Fujitsu has been commissioned to develop ‘seek and destroy’ malware, reportedly designed to track and disable the sources of cyber-attacks. The fledgling cyber-weapon is the result of a three-year $2.3 million project that also involved developing tools capable of monitoring and analysing the sources of hacking attacks, The …
I call bullshit on this.
>"The most distinctive feature of the new virus is its ability to trace cyber-attack sources. It can identify not only the immediate source of attack, but also all "springboard" computers used to transmit the virus.
>The virus also has the ability to disable the attacking program and collect relevant information."
What a bunch of utter sci-fi garbage. Whoever wrote that has been watching too many hacker movies. Most computers don't just freely allow remote access to anything running out there on the internet; how's it supposed to get in? Does it email itself to the operator of the PC and hope they double-click an attachment? There's no way any of this is even possible. I call marketing snakeoil and cyberwar-propaganda-fud on the whole thing.
Depending on the type of cyber attack, this could be possible. If it's a phishing attack for example, the information being stolen needs to be sent to a computer under the hacker's control. If you can attach some means to piggy back on this info and then send details back of the hacker's computer back to the "good guys", then you have your working system.
Additionally, even if a botnet is being used, if you can trace back to the infected zombie computer then installing another program on to the zombie is probably less difficult than you would think (the zombie computer probably isn't very well defended in the first place if it's already in a botnet). Once on the zombie, it could be possible to trace back to the command and control computers of the botnet.
So frankly whilst being very difficult from a technological point of view, and difficult from a legal point of view, the truth is that anytime you want information from someone, you need a return path and that leaves open a door for someone else to trace you.
No, really, what you say just cannot happen.
>"Depending on the type of cyber attack, this could be possible. If it's a phishing attack for example, the information being stolen needs to be sent to a computer under the hacker's control. If you can attach some means to piggy back on this info and then send details back of the hacker's computer back to the "good guys", then you have your working system."
What does "attach some means to piggy back onto this info" even mean? Data doesn't work like that, it's passive, you can't magically add active behaviour to it. Let's consider your phishing attack in detail, rather than vague hand-wavey metaphors: during a typical phishing attack, the user's PC - either directly under their control, because they've followed a dodgy link and been fooled by a fake login page, or perhaps automatically, because they've been infected by e.g. a banking trojan - does indeed send some data to a computer under the hacker's control. This will typically be done over HTTP by sending a POST request. How are you, as some random third party at a distance across the internet, proposing to "attach" anything to that? It's a transaction taking place between two computers, and you won't even know in advance when it's going to take place; unless you're in control of one of the two endpoints, or you're one of the intermediate ISPs, there's no way you can tamper with the packets. Even supposing you could, what's going to happen to that data at the far end? It gets logged into some DB or CSV file and it just sits there, as a record in a database, with something you've added to it. Data doesn't jump up and start doing stuff all by itself; how is that data you've added supposed to phone home in the way you've suggested?
>"Additionally, even if a botnet is being used, if you can trace back to the infected zombie computer then installing another program on to the zombie is probably less difficult than you would think (the zombie computer probably isn't very well defended in the first place if it's already in a botnet)."
This isn't the case either. That computer probably got zombified when the owner double-clicked on an attachment in email, or surfed with a vulnerable browser to a malicious website, or ran something infected they downloaded. It required voluntary action on the part of the operator; there aren't any self-propagating worms to speak of these days. So just because they got themselves infected at some point in the past doesn't mean you can just send something to their machine and it'll be wide open; how are you proposing to get the operator to click on a dodgy link at a time that's convenient to you? And what do you do if they won't play ball?
>"Once on the zombie, it could be possible to trace back to the command and control computers of the botnet."
Yes, indeed that would be the case IF it was possible to get onto the zombie in the first place.
>"So frankly whilst being very difficult from a technological point of view,"
Not just difficult, but impossible in the general case, for the reasons I've explained above. And what is described in the Daily Yomiuri is clearly meant to be some sort of self-propagating virus that jumps from hop to hop through a botnet. This could be done if there's a vulnerability in the botnet client, and you write code to exploit it, but you'd have to do that individually for each different strain of malware, it wouldn't work on any strains that were well enough coded not to have remotely triggerable bugs, and it isn't something that you could code up a generic tool to do automatically in the way that the article suggests.
Who said "generic" and "automatic"?
I don't think AC is wrong in the analysis to say,
"isn't something that you could code up a generic tool to do automatically in the way that the article suggests"
but the article doesn't say that. It doesn't even say it is deployed without the victim's (i.e. owner of the infected machine) knowledge.
My baseless speculation is they are building a framework that they can plug specific tools for different malware into, with the aim of having an easy way to deploy countermeasures to a class of malware. It is easy to find zombies, but difficult to organise an investigation to identify the command and control centres by tracing the connections from the zombies, then getting access to trace where the C&C is controlled from, and back up several layers to the originator multiplies the difficulties. A tool (downloaded, or on a usb stick) that automates the trace would be useful. If it can be easily updated with a module to attack a vulnerability in specific C&C software, then you have the potential to spread through the C&C network, take out the whole botnet and trace the originator of the attack. Finding vulnerabilities in the C&C software is left as an exercise...
Currently, a small number of botnet developers dominate, selling to bot herders. If buying, say, Zeus and deploying it quickly gets you arrested, then the economics will change. Of course, the botnet developers will bring out new versions, that's why the trace software is modular. The arms race continues, but at a higher technical level, and hopefully some potential criminals are persuaded to drop out.
One point just to mention - you kept saying that it's not possible to know when someone will have an infection that's useful or to how they get infected, etc. But my response to that is simple - ever heard of a Honeypot?
As for appending information to data, this is relatively easy, it's how many computer viruses/malware operate, by having one program (legit or otherwise) which is desired and thus installed willingly by the operator, but with a small payload attached which is the virus and which is installed at the same time. Depending on the data being sent between the victim and the upstream, this could potentially be a vector for attack.
But there's no point arguing about this, until someone gets off their butt and codes it into reality, I think we're going to be suffering from malware and zombies for a while yet to come...
I can't wait 'til this gets released into general use....
.....oh, wait a minute.
Very funny that the first commenter is someone sporting the credentials of the group that is probably one of the driving forces behind the software’s creation. Say it does work, what are you going to sue because you were “working” and got your computer taken out, go to law enforcement. ROFL
I'm a programmer, network engineer and sys admin.
That's how I know about this stuff. I'm saying it won't work because I understand the engineering principles behind computers and networks and I know that they can't be made to do what the article claims they're going to try and make them do. You're a self-deluded fool if you think that someone would only say this stuff can't work because they think it'll affect them and wish it wouldn't; I have no personal interest apart from not wanting to see large IT contractors get the idea that it's ok to scam taxpayers' money out of governments by selling them hyped-up bullshit on the back of cyberwar FUD.
This is not the Beyond!
People who downvote AC here are clear into Kuang Grade Mark 11.
"closed network environment"
Well that's a tried and tested way to prove absolutely nothing about a bit of software.
I don't believe it either, that line looks more like "cover all bases" and deny accountability just in case our code is out there mutating as we speak.....
> how's it supposed to get in?
Not heard of zero-day vulnerabilities? Not really your field, is it?
Yes, of course I've heard of zero day vulns, I've even discovered a few.
90% of the kind of home machines that get recruited into botnets are behind broadband routers that serve as NAT boxes. Windows firewall is switched on everywhere. It doesn't matter what vuln you've discovered if the damn thing doesn't have any listening ports and you can't get a packet onto its LAN segment anyway. The suggestion that you can take over any old machine regardless of whether it's running any public-facing services or not is ludicrous. Haven't you noticed that there hasn't been a Code Red or Slammer for so many years now? That pretty much the only active vectors these days are email, browser exploits and infected torrents/other p2p downloads - all of which require user intervention? That these mechanisms are not useful for directly targeting a zombie bot? Do you have the slightest plausible mechanism that can overcome these problems, or are you just asserting a baseless belief?
Guess this isn't really *your* field, after all, since you believe in magic sci-fi super auto-hacking viruses.
Get Real .....Nothing is Real in a Temporary Space. IT is an Imaginative Place.
"The suggestion that you can take over any old machine regardless of whether it's running any public-facing services or not is ludicrous." ….. Anonymous Coward Posted Tuesday 3rd January 2012 17:57 GMT
You think so, AC? I hope you aren't responsible for cyber security anywhere for anyone, for I would disagree with your ludicrous statement, for man is flawed and easily hacked to deliver access to any old or new machine. There are billions of weakest links in that vital viral chain of control and command.
Oh and for those who would be bothered to be interested in Super Astute Hyper Virtualisation for Future Advanced Remote Control of HPC Function and Abilities [Calpurnian firmware for CAESARs hard-wired] you will probably definitely need to know a lot about this ……. http://eprint.iacr.org/2011/710.pdf
Yeah, I do think so.
You can disagree with my statement all you like, but so far I'm the only one presenting facts and arguments, everyone else is merely claiming as an article of faith that it is possible to break into any given machine at any given time. Well put up or shut up, I say. Remember, we're not arguing whether or not there are /some/ insecure machines /somewhere/ out there on the 'net; we're arguing about whether Fujitsu could really write software that can break into *any* machine at any time it needs to.
Vague suggestions of socially engineering the operator don't do anything to explain how Fujitsu could write software that, based on seeing a network packet with some bad data in it, could know who to phone up and try and trick into switching off their firewall or downloading and running some virus. I am responsible for my own computer security, so here's a free pass: you have my permission to go ahead and install something on my PC - if you can - and I won't complain to the law. I'll even give you my IP address to get you started: 126.96.36.199. You won't get in.
The paper you linked to suggests that someone with a trillion dollars to spend on GPUs could crack some AES encryption in a month. Given that that's a fifteenth of the entire US national debt, I can't see them just throwing around that kind of money. And even if they could crack AES, how exactly would that let someone take over someone else's computer?
Hmmm....... San Francisco Intellectually Challenged?
NEUKlearer HyperRadioProActive IT from the Land and Houses of the Rising Sun, Fujitsu San? Now that is what I consider is an absolutely fabulous fabless move. Calpurnian firmware for CAESARs hard-wired.
'The malware is reportedly been tested in a "closed network environment".'
Surely, if programmed correctly, this software would have, immediately upon execution, identified and destroyed itself?
AC of Cambridge @ 17:57
So because you haven't discovered such a vulnerability it's therefore logically impossible for any to exist?
Glad we've got that sorted out.
(I haven't claimed this is my field. (It isn't.) I've noted it doesn't seem to be yours.)
I thought they had those already
they're called IT outsourcing contracts.
The most effective search and destroy cyber-weapon imaginable.
Cue evil cackle
Top o the hat for using both miscreant and nefarious. I'm off to dig out my black cape ...