[4] Hunter Eat Hunter


By nullmuse

What story should I tell you, lainon? A true one:

chattr +i ./*

And then I begin my collection. I can imagine his face, see the glint of cold sweat breaking out on his brow. He moves to stop me, to attempt damage control.

rm: cannot remove 'svchost.exe': operation not permitted
rm: cannot remove 'xiao': operation not permitted
rm: cannot remove 'xynsyn': operation not permitted

On and on. My scp command continues, pulling their entire toolkit home with me. I watch carefully, spamming process list checks in a separate window. What is he doing? Where will his panic lead him next? Will he disconnect me before I grab every RAT and exploit in their bag?

He doesn’t. I get away with everything. I fire off a recursive sed, bestowing amnesia upon every log file that ever heard of my IP address, and then kill -9 $$. My trace disappears, and I return home with my cargo.

I run honeypots for a hobby. Sometimes I hack back. This time around a target from China was setting up one of my pots as an exploit kit server. I watched carefully, monitoring his actions closely. I often assume the persona of the trapdoor spider – sensing the vibrations of a cricket mere inches above me. Monitoring, waiting.

Upgrading my server. Installing nginx. Modifying PHP scripts.

Then he creates a backdoor. A useradd command flashes past my terminal. A password.

A thought passes: Is this stranger stupid enough to reuse passwords? I connect to a Ukrainian hop point, and then ssh to the intruder.

user: root
password: hu@ng!!23

A pound sign greets me and I laugh. id. uname -a. ps -eaf. netstat -tunalp. ls -la.

A massive directory structure rises to meet me. Dozens of tools scroll past my screen – RATs, exploits, trojans, rootkits. Linux, Windows, Mac, Mikrotik. Food for reversing. A veritable goldmine for new techniques and adversary tactics.

id. Someone else is here.

I wonder what I would do in his situation, if he saw me? Delete everything. Disconnect the attacker. I cannot control the latter, so I recursively immortalize everything I see, and start grabbing. My adversary panics, a wonderful emotion, and I get away.

So here I am, tearing through Chinese malware with edb, vivisect, and bokken. These guys are good. Listening Post obfuscation, only discoverable through late nights staring at assembly. One RAT silences itself the moment Wireshark enters the process list. Rootkits modifying kmem. Flash exploits. Unknown ones.

I run honeypots. I like to catch the bad guys. But I don’t do it for the good guys. I just like to stay current.