Websense ToorCon Presentation

Thanks to a comment from Shahid for pointing me to the WebSense Security Labs presentation The Web Vector: Exploiting Human and Browser Vulnerabilities (.pdf). I think the most interesting part of the briefing is the introduction of Web-based bot net command and control. Because organizations are locking down outbound IRC, bot net controllers are using HTTP as a replacement protocol. If anyone has any experience with this sort of traffic, I would be interested in hearing from you.

Comments

Anonymous said…
Hey Richard, there was a malware analysis challenge by honeynet.org not too long ago where the subject was a backdoor controlled via HTTP.

http://www.honeynet.org/scans/scan32/

BTW congrats on Extrusion Detection. I've had it pre-ordered for a while now and can't wait to start reading it! :)

Thanks Adam!
John Ward said…
I am actually surprised we haven't seen more of this sort of thing in the wild, especially with the increased availability and encapsulation of SOAP libraries. Although I have no direct experience with this, in theory it really wouldn't take much to have a central Apache server acting as a bot controller and have the client machines poll for commands using SOAP calls. It's even possible to use specially crafted session and cookie variables (yeah yeah, that whole cookie paranoia of the late 90s) to communicate, and have the server return commands to the bot with specially crafted HTML tags or steganography images. To a network security analyst, this would look like benign HTTP requests returning HTML and very difficult to detect. This is of course assuming that something like this is not already out there.

By the way, the SoTM challenges are great sources of info, I love those things :)
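The post asks what this traffic looks like in practice, and the comment above describes the mechanism an analyst would have to spot: compromised hosts polling one web server for commands on a schedule, with small responses that look like ordinary HTTP. The script below is an added example (not from the post, the commenters, or the Websense briefing) of the detection side of that problem. It reads proxy log lines in a constructed "epoch client method url status bytes" layout, groups requests by client and destination host, and flags pairs whose inter-request intervals are nearly constant, which is the signature of a polling bot rather than a human browsing. The hostnames, addresses and timings in the sample are all constructed.

```python
"""Flag HTTP beaconing (regular polling of one host) in proxy logs.

Added example; the log layout and all sample values are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample: one host browsing normally (10.0.0.5) and one host
# fetching the same small resource every ~300 seconds (10.0.0.9).
SAMPLE_LOG = """\
1130000000 10.0.0.5 GET http://news.example.org/index.html 200 48213
1130000007 10.0.0.5 GET http://news.example.org/story/1.html 200 31990
1130000063 10.0.0.5 GET http://cdn.example.net/logo.png 200 9021
1130000300 10.0.0.5 GET http://news.example.org/story/2.html 200 28811
1130000000 10.0.0.9 GET http://updates.example-host.test/check.php?id=7 200 412
1130000300 10.0.0.9 GET http://updates.example-host.test/check.php?id=7 200 415
1130000601 10.0.0.9 GET http://updates.example-host.test/check.php?id=7 200 409
1130000900 10.0.0.9 GET http://updates.example-host.test/check.php?id=7 200 418
1130001200 10.0.0.9 GET http://updates.example-host.test/check.php?id=7 200 411
1130001499 10.0.0.9 GET http://updates.example-host.test/check.php?id=7 200 413
"""


def parse_line(line):
    """Parse one log line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, size = parts
    try:
        return {
            "ts": int(ts),
            "client": client,
            "method": method,
            "host": urlsplit(url).hostname or "",
            "status": int(status),
            "bytes": int(size),
        }
    except ValueError:
        return None


def detect_beacons(log_text, min_requests=5, max_cv=0.15):
    """Return (client, host) pairs that poll at a near-constant interval.

    A pair is reported when it has at least `min_requests` requests and the
    coefficient of variation (stdev / mean) of the gaps between successive
    requests is at most `max_cv`. Human browsing produces bursty, irregular
    gaps; a polling loop produces gaps that cluster tightly around its period.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_pair[(rec["client"], rec["host"])].append(rec)

    findings = []
    for (client, host), recs in by_pair.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])  # log order is not guaranteed
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(recs),
                "period_s": period,
                "cv": cv,
                "avg_bytes": mean(r["bytes"] for r in recs),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['requests']} requests, "
              f"period {f['period_s']:.0f}s, cv {f['cv']:.3f}, "
              f"avg response {f['avg_bytes']:.0f} bytes")
```

The `max_cv` threshold is the tuning knob: a bot that adds random jitter to its sleep spreads the gaps out, so loosening the threshold catches it at the cost of more false positives from auto-refreshing pages and update checkers, which also poll on a fixed schedule and should be handled with an allow-list rather than by raising the bar. Grouping by hostname alone also misses a controller hidden behind a shared host or CDN name; in that case the URL path or the consistently small response size is the better grouping key.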
