> audience for this sort of question.
>
> - DEAN
>
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave

--
Kyle Creyts
Information Assurance Professional
Founder BSidesDetroit
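As an added illustration of the "behavioral/anomaly-based proxy blocking" case Kyle describes (not code from the thread or from any product it mentions), here is a small defender-side detector: it reads proxy log lines, ignores hosts a client has visited before, and flags a client/host pair that is both new for that client and contacted at a suspiciously regular interval. The log line layout, the baseline table and the sample lines are all constructed assumptions.

```python
"""Toy beacon detector for proxy logs. Added example, not from the
Dailydave thread; the log format and sample data are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <client_ip> <host>".
# 10.0.0.5 starts hitting a social site every ~5 minutes;
# 10.0.0.7 browses a news site at irregular, human-looking times.
SAMPLE_LOG = """
2015-02-04T09:00:00 10.0.0.5 intranet.example.com
2015-02-04T09:00:07 10.0.0.5 social.example.net
2015-02-04T09:01:00 10.0.0.7 news.example.org
2015-02-04T09:02:30 10.0.0.7 news.example.org
2015-02-04T09:05:07 10.0.0.5 social.example.net
2015-02-04T09:10:09 10.0.0.5 social.example.net
2015-02-04T09:15:06 10.0.0.5 social.example.net
2015-02-04T09:20:08 10.0.0.5 social.example.net
2015-02-04T09:25:07 10.0.0.5 social.example.net
2015-02-04T09:40:00 10.0.0.7 news.example.org
2015-02-04T09:41:10 10.0.0.7 news.example.org
2015-02-04T10:30:00 10.0.0.7 news.example.org
2015-02-04T10:31:00 10.0.0.7 news.example.org
"""

# Constructed baseline: hosts each client has historically visited.
BASELINE_HOSTS = {"10.0.0.5": {"intranet.example.com"}}


def parse(log):
    """Group request timestamps by (client, host)."""
    events = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, host = line.split()
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(log, baseline, min_hits=5, max_jitter=0.15):
    """Return (client, host, mean_gap_seconds, hits) for pairs that are
    new for the client and periodic: at least min_hits requests whose
    inter-arrival times have a coefficient of variation <= max_jitter."""
    flagged = []
    for (client, host), times in parse(log).items():
        if host in baseline.get(client, set()) or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((client, host, round(avg), len(times)))
    return flagged
```

Real check-in traffic with randomised intervals (the jitter Kyle mentions) would need a looser threshold or a different feature, such as request count per hour relative to the client's history.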
