Create an Account
username: password:
  MemeStreams Logo

Yet even more ranting about Damballa and APT...


Picture of Rattle
Rattle's Pics
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

Rattle's topics
   Sci-Fi/Fantasy Literature
  Tech Industry
  Telecom Industry
Health and Wellness
   Using MemeStreams
Current Events
  War on Terrorism
Local Information
  SF Bay Area
   SF Bay Area News
  Nano Tech
  International Relations
  Politics and Law
   Civil Liberties
    Internet Civil Liberties
   Intellectual Property
   Computer Security
   PC Hardware
   Computer Networking
   Software Development
    Open Source Development
    Perl Programming
    PHP Programming
   Web Design
  Military Technology
  High Tech Developments

support us

Get MemeStreams Stuff!

Yet even more ranting about Damballa and APT...
Topic: Computer Security 3:45 pm EDT, Apr  1, 2010

This post was just brought to my attention. I don't know how much more I'm going to share my thoughts about Damballa's take on this stuff, because it's just getting frustrating... I don't take enjoyment from sitting around telling people they are wrong when they clearly are not listening to anyone.

Does anyone really believe that the botnet operators behind the Aurora attacks chose to use the most basic and amateurish malware they had on hand because they didn’t need anything more advanced? That sounds about as silly as a bank robber choosing to leave his gun at home in favor of taking an 18 inch wooden baton along because he hears that the guards are only armed with 16 inch batons.

When these guys get caught, they step up their techniques and tools. I've seen it play out at least three times in the past year. It's a key aspect of the Sino-APT groups' MO. Ask Mandiant.. Ask FBI.. Ask someone at ShadowServer.. Many people have seen it play out. You should stop ignoring people who have dealt with these specific groups. (Update: See the bottom of the full post for more details about this.)

I’ve also heard a few people say that the botnet operators were so smart that they may have created the malware to look like it was developed by a bunch of amateurs. It’s all beginning to sound like a conspiracy theory – next we’ll hear that aliens have landed and are subtlety infiltrating online businesses as they proceed with their plan for world domination…

You are totally locked into the mentality that attackers need advanced botnets to get the job done. Get over it. Sino-APT has nothing to do with advanced botnets. Your product has to do with advanced botnets... From a distance, the comments coming from Damballa amount to "if our product can't help with battling Sino-APT, than Sino-APT doesn't exist as you define it."

One question I’ve got to ask though is “Why didn’t they just use a DIY kit?” Malware generated using one of the kits would have offered greater functionality, armoring, and would generally have had less likelihood of detection. Some possible reasons for not using a DIY kit:

They didn’t trust the kits that are out there. Many of the free and pirated kits are backdoored – meaning that any malware created from them have hidden CnC’s built in, and report back to the kit author/pirate.

Again, Sino-APT doesn't use (or need) botnets. At any given time, Sino-APT uses less than five hosts to receive beacons and c&c connections per-victim.

Using DYI kits increases the likelihood of detection, as eventually every DYI kit is going to get some analysis done on it by a security vendor if it becomes even remotely widespread. Crafting tools specific to the victim, or that are not widely used, even if they are less advanced, is a way better method of avoiding detection.

Just about every kit I tend to come across is menu driven and relies upon English, Portuguese or Spanish (sometimes Catalan) to use properly. Perhaps the botnet operators couldn’t find a kit that supported their language preference and they couldn’t understand them? (sounds like a market opportunity for some would-be DIY kit author)

They have an excellent command of the English language, as is evident from spearphishing emails... You get occasional misspellings, but the grammar is quite good. Exploits attached to spearphishing emails usually give away that they use XP Professional Chinese Edition on Lenovo boxes. Other things seen indicate a Chinese character set as their preferred default, so they are no doubt bi-lingual, which isn't at all uncommon in Beijing, Shanghai, Hong Kong, et cetera.

The malware authors may have wanted to “learn on the job” and treated the whole thing as a learning experience. As crazy as it seems, this is a popular experiment amongst the newbie hackers and computer science undergrads.

Perhaps the malware authors have led a sheltered life and naively thought they could do it better than the professionals.

These guys know what they are doing. They are very good at planning around getting caught. They have a rigid daytime (+8GMT) work schedule and a 7-day work week. These aren't script kiddies. These are very organized groups.

Furthermore, it's not like there is just one group doing all this. Multiple groups using the same general technique I've been describing have been identified. There is a fucking APT cottage industry in China . . . which you're basically ignoring the existence of..

Everything I'm saying here has made it's way outside of the classified space in various forms. This isn't conspiracy theory stuff.

The profile of this threat Damballa is working under is completely wrong.

Update: Just to reinforce some of what I said about how Sino-APT starts with basic tools and scales up as necessary, here are a few excerpts from the NorthropGrumman paper:

These attackers have also demonstrated an awareness of a targeted organization’s information security measures according to forensic analysis of attacker activity, and appear able to alter their operations to avoid detection, reflecting the highly detailed reconnaissance that they—or others on their behalf—conduct. The attackers in these operations likely use tools or techniques that are only as sophisticated as they need to be for the environment in which they are operating, holding their more capable tools in reserve until genuinely required.

* Attackers have demonstrated some ability to respond to adjustments in security configurations to ensure maximum time “on station” to accomplish their collection mission. These responses include, but are not limited to, shifting to stealthier communications channels, jumping to different C2 servers, the rapid deletion of toolkits upon detection of defender presence and the harvesting of configuration files to support further target analysis.

* The individuals responsible for maintaining access have demonstrated flexibility in responding to unexpected changes in network defenses by the targeted organization, suggesting they prepare for these contingencies in advance, similar to conducting an “enemy course of action” analysis. Generally, this preparation has involved the pre-placement of redundant communication channels, C2 nodes on multiple external servers, and multiple breach points in a targeted network (usually other computers in the targeted network that have already been compromised and are held in reserve until needed).

Yet even more ranting about Damballa and APT...

Powered By Industrial Memetics