Not so long ago a friend of mine came to me saying he suspected his web server was acting as a command and control (C&C) server for some hacker. I took a look, and indeed found the Poison Ivy (PI) C&C app (or, as its author calls it, a “remote administration tool”) installed on the machine. After learning that the network administrator had some pcap files of the network traffic, my friend asked me to find out what the hacker had done with the app on his machine. Unfortunately, PI’s traffic is encrypted, so I asked my friend for the C&C app to see if I could work out how to decrypt the data.
Decrypting Poison Ivy’s Communication Using Code Injection and DLL Proxies