Unique Pack –

uu

going_along51

NOTE: the possible author of the pack. 

Indication of author is not tantamount to owner of pack or operator of pack.

Most of these things are coded collaboratively from many authors and geographic locations.

For perspective this would be a true realization of the distruptive nature of open source software.

The only real intelligence value of these things are:

What unique identifiers are in the kits that could allow for detection.  See GOOGLE hacking.

["unique sheaf sploits" "Vparivatel" "All Vpars" "Totals/Loads"]

What language is used, can the implementation be exploited.

How can you pwn the server to monitor usage? Exploitable??

Are the operators stupid enough to connect directly or do they come in via proxied connections such as Tor?

WHERE is the DROP SITE?  Can we Trojan the drop site with a payload to track the movement of its data?

Can we poison Pill the data (via Cryptographic attack or assured destruction Secure delete) or the systems that use the data?

I’m calling

senanigans

Ok, I’m am starting to get a little pissed.  As you know I have been questioning why researchers are not more proactive about taking out botnets and hacking malware and its infrastructure.  Common refrains are NONONONO ooooo that would be illegal blah blah blah.

Now see the following.. just from today.  There are many more such examples if you troll around.

Here is an article from the highly overhyped Brian Krebs who I think does a good job reporting but really does’nt go far enough in his questions or the depth of levels needed to really discuss the important issues in his articles.  Even investigative reporters of the crappy kind go deeper than his content which is sad, because if he chose to do so would dramatically up the level of discussion and populate the idea pool with more useful ideas.  He has the audience now he just needs to up his game to be more effective as a thought leader instead of just a reporter.  Reporters are boring from a research standpoint and do little to add to the cumulative public knowledge base to really solve problems.

“Prior to site’s demise, security researchers managed to snag a copy of the database for the TrafficConverter affiliate program.”

Now explain to me how they were able to do that without breaking any use laws.  I want to be clear here.  I am not supporting breaking of laws, I am noting that said laws are used as an excuse to really SOLVE the malware infrastructure problem and support the Security products industries bottom lines.

Based on an alternative is needed for protection… Awesome Title BTW

Storm Worm Botnet Lobotomizing Anti-Virus Programs

Any and all of these attempts would run afoul of some narrow minded anal retentive lawyer and somehow break a computer law somewhere.  However the key thing here is authority and intent.

If its illegal to walk on the grass, yet you see a lady getting mugged on the other side of the really nice garden, do you run across the grass and help her or walk ALL the way around and hope that the scumbag does’nt off her and make off with her valuables.

If there is a technical way to disable, subvert, dismantle, neuter, compromise, impact, DOS, surveille a botnet, malware author, cybercrime crew, criminal organization then it should be investigated and done if possible provided it does not make the system inoperable and unusable.  The problem here is that you need extremely sophisticated techniques to do so.  You cant have a bunch of jackass cybervigilantes running amok and causing more havoc then good.

Actions should be given to competant organizations / researchers based on a validated and widespread threat.  Sort of like what a CyberInterpol would do, but we know that will never happen.  Essentially what we need is a vetting process whereby through a collaborative cooperative of security responders/researcher get a free pass to conduct offensive surgical strikes on malware infrastructure and Run ops against these crews.

Here is an attempt to that was dead on arrival because there was no will and balls behind the effort.

Result would be degradations of malware infrastructure, sowing distrust and discord among organizations, infiltration through stings, paying rival organizations to rat out their competitors, higher bounties, snatch and grab operations, poison pilled exfiltration data from high level targets, arrest and PREEEESSSUREEEE on the low level schmucks to roll on their buddies, leadership chain attacks, exploitation of malware binaries to render them inert, integrity attacks on command and control channels to render them disrupted or get them to disable or delete themselves, updating the malware do doing something beneficial like disable functions or change its communication mechanism so it is no longer reachable by its command and control at all.  The field is WIDE OPEN for research to discuss and innovate but do you see it being done??  NO.  I repeat NO>

And thats why I am calling SHANANIGANS on the whole lot of them.  When people ever bring the subject up they give you the standard BS responses, however in the background they do things as shown in the previous articles that would clearly be construed as illegal.

I am calling for a Cyber Free Fire Zone.

081110170523

For example.  Make a law that says that all machines that are compromised and attacked, entitle the user or its designated parties via a special use license to make any modifications or actions against said invading party.  This basically protects the user from legal recourse and could fall under reasonable cyber self defense guidelines.  If you come into my house to steal my Playstation 3 or rape my wife I am going to beat the shit out of you.  Or worse in the second case, however if you come in to my computer and steal my vital data or work and compromise my identity or cause me extreme financial hardship I have no recourse and cant to anything?!?!

Now people that just doesnt make sense.  From the goverment side we need a Cyber Monroe doctrine which I believe is a great idea.  As well if you look at the statistics, many many of the malware operations are run from inside the United States to I dont believe for a second, that our laws long arms cant reach into Pukipsee.

A person who I know well, Lenny Seltser who teaches courses for SANS on malware analysis (SANS 610)  posted recently a that while has important points I respectfully disagree with.  I think you need to weigh the consequences between an active response and the impact of not acting.  That is the ethical equation.  If you can do more good then harm, you should serious consider the action.

Here some more on the BBC incident.  Unfortunately I do not see many advocating any counter malware actions, not to my suprise because that is the status quo.

So what do we do?  Prosecute security researchers for their intelligence actions that they try and keep on the downlow, while at the same time espousing support for the rule of law?  I dont advocate that.  I advocate the declaration of a Cyber Free Fire Zone, Establishment of a Cyber Monroe Doctrine, Creation of a counterhack implied user license for legal protection, and enhanced and publised experimentation and surgical counterstrike actions being conducted as I have stipulated above.

Here is an from Britian at least attempting to solve the problem, however present much opportunity for abuse and is only allowed by law enforcement which defeats the purpose and overall goal.  Regardless, Britian with all its security incidents is really in no way shape or form qualified to lead in security research or cyber actions due to its nightmareish list of compromises and general cyber ignorance from its military, goverment and intel sections.

Here is another example

Gee Boss, now whut?? (Scratches his head)  The answer is focused collaborative research on cyber course of actions.  DUH!  Thats what the military does all the time.  Establish course of actions against an enemy’s order of battle.  The acts.  No action here….
Here is another example from the Prevx group

Stolen-data trove offers look inside a botnet

Now how could researchers obtain this and not break the law?  Why was this box not infiltrated and monitored to prosecute, track and punish the people that connect and download said purloined information.

Caches of stolen data like these are hidden throughout the Internet, usually locked away inside password-protected websites or heavily fortified servers. Prevx’s researchers were able to infiltrate this site because it was protected with poor encryption.”

- Cut the bullshit about not being able to do something as a security researcher and whining about laws.  Researchers are already doing it.  however they are at risk of prosecution so this debate is about empowering them by giving them cover or implied authority.  A digital RobinHood / Zorro if you will.

I think the fact of the matter is, researchers dont want anyone else to do it, so use the cover of the law to keep public debate to a minimum.  As well, alot of their SENSOR networks and compromised honeypots used for intelligence yet are members of said botnets are operational and doing everything a full member of a botnet would be doing such as DDOS and spam.  Maybe even SqL injection attacks ala ASPROX.

It would be nice if guys who had the balls like Offensivecomputing had the same initiative and championed these counter cyber attack research options through public debate.  Currently right now I would imagine it is only debated in Military and Intel communities but those organizations are so hamstrung with policies and bullshit that I doubt anything rarely gets accomplished, or its not in their domain, or they just dont care.

FBI included.  They have only limited resources ya know and threshold for what warrants attention.  “So what you got hacked and lost 10grand to a russian guy who drained your brokerage account. Go call the local PD. Dial 911, Operator, whats the emergency.  Caller- some guy just hacked my computer and stole 10 grand from my brokerage account.  Operator, thats not an emergency. Police officer status not my problem, call the FTC.”  _get_THE_PICTURE?

The website that Prevx found, which was operating on a server in Ukraine, was still online for nearly a month after security researchers alerted the Internet service provider and law-enforcement authorities. The site was sucking up data from 5,000 newly infected computers each day.” – wow no action, i am not suprised…

They should have realized abuse complaints in that part of the world go straight to the bit bucket…. duh.. Next time act.  compromise the data in the trove with beacons and find the real culprits,  put crypto attack code in the documents so that whoever opens them gets their files cryptolocked with a Secret key and a message to contact a POC to get your files unlocked.   Other avenues of action are or could be equally disruptive and intersting.  Send the badguys information and keystrokes back to the victim.

Here is another great example of retarded action.

Two awesome researchers did excellent innovative work.  Then what happened.  NOTHING.  Great job management.  Next time set up a Skunkworks unattibutable group with resources that are untraceable and Fucking Do it.  Then destroy all traces of said action.  In the current environment this is the only recourse for real action.  Someone needs to stick their dick in the pool first.  Whose it going to be.  O yea right.  Your not supposed to find out.  Sorry you wont get the credit but youll be the one smiling in the room when its discussed…..

Pretty soon we need to start dealing with these issues effectively and dealing with the likes of these.

lens1552240_evilleprechaun

Or we can start expecting our data and vital operations to look like this…

beirut2

Follow

Get every new post delivered to your Inbox.