So the BBC did something pretty interesting. They actually rented a botnet, did a bunch of stuff with it and got some great publicity. Awesome work. It would have been nicer if they had used the command that most botnets have to either disable or delete themselves on all infected machines.

and detection rates are plummeting for this stuff even though the vendors do their best. Our government can't figure out what the hell it wants to do, with a huge cyber turf war going on between the NSA and DHS. I wholeheartedly endorse their idea of a , but if you can track these guys down and do something bad to them it's kind of pointless.

I will repeat my point from earlier postings.

PEOPLE, THE SYSTEMS THAT YOU USE ARE, BY DEFAULT, MEANT TO BE , , , , AND BY THE NATURE OF THE OS API CALLS AND THEIR DESIGN. All while sometimes not even writing any files to the file system and running completely from a legitimate process's memory.

That's why live forensics is such the rage now. See Volatility, Mandiant, HBGary, Recurity and others on this type of stuff. EnCase and AccessData are also getting into the live-memory malware analysis game.

What is truly needed is a robust, trusted, secure interprocess communication mechanism. Any process can be accessed, hooked, debugged, and have malicious code written into its process space. STOP. THINK. WHAT DOES THIS DO TO THE SANCTITY AND TRUST OF YOUR DATA AND OPERATIONS? Malware uses this to its advantage and you won't know the difference until it is too late.

Here is the

Here is my response.

I completely applaud the BBC and their actions. They served a good purpose by illustrating the threat of these botnets to the mass public, and probably caused many people to be more aware of their personal computer security.

The fact of the matter is that the “industry” does not have the balls to infiltrate these underground organizations or technically disable these botnets, which clearly establishes a casus belli for their business models. Ya ya, I know they do the best they can, hands tied by legal issues, whatever.

What is really needed is a security industry “Zorro/Robin Hood” who basically takes these groups out or infiltrates the botnets and neuters them strategically via technical exploit means. It really should be the NSA or DHS that does that, but neither of them has the balls to do it either.

We need a white hat underground, an unattributable organization that can prioritize threats and meet them head on with surgical precision attack capabilities. Either that, or track actors down, turn them informant with lots of money, and then have them subvert their associates or the botnets themselves.

Everything I have seen in response to these issues, together with the data theft / espionage issue, has been completely unimpressive from a criminal punishment/prosecution standpoint (a major incident garners something like 3 years), as well as being a useless, repetitive exercise in arguably non-enforcement actions such as monitoring, awareness, and ineffective defense.

While I am constantly amazed at the advances in malware evolution, and awed by the number of compromises and the amount of data theft, the industry has got to ask ourselves if we are truly effective in our efforts, and the answer here is NO.

Brian Krebs, SANS, Symantec and others, are you freaking listening?? I like your reporting, btw, however I said from day one that the McColo takedown was pointless and worthless; nothing changed, and you only served to ensure that malware authors further refine their code to be more resilient.

I won’t be impressed until people start taking these botnets out via the good old-fashioned operations that intel and military agencies are used to running against terrorists, organized criminal mafias and other well-defined, strategic threats to our nation's security and safety.

Several research outfits such as FireEye, Arbor Networks and SecureWorks have gone right up to the edge in reversing, monitoring, and exploiting Storm, Kraken, Conficker and other code, but stopped short of doing anything useful. Nice try, no cigar.

Next time become unattributable, gather the resources covertly, go off the fucking grid and just do it. Get a backbone people. You have the expertise and capability and most will silently if not overtly cheer you for it.

Or how about this. Seed known systems with honeydocs or .exe’s and turn the malware authors' world upside down. Whoever is the recipient of such booty would have to be extremely careful in protecting themselves, or else they would have nice beacons leading straight back to their lairs. If data theft is the game, then dammit, give them something to steal. Oh ya, if you hear a knock at the door, you had better have an underground railroad escape hatch in your basement.
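The defender's half of that honeydoc idea, as an added example that is not part of the original post: each seeded document carries a remote-image reference to a unique tracking URL, and this Python parses web-server access logs (constructed sample lines in Combined Log Format) to report which seeded document beaconed, where it had been planted and from which address it was opened. The token values, document names and host names are assumed.

```python
import re
from datetime import datetime

# Constructed registry of seeded honeydocs: beacon token -> (document, host it was seeded on).
SEEDED_DOCS = {
    "k3v9q2": ("Q3_merger_terms.docx", "fileserver-01"),
    "p7x1m4": ("payroll_export.xlsx", "hr-laptop-12"),
}

# Combined Log Format as written by Apache/Nginx.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Beacon URL shape assumed here: /t/<token>.png or .gif (a 1x1 image referenced by the document).
BEACON_PATH = re.compile(r"^/t/(?P<token>[A-Za-z0-9]+)\.(?:png|gif)$")

def parse_beacon_hits(log_lines):
    """Return one alert per request that fetched a registered honeydoc beacon.
    Requests for unknown tokens are ignored (scanner noise); hits from private
    address space are flagged so an analyst opening the document is not mistaken for theft."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = BEACON_PATH.match(m.group("path"))
        if not p or p.group("token") not in SEEDED_DOCS:
            continue
        doc, host = SEEDED_DOCS[p.group("token")]
        opened_at = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        alerts.append({
            "token": p.group("token"),
            "document": doc,
            "seeded_on": host,
            "source_ip": m.group("ip"),
            "opened_at": opened_at.isoformat(),
            "user_agent": m.group("ua"),
            "internal": m.group("ip").startswith(("10.", "192.168.")),
        })
    return alerts

# Constructed log lines: one external beacon hit, ordinary traffic, an unknown token, one internal hit.
SAMPLE_LOG = [
    '203.0.113.45 - - [14/Mar/2009:02:17:33 +0000] "GET /t/k3v9q2.png HTTP/1.1" 200 68 "-" "Microsoft Office Word 2007"',
    '198.51.100.7 - - [14/Mar/2009:02:18:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [14/Mar/2009:02:17:40 +0000] "GET /t/zzzzzz.png HTTP/1.1" 404 0 "-" "curl/7.19"',
    '192.168.1.20 - - [14/Mar/2009:09:00:12 +0000] "GET /t/p7x1m4.png HTTP/1.1" 200 68 "-" "Microsoft Office Excel"',
]
```

Run `parse_beacon_hits(SAMPLE_LOG)` to get the two alerts; the external hit on the merger document is the one worth escalating, the internal one is a policy question.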

More of my views on

I don’t get much traffic here and don’t actively market this, as it's an incubator for my own ideas; however, I would love to see if there is some type of response to this or just plain ole standard crickets…..
