Giving hackers a dose of their own poison

Technique allows agencies to turn hackers' tools against them

Hackers who attack federal Web sites may soon be in for a dose of their own poison. Government agencies can turn attackers' own malware against them, and some may already be doing so, according to reports.

Security consultant Andrzej Dereszowski demonstrated his proof-of-concept idea last week at Black Hat Europe. While such counterattacks would be illegal for private companies, some government agencies may be permitted to use them, or already do, Kelly Jackson Higgins reported this week in Dark Reading. The techniques are similar to those used in botnet-infiltration research, Dereszowski said.

Although an IT professional would need reverse-engineering and exploit-development skills to use it, the method is generic and could be applied to other cases, allowing organizations to analyze and respond to malware attacks quickly, Dereszowski said.

Dereszowski's proof of concept exploited a buffer overflow bug in Poison Ivy, a remote-access trojan that had arrived in a malicious PDF sent to a pharmaceutical company. Running the infected sample in a virtual machine, he turned the attack against the trojan's own command-and-control server.

Dereszowski started from the assumption that the malware's code was publicly available online, which let him obtain the command-and-control software and run static analysis on it to find the bug. He then delivered Metasploit shellcode that opens an active connection back from the command-and-control server. The counterattack would be invisible to the attacker and would exit the system cleanly once finished, leaving the exploit in place as a window into the server.

This form of counterattack could apply to other trojans, such as the pervasive Zeus Trojan, Dereszowski said, as long as the defender has access to the attacker's server and to the malware code. While the counterattack could theoretically "do lots of damage because you would have full permission on their host," the actual effect depends on how well the attacker's own systems are protected, he said.
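The class of bug at the heart of the demonstration, shown here as an added illustration that is not Poison Ivy's code, Dereszowski's exploit, or anything from his white paper: a constructed check-in parser of the kind a command-and-control server runs over bytes sent by the implant. The message layout (one length byte, a hostname, a 4-byte little-endian bot ID), the struct and all function names are assumptions of this example. The unsafe handler trusts the length byte from the wire, which is exactly what lets an implant under the defender's control overflow the server; the safe handler bounds every copy against both the destination buffer and the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: NOT Poison Ivy's protocol and NOT the exploit from the
 * white paper. Assumed check-in layout sent by an implant to its C2 server:
 *   [1 byte: hostname length n][n bytes: hostname][4 bytes: bot ID, little-endian]
 */
#define HOST_MAX 32

struct checkin {
    char hostname[HOST_MAX];
    uint32_t id;
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* UNSAFE handler: trusts the length byte from the wire. A check-in with
 * n >= HOST_MAX writes past hostname, and a short message reads past msg.
 * This is the bug class the article describes, written in deliberately; it is
 * never called with hostile input here because doing so is undefined behaviour. */
int parse_checkin_unsafe(const uint8_t *msg, size_t msglen, struct checkin *out)
{
    if (msglen < 1)
        return -1;
    uint8_t n = msg[0];
    memcpy(out->hostname, msg + 1, n);   /* no bound on n */
    out->hostname[n] = '\0';             /* may write outside the struct */
    out->id = read_le32(msg + 1 + n);    /* no check against msglen */
    return 0;
}

/* SAFE handler: every length is checked against both the destination buffer
 * and the bytes actually received before anything is copied. */
int parse_checkin_safe(const uint8_t *msg, size_t msglen, struct checkin *out)
{
    if (msglen < 1)
        return -1;
    uint8_t n = msg[0];
    if (n >= HOST_MAX)                   /* leave room for the terminator */
        return -1;
    if ((size_t)n + 1 + 4 > msglen)      /* hostname and ID must both fit */
        return -1;
    memcpy(out->hostname, msg + 1, n);
    out->hostname[n] = '\0';
    out->id = read_le32(msg + 1 + n);
    return 0;
}

/* Implant side: encode a check-in. Returns bytes written, or 0 if host is too
 * long for the one-byte length field or buf is too small. */
size_t build_checkin(uint8_t *buf, size_t buflen, const char *host, uint32_t id)
{
    size_t n = strlen(host);
    if (n > 255 || buflen < 1 + n + 4)
        return 0;
    buf[0] = (uint8_t)n;
    memcpy(buf + 1, host, n);
    buf[1 + n] = (uint8_t)(id & 0xff);
    buf[2 + n] = (uint8_t)((id >> 8) & 0xff);
    buf[3 + n] = (uint8_t)((id >> 16) & 0xff);
    buf[4 + n] = (uint8_t)((id >> 24) & 0xff);
    return 1 + n + 4;
}

int main(void)
{
    uint8_t wire[300];
    struct checkin c;
    int rc;

    /* A legitimate check-in parses with either handler. */
    size_t len = build_checkin(wire, sizeof wire, "host1", 0x12345678u);
    rc = parse_checkin_safe(wire, len, &c);
    printf("safe, normal:    %d (%s, %08x)\n", rc, c.hostname, c.id);

    /* A check-in carrying a 200-byte hostname: the safe handler rejects it; the
     * unsafe handler would write 168 bytes past hostname on the C2 host. */
    char longhost[201];
    memset(longhost, 'A', 200);
    longhost[200] = '\0';
    len = build_checkin(wire, sizeof wire, longhost, 0);
    printf("safe, oversized: %d\n", parse_checkin_safe(wire, len, &c));

    /* A message cut off after three bytes: rejected instead of over-read. */
    printf("safe, truncated: %d\n", parse_checkin_safe(wire, 3, &c));
    return 0;
}
```

The same mistake appears on the implant side, which is why the technique generalizes: whichever end of a malware protocol parses the other end's bytes without checking them is a target, and the defender who controls the infected machine controls what the implant sends.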

Targeted attacks on government agencies are common and on the rise, and are frequently carried out by other governments to steal data. In a recent poll at FOSE, reported by GCN, 94 percent of government and related information technology professionals said they believe federal agencies and networks are attacked every day. The findings were similar to those of CDW-G's November 2009 Federal Cybersecurity Report.

A copy of Dereszowski's white paper on the counterattack research, released March 15, is available for download (PDF) at http://www.signal11.eu/en/research/articles/targeted_2010.pdf.

About the Author

Kathleen Hickey is a freelance writer for GCN.


Reader Comments

Fri, Apr 23, 2010

John K said, "... Better to expose the attacker than start a game of escalation?" NO! Better to track the perpetrator down through however many servers one needs to and bring him or her back for a public hanging on the Mall in Washington.

Thu, Apr 22, 2010 JackB San Bernardino, CA

Printable format, nice. Emailable format good too. Readable format, missing?

Thu, Apr 22, 2010 Editor

Editor's note: To the reader who asked about the link to the white paper, the link does work. Maybe you could try pasting in the URL: http://www.signal11.eu/en/research/articles/targeted_2010.pdf

Thu, Apr 22, 2010 Southeast US

If the counterattack is used only as an information-gathering tool to learn about the attackers, it should become obvious within days, if not hours, whether the server is the hacker's or a compromised server acting as a 'bot. Gather enough information from the server and one might find the source of the malware on the server. Tracking it back far enough should lead to the hacker's system(s). By the way, could someone at GCN fix the link to the white paper? I can't seem to download it.

Thu, Apr 22, 2010 Todd W

I disagree that a counter attack on a compromised server would be a friendly fire incident. If their server is being used to attack a government system then it is not a friendly target. If their security is lax enough to become compromised then they deserve to at least have their systems shut off so they know there is a problem. I would suggest sending the controller of the system an email from the server detailing the compromised state of the server.
