Saturday, November 24, 2012

Concealing Data Exfiltration with YouTube or Facebook

You've probably already read about Backdoor.Makadocs, which uses Google Docs or Google Drive as a command-and-control (C&C) server. This made quite a big stir last week; unfortunately, it isn't a new trick. ACAD/Medre.A, created for the mass exfiltration of AutoCAD files, is an earlier example of the same idea. I'm sure there are many others too.

The use of legitimate sites like Google Docs, Facebook and YouTube seems the obvious choice for attackers wanting to exfiltrate data. The benefit, of course, is the lack of IoCs from a network perspective: could you tell the difference between someone watching a 30-minute clip and someone exfiltrating *.{doc,xls,dwg} files to YouTube or Facebook over SSL? There are already tools available to hide TrueCrypt volumes in MP4s. Why not use YouTube or Facebook to exfiltrate data? I haven't read about any incidents involving this yet, but it's coming.
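One network-side tell that survives SSL is direction: watching a clip is download-heavy, while pushing files up to a video or social site is upload-heavy. The following is an added example (not from the original post) that runs a byte-ratio check over a constructed proxy/flow log; the log format, the SNI field and the thresholds are assumptions and would need to be tuned against your own baseline.

```python
import csv
from io import StringIO

# Constructed proxy/flow log (sample data, not real traffic). One line per
# TLS session to a video/social site. bytes_out is client -> server.
SAMPLE_LOG = """\
ts,src_ip,sni,duration_s,bytes_out,bytes_in
2012-11-24T09:00:00,10.0.0.12,www.youtube.com,1800,210000,415000000
2012-11-24T09:10:00,10.0.0.31,www.facebook.com,420,90000,6200000
2012-11-24T09:15:00,10.0.0.57,upload.youtube.com,1750,398000000,2100000
2012-11-24T10:02:00,10.0.0.57,www.facebook.com,600,52000000,900000
2012-11-24T10:30:00,10.0.0.88,www.youtube.com,95,15000,80000000
"""

# Domains whose normal traffic profile is download-heavy (assumed list).
WATCHED_SUFFIXES = ("youtube.com", "facebook.com", "googlevideo.com")

def is_watched(sni: str) -> bool:
    """True if the TLS SNI is one of the watched sites or a subdomain of one."""
    return any(sni == s or sni.endswith("." + s) for s in WATCHED_SUFFIXES)

def flag_upload_heavy(log_text, min_out_bytes=20_000_000, min_ratio=5.0):
    """Return sessions to watched sites where the client sent far more than it got.

    A 30-minute clip pulls hundreds of MB down and sends a trickle up; a session
    that pushes tens of MB up with little coming back is a bulk upload worth a look.
    """
    hits = []
    for row in csv.DictReader(StringIO(log_text)):
        if not is_watched(row["sni"]):
            continue
        out_b, in_b = int(row["bytes_out"]), int(row["bytes_in"])
        ratio = out_b / max(in_b, 1)          # avoid divide-by-zero on empty replies
        if out_b >= min_out_bytes and ratio >= min_ratio:
            hits.append({"src_ip": row["src_ip"], "sni": row["sni"],
                         "bytes_out": out_b, "ratio": round(ratio, 1)})
    return hits

def per_host_upload_totals(log_text):
    """Sum upload bytes per internal host to watched sites, for daily baselining."""
    totals = {}
    for row in csv.DictReader(StringIO(log_text)):
        if is_watched(row["sni"]):
            totals[row["src_ip"]] = totals.get(row["src_ip"], 0) + int(row["bytes_out"])
    return totals

if __name__ == "__main__":
    for hit in flag_upload_heavy(SAMPLE_LOG):
        print(hit)
```

Legitimate bulk uploads (someone publishing a video, a backup client) will trip the same rule, so treat hits as a triage queue and pair the per-host totals with a baseline rather than alerting on a single threshold.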

As companies improve their security to detect unwanted software and move to legitimate remote administration programs such as GoToMyPC, the natural path for evildoers is to use those programs as well. Speaking of which, did you know you can control who uses GoToMyPC from your corporate IP space?

"Can I block the unofficial use of GoToMyPC Pro while allowing authorized use?
Yes. Through our free Authorization Management Service (AMS), GoToMyPC Pro will gladly work with you to block selected Internet-visible IPs while still enabling authorized GoToMyPC Pro account access. If you do not currently have a GoToMyPC Pro account but wish to block access by using AMS, please If you are a current GoToMyPC Pro customer, please contact us"
If your company has a policy against using GoToMyPC (and no way to enforce it), you should probably work with Citrix to restrict access. If your company allows it, you should still restrict which accounts are authorized.