Single Stage Attacks?

Greetings All,

Typically, network based attacks have multiple stages (reconnaissance, infection, download rootkit, call home, further infection etc). Some attacks may have a single stage (without reconnaissance) to compromise a host. However, even those attacks have a post-compromise stage, such as call home or transfer/steal data or something else. Otherwise, what's the motivation for compromising in the first place?

Can someone enlighten me if there are attacks that only have a single stage? Examples or scenarios are much appreciated.

Thanks
Re: Single Stage Attacks?

2009/5/17 snort user <snort.user@...>:
> Greetings All,
>
> Typically, network based attacks have multiple stages.
> (reconnaissance, infection, download rootkit, call home, further infection etc)
>
> Some attacks may have a single stage (without reconnaissance) to
> compromise a host.
> However, even those attacks have a post-compromise stage, such as call home
> or transfer/steal data or something else.
> Otherwise, what's the motivation for compromising in the first place?
>
> Can someone enlighten me if there are attacks that only have a single stage?
> Examples or scenarios is much appreciated.

SQL Slammer. (stage 2 - if there was one - was just stage 1, but outgoing instead of incoming, so not really separate in my opinion)

cheers,
Jamie
--
Jamie Riden / jamesr@... / jamie@...
http://www.ukhoneynet.org/members/jamie/
Re: Single Stage Attacks?

snort user wrote:
> Greetings All,
>
> Typically, network based attacks have multiple stages.
> (reconnaissance, infection, download rootkit, call home, further infection etc)
>
> Some attacks may have a single stage (without reconnaissance) to
> compromise a host.
> However, even those attacks have a post-compromise stage, such as call home
> or transfer/steal data or something else.
> Otherwise, what's the motivation for compromising in the first place?
>
> Can someone enlighten me if there are attacks that only have a single stage?
> Examples or scenarios is much appreciated.
>
> Thanks

to spray discord would fit the bill IMHO. Take any that does privilege escalation on mail or webservers coupled with worm tendencies. Then simply gets the type of daemon and attacks accordingly. Most often it will get enough information to wreak havoc by the way the daemons respond. That is all.

Best Regards,
dreamwvr@...

ps - sure you could consider this a multi level attack if you want to.
Re: Single Stage Attacks?

Most attacks at the moment are server -> client, rather than client -> server (the wide deployment of firewalls, packet filtering rules, network segmentation has rendered the latter unprofitable). The typical sequence is the victim stumbles onto a malicious webpage (often an ad) and then is taken via a chain of iframes or similar to an exploit server which delivers the exploit (currently the vast bulk of attacks on the wire are via malicious PDF and secondarily SWF - Adobe is it apparently). The exploit shellcode then goes and fetches a dropper executable, which may in turn fetch more. Then there is generally some kind of callback protocol for command and control of the bot according to whatever the business model of the campaign is. In targeted attacks, this scenario may be preceded by tempting emails etc, to get a particular victim to go to a designated attack point (rather than just culling random victims from the herd).

I have seen recent attacks as simple as a single bad PDF or SWF with no precursor at all other than the normal operation of the ad delivery ecosystem, and then the download of a single exe and no immediate callback. I have not seen a recent example in the wild in which the payload was integrated into the exploit shellcode (there's obviously no real barrier to doing this other than administrative convenience for the attackers).

Stuart Staniford
Chief Scientist, FireEye

On May 16, 2009, at 11:39 PM, snort user wrote:
> Greetings All,
>
> Typically, network based attacks have multiple stages.
> (reconnaissance, infection, download rootkit, call home, further
> infection etc)
>
> Some attacks may have a single stage (without reconnaissance) to
> compromise a host.
> However, even those attacks have a post-compromise stage, such as
> call home
> or transfer/steal data or something else.
> Otherwise, what's the motivation for compromising in the first place?
>
> Can someone enlighten me if there are attacks that only have a
> single stage?
> Examples or scenarios is much appreciated.
>
> Thanks
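As an added illustration of the staged sequence Staniford describes (exploit delivery, dropper fetch, callback), and not code from any poster in this thread, here is a small Python correlator that groups constructed web-proxy log lines per client host into those stages and reports how many an analyst actually observed. The log format, domains and content-type heuristics are assumptions made for the example.

```python
"""Correlate per-host proxy events into the attack stages discussed in the
thread, so a detected infection can be labelled single- or multi-stage."""
import re
from collections import defaultdict

# Constructed sample proxy log: time, client, method, url, response content-type.
SAMPLE_LOG = """\
09:00:01 10.0.0.5 GET http://ads.example/banner.js text/javascript
09:00:02 10.0.0.5 GET http://exploit.example/x.pdf application/pdf
09:00:09 10.0.0.5 GET http://drop.example/update.exe application/x-msdownload
09:01:30 10.0.0.5 POST http://cnc.example/gate.php text/plain
09:05:00 10.0.0.7 GET http://exploit.example/y.swf application/x-shockwave-flash
09:05:07 10.0.0.7 GET http://drop.example/a.exe application/x-msdownload
09:10:00 10.0.0.9 GET http://news.example/index.html text/html
09:12:00 10.0.0.11 GET http://exploit.example/z.pdf application/pdf
"""

LINE = re.compile(r"(\S+) (\S+) (GET|POST) (\S+) (\S+)")

def classify(method, url, ctype):
    """Map one request to a stage (assumed heuristics: in real traffic PDF/SWF
    fetches need a content-based verdict, not just a content-type match)."""
    if ctype in ("application/pdf", "application/x-shockwave-flash"):
        return "exploit_delivery"
    if ctype == "application/x-msdownload" or url.lower().endswith(".exe"):
        return "dropper_fetch"
    if method == "POST":
        return "callback"
    return None

def stages_per_host(log):
    """Return {host: [stages in first-seen order]} for hosts with any stage."""
    seen = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _ts, host, method, url, ctype = m.groups()
        stage = classify(method, url, ctype)
        if stage and stage not in seen[host]:
            seen[host].append(stage)
    return dict(seen)

def describe(stages):
    """Label a host's stage list the way the thread frames it."""
    if not stages:
        return "benign"
    if "exploit_delivery" not in stages:
        return "incomplete"  # later stages seen without the initial exploit
    return "single-stage" if len(stages) == 1 else "multi-stage (%d stages)" % len(stages)

if __name__ == "__main__":
    for host, stages in stages_per_host(SAMPLE_LOG).items():
        print(host, describe(stages), stages)
```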