Cyberwar and attribution

December 31, 2008

One thing I don't understand is why bad guys aren't smarter.  For example: attribution.  If you're the Chinese government trying to steal US government secrets, why the hell would you use Chinese code, exfil data to Chinese drop sites, and use Chinese-hosted malware download locations?  To me that's just stupid.  If I were Chinese I would code in Brazilian, attack from Ghana, exploit from England, and exfil to Australia.  You get the point?  Cyberwar has not crossed the multilingual barrier to become cross-language enabled and geographically obfuscated.  Geographic obfuscation and misdirection would be a very interesting area to research from an attack perspective.  One of the primary tenets in Information Operations is deception.


I give the current attack community an F for deception.  At least, that's how it's played out in the press.  It's practically obvious the Chinese are hacking the shit out of the US on a daily basis.  And it's practically obvious that Russians are in control of RBN out of Saint Petersburg, protected by politically connected, powerful parties.  RBN controls the Storm worm and other cybercrime botnets, as well as having some of the best coders around (reference: Rustock).

NOTE:  Name the effin' guys behind the Storm worm already; certain parties know who they are but ain't talkin'.  Put up detailed bios of them in the mass media.  I think it's pretty sucky that the security community doesn't combine intelligence with security technology.  There are lines that they draw and don't cross, when you get a much more well-rounded picture if you are not afraid to amp up a 1000-watt spotlight on something and expose it to the public.

Another side note.  Hey, security community: start posting graphics, code and info on the backend software and consoles for some of the more powerful botnets like Rustock, Storm, Asprox.  Let's do a dissection of a C&C for these, and post about it for the research community.  Has anyone found the builders for any of these?  How about source code?  I would imagine it can either be stolen, compromised, or someone bribed.  Have we fingerprinted where it's coded and identified, via coding methods, how many are involved, and tracked identities that way?  Also, there needs to be way, way more research on EXPLOITING these botnet binaries.  Not just for monitoring's sake.  YOU'VE been monitoring for years.  DO something already.  If you can internationally capture and prosecute, then for Pete's sake run an operation on these guys.  Or maybe this is all one big scam operation to get everyone to buy more security software and purchase credit monitoring services and insurance.

One example of a botnet being repurposed to massive detrimental effect is Asprox.  They are now P2P/fast-flux and have an automatic SQL injection engine as well as password-stealing capabilities.  I was wondering when botnets were going to adapt to do something other than the same bullshit propagation, spam, and DDoS.  That shit's boring.

Back to attribution.  If the Chinese and Russians had done things right, we wouldn't be screaming about them; people would still be scratching their heads and wondering WTF?!  Maybe they are just unsophisticated or lazy, maybe they don't care.  Probably both.  Maybe that's why you never hear about American cyberwar attacks.  Either A, we are too scared and don't do it (lawyers got our balls in a cinch), or B, we have been doing it all along and are just way, way too good to get caught because we do it right.  My vote is on B.  BTW, anyone know who ran that operation that bugged the Greek Prime Minister and trojaned their Ericsson wireless telco switches to effectively wiretap them for 6 months?  NOW that was a hack.  Only the best do that shit.  I haven't heard anyone name names, but I have a clue.

Enough about that.  The point is: if you run an op, whatever it is, make it non-attributable and geographically distributed, or better yet attack from YOUR enemy's back yard.  Let him take the heat.


