Dailydave mailing list archives
Re: Watermarking Intrusions.
From: dave aitel <dave () immunityinc com>
Date: Thu, 10 Mar 2016 11:15:03 -0500
So here I am as a Chinese tool developer and operator on one of the lesser known, but higher skills teams, sitting at my desk drinking Starbucks, uber-ironically, as I like to do. We work for the PLA out of an office in Shanghai, but we don't have a catchy name. Just the world's most boring cover company that in theory does IT Support for the local businesses, but in reality does anything but. I'm finishing up a heap overflow in Flash, technically an integer overflow, that leads to heap corruption, if you must know.

The PLA group I work for has given me a few million 32-bit key numbers, which are stored on a laptop that has never been connected to any network, and is itself stored in a safe in the back room. I open it up, and run a quick script to find a 32-bit number from the set that has no bad bytes in it, and also is a NOP for the purposes of this exploit. I use that as the fill-string for my exploit, and then for my Javascript obfuscator pick another one of the numbers and use that as my XOR key. The third one I use inside the shellcode itself. I mark these three numbers as used in a file so I don't reuse them later. All my other variable names are unrelated 32-bit numbers, because why not? But this is a heap overflow, and not an MFC application, so I don't have room to sign giant cryptographically secure blobs of random numbers with a private key of any sort.

What I'm hacking today is a concrete company. They compete with the Chinese concrete companies in many places of the world, but that's not the point. They also supply the US Military's Asian bases. So while I will be pulling down their entire Exchange server, once I get into their network, which is basically a foregone conclusion, I'm not here for industrial espionage purposes. Likewise, knowing how much they are selling goes into our larger economic reports, which are used to make decisions by the State in terms of interest rates and that sort of thing. Stuff above my level.
I fire my exploit off at my target three times, to three different people. One of them succeeds, and I've made my coffee money for the day (and a bunch more, let's be honest, this is a good gig). I have been told that if I give any email from this target to my friend who works in construction, I will of course be fired. But one of them gets silently caught, and Mandiant includes it in a report, along with a long detailed description about my trojan, which I stole from a Russian criminal group. Later, because that concrete company has been losing a lot of business in Asia, a DHS official is asked if this intrusion is a potential violation of our agreement. He looks at the very detailed internal Mandiant report on the initial intrusion, and runs each interesting constant in the report through his oracle, forwards and backwards, and he says, "I cannot say whether or not it is the Chinese or the Russians, but they are CLAIMING to follow our norms process, at least."

-dave

On 3/9/2016 10:29 AM, Konrads Smelkovs wrote:
> PKI for APT then :)
> --
> Konrads Smelkovs
> Applied IT sorcery.
>
> On Wed, Mar 9, 2016 at 3:04 PM, Kevin Noble <terraplex () gmail com> wrote:
>> I don't agree, this is more like finding a rifle and knowing it has smart components and being able to classify the weapon because it has an orange stripe sprinkled with a software taggant. It has forensic value, not masking the threat.
>>
>> On Wed, Mar 9, 2016 at 7:19 AM, Konrads Smelkovs <konrads.smelkovs () gmail com> wrote:
>>> Was difficult to read your piece, but if I understand the gist, then doesn't your proposal suffer from the same problem as toy guns that were supposed to have a non-removable one-inch-wide orange stripe running down both sides of the barrel and the front end of the barrel? If I take my AK-47 and paint it brightly, cops won't shoot.
>>> --
>>> Konrads Smelkovs
>>> Applied IT sorcery.
>>>
>>> On Tue, Mar 8, 2016 at 7:10 PM, dave aitel <dave () immunityinc com> wrote:
>>>> http://cybersecpolitics.blogspot.com/2016/03/a-technical-scheme-for-watermarking.html
>>>> It'd be great to hear from some non-US people in the industry as to whether they think this sort of thing is doable on their end. Likewise, it's not clear what parts of a technical proposal are most important? Are we most worried about non-state actors pretending to be State actors, or having a high confidence level in our result? In any case, hopefully y'all enjoyed reading it!
>>>> -dave
>>
>> --
>> Thanks,
>> Kevin
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
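Sketching the DHS official's "oracle" from the post as an added Python example (not code from the post or from the linked proposal): it pulls 32-bit constants out of a report excerpt, checks each one against a watermark key set forwards and backwards (both byte orders), and reports which ones hit. The key set and the report text are constructed stand-ins; a real key set would be the post's offline list of a few million values.

```python
import re
import struct

# Constructed stand-in for the post's offline set of "a few million 32-bit key numbers".
WATERMARK_KEYS = {0x41A2C3E4, 0x7F10BEEF, 0x1CC0FFEE}

# Constructed excerpt of an incident report, in the spirit of the Mandiant write-up in the post.
SAMPLE_REPORT = """
Stage 1 heap fill pattern: 0xe4c3a241 repeated 0x400 times
JavaScript obfuscator XOR key: 0x7f10beef
Constant embedded in shellcode: 0xdeadbeef
"""

HEX32 = re.compile(r"0x([0-9a-fA-F]{8})\b")

def byteswap32(value):
    """Reverse the byte order of a 32-bit value (the 'backwards' reading of a constant)."""
    return struct.unpack("<I", struct.pack(">I", value))[0]

def extract_constants(report_text):
    """Collect every 32-bit hex literal in a report, de-duplicated, in order of appearance."""
    found = []
    for match in HEX32.finditer(report_text):
        value = int(match.group(1), 16)
        if value not in found:
            found.append(value)
    return found

def oracle(constants, keys=WATERMARK_KEYS):
    """Map each constant to the key it matches forwards or backwards, or None.
    A hit shows the tool's author held a key; it does not by itself prove who
    that was, since a leaked or copied key can be replayed by someone else."""
    verdicts = {}
    for value in constants:
        swapped = byteswap32(value)
        if value in keys:
            verdicts[value] = value
        elif swapped in keys:
            verdicts[value] = swapped
        else:
            verdicts[value] = None
    return verdicts

def summarize(report_text, keys=WATERMARK_KEYS):
    """Return (matched_keys, unmatched_constants) for a whole report."""
    verdicts = oracle(extract_constants(report_text), keys)
    matched = [k for k in verdicts.values() if k is not None]
    unmatched = [c for c, k in verdicts.items() if k is None]
    return matched, unmatched
```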