Covert Channels and Poor Decisions: The Tale of DNSMessenger

Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection.
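A detection heuristic for the TXT-record channel described above, written as an added example (not Talos's or the malware's code): it runs over a constructed resolver log and flags a client that sends repeated TXT queries with unique, high-entropy subdomains to one zone, which is what a bidirectional DNS C2 beacon looks like from the resolver's side. The log format and thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line: "client qtype qname".
# The 10.0.0.5 entries mimic a TXT-based C2 beacon: every query carries a
# unique, high-entropy subdomain so that no cached answer short-circuits it.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT 3f9a1c7e2b.7d41e0aa93.tunnel.example.net
10.0.0.5 TXT c81b2e4d90.a1f0e3cc71.tunnel.example.net
10.0.0.5 TXT 9e07d2a4bb.5c3e8f1d22.tunnel.example.net
10.0.0.5 TXT 4b6e1f9c03.e2d7a8b415.tunnel.example.net
10.0.0.7 TXT example.com
10.0.0.7 A mail.example.com
""".splitlines()


def shannon_entropy(text):
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))


def split_zone(qname, zone_labels=2):
    """Return (subdomain with dots removed, zone) using the last N labels as zone."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def detect_txt_tunneling(lines, min_queries=3, min_entropy=3.0, min_unique=0.9):
    """Flag (client, zone) pairs whose TXT queries look like an encoded channel."""
    groups = defaultdict(list)
    for line in lines:
        client, qtype, qname = line.split()
        if qtype == "TXT":
            sub, zone = split_zone(qname)
            groups[(client, zone)].append(sub)
    flagged = {}
    for key, subs in groups.items():
        if len(subs) < min_queries:
            continue
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        unique = len(set(subs)) / len(subs)
        if mean_ent >= min_entropy and unique >= min_unique:
            flagged[key] = {"txt_queries": len(subs),
                            "mean_entropy": round(mean_ent, 2),
                            "unique_ratio": unique}
    return flagged
```

The single TXT query from 10.0.0.7 is ignored by the volume threshold; tune `min_queries` to the beacon interval and log window you actually collect.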

SAN DIEGO – Shh! you may want to turn down your television set because Alexa the internet-connected home assistant device may be listening. The Amazon Echo system which does everything from getting your weather report to ordering more laundry detergent can also do some things you don't want it to.


Siege Release: 4.0.2

Well, your Linux distributors should be happy now. For years they’ve been bugging Your JoeDog to eliminate his convenience library. Linux distributors don’t like convenience libraries, which is odd because they’re very convenient. With this release, we move that code from lib/joedog into src.

Valery Levental fixed and improved issues involving the data URI scheme, chunked transfers and zero-length content.

Danylo Hlynskyi improved the man page documentation.

[SIEGE: 4.0.2]

Test Connectivity To An AJP Server With AJPing

Your JoeDog is pleased to announce a new utility for your fun and games. This is a full-featured version of a perl script we wrote and which is now implemented in C. Introducing AJPing.

This program began life as a snippet which should pave the way for Apache JServ Protocol (AJP) support for siege. Since it’s very useful for checking connectivity and/or measuring the health of a servlet engine, we decided to release it as a fully functional utility.

AJPing supports both IPv4 (default) and IPv6. You can invoke the latter with a command line switch. Let’s take a look at this puppy in action, mmmkay?

Bully $ ajping -i6 -r5 ajp://ip6-localhost:8009/
--- ajping v1.0.1 to ip6-localhost:8009 ---
5 bytes from ip6-localhost (::1): seq=1 time=979 ms
5 bytes from ip6-localhost (::1): seq=2 time=257 ms
5 bytes from ip6-localhost (::1): seq=3 time=199 ms
5 bytes from ip6-localhost (::1): seq=4 time=235 ms
5 bytes from ip6-localhost (::1): seq=5 time=239 ms

--- ip6-localhost:8009 ajping statistics ---
5 packets sent, 5 received, 0% packet loss, time: 1909 ms
rtt min/avg/max = 199/381/979 ms

The first thing you’ll notice is the output looks a lot like ping. That was by design. AJPing sends and receives 5 byte packets and measures the round trip time in milliseconds. When the run is complete, it summarizes the transaction stats in the statistics section of the output.
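A minimal AJP health check of the same kind, as an added example in Python (not AJPing's own C source): it sends the five-byte AJP13 CPing frame, checks for the five-byte CPong reply, times the round trip and summarizes min/avg/max the way the statistics section does. The host, port and timeout values are assumptions; pass `socket.AF_INET6` for the equivalent of `-i6`.

```python
import socket
import time

# AJP13 CPing request: magic 0x1234, payload length 1, type 10 (CPING).
CPING = b"\x12\x34\x00\x01\x0a"
# Expected CPong reply: magic "AB", payload length 1, type 9 (CPONG).
CPONG = b"AB\x00\x01\x09"


def is_cpong(reply):
    """True only for a well-formed 5-byte CPong frame."""
    return reply == CPONG


def ajping_once(host, port=8009, timeout=2.0, family=socket.AF_INET):
    """Send one CPing; return the round trip in ms, or None if no CPong came back."""
    addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0]
    with socket.socket(addr[0], addr[1], addr[2]) as sock:
        sock.settimeout(timeout)
        sock.connect(addr[4])
        started = time.monotonic()
        sock.sendall(CPING)
        try:
            reply = sock.recv(len(CPONG))
        except socket.timeout:
            return None
        elapsed_ms = (time.monotonic() - started) * 1000
    return elapsed_ms if is_cpong(reply) else None


def summarize(rtts_ms):
    """min/avg/max in whole milliseconds, matching the ping-style statistics line."""
    if not rtts_ms:
        return None
    rtts = [int(r) for r in rtts_ms]
    return min(rtts), sum(rtts) // len(rtts), max(rtts)


def ajping(host, port=8009, count=5, family=socket.AF_INET):
    """Run count pings, print ping-style lines and return the summary tuple."""
    rtts = []
    for seq in range(1, count + 1):
        rtt = ajping_once(host, port, family=family)
        if rtt is None:
            print(f"seq={seq}: no CPong within timeout")
            continue
        print(f"{len(CPONG)} bytes from {host}: seq={seq} time={int(rtt)} ms")
        rtts.append(rtt)
    lost = count - len(rtts)
    print(f"{count} packets sent, {len(rtts)} received, {100 * lost // count}% packet loss")
    return summarize(rtts)


if __name__ == "__main__":
    print("rtt min/avg/max =", ajping("localhost"))
```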

[AJPing: Initial Public Release]


Siege 3.1.2

With next to no fanfare Your JoeDog released siege-3.1.2.

Awesome! What’s new? We moved an include directive from one file to another. Exciting! Wait – what?

Basically this means siege-3.1.2 should compile in more environments than siege-3.1.1.

Oh, well that’s something … I guess.

[SIEGE: 3.1.2]

Al Qaeda’s Porn

In 2011, an al Qaeda operative named Maksud Lodin was arrested in Berlin. Among his possessions was a memory card that contained, among other things, a porn video called KickAss. While that may have raised eyebrows — “a religious holy warrior is carrying beat-off material?” — it wasn’t what authorities were after. To them the “good stuff” is actionable intelligence. According to Die Zeit, they found it. Federal police recovered al Qaeda documents that were hidden on the card. Where? They were embedded in the film.

In total, the Germans recovered 141 separate text documents hidden within a .mov file. The discovery confirmed a long-standing hunch that al Qaeda used steganography to hide its information in plain sight. The public was outraged and horrified. “OMG! Al Qaeda is embedding shit inside our porn!!11!1!!”

Your JoeDog was reminded of al Qaeda’s porn when he stumbled across timeshifter. It’s a small utility that lets you embed messages in regular network traffic. How does it work? By modifying the time intervals between packets, @anfractuosus is able to hide messages in plain sight. The system relies on binary encoding. A short delay means 0 and a long delay means 1. By sending messages in this manner, the transmission is unlikely to arouse suspicion.

To implement this system, you’ll need the libnetfilter_queue library and the ability to set iptables rules. All the code is available along with detailed instructions. Check it out.
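The receiving and detecting side of the scheme just described, as an added example (not timeshifter's code): given packet arrival timestamps, it splits the inter-arrival gaps into the short and long cluster, recovers the bit stream (short gap 0, long gap 1), and measures how bimodal the timing is, which is the signature a defender can look for. The captures, the ~0.1 s and ~0.5 s symbol delays and the tolerances are constructed assumptions.

```python
# Constructed packet arrival times in seconds (not a real capture). The gaps
# use a ~0.1 s delay for 0 and a ~0.5 s delay for 1, with a little jitter;
# the 16 gaps spell two ASCII bytes.
COVERT_CAPTURE = [0.000, 0.110, 0.600, 0.700, 0.820, 1.340, 1.430, 1.530, 1.640,
                  1.740, 2.220, 2.730, 2.830, 3.330, 3.440, 3.530, 4.060]
# Constructed ordinary traffic for comparison: gaps spread out, not two clusters.
NORMAL_CAPTURE = [0.0, 0.03, 0.41, 0.52, 0.55, 0.9, 1.7, 1.75, 2.6, 3.0]


def interarrival(times):
    """Gaps between consecutive packet timestamps."""
    return [b - a for a, b in zip(times, times[1:])]


def split_gaps(gaps):
    """Split gaps at the midpoint between the shortest and longest gap."""
    threshold = (min(gaps) + max(gaps)) / 2
    low = [g for g in gaps if g < threshold]
    high = [g for g in gaps if g >= threshold]
    return threshold, low, high


def clustered_fraction(gaps, tol=0.05):
    """Share of gaps within tol of one of the two cluster centers.
    Near 1.0 means the timing is bimodal, the mark of a two-symbol channel."""
    _, low, high = split_gaps(gaps)
    centers = [sum(c) / len(c) for c in (low, high) if c]
    hits = sum(1 for g in gaps if any(abs(g - c) <= tol for c in centers))
    return hits / len(gaps)


def decode_timing(times):
    """Recover hidden bytes: short gap -> 0, long gap -> 1, 8 bits per character."""
    gaps = interarrival(times)
    threshold, _, _ = split_gaps(gaps)
    bits = "".join("1" if g >= threshold else "0" for g in gaps)
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits) - 7, 8))
```

Real links add queueing jitter, so on live traffic the clustered fraction is a score to baseline per flow rather than a yes/no answer.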

[anfractuosity: Timeshifter]

Food Pills and Flying Cars

The future is now and it kind of sucks.

Paul Krugman reminds us of that in today’s column. He takes us back to the 1979 cult classic, The Hitchhiker’s Guide To The Galaxy. In that book, Earth is dismissed as an archaic planet whose life forms “are so amazingly primitive that they still think digital watches are a pretty neat idea.” Yeah, well that was before the technology revolution. Now we have iWatches that remind us to stand when we’ve been sitting too long …. ugh.

So what happened to the future? We were supposed to have flying cars and they gave us 140 characters. We were supposed to have witty housekeeping robots. Instead we’re watching Roombas terrorize the dogs. We were supposed to have food pills but we’re still feeding ourselves. What do you want to eat? I don’t know, what do you want? Why can’t I just take a pill? We have pills for everything else. Can’t get a boner? Here’s your pill. Can’t pay attention? Have a pill. And what is hunger but a medical condition? It’s 2015 and we still haven’t cured that chronic disease.

Well things are looking up, you guys. Silicon Valley entrepreneurs are concocting food shakes to get you through the day. Hunger pangs? Drink this protein pancake batter. It’s not a food pill, but it’s a start. You still have to drink it but the only thing you dirty is a spoon and glass. If you use disposable plastic, clean up is a snap. Gulp, gulp, gulp, toss. Your JoeDog had a protein shake for lunch. Gulp, gulp, gulp, toss. Two hours later, he’s hungry as hell. Stupid science. Where’s my food pill?