Flame On! The battle for cyber hearts and minds

a guest
Jun 12th, 2012
Immanuel Hume

On or close to the summer of 2008 I was privy to an analysis of a variety of types of malicious samples that affected many differing organizations. Samples varied between ransomware, command and control architectures, financial crimebots and an assortment of mobile-based attacks. The variants sampled coincided with many samples submitted to sites such as VirusTotal and other submission-based websites. This was corroborated by the checksums of each variant as it came across my desk.

During many of my analyses I would at times search out other experts' views on what their perception of a particular variant was. It was humorous to see the amount of differing opinions on the same strains of malware. For example, when analyzing a financial strain, it was not uncommon to see how the security companies played the game.

Had you asked Mandiant what their answer was, it would have been China immediately. This was followed by an influx of whitepapers on the "Advanced Persistent Threat", which was overhyped for the sake of raking in business. Mandiant then turned to another APT cheerleader, Richard Bejtlich. Richard, for those unfamiliar with him, is a semi-technical individual with a typical USAF penchant for living in a single-sighted world. Anyone who has ever dealt with USAF types can understand this statement. If you are not in the USAF, your word is worthless; they solely call whatever makes their heart warm. One could offer counter-evidentiary proof, yet USAF types are quick to ignore all of the warning signs. Cognitive dissonance 101.

Had you asked Kaspersky, the answer would have been structured to sway the attention away from any of their "homeland"-based organizations. These "organizations" are all criminal in nature, much like their current gangster in charge, Vladimir Putin. To counter the culture of corruptness would be suicidal for anyone in Kaspersky. This is not theoretical nor hearsay, simply common sense. Kaspersky has and will always omit the true culprits behind a high percentage of cyber-related crime, whether these come by way of APT, RAT, ransomware or otherwise.

Symantec and McAfee: these companies are likely to come after Mandiant and Kaspersky and offer their analysis, each mirroring one another, all pointing back to the previously named companies. While there are extremely talented individuals in each company named, they are all guilty of turning blind eyes to factual information.

Returning to the summer of 2008, I had begun to analyze a framework consistent with both Flame and Stuxnet; however, back then there was no name for it. I watched it for about 14 months. This is not uncommon for any serious security organization intent on tracking the culprits. What was visible in most cases was that most samples borrowed from one another. This is nothing revealing; it is easier for criminals to mix, match and steal code from one another. We have all at one time or another heard of 'botwars', and for those who have not, this is simply where one botnet operator attempts to take control of another botnet.

While watching frameworks morph, being mixed and matched, the sources of the frameworks always pointed back to about one and a half dozen individuals or groups. These groups were always in the now broken states of Russia (Ukraine, Georgia and so forth). Irrespective of where C&C servers were deployed, I would see much tunneling return back to the named countries. Code analytics made it easy to piece together which of the groups unleashed which code.

Flamer's and Stuxnet's code comes from many of these frameworks, not from those of any government organization. Most AV and malware companies are aware of this, but it is more profitable to have an actual enemy. In order to understand this concept we need look no further than the two sets of perspectives put forth: that of the private sector and that of any government.

Vendors are in the game to make money. There are no morals or ethics involved, contrary to popular beliefs. The banking industry is an attestation to morals and ethics. Do not believe for a moment that any security company is in the business of truth or compassion. Their bottom line is profit. Profits come from sales: sales of security applications that these companies swear will protect you, only to have history dictate otherwise.

For vendors, the money does not come from the lowly home-based users. The real money is in government. Thus the reason each and every one of these companies has "government divisions" of salesmen and women.

Governments' roles vary depending on what is in season. To think that, say, the United States government or Israel is behind Stuxnet or Flamer is ludicrous. This theory is mainly due to posturing from both governments, as it would make more sense to scare other countries into believing that the 'cybercapabilities' of both of these countries would overpower and overwhelm a country.

For both governments, it becomes a deterrence to want to go to 'cyberwar' with them. After all, news reports state that these countries can shut down the grid, shut down nuclear facilities and so on. The reason for this posturing is likely due not only to the US government's and Israel's fears, but to any country's worst fear. That worst fear is 'loss of control.' The Arab Spring is an attestation of 'loss of control', where a government is helpless.

Imagine for a moment the outcome of any government making a statement such as "an unknown criminal organization can control anything at will and they cannot track them nor stop them." Can you envision the damage economically to society? Most individuals would likely provoke bank runs. After all, there is no one around to protect their assets. Imagine a scenario where government is held hostage. If you cannot, I can remind you: "FBI Probes Hacker's $10 Million Ransom Demand for Stolen Virginia Medical Records".

Imagine for a moment this same ransom scenario placed on the grid or on, say, a nuclear power facility. Do you think a country like Iran would not be willing to pay $10 million to keep their nuclear program running had it been held for ransom? Is the picture becoming a little clearer now?

Stuxnet, Flamer and other variants are not what these security companies are scaring you into thinking they are. They are worse than government-controlled cyberweapons because they are uncontrollable, much like the Arab Spring. It is better for business and politics to address this as a 'cyberwar', as both sides win. Reality dictates otherwise.

Most security companies posting information regarding these being anything grandiose are either lying to you or not in tune with reality. It cannot be both ways, where on the one hand we state a government backdoored a chip yet had to make something completely different to get their feet in.

Most news media will report about grand encryption schemes, which is mainly based on misrepresented information. Reality dictates otherwise, as there have been more focused and extreme attacks that are well documented, such as Sotirov's SSL hack using Sony PlayStation 3s in 2008. Sotirov was not state sponsored and he managed to pull off a high-level attack. These attacks are not off the radar nor beyond the capabilities of anyone, considering cloud computing is cheap, sometimes even free.

While I would have loved to post an article somewhere concerning these matters, the reality is I cannot speak on record because of the sensitive nature of these matters. Obviously they are above many individuals' payscales, politics, ideologies and so forth. They are complex in nature not because of the attack, but because of the fallout behind them. Fallout being either economic or to life (one does not really want to step on the toes of Russian criminal organizations, nor intelligence agencies). Make of this what you will; however, just know that not only are the security companies lying to you, so too are the governments in this matter.

For news media and researchers speculating about little tidbits such as "signed drivers": get over it. Any respectable security researcher will tell you that many frameworks have stolen certificates. Qakbot, SDBot and many more all use stolen certificates. What you fail to capture is the rogue companies who knowingly issue these certificates. This is another can of worms for companies like Verisign, Microsoft, Comodo and others. Let me now digress: do not be so quick as to believe everything you see and hear. There is a reason why you are being spoon-fed nonsense. Use your brain, people.

Veritas vos liberabit

R/
Immanuel Hume

http://www.foxnews.com/story/0,2933,519187,00.html
http://www.guardian.co.uk/technology/2012/may/29/cyber-attack-concerns-boeing-chip
http://erratasec.blogspot.com/2012/05/bogus-story-no-chinese-backdoor-in.html
http://www.zdnet.com/blog/security/ssl-broken-hackers-create-rogue-ca-certificate-using-md5-collisions/2339