It’s nice to see a good application of concepts to an example that keeps your attention.
Sherri Davidoff has a nice post over at LMG Security blog on her look into a press release from RSA. In that post she applies the basics that information security professionals apply, and shares what the bits and pieces mean.
As you can see, even a tiny snippet of a pcap can reveal a lot! From just a few bits and bytes, we’ve learned that RSA’s investigator was probably using Windows XP on a VMWare guest, which was assigned the IP address 192.168.0.106. The local router had a network card likely manufactured by 2Wire. We’ve also seen firsthand that the C2 channel traffic, which was masquerading as “HTTPS,” was running over port 80, and confirmed the gh0st RAT’s destination.
If you take a minute or three to peruse the blog post you’ll see a nice show of basic traffic reading – Sherri details the places she finds the information, highlights the reason behind her pronouncements, and generally made a semester of InfoSec learning seem as if it stuck, all in the matter of a few minutes. A hearty thanks for that!