web application security lab

Conversations With a Blackhat

I’ve been spending more and more time talking to blackhats lately. Frankly, I think they’re fascinating people, and have a lot to teach the rest of us. With the solemn promise that I won’t try to put them in jail, we can have free flowing conversations which aid us all in thinking about the problem space. I’ve certainly learned a lot. Anyway, I got into a conversation with one of them about how he believes that a lot of the security put in place is actually doing a pretty good job.

The basic premise of the problem, from his perspective, is that hacking directly just isn’t as easy as it used to be, at least for someone like him. He’s not the type to hack randomly; he’s only interested in targeted attacks with big payouts. Sure, if you really work at it for days or weeks you’ll get in, almost always, but it’s not like it used to be, when you’d just run a handful of basic tests and you were guaranteed to break in. The risk is that now, when he sends his mules to go cash out, there’s a chance they’ll get nailed. Well, the more I thought about it, the more I thought that this is a very solvable problem for the bad guys. There are already other types of bad guys who do things like spam, steal credentials and DDoS. For that to work they need a botnet with thousands or millions of machines. The chance of a million-machine botnet having compromised at least one machine within a target of interest is relatively high.

So let’s say I’m badguy1, who wants to break into one or more companies of interest. Sure, I could work for days or weeks and maybe get into one or both of them, but at the risk of tipping my hand to the companies, and there’s always a chance I’ll fail entirely. Or I could work with badguy2, who has a botnet. I could simply give a list of IPs, domains or email addresses of known targets to the bot herder and say that instead of paying a few cents to rent some arbitrary machine for a day, I’ll pay thousands of dollars to get a bot within the company I’m actually interested in.

This tactic reminds me a little of the movie Wall Street. You have a failing company (in this case a botnet that will probably only last a year or two). If the company continues on its course it’ll make a pretty good amount of money, but nowhere near as much as if the owners break the company up into pieces and sell them off one by one to the interested parties. It’s an interesting, and scary, thought, but it could easily be used to avoid the cost and danger of individual exploitation against a company for a hacker interested in targeted attacks. Instead, a brokerage for commodities (bots that come from interesting IPs/domains) could be created and used to sell off the individual nodes. Using the existing backdoor into the company greatly reduces the risks involved for badguy1, because it’s guaranteed to be successful, without all the noise of a targeted attack.

If you were a blackhat, how much would you pay to have access to a machine inside of an organization that will lead to the big payout?

15 Responses to “Conversations With a Blackhat”

  1. thrill Says:

    I was going to argue that it might be hard to distinguish the specific company the machine is located at given the proliferation of internal domains (most of the time stupidly called .int), but then I realized that you really just need to watch mail traffic.. whether POP, IMAP or Exchange..

    I also guess that looking at the internal domain, whether LDAP or AD would still reveal quite a bit about the organization.. all hail pride of the workplace in exchange for information leakage.. :)

    –thrill

  2. roflwaffles Says:

    How do we get on to your “blackhat” list?

  3. RSnake Says:

    @roflwaffles - email is easiest. You can find it on our “about us” page.

  4. Matthew Wollenweber Says:

    That’s quite a clever strategy. I’m curious how the exchange might be implemented. Basic exchanges exist for credit cards and the buying and selling of botnets, but the details of this sound a bit more challenging.

    The attacker has to provide a target list and/or the botnet guy has to provide a list of compromised hosts. To do that there needs to be some measure of trust or a technical medium to ensure they’re not going to jail - for blackhats risk tolerance needs to be fairly low.

    The other thought is that many bot infections seem quite transient. Access to a particular bot has marginal value due to the common methods of generating revenue used by bot herders. You write above that access to a particular box is a few cents - clearly not something “valuable”. The challenges of maintaining access to wait for a buyer are different than for pay-per-click, porn referrals, or fake-av. In those common cases, propagation and rapid activity are fruitful, but for long-term access further propagation is your enemy, as that increases detection and lowers your chance to maintain access.

    The complexities are probably enough to get an economist thinking. But I suspect that if a trusted exchange emerged it would be quite lucrative.

  5. William McBorrough Says:

    Interesting post, however I don’t see this idea as particularly novel. This is just the natural evolution of the concept of “botnets for rent”. I think the key here is being able to provide the bot herder a list of potential high-value targets. This would seem a rather risky proposition for the herder, however, as he would be putting his botnet at greater risk. The secret sauce in a successful botnet is to have it under the radar as long as possible. Bigger risks = bigger rewards, I guess.

  6. skibear Says:

    Fantastic idea - and sure to be in use already by significant buyers of information.

    I read a great article about how the black-hat industry is splitting into various professional roles, depending on risk and knowledge, spreading risk and having multiple suppliers. The constraining factor would probably be trust and honey-pots (black or white hat).

  7. weev Says:

    @Matthew–

    Providing a target list isn’t a big deal. Security officers already assume that their network is under attack– it is the default model.

  8. Captain Erik Says:

    You are trading one risk for another. The botmaster has to get his name out to potential clients and becomes a more likely target for law enforcement. Not saying it is impossible, but just that adding one more transaction in the chain of transactions adds more risk.

  9. Joe McGean Says:

    Nice article, good idea… really gets one thinking. As far as how, and all the naysayers go… You said it already: IP address & mail server. DNS MX record for the Fortune 500. 500 records, do you have it, yes or no? At that rate, the Fortune 1000. So it would be a host on the same subnet as the mail server; that will do. As we all know already, botnets are a real security issue, and this article raises other interesting questions that make them more of a threat.

  10. Adam Muntner Says:

    @Joe - Why would a host on the same subnet as “the” mail server get one, anyway? And how would you know what their DMZ subnet network sizes are?

    @rsnake - cool idea, but I wouldn’t worry about this too much. The real big risk for these guys is getting the cash. For an even marginally clueful attacker, internet-based attacks approach risk free, whereas the risk of being caught electronically trying to contract for specific access to a company is high.

  11. inrouted Says:

    A great idea on paper, but further expanding on your analogy with Wall St.: getting the pilots and the flight attendants on board for the purchase is problematic. Mr. Wollenweber touched on some modicum of trust being present in the deal, which I find highly unlikely (and completely ironic given the parties involved in the transaction). I vote to use credit cards as the payment method of choice :)

  12. butters scotch Says:

    Please don’t tell me it’s because of blackhats and the like that I keep getting viruses?! Arg!! I’m begging you, I really wanna learn how to hack just to send the people who give me a virus a virus right back at them that completely damages their computer to where they have to get a new one! :) Sounds like fun!

  13. Emily Says:

    Hey guys (and gals). I don’t know whether you all have heard, but there’s a new con on the East Coast (Miami) - Hacker Halted. Anyone know anything about it? The only thing I know was about the rad party they had on a yacht last year. And they’re back in Miami again this year.

  14. Connie Says:

    I’m not interested in hacking into anyone’s email to see what they’ve got going on. What I would like to know is how I can be invited to House of Hackers to speak and exchange ideas with these fascinating people. Can anyone help me with this? I have an idea on a project that would not only be fascinating to them but challenging, and rising to a challenge is something I do well in all areas of my life. Any assistance would be appreciated. Thank you.

  15. Lindsay Says:

    Like Connie, I have a question for a hacker and would like to speak with one. My request is for a black hat, which I am not sure anyone on this site / the House of Hackers site is. I’m not even sure if my request can even be completed, but I guess that is the point of me trying to find the best computer hackers. Please contact me back so I can see if it is even possible. Thanks.