Archive for July, 2009

Korean DDoS

Saturday, July 25th, 2009

For the past few weeks, I’ve spent considerable time investigating and discussing the botnet DDoS that attacked US and South Korean government sites.

I’ve had numerous discussions regarding the attacks. Overall, I’m very unimpressed by the traffic. Reports indicate that on average, sites saw ~25 Mbps of traffic. My home network has a 20MB uplink, so I cannot imagine that significantly impacts government organizations or even mid-sized enterprises. Reports also indicated brief throughputs of up to ~120 Mbps, which is by far more considerable but, again, should be easily mitigated.

The most surprising aspect of the attack was the response by investigators. The term ‘Cyber War’ started being flung around. Everyone said the North Korean military must be involved. I looked at the bot software. To me, it looked like a bunch of random code snippets clumsily tied together. The idea that a nuclear-armed nation state or even a notable organized crime entity produced it bewilders me.

I wrote a paper that broke down my opinion into a repeatable methodology. Basically, it formalized that if people who write similar code, reverse-engineer malware, and execute pen tests look at a sample and say a teenager with Metasploit should do better, it’s not a nation state. But alas, the paper made me feel like a tool. Formally detailing my (experienced) opinions didn’t seem more relevant or thoughtful than simply stating them, which were widely ignored, as cyber war is much sexier than pimply boys having fun with a botnet.

A response to “No one sells gold for the price of silver”

Friday, July 24th, 2009

The article published by Microsoft a few months ago has been widely discussed. Many argue that contradictory evidence suggests conclusions different from the paper’s. On several levels I’d have to agree. The two most basic arguments are:
1. A sophisticated 0day or botnet platform has innate worth that’s far more valuable than the data presented in the paper suggest. Having both written similar software for hire (as a pen tester) and having seen similar items sold online, I have no doubt that the report underestimates values.

2. A lemon market isn’t necessarily bad when you’re anonymous on the Internet selling virtual goods.

With the second point we begin to diverge into economic theory. I am not an economist. While I believe I can weigh economic arguments, doing so would necessarily lead me astray of my strengths. However, as a native of Baltimore, which has some *cough* minor criminal problems, I can assure you people often buy gold at silver prices. I was admiring a co-worker’s keyboard. It sells for $150 retail. He bought it for $30, brand new, but out of the back of someone’s car.