OpenRCE_adityaks
December 4th, 2007, 13:00
Concept Driven:
This post is a composite response to the post written on designing RDP botnets. The point raised there is very generic and nicely stated. The explanation works in a subtle manner if you are able to bypass certain reliability factors of the RDP protocol. Opening a process to look for specific functions works very well, but building RDP botnets by searching is not as easy as stated. A practical illustration of why this cannot be accomplished in one step follows. Certain reasons have to be looked at carefully, and they are collectively stated as:
1. Because of SEO (Search Engine Optimization), queries are heavily filtered. Stringent filters have been applied to path-based queries involving characters like "/\". This was treated as a problem because Google previously let metacharacters through, allowing rogue queries to display false results that included even malware-related material. For more details:
Google Metacharacter Spamdexing Bug ("http://www.secniche.org/papers/GoogleMetaCBug.pdf")
The Cognitive Cause of Metacharacter Bug ("http://www.secniche.org/papers/Cognitive_Cause_MetaC_Spam_Bug.pdf")
This problem of searching for specific text is clearly explained in the documents provided above.
2. Searching Local Area Networks with simple scanning methods is quite easy, but finding that many targets at remote positions is not feasible as such, because the randomization factor is very high. Centralising RDP targets is a tough task. Even the honeypot analyses of botnets show that they usually compromise organizational networks or small public networks with weak Windows machines. For more details you can check:
http://www.honeynet.org/papers/bots/
If the reader goes through this document, the most exploited ports are listed there. Port 3389 (Remote Desktop Connection) has not yet been added or identified as a significant threat in botnet design.
3. Most botnets rely on certain kinds of worms that further exploit Windows functionality. Penetrating networks is mostly a hard-headed process, and bot developers take everything into consideration when exploiting persistent vulnerabilities. Remote command and control is also feasible only if interconnection between the different nodes persists, by exploiting network components. RDP is remotely driven in itself, but certain network factors matter: authentication, user access rights, privileges, whether the RDP port is in an open state, and so on. Bringing all these factors together is a very hard process.
4. The malware's properties in the system state, i.e. local subsystem versus remote type, matter. RDP backward access is not so specific that you can simply walk along a path to find certain things. Most of the time, when a remote client connects, a window subsystem is started as a subsystem process, resulting in the remote desktop client. So the complexities in RDP as such are much greater, and traversing a large number of web servers and systems is not easy when the search is specific to the RDP issue.
GOOGLE DORKING: MALWARE RESPONSE
Let's look at practical proof of searching for web targets. Bypassing Google's filters is not as easy as rightly stated above. Take, for example, searching for path-based strings:
1. "\\tsclient\C\DOCUME~1\Owner\LOCALS~1\Temp\_TS7.tmp\_TS1.tmp"
2. "\LOCALS~1\Temp\_TS7.tmp\_TS1.tmp"
3. "\C\DOCUME~1\Owner\LOCALS~1\Temp\"
Let's see what the intelligent search engine, Google, says:
http://www.secniche.org/goog_error.gif
So searching in a reliable way is not always possible. Search engines are now much more advanced and can detect virus-prone signatures and specific path searches against web servers. This settles one of the points.
The Real State:
The issue relates to security. But not every issue presented in this way can be exploited as stringently as its repercussions suggest. No doubt the issue is of great concern, as ports 139, 445 and 3389 are some of the finest ports for system compromise from a user-centric point of view. Still, the design of RDP botnets as such is not so specific, and its practical applicability is not so easy to accomplish.
Your views are welcome for a more detailed discussion of this.
Regards
0kn0ck
http://www.secniche.org
https://www.openrce.org/blog/view/983/RDP_Botnets_:_Malware_Google_Dorking_-_Not_an_Easy_Task