
JohnGillnitz t1_j5zdus8 wrote

Once malware gets onto a system it typically tries to contact a Command & Control (C&C) server for the attacker to really get in there and mess with things. The C&C server is usually hard coded into the malware, so if you take that down all the infected hosts that try to connect to it will remain inert. Much of this takes place over Tor traffic, so one of the best things a Network Admin can do is block all Tor traffic. For some reason that isn't a default.

225
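The comment above describes the defender's lever: malware that can only reach its C&C over Tor is inert if the network never lets Tor traffic out. The script below is an added example, not code from any commenter, of what an admin would run over outbound firewall logs to find Tor-bound connections and to answer the post-incident question of whether any of them were allowed. The log format, the internal address ranges and the relay addresses (documentation-range IPs standing in for the relay list a real deployment would pull from the Tor Project's published consensus data) are all constructed here; the port heuristic is labelled weak because Tor bridges and pluggable transports are built to avoid exactly this kind of matching.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for the Tor relay list. A real deployment would pull the
# current relay/exit addresses from the Tor Project's published consensus data.
TOR_RELAY_IPS = {"198.51.100.17", "203.0.113.40", "192.0.2.9"}

# Default Tor ORPort/DirPort values: a weak secondary signal, since relays can
# listen on any port and bridges deliberately do not look like this.
TOR_DEFAULT_PORTS = {9001, 9030}

# The organisation's own address space (constructed). Egress means a flow whose
# source is inside these ranges and whose destination is not.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed firewall log lines: "<ts> <action> <proto> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
2023-01-25T10:02:11Z ALLOW TCP 10.0.5.23:51234 -> 93.184.216.34:443
2023-01-25T10:02:15Z ALLOW TCP 10.0.5.23:51240 -> 198.51.100.17:443
2023-01-25T10:02:19Z DENY  TCP 10.0.5.23:51241 -> 203.0.113.40:9001
2023-01-25T10:03:02Z ALLOW UDP 10.0.7.8:40001 -> 8.8.8.8:53
2023-01-25T10:03:40Z ALLOW TCP 10.0.5.23:51250 -> 192.0.2.9:9030
2023-01-25T10:04:12Z ALLOW TCP 10.0.7.8:40100 -> 198.51.100.200:9001
2023-01-25T10:04:30Z ALLOW TCP 192.0.2.9:9030 -> 10.0.5.23:51250
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    action: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_egress(rec):
    return is_internal(rec["src"]) and not is_internal(rec["dst"])


def triage_egress(log_text, relay_ips=TOR_RELAY_IPS):
    """Return the egress flows that look Tor-bound, strongest signal first."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_egress(rec):
            continue
        if rec["dst"] in relay_ips:
            reason = "destination is a known Tor relay"
        elif rec["dport"] in TOR_DEFAULT_PORTS:
            reason = "destination port is a default Tor ORPort/DirPort (weak signal)"
        else:
            continue
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"],
                                rec["dport"], rec["action"], reason))
    return findings


def summarize(findings):
    """Allowed vs denied Tor-bound attempts per internal host: the count an
    admin checks after an incident to confirm nothing actually got out."""
    summary = {}
    for f in findings:
        per_host = summary.setdefault(f.src, {"ALLOW": 0, "DENY": 0})
        per_host[f.action] += 1
    return summary


if __name__ == "__main__":
    found = triage_egress(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.action:5} {f.src} -> {f.dst}:{f.dport}  ({f.reason})")
    print(summarize(found))
```

In the constructed log, two relay connections from 10.0.5.23 were allowed, which is exactly the state this thread says an egress rule should prevent; the last line is skipped because its source is not internal, so a reply flow is never miscounted as an outbound attempt.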

HamOfWisdom t1_j5zhk70 wrote

I remember reading a story about how a hacker who made a banking virus later ended up solving a massive ransomware attack by simply obtaining the domain and routing it back to oblivion, essentially.

Probably skimming over a lot but it was a pretty interesting story. I think the channel Disrupttv (or maybe just disrupt) was who posted it. Fun watch, I'll find a link once I'm not at work!

69

arnielsAdumbration t1_j5znkdw wrote

60

ferrusmannusbannus t1_j63tnbn wrote

Damn, glad this kid didn’t get completely screwed. I remember those early hackforums days and people used to do wiiiiiiild shit on there.

5

Noocawe t1_j63yoso wrote

That's a great read, I had never even heard of this guy before. Thanks for sharing.

3

E_D_D_R_W t1_j5zxxv3 wrote

If the other commenter is correct and you're thinking about WannaCry, that's kind of the gist of it. The malware was hard-coded to only do its thing if it couldn't connect to a particular (previously unregistered) DNS domain. Thus registering that domain "triggered" the kill-switch and stopped any future infections of that version of WannaCry. Per Wikipedia, later versions didn't have that vulnerability.

43

L00pback t1_j606gpu wrote

Oh god I hated wannacry. Self-replicating shit was a pain in the ass because lab owners don’t patch shit.

18

pegothejerk t1_j5zib92 wrote

Those websites are rarely run on the servers the malware points to, you'd have to be too stupid to write malware to point the drones to the same servers your public face was presented on for exactly this reason. It's the first thing feds can legally and technically take down.

19

JohnGillnitz t1_j5zjy46 wrote

I would guess that is what they actually mean when they say web site. It's pretty easy to find what IP address or domain they are going to from an infected host. They just don't go into that much detail in the article. One would hope. If it is just a web site, you are right. Taking it down wouldn't stop the malware and would be more of a badge of honor for the attacker.

15

[deleted] t1_j601132 wrote

[deleted]

8

dakotahawkins t1_j61jzaq wrote

AFAIK network admins are probably MITM-ing https traffic. I’ve looked into doing it at my house because you’d have to in order to set up a network-wide adblocker, but businesses do it because reasons. If they can’t MITM tor or similar, they could still use their MITM system to block unrecognized encrypted traffic, probably.

2

justmy2loonies t1_j62ablr wrote

You don’t have to MITM to ad-block. DNS filtering isn’t exactly MITM.

6

dakotahawkins t1_j65eub5 wrote

Sorry for the delayed response.

Sure, but it's nowhere near as thorough. Some ads are served by domains you probably wouldn't want to blacklist, and otherwise you may want to block specific page elements like your in-browser adblocker does (or should).

If you MITM your own traffic you can do that kind of matching to block individual requests. Does that make sense? I had a raspberry pi running pihole for quite a while and when something broke with it I just gave up on it as I didn't feel it was buying me that much.

1
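Three comments above turn on what a resolver can and cannot decide: the WannaCry comment (a domain that must resolve for the kill-switch check to pass), and the exchange on DNS filtering versus MITM (a name-level blocklist cannot see the path of a request served by a domain you want to keep). The following added example, written for this thread and not taken from any commenter or product, puts both decisions side by side. All names are constructed under the reserved .test TLD, `killswitch-placeholder.test` is a placeholder rather than any real kill-switch domain, and the sinkhole answer `0.0.0.0` is just the conventional non-routable address.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

SINKHOLE_IP = "0.0.0.0"  # non-routable answer returned for blocked names


@dataclass
class DnsPolicy:
    """Filtering decisions that can be made from the query name alone."""
    blocklist: set   # a name here blocks it and every subdomain of it
    overrides: dict  # name -> fixed answer, e.g. an internal host for a kill-switch domain

    def decide(self, qname):
        name = qname.rstrip(".").lower()
        labels = name.split(".")
        # Walk from the full name up through its parents so that
        # "img.ads.example.test" is matched by a rule for "ads.example.test".
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.overrides:
                return ("override", self.overrides[suffix])
            if suffix in self.blocklist:
                return ("sinkhole", SINKHOLE_IP)
        return ("forward", None)


@dataclass
class RequestPolicy:
    """Decisions that need the full URL. A resolver never sees the path, so
    these can only be enforced by a proxy that sees the request (for HTTPS,
    that means TLS interception) or by a filter running inside the browser."""
    blocked_paths: dict  # host -> tuple of path prefixes to block

    def decide(self, url):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        for prefix in self.blocked_paths.get(host, ()):
            if parts.path.startswith(prefix):
                return "block"
        return "allow"


# Constructed rules. The kill-switch name is a placeholder, not a real domain.
DNS_POLICY = DnsPolicy(
    blocklist={"ads.example.test", "tracker.test"},
    overrides={"killswitch-placeholder.test": "10.0.0.50"},
)
REQUEST_POLICY = RequestPolicy(blocked_paths={"cdn.example.test": ("/ads/",)})


def compare(url, dns_policy=DNS_POLICY, request_policy=REQUEST_POLICY):
    """Return (dns_verdict, request_verdict) for one URL. The interesting case
    is ("forward", "block"): a request the proxy would stop but DNS cannot."""
    host = urlsplit(url).hostname or ""
    return dns_policy.decide(host)[0], request_policy.decide(url)


def triage_queries(qnames, dns_policy=DNS_POLICY):
    """Apply the DNS policy to a batch of query names, e.g. from a resolver log."""
    return {q: dns_policy.decide(q) for q in qnames}


if __name__ == "__main__":
    # Constructed resolver log.
    queries = ["img.ads.example.test.", "www.example.test",
               "a.b.tracker.test", "KILLSWITCH-PLACEHOLDER.test"]
    for q, verdict in triage_queries(queries).items():
        print(f"{q:32} -> {verdict}")
    for url in ("https://cdn.example.test/ads/banner.js",
                "https://cdn.example.test/app.js"):
        print(url, compare(url))
```

The override branch is the kill-switch case: inside an isolated network, answering that name locally lets the malware's connectivity check succeed without any packet leaving the site. The `compare` function is the ad-blocking point from the thread: `cdn.example.test` is not on the blocklist, so DNS forwards every query for it, and only something that sees `/ads/banner.js` in the request can block that one element.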

wasdninja t1_j6021k7 wrote

> For some reason that isn't a default.

Tor exists for the sole reason of not being easy to block. That might just be a reason.

8

L00pback t1_j6064kf wrote

Everyone worries about ingress traffic rules and never egress. A good network admin controls both for just this reason.

7

JohnGillnitz t1_j60dkod wrote

Yup. One of my clients got hit a couple of years ago. Nasty. We had all the security boxes checked at the time, but it got in anyway. Encrypted everything, which was the bad news. The good news is that we could check the router logs and confirm that none of the data had been exfiltrated. All attempts were blocked because Tor was blocked.
That sucked, but we were able to recover everything from offline backups. Even the delta from them was recovered when a decryption tool became available a couple of months later. We didn't have to go out and get a credit monitoring service for the entire customer base, which would have bankrupted the place.

16

Stinkyclamjuice15 t1_j61z4rp wrote

Thank you for having a huge pair and working infosec, that shit seems really stressful king

7

Xivvx t1_j602sye wrote

If it isn't normal, it should be. I know everything is going all zero trust and all that, but the perimeter is still important.

2

xCryptoPandax t1_j62m2ik wrote

That’s highly inaccurate, idk why that’s gotten so many upvotes.

Most malware uses sketchy top-level domains (e.g. .xyz, .makeup, .me, etc.), not to mention most ransomware gangs compromise legitimate sites and host malware on them in order to bypass new domain creation and add that level of legitimacy.

One indicator for a ransomware gang which I think is actually this one was official government sites of Texas after they themselves were victims of ransomware.

Source: I work Incident Response

2

JohnGillnitz t1_j62vyqs wrote

I'm not sure how what I said was any different from what you said. No matter if they use an IP address or domain, those C&C servers are still set at the time of deployment. One of the first things they do is phone home (or homes) and get an updated list of C&C servers. That still leaves them dependent on reaching a limited number of sites that can be shut down, effectively killing that variant of the malware.
Do you live in Corpus and drive a Tesla? We may have met.
Edit: The CISA notice with the deets: https://www.cisa.gov/uscert/ncas/alerts/aa22-321a

2