If you follow my posts you have likely read some of my posts on malware reverse engineering or forensics. If you did, you'll know I am big on standards and telling folks how I come to a conclusion. Why? Well I like to have others verify that my assumptions and research makes sense, are validated and are as neutral as they can be under the circumstances and data I can collect in a given situation and time frame. There is always a tradeoff between reporting in near real time and details I can collect and analyze until then to be as sure as possible. Mistakes happen but they are never premeditated. It is an interesting place to be at the very least... Anyway to the topic at hand...

I have an honor code I do my best to adhere to. Some of the rules of this code are:

Do no harm

Report the facts as best as possible

Don't report old malware as new (unless there are new components that avoid detection and new modules)

Don't sell snake oil or be a FUD'er (Fear, Uncertainty, Doubt)

Use standards and explain what you are using to customers and partners

If you have followed some of my posts (or all of them) you will (hopefully) find an entertainingly "right to the point" piece of writing that doesn't assume I (the author) know everything and everyone else is dumb (because I don't claim to know everything; I learn more each day). Thinking I am smarter than everyone else goes against my beliefs in a big way. I refuse to believe business is not ethical; there are regulations, laws and a code of honor all businesses MUST follow in order to have a justification to sell security services, products, training and consulting. If these companies are engaged in malware research and "cyber" security then they have this as a standard above all and everything else!

You may be wondering "what the heck are you talking about, 1D1oT?" ;-) I'll explain what I mean right now. There are multiple companies out there that "sell" customers on new threats that are in fact old and not modified, attempting (I believe) to get market share by using information in a very misleading way. This has to stop. It's not honest and it hurts those of us who really do the work and research. So now on to the actual topic.

I work with and for a worldwide network of community-based security researchers; we look every day for new viruses, malware and "electronical nasties" (cyber warfare, espionage and crime). I use standard tools (IdaPro, VMs, Volatility, etc.) that I can explain, teach and use in normed ways. I use NIST CSF, ISO 27001, etc. as a baseline for how I do things, along with forensic science. Why? Well, for starters, because it's published, anyone can verify and check it, and it uses a specific approach to collecting and analyzing data or evidence and to making decisions and assumptions based on it. This is a crucial aspect for all of you that buy "cyber" security services, consulting and products. Always ask yourself what standards your products and services are using.

In the process of doing this work for literally thousands of hours you learn things and signs that either add up, don't add up or require more analysis as a team in order to create the final picture. Sometimes malware is so advanced I need to ask friends to help me out; other times it is so simple and easy that kids can literally find it and understand it. In the latter case, when I stumble across reports that look fantastic and spectacular, I really dig down into the details because I want to help protect my customers and partners from the new cyber threat. As I do this preliminary research and verification I usually compare code samples to find out if something is new; if there is, I will give that "threat" a new name. It may be based on something old (which I will also state), and then I say how the new piece has additional modules and attack patterns, and piece together the IOC information I need to publish and pass on to other partners in the community. Sometimes, though, I find bad apples or wannabe companies that rehash something old as something new; if they have done no new research and have no new samples that prove the point, then I dig even deeper. This has happened in the cases below.

I was asked to verify certain claims of a nation-state based campaign (or at least it was given to the press that way). In this case I asked myself what level of data and evidence quality was being used, collected and analyzed by the researchers or publishers of these specific cases, specifically IBM/Trusteer/X-Force's malware reporting and research in the following reports:

Actually ROVNIX (Konnichiwa), a piece of malware that is not only older but also known in the security community for targeting countries in a round-robin attack pattern, does not indicate that it specifically targets any one nation. So it's a stretch (TBH) to call this a "campaign" against Japan or any specific country, because that's just how the virus/malware has worked since it's been sighted in the wild. I would suggest that IBM/Trusteer/X-Force cut the drama of saying this and other malware are "specifically targeting" a specific country when the evidence and data do not back that assumption up. Japan has its share of attacks like every other country; currently there is no evidence to back up the claim that Japan is being specifically targeted any more than other countries (if I made a mistake then I am more than willing to check the evidence to the contrary). Shifu (first sighted in the UK in 2014, not 2015) was in fact originally found in England and not Japan as the report suggests. I am wondering how the researcher backs up the claim that this is targeting Japan "specifically", and why?

These examples are very worrying for me, and others in the community see this the same way. While I agree awareness is a great thing, spreading FUD is not awareness; it is also not good for society, good for you or good for the community (it's actually very harmful and insidious). The difference lies in what your goal is for spreading news or information about something. If you are "assuming" something then it's an assumption (not a fact). If your assumption harms a local economy or country, well, some "could" consider this a form of cyber (economic) terrorism and not legitimate threat intelligence.

In conclusion, Japan has had its share of attacks before 2015, and the specific reports are in most cases about older malware, not new malware unique to 2015 (they actually admitted this before). There are no credible neutral reports based on forensically solid evidence showing that the reports actually prove a targeted campaign against Japan (in this case), and the malware is also certainly not new. I (personally, in my own opinion) find this very unprofessional, (maybe even) unethical and certainly asinine (if the reports do not show really new versions of old malware that has been around since 2009 in some cases). In the case of Japan, they deal with malware like any other nation. If I want to say the above samples "are" a targeted campaign, I challenge and expect IBM/Trusteer/X-Force to submit its data to the community, where we will look at the data in a neutral manner and determine "if" it is new malware, "if" the evidence supports a nation-state sponsored and sustained targeting campaign, and "if" it was collected in a manner that is neutral, unbiased and verified by third parties using published and court-approved forensic analysis. If not, well, it's not really of much value to me as a researcher...

So why should I even write this post to begin with, you may ask? Well, everyone "says" they are "cyber" experts. Many (I am finding) have no real clue what they are talking about. Some companies "sell" reports as new malware versions when the facts (a recent trend) point to the opposite (aka old threats reported as new attacks, or totally wrong conclusions based on circumstantial evidence or incorrect interpretation). Many companies "say" they understand Threat Intelligence (as more than hooking up network sniffers or honey nets); in truth "most" do not, because that's not their focus. Threat Intelligence has become the new Anti-Virus of tomorrow, with lots of offers, not many standards, and customers wondering who to trust, how to assess the solutions and who the right partners are. The right partners don't need to sell "old", unmodified malware as "new". The right partners don't claim someone else's research as their own. The right partners do what they do because they are dedicated and passionate about it and want to do great work. The right partners collect data in a communicated and forensically solid manner that is compliant with forensic principles. It's time the snake oil charmers, charlatans and trend seekers get the message. Don't spread BS, do the work, give credit where it's due, and publish information and research correctly.

DISCLAIMER: This is my opinion based on reports I read published by the companies mentioned; the conclusions are based on attack data I collected from various sources like CERTs, governments, agencies and open-source threat feed information, as well as my own honey-net. If you disagree with this post I welcome neutral data and am more than open to a neutral interview from the BSides community or security research community to discuss the reports in detail. I in no way have been paid by anyone to write this, I do not profit from any competitor of the companies listed, and I am not accusing anyone of anything. I am stating the results of my analysis, which I rechecked with the countries involved and the malware samples I compared.

Your 1D1oT (Security Noob)

P.S. I don't feed trolls, so don't bother commenting and expecting an answer if you are a troll.