Viewing a single comment thread. View all comments

JohnPlayerSpecia1 t1_j5zar0h wrote

website seizure is like confiscating business cards of a criminal.


JohnGillnitz t1_j5zdus8 wrote

Once malware gets onto a system it typically tries to contact a Command & Control (C&C) server for the attacker to really get in there and mess with things. The C&C server is usually hard coded into the malware, so if you take that down all the infected hosts that try to connect to it will remain inert. Much of this takes place over Tor traffic, so one of the best things a Network Admin can do is block all Tor traffic. For some reason that isn't a default.


HamOfWisdom t1_j5zhk70 wrote

I remember reading a story about how a hacker who made a banking virus later ended up solving a massive ransomware attack by simply obtaining the domain and routing it back to oblivion, essentially.

Probably skimming over a lot but it was a pretty interesting story. I think the channel Disrupttv (or maybe just disrupt) was who posted it. Fun watch, I'll find a link once I'm not at work!


arnielsAdumbration t1_j5znkdw wrote


ferrusmannusbannus t1_j63tnbn wrote

Damn, glad this kid didn’t get completely screwed. I remember those early hackforums days and people used to do wiiiiiiild shit on there.


Noocawe t1_j63yoso wrote

That's a great read, I had never even heard of this guy before. Thanks for sharing.


E_D_D_R_W t1_j5zxxv3 wrote

If the other commentor is correct and you're thinking about WannaCry, that's kind of the gist of it. The malware was hard-coded to only do its thing if it couldn't connect to a particular (previously unregistered) DNS domain. Thus registering that domain "triggered" the kill-switch and stopped any future infections of that version of WannaCry. Per wikipedia, later versions didn't have that vulnerability.


L00pback t1_j606gpu wrote

Oh god I hated wannacry. Self-replicating shit was a pain in the ass because lab owners don’t patch shit.


pegothejerk t1_j5zib92 wrote

Those websites are rarely run on the servers the malware points to, you'd have to be too stupid to write malware to point the drones to the same servers your public face was presented on for exactly this reason. It's the first thing feds can legally and technically take down.


JohnGillnitz t1_j5zjy46 wrote

I would guess that is what they actually mean when they say web site. It's pretty easy to find what IP address or domain they are going to from an infected host. They just don't go into that much detail in the article. One would hope. If it is just a web site, you are right. Taking it down wouldn't stop the malware and more of a badge of honor for the attacker.


[deleted] t1_j601132 wrote



dakotahawkins t1_j61jzaq wrote

AFAIK network admins are probably MITM-ing https traffic. I’ve looked into doing it at my house because you’d have to in order to set up a network-wide adblocker, but businesses do it because reasons. If they can’t MITM tor or similar, they could still use their MITM system to block unrecognized encrypted traffic, probably.


justmy2loonies t1_j62ablr wrote

You don’t have to mitm to Adblock. DNS filtering isn’t exactly mitm


dakotahawkins t1_j65eub5 wrote

Sorry for the delayed response.

Sure, but it's nowhere near as thorough. Some ads are served by domains you probably wouldn't want to blacklist, and otherwise you may want to block specific page elements like your in-browser adblocker does (or should).

If you MITM your own traffic you can do that kind of matching to block individual requests. Does that make sense? I had a raspberry pi running pihole for quite a while and when something broke with it I just gave up on it as I didn't feel it was buying me that much.


wasdninja t1_j6021k7 wrote

> For some reason that isn't a default.

Tor exists for the sole reason of not being easy to block. That might just be a reason.


L00pback t1_j6064kf wrote

Everyone worries about ingress traffic rules and never egress. A good network admin controls both for just this reason.


JohnGillnitz t1_j60dkod wrote

Yup. One of my clients got hit a couple of years ago. Nasty. We had all the security boxes checked at the time, but it got in anyway. Encrypted everything, which was the bad news. The good news is that we could check the router logs and confirm that none of the data had been exfiltrated. All attempts were blocked because Tor was blocked.
That sucked, but we were able to recover everything from offline backups. Even the delta from them was recovered when a decryption tool became available a couple of months later. We didn't have to go out and get a credit monitoring service for the entire customer base, which would have bankrupted the place.


Stinkyclamjuice15 t1_j61z4rp wrote

Thank you for having a huge pair and working infosec, that shit seems really stressful king


Xivvx t1_j602sye wrote

If it isn't normal, it should be. I know everything is going all zero trust and all that, but the perimeter is still important.


xCryptoPandax t1_j62m2ik wrote

That’s highly inaccurate, idk why that’s gotten so many upvotes.

Most malware use sketchy top level domains ex.) .xyz .makeup .me, etc not to mention most ransomware gangs compromise legitimate sites and host malware on them in order to bypass new domain creation and add that level of legitimacy.

One indicator for a ransomware gang which I think is actually this one was official government sites of Texas after they themselves were victim of ransomware.

Source: I work Incident Response


JohnGillnitz t1_j62vyqs wrote

I'm not sure how what I said was any different from what you said. No matter if they use an IP address or domain, those C&C servers are still set at the time of deployment. One of the first things they do is phone home (or homes) and get an updated list of C&C servers. That still leaves them dependent on reaching a limited number of sites that can be shut down effectively killing the that variant of the malware.
Do you live in Corpus and drive a Tesla? We may have met.
Edit: The CISA notice with the deets:


itsthebeans t1_j5zynqv wrote

Do you really think the FBI is so clueless as to try to stop a ransomware gang by simply shutting down a web domain? Or do you think there might be more to the story than the headline suggests?

Click the link and read even the first sentence if you really want to know.


Supanini t1_j608j3p wrote

He’s got top comment, his jobs done here


wizardbase t1_j60o7i2 wrote

>Wray said the FBI would continue to track the people behind Hive ransomware and try to arrest them. It was not immediately clear where those people were located. The Department of Health and Human Services has descried Hive as a “possibly Russian speaking” group.

Should read the last sentence too, they didn't catch shit


DuckDuckJeeper t1_j68yalc wrote

Exactly. You don’t “shut it down” until you’ve deployed your real assets……


PGDW t1_j606c0j wrote

If it were just their popup webpage, okay. But it's not.

Typically when they seize a domain or ip or server, they are stopping the malware from functioning properly as most these days phone home, and in this case can hopefully provide some decryption keys back to some victims.


Manny-Both-Hanz t1_j5zi5qr wrote


Kriegmannn t1_j5zwgrh wrote

I dont get it


E_D_D_R_W t1_j5zyxxl wrote

The joke is that the servers with the CIA's public-facing webpage are almost certainly completely separate from their servers with the intel they collect or any other relevant info, i.e. gaining control of the former would get you no closer to the latter.


zakabog t1_j60bb2j wrote

Imagine someone got the password to your Facebook account. They have no access to your PC whatsoever. They didn't hack into your computer and they have no access to your files or banking information, they just have access to post things on your Facebook. Same thing here, the CIA public facing website is not on the CIA network, it's an external service.


tronpalmer t1_j60m6tp wrote

That's really not true. Especially for ransomware or botnets.


TzarKazm t1_j5zg5e8 wrote

But they would have to come up with an entirely new unique email name in order to be able to create a new website! Unless they use another hosting site.