back to article Chinese cyber-spies hid botnet controls in MS TechNet comments

Cyber-spies are increasingly attempting to hide their command and control operations in plain sight by burying their command infrastructure in the forums of internet heavyweights, including Microsoft. FireEye and Microsoft have successfully shut down the Chinese threat actor APT17’s use of the MSFT TechNet blog to hide their …

  1. John Miles
    Joke

    Could they be using TheReg's comments

    would explain the a AManFromMars comments?

    1. Michael Wojcik Silver badge

      Re: Could they be using TheReg's comments

      On a slightly more serious note: It's quite easy to use plausible(-ish) generated text as a covert channel. One method which should be familiar to anyone who's worked in the area is to adapt Shannon's technique for gauging the efficacy of a natural-language parser, which is basically to run it backward and see it produces natural-sounding text.

      So, you take a natural-language model like a PCFG or a MEMM, "tap" it to expose the internal stochastic state,1 and stick it in your sender and receiver. There are plenty of open-source ones available.

      To send data, you take the datastream and feed it through the model backward as the state probabilities, picking suitable words pseudorandomly. This produces a stream of text that fits the model, so if the model is decent, you get plausible generated text.

      The receiver parses the resulting text and records the state as the model evaluates it, recovering the stream.

      It's not clear from the article or blog post how BLACKCOFFEE was encoding the message on the TechNet forums, and the PDF link doesn't work, but since they were just encoding an IP address they probably weren't doing anything this sophisticated. But yeah, you can use techniques like this to get a pretty fat covert channel out of plain text - fatter than what you could do with regular steganography (like varying word choice, whitespace, typos, etc), and less obvious than simply blatting control data out.

      1Note this turns your Hidden Markov Model into one that isn't hidden, which is mildly interesting from a theoretical point of view.

  2. Alister

    Ooh! Can I use El Reg comments to send messages to my Volcano of Doom Command and Control Headquarters?

    Wait! I've worked it out! That's what amanfrommars2's posts are all about - they're not just disjointed drivel with lots of capital letters!

    Damn, John Miles beat me to it by a second!

  3. Anonymous Coward
    Anonymous Coward

    This is not true

    Completely false and inflammatory article.

    [DL SHELLSHOCK HEARTBLEED POODLE GHOST VIPER][EXEC ALL][WIPE REMOTE]

    1. Tanuki

      Re: This is not true

      BADGERBADGERBADGERBADGERBADGER!

      1. Kevin Fairhurst

        Re: This is not true

        MUSHROOM MUSHROOM!

  4. Anonymous Coward
    Alert

    K5QXE3TJNZTSAIJAK5SSA2DBOZSSAYTFMVXCAZDFORSWG5DFMQQCCICTNB2XIZDPO5XCAYLMNQQHGZLSOZSXE4ZAMFXGIIDUOJQW443GMVZCAY3PNZ2HE33MEB2G6IB2EAZEMM2FGAYTGQJSIFCDQNCC

    1. Vic
      Joke

      K5QXE3TJNZTSAIJAK5SSA2DBOZSSAYTFMVXCAZDFORSWG5DFMQQCCICTNB2XIZDPO5XCAYLMNQQHGZLSOZSXE4ZAMFXGIIDUOJQW443GMVZCAY3PNZ2HE33MEB2G6IB2EAZEMM2FGAYTGQJSIFCDQNCC

      The Product Key used to install Windows is invalid. Please contact your system administrator or retailer immediately to obtain a valid Product Key.

      Vic.

  5. tony2heads

    Trouble is

    Anything at all could be a botnet control; this is just like the Queen of Diamonds for the Manchurian Candidate (60's version!). It is what is next that is the key. Whatever is used should ideally hide in plain sight, liek a typeau: 'rm -Rf /'

    1. Michael Wojcik Silver badge

      Re: Trouble is

      Or more generally, all channels are channels. If you can send a signal, you can send information.

      Research in this area basically boils down to a form of traffic analysis. It's essentially the same as, say, trying to identify machine-generated online reviews, or any other sort of channel abuse.

      People have been demonstrating all sorts of deliberate and accidental covert channels in modern IT systems for decades, with things like EMF leakage, power analysis, IP over DNS, etc.

  6. emmanuel goldstein

    you can listen to an example of a real numbers station here:

    the lincolnshire poacher

  7. waldo kitty
    Facepalm

    A little something from 1996

    ===============================================================

    The proposal that any system will be able to keep encrypted

    messages off it is false. It is too easy to hide messages in

    traffic. Any claim that review by a sysop will even slow it

    down is extremely overoptimistic. It is a trivial task to

    hide anything in a message. Even if you read every message

    in all the echos, you cannot find all the hidden ones.

    I guarantee that those that claim to remove encrypted messages

    off their message base will be those most likely to have them

    posted on their machine unknowingly. How many people can even

    try reading all messages on their systems? Not many...

    I can reassure you that even those who don't have a life, it

    is impossible you can review every permutation of a message.

    Having stated that you will review your message base for

    all the hidden meanings only makes you more liable for your

    messages.

    ===============================================================

    Hint: Read the second column vertically for the example the post carries ;)

    Note: Easier to read with a monospaced typeface.

  8. Stevie

    Bah!

    Does this also explain those Amazon book listings where one might obtain, for example, a secondhand copy of Unix in a Nutshell for $1400 (or alternatively, a new copy for $4)? I used to keep a list of the more outrageous and inexplicable prices quoted by ANY_BOOK.

    1. Destroy All Monsters Silver badge

      Re: Bah!

      No, these are bots trying to "follow the price" of another bot that has a programming error as I understand it.

      A possible experiment would be to take a bog-standard book and set its price outrageously high, then see bot-set prices rocket up to your price, just 10 cents less...

      1. Michael Wojcik Silver badge

        Re: Bah!

        No, these are bots trying to "follow the price" of another bot that has a programming error as I understand it.

        The initial high price that causes other bots to inflate their prices needn't be a bug. It could be one seller trying to inflate all the bot-controlled prices when that seller has another channel for advertising a real, much lower price.

        If I had a used book store, and lacked ethics, I'd be looking at ways to surreptitiously inflate book prices on Amazon Marketplace and the like, to improve my store's competitiveness. And that's one obvious way to do it.

  9. Destroy All Monsters Silver badge
    Paris Hilton

    It's a conspiracy!

    The PDF has disappeared from the Internet? What happened?

  10. Keith Langmead

    Explains

    Well that would certainly explain some of the weirder questions and replies I've seen on Technet, including some from MSFT CSG posters! All this time I assumed they were morons, but perhaps they were C&C bots! :-)

  11. Michael Wojcik Silver badge

    Twitter C&C

    some zombie networks have previously made use of Twitter profiles as a communication channel

    Reviewing the reports of that incident, it appears they were using regular tweets, not Twitter profiles, as the channel.

    There are plenty of legitimate applications that use Twitter as a channel. It's easy for programs to send and receive tweets, so Twitter is basically hosting a fairly reliable broadcast message service. Why build your own, if Twitter will give you one for free? And one that's easy for developers to monitor and inject messages into in the bargain?

    Using Twitter isn't sneaky. It's an obvious choice of an appropriate technology for many applications. Not those that need high reliability or confidentiality or authentication, etc; but there are many that don't.

  12. bbaskin

    More detail on the attack

    FireEye decided not to release any real details on this activity. RSA published a blog post showing exactly how the IP address was encoded and how to decode it. As well as signatures and rules to look for malware on your system that uses it. FireEye just gave a few MD5 hashes for a small set of samples it saw.

    https://blogs.rsa.com/wolves-among-us-abusing-trusted-providers-malware-operations/

  13. Anonymous Coward
    Anonymous Coward

    This exact malware and usage of technet for command and control was actually discussed last year - https://twitter.com/bbaskin/status/603206465864667138

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like