Damballa is missing the forest for the trees...
The computer attack which led Google to threaten leaving China and created a firestorm between Washington and Beijing appears to have been deployed by amateurs, according to an analysis by a U.S. technology firm.
"I would say this particular botnet group was not well funded, in which case I would not conclude they were state sponsored, because the level of the tools used would have been far superior to what it was," said Gunter Ollmann, vice president of research at Damballa, an Atlanta-based company that provides computer network security.
If the security hole in Internet Explorer was the smoking gun of the attacks, what Ollmann and his researchers looked at was "the occupants and driver of the getaway van," he said. They analyzed the global network of computers that attackers remotely used to deploy the attack, called a "botnet" -- computers that, unbeknownst to owners, are taken over remotely and used to spread malicious software, or malware.
What Damballa researchers found in the Google attack botnet was less '007' and more 'DIY,' using software that could be found and downloaded widely on the Internet. "This team launching the attack were unsophisticated amateurs," Ollmann said.
The botnet used in the attack began being tested in July, nearly six months before the attack, according to Damballa analysis.
He added, "Some of the codes within the malware were at least five years old" -- ancient, by software development standards. The attackers used technology "that had been abandoned by professional botnet operators years ago," he said.
The botnet is not the key to this. APT doesn't use many hosts in their attacks. They don't maintain some huge botnet, nor do they need to.
One of the key hallmarks of APT is using the minimum resources and least advanced techniques necessary to get the job done. You see old code, old tricks, and few hosts (which are often shared with other groups). As long as it gets past the security controls the target has in place, they don't care how old or widely available the tooling is.
When you analyze APT activity over time, you see a clear division of labor between the teams doing the work. They keep a 7-day week with 8 to 11 hour days.
These are all hallmarks of a non-amateur outfit.
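The working-schedule observation above is something you can measure rather than eyeball. Here is an added example, not code from the original post or from Damballa, that takes the UTC timestamps of interactive attacker commands recovered from host logs and derives days per week, hours per day, and the UTC offset under which the activity best fits a daytime shift. The event list is constructed sample data, and the 08:00 to 20:00 "workday" window and the function names are assumptions made for illustration.

```python
"""Operational-tempo analysis of attacker activity timestamps (added example).

Given the times at which an intruder was interactively active, derive the
working pattern: days per week, hours per day, and the UTC offset that
best places the activity inside a daytime shift. Hypothetical helper names
and sample data; not from the original post or any real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: UTC timestamps of interactive operator commands
# (e.g. lateral-movement tooling launched on a compromised host) over one
# week, Monday 2010-01-04 to Sunday 2010-01-10. Not real incident data.
SAMPLE_EVENTS = [
    "2010-01-04T01:05:00Z", "2010-01-04T03:40:00Z", "2010-01-04T06:15:00Z", "2010-01-04T09:50:00Z",
    "2010-01-05T00:50:00Z", "2010-01-05T04:10:00Z", "2010-01-05T07:30:00Z", "2010-01-05T10:20:00Z",
    "2010-01-06T01:15:00Z", "2010-01-06T05:00:00Z", "2010-01-06T10:45:00Z",
    "2010-01-07T01:00:00Z", "2010-01-07T06:30:00Z", "2010-01-07T11:10:00Z",
    "2010-01-08T00:45:00Z", "2010-01-08T03:20:00Z", "2010-01-08T08:00:00Z", "2010-01-08T09:55:00Z",
    "2010-01-09T01:30:00Z", "2010-01-09T05:45:00Z", "2010-01-09T10:00:00Z",
    "2010-01-10T01:10:00Z", "2010-01-10T04:00:00Z", "2010-01-10T09:40:00Z",
]

# Assumed local-time window for a "daytime shift" (hours, half-open).
WORKDAY_START, WORKDAY_END = 8, 20


def parse(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp into a naive datetime (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def daily_spans(events, offset_hours=0):
    """Return {date: (first_event, last_event)} after shifting every event
    by offset_hours, so a day is bounded in the hypothesised local zone."""
    by_day = defaultdict(list)
    for e in events:
        t = parse(e) + timedelta(hours=offset_hours)
        by_day[t.date()].append(t)
    return {d: (min(ts), max(ts)) for d, ts in by_day.items()}


def tempo(events, offset_hours=0):
    """Summarise the operator's working pattern."""
    spans = daily_spans(events, offset_hours)
    hours = [(last - first).total_seconds() / 3600 for first, last in spans.values()]
    weekdays = {d.weekday() for d in spans}  # 0 = Monday ... 6 = Sunday
    return {
        "days_active": len(spans),
        "distinct_weekdays": len(weekdays),
        "median_hours_per_day": round(median(hours), 2),
        "max_hours_per_day": round(max(hours), 2),
    }


def best_workday_offset(events):
    """Heuristic: the UTC offset that puts the largest share of activity
    inside the assumed WORKDAY_START..WORKDAY_END local window. Ties keep
    the offset closest to UTC. This narrows a time-zone hypothesis; it is
    not proof of where the operators sit."""
    best_offset, best_share = 0, -1.0
    for offset in range(-12, 15):
        local_hours = [(parse(e) + timedelta(hours=offset)).hour for e in events]
        share = sum(WORKDAY_START <= h < WORKDAY_END for h in local_hours) / len(local_hours)
        if share > best_share or (share == best_share and abs(offset) < abs(best_offset)):
            best_offset, best_share = offset, share
    return best_offset, round(best_share, 2)


if __name__ == "__main__":
    print("tempo (UTC):", tempo(SAMPLE_EVENTS))
    offset, share = best_workday_offset(SAMPLE_EVENTS)
    print(f"best-fit offset: UTC{offset:+d} ({share:.0%} of activity in the workday window)")
```

On the constructed data this reports seven active days covering all seven weekdays, a median of just over nine hours between first and last command each day, and a best-fit offset of UTC+8 with all activity inside the assumed shift window. The useful part for an analyst is not the specific numbers but that a consistent multi-hour, seven-day schedule across a long intrusion is the kind of signal a botnet-centric view never looks at.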
Stop thinking about the botnet aspect. Think like an intelligence operative. If you were targeting an organization and you opened with your most advanced tools, what happens when you get caught? You fall back to less advanced tools? That's stupid. You'd use your most basic assets first, and only when those got caught would you bring out your next best set. The P in APT is PERSISTENT.
Damballa doesn't get it...