Tales from Crisis, Chapter 4: a ghost in the network

From Botnets.fr


Botnet: Crisis
Date: 26 Aug 2012
Editor/Conference: Osxreverser
Author: Osxreverser
Link: http://reverse.put.as/2012/08/26/tales-from-crisis-chapter-4-a-ghost-in-the-network/ (reverse.put.as; archive copy available)

Abstract

This post is about the first network communication of Crisis with the C&C server. The reason why I think it’s very useful to write about it is that it opens the possibility for you to build a tool to wipe out Crisis from your network. The infection rates appear to be extremely small and there are some technical problems in this implementation. Still, it’s interesting information that can help you to understand this threat and clean it if applicable.

The first packet that the backdoor module sends to the C&C server is an authentication request. In the sample I have, the C&C server was located at the IP address 176.58.100.37. The communication is via HTTP on port 80, with a POST request to /. The contents are encrypted and their size should always be 104 bytes for this request.
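The abstract gives enough of the authentication request to write a network-side check for it: a POST to / on port 80, towards the sample's C&C at 176.58.100.37, with a body of exactly 104 bytes. The following is an added example, not code from the original post: it parses raw HTTP requests and scores them against those indicators, keeping the request shape separate from the C&C address because the address is sample-specific and may differ elsewhere. The parser, the verdict names and the sample traffic are assumptions made for illustration; the 104-byte bodies stand in for the encrypted payload, whose contents the excerpt does not describe.

```python
"""Detect the Crisis C&C authentication request described in the post.

Added example; not code from the original post. The post gives only the
indicators: an HTTP POST to / on port 80, towards the sample's C&C at
176.58.100.37, with an encrypted body of exactly 104 bytes. The parser,
the verdict names and the sample traffic below are assumptions made for
illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Indicators from the post. The IP is sample-specific; other samples may use
# a different C&C, so the request shape is checked independently of it.
CRISIS_CC_IP = "176.58.100.37"
CRISIS_CC_PORT = 80
CRISIS_AUTH_BODY_LEN = 104


@dataclass
class HttpRequest:
    dst_ip: str
    dst_port: int
    method: str
    path: str
    headers: dict
    body: bytes


def parse_http_request(dst_ip: str, dst_port: int, raw: bytes) -> HttpRequest:
    """Parse one raw HTTP/1.x request (request line, headers, body).

    Body length is taken from Content-Length when it is a valid integer,
    otherwise everything after the blank line counts as body.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not found")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    try:
        body = body[: int(headers.get("content-length", ""))]
    except ValueError:
        pass  # no usable Content-Length: keep the body as captured
    return HttpRequest(dst_ip, dst_port, method, path, headers, body)


def classify(req: HttpRequest) -> str:
    """Return a verdict naming which of the post's indicators the request matches."""
    shape = (req.method == "POST" and req.path == "/"
             and req.dst_port == CRISIS_CC_PORT
             and len(req.body) == CRISIS_AUTH_BODY_LEN)
    known_cc = req.dst_ip == CRISIS_CC_IP
    if shape and known_cc:
        return "crisis-auth"      # all indicators: the authentication request
    if shape:
        return "crisis-shape"     # right shape, unknown C&C: worth a second look
    if known_cc:
        return "crisis-ip"        # traffic to the C&C that is not the auth request
    return "benign"


def scan_traffic(records: List[Tuple[str, int, bytes]]) -> List[Tuple[int, str]]:
    """Classify (dst_ip, dst_port, raw_request) records; return non-benign hits."""
    hits = []
    for i, (ip, port, raw) in enumerate(records):
        try:
            verdict = classify(parse_http_request(ip, port, raw))
        except ValueError:
            continue  # unparseable request: skip; the auth request is well-formed HTTP
        if verdict != "benign":
            hits.append((i, verdict))
    return hits


def build_request(method: str, path: str, host: str, body: bytes) -> bytes:
    """Construct a raw request for the sample traffic below (illustration only)."""
    head = "%s %s HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\n\r\n" % (
        method, path, host, len(body))
    return head.encode("ascii") + body


# Constructed sample traffic. The 104-byte bodies stand in for the encrypted
# payload, whose real contents are not given in this excerpt.
ENCRYPTED_PLACEHOLDER = bytes(range(104))
SAMPLE_TRAFFIC = [
    (CRISIS_CC_IP, 80, build_request("POST", "/", CRISIS_CC_IP, ENCRYPTED_PLACEHOLDER)),
    ("203.0.113.5", 80, build_request("POST", "/", "203.0.113.5", ENCRYPTED_PLACEHOLDER)),
    (CRISIS_CC_IP, 80, build_request("GET", "/index.html", CRISIS_CC_IP, b"")),
    ("198.51.100.9", 443, build_request("POST", "/api", "example.net", b"x" * 104)),
]

if __name__ == "__main__":
    for index, verdict in scan_traffic(SAMPLE_TRAFFIC):
        print(index, verdict)
```

A "crisis-shape" hit on its own is a weak signal (a 104-byte POST to / is not unique to this malware), so in practice it is the combination with the destination, or with the later packets of the same session, that should drive a response.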

Bibtex

 @misc{2012BFR1135,
   editor = {Osxreverser},
   author = {Osxreverser},
   title = {Tales from Crisis, Chapter 4: a ghost in the network},
   day = {26},
   month = aug,
   year = {2012},
   howpublished = {\url{http://reverse.put.as/2012/08/26/tales-from-crisis-chapter-4-a-ghost-in-the-network/}},
 }