On the outside, peering into the incomprehensible.

March 23, 2011


Malware has reached the point of overwhelming the collective average intelligence of the normal operator.  With a plethora of threats, and an effectively infinite number of possible variations, the complexity of such threats will eventually overwhelm the cognitive capacity of any single human.  This is why we have seen over the past few years the "dumbing down" of AV protections, which struggle to deal with tens of millions of samples a year and hundreds of thousands of signatures.  Lost in all the automated analysis are the digital nuggets of intelligence that are missed, or only noted in some obscure report with no operational context.

One case in point is the clear chaos and confusion of the antiquated CARO naming convention for categorizing and naming malware.  EVERY single AV company does it differently.  No one can agree on a naming convention.  Names of bots/trojans are OBFUSCATED for pointless, worthless reasons, adding to the confusion and noise level.  Take, for example, the latest Adobe Flash 0-day combined with targeted attacks.  F-Secure, after analyzing a very important zero-day attack launched in a highly targeted fashion by actors that are causing a tremendous amount of digital carnage, does its analysis of the exploit, and then decides to give the actual payload (the digital weapon) some ridiculous name (Trojan.Agent.ARKJ).   Granted, this dumbing down of names has been going on for years; however, when the context of important attacks is raising public awareness to such a high degree, the tools and arsenal of threat actors should be made known to the general public.  One of the reasons security response teams just reimage and move on with their business is that they have no ability to triage a really damaging threat unless they do a full static and dynamic analysis of it themselves; the AV name tells them nothing about who is behind it or what else it is connected to.

The APT threat group based in the Shanghai Military Region Tactical Reconnaissance Bureau that has been discussed in earlier posts has malware whose analysis reports (ThreatExpert, for example) and VirusTotal results link that specific malware and its evolution back to 2005!  Coincidentally, this is one of the threats that gets automatically analyzed and classified as blah blah Trojan/Backdoor-DSG or whatever the stupid CARO implementation spits out.  Additionally, some malware is named, but the name is a scrambled variant of the author, the callback domain, the victim, or some attribution string or mutex in the malware, because for some reason AV companies feel it's "important" to protect the privacy of malicious cyber actors.  This helps absolutely no one and serves to dissipate the tactical, operational, and strategic importance of a particular attack, as well as to misdirect the attention of the public away from the victim and the damage being done.

The espionage attacks of Aurora/GhostNet/ShadowNet and others have not only popularized the naming of malcode but given it a tremendous amount of publicity and attention from researchers WITH the time to rip apart the code and possibly connect the dots to support actor attribution.  Additionally, it's this kind of publicity that gets the non-geek world to stand up and take notice that their lunch is getting eaten on a daily basis.  AV companies, in the early days and through the past decade, sought to take away the EGO trip of virus writers by refusing to grant them infamy by naming a virus after them.  I say the times have changed.  I say that true attribution intelligence should be disgorged from whoever holds it and attached like a stinking, rotting corpse to the samples.

Props to FireEye for actually doing this by naming the latest payload Trojan.Linxder after the Chinese CNE operator's hacker handle.   Of course FireEye is not an AV company per se, but the days of just having AV companies are long gone, as now everyone is in the cyber space vendor community and managed service sector.

Here is a challenge to any Reverse Engineer / Malware Analyst / Cyber Intelligence Threat Analyst / Security Researcher.

  • Go to Mila's excellent Contagiodump.blogspot.com site
  • Download the archives, which are 99.99% APT attack payloads
  • Discover the hidden nuggets of attribution intelligence
  • Identify the specialized techniques that are used and write a small analysis of these findings
  • Post them as a comment to this blog; I will approve them for review by the entire community

There are tons of techniques being used, abused, and engineered that are enabling the horrible detection rates we are seeing today.

If the new rules of the road are that governments, militaries, critical infrastructure, and commercial and non-profit organizations are going to be targets for the long term, we might as well serve ourselves by quitting calling it APT and starting to call it by its real name: the actual units and operators that are responsible for you getting fucked.

If threat actors use highly customized code, this is a weakness.  Code that is unique to one operator is a fingerprint: once a victim gets attacked with a specialized piece of espionage malware and it's analyzed, dissected, and publicized (hashes, mutexes, callback domains, reused strings), other organizations can digitally investigate their own infrastructures looking for the same threat.  If they find it, they know they just got screwed as well.  This is called HERD defense.  An attack on one member of the herd might take out an individual, but the rest of the herd is now alerted and on the defense whenever they see the same thing or something similar.
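The herd-defense idea above, as an added example (not code from the original post): one victim's analysis is boiled down to shareable indicators, and the other herd members check their own telemetry for them. The sample bytes, the host telemetry, the callback domain, the mutex name and the user-agent string are all constructed for illustration and refer to no real malware or actor. What it adds beyond the paragraph is the failure mode of hash-only sharing: a recompiled variant defeats the file hash but not the artefacts the operator reuses.

```python
"""Herd defense with shared indicators (added example; all data constructed)."""
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-in for a payload recovered from victim A's incident.
# A real sample would be a PE/ELF file; only the embedded strings matter here.
SAMPLE_FROM_VICTIM_A = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"Global\\sync_mtx_1f3a\x00"                             # hypothetical mutex name
    + b"update.cdn-stat.invalid\x00"                           # hypothetical callback domain
    + b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; x1f3a)\x00"  # hypothetical beacon UA
    + b"\x00" * 8
)

# Recompiled variant used against victim C: same operator artefacts, different
# file hash because the build padding changed (constructed).
SAMPLE_FROM_VICTIM_C = SAMPLE_FROM_VICTIM_A + b"\xcc" * 16

DOMAIN_RE = re.compile(rb"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w.-])", re.IGNORECASE)
MUTEX_RE = re.compile(rb"Global\\[A-Za-z0-9_.-]{4,64}")
UA_RE = re.compile(rb"User-Agent: [\x20-\x7e]{8,128}")


@dataclass(frozen=True)
class Indicators:
    sha256: str
    domains: frozenset
    mutexes: frozenset
    user_agents: frozenset


def extract_indicators(sample: bytes) -> Indicators:
    """Reduce a sample to what is worth publishing: the file hash plus the
    strings an operator tends to reuse across victims (mutex, C2 domain, UA)."""
    return Indicators(
        sha256=hashlib.sha256(sample).hexdigest(),
        domains=frozenset(m.decode().lower() for m in DOMAIN_RE.findall(sample)),
        mutexes=frozenset(m.decode() for m in MUTEX_RE.findall(sample)),
        user_agents=frozenset(m.decode()[len("User-Agent: "):] for m in UA_RE.findall(sample)),
    )


# Constructed telemetry from three other herd members: file hashes seen on disk,
# DNS queries, named mutexes from process handles, and proxy user-agents.
HERD_TELEMETRY = {
    "host-B": {  # clean host, ordinary traffic only
        "file_hashes": {"0" * 64},
        "dns": {"www.example.com", "time.windows.com"},
        "mutexes": {"Global\\UpdaterLock"},
        "user_agents": {"Mozilla/5.0 (Windows NT 6.1)"},
    },
    "host-C": {  # hit by the recompiled variant: hash differs, artefacts match
        "file_hashes": {hashlib.sha256(SAMPLE_FROM_VICTIM_C).hexdigest()},
        "dns": {"www.example.com", "Update.CDN-Stat.invalid"},
        "mutexes": {"Global\\sync_mtx_1f3a"},
        "user_agents": {"Mozilla/5.0 (Windows NT 6.1)"},
    },
    "host-D": {  # same binary as victim A, beaconing through the proxy
        "file_hashes": {hashlib.sha256(SAMPLE_FROM_VICTIM_A).hexdigest()},
        "dns": set(),
        "mutexes": set(),
        "user_agents": {"Mozilla/4.0 (compatible; MSIE 6.0; x1f3a)"},
    },
}


def hunt(ioc: Indicators, telemetry: dict) -> dict:
    """Return, per host, which indicator types matched and on what.
    Hosts with no matches are omitted, so the result is the alerted herd."""
    hits = {}
    for host, t in telemetry.items():
        matched = {}
        if ioc.sha256 in t["file_hashes"]:
            matched["sha256"] = {ioc.sha256}
        domains = ioc.domains & {d.lower() for d in t["dns"]}
        if domains:
            matched["domains"] = domains
        mutexes = ioc.mutexes & set(t["mutexes"])
        if mutexes:
            matched["mutexes"] = mutexes
        user_agents = ioc.user_agents & set(t["user_agents"])
        if user_agents:
            matched["user_agents"] = user_agents
        if matched:
            hits[host] = matched
    return hits


if __name__ == "__main__":
    ioc = extract_indicators(SAMPLE_FROM_VICTIM_A)
    for host, matched in sorted(hunt(ioc, HERD_TELEMETRY).items()):
        print(host, {k: sorted(v) for k, v in matched.items()})
```

Run it and host-D lights up on the hash and the beacon user-agent, while host-C lights up only on the mutex and the callback domain: its hash is different because the variant was rebuilt. That is the argument for publishing the strings and behaviours from an analysis rather than a hash and an opaque CARO name.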

RSA can start by giving us samples to analyze and a full-disclosure briefing.

One of the things AV companies can do is start writing in-depth public analysis reports/blogs about the malware they see used in attacks on, say, 10 victims or fewer.  That's where you find the goodness.

Take any random PDF spear-phishing attack from Contagio.  See what kind of nuggets of intelligence you can glean from it, do your due-diligence open source research and social network analysis, and put your detective/investigator hat on.  And then ask yourself why people continue saying they got pwned by "the APT", when instead they should just point to the bastard's Baidu profile and send him a little present as a token of thanks.

Thanks for getting added to the Pwned list.  Join the club.
