On Thu, Dec 12, 2013 at 5:17 PM, coderman <coderman@gmail.com> wrote:
> ... triggering is active, observable (potentially), and usually re-playable. the only "delivered payloads", ala EGOTISTICAL*/ERRONEOUS*, appear to be for confirmation pinging or identification, and memory resident forensic/exfiltration run locally on the host. even the slides you link to note the OPSEC concerns of "adversarial actors" (i think that's us on this list?)
correction: persistence after reboot also has been stated to be performed, though optional.

per Bruce's write-up[0]:

1. target identified (at endpoint or observable mid-point)
2. QUANTUM INSERT redirect to FoxAcid server
3. FoxAcid picks loader exploit according to: target value, exploit value, target skill, other factors.
4. Loader exploit delivered to target
5. confirm success? if no, abort.
6. With loader active, run two basic first pass payloads:
7. Collect configuration information (apps, registry, settings, etc.)
8. Collect location information
9. Escalate to persistent infection, run arbitrary other plugins, etc.

in any case, this is more consumer endpoint focused. not applicable to embedded VPN/HTTPS devices.

0. Bruce Schneier's attacking Tor article for the Guardian: http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-an...