From: Kevin Noble (knoble at terremark.com)
Date: Wed Aug 26 2009 - 08:02:17 CDT
I tend to overclock on some of Dave's teaser comments, so I will post what has come to mind.
A persistent presence with a low probability of detection and a low probability of eradication is achieved by subverting hardware and out-of-band communication. I think of the condition as 'relative superiority', as all attacks (that I know of) are temporary in nature. At some point, entrenching makes the attacker switch to defender, and only the dormant can really be non-temporary (think of human virus carriers). Many have spoken of subverting firmware as a means to resiliency, but these are all but single methods of persistence.
No one or two techniques give an attacker 'permanent residence' status; only the methodical entrenchment of getting enough information that you could run the place in the absence of the IT staff will allow one to remain. It is the dedication to becoming intimate with an organization that is so effective.
One of the more interesting techniques demonstrated by Rich Smith at Immunity was frequent overwrites of byte code, or even wiping of byte code in memory, leaving only the stub to inject the next byte code. On the chance of detection, the byte code does not reveal past presence or overall intent (not in itself). He explained this as just one disciplined technique among many.
I can imagine an attacker exposing some systems with routine malware just to test an incident response and build up an 'immunity' (heh) to exposure. I don't pretend to be pulling back the curtain on the topic, but I find the concept intriguing.
Knoble
Terremark.com
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave