Archives For spyware


While reporting about cyberwarfare and information security has been getting better and better as of late, there are still some articles that posit baffling ideas about how to prevent a massive cyber attack launched by a government. The strange idea in question this time is one which has a good starting point, but ends up imagining cyber attacks as one would imagine a conventional siege, somewhat reminiscent of The Battle of Thermopylae. Rather than envisioning an attack from the cloud able to hit a target out of the blue, it tries to portray network topologies as a kind of unseen battlefield on which one side can gain an advantage by exploiting the landscape…

Cyberspace depends on a physical infrastructure of computers and fiber, and this physical infrastructure is located on national territory or subject to national jurisdiction. Cyberspace is a hierarchy of networks, at the top of which a small number of companies carry the bulk of global traffic over the Internet “backbone.” International traffic, including attacks, enters the United States over this “backbone.” The backbone is a choke point, relatively easy to defend, and something that the NSA is already intimately familiar with (as are the other major powers that engage in signals intelligence). Sit at the boundary of the backbone and U.S. jurisdiction, monitor and intercept malware, and attacks can be blocked.

Technically yes, you can use the main switches where the fiber stretching across the oceans will reach your shores and have a deep packet inspector check the headers of incoming packets to flag anything suspicious. But this really only works for relatively straightforward attacks and can easily be avoided. If you’re trying to inject a worm or a virus into a research lab’s computer, you’ll have to get through an anti-virus system which will scan your malware and compare its bytes to as many virus and worm signatures in its database as it reasonably can. With the sheer amount of malware out there today, these tools are good at stopping existing infections and their mutant versions. However, brand new attacks require reverse engineering and being ran in a simulated environment to be identified. This is how Flame and Gauss went undetected for years and they were most likely not even spread via the web, but with infected flash drives, meaning that efforts to stop them with packet inspection would’ve been absolutely useless.

A deep packet inspector sitting at MAE-East or MAE-West exchange points (or IXPs) would have to work like an anti-virus suite if it is to do what the author is proposing, so it can stop someone from downloading an obvious virus or bit of spyware from a server in another nation or deny an odd stream of packets from China or Iran thought to be malicious, but it’s not a choke point in any conventional sense. IXPs are not in the business of being a traffic cop so having them take on that role could have serious diplomatic repercussions, and aggressive filtering could have all sorts of nasty downstream effects on the ISPs connected to them. Considering that trying to flag traffic by country could be foiled by proxies and IP spoofing, and that complex new attacks would easily be able to slip by an IXP-based anti-virus system, all the effort may might be worth it in the long run and simply cause glitches for users trying to watch Netflix or surfing foreign websites to read the news in another language while trying to prevent threats users can easily manage.

So if creating IXP chokepoints would do little to stop the kind of complex attacks for which they’d be needed, why has there been so much talk about the Pentagon treating the internet as a top national security concern and trying to secure networks across America, or at the very least, be on call should anything go wrong? Why is the Secretary of Defense telling businesspeople that he views cybersecurity as the country’s biggest new challenge and has the Air Force on the job? My guess would be that some organizations and businesses simply haven’t been investing the time and attention they needed to be investing in security and now see the DOD as the perfect, cost-effective way to secure their networks, even though they could thwart attacks and counter-hack on their own without getting the military on the case, perhaps not even realizing that they’re giving it a Sisyphean task. If they know they’re targets, the best thing for them to do is to secure their networks and be aggressive about hiring infosec experts, not call in the cavalry and expect it to stop a real threat from materializing since it simply can’t perform such miracles…


dead cyber spy

Nowadays, if you hack into a company’s servers, the company might hack you right back. No, it won’t wipe your hard drive or infect you with a virus of course. The goal is to figure out who you are and what you’re after, primarily because some of the most advanced hacks over the past few years have been cases of industrial and military espionage. And this is where legal wonks are arguing that the government should step in, lest a company issue a retaliatory cyberattack only to find that its target is actually a foreign intelligence agency. Case in point, Google. After a very sophisticated attack on its servers coming from China and a messy international incident which saw a heated back and forth between the Chinese Communist Party and the company, the tech titan hacked back and found that its attackers were targeting defense and other tech companies with meancingly complex scripts and the group, dubbed the Elderwood Gang, is still at it.

Their easy access to zero day exploits and the coordination equired to pull off their favorite type of attack points to backing from someone who can afford to employ highly skilled programmers and wants to spy on foreign defense and tech contractors, trying to steal blueprints, e-mail, and source code.Basically, what I’m trying to say is that prevailing rumor paints the Elderwood Gang as a part of the Chinese cyber-army long suspected of stealing classified documents from the U.N. and a lot of First World military contractors and government agencies via spyware. As the vast majority of the wired world knows, the United States isn’t exactly a hacking lightweight and it more than likely deploys some very sophisticated spyware and malware of its own. So, say the legal wonks mentioned above, have the Air Force and the NSA tackle sophisticated hackers, not companies that find themselves riddled with foreign spyware. It could’ve come from a Facebook game someone way playing at work and is trying to steal logins to PayPal, or it might be a worm from another government and hacking them back would provoke an international incident which would have to escalate all the way up to the military. But is that a workable approach?

No, not really. Fact is that the vast majority of infections are trying to steal financial information and/or turn your computer into a bot for DDOS attacks. Not only that, but the malware kits used to make viruses and worms are exploitable too. Only a tiny sliver of all the nasty stuff you might catch surfing random sites without some very heavy duty firewalls and strict privacy and browser settings, is actually complex malware from a nation state, and even then you’d have to be a very highly visible defense or tech company since these attacks tend to come from whailing (which is like spear-phishing but targeted to high level executives) and compromised industry message boards, blogs, and forums. Little fries don’t interest the spies much so they quickly lose interest, so it’s really the Lockheed Martins, EADS’, and Northrop Grummans of the world that should be worried, but considering their cozy relationship with the militares of their home states, they can always escalate things when they need to. And since all this is being done in secret, I’d highly doubt that a foreign intelligence agency hacked in retaliation will cry foul. That would just be an admission of guilt and the start of a major diplomatic clusterscrew.

Were we to start reporting hack attempt after hack attempt and infection after infection, we’d so quickly swamp cybersecurity experts at the NSA and the Air Force, that they’d be buried under a massive backlog of things to investigate in weeks while the torrents of reports keep on coming. Antivirus makers already have vast databases that can identify who was infected with what kind of virus and how to remove it running 24/7/365, and can keep up with 99.9% of infections out in the wild. Considering that they’re the primary discoverers of cyber weapons in use, they’re more than up to the job and can do it without defense establishments getting involved in their daily work. And when we take into account the sheer number of random trojans and worms out there, a hacked company has a 99.9% chance of pinging random hacker crews rather than something as threatening as the Elderwood Gang or as sophisticated as Flame or Stuxnet, and even then, no one on the other end will make a peep because doing so would be a lot worse than keeping quiet and let the retaliating businesses get away with it. Treaties and tens of billions in trade may be at stake so it’s best to just let the accusations die down and resume the spying later. So if you get hacked, go ahead and hack back. You’re not going to start any wars by doing it.


Contrary to the gripes of many security types, your antivirus software is not useless. Were you turn it off, many routine infections from contaminated websites, that nowadays are more likely to ask you to give to the poor than to pay for a live nude webcam show, would quickly turn your computer into a gold mine for a lazy identity thief armed with simple viruses. Really advanced and powerful malware using zero day exploits, however, will always elude it because that’s the nature of the arms race between virus writers and antivirus makers. Those with the means and motive attack systems and applications, the companies and researchers who discover a security breach either patch the vulnerability if possible, or add a new algorithm to look for the threat signature in the future, such a self-modifying files or local services suddenly trying to open an internet connection. And a piece of malware that slips by the antivirus and doesn’t get reported can work in silence for years, just like the widely reported cyberweapons Stuxnet and Flame did. To explain how these worms went unnoticed, both Ars Technica and Wired, published a self-defensive missive by an antivirus company executive which basically boils down to an admission of defeat when it comes to proactively recognizing sophisticated malware.

Slightly longer version? Some of the most advanced cyberweapons work a lot like typical software and uses a lot of the same tools, or uses legitimate frameworks and packages included in most legitimate software as a launching pad for deploying hidden code designed to act in the sort of malicious ways antivirus would flag as an attack but executed in a way that circumvents the channels through which it would scan. So when Flame is installed, the antivirus checks its components, probably saying to itself "all right, we got what looks like a valid certificate, SQL, SSH, some files encrypted using a standard hashing algorithm… yeah, it all checks out, that’s probably a network monitoring tool of some sort." And herein lies the problem. Start blocking all these tools or preventing their installation and you’re going to cripple perfectly valid applications or make them very difficult to install because every bit of them will have to be approved by the user. How does the user know which piece of software or what DLL is legitimate and which one is not? For the antivirus to help there, it would need to read the decompiled code and make judgments about which behaviors are safe to execute on your machine.

But having an antivirus suite decompile and check the code of every application you run for possible threats is not much of a solution because the decisions it makes are only as good as the judgment of the programmers who wrote it, and because a lot of perfectly legitimate applications have potentially exploitable code in them; a rather unfortunate but very real fact of life. Remember when your antivirus asked you if a program you installed just a couple of minutes ago could access the internet or modify a registry key? Just image being faced with a dialog asking you to decide whether some potentially exploitable function call in one of your programs should be allowed to run or not, faced with the following disassembly snippet to help you make a decision…

00000010 89 45 E4              mov    dword ptr [ebp-1Ch],eax
00000013 83 3D A4 14 9D 03 00  cmp    dword ptr ds:[039D14A4h],0
0000001a 74 05                 je     00000021
0000001c E8 5E 40 3D 76        call   763D407F

Certainly you can see why an antivirus suite that tries to predict malicious behavior, rather than simply watch if something suspicious starts happening on your system, simply wouldn’t be practical. No user, no matter how advanced, wants to view computer-generated flowcharts and disassembly dumps before being able to run a piece of software, and nontechnical users confronted with something like the scary mess above may just turn their computers off and sob quietly as they imagine their machines crawling with viruses, worms, back doors for identify thieves looking for their banking information, and other nightmarish scenarios. Conspiracy theorist after conspiracy theorist would start posting such disassembly dumps to Prison Planet, Rense, and ATS, and portray them as proof that the Illuminati are spying on them through their computers. Unless we want to parse every function call and variable assignment, look into every nook and cranny of every bit of software we’ve ever installed, or write our own operating systems, browsers, and applications, and never using the web, shutting off and physically disconnecting all our modems, we’ll just have to accept that there will always be malware or spyware, and the best we can do is keep our systems patched and basic defenses running.