HBgary release as it pertains to the oil industry

Discussion in 'Networking and Security' started by wilburbear, Feb 17, 2011.

  1. Need help from all ET tech people.

    Is this anything significant?

    This dude is saying he found several "hupigons" at oil giants Shell, and Baker Hughes. I looked up "hupigon" and it's a secret, backdoor entry into a computer system.

    What's going on here?


    HBGary Email Viewer
    greg@hbgary.com
    Original file: 26865
    Date: Thu, 27 Jan 2011 17:53:02 -0800
    Subject: Sandpit
    Full headers
    -----
    delivered-to: greg@hbgary.com
    received-spf: pass (google.com: domain of Shane_Shook@mcafee.com designates 67.97.80.206 as permitted sender) client-ip=67.97.80.206;
    authentication-results: mx.google.com; spf=pass (google.com: domain of Shane_Shook@mcafee.com designates 67.97.80.206 as permitted sender) smtp.mail=Shane_Shook@mcafee.com
    date: Thu, 27 Jan 2011 17:53:02 -0800
    subject: Sandpit
    thread-topic: Sandpit
    thread-index: Acu+jhkvNeRf5BkPSGSL68k4orjHgw==
    message-id: <381262024ECB3140AF2A78460841A8F703505C1A92@AMERSNCEXMB2.corp.nai.org>
    accept-language: en-US
    content-language: en-US
    acceptlanguage: en-US
    content-type: text/plain; charset="iso-8859-1"
    content-transfer-encoding: quoted-printable
    mime-version: 1.0
    Attachments: This e-mail does not have any attachments.
    Hey Greg, not sure if Stu told you but McAfee set up a sandpit to listen for the trojan from the dyndns addresses we have registered. Ryan wrote a listener service for it.

    I'm transferring the 5 that I know today - cia.selfip.com, bhi.thruhere.net, bakerhughes.thruhere.net, shell.is-a-chef.com, and shell.office-on-the.net

    I'm really interested to learn about the gray pigeon code you have. I've got several hupigon detections at BH and Shell and want to figure out if they are related or coincidental.

    On another note, we now have 3 different versions of the same C&C application (zwshell.exe). 2 of them use the same password; I haven't figured out how to enter the password in the 3rd, though. While our first version is C, the others are Delphi and double the size, though with the same capabilities and GUI. I can send you samples. I really wish I could find the source code for it, or a published version on the net; it looks so familiar, but I can't find where I've seen it before.

    I was thinking I'd come to your office next Friday?

    - Shane


    --------------------------
    Shane D. Shook, PhD
    Principal IR Consultant
    425.891.5281
    Shane.Shook@foundstone.com