by kenbaylor 3004 days ago
Here you go... from my 2012 Blackhat presentation. It then shows the issues of attribution as everything comes from the infected machine... sorry it's dated, but nothing has really changed.

https://www.youtube.com/watch?v=XvoiI5gJ7-0

2 comments

Nobody is disputing that, given a remote-access tool running on a machine, actions taken by that tool are seen to come from that machine.

What is being disputed is that making it look like it came from a Russian intelligence officer specifically, as opposed to from some random infected machine somewhere, is easy. I see that you're claiming that if you set up a botnet and start infecting people and wait, you'll eventually get someone who works for a bank or someone who works for the military, sure. But what are the chances that you'll find someone who happens to work for the specific intelligence agency that is widely suspected as being the actual perpetrator?

Are you claiming that lots of botnet operators happen to have infected so many machines that their chance of being able to get to the machine of an employee of any government agency in the world is high? That the average GRU officer has hundreds of RATs in their home from hundreds of bored teenagers around the world?

Hopefully I addressed it in the section above.

I believe that intelligence agencies are targeted all the time, and keeping machines clean is not that easy. Certain governments (like Singapore) adopted an air-gap approach, so the machines you use for work don't touch the internet.

But even then, it would be a lot easier to infect that person's home machine... Many of the people visiting Guccifer's site were normal people, some were from intelligence agencies (proportionally probably a lot more than visit a normal site).

Assuming you had AWESOME undetectable malware, you'd have to infect the lot, get them to report in, and ferret out the interesting ones. Not exactly a weekend project, but if this was your passion in life, very achievable.

Spear phishing these guys is hard, watering hole may be easier.

Nice talk! I just 1.5x-ed thru the first ~30 mins.

I still think we're talking at cross purposes though - I'm not disputing Zeus works, I'm disputing that it's "super easy" to identify and then infect a machine attributable to "an intelligence official in another country".

I mean - if all I need to do is make a tcp connection - all I need is an <img> tag in a web page - the big problem is getting that webpage and/or RAT onto a GRU officer's work computer.

(And if you _do_ cover how to do that in the remaining bit of the talk, I'd love to know...)

Don't you also have to somehow get the up-to-date list of IP Address to Employee Name (as seems to be the claim)?