Feb 19 2008

Shmoocon 2008

Published by at 2:19 pm under Chinese Malware

I spent the weekend in DC at the Shmoocon hacker annual.  It was a lot of fun and a great learning opportunity.  Simple Nomad made an historical reference to a Chinese trojan that a lot of people probably aren’t aware of or don’t remember. wikipedia_trojan_horseIn October of 2000, Microsoft’s internal security staff detected account passwords being sent to a Russian email address.  The investigation later revealed that an internal machine had been compromised by a Chinese trojan called QAZ.  The trojan gave remote access to the attacker who may have been able to retrieve the source code for some Microsoft products.  Network forensic information also indicated that the infected machine sent a notification to a remote server in Asia.Most of the articles indicate that an internal Microsoft computer recieved the QAZ trojan as an email attachment.  Later reports indicated that Microsoft thought a remote attacker may have used a Microsoft employee’s home computer.  The later makes much more sense.Simple Nomad suggested that someone just scanned home computer networks located in the Redmond area and compromised one or more until he was able to get access to a user with VPN access to Microsoft.  This makes a lot of sense because the QAZ trojan listens on a high-numbered TCP port which wouldn’t have been permitted through Microsoft’s perimeter. Also, if PAT/NAT was used, another firewall rule would have been required to redirect the traffic from a public address to the private address.  An attacker could have routed through a home-user’s VPN connection if the VPN permitted split-tunneling.The attacker could have just as easily spammed Redmond-specific email lists rather than scanning for vulnerabilities directly.If anyone has any details that were not widely covered in the media, let me know.

3 responses so far

3 Responses to “Shmoocon 2008”

  1. anon e mouseon 20 Feb 2008 at 9:59 am

    Glad to hear you had a good time – would have been nice to have met you and shook your hand. I can’t remember the last time I was so impressed with the content of a infosec blog, especially one focusing on the 8th layer and not just re-hashing bugtraq.

    Are you local to the DC area? Do you happen to attend of the local security groups?

  2. jumperon 20 Feb 2008 at 10:45 am

    Thanks for your kind remarks. Heike deserves the bulk of the credit considering he has about 100 posts on me. And he wrote the book entirely on his own.

    I’ve published an infosec book but my mother bought all of the available copies so I don’t bother posting about it here.

    Neither of us are local to the DC area. I’ll be at Defcon XVI this year though. Are you planning on going?

  3. anon e mouseon 20 Feb 2008 at 11:02 am

    Defcon’s fun, but the travel and expense involved means it’s up in the air for me. HOPE (hope.net) in NYC will probably be easier for me to justify.

    Keep up the good work!