Police Have Disrupted the Emotet Botnet

A coordinated effort has captured the command-and-control servers of the Emotet botnet:

Emotet establishes a backdoor onto Windows computer systems via automated phishing emails that distribute Word documents compromised with malware. Subjects of emails and documents in Emotet campaigns are regularly altered to provide the best chance of luring victims into opening emails and installing malware—regular themes include invoices, shipping notices and information about COVID-19.

Those behind the Emotet lease their army of infected machines out to other cyber criminals as a gateway for additional malware attacks, including remote access tools (RATs) and ransomware.

[…]

A week of action by law enforcement agencies around the world gained control of Emotet’s infrastructure of hundreds of servers around the world and disrupted it from the inside.

Machines infected by Emotet are now directed to infrastructure controlled by law enforcement, meaning cyber criminals can no longer exploit machines compromised and the malware can no longer spread to new targets, something which will cause significant disruption to cyber-criminal operations.

[…]

The Emotet takedown is the result of over two years of coordinated work by law enforcement operations around the world, including the Dutch National Police, Germany’s Federal Crime Police, France’s National Police, the Lithuanian Criminal Police Bureau, the Royal Canadian Mounted Police, the US Federal Bureau of Investigation, the UK’s National Crime Agency, and the National Police of Ukraine.

EDITED TO ADD (2/11): Follow-on article.

Posted on January 28, 2021 at 6:02 AM (15 Comments)

Comments

Brad Koehn January 28, 2021 7:13 AM

Is there a link to the source article that’s being quoted? It’s usually in the first line of a blog post like this, but not in this post.

David Rudling January 28, 2021 7:31 AM

@Brad Koehn
Not sure of Bruce’s original source, but the Europol report can, I think, be considered an authoritative source.

ht tps://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action

(fractured as usual)

ATN January 28, 2021 7:47 AM

Have all Windows PCs which were part of the botnet been patched to the latest version of Windows to secure them, or have they been left with all their security holes so they can be part of the next botnet?
The first thing a botnet will probably do is break the Windows auto-update system (it seems to break by itself even on regularly updated systems), so did they fix that system on all the botnet PCs? Or use all those PCs for their own honeypot?

Spellucci January 28, 2021 8:03 AM

There is very little in these articles on apprehending the criminals involved or disrupting the criminal organizations. If LEA disrupts the hardware, but the EMOTET gang has the software, what is to prevent them from setting up new hardware?

Clive Robinson January 28, 2021 9:06 AM

@ ALL,

From the article,

“Machines infected by Emotet are now directed to infrastructure controlled by law enforcement, meaning cyber criminals can no longer exploit machines compromised and the malware can no longer spread to new target”

Err, not really true, as has been demonstrated in the past.

If the attackers can gain control of a router or similar that is upstream of the target machines but downstream of the Law Enforcement infrastructure, then they can simply imitate the LE infrastructure.

Whilst there are other tricks that can be used to make this more difficult, at the end of the day it’s a competition as to who ends up controlling the “root of trust” (RoT) on the bot machines, and by what means[1].

Consider the following:

1, The attackers sent out phishing bait.
2, Some users bite and get hooked.
3, The attackers gain access to the users machines.

Now comes the question of what they did to these machines whilst in that privileged position.

In the past some attackers have patched user machines after they have installed a Remote Access Trojan/Tool (RAT) or similar as a way back in. The OS and Application patching was to keep others from taking the users machine away from the attackers.

Thus most such “bot herder” attackers are aware that they can lose their machines, either to competitors or to Law Enforcement (LE).

There are several things they can do to contingency plan. One of which is to keep not just machines they have owned but spare control networks, all using different techniques, so attackers or LE only see part of their assets or think there is more than one set of attackers. However, by keeping reserves the attackers can just bring formerly unknown quiescent bots on-line when needed, which is safer than trying to regain control of lost bots.

The reason is that lost bots can become honey pots to track the activities of the attackers, either to locate them or to block the method by which they regain control.

Is there anything the attackers can do to stop any honey pot being effective? Well yes, they can stop using very vulnerable control systems[1] and implement systems that are difficult if not effectively impossible to stop unless all the bots are not just cleaned up but patched etc.[3] on an individual basis. I’ve yet to see evidence that the bot herders have resorted to such measures, probably because the Internet is such a target rich environment that losing bots is just a minor inconvenience to an effectively run organisation.

[1] As I’ve pointed out before, you do not need a “Command and Control Communications” (3C) hierarchical system[2]. In fact you should avoid using such a system if you want resilience, because when someone else gets control of the 3C server, or even just its DNS or IP address, then the original bot herders get taken out of the game.

[2] The only reason to have a 3C server hierarchy and server is because the original attackers have not thought about how to establish effective communications under hostile attack. That is, the bots “phone home”, which is a very fragile way of doing the communications. For reliability, a broadcast system, or a continuously evolving and thus self healing mesh system, would both be more resilient.

[3] There are various techniques that can be used to deter LE activities; “dead man’s switches” activated by lack of a heartbeat on the bots is one way. Various payloads have been used in the past, from back in the early days in networking right up to current times. We’ve seen the power of DDoS attacks, and whilst there are ways to “sink hole” attacks on specific targets, a DDoS on many targets in a rotating or other manner would prove a very real problem which the Internet in its current incarnation is not really designed to deal with. Causing all the bots to destroy the data or even some hardware on users’ machines so they become “bricked” is another. However, petty revenge tactics such as these are becoming more of a nuisance than a deterrent. From a bot herder’s point of view, making the bots effectively attack proof except from the front panel would be a better objective. There are ways this can be done as a first resort against anyone trying to gain control of the bot.

Bruce Schneier January 28, 2021 10:10 AM

@Brad Koehn:

“Is there a link to the source article that’s being quoted? It’s usually in the first line of a blog post like this, but not in this post.”

Thanks for noticing. Fixed.

AL January 28, 2021 12:06 PM

There is a subsequent story.
https://www.zdnet.com/article/authorities-plan-to-mass-uninstall-emotet-from-infected-hosts-on-march-25-2021/
“Law enforcement officials in the Netherlands are in the process of delivering an Emotet update that will remove the malware from all infected computers on March 25, 2021 …
this update contains a time-bomb-like code that will uninstall the Emotet malware on March 25, 2021, at 12:00, the local time of each computer.”

So, there could be some people who have the infection, and won’t know it. They say to check to see if you have it, but I’m not hearing what to check for.

Sancho_P January 28, 2021 1:08 PM

The funny thing is most people are thinking of malicious phishing emails with links or office macros inadvertently installing malware.
But the real enemy to security may be a criminal, deliberately installing malware or selling data sets directly.
Although most are at the top, dishonest people are everywhere in our society.

UK’s NHS: £1 for everything
https://www.cnbc.com/2020/06/08/palantir-nhs-covid-19-data.html
Small criminals: $36 to $50 per data set
https://www.zdnet.com/article/dutch-covid-19-patient-data-sold-on-the-criminal-underground/

SpaceLifeForm January 28, 2021 3:30 PM

Read what an expert on Emotet has to say.

He is back in US for a reason.

The kill in March is planned for a reason.

hx tps://mobile.twitter.com/malwaretechblog

Winter January 29, 2021 1:25 AM

@Space
“He is back in US for a reason.
The kill in March is planned for a reason.”

I followed the link, but I still have no idea what you are talking about. Could you be somewhat more verbose?

SpaceLifeForm January 30, 2021 5:40 PM

@ Winter

MH is an expert, if not the expert on Emotet. He has been watching it for years.

The kill date most likely is tied to cert expiration.

But, in the meantime, collect the data.

hx xps://malwarebytes.com/emotet

SpaceLifeForm February 2, 2021 3:19 PM

Emotet kill-date corrected.

It is set for 2021-04-25, not 2021-03-25.

ht tps://www.twitter.com/MBThreatIntel/status/1354842730711502850
