Hackers Beware: You are in the Crosshairs of the ‘Hunter’

You might be naive enough to think that, if a hacker does something bad to you, you can, in turn, do something bad to them. If a hacker holds your computer for ransom, for example, you might think you have the right to do the same to them or at least go after them and cause them some discomfort. If you believe this, however, you are not only mistaken, you are far more likely than the hacker to find yourself in prison. In the real world, you can carry a gun. In the cyber world, you cannot.

You may think this is ridiculous, but there is some basis for this stance. It’s called attribution. It’s very difficult for a victim to tell who the attacker actually is. Criminals may mask their origin in a number of ways. So, if you strike back, you might hit one of the devices they laundered their address through rather than their own. It’s as if you defended yourself against a punch from an attacker by hitting his mother. If you make a mistake and disable the wrong computer or network, you could be accused of hacking. How would anyone know what your true motives were?

 Nonetheless, many believe that victims of cyber crimes should have more weapons at their disposal. Representative Tom Graves of Georgia is one of them. He has proposed the Active Cyber Defense Certainty Act to address this imbalance.  He wants to give the victim the opportunity to “gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network.” Admittedly, this is a little vague. The proposed act adds the following clarification. Such defense “does not include conduct that destroys the information stored on a computers [sic] of another; causes physical injury to another person; or creates a threat to the public health or safety.”

So, apparently, you could hack into a computer of someone you feel is an attacker, look around for evidence that they attacked you, and give that information to law enforcement authorities. It seems the act will also allow you to “disrupt” further attacks against you or your enterprise, but this is open to a wide range of interpretations, especially since you cannot destroy any information on the criminal’s computer.

 In a DDoS attack, one enterprise may be attacked by thousands, if not millions, of computers. So who do you hack back against? True, there is always some organizer behind a botnet attack, but, if cybersecurity experts can’t figure out who that is, how can the average guy running an IT department? In other words, though the proposed act does try to give victims more power, it ends up getting caught in the net of reality. In short, there is little that the average firm can do without either getting themselves into trouble or causing harm to innocent individuals. To add to the confusion, former FBI Director, James Comey, dissuaded companies from hacking back because they may trip over FBI employees who are trying to infiltrate the same computers. In other words, you may start by trying to unmask an attacker and end up being investigated by the FBI.

Currently, individuals and enterprises have few options for turning the tables on hackers. What they do have are honeypots, honeynets, and sinkholes. These rely on points on a network that offer seemingly attractive data to hackers but are, in fact, points of false data. Hackers looking for specific information may be lured in by the data and end up either getting nothing or giving up identifying information. Honeynets are whole false networks that are difficult for a hacker to get out of once inside. Sinkholes redirect attackers to another domain. Such architecture may frustrate hackers but does not really cause them harm. These defenses are also hard to maintain and can be detected by good hackers. In short, they are expensive, passive, malware information collectors. They work only after an attack has already occurred.

Recently, a new attack-detecting program has been getting some attention. It is more active and, to some extent, even proactive. That is, it can sometimes detect an attack even before it begins. This new defense strategy goes under the banner of Malware Hunter and is produced by the developers of the Shodan search engine. I have no connection to the firm. I simply see this as an interesting twist that may be tweaked into a new level of cyber defense. Call it a reverse search engine, if you like. Malware Hunter pretends to be an infected computer/device/network calling back home to its commander. Just as every mother can identify the cry of her own baby, malware command and control (C2) centers detect the specific cry of a device infected by their malware. By responding to such a cry, the commanders give away the servers upon which they lie in wait. They give away their locations, which is the last thing they want to do.


But Malware Hunter does not shoot. It only hunts. Once it finds the C2, it hands the information over to others who may take more direct action. To date, it has found thousands of C2 locations. Those subscribing to the service can get this information and, if they are in charge of a company network, use it to block attacks before they ever occur. New remote access trojans (RATs) have been found before they began their nefarious careers because they were tricked into responding to fake calls created by Malware Hunter. The same C2s used by other RATs unwittingly responded to these calls, thus giving themselves away. It is not a happy development for criminals.

Below is an example of a server that delivers the RAT, DarkComet. It is a comprehensive description of this device, including a map showing its general location. The owner of the device probably has no idea it is being used as a server and may be an innocent victim. The device exists to serve up the RAT and then receive information that it can send on to the C2.

[Image: DarkComet server location]

 If you were a network administrator, you could block communications with this server.
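One way a network administrator could act on such findings, shown as an added example that is not part of the original post or of Malware Hunter: load a C2 feed, derive a block list, and flag internal hosts that have already contacted a listed server. The feed and log contents are constructed, and the record field names, the 10.0.0.0/8 internal range and the name ExampleRAT are assumptions.

```python
import ipaddress
import json

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed address space of the defended site

# Constructed feed export, one JSON record per line (field names are assumptions).
FEED = """\
{"ip_str": "203.0.113.45", "port": 1604, "product": "DarkComet"}
{"ip_str": "198.51.100.7", "port": 8080, "product": "ExampleRAT"}
{"ip_str": "10.0.0.5", "port": 1604, "product": "DarkComet"}
{"ip_str": "not-an-ip", "port": 80, "product": "ExampleRAT"}
"""

# Constructed outbound firewall log: timestamp, internal source, destination, port.
LOG = """\
2017-06-01T09:14:02Z 10.1.4.22 203.0.113.45 1604
2017-06-01T09:14:05Z 10.1.4.23 192.0.2.10 443
2017-06-01T09:20:41Z 10.1.7.80 198.51.100.7 8080
2017-06-01T09:21:00Z 10.1.4.22 203.0.113.45 1604
"""

def load_feed(text):
    """Return {ip: product}, skipping malformed records and our own address space."""
    c2 = {}
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            ip = ipaddress.ip_address(rec["ip_str"])
            product = rec["product"]
        except (ValueError, KeyError, TypeError):
            continue  # never turn an unparseable record into a block rule
        if ip not in INTERNAL:  # a feed entry must not black-hole internal hosts
            c2[str(ip)] = product
    return c2

def hosts_contacting_c2(log_text, c2):
    """Return {internal_host: {(c2_ip, product), ...}} for connections already made."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] in c2:
            hits.setdefault(parts[1], set()).add((parts[2], c2[parts[2]]))
    return hits

if __name__ == "__main__":
    c2 = load_feed(FEED)
    print("block outbound to:", sorted(c2))
    for host, seen in sorted(hosts_contacting_c2(LOG, c2).items()):
        print("investigate", host, sorted(seen))
```

Hosts that show up in the second result have already talked to a listed server, so they need investigation in addition to the block.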

Malware Hunter searches for open ports and accessible IoT devices. During such a search, Malware Hunter will find devices using default passwords. After receiving the results of one of these searches, I found a router still using a default password. I was offered the chance to sign into it and did so.

[Image: default password router]

 This led me to a page where I could have reconfigured the router and changed the login information. However, this would have made life tough for a naive user in Thailand.

[Image: router access]

 Actually, it seems that I could arrange for remote access if I wanted to.

[Image: remote access]

 So, couldn’t hackers use aspects of Malware Hunter to further their attack strategies? After all, if attackers subscribed to Malware Hunter, they could find out if their servers have been uncovered, right? 

Such uses are possible but, these negative points aside, programs like Malware Hunter may become more mainstream if the U.S. government allows firms and individuals to be more proactive in their responses to hacking. For the moment, hackers have the upper hand. The chances of getting caught are low and the chances of paying a price for their crimes are even lower. Malware Hunter might not catch the perpetrator outright, but it may disturb their peace of mind. It is a step in the right direction which could easily be upgraded with, perhaps, a little help from U.S. government intelligence software. Such integration could allow victims to hack back with more precision and more devastation. In short, anything that endangers hacker anonymity is a step in the right direction.



About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.