http://blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html
Command & Control protocol

This backdoor uses HTTP to carry its custom obfuscated protocol. To evade signature-based IPS/IDS, the URLs are generated randomly to be highly dynamic based on the current time.

(It tries to evade being seen by IPS/IDS, which isn't a good thing; it's targeted in its attack and its developers are smart enough to employ techniques that evade normal IDS/IPS implementations.) And its CNC channel is over HTTP, therefore without deeper inspection of the HTTP traffic this CNC traffic could definitely be going outbound to the bot-herder, or keeper of the botnet, without any other inspection and totally be allowed, which is even scarier. And this is all possible because of drive-by exploits targeting the latest in browser flaws (IE 0-days). Definitely something that could be lurking in a lot of corporate networks, and with the lack of egress filtering and deeper inspection of outbound packets from the internal trust networks, a lot of machines could be owned and send corporate data out the pipe without the business ever even picking up on it.

Food for thought,
Z

Edward E. Ziots
CISSP, Network+, Security+
Network Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505
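One way to pick this kind of channel out of proxy/egress logs without a URL signature is to look for the two traits the post describes together: a client hitting one host on a steady timer, and a request path that never repeats. The script below is an added illustration, not code from the FireEye write-up or from the poster; the log format and the sample lines are constructed for the example, and the thresholds are assumptions to tune against your own traffic.

```python
"""Heuristic check of egress logs for HTTP beaconing with ever-changing URLs.

Added illustration, not FireEye's or the poster's code. The log format
below is constructed for the example (epoch seconds, client IP, host, path).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log: 10.0.0.5 beacons to one host every ~60 s with a
# never-repeating path; 10.0.0.7 browses a normal site with repeated paths.
SAMPLE_LOG = """\
1290000000 10.0.0.5 cdn-example.invalid /a1f3c9.gif
1290000060 10.0.0.5 cdn-example.invalid /77be02.gif
1290000121 10.0.0.5 cdn-example.invalid /c0ffee.gif
1290000180 10.0.0.5 cdn-example.invalid /9d8e7f.gif
1290000241 10.0.0.5 cdn-example.invalid /0badf0.gif
1290000000 10.0.0.7 news.example /index.html
1290000007 10.0.0.7 news.example /style.css
1290000009 10.0.0.7 news.example /index.html
1290000400 10.0.0.7 news.example /index.html
1290000403 10.0.0.7 news.example /style.css
"""

def parse_line(line):
    """Split one constructed log line into (ts, client, host, path)."""
    ts, client, host, path = line.split()
    return int(ts), client, host, path

def find_beacons(log_text, min_hits=5, max_jitter=0.2, min_unique=0.9):
    """Return (client, host) pairs whose requests are evenly spaced in time
    and whose paths almost never repeat: cheap signs of a time-keyed C2 URL
    scheme that a signature on a fixed URL would miss."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, host, path = parse_line(line)
        by_pair[(client, host)].append((ts, path))
    flagged = []
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        # Coefficient of variation of the inter-request gap: ~0 means a timer.
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) else float("inf")
        unique_ratio = len({p for _, p in hits}) / len(hits)
        if jitter <= max_jitter and unique_ratio >= min_unique:
            flagged.append(pair)
    return flagged

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))  # [('10.0.0.5', 'cdn-example.invalid')]
```

Real beacons add jitter and sleep, so on production logs widen max_jitter and lengthen the observation window rather than trusting a single tight threshold.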
