SourceAvengers Blog

0x00-0xff, Indiana, United States
SourceAvengers Blog - I am a Junior in College, have competed and won in multiple Capture the Flag events, competed in the Indiana CCDC for two years, and am the founder of The Computer Security Group of Indiana University Southeast. I enjoy network security, penetration testing and programming. I also greatly enjoy video games and action movies.

Thursday, November 27, 2014

The Future of DDoS attacks - How they will evolve to bring companies to their knees.

Hello,

I am glad to be writing once again with some theories I have been considering as the potential evolution of malware as a whole.

This post regards specifically the use of Malware, anonymous networks and attempts to automate the process of long term attacks against a target.

-----------------------------------------------------------------------------------------------------------------------
I will set this post up in a question-and-answer format to help make it easier to explain.

Question: What will DDoS attacks of the future look like, and what will they be capable of?
Answer: As many of you are aware, malware mutates/evolves as time goes on. Some of the features and types of targeted attacks I have witnessed take little to no technical skill to accomplish. The real threat is the malware writers who view things from the long-term perspective. DDoS attacks of the future will incorporate advanced artificial-intelligence programming to scan for and find vulnerable services on the IP range a company owns. These services will include fax machines, phone systems, and online chat systems on a company's site, so as to DDoS all the avenues a customer has for reaching out to the company for help in the first place. Also, the last type of DDoS attack could crash many small to mid-sized businesses out there: spam attacks against a target set of company email addresses, where the spam ends up being things likely to bypass spam filters, such as email list signups and the like.

Question: What are the methods that help mitigate the above-mentioned types of DDoS attacks?
Answer: This is a complicated issue, as they will be targeting any means of communication that a customer could use to get in contact with a company. In regards to mitigation methods that make the attack less effective, the common and most used method is to simply blackhole the targeted IP address for 24 hours, and possibly get a DDoS protection service such as Cloudflare, etc. However, DDoS attacks targeting phone systems, email systems and fax systems are basically unprotected. There needs to be an evolution of defensive strategies and techniques, because the employees at each of the top companies are nearly completely unprotected from many types of these attacks.

Question: What services would be attacked, and how, by malware on tens of thousands or even millions of infected machines?
Answer: I will briefly cover what would be attacked and how.
  1. Fax Machines - The attacker would have his malware use its programmed AI to scan the company-owned phone numbers on a randomized 6~12 hour interval. Basically it would scan every phone number, look for any and all fax machines and save them to an internal list. Then the infected machine would move on to the next set of checks.
  2. VoIP Phone Systems - Again the malware would automatically scan the company phone numbers, except this one would scan once a day and just recheck the phone systems for active phone lines. Then the malware would move on to the next step.
  3. Online Chat Support Systems - The malware would need to be programmed with a database of tactics on how to initiate and send messages to major companies; this database would need to be updatable if and when the attacker wants to add a new target. Therefore this would be done through an anonymous service like I2P or Tor. Again, as mentioned in the Swatting post, it would have a decentralized connection setup to avoid single points of failure. The malware would then move on to the last and final check.
  4. The last and final check is to check whether the target has been blackholed. It would check response times and look for timeouts from dropped packets. If this is the case then it will perform a very fast network scan for the company's website that has been updated/changed to bypass these attacks.
Now finally, in regards to the attack, these are the logical steps after all the checks have passed.
  Step One - Attack all detected fax machines with pure black ink images so all fax machines would run out of ink and be unusable this entire time. The method for this would be to hide the origin traffic through Tor or I2P, which would let your infected machine stay behind a constantly changing web of new jump points. Every 15 minutes the Tor route should be changed to keep the attack ever changing and to make it nearly impossible to block based on IP address. In regards to bypassing any attempts at detecting pure black ink images, the attack could shift random white areas of random sizes into the image/scan sent to the fax. That should elude any of the protective measures for trying to stop this attack medium.
  Step Two - Now that your infected system is actively attacking the company's fax machines, the malware will activate its next layer of attack. This would consist of loading the list of active phones that were in the company's owned range of phone numbers. The malware would then place a call to each of the lines in question, again while hiding behind Tor or I2P, and have it be totally random static combined with some random silence. This should defeat any detectable/blockable methods.
  Step Three - Online chat support systems. This step would query the internal database that is kept up to date within the malware from the earlier checks. Then it would take the needed steps to initiate a support chat with the company; using an advanced chatbot backend with decent AI would allow you to drag the conversation out to fill up the chat support systems. Also, it could look for things like "Support Rep. John Smith terminated the support chat", and then it would repeat the same process again and again, non-stop. This attack would only halt if the site became unreachable, which could be from simple overload or possibly the IP/site being blackholed. If it was blackholed then it will scan the company IP range again and look for which IP the company moved the website to that the old IP was handling. Once found, the process would begin again.
  Step Four - Spam/Email DDoS attack. Now this one would need to be done by the attacker itself, the reason being that it would require the attacker to sign up for tens of thousands of newsletter sites, news updates, etc., and that means you'll need a list of emails to sign up with from the get-go. This final attack would complete the whole range of ongoing and non-stop attacks. Once this attack was launched and all the attacks initiated and used, then effectively the company will be unable to function.

Question: So in summary, how much impact would this type of attack have against a company?
Answer: Finally, here's a short summary of how big of an impact this will have against a target company. The targeted company would have to replace every fax machine's ink cartridge multiple times a day, costing tens of thousands of dollars per affected office. The company would be unable to take sales, support or billing calls, so the customers would be unable to receive support, so the company would lose potential future customers and current customers, costing tens of thousands a day or more depending on how long this attack keeps them from operating. To completely shut down a company's site the attacker would want to consider having a separate pool of machines to act like web spiders; the machines would spoof to appear to be spiderbots and not repetitively query the same URL, which would help bypass detection of session attacks, traffic attacks, etc. You could have the malware randomize the next URL that was detected to have enough randomness in the queries to bypass pattern- and session-based attack detection/protections. This attack would be geared towards the company's DNS name so it follows it even after changes in IPs are made. The company's email systems would be unable to filter all the legitimate list signups as spam, so intercompany emails would be rather useless, and intercompany calls as well, since the phone lines would be down.
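The newsletter-signup flood described in Step Four and in the summary above is hard to filter per sender, because every confirmation mail really does come from a legitimate list service. The signal a defender can key on is the burst: one mailbox receiving confirmation-style mail from many distinct senders in a short window. The following detector is an added example, not code from the original post; the log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an inbound mail log (not real data). Assumed format:
# ISO timestamp | recipient | sender | subject
SAMPLE_LOG = """\
2014-11-27T09:00:01 | sales@example.com | noreply@list-a.example | Please confirm your subscription
2014-11-27T09:00:03 | support@example.com | alerts@monitoring.example | Disk usage warning on web01
2014-11-27T09:00:07 | sales@example.com | hello@shop-b.example | Confirm your email address
2014-11-27T09:00:12 | sales@example.com | news@daily-c.example | Activate your newsletter signup
2014-11-27T09:00:15 | billing@example.com | ap@vendor.example | Invoice 4421 attached
2014-11-27T09:00:20 | sales@example.com | mailer@forum-d.example | Verify your account
2014-11-27T09:00:31 | sales@example.com | noreply@list-a.example | Please confirm your subscription
2014-11-27T09:00:44 | sales@example.com | updates@store-e.example | Confirm subscription to Deals Weekly
2014-11-27T09:00:58 | sales@example.com | signup@portal-f.example | Verify your email to finish signing up
2014-11-27T09:05:00 | support@example.com | noreply@ticketing.example | Confirm your email address
"""

# Subjects typical of double-opt-in confirmation mail. Tune to your own traffic.
CONFIRM_SUBJECT = re.compile(
    r"(confirm|verify|activate)\b.*\b(subscription|email|address|account|newsletter|signup|sign)",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one log line into (timestamp, recipient, sender, subject)."""
    ts, rcpt, sender, subject = [f.strip() for f in line.split("|", 3)]
    return datetime.fromisoformat(ts), rcpt.lower(), sender.lower(), subject


def detect_signup_flood(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {recipient: peak distinct-sender count} for every mailbox that
    received confirmation-style mail from at least `threshold` distinct senders
    inside any `window`-long sliding interval. Counting distinct senders rather
    than messages is what separates a signup flood from one chatty list."""
    recent = defaultdict(deque)  # recipient -> deque of (timestamp, sender)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, rcpt, sender, subject = parse_line(line)
        if not CONFIRM_SUBJECT.search(subject):
            continue  # ordinary mail never enters the window
        q = recent[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop entries that fell out of the sliding window
        distinct = {s for _, s in q}
        if len(distinct) >= threshold:
            alerts[rcpt] = max(alerts.get(rcpt, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for mailbox, count in detect_signup_flood(SAMPLE_LOG).items():
        print(f"signup flood: {mailbox} confirmations from {count} distinct senders")
```

A flagged mailbox can have confirmation-style mail diverted to a quarantine folder for the duration of the burst while ordinary mail keeps flowing, which addresses the author's point that the signups cannot simply be marked as spam.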

The future evolution of malware will be geared towards remaining as anonymous as possible and bypassing future detection/pattern-recognition techniques used against malware. It will slowly turn into a Stuxnet-like beast of a malware trend in which the attacker will need only to launch the attack through an untraceable method and then never have to work on it again. DDoS attacks are expected to end after 24 hours; however, a non-stop, continuous set of attacks will be the future.

Thursday, November 20, 2014

Analysis of Swatting Methods and Potential Ways of Complicating Investigations in the Future


Hello all, it's been a good long while since I posted any security-related ideas or analysis, and as such I felt it was time to post something new.

WARNING: I do not condone any types of malware, as they are illegal to install on any other person's system. I also don't condone placing any fake/illegitimate calls to the police in order to initiate the prank itself. Finally, I do not condone anyone using any of the below-mentioned techniques; this is all simply theoretical and my beliefs on how the future of such calls will be made in order to prevent prosecution of the originating caller themselves. Please do not use either of the below methods or the discussed specific ideas for anything other than educational reasons. The below 2 theories are only a handful of the potential future methods hackers may use to abuse the protective systems of our police SWAT members.

As most of you are aware, a rather new type of commonly used prank has surfaced called "Swatting". This prank relies on 3 main factors.
  1. A target for the actual SWAT raid to be used against.
  2. A story that an emergency 911 operator can believe.
  3. Finally, the call must be made to start the process of the police actually performing the SWAT raid on your target.
What has been used thus far for many of these SWAT incidents are VoIP calling services, or burner phones that are bought with cash and then disposed of as soon as the call is made to the police station.
However, both of the methods used thus far have many issues that can result in the calls being backtraced or backlogged to the original caller's identity.

There are many ways these systems can be backlogged/reviewed to determine the caller's identity; that is why these methods have led to arrests of people in the past. However, there are other options for how to make such calls without them being backtraced to the actual caller in the first place. I will describe in detail below how a person could make these calls and remove any digital methods of backtracing who initiated the call itself.

Now it should go without saying that any use of a computer at all should be done on a system that has a virtual machine running on it that is encrypted and then deleted following any research or use of the system. Then obviously the physical drives should be wiped and the computer should never be used for any other reason. Also, as it may not seem obvious, any IPs, hardware addresses, etc. should all be spoofed. Using any identifying medium is just asking for trouble.
--------------------------------------------------------------------------------------------------------------------------

1st Theory - Using Malware to Create Degrees of Separation.

A malicious individual who wants to make the call itself seem more legitimate might want to determine the best way to go about writing the malware that would allow this to take place in the first place. The language of the malware is not as important as the need to make it more universal as to the types of machines that it can affect. The potential features of such malware would include the following.

  1. A check for whether or not the GEOIP location of the infected machine has been registered as being infected in the past. This is important to limit the targets down to only 1 machine per GEOIP location; this will play into creating more authentic-looking calls to police stations.
  2. The backend connection would be made through either the I2P or Tor network to allow a more anonymous and harder to block method of communication. The check for whether a GEOIP location for the IP had been previously infected would be made through this network in a decentralized manner. If the reply back stated it had a machine already infected at that location then the malware would remove itself and take various methods to erase its digital tracks. The GEOIP lookup would be performed in a non-anonymous manner from the infected machine itself to get the public facing IP address location instead of the one I2P or Tor may provide.
  3. The malware would exploit a free online service such as https://www.spooftel.com/freecall/ to spoof the callerid and number origin that would initially be seen by 911 operators for the target police station, this would allow the police to take the callers word with more initial belief.
  4. The malware would also need to have its own set of default stories to draw from, the malware would want to have a realistic Text-to-Speech backend from one of the many public libraries for Text-to-Speech available.
  5. In order to be able to launch a targeted attack (a phone call to get SWAT to raid a target) the malware would need to perform a lookup every so often (a randomized time value to eliminate pattern-recognition detections; however, it would need to vary between 10-60 minutes to avoid extensive network traffic). The lookup would request specifically whether a target had been named yet for the end-result phone call; if it had, then a secondary check would verify whether any other infected host had made a phone call yet to the target phone number. The previous lookup would also need to return the target's address to the malware in order to read it off to the operator.
  6. The malware would then place the call using the text-to-speech library to read out one of the pre-written stories. The malware would need to monitor the incoming sound of the VoIP call itself in order to recognize whether an operator had answered the phone call yet; if it detected that they had, then it would begin to read the pre-written story into the VoIP call and then hang up as if the line had been forcibly disconnected by the target mentioned in the call.
  7. Finally, the last step would be for the malware to remove itself and any libraries or digital records that could prove that the malware had existed on the machine in the first place.
  8. The obfuscation needed to bypass most if not all anti-malware detection services would be to use encryption that was based on a unique factor of the infected machine, such as its listed MAC address; that would be the encryption and decryption key for each section of the malware. The malware would also need to exploit types of file modification that are not able to be seen as malicious by anti-malware companies. An example would be to make changes to the files using packing software used by games and such. This would help bypass de-obfuscation techniques while also making it so the anti-virus couldn't detect malicious file actions being taken. This would also make it much harder to deploy updates that could unpack the malware.
The pros of the above plan are that backtracing the digital footsteps of the call origin would be nearly impossible. Also, the call would originate from or near the intended target in the first place, to make the call more authentic. A simple check through online distance-mapping software would be made for each infected machine before it made the call; this query would be made only if none of the infected machines had the same origin city/state as the target. The reply would be sent only if within, let's say, 50 miles of the target city or from the same city.

The cons are that first you would need to write the malware that bypassed the anti-virus/anti-malware services available and that bypassed behavior-detection techniques (running a script from the origin program can commonly confuse behavior-detection techniques), and finally a method of delivering the malware would need to be both very public as well as appearing to be trustworthy. Also, the time required to infect tens of thousands of machines that had unique GEOIP locations could be very long. The person making the call would need to worry about their malware being detected, as well as how they could communicate with the malware in an anonymous manner to initiate the attack in the first place.
--------------------------------------------------------------------------------------------------------------------------
2nd Theory - Using mobile technology as an asset.

Now this theory would be harder to implement in both a reliable and hard-to-traceback manner. The requirements for this second theory are the following.

  1. The malicious caller would need to purchase phones for cash in a much harder to track manner. The idea would be to travel out of state and purchase a burner phone for cash in a retail environment. The perfect time to do this would be during the winter, as you have an excuse for wearing a jacket or coat that would help hide your physical identity.
  2. The burner phone would need to be off until the call is to be made against the target. This is to prevent any track records of where and when the phone connected to the networks prior to the call.
  3. The call should also be made from a location/area that has little to no cameras, and it would probably be better to make it very early in the morning, say 4-5am; this would give time for SWAT to prepare for the raid on the target.
  4. The caller should not use their own voice, or even their own voice with a voice changer. Again, relying on text-to-speech software would help eliminate being traced back through your voice.
  5. All of this combined would make it so you're not recognized through your voice, number, or physical appearance when the phone was purchased. This would eliminate nearly every method of backtracing the original caller.
The pros of this method are that the resources required to implement such a solution are very limited, and by eliminating all the identifying factors it should be nearly impossible to trace back to the origin.

The cons are that you would need to wait an extended amount of time before placing the calls after purchasing the phone. In the above example, waiting 4-6 months or even a year might be best to eliminate video/audio records from in-store cameras and witness statements about who actually bought the phone. If you made the call a short time after purchasing the phone then people may still remember who purchased the phone and when, since it was a short time before they were questioned.