Infiltrated dot Net

Written by J. Oquendo   

"Intelligence analysts should be self-conscious about their reasoning processes. They should think about how they make judgments and reach conclusions, not just about the judgments and conclusions themselves." Richard J. Heuer

As I performed my analysis of the attack that led to the compromise of the RSA Corporation, I chose to follow the information that was visible to me. I specifically chose to avoid following the herd, and in doing so I believe I got a clearer picture of what companies and analysts miss when it comes to "defense," in depth or otherwise. From an analytical perspective, it would have been quick and easy to repeat the run-of-the-mill response other analysts have given in the past: "It was China! I have proof! See the IP." In the end it is hard to attribute the source of the attack; however, I will stick to my guns and go with an RBN-based attacker as opposed to a Chinese APT.

    "Initial exposure to blurred or ambiguous stimuli interferes with accurate perception even after more and better information becomes available" [1]

    "Once an observer thinks he or she knows what is happening, this perception tends to resist change. New data received incrementally can be fit easily into an analyst's previous image. This perceptual bias is reinforced by organizational pressures favoring consistent interpretation; once the analyst is committed in writing, both the analyst and the organization have a vested interest in maintaining the original assessment" [1]

Information being what it is, and what it was, let's take a step to the side and observe the following statement: "Well I think someone in high places just kicked China in the financial teeth." ... "This is big it makes China look weak so beware China will strike back soon. We should be ready….." [2] Statements such as these about "cyberwarfare" lead to cloudy intelligence. According to the "cyber-expert" on that blog, we are to believe that the attack on the Hong Kong Exchange was possibly retaliation by the United States for the "Shady RAT" attacks. An amazing statement to write when no information to support it was available. Pure speculation, and in the end the attacker was found in Hong Kong. There was no mystical US Cyber Attack Squad. [3] Was there a follow-up to that initial statement on the "cyberwarfare" blog? No. This means that anyone reading that page was led to believe that some grandiose "campaign" occurred or is occurring, and that anyone who stumbles upon that blog in the future is led to believe there are all sorts of cyber-counter-cyber-counter-cyber campaigns, ad nauseam.

Moving away from that site and the comments there, I will now shift to more "satisficing" statements being made by experts in the industry. "The culprit in the RSA was obviously yuange1975! It is all over his Twitter account!" [4] Let us go back to the beginning: attribution of the RSA and other attacks is being done solely on the basis of IP information. However, there is no mechanism to validate who is behind an address. This is something that ALL network and security engineers know, yet many security professionals want to tweak this information to conform to their analysis.

    "Satisficing" ... most analysis is conducted in a manner very similar to the satisficing mode (selecting the first identified alternative that appears "good enough"). The analyst identifies what appears to be the most likely hypothesis, that is, the tentative estimate, explanation, or description of the situation that appears most accurate. Data are collected and organized according to whether they support this tentative judgment, and the hypothesis is accepted if it seems to provide a reasonable fit to the data. The careful analyst will then make a quick review of other possible hypotheses and of evidence not accounted for by the preferred judgment to ensure that he or she has not overlooked some important consideration. [1]

Let us look at the RSA attack without bias for a moment. We have an "advanced threat" that has compromised a company to extract data. They have successfully gained access to and stolen data from that company. They turn around, brag, and taunt us [5]. They have never done so before, but now they decide to start using fast-flux DNS servers, much like those used by RBN spammers. They also move away from their "time-proven" methods and tools, namely gh0st, preferring droppers and bloated attack techniques. That makes little sense. Perhaps China is receiving schooling from the RBN and purposely using RBN tactics to deflect attention.

    "Major intelligence failures are usually caused by failures of analysis, not failures of collection. Relevant information is discounted, misinterpreted, ignored, rejected, or overlooked because it fails to fit a prevailing mental model or mind-set. " Christopher Brady, "Intelligence Failures: Plus Ca Change" Intelligence and National Security, Vol. 8, No. 4 (October 1993).

The theme of "China" being behind this attack started from a blog entry by FireEye [6]. In their write-up, they use the name of whoever last saved the file mailed to the victims: Linxder. They then use extensive Google searching to associate that name with someone in China. Perhaps the search yielded the true identity of whoever sent the file? This is no more concrete than relying on an IP. Who knows, maybe Linxder was selling his exploits on eBay [7]. What state-sponsored hacker doesn't sell stuff on eBay? Perhaps he sold the whole RSA attack theme in a bundle to the highest bidder. A++++

So what else did FireEye and others miss? The "fact" - not speculation - that the original exploit DID NOT, and I quote, "affect flash player and earlier versions." Something so simple, and proven in my analysis video, which can be seen here. So we have a company (FireEye) that digs out a name, associates that name with a quick Google search, associates an IP with a country, and labels it a threat. Compiles a half-checked dynamic malware analysis and calls it a day. Those are the facts according to FireEye and others; here are mine.

Whoever is behind the RSA attack used tactics similar to the RBN's, and a network known to be used by the Russian Business Network (RBN). In most previous cases of "APT" attacks, the attackers followed a pattern: usually a compromise followed by exfiltration of data via HTTPS, not UDP ports. In most previous cases of "APT" attacks, the attackers did not use fast-flux DNS servers.
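Fast flux is raised above as an indicator, so here is what that indicator looks like when you actually test for it. This is an added example for this write-up, not code from the original post or from any cited source: it scores repeated A-record lookups of one name on short TTLs, many distinct addresses spread across unrelated /24s, and answers that change between queries. The lookups (RFC 5737 test addresses) and the thresholds are constructed for the example; no DNS traffic is sent.

```python
"""Heuristic fast-flux check over repeated A-record lookups of one name.
Added example for this write-up; not code from the original post or from
any cited source. The lookups below are constructed (RFC 5737 test
addresses) so the script runs offline; thresholds are this example's own."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Lookup:
    when: int          # seconds after the first query
    ttl: int           # TTL returned with the answer
    addrs: List[str]   # A records in the answer


# Constructed: a name that rotates through unrelated /24s every few minutes
# with short TTLs (flux-like) versus a name with a stable answer and long TTL.
FLUX_NAME = [
    Lookup(0, 180, ["198.51.100.7", "203.0.113.40", "192.0.2.99"]),
    Lookup(300, 180, ["198.51.100.7", "203.0.113.41", "192.0.2.15", "203.0.113.200"]),
    Lookup(600, 120, ["192.0.2.99", "198.51.100.200", "203.0.113.90"]),
]
STATIC_NAME = [
    Lookup(0, 86400, ["192.0.2.1", "192.0.2.2"]),
    Lookup(300, 86100, ["192.0.2.1", "192.0.2.2"]),
    Lookup(600, 85800, ["192.0.2.1", "192.0.2.2"]),
]

# Assumed thresholds (not from the page): short TTLs, many distinct addresses,
# spread over several /24s, and answers that change between queries.
MAX_TTL = 600
MIN_UNIQUE_ADDRS = 5
MIN_UNIQUE_NETS = 3
MIN_TURNOVER = 2


def summarize(lookups: List[Lookup]) -> Dict[str, int]:
    """Collect the raw signals: minimum TTL, distinct addresses, distinct /24
    networks, and turnover (addresses newly introduced by each later answer)."""
    uniq = {a for lk in lookups for a in lk.addrs}
    nets = {str(ipaddress.ip_network(f"{a}/24", strict=False)) for a in uniq}
    turnover = sum(
        len(set(later.addrs) - set(earlier.addrs))
        for earlier, later in zip(lookups, lookups[1:])
    )
    return {
        "min_ttl": min(lk.ttl for lk in lookups),
        "unique_addrs": len(uniq),
        "unique_nets": len(nets),
        "turnover": turnover,
    }


def looks_fast_flux(lookups: List[Lookup]) -> bool:
    """All four signals must trip: a host with a short TTL but a stable set of
    addresses inside one network does not pass, which keeps false positives down."""
    s = summarize(lookups)
    return (
        s["min_ttl"] <= MAX_TTL
        and s["unique_addrs"] >= MIN_UNIQUE_ADDRS
        and s["unique_nets"] >= MIN_UNIQUE_NETS
        and s["turnover"] >= MIN_TURNOVER
    )


if __name__ == "__main__":
    for label, obs in (("flux-like", FLUX_NAME), ("static", STATIC_NAME)):
        print(label, summarize(obs), "->", looks_fast_flux(obs))
```

Treat a positive result as a triage signal, not proof: large CDNs also answer with short TTLs and many addresses across networks, so the hit still needs the usual follow-up (who owns the address space, whether the hosts look like compromised residential machines, whether the NS records flux too).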

a) In my analysis, Flash versions prior to were not all vulnerable / According to FireEye they were [7]
b) Attackers connected back to a network with known RBN ties / The network happens to be in South Korea, part of APNIC (APNIC, therefore it must be China!)
c) Attackers changed from tried-and-true methods (htran, gh0st) to something else
d) Attackers, if they are the "Chinese APT", made their first known use of fast-flux DNS here
e) Attackers like to curse in English (see video)

When I say these points are contradictory, I mean it at face value. Beginning with a), FireEye's write-up appeared within days of the initial exploit. How many versions of Flash Player did they test to reach their conclusion? In the RSA video we clearly see multiple versions tried, and none are "exploited" with the consistency mentioned/tested by FireEye and others. In b), the correlation of RBN ties has been documented and proven as well [8,9,10,11,12]. In c), as a researcher it is very simple to get samples of malware. For APT-related samples, Contagio [13] houses a variety of malware used in APT attacks. None match the modus operandi (MO) of this RSA attack. The same goes for d) and e). A new modus operandi for the "Chinese APT"? I think not.

Also overlooked by others was the delivery method in the RSA attack. Few have reported that the initial e-mail came from a "trusted" source within their own network blocks. By this I mean that, according to the e-mail headers, the mail came from within their organization, or from someone trusted to relay mail through their network. It is possible that someone compromised a machine belonging to someone at RSA, then escalated the attack from a trusted host. This is fact, not speculation:

Received: from mail176-tx2 (localhost.localdomain []) by mail176-tx2 (MessageSwitch) id 1299170895355519_1400; Thu,  3 Mar 2011 16:48:15 +0000 (UTC)

Received: from mail176-tx2 (localhost.localdomain [])    by (Postfix) with ESMTP id A01071BD8396; Thu,  3 Mar 2011 16:48:15 +0000 (UTC)

Received: from ( []) by (Switch-3.4.3/Switch-3.4.3)
with ESMTP id p23GmF5F011742 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL);    Thu, 3 Mar 2011 08:48:16 -0800

Received: from phlspmx001.Beyond.local ([]) by phlspmx001.Beyond.local ([]) with mapi; Thu, 3 Mar 2011 11:48:06 -0500

Received: from ( by ( with Microsoft SMTP Server id; Thu, 3 Mar 2011 16:48:06 +0000

Received: from (unknown []) by (Postfix) with ESMTP id 508F11AB0050; Thu,  3 Mar 2011 16:48:15 +0000 (UTC)

Received: from ( by ( with Microsoft SMTP Server id; Thu, 3 Mar 2011 11:48:58 -0500

Received: from ( []) by (Switch-3.4.3/Switch-3.4.3) with
ESMTP id p23Gmuic019054    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);    Thu, 3 Mar 2011 08:48:57 -0800

Received: from ( []) by (Switch-3.4.3/Switch-3.4.3)
with ESMTP id p23GmoVu006577; Thu, 3 Mar 2011 08:48:52 -0800

From: "web master" <address obscured by the page's spam-protection script>
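To make the header reading above concrete, the following script (an added example for this write-up, not code from the original post) walks a Received: chain origin-first and tests whether the first hop falls inside the recipient's own address blocks. The message and the 192.0.2.0/24 "trusted" block are constructed; the hostnames and addresses stripped from the headers quoted above are deliberately not reconstructed. The check a practitioner applies alongside it: only the Received: lines stamped by MTAs you control are trustworthy, since any hop below the first external relay can be written by the sender, so an "internal origin" reading holds only when the bottom hop was added by your own server.

```python
"""Walk a mail's Received: chain from origin to final delivery and check
whether the first hop sits inside the recipient organisation's own address
space. Added example for this write-up, not code from the original post.
The message text and the trusted block are constructed for illustration;
they are not the RSA headers quoted on the page."""
import email
import email.policy
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: two internal relays above a webmail host. MTAs prepend
# Received: headers, so the newest is first and the origin hop is LAST.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10]) by mailbox.example.net (Postfix) with ESMTP id 1A2B3C; Thu, 3 Mar 2011 16:48:15 +0000 (UTC)
Received: from relay.example.net (relay.example.net [192.0.2.20]) by mx1.example.net (Postfix) with ESMTP id 4D5E6F; Thu, 3 Mar 2011 16:48:15 +0000 (UTC)
Received: from webmail.example.net (unknown [192.0.2.77]) by relay.example.net (Postfix) with ESMTP id 7G8H9I; Thu, 3 Mar 2011 16:48:06 +0000 (UTC)
From: "web master" <webmaster@example.net>
Subject: 2011 Recruitment plan

see attachment
"""

# Address space the recipient organisation treats as its own (constructed).
TRUSTED_BLOCKS = [ipaddress.ip_network("192.0.2.0/24")]

_FROM_RE = re.compile(r"from\s+(\S+)(?:\s*\(([^)]*)\))?", re.I)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
_IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_received(hdr: str) -> Tuple[str, Optional[str], str]:
    """Return (from_host, from_ip, by_host) for one Received: header value."""
    hdr = " ".join(hdr.split())  # collapse folded continuation lines
    m_from = _FROM_RE.search(hdr)
    from_host = m_from.group(1) if m_from else ""
    # The bracketed address is what the receiving MTA saw on the socket; the
    # bare 'from' name is only what the client claimed in HELO/EHLO.
    m_ip = _IP_RE.search(m_from.group(2) or "") if m_from else None
    from_ip = m_ip.group(1) if m_ip else None
    m_by = _BY_RE.search(hdr)
    by_host = m_by.group(1) if m_by else ""
    return from_host, from_ip, by_host


def chain(raw: str) -> List[Tuple[str, Optional[str], str]]:
    """Received hops ordered origin-first (the reverse of header order)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    hops = [parse_received(str(v)) for v in msg.get_all("Received", [])]
    return list(reversed(hops))


def origin_is_internal(raw: str, trusted=TRUSTED_BLOCKS) -> bool:
    """True when the origin hop's socket address is inside our own blocks.
    Caveat: hops below the first header stamped by an MTA you control can be
    forged by the sender, so apply this only to hops your own servers wrote."""
    hops = chain(raw)
    if not hops or hops[0][1] is None:
        return False
    ip = ipaddress.ip_address(hops[0][1])
    return any(ip in net for net in trusted)


if __name__ == "__main__":
    for i, (frm, ip, by) in enumerate(chain(SAMPLE_MESSAGE)):
        print(f"hop {i}: {frm} [{ip}] -> {by}")
    print("origin inside trusted blocks:", origin_is_internal(SAMPLE_MESSAGE))
```

Run it against a real message by reading the raw RFC 822 text into `chain()`; the interesting comparison is the origin hop's bracketed address against the HELO name next to it, and whether that hop was written by one of your own relays.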

We have no concrete connection to China as the attacker of RSA outside of an IP address and its association with APNIC, along with the correlation of a name (Linxder) with a Google search of that name. Yet at the same time we have concrete information about the origin of the domain used in the attack ( and its correlation with RBN networks [8,9,10,11] and with tactics known to be used by the RBN. In closing, we'd like to remind other experts [5], some of whom try to present themselves as "in the know," not to overlook their own "known knowns" [14]. Meaning: stop tilting the evidence to your own benefit. It is "known" - not assumed - that Russians once set up shop in China for spam [13] and then shifted to using Korean addresses [7,8,9,10]. These are the known facts brought to light by the same experts who turn around and tweak the same information into whatever is popular at the moment. Take this write-up how you'd like. RBN or China, if you ask me it's inconclusive, but it points more to RBN than APT.