Ringy Ringy…Beacon Callbacks – Why don't you just tell them they're pwned…

March 12, 2010


This thread might be controversial, but I must assume that things will progress that way anyway.  This has to do with the advanced evolution of digital threats.  A very, very large majority of malware is very noisy on the wire.  The fact that bots especially conduct callbacks to their Command and Control systems on a regular basis in the first place, HELLO, I'M HERE, HELLO, I'M HERE, YO! I'M HERE, is on its face completely ridiculous.  If organizations can't get their collective asses in gear to remediate their networks when malware is screaming out every minute to malicious IPs, then someone needs a good career spanking.
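Added example, not code from the original post: a small periodicity check over constructed connection records, showing how a defender spots the "HELLO, I'M HERE" pattern this paragraph complains about. Every IP, timestamp and threshold in it is constructed.

```python
"""Flag clockwork-regular callbacks in a constructed connection log.
A bot that says "HELLO, I'M HERE" on a fixed timer leaves near-identical
gaps between connections; ordinary traffic does not."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (epoch seconds, source IP, destination IP).
# 10.0.0.5 calls 203.0.113.7 every ~60 s (a few seconds of jitter);
# 10.0.0.9 talks to 198.51.100.20 at irregular, human-looking times.
SAMPLE_LOG = [
    (t, "10.0.0.5", "203.0.113.7")
    for t in (0, 61, 119, 181, 240, 302, 359, 421, 480, 541)
] + [
    (t, "10.0.0.9", "198.51.100.20")
    for t in (0, 5, 140, 143, 150, 400, 401, 960, 965, 1300)
]

def beacon_scores(log, min_events=8):
    """Map (src, dst) -> (mean gap in seconds, coefficient of variation).

    cv = population stdev of the gaps / mean gap; near 0 means the host
    reconnects on a timer. Pairs with fewer than min_events are skipped.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in log:
        by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # every event shares one timestamp; not a beacon
            continue
        scores[pair] = (avg, pstdev(gaps) / avg)
    return scores

def suspected_beacons(log, max_cv=0.2, min_events=8):
    """Return [(pair, mean gap, cv)] for low-jitter pairs, most regular first."""
    hits = [(pair, avg, cv)
            for pair, (avg, cv) in beacon_scores(log, min_events).items()
            if cv <= max_cv]
    return sorted(hits, key=lambda hit: hit[2])

if __name__ == "__main__":
    for (src, dst), avg, cv in suspected_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: calls home every ~{avg:.0f}s (cv={cv:.3f})")
```

On real data the same check runs over proxy or flow logs bucketed per host pair; tune `max_cv` and `min_events` to the traffic volume, since a short window with few events gives an unreliable cv.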

Awesome products like FireEye and Damballa, which focus their attention on the real problem of botnets instead of the larger AV companies that just sit back and soak up your IT budget, are going to be the game changers here and will eventually drive botnet evolution in a new direction, ironically rendering their own products useless.  That's the main problem with solving problems comprehensively – it kills your business plan.

Here's a thought.  Instead of spending a billion dollars and 3 years to rev out the next version of Einstein3, shim FireEye/Damballa with custom APT sigs into the security stack.  For those that don't know or haven't been reading the press, Einstein is DHS's hope/vision for a big old digital condom against all that nasty hackiness that's been eroding our country's competitive edge for, oh, say, like 10 years.  Better hurry up guys, we probably only have about 5 years of research and development left to lose before we are facing adversaries that are as technologically advanced as us.  And oh yeah, 4 times the population.  There won't be much need for us in the future.

This leads to the controversial piece.    MALWARE EVOLUTION #1  HUNTER/KILLER

Evolution of autonomous malware with preprogrammed directives.  Malware is just code, and code is the digital representation of logical directives.  Directives are a language construct of what fleshbots want or need.  Namely us.  It has surprised me for some time that much of the malware out there requires a series of manual control command sets to do its job.  Can't you just go tell a piece of malware "look man, do this, this, this, and uh, if you see this piece of information or event, do this"?  This type of autonomous functional intelligence is what I would have expected from some of the prevalent threats today.   One of the theories behind the lack of sophistication in malware is the Lowest SHIT That Works theory.  Namely, if it works, why expend resources to advance the art?  While they may be right, it certainly keeps things boring on the technical malware analysis side.  Implementing a level of sentient intelligence based on certain low-level information primitives would not be too hard of a research and development project.  The goal being to implement a handful of the tools of cyberwar, but have them autonomously conducted, with the goals of taking the operator out of the loop and meeting certain operational criteria.  This way there is no beacon beaconing like a goddamn rooster, and it actually forces the industry to start looking at the root of the problem, which is the host and its built-in internals and functions that enable all this crap in the first place.

I will probably expand on this concept further later, but from a defense side it seems that having your shit beacon, and requiring an operator to do basic shit all the time, is just plain stupid.  Fire-and-forget malware bombs that can steal shit, then encrypt it and blast it once with a special signature as a digital blob onto a peer-to-peer network, or to 500 places at once on the Internet for pickup, would make things a lot more interesting.

Well, that's it. Cat's out of the bag. Let's see what happens.

-disclaimer  This blog was designed to explore futuristic concepts and memes of cyberwar and all their implications.  This is a conceptual thought exercise only, not an endorsement.


4 Responses to "Ringy Ringy…Beacon Callbacks – Why don't you just tell them they're pwned…"

  1. Just curious, but are you aware that this blog post was mentioned in one of the HBGary Federal emails that was released by Anonymous?

    Suspect your traffic is going to go up 🙂

  2. 0ped0ut said

    I have a few variations of Stuxnet, AV sees it everyyyyyytime no matter where it comes from. But good read man, agree with you 100%.
