Private: The True Origins of Malware DNA

February 14, 2011

 Here is the link to my original presentation  

Here are my prior postings on the concept of Malware DNA

Post 1 Post 2 Post 3 Post 4 Post 5 Post 6 Post 7

The rest has been redacted due to a DMCA complaint filed to have the information removed.


We received a valid DMCA Notice ( ) for the following material found on your blog:

If you do not have the legal rights to distribute the file/content/material, you are required to delete the post(s) and let us know when this has been done. The removal will then be verified, and the blog will be returned to normal.

Republishing the content without permission of its copyright holder – or continuing to publish material that results in DMCA notices – will result in a permanent blog suspension. Publishing such material is a direct violation of our Terms of Service ( ).

If you wish to formally challenge this DMCA notice, we will be happy to provide you with the details you need.


> The information has been removed, thanks for your quick response.  If
> possible, could you please set the post to public and reenable my posting
> abilities.

You are now able to access your dashboard and edit the postings as usual.

> Additionally, do I have the right to be given the information on who
> submitted the complaint and the reason for concern?  The content I posted
> was copied from open Internet resources that can be found in multiple
> places.

Yes, you absolutely have that right. Here is the DMCA notice that we received:


> > This law firm represents HBGary, Inc. One of the websites you are hosting,
> >  is
> > being used to distribute confidential trade secrets and copyrighted works that have been misappropriated from HBGary as part of a well-publicized criminal intrusion into their network. The stolen works and trade secrets at issue consist of emails posted as images and a link providing access to a database containing additional stolen email hosted on .
> >
> > In accordance with the DMCA notice requirements, we have a good faith belief that use of the copyrighted materials described above as allegedly infringing is not authorized by the HBGary, its agents, or the law. I swear, under
> > penalty of perjury, that the information in the notification is accurate and that I am authorized to act on behalf of HBGary, Inc., the rightful copyright holder.
> >
> > We trust that Layered Technologies does not support the use of its servers to facilitate misappropriation of trade secrets and copyright infringement and that you are committed to prohibiting this unlawful activity as part of your Terms of Service. Accordingly, we request your assistance in immediately taking down this site and preserving any logs or account information you may have associated with this site. Please let me know as soon as possible once you have received this message. I may be reached at the email address above. Thank you in advance for your prompt cooperation.
> >
> > Sincerely yours,
> >
> > Leota Bates
> >
> > Leota L. Bates
> > Zwillinger Genetski LLP
> > 1705 N. Street, NW
> > Washington, D.C. 20036
> >
> > (202) 706-5209 (direct)
> > (202) 296-3585 (main office)
> >
ATTN: Leota L. Bates

I would like to request that your client substantiate that they have existing and relevant established Prior Art on the concept of Malware DNA, as stated by them, based on their collaborative work with McAfee dating back to 2006.  The recent incidents involving HBGary's loss of intellectual capital, while unfortunate, give credible credence that the aforementioned verbal affirmations that they had established prior work in this field before Sept 2008 remain unsubstantiated and open to considerable doubt, and cloud all previous communications on this subject with suspicion.  I acknowledge that in the field of technical development and research there are legitimate independent parallel discoveries and innovations, and it is this issue I am trying to verify.  Proof of your client's previous work substantiating claims that they indeed worked on the Malware DNA concept, and not some unrelated technical research area in malware, would put these issues to rest.  I respectfully request that your client clear the air on this issue so that they may continue to reconstitute after such a significant data breach.

It is within my right to challenge the assertions made by your client as the SOLE innovator and creator of this technology, when I have concrete knowledge that my research was shared and divulged to his company approximately 30 days before any significant developments in code were made that were integrated as a key component in their flagship product.  The statements by your client that they developed this research completely on their own, without any outside support or funding, contradict what was verbally stated to multiple parties in their communications as well as to outside parties, and conflict with previous statements that this research was developed as a result of a collaborative and possibly funded effort with McAfee.

I look forward to clearing the air on this issue in an open, friendly and timely fashion.

I can certainly provide a timeline of my research and examples if you would like to review them. 


One of the most destabilizing aspects of the HBGary data breach is the sheer number of malware samples, both cybercrime- and APT-related, as well as customer lists.  These customers generally buy products only after getting whacked by APT.  So gleaning through the data, there is a massive victim list, which obviously most everyone knew already; however, the fact that this is public makes it all the worse.  News will be pouring out of this archive for months.

This is a gold mine of cyber intelligence and efforts being developed behind closed doors.

My prediction, some Defense contractor will buy at a fire sale price the IP of the company, its products and hopefully bring its true technical talent into its ranks and get rid of the executives.

Information Bombs

February 14, 2011

Well, as predicted, Anonymous dropped Greg Hoglund’s email spool which contains 27,000 emails.  This will very likely be bad.  This year has witnessed the beginning age of the new cyber weapon, the Information Bomb.  This is a weapon used in a cyber attack to use an enemy’s information against him by piercing the security of communications that most organizations assume they enjoy.

Ironically, Penny and Greg had won over the Anonymous group in their IRC conversations, but somehow managed to piss them off, prompting them to drop the rest of the email, deep sixing what Penny and Greg tried so hard to keep private.  Anonymous also did what they promised and started a Web based email reader interface so the world can “investigate”.

I wish I could channel the voice of that Guy who said the cool shit whenever the Dukes of Hazzard get in deep shit, but for now I think the HBGary dukes are “Retired”.  I hope they have strong drinks in Carmel.


They appear to be coded with a quickness and implemented in PHP.  

Even though the Internet has had many wild and wooly days, I think we reached an interesting tipping point this past year with traditional power structures having power stripped forcibly from their grasp by the ultimate enabler and disruptor of modern times.  The Internet.  Of course this has been studied before so I will be more specific.  The digital destruction of the company HBGary at the hands of a… God I hate this term, hacktivist group, or what should better be known as a hive-mind collective of worldwide individuals that rally around certain ideals and concepts.

The tipping point I am mentioning is that typically the groups protest in many ways, but typically through the technical execution of the problem with no current answer: Distributed Denial of Service (DDoS) attacks.  However recently several targets have been “raided” and the literal lifeblood of their organization, their email, has been absconded with and posted in leak forums, social cloud based posting sites, and in bittorrent feeds.  God help companies that are corrupt or have , or embarrassing personal data, or critically sensitive content that would make or break them…..  They are now running for the hills.

The ability to post something on the Internet and have it picked up and replicated such that it is impossible to retrieve is truly a POWERFUL tool that could be used for good or evil.  Additionally it is a great equalizer, or could be used for false information attacks, or just to sow chaos. 

It could actually be used for good when used judiciously and wisely by releasing Malicious Actor information and exposing their operations.  However, the releaser would have to be content to not be able to take credit for this information, and most assuredly make sure it is never found out that the information originated with or was released by them.  This of course was HBGary Federal Aaron Barr's colossal mistake.  One would have wondered, with a long background in intelligence and IO as well as much trolling experience at the keyboard observing the behaviors of Anonymous, why on earth he would have thought to voluntarily blow his cover and reveal himself.  Partly it was due to sheer greed and self promotion for his company, and to get PR to obtain more Federal Government work for his company.  Nothing bad about generating business for yourself, however when you deal with the rough and tumble of the digital underground you certainly need to play by different rules.

The problems we currently face on the Internet are numerous, allowing digital gangsters to bridge the divide from cyber to real world and impose punishing costs.  The zillions of dollars in IT security has done Little to NOTHING to change this fact and it continues to get worse.  One of the reasons is the fact that there is too much duplication of effort, on the defensive side of the house and on the offensive as well.  Everyone wants their own rice bowl, instead of developing national level strategic capabilities.  There is a concept called coopetition where organizations can collaborate and share information on some things, and then compete on other things such as price, service, support, and features.   You can see a complete FAIL of this in the Malware DNA concept development realm.   I pioneered the concept a couple of years ago and it spawned a whole slew of completely incompatible offerings that are all in parallel development.  If one problem needed such a critical consolidation of research and effort it would be this one.

OMG BTW – Greg Hoglund – If you present at RSA your “idea” of what APT is, like you described in your audio clip that was posted, and like your emails about what it is and isn't, you will be laughed out of the room.  I suggest you get with people who really understand the threat and get briefed before you look completely stupid.

I will wrap this up by stating that I think this is just the beginning and we will probably see more raids to come.  Organizations better get off their collective asses and implement SIGNED AND ENCRYPTED email before they get OWNED as well.  Come on guys, this technology has been around for Years and Years.  I won't even post any links to good vendors if they are that ignorant.  Of course the concept of mandatory signed and encrypted email will have everyone screaming, but maybe it would prevent the total vacuum cleanering of email out of our nation's most sensitive inboxes, to include every major VIP in our government.

SO, Attribution Intelligence…. DO it right, use the Internet, do it Anonymously next time.  Build an Attribution Market for the secure posting of Attribution Intelligence.  Seed and build incentives for participation.   And .   I'm really surprised someone didn't warn you better.   Go SLOW, Danger Will Robinson, Here they be Giants.

Ironically, the social network analysis research Mr. Barr was “pioneering” is now being done on over 100,000 emails in the digital domain through a cloud supported, crowd sourced digital investigation, and then will be publicized through a steady stream of media releases and reports.  Apparently the “Haul” was so damaging and impressive that the group has decided to launch their own .  This does not bode well for the future of secure digital information.

Real intel agencies have been doing social network analysis at a massive sophisticated level for years.

And even in MORE irony, if Anonymous is not careful, and they go searching through the email, they might get infected with a number of APT related malware samples, providing plenty of opportunities for them to get Snagged up in National CounterIntelligence Surveillance networks.  (not guys you want to fuck with)  There's really not much Anonymity/Privacy/or Security when your shit gets pwned.   And as an added benefit, Anonymous would get exploited by Chinese Military Intelligence.  That would be exactly WHAT we need.  IF Anonymous really wanted a hard target they should take on Chinese APT groups.

The Farewell Dossier

February 8, 2011

I have previously blogged about but a guy named Charles Jeter had some good sources, a wealth of real world experience, and .  I will post it here for your interest.

CyberNinja FAIL

February 8, 2011

So apparently Mr Barr tried to get all on the amorphous, chaotic and admirably highly effective Anonymous Group.  This of course resulted in him and his entire company getting a by the “” or at least that's what I think they are being branded as.

For people who can't seem to read between the lines, is a wonderful smokescreen effectively running amok and tying up Federal cyber investigative resources that could be better used investigating the zillions of terabytes of critical information getting stolen on a regular basis by our “Friends” according to official US Foreign policy, the PRC PLA.

Interestingly enough this FAIL example was driven by self interest and not the common good.  It's also kind of disgusting to see how leak information is being misused.  For example, Wikileaks just dribbles out information and cherry picks it to correspond to the latest news cycle, such as the Egyptian revolution thingy. As that effort goes on, out pop Wiki cables of guess what, Israel and Egypt scheming on Mubarak's successor.  How timely.  If you had any balls you would just release the whole 266k of cables and not just the crappy 2000 or so for your own personal media benefits.  I'm sure the Internet, through crowd source effects, can analyze it on their own thank you very much.

Now the parallel to this latest fiasco.  HBGary decided to “Investigate” the Anonymous group by using them as an example of how social media “shiver” is all bad and scary.  Sorry, you're too late to the game, Myspace worms, twitter hijacks and Robin Sage cleared that all up okie, oh ya and Koobface.  Then they intended to glory whore the information at only the Largest security conference on the planet. RSA.  As well as peddle the information to the FBI.  Did they release their investigative targets to the open public? No.

You see the power of the Internet is that when you release it, it never can be taken back.  Their second mistake was that they blabbed about their “targeting” to the Financial Times and crowed about it.  This to the enemy is called “indications and warnings” in military speak.  If they thought Anonymous was just going to not take up that challenge, it speaks worlds about how clueless they are to hacktivist causes and capabilities.  And if you're gonna burn a group with your incredible research, release it ANONYMOUSLY for the world to enjoy.  Don't be a twat and try and use it for personal benefit by exploiting it to drive security business to your company.

On a side note I personally like their products and they have a decent Memory analysis product which I think has gone a long way towards popularizing memory analysis.  They also have some good reversers who are pretty straight up.  However I have heard from many that their leadership unfortunately is pretty  XXXXXX just like many other security Luminaries that claw and step on the backs of others in order to hack their personalities in the eyes of the security practitioner public.

Unfortunately there are a zillion hacktivists out there with hive like mentalities and short attention spans.  The real problem though is that it would be nice to focus their talents and energies on real hard targets such as the cyber units of the PLA in each of their military regions.  If given cause, direction, and targeting, this could effectively be a long term, low level chaotic effect in the enemy's rear echelons, maybe enough to drain their resources so they are burdened somewhat.  Not bloody likely tho.

Some of the interesting things of note were the fact that they erased their backups, OUCH, and hacked (no fair) which is a great website.  Also they published Mr. Barr's personal details and his SSN/address/and telephone number which is just like mean.  Apparently he is getting death threats and phone calls at home.

The most damaging of course is the theft of their email which could be a killer for their company.  Or better yet drive it into a cheap takeover or buyout by an enterprising company that wants a good cyber acquisition.  Frankly I'm surprised they haven't been purchased yet.

Another approach would be to publish all his research now, be a man and stand behind it and say Yea MFers, I got yer info, I am publishing it, and the feds will be at your door shortly.  If his research is good, then it will stand the scrutiny of the public.  If it's crappy research, well then, I guess his methods just suck.

Either way, I think Mr. Barr, Hoglund and HBGary and company will most likely be getting a LOT of pizza delivered to their doorsteps in the next year.  I recommend on M Street.  I'm thinking the staff at ole Gary might enjoy quite a bit of the Belgian Beer they have on tap.

So this is attribution research done RONG (Tune of Mr. Kim Il Jong)

Here’s a recap of what went wrong and what to do next time.

  • Do good research that can stand up to scrutiny
  • Publish it to the public for good, don't whore it to RSA for glory or for money to the FBI
  • When you publish, be damn well sure it doesn't get back that you did it.
  • Enjoy your victory in private, and only tell trusted associates.
  • Watch while the Internet becomes a better place

There is a huge potential for the proper disclosure of attribution data to change the character of the Internet.  DON'T buy the BS that things cannot be tracked or discovered.

Only an attribution market that disclosed the worst actions across the realm of cyberspace could deter malicious actions.  Frankly the hijinks of Anonymous don't pass real threat muster in my book.  Unfortunately it will waste thousands of investigative hours, because the FBI LOVES Anonymous, just like they strutted up and down on their investigative prowess busting the Palin hacker, who got a year and a day in jail.

This I believe takes our eyes off the real threats and doesn't really do our country any good.

Don't wind up like this guy…

