I am glad to be writing once again with some theories I have been considering as the potential evolution of malware as a whole.
This post regards specifically the use of Malware, anonymous networks and attempts to automate the process of long term attacks against a target.
-----------------------------------------------------------------------------------------------------------------------
I will set this post up as a question answer kind of thing to help make it easier to explain.
Question: How will DDoS attacks of the future look like and be capable of?
Answer: As many of you are aware malware mutates/evolves as time goes on. Some of the features and types of targeted attacks I have witnessed take little to no technical skills to accomplish. The real threat is the malware writers who view things from the long term perspective. DDoS attacks of the future will incorporate advanced Artifical Intelligence programming to scan and find vulnerable services on a companies IP range they own. These services will include fax machines, phone systems, and online chat systems on a companies site to DDoS all customer avenues of reaching out to the company for help in the first place. Also, the last type of DDoS attack could crash many small to mid sized business out there, that is to perform spam attacks against a target set of company email addresses, this spam will end up being things likely to bypass spam filters such as email list signups and such.
Question: What are the methods to help mitigate the above mentioned types of DDoS attacks?
Answer: This is a complicated issue as they will be targeting any means of communication that a customer could use to get in contact with a company. In regards to mitigation methods to help make the attack less effective the common and most used method is to simply blackhole the targeted IP Address for 24 hours, possibly get a DDoS protection service such as cloudflare, etc. However, DDoS targeting phone systems and email systems and fax systems are basically unprotected. There needs to be a evolution of defensive stratedgies and techniques because the employees at each of the top companies are nearly completly unprotected from many types of these attacks.
Question: What services and how would these services be attacked from malware on tens of thousands or even millions of infected machines?
Answer: I will shortly cover what and how these would be attacked.
- Fax Machines - The attacker would have his malware us its programmed AI to scan the company owned phone numbers on a 6~12 hour interval which would be randomized. Basically it would scan every phone number and look for any and all fax machines and save them to an internal list. Then the infected machine would move onto the next set of checks.
- VoIP Phone Systems - Again the malware would automatically scan the company phone numbers except this one would scan once a day and just recheck the phone systems for active phone lines. Then the malware would move onto the next step.
- Online Chat Support Systems - The malware would need to be programmed with a database of tactics on how to initiate and send messages to major companies, this database would need to be able to be updated if and when the attacker wants to add a new target. Therefor this would be done through an anonymous service like I2P or ToR. Again as mentioned in the Swatting post it would have a decentralized connection setup to avoid single points of failure. The malware would then move onto the last and final check.
- The last and final check is to check if the target has been blackholed. It would check to see response times and for timeouts from dropped packets. If this is the case then it will perform a very fast network scan for the companies website that has been updated/changed to bypass these attacks.
- Now finally, in regards to the attack these are the logical steps after all the checks passed.
- Step one - Attack all detected fax machines with pure black ink images so all fax machines would run out of ink and be unusable this entire time. The method for this would be to hide the origin traffic through tor or I2P which would let your infected machine maintain behind a constantly change web of new jump points. Every 15 minutes the tor route should be changed to keep the attack ever changing and to make it nearly impossible to block based on IP Address.In regards to bypassing any attempts of detecting pure black ink images the attack could shift random white areas and sizes into the image/scan sent to the fax. That should elude any of the protective measures for trying to stop this attack median.
Step Two - Now that your infected system is actively attacking the companies fax machines the malware will active its next layer of attack. This would consist of loading the list of active phones that were in the companies phone range of numbers owned. The malware would then send a call to each of the lines in question again while hiding behind Tor or I2P and have it be totally random static combined with some random silence. This should defeat any detectable/blockable methods.
Step Three - Online chat support systems. This step would query the internal database that is up to date within the malware from the earlier checks. Then it would take the needed steps to initiate a support chat with the company, using an advanced chatbot backend with decent AI would allow you to drag the conversation out to fill up the chat support systems. Also, it could look for things like "Support Rep. John Smith terminated the support chat". And then it would repeat the same process again and again non stop. This attack would only hault if the site became unreachable, which could be from simple overload or possibly the IP/site being blackhold. If it was blackholed then it will scan the company IP range again and look for which IP the company changed the website to that the old IP was handling. Once found the process would begin again.
Step Four - Spam/Email DDoS attack. Now this one would need to be done from the attacker itself, reason being is because it would require the attacker tosign up for tens of thousands of newletter sites, news updates, etc and that means youll need a list of emails to sign up with from the get go.This final attack would complete the whole range of ongoing and non-stop attacks. Once this attack was launched and all the attacks initiated and used then effectively the company will be unable to function.
Question: So in summary how much impact would this type of attack have against a company?
Answer: Finally, heres a short summary of how big of an impact this will have against a target company. The targeted company would have to replace every fax machines ink cartidge multiple times a day costing 10's of thousands of dollars per effected office. The company would be unable to take sales, support or billing calls so the customers would be unable to receive support so the company would lose potential future customers and current customers costing 10's of thousands a day or more depending on how much this attack keeps them from operating. To completly shutdown a companies site the attacker would want to consider having a seperate set of pool of machines to act like webspiders, the machines would spoof to appear to be spiderbots and not repetatively query the same URL, this would help bypass detections of session attacks, traffic attacks, etc. You could have the malware randomize the next url that was detected to have enough randomniss in the queries to bypass pattern and session based attack detection/protections. This attack would be geared towards the companies dns url so it follows it even after changes in IP's are made. The companies email systems would be unable to filter all the legitimate list signups as spam so intercompany emails would be rather useless and intercompany calls since the phone lines would be down aswell.
The future evolution of malware will be geared towards remaining anonymous as much as possible and bypassing future detection/pattern recognition detection attacks against malware. It will slowly turn into a stuxnet like beast of a malware trend in which the attacker will need only to launch the attack from a untraceable method and then never have to work on it again. DDoS attacks are expected to end after 24 hours however a non-stop continuous set of attacks will be the future.
The future evolution of malware will be geared towards remaining anonymous as much as possible and bypassing future detection/pattern recognition detection attacks against malware. It will slowly turn into a stuxnet like beast of a malware trend in which the attacker will need only to launch the attack from a untraceable method and then never have to work on it again. DDoS attacks are expected to end after 24 hours however a non-stop continuous set of attacks will be the future.