[Discussion] Just one question

Will Metcalf william.metcalf at gmail.com
Fri Mar 20 16:50:04 UTC 2009


Yeah, I think there was malware in the wild last year that used BITS...
This guy published a PoC, I believe, that uses BITS to pull down an
exe from his site...

http://reconstructer.org/code/bitscode.zip

Regards,

Will

On Fri, Mar 20, 2009 at 5:56 AM, Seth Hall <hall.692 at osu.edu> wrote:
>
> On Mar 20, 2009, at 12:55 AM, Will Metcalf wrote:
>
>> Oops, sorry, I had Content-Disposition on the brain today.  I meant range
>> requests. So, for example, malware X gets installed outside of your
>> environment and a user brings it back into your environment.  Twice a
>> day malware X checks for a new copy of itself, but to avoid detection
>> by inline AVs and something like the MD5 hash checks you speak of, it
>> pulls pieces of itself using range requests, almost like a download
>> manager. How/can you deal with content reconstruction across multiple
>> TCP sessions?  I know inline AV scanners for the most part can't
>> properly deal with this; I was just wondering if Bro could.  Hopefully
>> that makes sense, I'm pretty sleepy at this point.... ;-)
>
>
> Hah, that would be pretty sneaky.  Is there any malware that does this?
>
> What's nice about Bro is that you can always modify your script to account
> for strange situations like this.  I think I might write a script soon to see
> how common range requests are.  What this scenario does make difficult is
> that it makes it harder to even identify that it's a Windows executable, but
> I suppose they'd have to download the beginning of the file eventually
> anyway, so you'd see one chunk of it matching as a Windows executable.  The
> easy hack we could do is kick off a download of the file once we notice a
> range request for an executable file.  Bro will then have an opportunity to
> see the full file.
>
> Thanks for the question, that had never even crossed my mind. :)
>
>  .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721
>
>
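The reconstruction problem Will raises above (pieces of one file fetched by
range requests over separate TCP sessions) and the detection idea Seth sketches
(you only learn it is a Windows executable once the chunk holding the start of
the file shows up) can both be exercised with a small reassembler. What follows
is an added example written for this editorial pass in Python; it is not a Bro
script, not code from the thread, and not from the Bro project. It assumes the
monitor already parses each 206 response into a record with host, URI, status,
Content-Range header and body (the record shape, the hostname `update.example`
and the URI `/x.bin` are invented for the demo), buffers the ranges per URL
across sessions, and raises an alert as soon as the contiguous prefix it holds
carries an MZ header whose e_lfanew points at a "PE\0\0" signature. Chunks can
arrive in any order and may overlap; until the bytes needed for the check are
present the file stays "undecided" rather than being mistaken for non-PE.

```python
"""Reassemble a range-request download across sessions; flag it once it looks like a PE."""
import re
import struct
from collections import defaultdict

# Content-Range: bytes <first>-<last>/<total or *>
CONTENT_RANGE = re.compile(r"bytes\s+(\d+)-(\d+)/(\d+|\*)")
DOS_HEADER_LEN = 0x40      # "MZ" at offset 0, e_lfanew (offset of "PE\0\0") at 0x3c
MAX_E_LFANEW = 0x10000     # past this we stop waiting for the PE signature


class PartialFile:
    """Bytes of one URL received so far, possibly spread over many TCP sessions."""

    def __init__(self):
        self.total = None              # declared length from Content-Range, if any
        self.buf = bytearray()         # received bytes stored at their true offsets
        self.mask = bytearray()        # 1 where buf[i] has actually been received

    def add(self, start, data, total=None):
        """Merge one chunk; ranges may arrive in any order and may overlap."""
        if total is not None:
            self.total = total
        end = start + len(data)
        if end > len(self.buf):
            self.buf.extend(bytes(end - len(self.buf)))
            self.mask.extend(bytes(end - len(self.mask)))
        self.buf[start:end] = data
        self.mask[start:end] = b"\x01" * len(data)

    def prefix(self, n):
        """First n bytes if every one of them has been received, else None."""
        if len(self.mask) < n or not all(self.mask[:n]):
            return None
        return bytes(self.buf[:n])

    def assembled(self):
        """The whole file once every declared byte is present, else None."""
        return None if self.total is None else self.prefix(self.total)


def classify(pf):
    """'pe', 'not_pe', or 'undecided' (the bytes needed for the check are still missing)."""
    head = pf.prefix(DOS_HEADER_LEN)
    if head is None:
        return "undecided"
    if head[:2] != b"MZ":
        return "not_pe"
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    if e_lfanew > MAX_E_LFANEW:
        return "not_pe"
    head = pf.prefix(e_lfanew + 4)
    if head is None:
        return "undecided"
    return "pe" if head[e_lfanew:e_lfanew + 4] == b"PE\0\0" else "not_pe"


def process(responses):
    """Feed 206 responses (one per session); return (alerts, partial files keyed by URL)."""
    files = defaultdict(PartialFile)
    alerts, flagged, done = [], set(), set()
    for r in responses:
        key = (r["host"], r["uri"])
        m = CONTENT_RANGE.match(r.get("content_range", ""))
        if r["status"] != 206 or m is None:
            continue                   # whole-file downloads are handled elsewhere
        first, last, total = int(m[1]), int(m[2]), m[3]
        body = r["body"]
        if len(body) != last - first + 1:
            alerts.append((key, "content_range_length_mismatch"))
            continue
        pf = files[key]
        pf.add(first, body, None if total == "*" else int(total))
        if key not in flagged and classify(pf) == "pe":
            flagged.add(key)           # fires on whichever chunk completes the header check
            alerts.append((key, "pe_via_range_requests"))
        if key in flagged and key not in done and pf.assembled() is not None:
            done.add(key)              # the full file is now available for scanning
            alerts.append((key, "pe_reassembled"))
    return alerts, files


def build_fake_pe(size=300):
    """Constructed stand-in for an executable: MZ stub whose e_lfanew points at PE\\0\\0."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    return bytes(img)


SAMPLE_FILE = build_fake_pe()

# Constructed traffic: three sessions fetch the same (invented) URL, last piece
# first, the way a download manager would.
SAMPLE_RESPONSES = [
    {"host": "update.example", "uri": "/x.bin", "status": 206,
     "content_range": "bytes 200-299/300", "body": SAMPLE_FILE[200:300]},
    {"host": "update.example", "uri": "/x.bin", "status": 206,
     "content_range": "bytes 100-199/300", "body": SAMPLE_FILE[100:200]},
    {"host": "update.example", "uri": "/x.bin", "status": 206,
     "content_range": "bytes 0-99/300", "body": SAMPLE_FILE[0:100]},
]
```

Running `process(SAMPLE_RESPONSES)` raises nothing after the first two sessions
(the file is still undecided because offset 0 has not been seen) and then both
alerts on the third, at which point `assembled()` returns the whole 300-byte
image for whatever scanner sits behind the monitor. A server that lies in
Content-Range about the chunk length is reported separately rather than
silently merged, since a wrong length would corrupt the reassembled buffer.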


