
Malware writers: Don’t screw up

Remember the Wet Bandits in the movie Home Alone? Marv, one of a pair of bumbling burglars, thought it would be a cool move to leave a faucet running in each of the houses they burglarized, like a calling card. The downside was that, when the police finally nabbed them, it was obvious exactly which houses the Wet Bandits had hit.

The “Hangover” operation my company recently documented was a bit like that. The attackers did not leave the tap running, but they used the same customized malware for every sting, the same infrastructure for wildly different attack targets, and the same modus operandi for the maintenance of this infrastructure.

At first, we were surprised by how commoditized it all was: how malware creation was doled out in neat monthly tasks, how manpower was acquired from legitimate freelance employment services, and how easy the attack infrastructure was to track. It was trackable not because every computer did something malicious, but because whole arrays of attack computers were configured identically, so finding one meant finding the rest.
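The tracking method described above, pivoting from one known attack server to its siblings by exact configuration match, is easy to illustrate. The following is an added example written for this page; it is not code from the Hangover report or from the author's company. The host records are constructed, the fingerprint fields (open ports, server banner, TLS subject and issuer, hash of the default page) are a hypothetical choice, and the cluster-size cutoff is an assumption meant to keep generic provider images from producing false links.

```python
"""Cluster scanned hosts by an exact configuration fingerprint and pivot from a known-bad host.

Added illustration for this page; not the Hangover report's tooling.
"""
import hashlib
import json
from collections import defaultdict

# Constructed sample scan records (documentation-range addresses, not real hosts).
# Three hosts share one build (ports, banner, self-signed cert, same default page);
# two others share a different, ordinary-looking build.
HOSTS = [
    {"ip": "192.0.2.10", "ports": [22, 80, 443], "server": "Apache/2.2.22 (Ubuntu)",
     "tls_subject": "CN=localhost", "tls_issuer": "CN=localhost", "index_hash": "a1b2c3d4"},
    {"ip": "192.0.2.11", "ports": [443, 22, 80], "server": "Apache/2.2.22 (Ubuntu)",
     "tls_subject": "CN=localhost", "tls_issuer": "CN=localhost", "index_hash": "a1b2c3d4"},
    {"ip": "198.51.100.7", "ports": [80, 443, 22], "server": "Apache/2.2.22 (Ubuntu)",
     "tls_subject": "CN=localhost", "tls_issuer": "CN=localhost", "index_hash": "a1b2c3d4"},
    {"ip": "203.0.113.4", "ports": [80, 443], "server": "nginx/1.4.6",
     "tls_subject": "CN=shop.example", "tls_issuer": "CN=Example CA", "index_hash": "9f8e7d6c"},
    {"ip": "203.0.113.5", "ports": [80, 443], "server": "nginx/1.4.6",
     "tls_subject": "CN=shop.example", "tls_issuer": "CN=Example CA", "index_hash": "9f8e7d6c"},
]

# Hypothetical choice of configuration fields; the IP address is deliberately excluded
# so that the fingerprint describes the build, not the location.
CONFIG_FIELDS = ("ports", "server", "tls_subject", "tls_issuer", "index_hash")


def config_fingerprint(host):
    """Hash the canonicalized configuration fields of one host record."""
    canon = {f: host.get(f) for f in CONFIG_FIELDS}
    if isinstance(canon["ports"], list):
        canon["ports"] = sorted(canon["ports"])  # port order from the scanner is noise
    blob = json.dumps(canon, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()[:16]


def cluster_by_config(hosts):
    """Group host IPs by identical configuration fingerprint (insertion order preserved)."""
    clusters = defaultdict(list)
    for h in hosts:
        clusters[config_fingerprint(h)].append(h["ip"])
    return dict(clusters)


def pivot_from_known_bad(hosts, known_bad_ip, max_cluster=20):
    """Return the other hosts that share the known-bad host's exact configuration.

    A cluster larger than max_cluster (assumed cutoff) is treated as too generic to be a
    useful pivot, e.g. a hosting provider's stock image, and yields no candidates.
    """
    by_ip = {h["ip"]: h for h in hosts}
    fp = config_fingerprint(by_ip[known_bad_ip])
    members = cluster_by_config(hosts).get(fp, [])
    if len(members) > max_cluster:
        return []
    return [ip for ip in members if ip != known_bad_ip]


if __name__ == "__main__":
    for fp, ips in cluster_by_config(HOSTS).items():
        print(fp, ips)
    # Starting from one confirmed attack server, the identically built siblings fall out.
    print("siblings of 192.0.2.10:", pivot_from_known_bad(HOSTS, "192.0.2.10"))
```

Exact-match clustering like this only works because the operators cloned their builds; a single changed banner, certificate or default page would have split the cluster. That is the operational-security cost the column is pointing at.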

We should not have been surprised, though, as all these attributes serve to demonstrate a development that has been going on for years. These days, targeted attacks designed to steal intelligence are easy, cheap and convenient.

The truth is: You don't need a lot of resources to start an offensive operation. This is one reason I am now assuming malware-assisted surveillance to be a natural part of ongoing conflicts all over the world. This has been abundantly illustrated in the Middle East, where espionage against various parties during the Arab Spring uprisings has been well-documented. Less known are the trojan attacks directed at FARC sympathizers in Colombia, or the recent disclosures of monitoring of Ethiopian and Angolan dissidents. If you have enemies, watch your inbox. Actually, just watch your inbox.

However, even as the push for offensive cyber capabilities grows stronger in public discourse, I must point out that offensive action in this realm is not without liability. Security professionals are constantly looking for targeted attack malware, and will document and map these once found. It's not personal. People like me are paid to combat malware, and the motives of the malicious creator aren't evident. Whether driven by good or bad, right or wrong, if you make malware, you and I are adversaries.

That means that if you represent a state or any other entity for that matter, and are sponsoring the malware-based monitoring of your enemies, you must assume that information about your actions will become public. For some, this might not be a problem, but for others it could mean no end of trouble. 

The same rule applies in this realm as in other more conventional covert operations: Don't get caught. The risk of getting nabbed is reduced by following rules that are simple, but expensive: Hire skilled professionals, vary your methods and keep a keen eye on operational security. This is why cyber operations may not turn out to be so cheap and easy after all. 

The Hangover operation should be a cautionary tale. It appears to have been a case of someone trying to get a lot for a little, because the attackers were not skilled. They had some sophisticated elements, but only a few.

At the time of writing, we don't know who the real clients in the Hangover case were. We speculate that there were several. If so, their various operations were mixed together in an unsightly hairball of attacks. When one was uncovered, the rest unraveled too. But then, that's what you get when you hire the Wet Bandits.
