[Dailydave] Ants in your pants

Dave Aitel dave.aitel at gmail.com
Wed Nov 29 18:06:40 UTC 2017

Recently at RPISEC and on Twitter people have asked me what the design
differences are between INNUENDO and something like Meterpreter. I think
these are quite large really, and worth trying to explain. Really it boils
down to a fundamentally different algorithmic approach to distributed

So the following chart talks about various types of algorithms and how they
might apply to our world. An Emergent algorithm is one where lots of tiny
bits of state and different pieces of code are all sent out on your
framework, where the end goal is achieved without any one piece of it
really understanding how it all works. Realistically INNUENDO is not all
there yet: We're still worker-slave with initiated actions for the most
part. But the design is built to enable it, and we spent a lot of time
future-proofing our underlying assumptions from the lessons learned from
twenty years of implant construction.

[image: pasted3]
"There are multiple different interesting classes of algorithms," is how I
would start any conversation at an RPI party. It was pretty much just play
with CORBA in the lab, read all of USENET and blearily eat morning donuts
at 4am with the truckers at the local Dunkin Donuts as far as my university
time went. This hasn't really changed, based on Immunity's recruitment
mission to RPISEC last week. :)
Frankly, I still open up with that line at most parties, because these days
BITCOIN is so popular that even the local PTA moms are in on the bubble.

In infosec we often talk about "command and control" as if hierarchical
instruction was the only way to do distributed computing.  And Immunity is
just as guilty as anyone else: MOSDEF was designed from the beginning to be
a theoretical minimalist extensible remote computing loop.

MOSDEF is a loop that executes shellcode, essentially while(1){eval(input)}
in machine code. To do this, you also have to store and send a minimum
amount of state (aka, the file descriptor for the socket you are using),
and you have to have some small conventions about protecting certain
registers and the stack location, not blocking, error handling and
returning, a few minor things like that.

At the same time, CORE was also doing quite a lot with syscall proxying,
which has similar requirements except you send data instead of code.

Meterpreter and MOSDEF and CORE and EMPIRE and almost all simple implants
have the same basic form. Command to control with maybe a wheel and spoke
routing model. The same real model the IP network runs on - with addresses
and destinations and a path between A and B.

In almost all cases, publicly available implants don't even have full
routing modules built in, they're just simple tree formations where if you
lose one node you lose all the nodes under it.

As you can annoy people at RPI with, this model is just one kind of really
boring algorithm, and the interesting class of distributed algorithm is
what ants and other social insects use:

One thing you learn about ants is that initial colony sizes were quite
small, and all the ants looked the same, even if they had different roles.
But you can't be a self respecting colony of kitchen sugar ants without
five major body types these days and a colony size of tens of thousands.
And yet, when we look at implants we tend to look at them fairly separately
as if they were not built to all work together. . .

In any case, the simple operational difference between current Meterpreter
and INNUENDO is you can send your request for a screenshot down in INNUENDO
over a HTTPS connection, and get the response two days later over ICMP or
DNS as the implant itself sees fit. These things are independent actors for
the most part, when done right, much as an ant is.

It's like, once you've used the internet for a while, you understand that
what you really wanted was MESH NETWORKING. But these days, people think
Mesh networks are niche applications.

In other words: The implants of the future are autonomous agents, and
probably operate using a class of algorithms which is poorly studied. ;)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/dailydave/attachments/20171129/8e25b2ee/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pasted3
Type: image/png
Size: 80719 bytes
Desc: not available
URL: <http://lists.immunityinc.com/pipermail/dailydave/attachments/20171129/8e25b2ee/attachment-0001.png>

More information about the Dailydave mailing list