Monday, April 23, 2007

OSINT Through Botnets

Open source intelligence gathering techniques, seen from a government sponsored cyber espionage perspective, have been an active doctrine for years, and the niche approaches available today owe a lot to the sheer size of the botnet infected population -- government and military networks on an international scale included. And yes, targeted attacks as well. It's a public secret that botnet masters are able to geolocate IPs through commercially obtainable databases of superior quality. Have you ever thought about what would happen if a botnet-on-demand request were placed, but only for a botnet consisting of infected military and government PCs? Here's a related story:

"The misuse of US military networks by spammers and other pond life is infrequently reported, but goes back some years. In August 2004, we reported how blog comment spams promoting illegal porn sites were sent through compromised machines associated with unclassified US military networks. Spam advertising "incest, rape and animal sex" pornography was posted on a web log which was set up to discuss the ID Cards Bill via an open proxy at the gateway of an unclassified military network."

From an OSINT perspective, the bigger picture emerges piece by piece from tiny fragments of the puzzle, and although each fragment on its own would definitely be unclassified, a clerk's email today may turn into a major OPSEC violation tomorrow. Moreover, the security-through-obscurity approach of various military networks might get a little shaken up once the infrastructure is exposed passively, from the attacker's perspective, through the infected hosts themselves.

In the wake of yet another targeted attack on U.S. government networks, this time in the form of zero-day vulnerabilities in Word documents neatly emailed to the relevant parties, it's worth discussing the commitment shown: a Word zero day, and an attached congressional speech on Asian diplomacy sent to the departments dealing with Asia:

"The mysterious State Department e-mail appeared to be legitimate and included a Microsoft Word document with material from a congressional speech related to Asian diplomacy, Reid said. By opening the document, the employee activated hidden software commands establishing what Reid described as backdoor communications with the hackers. The technique exploited a previously unknown design flaw in Microsoft's Office software, Reid said. State Department officials worked with the Homeland Security Department and even the FBI to urge Microsoft to develop quickly a protective software patch, but the company did not offer the patch until Aug. 8 — roughly eight weeks after the break-in."

The life of this zero day vulnerability started much earlier than anyone had predicted, and obviously specific email addresses at various departments are known, harvested or obtained through the PCs already infected with malware - pretty much everything needed for a successful targeted attack seems to be in place, right? But what makes me wonder is where the attacking emails originate from: an infected ADSL user somewhere around the world whose spoofed .gov or .mil sender address somehow made it through undetected as spam, or an already infected .gov or .mil host whose IP reputation the attackers took advantage of?
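The two questions raised so far, picking the .gov and .mil infections out of a botnet's check-in log, and telling a spoofed .gov sender on a consumer DSL line from a message sent by a genuinely infected .gov host, rest on the same netblock and reverse-DNS bookkeeping. The script below is an added example written for this page, not code from the post or from any of the parties it describes. The netblock table, the reverse-DNS table, the domains and the header blocks are all constructed for illustration (documentation address ranges), and stand in for the commercial geolocation databases, PTR lookups and live mail headers a practitioner would actually consult.

```python
"""
Added example, not from the original post: the netblock and reverse-DNS
bookkeeping behind both questions above. owning_domain()/gov_mil_hosts()
filter a botnet check-in log down to hosts inside .gov/.mil space, and
classify_sender() asks of an inbound e-mail whether the IP that connected
to our MX sits inside the netblock of the domain in From:, or outside it.
Every netblock, hostname and header here is constructed for illustration
(documentation ranges), not a real assignment or a real message.
"""
import ipaddress
import re

# Assumed ownership table: domain -> CIDR prefixes it is taken to control.
ASSUMED_NETBLOCKS = {
    "example.gov": ["203.0.113.0/24"],
    "example.mil": ["198.51.100.0/25"],
}

# Stand-in for PTR lookups so the example runs offline.
ASSUMED_RDNS = {
    "203.0.113.7": "ws07.example.gov",
    "198.51.100.42": "gw.example.mil",
    "192.0.2.55": "dsl-192-0-2-55.isp.example.net",
}


def owning_domain(ip):
    """Domain whose assumed netblock contains ip, or None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    for domain, cidrs in ASSUMED_NETBLOCKS.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return domain
    return None


def gov_mil_hosts(checkins):
    """The 'botnet on demand' filter: keep check-in IPs that fall inside a
    .gov/.mil netblock or whose reverse name ends in .gov/.mil."""
    hits = []
    for ip in checkins:
        domain = owning_domain(ip)
        rdns = ASSUMED_RDNS.get(ip, "")
        by_block = domain is not None and domain.rsplit(".", 1)[-1] in ("gov", "mil")
        by_rdns = rdns.endswith((".gov", ".mil"))
        if by_block or by_rdns:
            hits.append((ip, domain or rdns))
    return hits


# The bracketed address our own MX wrote into the topmost Received: line.
# Only that line is trustworthy; anything below it the sender could forge.
TOP_RECEIVED = re.compile(r"^Received: from \S+ \(.*?\[(\d+\.\d+\.\d+\.\d+)\]\)", re.M)
FROM_DOMAIN = re.compile(r"^From: [^\n]*@([\w.-]+)", re.M)


def classify_sender(headers):
    """Return (verdict, connecting_ip, from_domain) for a raw header block.
    'inside-netblock': the connecting host lives in the From: domain's own
    address space (a compromised host riding on that domain's reputation).
    'spoofed-from-outside': the From: domain was merely borrowed."""
    connecting_ip = TOP_RECEIVED.search(headers).group(1)
    from_domain = FROM_DOMAIN.search(headers).group(1).lower()
    inside = owning_domain(connecting_ip) == from_domain
    return ("inside-netblock" if inside else "spoofed-from-outside", connecting_ip, from_domain)


# Constructed header blocks, as our MX (mx.target.example) would have recorded them.
SPOOFED_FROM_ADSL = (
    "Received: from mail.example.gov (dsl-192-0-2-55.isp.example.net [192.0.2.55])\n"
    "\tby mx.target.example (Postfix) with ESMTP\n"
    "From: clerk@example.gov\n"
    "Subject: Congressional speech on Asian diplomacy\n"
)
SENT_FROM_INFECTED_GOV_HOST = (
    "Received: from ws07.example.gov (ws07.example.gov [203.0.113.7])\n"
    "\tby mx.target.example (Postfix) with ESMTP\n"
    "From: clerk@example.gov\n"
    "Subject: Congressional speech on Asian diplomacy\n"
)

if __name__ == "__main__":
    print(gov_mil_hosts(["203.0.113.7", "192.0.2.55", "198.51.100.42"]))
    print(classify_sender(SPOOFED_FROM_ADSL))
    print(classify_sender(SENT_FROM_INFECTED_GOV_HOST))
```

The sender check is an SPF-style comparison done against a local table instead of the domain's published DNS records, and it only ever trusts the Received: line written by the receiving MX, since everything beneath it arrives under the sender's control. Note what it cannot do: the second sample passes as "inside-netblock" precisely because it came from a host in the .gov netblock, which is the hard case the question above is about. Netblock reputation tells you where a message came from, not whether that machine was already someone else's bot.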

In the majority of news articles or comments I come across, reporters make the rather simplistic connection with China's emerging cyber warfare capabilities -- a little bit of Sun Tzu as a school of thought and mostly rephrasing of U.S. studies -- whenever an attacking email or attack originates from China's netblocks. Perhaps part two of my previous post "from the unpragmatic department" sparked debate on physically bombing the sources of the attacks, just to make sure I guess. Engineering cyber warfare tensions nowadays, given that China has been competing with the U.S. for first place in botnet and spam statistics for the last several years, speaks for itself -- the U.S. will find itself bombing U.S. ISPs and China will find itself bombing Chinese ISPs. So the question is - why establish an offensive cyber warfare doctrine when you can simply install a Lycos Spam Fighting style screensaver on every military and government computer and have it periodically update its hitlists?

Black humour is crucial if you don't want to lose your real sense of humour, and thankfully, for the time being an offensive cyber warfare provocation -- or the boring idleness of botnet masters -- isn't considered a declaration of war yet. The Sum of All Fears is an amazing representation of how tensions get engineered in real life, so consider keeping your Cyber Defcon lower.

Open source visualization courtesy of, MakeLoveNotSpam's effect courtesy of Netcraft.

UPDATE: Apparently, seven years ago North Korea's hyped cyber warfare unit was already aware of the concept of targeted attacks:

"Kim Jong Il visited software labs and high-tech hubs during his rare trips to China and Russia in 2000 and 2001. When then-U.S. Secretary of State Madeleine Albright visited Pyongyang in 2000, he asked for her e-mail address."

On a future visit, perhaps IM accounts will be requested so that the infection vectors can be rotated. Meanwhile, read a great article on North Korea's IT Revolution, or let's say a case study in failed TECHINT due to a self-serving denial of the word globalization.