Cyberwar and attribution

December 31, 2008

One thing I dont understand is why bad guys are’nt smarter.  For example.  Attribution.  If your Chinese government trying to steal US goverment secrets, Why the hell would you use Chinese code and exfil data to Chinese drop sites, and use Chinese hosted malware download locations.  To me thats just stupid.  If I was chinese I would code in Brazilian, and attack from Ghana, exploit from England, and exfil to Australia.  You get the point?  Cyberwar has not crossed the multi-lingual barrier to become cross language enabled and geographically obfuscated.  Geographic Obfuscation and misdirection would be a very interesting area to research  from an attack perspective.  One of the primary tenents in Information Operations is Deception. 

oj_if_i_did_it

I give the current attack community an F for Deception.  At least how its played out in the press.  Its practically obvious the Chinese are hacking the shit out of US on a daily.  And its practially obvious that Russians are in control of RBN out of Saint Petersburg, protected by politically connected powerful parties.  RBN controls the Storm worm and other cybercrime botnets, as well as being some of the best coders around (Reference Rustock). 

NOTE:  NAME THE EFFIN guys behind the Storm worm already, certain parties know who they are but ain’t talkin.  Put up detailed bios of them in the mass media.  I think its pretty sucky that the security community doesnt combine intelligence with Security technology.  There are lines that they draw and dont cross them when you get a much well rounded picture when you are not afraid to amp up a 1000Watt Spotlight on something and expose it to the public. 

Another side note.  Hey security community.  Start posting graphics, code and info on the Backend software and consoles for some of the more powerful botnets like Rustock, Storm, Asprox.  Lets do a Dissection of a C&C for these, and post about it for the research community.   Has anyone found the Builders for any of these?  How about Source code.  I would imagine it can either be stolen, compromised or someone bribed.  Have we fingerprinted where its coded and identified via coding methods how many are involved and tracked identities that way?  Also, There needs to be way way more research on EXPLOITING these botnet binaries.  Not just for monitoring sake.  YOUVE been monitoring for years.  DO something already.  If you can Internationally capture and prosecute then for pete’s sake Run an operation on these guys.  Or maybe this is all one big scam operation get everyone to buy more Security software and purchase Credit monitoring services and insurance.

One example of a botnet being repurposed to massive detrimental effect is Asprox.  They are now P2P/FastFlux and have a automatic SQL injection engine as well as Password stealing capabilities.  I was wondering when botnets where going to adapt to do something other than the same bullshit propagation, spam, and DDOS.  That shits boring. 

Back to Attribution.  If the Chinese and Russians had done things right We would’nt be screaming about them, people would still be scratching their heads and wondering WTF?!   Maybe they are just unsophisticated or lazy, maybe they dont care.   Probably both, Maybe thats why you never hear about American cyberwar attacks.  Either A, we are too scared and dont do it (lawyers got our balls in a cinch) or B we have been doing it all along and are just way way to good to get caught because we do it right.  My vote is on B.  BTW anyone know who ran that operation that Bugged the Greece Prime Minister and trojaned their Erriccson wireless teleco switches to effectively wiretap them for 6 months.  NOW that was a hack.   Only the best do that shit, I havent heard anyone name names but I have a clue.

Enuff about that.  The point is.  If you run an op whatever it is.  but non-atributable bet geographically distributed, or better yet attack from YOUR enemys back yard.  Let him take the heat.

flames1

So is innovation dead in Malware development?  I have been perplexed at the lack of innovation with regards to Internet level hacks/events that have occured over the past years.  I think Money and the crime angle has certainly been a distraction.  Most innovative ideas that Im thinking of have more of an Offensive Cyberwar aspect to them vice  a espionage (read stealth) or infostealing (crime) or propagation (read worm/spam).  If your not following me let me try and explain.  When was the last time you have heard of a really interesting Internet event (by this I mean an event that impacts Large sections of the net) does something totally wack, and has a large impact. 

I would call this as something so unique its a singularity.  They advent of mobile malicious code (IE a worm) I would consider a singularity that changed the whole game.  The advent of the buffer overflow another, the advent of remote control (trojans – Lets hear it for BO woot!) and the advent of P2P decentralized networks, and double fast flux networks, as well as the advent of Software armoring andpolymorphism.  All of these factors dramatically changed the playing field and force everyone else to adapt to new rules of engagement.   But I digress.

death20angel120200

Let me shoot out some memes that I have NOT seen or heard about and ponder why?

Why isn’t there whistleblower malware?  That would be pretty bad ass.  Think of a piece of code that seeds the net with information that is senstive to achieve a certain effect.  Could be a sensitive document, could be a database export.  One piece of malware that did this was Nimda which mailed random documents from your My Documents folder to your entire email list.  Now that was cool.  Businesses failed and people got arrested or divorced over that type of stuff.  Pretty crazy.  The goal of whistleblower malware would be some type of enforcement of social justice.

Ive also wonder about why malware doesnt use database tools to dump databases and post them to P2P networks where they would be rapidly replicated.  Once something goes P2P there is no way to retrieve it.  (Think about celebrity sex vids)  Do you really think Paris Hilton could have put her cooch pix back in the genies bottle once they got out to the net?

I dont advocate stealing of data for destructive effect, In this blub I am just wondering why I have not seen malware that targets Databases more effectively.  Why is it always credit card databases that are stolen and not the Bazzillions of other interesting databases that exist out there with much more important data in them.   One hypothesis is once again the crime angle distraction.  The other is that most hackers are just one technology ponies and couldnt scratch their way around a database even if they tried.    Illustrates how an effective attack organization would have to highly skilled and multi-disciplined to be useful.

Anti Malware Malware

December 31, 2008

So I was thinking of an interesting idea.  Create a target list of all malware and hacker sites.  Take a massive database of MD5 hashed malware, hacking tools, ectera, create a crawler bot that can autopwn sites and then upon detection, Secure Delete or AES 256bit encrypt the files upon detection and then destroy the AES key.  It would be pretty interesting and have massive undetermined effects. You could call it White Friday.  The result would be like a mass cleaning of malware from the net in one big swoop putting them back to the drawing board a bit.   One of the primary reasons for this is that the center of gravity I believe for this type of malware development is very small if actually studied versus the rest of the poser community that just uses the tools and extends or customizes them.  The Malware/hacker site list would ensure that unintended victims are not impacted.  You could also furter refine your targeting.  It would most likely have to be architected as a worm of some sort with a Software as a Service type back end to a MD5 Hash DB.  Or the malware could just AES encrypt all underground sites out there.  NOW that would be interesting.    An AES encryption attack would not be destructive, yet simply TRANSFORM the look of their data (Thats what encryption essentially does)  You could actually embed the SECRET key randomly dispersed somehow into their encrypted files or elsewhere on their systems so that They had the power to unencrypt them if by some infentessimal probability they could find the key.  You could also actually somehow get around legalities by justifying the if the Site accepts user input in any way shape or form you can essentially run the attack and not have any repercussions legally.  But of course this would be a non attributable black OP.

This is to start a thought meme on this until I refine it more later.  Feel free to comment.

I think I will call this the WhiteFriday event horizon.   Im going to add more way out there ideas.

angel

Ultimate Phish

December 31, 2008

So some Dutch guys figured out how to create trusted certificates using that can pose as Ecommerce site certs.  Pretty awesome research.  Shame on the Root CA’s from using MD5 in the first place.  I would suspect that the Browser makers will update or disable the Root CA certs in their browsers for the offenders until such time that they can issue at least Sha-1 based certs.  Pretty awesome research if I do say so myself.  O yea.  The generated the collisions useing a whole room full of PS3 processors.

attack

Mirror, Mirror on the wall..

December 19, 2008

Whose the PWNiest of them all. 

For NUBs edification, most malware is not that advanced.  The secret is to get past all the BS perimeter and host defenses to run yer code.  How do they do it?  Crazy ass to get past all that stuff.  What do I mean, well a derivative of Software “Protection”  add a little poly and metamorphism and you get the picture.  Malware samples Skyrocket, Malware detection Drops through the floor, Identity theft explodes, Botnets proliferate, everyone gets the bejesus scared right out of them. 

O yea, Government , , then spends billions of dollars and Classifies every scrap of information attached to Cyber it can get its hands on, makeing research 10 times more difficult unless you can wait the 10 years plus to get a goddam alienXFiles clearance (read SCI Full Scope Polygraph).

So to the War Weapons that allow all this to happen.  Much malware just haxors existing packer open source code and adds some polymorphism to it.  Adds a slew of anti-dump, anti-analysis, anti-sandbox, , anti-vm, anti-tracking trix, and then bundle/bind all their little nastieness into a package then distrubute based on Massive sql injection attacks if they can seed via lovely 0-day mass exploits like the latest IE7 fiasco.

I will list some of the most difficult tools to generically unpack that are giving .  Obviously malware authors are cheep, like to roll their own protections oblivious to the fact that you can purchase professional shit and get much better output, or just plain dam lazy.  Another take is that its so easy to bypass today’s defenses so why even bother.  Im putting my bets on lazy and easy.

by   some .

themida11

cvprotopt

by and

This thing is awesome, its basically malware running in its own Virtualization Engine.

vmprotect1

 by  and - probably need to run it through babelfish if you cant read Italiano

More protectors to be added later

Maltego Madness

December 19, 2008

Digitial Intelligence is all the RAGE.  Check out from Paterva,  I dont understand everything it does yet but It looks bad ass.  Hows that for .  Download it yerself and see with the as well as their .

Check out a of it in action.

PDF Mundjer Extrodinaire

December 19, 2008

Occasionally I come across excellent blogs and wanted to single this guy out.  He has done alot of PDF exploit research and has a bunch of other awesome tools.  His name is and he is well known for his work on the Javascript analyzer Spider Monkey and XORsearch tool to find encrypted strings in malware.  Check him out you’ll learn a bunch.

Fireeye is badass

December 16, 2008

This group is deep in the trenches attempting to detect and destroy botnets.  They have excellent intel and perform some great analysis.  My only beef is that they had around 450k of bots tied up by awesomely preregistering its fallback domains in conjunction with getting the main RBN-like-in-the-US host provider  and then and now the botnet controllers updated their C&C to servers outside the US (it was predictable).  McColo’s operations are tracked by many but here is a on them.

In my opinon the fact that this host provider hosted 80 percent of the C&C’s of the most prolific spam operations in the world which accounts for 90%+ of traffic, this was a major fuck up for law enforcement and Intelligence.  At least from the open source reporting side.  I only hope that enough intel was gathered prior to the pressure that security researchers placed on McColo’s internet peering providers that resulted in them getting .  These guys where freaking based in SanDiego.  I would expect with the link to child porn, ID theft and the shear amount of bad activities that all their servers and It equipment would be currently Boxed up by the Men in Black for forensics and a sturdy baton curtesies once they get ahold of the owners.  Once again,  we have not gotten to this level yet in our responses nationally so people will continue to suffer.  Already traffic is back to its previous pretakedown levels as predicted. 

SO I will say this again.  MAJOR OPPORTUNITY LOSS<> MAJOR FUCKUP.  try again next time.  I told this to an agent with the cybercrime squad from the Washington Field Office and he gave me a predictable line about “blah blah, how sometimes you dont want to take people down (inferred intelligence reasons)”  But guys Come on this what is called a Center of Gravity in military terms and you had the opportunity to drop a 2000 lb bomb and you let them fly out of jurisdiction like a fart in the wind.  This will be the last iteration before malware bots go full up P2P resilient with robust fallback mechanisms and harder to trace operations.  This will make things 10 x harder. 

Course with the piss ant sentences a botnet controller would get these days it really doesnt matter if they get caught or not. 

Great but misguided efforts by the security community.

Maybe someday Security researchers will have the balls to infiltrate and neuter or destroy these bots in place.  It has not become a main stream security response practice yet but hopefully it will.  Everybody is scared of the gaddamn lawyers but I say fuck  it.  Get a Unattributeable network in place and run a BlackOps operation.  Corrupt the Bots PE header, kill the process so as to keep it from running and move upon your merry way. 

1204715835-1204715806-darkangel1

Post a little message saying Yer ass has just been saved.

They also have Excellent analysis on other beasts such as ,  / , and the  all of which employ tons of anti-analysis and .

Forget about it.  Events like this and other zero days will forever put data at Risk.  Of course Im talking about the new 0-day vulnerability that promises to pwn systems the world over, unless you use another browser such as the excellent and wind up getting pwned by some other exploit.  These are called drive-bys but don’t leave your physical body red and bloody, just your bank account and identity and you sense of personal well being and place in this world.  At least there are some that can rapidly respond with intelligence and sympathy.  Im speaking about the excellent analysis that is available from the researchers at and other organizations who consistently provide the detail for enlightened understanding. 

heap_spray

Here is what they have … on …DruUUUm roll please…  The !  It exploits a library function in IE to exploit XML functionality with a ofuscated Javascript delivered by still more SQL injection attacks.  The actual shell code is pretty awesome and can pwn Vista as well due to the evolution of exploits utilizing techniques instead of typical and rapidly becoming exinct buffer overflows via the stack.  From this point it can deliver to a host system any manner of malware as seen and .

Heh,  I just confirmed that one of our clients got exploited on the 11th/12th which means that its pretty prevalent.  That was like 4 days ago!

already has posted the so its only a matter of time till mass chaos.  At this point Microsoft doesnt have a patch yet.  And has already added a for it in the excellent engine of mass destruction. 

On another note, peeps should be using the as it removes a ton of malware from their systems monthly.  You can it removes here which gives pretty good descriptions of the nastiness out there today.

Excellent Antipacker site

December 16, 2008

F0und a cool little site from a crew called Team Furry that has excellent resources on Packer reverse engineering called .

inv3

Follow

Get every new post delivered to your Inbox.