This thread might be controversial but I must assume that things will progress that way anyways.  This has to do with the advanced evolution of digital threats.  A very, very large majority of malware is very noisy on the wire.  The fact that bots especially conduct callbacks to their Command and Control systems in the first place, on a regular basis, HELLO, I'M HERE, HELLO, I'M HERE, YO! I'M HERE, is on its face completely ridiculous.  If organizations can’t get their collective asses in gear to remediate their networks when malware is screaming out every minute to malicious IPs then someone needs a good career spanking.
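Since the whole complaint is that regular callbacks are trivially visible, here is an added example (not from the original post) of the detection side: it reads constructed proxy log lines, groups connections per client/destination pair, and flags pairs whose inter-arrival gaps are nearly constant. The log format, hosts and thresholds are assumptions for the sake of the example.

```python
"""Spot the "HELLO, I'M HERE" pattern: find (client, destination) pairs whose
outbound connections recur at near-fixed intervals in a proxy log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic):
# "<ISO timestamp> <client ip> <destination host>"
SAMPLE_LOG = """\
2009-03-01T10:00:00 10.0.0.5 updates.example.com
2009-03-01T10:00:03 10.0.0.5 cdn.example.org
2009-03-01T10:01:00 10.0.0.5 updates.example.com
2009-03-01T10:02:00 10.0.0.5 updates.example.com
2009-03-01T10:03:01 10.0.0.5 updates.example.com
2009-03-01T10:04:00 10.0.0.5 updates.example.com
2009-03-01T10:01:47 10.0.0.7 cdn.example.org
2009-03-01T10:09:12 10.0.0.7 cdn.example.org
2009-03-01T10:11:30 10.0.0.7 cdn.example.org
2009-03-01T10:40:05 10.0.0.7 cdn.example.org
"""

def parse_log(text):
    """Return {(client, dest): [timestamps]} with each list sorted."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        flows[(client, dest)].append(datetime.fromisoformat(ts))
    for stamps in flows.values():
        stamps.sort()
    return flows

def _gaps(stamps):
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]

def beacon_score(stamps):
    """Coefficient of variation of the inter-arrival gaps (0.0 = perfectly
    periodic).  None when there are fewer than two gaps or no spacing at all."""
    gaps = _gaps(stamps)
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def find_beacons(text, min_hits=4, max_cv=0.1):
    """Flag pairs seen at least min_hits times with near-constant spacing.
    Returns [(client, dest, hits, mean_gap_seconds, cv)]."""
    hits = []
    for (client, dest), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            hits.append((client, dest, len(stamps),
                         round(mean(_gaps(stamps)), 1), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for client, dest, n, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest}: {n} hits every ~{gap}s (cv={cv})")
```

Real beacons jitter their timing, so the threshold is a tuning knob; the irregular 10.0.0.7 traffic in the sample is deliberately left unflagged.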

Awesome products like and which focus their attention on the real problems of botnets, instead of the larger AV companies that just sit back and soak up your IT budget, are going to be the game changers here and eventually drive botnet evolution in a new direction, ironically rendering their own products useless.  That's the main problem with solving problems comprehensively – it kills your business plan.

Here's a thought.  Instead of spending a billion dollars and 3 years to rev out the next version of , shim FIREEYE/DAMBALLA into the security stack with custom sigs.  For those that don't know or haven't been reading the press, Einstein is DHS's hope/vision for a big old digital condom against all that nasty hackiness that's been eroding our country's competitive edge for, oh, say, 10 years.  Better hurry up guys, we probably only have about 5 years of research and development left to lose before we are facing adversaries that are as technologically advanced as us.  And oh yeah, 4 times the population.  There won't be much need for us in the future.

This leads to the controversial piece.    MALWARE EVOLUTION #1: HUNTER/KILLER

Evolution of autonomous malware with preprogrammed directives.  Malware is just code, and code is the digital representation of logical directives.  Directives are a language construct of what fleshbots want or need.  Namely us.  It has surprised me for some time that much of the malware out there requires a series of manual control command sets to do its job.  Can't you just go tell a piece of malware “look man, do this, this, this, and uh, if you see this piece of information or event, do this”?  This type of autonomous functional intelligence is what I would have expected from some of the prevalent threats today.   One of the theories behind the lack of sophistication in malware is the Lowest SHIT That Works theory.  Namely, if it works, why expend resources to advance the art?  While they may be right, it certainly keeps things boring on the technical malware analysis side.  Implementing a level of sentient intelligence based on certain low level information primitives would not be too hard of a research and development project.  The goal being to implement a handful of the tools of cyberwar, but have them autonomously conducted, with the goals of taking the operator out of the loop and meeting certain operational criteria.  This way, no beacon beaconing like a goddam rooster, and actually forcing the industry to start looking at the root of the problem, which is the host and its built in internals and functions which enable all this crap in the first place.

I will probably expand on this concept further later, but from a defense side it seems that having your shit beacon, and requiring an operator to do basic shit all the time, is just plain stupid.  Fire and forget malware bombs that can steal shit, then encrypt it and blast it once with a special signature as a digital blob onto a peer to peer network, or to 500 places at once on the Internet for pickup, would make things a lot more interesting.

Well that's it, cat's out of the bag.  Let's see what happens.

-disclaimer: This blog was designed to explore futuristic concepts and memes of cyberwar and all their implications.  This is a conceptual thought exercise only, not an endorsement.

So a researcher I admire for his willingness to reveal his to the general masses, especially through his top 10 lists of the largest.  He has also done excellent research on more sinister malware such as Coreflood which has evolved over the years.


Apparently he is presenting some similar concepts at RSA soon that I have been espousing here, such as my cyber Special Ops forces targeting cybercrime networks.

Here is a quote from his

“Finally, on Thursday I’ll be delivering my own presentation entitled “Demonetizing Botnets” at 2:10 PM. This talk outlines my ideas for how we should restructure our efforts at fighting not just botnets, but cybercrime in general, both long and short-term. In this presentation, I will introduce a concept I call “offense-in-depth”, which I believe is the only approach that can address most of the cybercrime problems we are currently facing, given the current environment with respect to law enforcement’s challenges in cyberspace and pervasive vulnerabilities in computing and networking. I’m not saying my plan is any kind of silver bullet, but I hope it becomes part of the arsenal of everyone out there who is attempting to stem the tide of malicious software and computer intrusion. If you are interested in hearing my take on these matters, please attend. If anything I say inspires you to action, please meet up with me after the talk, and we can discuss the issues further. Hope to see you there!”

I love some of the . Titled….    (Joe, I am behind you on this one.)

Researcher wants hacker groups hounded mercilessly

Botnet expert Joe Stewart says ‘special ops’ teams could thwart cybercriminals

These are concepts I have discussed in great depth in some of my earlier posts, such as the Spotlight Shine Bright series, and my I Call Shenanigans and BBC Wussy Robin Hood articles.

A technology company employing some of the best and the brightest in the field just released an update to their product that actually implements an idea I have been working on since late last year.  Clearly many in the security industry have realized that we need a couple of good game changing concepts to take us to the next level.  My focus was on how to change how we COMMUNICATE about malware.  If we are all working from the same sheet of paper, then we can focus our efforts on other high payoff challenges.

The company is called , led by the guys that literally wrote the book on Rootkits.


HBGary seems to have done a good job implementing Digital DNA features in their flagship product Responder Pro, which is an excellent live memory analysis tool.   More and more, live memory analysis is critical to obtaining a full picture of what the malware does.


I have been researching similar concepts based on extraction, through observational analysis, and generation of malware code DNA traits.  The goal is to identify and classify malware characteristics (what it is) separately from its functions (what it does).

For example, the fact that a piece of code packs itself to hide from antivirus or hinder reversing is a characteristic.  In and of itself it poses no threat.  A piece of code that can read/write files on your system and execute programs is dangerous functionality all around.  That is a function.

A possible implementation would involve creating an Adobe Flex or HTML5 based digital cyber dashboard which takes analyzed samples from backend systems, extracts the DNA automatically or manually, and creates a signature for the malware that combines a representative string of bits representing the DNA with hash and fuzzy hash signatures such as MD5, SHA-1, SHA-256, SHA-512, and SSDeep.

The dashboard then generates a characteristic score and a functional score that combine into an overall threat score.

The operational vision is to use this dashboard to describe the malware DNA in layman's terms so that cyber-operators and CIO types can RAPIDLY understand the threat and deal with it, instead of trying to understand a bunch of gobbledygook.
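As an added illustration of the characteristic/function split, the bit-string DNA and the two scores described above (example code written for this page, not HBGary's Digital DNA or any product's logic): the trait catalogue, its weights and the scoring formula are assumptions, and SSDeep is left out because it is not in the Python standard library.

```python
"""Toy "malware DNA" record: tag a sample with characteristic traits (what it is)
and functional traits (what it does), score each group, and pair the result with
cryptographic hashes.  SSDeep is omitted because it needs a third-party module."""
import hashlib

# Hypothetical trait catalogue: name -> (kind, weight).  Characteristics describe
# how the code presents itself; functions describe what it can do to the host.
# Weights are illustrative and not taken from any product.
TRAITS = {
    "packed":          ("characteristic", 1),
    "anti_debug":      ("characteristic", 1),
    "anti_vm":         ("characteristic", 1),
    "file_read_write": ("function", 2),
    "process_execute": ("function", 3),
    "keylogging":      ("function", 3),
    "network_beacon":  ("function", 2),
    "self_delete":     ("function", 1),
}

def hash_sample(data):
    """Fixed fingerprints of the raw sample bytes."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}

def score_traits(observed):
    """Characteristic score, functional score and the combined threat score."""
    unknown = set(observed) - set(TRAITS)
    if unknown:
        raise ValueError(f"unknown traits: {sorted(unknown)}")
    char_score = sum(TRAITS[t][1] for t in observed if TRAITS[t][0] == "characteristic")
    func_score = sum(TRAITS[t][1] for t in observed if TRAITS[t][0] == "function")
    # Functions carry the actual risk; characteristics only make the sample harder
    # to analyse, so they contribute with a smaller factor.
    return {"characteristic": char_score, "function": func_score,
            "threat": 2 * func_score + char_score}

def dna_string(observed):
    """One bit per catalogue trait, in catalogue order: 1 if observed."""
    return "".join("1" if t in observed else "0" for t in TRAITS)

def describe(observed):
    """Plain-language summary for the dashboard view."""
    chars = [t.replace("_", " ") for t in observed if TRAITS[t][0] == "characteristic"]
    funcs = [t.replace("_", " ") for t in observed if TRAITS[t][0] == "function"]
    return ("Hides itself via: " + (", ".join(chars) or "nothing notable") + ". "
            "Can: " + (", ".join(funcs) or "nothing dangerous observed") + ".")

def build_signature(data, observed):
    """Assemble the record the dashboard would store for one sample."""
    observed = sorted(set(observed))
    return {"hashes": hash_sample(data), "dna": dna_string(observed),
            "scores": score_traits(observed), "summary": describe(observed)}

if __name__ == "__main__":
    # Constructed stand-in for a sample's bytes, not a real binary.
    sig = build_signature(b"MZ-constructed-sample-bytes",
                          ["packed", "anti_vm", "file_read_write",
                           "process_execute", "network_beacon"])
    print(sig["dna"], sig["scores"], sig["summary"], sig["hashes"]["sha256"], sep="\n")
```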

The third component is an intelligence component that combines raw multi-disciplined private and open source intelligence on the bad guys that are behind the campaigns into digital dossiers.

So one may ask oneself: well, anyone can host a page that has exploits, but how do they manage the sheer scale and scope of the attacks we are seeing today?  The answer is through sophisticated Traffic Redirectors.

Here is an example of one.  It is called .  It provides sophisticated reporting and statistics.  It basically monitors the traffic that is redirected based on a malicious IFrame placed on a compromised site.  The IFrame then redirects to an exploit page.
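The compromised-site side of that chain is something a webmaster can check for. Added example (not from the post, and not tied to any particular redirector kit): it parses a page and lists iframes that are both hidden and sourced from another host, which is the shape the injected redirect takes. The sample HTML and the hostnames in it are constructed.

```python
"""Webmaster-side check for the injection these redirector kits depend on: list
<iframe> elements that are hidden (zero/one-pixel or display:none) and whose src
points to a host other than the site's own."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _dimension(value):
    """'0', '1px', ' 1 ' -> int; anything non-numeric -> None."""
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2].strip()
    return int(value) if value.isdigit() else None

def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = [_dimension(attrs.get(d, "")) for d in ("width", "height")]
    return any(v is not None and v <= 1 for v in dims)

def suspicious_iframes(html, site_host):
    """Return src values of hidden iframes that load from another host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src = same host
        if host != site_host and _is_hidden(attrs):
            hits.append(src)
    return hits

# Constructed page: one legitimate embed, one injected hidden off-site frame,
# one visible third-party widget (none of these are real sites).
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/embed/video" width="640" height="360"></iframe>
<iframe src="http://redirector.invalid/in.cgi?3" width="0" height="0"></iframe>
<iframe src="http://partner.example.net/widget" width="300" height="250"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE_PAGE, "www.example.com"))
```

Injected frames are also commonly wrapped in obfuscated JavaScript that writes the tag at runtime, so a static scan of the served HTML is a first pass, not a complete check.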




Geographic origin of code

Language coded in: CGI possibly PERL

Black Market price range

Forums it's marketed on: (Forums/IRC?)

Who the authors are?

Exploitable? TBD

Google identifier search strings.

Code derived from? Progeny.

How long it's been in existence?

Number of Versions.

Apparently there are many, many of these Traffic Redirector services, and even for this traffic.


I wanted to demonstrate the level of sophistication running the back end Command and Control servers for many of these web based, usually P2P, botnets.  Included are support contracts, fees for advanced services, reporting, and sometimes the occasional backdoor! Duh.

As currently shown by the the following pack is now very popular..

, currently considered by many analysts to be at the head of the pack in terms of obfuscation and features.

The pack dynamically generates obfuscated JavaScript at runtime in order to establish an encrypted communication session with the browser via asymmetric encryption.  The browser then sends its critical info such as user agent type, ActiveX controls, plugins, and platform information.

Based on this exchange of information, the pack sends a crafted exploit JUST FOR THE VICTIM.  Whee. How special.


Here is the admin page.


I’m calling


Ok, I am starting to get a little pissed.  As you know, I have been questioning why researchers are not more proactive about taking out botnets and hacking malware and its infrastructure.  Common refrains are NONONONO ooooo that would be illegal, blah blah blah.

Now see the following.. just from today.  There are many more such examples if you troll around.

Here is an article from the highly overhyped Brian Krebs, who I think does a good job reporting but really doesn't go far enough in his questions or in the depth needed to really discuss the important issues in his articles.  Even investigative reporters of the crappy kind go deeper than his content, which is sad, because if he chose to do so it would dramatically up the level of discussion and populate the idea pool with more useful ideas.  He has the audience; now he just needs to up his game to be more effective as a thought leader instead of just a reporter.  Reporters are boring from a research standpoint and do little to add to the cumulative public knowledge base to really solve problems.

“Prior to site’s demise, security researchers managed to snag a copy of the database for the TrafficConverter affiliate program.”

Now explain to me how they were able to do that without breaking any use laws.  I want to be clear here.  I am not supporting the breaking of laws; I am noting that said laws are used as an excuse not to really SOLVE the malware infrastructure problem and to support the security products industry's bottom line.

Based on an alternative is needed for protection… Awesome Title BTW

Storm Worm Botnet Lobotomizing Anti-Virus Programs

Any and all of these attempts would run afoul of some narrow minded, anal retentive lawyer and somehow break a computer law somewhere.  However, the key thing here is authority and intent.

If it's illegal to walk on the grass, yet you see a lady getting mugged on the other side of the really nice garden, do you run across the grass and help her, or walk ALL the way around and hope that the scumbag doesn't off her and make off with her valuables?

If there is a technical way to disable, subvert, dismantle, neuter, compromise, impact, DOS, or surveil a botnet, malware author, cybercrime crew, or criminal organization, then it should be investigated and done if possible, provided it does not make the system inoperable and unusable.  The problem here is that you need extremely sophisticated techniques to do so.  You can't have a bunch of jackass cybervigilantes running amok and causing more havoc than good.

Actions should be assigned to competent organizations / researchers based on a validated and widespread threat.  Sort of like what a CyberInterpol would do, but we know that will never happen.  Essentially what we need is a vetting process whereby, through a collaborative cooperative, security responders/researchers get a free pass to conduct offensive surgical strikes on malware infrastructure and run ops against these crews.

Here is an attempt to that was dead on arrival because there was no will and balls behind the effort.

The result would be degradation of malware infrastructure, sowing distrust and discord among organizations, infiltration through stings, paying rival organizations to rat out their competitors, higher bounties, snatch and grab operations, poison pilled exfiltration data from high level targets, arrests and PREEEESSSUREEEE on the low level schmucks to roll on their buddies, leadership chain attacks, exploitation of malware binaries to render them inert, integrity attacks on command and control channels to disrupt them or get them to disable or delete themselves, and updating the malware to do something beneficial like disabling functions or changing its communication mechanism so it is no longer reachable by its command and control at all.  The field is WIDE OPEN for research to discuss and innovate, but do you see it being done??  NO.  I repeat, NO.

And that's why I am calling SHENANIGANS on the whole lot of them.  Whenever people bring the subject up they give you the standard BS responses; however, in the background they do things, as shown in the previous articles, that would clearly be construed as illegal.

I am calling for a Cyber Free Fire Zone.


For example: make a law that says that all machines that are compromised and attacked entitle the user, or their designated parties, via a special use license, to make any modifications or take any actions against said invading party.  This basically protects the user from legal recourse and could fall under reasonable cyber self defense guidelines.  If you come into my house to steal my Playstation 3 or rape my wife, I am going to beat the shit out of you.  Or worse in the second case.  However, if you come into my computer and steal my vital data or work, compromise my identity, or cause me extreme financial hardship, I have no recourse and can't do anything?!?!

Now people, that just doesn't make sense.  From the government side we need a Cyber Monroe Doctrine, which I believe is a great idea.  As well, if you look at the statistics, many, many of the malware operations are run from inside the United States, so I don't believe for a second that our law's long arms can't reach into Poughkeepsie.

A person who I know well, Lenny Zeltser, who teaches courses for SANS on malware analysis (SANS 610), recently posted a that, while it has important points, I respectfully disagree with.  I think you need to weigh the consequences of an active response against the impact of not acting.  That is the ethical equation.  If you can do more good than harm, you should seriously consider the action.

Here's some more on the BBC incident.  Unfortunately I do not see many advocating any counter malware actions, not to my surprise, because that is the status quo.

So what do we do?  Prosecute security researchers for the intelligence actions they try to keep on the downlow, while at the same time espousing support for the rule of law?  I don't advocate that.  I advocate the declaration of a Cyber Free Fire Zone, establishment of a Cyber Monroe Doctrine, creation of a counterhack implied user license for legal protection, and enhanced and publicized experimentation and surgical counterstrike actions being conducted as I have stipulated above.

Here is an from Britain at least attempting to solve the problem; however, it presents much opportunity for abuse and is only allowed for law enforcement, which defeats the purpose and overall goal.  Regardless, Britain, with all its security incidents, is in no way, shape or form qualified to lead in security research or cyber actions, due to its nightmarish list of compromises and general cyber ignorance from its military, government and intel sections.

Here is another example

Gee Boss, now whut?? (Scratches his head)  The answer is focused collaborative research on cyber courses of action.  DUH!  That's what the military does all the time.  Establish courses of action against an enemy's order of battle.  The acts.  No action here….

Here is another example from the Prevx group

Stolen-data trove offers look inside a botnet

Now how could researchers obtain this and not break the law?  Why was this box not infiltrated and monitored to prosecute, track and punish the people that connect to it and download said purloined information?

“Caches of stolen data like these are hidden throughout the Internet, usually locked away inside password-protected websites or heavily fortified servers. Prevx’s researchers were able to infiltrate this site because it was protected with poor encryption.”

- Cut the bullshit about not being able to do something as a security researcher and whining about laws.  Researchers are already doing it.  However, they are at risk of prosecution, so this debate is about empowering them by giving them cover or implied authority.  A digital Robin Hood / Zorro, if you will.

I think the fact of the matter is, researchers don't want anyone else to do it, so they use the cover of the law to keep public debate to a minimum.  As well, a lot of their SENSOR networks and compromised honeypots used for intelligence, which are nonetheless members of said botnets, are operational and doing everything a full member of a botnet would be doing, such as DDoS and spam.  Maybe even SQL injection attacks a la ASPROX.

It would be nice if guys who had the balls, like Offensivecomputing, had the same initiative and championed these counter cyber attack research options through public debate.  Right now I would imagine it is only debated in military and intel communities, but those organizations are so hamstrung with policies and bullshit that I doubt anything ever gets accomplished, or it's not in their domain, or they just don't care.

FBI included.  They only have limited resources, ya know, and a threshold for what warrants attention.  “So what, you got hacked and lost 10 grand to a Russian guy who drained your brokerage account. Go call the local PD. Dial 911.  Operator: what's the emergency?  Caller: some guy just hacked my computer and stole 10 grand from my brokerage account.  Operator: that's not an emergency.  Police officer: status not my problem, call the FTC.”  Get THE PICTURE?

“The website that Prevx found, which was operating on a server in Ukraine, was still online for nearly a month after security researchers alerted the Internet service provider and law-enforcement authorities. The site was sucking up data from 5,000 newly infected computers each day.” – wow, no action, I am not surprised…

They should have realized abuse complaints in that part of the world go straight to the bit bucket…. duh.. Next time, act.  Compromise the data in the trove with beacons and find the real culprits; put crypto attack code in the documents so that whoever opens them gets their files cryptolocked with a secret key and a message to contact a POC to get your files unlocked.   Other avenues of action are or could be equally disruptive and interesting.  Send the bad guys' information and keystrokes back to the victim.

Here is another great example of retarded action.

Two awesome researchers did excellent innovative work.  Then what happened?  NOTHING.  Great job, management.  Next time set up a Skunkworks unattributable group with resources that are untraceable and Fucking Do It.  Then destroy all traces of said action.  In the current environment this is the only recourse for real action.  Someone needs to stick their dick in the pool first.  Who's it going to be?  Oh yeah, right.  You're not supposed to find out.  Sorry, you won't get the credit, but you'll be the one smiling in the room when it's discussed…..

Pretty soon we need to start dealing with these issues effectively and dealing with the likes of these.


Or we can start expecting our data and vital operations to look like this…


HackBackJack U up.

August 14, 2008

So the concept of hacking back is very simple.  The problem is no one wants to talk about it.  And it rarely gets done, at least in the public domain.  There have been a ton of examples where malware has exploited vulnerabilities in bots/zombies to take over the Command and Control and update them with its own malcode.  There have been other examples of researchers exploiting botnets for research to identify C&C and decode the command sets.

Then there is the actual  such as the ever popular STORM.   This is the really cool stuff; unfortunately some people consider this research area TABOO, which I think is bullshit.  Lots of malware has features to delete itself and clean up its systems.  An attack on a bot's command set that tells it to delete itself would have all kinds of benefits.

This is an from Bitsec, who is reverse engineering malware trojans for bugs, writing exploits for them, and then sending software to the attacker's computer, hopefully to identify their name and IP address.    This guy is pissed and “he ain't gonna take it no Moe!”

The trojan he exploited was Bifrost, which is a BAD ass Remote Access Tool, “read TROJAN”, that freaking does everything under the sun.  It's like Poison Ivy and other RATs, which seem to be templated in code these days.  They are very, very full featured.  A bunch of them can grab mic audio for bugging and video capture from webcams, giving a whole new voyeuristic side adventure to malicious attackers.

There's actually a ton of YouTube video on these things in action.  One of them showed HUNDREDS of webcams being viewed on the screen after the attacker logged in and connected to a ton of people that he compromised.  Can you say privacy is DEAD!! Or did it ever exist?  Do you feel violated yet?

Back to hackbacks.  There are a ton of opportunities for this, and it sort of comes from the Honeypot philosophy yet instead of sitting there waiting to be attacked, you do the attacking.  Recently

Well, one can’t really discuss the malware space without focusing on bots, which are basically souped up trojans that get put onto machines via an innumerable number of attack vectors, typically spam, SQL injection / malicious obfuscated JavaScript / multihop iframe redirections to multistaged malware dropper sites hosted by fast flux networks.  Data, information, and authentication and identity credentials such as passwords, usernames, and SSNs get stolen off machines, encrypted and sent through P2P based HTTP outbound ports via encrypted proxy services, and dumped onto drop site servers where the info is picked up and sold to the highest bidders in the underground for identity theft, more data stealing, and espionage.   Can you say, are we having fun yet?!?!  Anyways,

Here's a about what one of these puppies looks like. When you hear about things like Storm, this is what they are talking about. Oh yeah, they are hidden by advanced rootkit technology and their binaries are packed and obfuscated, making effective reverse engineering way more difficult. Oh yeah, and they use anti virtual machine and anti debugger tricks as well.

