This post was just brought to my attention. I don't know how much more I'm going to share my thoughts about Damballa's take on this stuff, because it's just getting frustrating... I don't take enjoyment from sitting around telling people they are wrong when they clearly are not listening to anyone.
Does anyone really believe that the botnet operators behind the Aurora attacks chose to use the most basic and amateurish malware they had on hand because they didn’t need anything more advanced? That sounds about as silly as a bank robber choosing to leave his gun at home in favor of taking an 18 inch wooden baton along because he hears that the guards are only armed with 16 inch batons.
When these guys get caught, they step up their techniques and tools. I've seen it play out at least three times in the past year. It's a key aspect of the Sino-APT groups' MO. Ask Mandiant.. Ask FBI.. Ask someone at ShadowServer.. Many people have seen it play out. You should stop ignoring people who have dealt with these specific groups. (Update: See the bottom of the full post for more details about this.)
I’ve also heard a few people say that the botnet operators were so smart that they may have created the malware to look like it was developed by a bunch of amateurs. It’s all beginning to sound like a conspiracy theory – next we’ll hear that aliens have landed and are subtlety infiltrating online businesses as they proceed with their plan for world domination…
You are totally locked into the mentality that attackers need advanced botnets to get the job done. Get over it. Sino-APT has nothing to do with advanced botnets. Your product has to do with advanced botnets... From a distance, the comments coming from Damballa amount to "if our product can't help with battling Sino-APT, than Sino-APT doesn't exist as you define it."
One question I’ve got to ask though is “Why didn’t they just use a DIY kit?” Malware generated using one of the kits would have offered greater functionality, armoring, and would generally have had less likelihood of detection. Some possible reasons for not using a DIY kit:
They didn’t trust the kits that are out there. Many of the free and pirated kits are backdoored – meaning that any malware created from them have hidden CnC’s built in, and report back to the kit author/pirate.
Again, Sino-APT doesn't use (or need) botnets. At any given time, Sino-APT uses less than five hosts to receive beacons and c&c connections per-victim.
Using DYI kits increases the likelihood of detection, as eventually every DYI kit is going to get some analysis done on it by a security vendor if it becomes even remotely widespread. Crafting tools specific to the victim, o... [ Read More (0.5k in body) ]