It’s No Fun When The Rabbit Has The Gun

by | May 12, 2020 | Behavioral InfoSec

Deploying Malware Means A Risk It Gets Adapted

Roman troops were well known to be equipped with a throwing spear called a pilum. If you see one, you may notice it looks odd. Why have such a thin shaft at the top? Wouldn’t that bend? Yes! Yes it does! Which is exactly the point! Making spears and arrows is hard. It was a popular tactic to pluck projectiles out of your shields and the ground, then shoot them back at those who fired them first! The Romans didn’t want this, so they made the pilum so it would warp and be unusable after hitting a target! Another example, because I am that kind of geek, is early stone cannonballs. They were made of the hardest rock possible, so when they hit the enemy, the enemy could fire them back. Later on, more brittle stone was used to make this impossible!

The point of those examples is that for a long time generals have had to be cautious about what they deploy, in case it should be redirected back on them! This is a huge concern for nation state hackers. I believe it was a speech by an NSA exec at Defcon who talked about this worry of theirs. The NSA is the foremost power, with the most creative solutions and powerful malware. When that malware is deployed, it leaves behind traces. The victim, if clever enough, will learn new techniques themselves. The worst case scenario is if the malware is found before it is deployed, giving the target a sample to reverse engineer and learn the enemy’s techniques in exquisite detail.

In the NSA malware programming guide, they are very explicit about covering one’s tracks. There is the obvious: making sure there aren’t comments in English, making sure there are no metadata stamps that sync to American work hours. All so malware doesn’t get traced back to the US. Then there are the more esoteric defenses: ways to disguise how the malware works so the target doesn’t learn the vulnerability to exploit for themselves. If malware attacks port 22 exclusively, you know the vulnerability is there. But if it attacks several ports, it is harder to know its goal.
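To show the analyst's side of that work-hours point, here is an added example that is not part of the original post: given a set of build timestamps (constructed sample values, standing in for what an analyst would pull from a malware family's PE headers), it scores every UTC offset by how many builds land in a Monday-to-Friday, 9-to-5 window in that zone. Clustering like this is exactly the attribution heuristic that scrubbing or randomising metadata stamps is meant to defeat.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC build timestamps for ten hypothetical binaries of one family.
# Eight fall inside one working week in a UTC-4 zone, two are deliberate outliers
# (a Saturday build and a late-night build).
SAMPLE_BUILD_TIMES = [
    "2020-05-11T14:12:00Z", "2020-05-11T18:40:00Z",
    "2020-05-12T13:05:00Z", "2020-05-12T20:30:00Z",
    "2020-05-13T15:55:00Z", "2020-05-14T17:20:00Z",
    "2020-05-15T14:45:00Z", "2020-05-15T19:10:00Z",
    "2020-05-16T16:00:00Z",  # Saturday
    "2020-05-13T03:30:00Z",  # 23:30 the previous evening at UTC-4
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_work_hours(local: datetime, start: int = 9, end: int = 17) -> bool:
    """True if the local time is Mon-Fri and start <= hour < end."""
    return local.weekday() < 5 and start <= local.hour < end


def work_hour_fraction(stamps, offset_hours: int) -> float:
    """Fraction of builds that fall in work hours when viewed in UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    local_times = [parse_utc(s).astimezone(tz) for s in stamps]
    return sum(in_work_hours(t) for t in local_times) / len(local_times)


def hour_histogram(stamps, offset_hours: int):
    """Count builds per local hour of day (24 buckets) for the given offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hist = [0] * 24
    for s in stamps:
        hist[parse_utc(s).astimezone(tz).hour] += 1
    return hist


def best_fit_offset(stamps):
    """Return (offset, fraction) for the whole-hour UTC offset that best explains the builds.
    Ties are broken toward the offset closest to UTC."""
    scores = {off: work_hour_fraction(stamps, off) for off in range(-12, 15)}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores[best]


if __name__ == "__main__":
    off, frac = best_fit_offset(SAMPLE_BUILD_TIMES)
    print(f"best-fit zone UTC{off:+d}: {frac:.0%} of builds in Mon-Fri 09-17")
    print("local-hour histogram:", hour_histogram(SAMPLE_BUILD_TIMES, off))
```

A single best-fit zone only becomes evidence when it holds across many samples and contrasts with other offsets; a flat histogram or a near-tie between zones is what deliberately faked or stripped stamps tend to produce.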

Shadow Brokers

The Shadow Brokers organization is famous for having stolen NSA techniques. In this article a piece of code is shown to have elements from both Chinese and NSA proxy technology. Disturbing proof that nation-state weapons are being adapted for third-party use.