So I originally came up with this idea for counterterrorism a while ago and have modified it for cyberwar conflict.  It goes like this.  Why aren't more terrorists killed on a daily basis by powers that can do it and have the will?  For the completely countervailing reason that usually trumps direct action: intelligence gathering.  Plain and simple.  INT collection is used on a worldwide basis to target actors.  However, pre-9/11 completely showed a lack of will and balls to actually take care of problems for completely bullshit reasons.  Lawyers, human rights, blah blah.  Bureaucracy.  Apathy and pragmatic thought.


My solution for terrorists was this.  You do all the INT collection you want.  But 1 [ONE] DAY EVERY YEAR you have what I will term a BLACK NOVEMBER.  What is it, do you ask?  It's a kill pulse.  All the intelligence derived, gathered, fused and generated during the year gets put into a master target list, and direct action takes place synchronized.  This will have the immediate effect of dramatically draining the SWAMP, eliminating a lot of the BS INTEL noise you get in collection efforts and clearing the way for a new round of intel gathering, new link analysis and intel collection.

Direct action will be expendable and non-attributable and revolve around “accidents or otherwise mundane unfortunate circumstances.”  Better not to attract that much attention, unless that's what you want to go for.

I then evolved this concept to terrorist electronic communication forums, which present the inherent evil in allowing for dispersal of terrorist ideology, plans, TTPs and other terrorist crap.  So the BLACK NOVEMBER would essentially, over time, corrupt any backups of data that were being made, then target and destroy, crypto-attack or secure-delete all worldwide terrorist extremist forums and other info material that is in direct control of mal actors.

One, this highly disruptive attack would sow CHAOS into the ranks, break communication mechanisms, and force the reestablishment of new networks and comms that can be rapidly identified and tracked to be put into the next yearly purge cycle for cyberwipe.

So after this I come to my 3rd evolution of BLACK NOVEMBER.  That is doing the same thing but targeting the numerous cybercrime forums, tool factories, ego sites, and botnet command and control sites that exist throughout the Internet.  [NOTE: IF IT WASN'T ALREADY OBVIOUS, you do this non-attributably, preferably geographically spread across the Internet IP space and geographies; you also use massive variation in code, techniques, and character sets and styles.  Unless of course you don't care about attribution for the shock factor.]

This can be a massive sweep or it could be a certain number of high-threat target sets.  Either way, this pulse of cyberpurging would ENSURE ONE THING: that there are no excuses, no compromises, and real, …REAL action taken against at least the technical mal-infrastructure that pervades the net and sucks like a vampire on our national security and economic security.

I will be the first to say that I don't think our authorities have the will, vision, foresight, or balls to ever consider any of these actions.  However, I will say this.  I am laying it out there as a thought meme, a destabilizing concept that needs to be expanded and discussed and further investigated….

SO WHAT…. DO YOU HAVE A BETTER SOLUTION?  If so, fire away and propose one.  And don't rehash any of the ideas that have been bandied about for years.  Come up with something original.

Yes folks, we need a Phoenix Program for Cyber.  That’s what I’m saying.

So a researcher I admire for his willingness to reveal his to the general masses, especially through his top 10 lists of the largest.  He has also done excellent research on more sinister malware such as Coreflood, which has evolved over the years.


Apparently he is presenting some similar concepts at RSA soon that I have been espousing here, such as my cyber special ops forces targeting cybercrime networks.

Here is a quote from his

“Finally, on Thursday I’ll be delivering my own presentation entitled “Demonetizing Botnets” at 2:10 PM. This talk outlines my ideas for how we should restructure our efforts at fighting not just botnets, but cybercrime in general, both long and short-term. In this presentation, I will introduce a concept I call “offense-in-depth”, which I believe is the only approach that can address most of the cybercrime problems we are currently facing, given the current environment with respect to law enforcement’s challenges in cyberspace and pervasive vulnerabilities in computing and networking. I’m not saying my plan is any kind of silver bullet, but I hope it becomes part of the arsenal of everyone out there who is attempting to stem the tide of malicious software and computer intrusion. If you are interested in hearing my take on these matters, please attend. If anything I say inspires you to action, please meet up with me after the talk, and we can discuss the issues further. Hope to see you there!”

I love some of the .  Titled….  (Joe, I am behind you on this one.)

Researcher wants hacker groups hounded mercilessly

Botnet expert Joe Stewart says ‘special ops’ teams could thwart cybercriminals

These concepts I have discussed in great depth in some of my earlier posts, such as our Spotlight Shine Bright series, and my I Call Shenanigans and BBC Wussy Robin Hood articles.

A technology company employing some of the best and brightest in the field just released an update to their product that actually implements an idea I have been working on since late last year.  Clearly many in the security industry have realized that we need a couple of good game-changing concepts to take us to the next level.  My focus was on how to change how we COMMUNICATE about malware.  If we are all working on the same sheet of paper, then we can focus our efforts on other high-payoff challenges.

The company is called HBGary, led by the guys that literally wrote the book on rootkits.


HBGary seems to have done a good implementation job building Digital DNA features into their flagship product Responder Pro, which is an excellent live memory analysis tool.  More and more, live memory analysis is critical to obtaining a full picture of what the malware does.


I have been researching similar concepts based on the extraction, through observational analysis, and generation of malware code DNA traits.  The goal is to identify and classify malware characteristics (what it is) as distinct from its functions (what it does).

For example, the fact that a piece of code packs itself to hide from antivirus or hinder reversing is a characteristic.  In and of itself it poses no threat.  A piece of code that can read/write files on your system and execute programs has dangerous functionality all around.  That is a function.

A possible implementation would involve creation of an Adobe Flex or HTML5 based digital cyber dashboard which takes analyzed samples via backend systems, extracts the DNA automatically or manually, and creates a signature for the malware that combines a representative string of bits representing the DNA with hash and fuzzy hash signatures such as MD5, SHA-1, SHA-256, SHA-512, and ssdeep.

The dashboard would generate a characteristic score and a functional score that result in an overall threat score.

The operational vision is to utilize this dashboard to describe the malware DNA in layman's terms so that cyber-operators and CIO types can RAPIDLY understand the threat and deal with it, not try to understand a bunch of gobbledygook.

The third component is an intelligence component that combines raw multi-disciplined private and open-source intelligence on the bad guys behind the campaigns into digital dossiers.
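As an added example (not HBGary's Digital DNA and not the author's own implementation), here is how the record the dashboard describes could be assembled in Python: a constructed trait catalogue split into characteristics and functions, the observed trait set rendered as a bit string, the exact-match hashes named above, and a weighted characteristic/functional/threat score with a plain-language summary for the operator view. The trait names, weights and the "functions count double" scoring rule are assumptions; ssdeep is left out because it needs a third-party library.

```python
"""Minimal 'malware DNA' record builder (added example, constructed traits)."""
import hashlib
from dataclasses import dataclass

# A trait is either a CHARACTERISTIC (what the sample *is*) or a
# FUNCTION (what it *does*). Each carries a weight and a bit position so a
# trait set can be rendered as the "string of bits" the post talks about.
CHARACTERISTIC, FUNCTION = "characteristic", "function"


@dataclass(frozen=True)
class Trait:
    name: str
    kind: str
    weight: int
    bit: int


# Constructed catalogue; real systems would have hundreds of traits.
TRAITS = {
    "packed":            Trait("packed",            CHARACTERISTIC, 1, 0),
    "anti_debug":        Trait("anti_debug",        CHARACTERISTIC, 2, 1),
    "high_entropy":      Trait("high_entropy",      CHARACTERISTIC, 1, 2),
    "file_read_write":   Trait("file_read_write",   FUNCTION,       3, 3),
    "process_exec":      Trait("process_exec",      FUNCTION,       4, 4),
    "network_beacon":    Trait("network_beacon",    FUNCTION,       3, 5),
    "keystroke_capture": Trait("keystroke_capture", FUNCTION,       5, 6),
}

# Layman's wording for the CIO-level summary (constructed).
PLAIN = {
    "packed": "hides its code from antivirus and analysts (packed)",
    "anti_debug": "resists debugging",
    "high_entropy": "contains encrypted or compressed data",
    "file_read_write": "reads and writes files on the system",
    "process_exec": "launches other programs",
    "network_beacon": "calls out to a remote server",
    "keystroke_capture": "records keystrokes",
}


def trait_bits(traits):
    """Render the observed trait set as a fixed-width bit string (MSB = highest bit)."""
    mask = 0
    for t in traits:
        mask |= 1 << TRAITS[t].bit
    return format(mask, f"0{len(TRAITS)}b")


def hash_signatures(sample: bytes):
    """Exact-match hashes named in the post; fuzzy hash (ssdeep) omitted."""
    return {alg: hashlib.new(alg, sample).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def scores(traits):
    """Characteristic and functional scores combined into a 0..10 threat score.
    Rule (constructed): functions count double, since they are what does harm."""
    char = sum(TRAITS[t].weight for t in traits if TRAITS[t].kind == CHARACTERISTIC)
    func = sum(TRAITS[t].weight for t in traits if TRAITS[t].kind == FUNCTION)
    max_char = sum(t.weight for t in TRAITS.values() if t.kind == CHARACTERISTIC)
    max_func = sum(t.weight for t in TRAITS.values() if t.kind == FUNCTION)
    threat = round(10 * (char + 2 * func) / (max_char + 2 * max_func), 1)
    return {"characteristic": char, "functional": func, "threat": threat}


def describe(traits):
    """Plain-language summary, functions first, in catalogue (bit) order."""
    ordered = sorted(traits, key=lambda t: TRAITS[t].bit)
    funcs = [PLAIN[t] for t in ordered if TRAITS[t].kind == FUNCTION]
    chars = [PLAIN[t] for t in ordered if TRAITS[t].kind == CHARACTERISTIC]
    parts = ["This code " + ", ".join(funcs) + "." if funcs
             else "No dangerous functions were observed."]
    if chars:
        parts.append("It " + ", ".join(chars) + ".")
    return " ".join(parts)


def build_record(sample: bytes, traits):
    """One dashboard record: DNA bits + hashes + scores + summary."""
    return {"dna": trait_bits(traits), **hash_signatures(sample),
            **scores(traits), "summary": describe(traits)}


if __name__ == "__main__":
    # Constructed stand-in for an analyzed sample; not real malware.
    sample = b"MZ\x90\x00constructed-sample-not-real-malware"
    packer_only = {"packed", "high_entropy"}
    dropper = {"packed", "file_read_write", "process_exec", "network_beacon"}
    for name, traits in (("packer_only", packer_only), ("dropper", dropper)):
        rec = build_record(sample, traits)
        print(name, rec["dna"], rec["threat"], "-", rec["summary"])
```

The packer-only sample scores low because packing is only a characteristic; the same packer plus file, process and network functions pushes the threat score up, which is the distinction the two paragraphs above draw.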

I’m calling


Ok, I'm starting to get a little pissed.  As you know, I have been questioning why researchers are not more proactive about taking out botnets and hacking malware and its infrastructure.  Common refrains are NONONONO ooooo that would be illegal blah blah blah.

Now see the following, just from today.  There are many more such examples if you troll around.

Here is an article from the highly overhyped Brian Krebs, who I think does a good job reporting but really doesn't go far enough in his questions or the depth needed to really discuss the important issues in his articles.  Even investigative reporters of the crappy kind go deeper than his content, which is sad, because if he chose to do so he would dramatically up the level of discussion and populate the idea pool with more useful ideas.  He has the audience; now he just needs to up his game to be more effective as a thought leader instead of just a reporter.  Reporters are boring from a research standpoint and do little to add to the cumulative public knowledge base to really solve problems.

“Prior to site’s demise, security researchers managed to snag a copy of the database for the TrafficConverter affiliate program.”

Now explain to me how they were able to do that without breaking any use laws.  I want to be clear here.  I am not supporting breaking of laws; I am noting that said laws are used as an excuse not to really SOLVE the malware infrastructure problem and to support the security products industry's bottom lines.

Based on an alternative is needed for protection… Awesome Title BTW

Storm Worm Botnet Lobotomizing Anti-Virus Programs

Any and all of these attempts would run afoul of some narrow-minded anal-retentive lawyer and somehow break a computer law somewhere.  However, the key thing here is authority and intent.

If it's illegal to walk on the grass, yet you see a lady getting mugged on the other side of the really nice garden, do you run across the grass and help her, or walk ALL the way around and hope that the scumbag doesn't off her and make off with her valuables?

If there is a technical way to disable, subvert, dismantle, neuter, compromise, impact, DOS, or surveil a botnet, malware author, cybercrime crew, or criminal organization, then it should be investigated and done if possible, provided it does not make the system inoperable and unusable.  The problem here is that you need extremely sophisticated techniques to do so.  You can't have a bunch of jackass cybervigilantes running amok and causing more havoc than good.

Actions should be given to competent organizations / researchers based on a validated and widespread threat.  Sort of like what a CyberInterpol would do, but we know that will never happen.  Essentially what we need is a vetting process whereby, through a collaborative cooperative, security responders/researchers get a free pass to conduct offensive surgical strikes on malware infrastructure and run ops against these crews.

Here is an attempt to that was dead on arrival because there was no will and balls behind the effort.

The result would be degradation of malware infrastructure, sowing distrust and discord among organizations, infiltration through stings, paying rival organizations to rat out their competitors, higher bounties, snatch-and-grab operations, poison-pilled exfiltration data from high-level targets, arrest and PREEEESSSUREEEE on the low-level schmucks to roll on their buddies, leadership chain attacks, exploitation of malware binaries to render them inert, integrity attacks on command and control channels to render them disrupted or get them to disable or delete themselves, and updating the malware to do something beneficial like disable functions or change its communication mechanism so it is no longer reachable by its command and control at all.  The field is WIDE OPEN for research to discuss and innovate, but do you see it being done??  NO.  I repeat, NO.

And that's why I am calling SHENANIGANS on the whole lot of them.  When people ever bring the subject up they give you the standard BS responses; however, in the background they do things, as shown in the previous articles, that would clearly be construed as illegal.

I am calling for a Cyber Free Fire Zone.


For example, make a law that says that all machines that are compromised and attacked entitle the user or its designated parties, via a special use license, to make any modifications or actions against said invading party.  This basically protects the user from legal recourse and could fall under reasonable cyber self-defense guidelines.  If you come into my house to steal my PlayStation 3 or rape my wife I am going to beat the shit out of you, or worse in the second case.  However, if you come into my computer and steal my vital data or work and compromise my identity or cause me extreme financial hardship, I have no recourse and can't do anything?!?!

Now people, that just doesn't make sense.  From the government side we need a Cyber Monroe Doctrine, which I believe is a great idea.  As well, if you look at the statistics, many, many of the malware operations are run from inside the United States, so I don't believe for a second that our laws' long arms can't reach into Poughkeepsie.

A person who I know well, Lenny Zeltser, who teaches courses for SANS on malware analysis (SANS 610), posted recently a that, while it has important points, I respectfully disagree with.  I think you need to weigh the consequences between an active response and the impact of not acting.  That is the ethical equation.  If you can do more good than harm, you should seriously consider the action.

Here is some more on the BBC incident.  Unfortunately I do not see many advocating any counter-malware actions, not to my surprise, because that is the status quo.

So what do we do?  Prosecute security researchers for their intelligence actions that they try and keep on the downlow, while at the same time espousing support for the rule of law?  I don't advocate that.  I advocate the declaration of a Cyber Free Fire Zone, establishment of a Cyber Monroe Doctrine, creation of a counterhack implied user license for legal protection, and enhanced and publicized experimentation and surgical counterstrike actions being conducted as I have stipulated above.

Here is an from Britain at least attempting to solve the problem; however, it presents much opportunity for abuse and is only allowed for law enforcement, which defeats the purpose and overall goal.  Regardless, Britain, with all its security incidents, is really in no way, shape or form qualified to lead in security research or cyber actions due to its nightmarish list of compromises and general cyber ignorance from its military, government and intel sections.

Here is another example

Gee boss, now whut??  (Scratches his head)  The answer is focused collaborative research on cyber courses of action.  DUH!  That's what the military does all the time.  Establish courses of action against an enemy's order of battle.  The acts.  No action here….

Here is another example from the Prevx group

Stolen-data trove offers look inside a botnet

Now how could researchers obtain this and not break the law?  Why was this box not infiltrated and monitored to prosecute, track and punish the people that connect and download said purloined information?

“Caches of stolen data like these are hidden throughout the Internet, usually locked away inside password-protected websites or heavily fortified servers. Prevx’s researchers were able to infiltrate this site because it was protected with poor encryption.”

- Cut the bullshit about not being able to do something as a security researcher and whining about laws.  Researchers are already doing it.  However, they are at risk of prosecution, so this debate is about empowering them by giving them cover or implied authority.  A digital Robin Hood / Zorro, if you will.

I think the fact of the matter is, researchers don't want anyone else to do it, so they use the cover of the law to keep public debate to a minimum.  As well, a lot of their SENSOR networks and compromised honeypots used for intelligence, which are nonetheless members of said botnets, are operational and doing everything a full member of a botnet would be doing, such as DDOS and spam.  Maybe even SQL injection attacks à la ASPROX.

It would be nice if guys who had the balls like Offensive Computing had the same initiative and championed these counter cyber attack research options through public debate.  Currently I would imagine it is only debated in military and intel communities, but those organizations are so hamstrung with policies and bullshit that I doubt anything ever gets accomplished, or it's not in their domain, or they just don't care.

FBI included.  They have only limited resources, ya know, and a threshold for what warrants attention.  “So what, you got hacked and lost 10 grand to a Russian guy who drained your brokerage account.  Go call the local PD.  Dial 911.  Operator: what's the emergency?  Caller: some guy just hacked my computer and stole 10 grand from my brokerage account.  Operator: that's not an emergency.  Police officer: status not my problem, call the FTC.”  _get_THE_PICTURE?

“The website that Prevx found, which was operating on a server in Ukraine, was still online for nearly a month after security researchers alerted the Internet service provider and law-enforcement authorities. The site was sucking up data from 5,000 newly infected computers each day.” – wow, no action, I am not surprised…

They should have realized abuse complaints in that part of the world go straight to the bit bucket…. duh.. Next time, act.  Compromise the data in the trove with beacons and find the real culprits; put crypto attack code in the documents so that whoever opens them gets their files cryptolocked with a secret key and a message to contact a POC to get your files unlocked.  Other avenues of action are or could be equally disruptive and interesting.  Send the bad guys' information and keystrokes back to the victim.

Here is another great example of retarded action.

Two awesome researchers did excellent innovative work.  Then what happened?  NOTHING.  Great job, management.  Next time set up a skunkworks unattributable group with resources that are untraceable and fucking do it.  Then destroy all traces of said action.  In the current environment this is the only recourse for real action.  Someone needs to stick their dick in the pool first.  Who's it going to be?  O yea, right.  You're not supposed to find out.  Sorry, you won't get the credit, but you'll be the one smiling in the room when it's discussed…..

Pretty soon we need to start dealing with these issues effectively and dealing with the likes of these.


Or we can start expecting our data and vital operations to look like this…


So here is a little experiment.  I am going to run a monthly posting contest.  The purpose is to allow malware authors to hype their baddest-ass skills and techniques as compared to some of the most insidious examples the research community has been dealing with.

Winners will receive the dubious title of BADDEST ass code that does the BADDEST ass things.  O yea, and the right to be represented by this avatar.


There will be a chumpy award as well for code that thinks it's bad-ass enough to be ranked as the best but really is “old, tired and busted,” using stale and well-known techniques.

They will get represented with this little digital homage..

So here are the categories for assessment of who the baddest should be.

  • Best hiding techniques for (files, registry, process listing):
  • Best network or file based steganography techniques:
  • Best innovative and destructive capabilities:
  • Most kleptoKrazy information stealing capabilities:
  • Most innovative functions: if you mention opening the CD drive bay door you get DDoS'ed automagically:
  • Most enriching social engineering techniques: sorry, Bernie Madoff has the record, so this place is automatic second place:
  • Most elegant code/resiliency from detection:
  • Best polymorphic/metamorphic illusionist techniques:
  • Best code protection for code and logic integrity vs debugging, tracing, dumping:
  • Innovative and secure use of encryption:
  • (If you submit xor/rot/base64/rc4 or any other weak-ass shit you get your remote files automatically encrypted with AES 256-bit and the secret key secure-deleted from memory and the entire file system.  That's after the secret key is encrypted, of course.)
  • Best and most evil undetectable embedded attacks against third party file types, i.e. Office, Flash, PDF, CHM, etcetera:
  • Baddest and most comprehensive web page example with close to every drive-by exploit out there:
  • Most disruptive piece of code:
  • VISTA pwnage.  (Most code rapes XP.)  Start evolving and compromise Vista systems if you have the balls: special points for getting around Vista security and specifically the 64-bit hardware-enabled-in-BIOS DEP features.
  • Implementation of malicious VMs as an obfuscation technique or as the payload itself by putting the target into the matrix without his knowing.

Requirements for submission are as follows:

  • Name of malware, either self-named or just plain found somewhere.
  • Why it deserves inclusion into the baddest ass hall of malware fame from a technique standpoint.
  • Description of its capabilities and its closest variants, if any.
  • And for the do-gooders: who and what is to blame for this glaring technique and what can be done about it.
  • And O yea: is it able to fully exploit and run on a base build of Microsoft Vista SP1/SP2 out of the box?

Several CODE samples to compare your submission to for innovativeness and complexity:

Kraken, Storm, Conficker, Waledac, Rustock, Asprox, Pinch, Zeus, Bancos, Coreflood, Tigger/Syzoor

Participation by the research community and security vendors that might have the balls to discuss will get mad props for actually supporting research.

WELL, let the games begin:

Awards and ranking will be from 1 to 10.  If I'm impressed I will PayPal monetary goodness, maybe, possibly, if I actually feel something in my pants after reading.



Cyberwar and attribution

December 31, 2008

One thing I don't understand is why bad guys aren't smarter.  For example: attribution.  If you're the Chinese government trying to steal US government secrets, why the hell would you use Chinese code, exfil data to Chinese drop sites, and use Chinese-hosted malware download locations?  To me that's just stupid.  If I was Chinese I would code in Brazilian, attack from Ghana, exploit from England, and exfil to Australia.  You get the point?  Cyberwar has not crossed the multi-lingual barrier to become cross-language enabled and geographically obfuscated.  Geographic obfuscation and misdirection would be a very interesting area to research from an attack perspective.  One of the primary tenets in Information Operations is deception.


I give the current attack community an F for deception.  At least how it's played out in the press.  It's practically obvious the Chinese are hacking the shit out of the US on a daily basis.  And it's practically obvious that Russians are in control of RBN out of Saint Petersburg, protected by politically connected powerful parties.  RBN controls the Storm worm and other cybercrime botnets, as well as being some of the best coders around (reference Rustock).

NOTE:  NAME THE EFFIN guys behind the Storm worm already; certain parties know who they are but ain't talkin'.  Put up detailed bios of them in the mass media.  I think it's pretty sucky that the security community doesn't combine intelligence with security technology.  There are lines that they draw and don't cross, when you get a much more well-rounded picture when you are not afraid to amp up a 1000-watt spotlight on something and expose it to the public.

Another side note.  Hey, security community: start posting graphics, code and info on the backend software and consoles for some of the more powerful botnets like Rustock, Storm, Asprox.  Let's do a dissection of a C&C for these and post about it for the research community.  Has anyone found the builders for any of these?  How about source code?  I would imagine it can either be stolen, compromised or someone bribed.  Have we fingerprinted where it's coded and identified via coding methods how many are involved, and tracked identities that way?  Also, there needs to be way, way more research on EXPLOITING these botnet binaries.  Not just for monitoring's sake.  YOU'VE been monitoring for years.  DO something already.  If you can internationally capture and prosecute, then for Pete's sake run an operation on these guys.  Or maybe this is all one big scam operation to get everyone to buy more security software and purchase credit monitoring services and insurance.

One example of a botnet being repurposed to massive detrimental effect is Asprox.  They are now P2P/fast-flux and have an automatic SQL injection engine as well as password stealing capabilities.  I was wondering when botnets were going to adapt to do something other than the same bullshit propagation, spam, and DDOS.  That shit's boring.

Back to attribution.  If the Chinese and Russians had done things right we wouldn't be screaming about them; people would still be scratching their heads and wondering WTF?!  Maybe they are just unsophisticated or lazy, maybe they don't care.  Probably both.  Maybe that's why you never hear about American cyberwar attacks.  Either A, we are too scared and don't do it (lawyers got our balls in a cinch), or B, we have been doing it all along and are just way, way too good to get caught because we do it right.  My vote is on B.  BTW, anyone know who ran that operation that bugged the Greek Prime Minister and trojaned their Ericsson wireless telco switches to effectively wiretap them for 6 months?  NOW that was a hack.  Only the best do that shit; I haven't heard anyone name names but I have a clue.

Enough about that.  The point is, if you run an op, whatever it is, make it non-attributable and geographically distributed, or better yet attack from YOUR enemy's back yard.  Let him take the heat.


So is innovation dead in malware development?  I have been perplexed at the lack of innovation with regards to Internet-level hacks/events that have occurred over the past years.  I think money and the crime angle have certainly been a distraction.  Most innovative ideas that I'm thinking of have more of an offensive cyberwar aspect to them versus an espionage (read stealth) or infostealing (crime) or propagation (read worm/spam) aspect.  If you're not following me let me try and explain.  When was the last time you heard of a really interesting Internet event (by this I mean an event that impacts large sections of the net) that does something totally wack and has a large impact?

I would call something so unique a singularity.  The advent of mobile malicious code (i.e. a worm) I would consider a singularity that changed the whole game.  The advent of the buffer overflow another, the advent of remote control (trojans – let's hear it for BO, woot!), the advent of P2P decentralized networks and double fast-flux networks, as well as the advent of software armoring and polymorphism.  All of these factors dramatically changed the playing field and forced everyone else to adapt to new rules of engagement.  But I digress.


Let me shoot out some memes that I have NOT seen or heard about and ponder why.

Why isn't there whistleblower malware?  That would be pretty bad-ass.  Think of a piece of code that seeds the net with information that is sensitive to achieve a certain effect.  Could be a sensitive document, could be a database export.  One piece of malware that did this was Nimda, which mailed random documents from your My Documents folder to your entire email list.  Now that was cool.  Businesses failed and people got arrested or divorced over that type of stuff.  Pretty crazy.  The goal of whistleblower malware would be some type of enforcement of social justice.

I've also wondered why malware doesn't use database tools to dump databases and post them to P2P networks where they would be rapidly replicated.  Once something goes P2P there is no way to retrieve it.  (Think about celebrity sex vids.)  Do you really think Paris Hilton could have put her cooch pix back in the genie's bottle once they got out to the net?

I don't advocate stealing of data for destructive effect; in this blurb I am just wondering why I have not seen malware that targets databases more effectively.  Why is it always credit card databases that are stolen and not the bazillions of other interesting databases that exist out there with much more important data in them?  One hypothesis is once again the crime angle distraction.  The other is that most hackers are just one-technology ponies and couldn't scratch their way around a database even if they tried.  This illustrates how an effective attack organization would have to be highly skilled and multi-disciplined to be useful.

Anti Malware Malware

December 31, 2008

So I was thinking of an interesting idea.  Create a target list of all malware and hacker sites.  Take a massive database of MD5-hashed malware, hacking tools, etcetera, create a crawler bot that can autopwn sites, and then upon detection, secure-delete or AES 256-bit encrypt the files and then destroy the AES key.  It would be pretty interesting and have massive undetermined effects.  You could call it White Friday.  The result would be like a mass cleaning of malware from the net in one big swoop, putting them back to the drawing board a bit.  One of the primary reasons for this is that the center of gravity for this type of malware development is, I believe, very small if actually studied, versus the rest of the poser community that just uses the tools and extends or customizes them.  The malware/hacker site list would ensure that unintended victims are not impacted.  You could also further refine your targeting.  It would most likely have to be architected as a worm of some sort with a Software-as-a-Service type back end to an MD5 hash DB.  Or the malware could just AES encrypt all underground sites out there.  NOW that would be interesting.  An AES encryption attack would not be destructive, yet would simply TRANSFORM the look of their data (that's what encryption essentially does).  You could actually embed the SECRET key, randomly dispersed somehow, into their encrypted files or elsewhere on their systems so that they had the power to unencrypt them if by some infinitesimal probability they could find the key.  You could also actually somehow get around legalities by justifying that if the site accepts user input in any way, shape or form you can essentially run the attack and not have any repercussions legally.  But of course this would be a non-attributable black op.

This is to start a thought meme on this until I refine it more later.  Feel free to comment.

I think I will call this the WhiteFriday event horizon.  I'm going to add more way-out-there ideas.


HackBackJack U up.

August 14, 2008

So the concept of hacking back is very simple.  The problem is no one wants to talk about it.  And it rarely gets done, at least in the public domain.  There have been a ton of examples where malware has exploited vulnerabilities in bots/zombies to take over the command and control and update them with its own malcode.  There have been other examples of researchers exploiting botnets for research to identify C&C and decode the command sets.

Then there is the actual  such as the ever popular STORM.  This is the really cool stuff; unfortunately some people consider this research area TABOO, which I think is bullshit.  Lots of malware have features to delete themselves and clean up their systems.  An attack on a bot's command set that tells it to delete itself would have all kinds of benefits.

This is an from Bitsec who is reverse engineering malware trojans for bugs, writing exploits for them and then sending software to the attacker's computer, hopefully to identify their name and IP address.  This guy is pissed and “he ain't gonna take it no moe!”

The trojan he exploited was Bifrost, which is a BAD ass Remote Access Tool (read: TROJAN) that freaking does everything under the sun.  It's like Poison Ivy and other RATs which seem to be templated in code these days.  They are very, very full featured.  A bunch of them can grab mic audio for bugging, and video capture from webcams, giving a whole new voyeuristic side adventure to malicious attackers. 

There's actually a ton of YouTube videos on these things in action.  One of them showed HUNDREDS of webcams being viewed on the screen after the attacker logged in and connected to a ton of people that he compromised.  Can you say privacy is DEAD!! Or did it ever exist? Do you feel violated yet?

Back to hackbacks.  There are a ton of opportunities for this, and it sort of comes from the Honeypot philosophy yet instead of sitting there waiting to be attacked, you do the attacking.  Recently

The real purpose.

August 14, 2008

So I was pondering the content I have posted here and thought back to the original reason for why I wanted this blog.  It was about hacking the constructs of security itself, not the actual tools and methods for how people hack.  I want to use this site as a thought incubator and (patent idea) preestablisher.  This content will be more or less an evolving stream of consciousness on some of the things I have been evaluating of late.

Infowar Construct Meme #1 – TAR and FEATHER results in digital mob effects

Why in the hell do you hear a lot about what attack tools do against vulnerabilities and what the effects were in real world situations, and you always hear about the “Authorities” that are on the “case”, but you NEVER see the bad actors actually SPLASHed in the global media consciousness?  OK, so I think it's already preestablished that you can use technology and code to pretty much do anything you want.  So there goes any type of theory about how LEET you are because you developed some kick ass piece of code.  Back in the day, hacking for reputation and props was the modus operandi. 

Now with cyberespionage and cybercrime we need to reconsider the concept of NOT identifying the perpetrators and start to SERIOUSLY expose every part of them, their lives, their networks, and their belongings to EXTREME scrutiny.  With Internet mob effects, there would rapidly be a large drop in activity, or at least it would drive it underground more, or deter their actions into more legitimate activities, or make them spend their resources protecting themselves more vs doing bad things.  

This is a thought exercise in the concept of using extreme justice (namely total personal privacy exposure of the attacker on a global “read: Internet” scale) in order to advance the deterrent effect.  Attackers are people too: they live places, they use technology, they have friends and family, they have jobs, they need to eat, they need to learn and go to school, they have reputations, and they have bank accounts and credit records. It is highly unlikely that these people would enjoy having their lives ripped apart through identity theft and other actions. 

In the old days if you engaged in antisocial behaviors you were ostracized, discriminated against, and pilloried in the community.  We need to establish a series of digital actions that can be leveraged against targets that are known bad actors.  And I am not talking about giving them F#$ing book deals, movie deals, intel or computer security jobs.  I am talking about a series of digital and real world actions similar in vein to how a penetration tester will perform target recon on an organization, its systems, processes and people.  But this will be in the context of personal destruction from a digital, reputation and real world side of things.

I guess an example of things would start like this.  Identification of the real name, address, social security or national ID number; identification of digital identifiers such as email, IM, social network and user accounts; where they work, what they do, what they own, how much money they have, where they conduct business, digital images of where they live, their health records, their credit records, their military histories, job histories. 

Every single thing that “personalizes a target.”  This information is gleaned from a billion data sources and real world actions and exposed, dossier style, on the open web.  Along with it are the proven actions that they have done, to whom, and how long they were involved in that activity.  This is called target intelligence, except it's done in the open forum of the Web, reachable by everyone and providing a very real and unwanted look into the personal lives of the attacker.   Not too many people can stand this kind of scrutiny without seriously reconsidering their future actions.

THESE ACTIONS if levied against anyone will support a very, very, very real deterrent effect, which is the entire point. There are no deterrents to current cybercrime/espionage at the moment that would put a real dent in the problem. This is a step in the right direction. 

Targets would need to be selected carefully, such as the most prolific spammers, phishers, identity thieves, industrial espionage actors, paedophiles, bot herders, denial of service attackers, and ransomware users.  It's blatantly obvious that digital attacks are not seen or treated like real crimes, and you could reference a whole host of bullshit penalties from some of the most egregious situations.  Many individuals and companies never report their incidents for a number of reasons.  This is a serious inequity of justice that is out of balance due to victims not being empowered to strike back at their attackers, and even being legally prevented from doing so. 

The fallacy here is that legally you can't do “BAD things to BAD people, even though they deserve it,” which will be a second or third stage area of research after researching another vexing problem: target identification through attack attribution.  Attribution is one of the hardest research problems there is due to the advanced ways of cloaking your identity and actions via anonymity software, proxies, multihops, encryption, and obfuscation. 

Researchers who discover flaws and developers who write code are irrelevant; these things are just considered tools, like a real world gun is.  CYBER activity should be evaluated on what you do with the tools, what your intentions are, and what the actual effects were.  This is the equation that should be used in determining the level of digital retribution.

This is a RAW concept, not fully refined and should be taken as such and used as a starting point for further research and possible tool development.  This can be lumped onto social network research currently used in Law enforcement/Intel against organized crime, white collar crime, and terrorist organizations.
