[Dailydave] Watermarking Intrusions.

Thomas Quinlan tom at thomasquinlan.com
Fri Mar 11 05:00:36 EST 2016


When's the book coming out? I'd read that.


On 10 Mar 2016, at 16:15, dave aitel wrote:

> So here I am as a Chinese tool developer and operator on one of the
> lesser known, but higher skills teams, sitting at my desk drinking
> Starbucks, uber-ironically, as I like to do.  We work for the PLA out
> of an office in Shanghai, but we don't have a catchy name. Just the
> world's most boring cover company that in theory does IT Support for the
> local businesses, but in reality does anything but.
>
> I'm finishing up a heap overflow in Flash, technically an integer
> overflow, that leads to heap corruption, if you must know. The PLA group
> I work for has given me a few million 32-bit key numbers, which
> are stored on a laptop that has never been connected to any network, and
> is itself stored in a safe in the back room. I open it up, and run a
> quick script to find a 32-bit number from the set that has no bad bytes
> in it, and also is a NOP for the purposes of this exploit.
>
> I use that as the fill-string for my exploit, and then for my Javascript
> obfuscator pick another one of the numbers and use that as my XOR key.
> The third one I use inside the shellcode itself. I mark these three
> numbers as used in a file so I don't reuse them later. All my other
> variables names are unrelated 32-bit numbers, because why not? But this
> is a heap overflow, and not an MFC application, so I don't have room to
> sign giant cryptographically secure blobs of random numbers with a
> private key of any sort.
>
> What I'm hacking today is a concrete company. They compete with the
> Chinese concrete companies in many places of the world, but that's not
> the point. They also supply the US Military's Asian bases. So while I
> will be pulling down their entire Exchange server, once I get into their
> network, which is basically a foregone conclusion, I'm not here for
> industrial espionage purposes. Likewise, knowing how much they are
> selling goes into our larger economic reports, which are used to make
> decisions by the State in terms of interest rates and that sort of
> thing. Stuff above my level.
>
> I fire my exploit off at my target three times, to three different
> people. One of them succeeds, and I've made my coffee money for the day
> (and a bunch more, let's be honest, this is a good gig). I have been
> told that if I give any email from this target to my friend who works in
> construction, I will of course be fired.
>
> But one of them gets silently caught, and Mandiant includes it in a
> report, along with a long detailed description about my trojan, which I
> stole from a Russian criminal group. Later, because that concrete
> company has been losing a lot of business in Asia, a DHS official is
> asked if this intrusion is a potential violation of our agreement. He
> looks at the very detailed internal Mandiant report on the initial
> intrusion, and runs each interesting constant in the report through his
> oracle, forwards and backwards, and he says, "I cannot say whether or
> not it is the Chinese or the Russians, but they are CLAIMING to follow
> our norms process, at least."
>
> -dave
>
> On 3/9/2016 10:29 AM, Konrads Smelkovs wrote:
>> PKI for APT then :)
>> --
>> Konrads Smelkovs
>> Applied IT sorcery.
>>
>>
>> On Wed, Mar 9, 2016 at 3:04 PM, Kevin Noble <terraplex at gmail.com> wrote:
>>> I don't agree, this is more like finding a rifle and knowing it has smart
>>> components and being able to classify the weapon because it has an orange
>>> stripe sprinkled with a software taggant.  It has forensic value, not
>>> masking the threat.
>>>
>>> On Wed, Mar 9, 2016 at 7:19 AM, Konrads Smelkovs
>>> <konrads.smelkovs at gmail.com> wrote:
>>>> Was difficult to read your piece, but if I understand the gist, then
>>>> doesn't your proposal suffer from the same problem as toy guns that
>>>> were supposed to have a non-removable one-inch-wide orange stripe
>>>> running down both sides of the barrel and the front end of the barrel?
>>>> If I take my AK-47 and paint it brightly, cops won't shoot.
>>>> --
>>>> Konrads Smelkovs
>>>> Applied IT sorcery.
>>>>
>>>>
>>>> On Tue, Mar 8, 2016 at 7:10 PM, dave aitel <dave at immunityinc.com> wrote:
>>>>> http://cybersecpolitics.blogspot.com/2016/03/a-technical-scheme-for-watermarking.html
>>>>>
>>>>> It'd be great to hear from some non-US people in the industry as to
>>>>> whether they think this sort of thing is doable on their end. Likewise,
>>>>> it's not clear what parts of a technical proposal are most important?
>>>>> Are we most worried about non-state actors pretending to be State
>>>>> actors, or having a high confidence level in our result?
>>>>>
>>>>> In any case, hopefully y'all enjoyed reading it!
>>>>>
>>>>> -dave
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Dailydave mailing list
>>>>> Dailydave at lists.immunityinc.com
>>>>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>>>
>>>
>>>
>>> --
>>> Thanks,
>>>
>>> Kevin
>
>
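The selection-and-oracle scheme Dave sketches in the quoted post, as an added worked example in Python that is not from the post, the blog it links, or any list member: the operator side filters a pre-shared set of 32-bit numbers for ones with no bad bytes (and, for the fill, ones whose bytes decode to harmless x86 instructions), spends three of them as fill, XOR key and shellcode constant, and records them as used; the analyst side runs constants lifted from a capture through the set forwards and byte-swapped, which is how "forwards and backwards" is read here. The key-set size and seed, the bad-byte list, the NOP allow-list, the payload layout and every function name are assumptions made for the example.

```python
"""Added example: watermarking exploit constants with a pre-shared key set, and
the analyst-side oracle that checks constants lifted from a capture against it.
Key-set size, seed, bad-byte list, NOP allow-list and payload layout are all
assumptions for illustration, not a specification of the scheme."""
import random
import struct

# Bytes an exploit typically cannot carry (NUL, LF, CR). Assumed list.
DEFAULT_BAD_BYTES = frozenset({0x00, 0x0A, 0x0D})

# Illustrative allow-list of single-byte 32-bit x86 instructions that are
# harmless if execution slides over them (nop, inc/dec r32, a few flag/BCD
# ops). Which bytes count as a NOP is exploit-specific; this set is assumed.
X86_SLIDE_SAFE = frozenset(
    {0x90, 0x27, 0x2F, 0x37, 0x3F, 0x98, 0x9B, 0x9E, 0x9F, 0xF8, 0xF9, 0xFC}
    | set(range(0x40, 0x50))
)


def encode(value: int) -> bytes:
    """Little-endian bytes, i.e. how a 32-bit constant lands in memory on x86."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def byteswap(value: int) -> int:
    """The same four bytes read in the opposite order (the 'backwards' form)."""
    return struct.unpack(">I", encode(value))[0]


def has_bad_bytes(value: int, bad=DEFAULT_BAD_BYTES) -> bool:
    return any(b in bad for b in encode(value))


def is_nop(value: int, allowed=X86_SLIDE_SAFE) -> bool:
    return all(b in allowed for b in encode(value))


def generate_key_set(count: int, seed: int = 2016) -> list:
    """Constructed stand-in for the offline list of random 32-bit key numbers."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


class KeyStore:
    """The offline key list plus the ledger of numbers already spent."""

    def __init__(self, keys):
        self.order = list(dict.fromkeys(keys))  # reproducible pick order, no dups
        self.members = set(self.order)          # O(1) oracle lookups
        self.used = set()

    def pick(self, n: int, need_nop: bool = False, bad=DEFAULT_BAD_BYTES) -> list:
        """Take n fresh keys that pass the filters and mark them used."""
        chosen = []
        for k in self.order:
            if k in self.used or has_bad_bytes(k, bad):
                continue
            if need_nop and not is_nop(k):
                continue
            chosen.append(k)
            self.used.add(k)
            if len(chosen) == n:
                return chosen
        raise RuntimeError("key set exhausted under these filters")

    def oracle(self, constant: int):
        """Check a reported constant forwards and backwards; None means no hit."""
        if constant in self.members:
            return "as-is"
        if byteswap(constant) in self.members:
            return "byte-swapped"
        return None


def xor_obfuscate(data: bytes, key: int) -> bytes:
    """Repeating 4-byte XOR, a stand-in for the post's JavaScript obfuscator."""
    kb = encode(key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def build_payload(store: KeyStore, shellcode: bytes, fill_dwords: int = 8):
    """Assumed layout: NOP-safe fill, plaintext XOR key, then the XOR'd stage
    whose last dword is a third key embedded in the shellcode.
    Returns (payload, keys spent)."""
    (fill_key,) = store.pick(1, need_nop=True)
    xor_key, sc_key = store.pick(2)
    stage = shellcode + encode(sc_key)
    payload = encode(fill_key) * fill_dwords + encode(xor_key) + xor_obfuscate(stage, xor_key)
    return payload, (fill_key, xor_key, sc_key)


def attribute(blob: bytes, store: KeyStore) -> set:
    """Analyst side: slide a 4-byte window over captured bytes and collect every
    constant the oracle recognises, normalised to the form found in the set."""
    hits = set()
    for i in range(len(blob) - 3):
        value = struct.unpack("<I", blob[i:i + 4])[0]
        if store.oracle(value) is not None:
            hits.add(value if value in store.members else byteswap(value))
    return hits


if __name__ == "__main__":
    store = KeyStore(generate_key_set(200_000))
    payload, spent = build_payload(store, b"\xcc" * 16)  # constructed stub shellcode
    print("keys spent:", [hex(k) for k in spent])
    print("oracle hits in capture:", [hex(h) for h in attribute(payload, store)])
```

Two caveats the example makes concrete. The third key only surfaces once the analyst decodes the stage with the XOR key found in the clear, so how much of the watermark a report exposes depends on how far its analysis went. And a hit is only as strong as the set is sparse: with N keys a random 32-bit constant matches in one of the two byte orders with probability about 2N/2^32, roughly one in a thousand for a few million keys, so the oracle should be run over every interesting constant and judged on the number of hits rather than a single one.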