429 points by mooreds 5 days ago | 11 comments
  • Lammy 5 days ago
    To avoid my comment being entirely a terminology nitpick I will say this is very cool work that I would be too afraid of CFAA to ever attempt. Especially funny to see four parasites on one government domain. Do skiddies not excise other skiddies' backdoors when pwning systems so they can have them all to themselves?

    > We then hooked that up to the AWS Route53 API, and just bought them en-masse. Honestly, it’s $20, and we’ve done worse with more.

    > We’re incredibly grateful for the support of The Shadowserver Foundation, who have agreed yet again to save us from our own adventures and to take ownership of the domains implicated in this research and sinkhole them.

    I wish we could collectively stop using the terms “buy” and “own” with regard to domains. Try “leased” or “rented”. If they could be bought then they wouldn't have been available again for this exercise.

    • judge2020 5 days ago
      What would buying even mean in this sense? Even countries don't "own" their ccTLDs, but ICANN has made considerable efforts to outline policies that go "we really need to treat ccTLDs like the countries own them to avoid tensions over internet namespaces". That's why most gTLD rules don't apply to ccTLDs.

      Countries "own" their ccTLD in the sense that they (or most) have the military prowess to defend their usage of their ccTLD if ICANN, or the servers at root-servers.net, were to stop resolving TLDs appropriately.

      • NewJazz 5 days ago
        The root servers hold the real power, and IIRC over 50% are operated in the US, with many of them being operated by the US military and others by educational institutions.

        I can only assume that the US has tolerated varied use of ccTLDs for the sole purpose of avoiding a competing alternate DNS root zone becoming more prominent.

        • preciousoo 4 days ago
          I’m sure the NSA does their best to make sure the US doesn’t politically fuck that up
        • croemer 5 days ago
          But root servers aren't a democracy, are they? If US root servers went bonkers, people would just use different root servers. Doesn't matter whether it's 50% or 90% that are in US if they can be ignored?
          • NewJazz 5 days ago
            Yeah that's the point. If US acted up, and pressured other operators to follow suit, the root zone could split up. They don't want that to happen.
      • BobbyTables2 5 days ago
        DNS is then a weapon of mass destruction
    • awwaiid 5 days ago
      All property, physical and digital, is rented if you squint just right.
      • noduerme 5 days ago
        I'm curious if this is a socialist lament about landlords or a libertarian complaint about governments.
        • lazyasciiart 5 days ago
          Maybe it's an existential comment about the fleeting existence of life.
          • noduerme 17 hours ago
            That was actually the first way I squinted at it, and it doesn't have to be existential - the lack of ownership in the fourth dimension is stated well in most religions. But for some reason I doubt they meant it that way.
        • nightpool 5 days ago
          I think it's just acknowledging the reality that property is a social construct, one that's created by the social contract.
          • mathieuh 5 days ago
            Well, Rousseau himself would say property is theft in not exactly those words

            From his discourse on inequality

            > The first man who, having enclosed a piece of land, thought of saying "this is mine" and found people simple enough to believe him, was the true founder of civil society. How many crimes, wars, murders; how much misery and horror the human race would have been spared if someone had pulled up the stakes and filled in the ditch and cried out to his fellow men: "beware of listening to this imposter. You are lost if you forget that the fruits of the earth belong to everyone and that the earth itself belongs to no one!"

            • short_sells_poo 5 days ago
              Ultimately it comes down to force. The person with the pointiest sticks will likely be able to enforce their view about ownership over others.

              Taken quite literally, property is armed theft from the commons I guess. Unfortunately, it's tricky to do otherwise in a loosely organized swarm of barely tribal actors, because any peaceful society based on shared ownership will be prone to exploitation by malicious actors. It's basically a very large prisoner's dilemma: the global optimum would be to abolish private property, but as long as there are (enough) people around to exploit the situation for their own benefit (and to the massive detriment of everyone else), we have to stick to a sub-optimal system where everyone is worse off than the optimum.

              • noduerme 17 hours ago
                How would the global optimum be to abolish private property when you just stated that without it we live in a swarm of barely tribal actors?

                The alternative to large-scale force is small-scale theft. Which is not so small-scale when you multiply it across every village and province. Ever been in the middle of a full social breakdown? Or a riot? Anyone who's seen what actual anarchy looks like would beg for some sort of order, even if it has to be imposed by force. It requires a very sheltered understanding of how the world actually works to think that anything good will come from unleashing chaos.

              • nightpool 4 days ago
                > Ultimately it comes down to force. The person with the pointiest sticks will likely be able to enforce their view about ownership over others.

                This is a common but simplistic view that ignores e.g. concerns about popular legitimacy and support that often lead to the downfall of strongman regimes. Many people think they can enforce their views of ownership over others, but find that it's not quite that simple when they try to put it into practice. That's why I mentioned the social contract.

              • robertlagrant 5 days ago
                > the global optimum would be to abolish private property

                The Soviet Union had this I believe, at least with buildings, and it didn't necessarily work out optimally.

                • short_sells_poo 5 days ago
                  Certainly, and to be clear I'm not arguing for communism as a realistic system. It would be ideal in an ideal world without greed and selfishness. As long as those exist, we need to have a system that functions when the individual actors place their own interests far above the interests of others.
                  • foobarbecue 5 days ago
                    I like to think of it biomimetically. Organisms and ecosystems have both competition and collaboration at every level of organization.

                    If I were to design a government from scratch I think it would actually be relatively easy to know what's best nationalized and what's best privatized. Nationalize the things that you do not want to be driven by the profit incentive because they need to be fair and accessible to all (mass transit, healthcare, utilities, communication networks, science), and privatize everything else (entertainment, retail, food, services).

                    • throw5673985 4 days ago
                      > privatize everything else [including] food

                      yet:

                      > Nationalize the things that [...] need to be fair and accessible to all

                      Should food be accessible to all?

                      Or is food production privatized because market economies more accurately meet consumer demand?

                      • short_sells_poo 4 days ago
                        Food is tricky. The food supply is one of the highest national security concerns IMO. Free market proponents love to go about saying that growing food should be left to countries and regions who do it well (due to climate and infrastructure), but if your country cannot grow enough food to supply its own citizens' basic calorie needs, you are literally living on borrowed time. If the food supply is cut off for any reason, things go down very, very rapidly and the government has days, if not hours, to sort things out before things descend into chaos.

                        At the same time, governments do not have a good track record of running the food/ags industry. I guess a system where the government heavily subsidizes it and incentivises domestic production, but lets farmers do their thing is probably as good as we can do?

                        • noduerme 17 hours ago
                          Countries that allow markets to control food prices have a far better track record of not starving, spiraling into hyperinflation, and losing wars than do countries which attempt to regulate food prices.
                        • robertlagrant 4 days ago
                          > Free market proponents love to go about saying that growing food should be left to countries and regions who do it well (due to climate and infrastructure),

                          I think this is globalism rather than free market.

                    • noduerme 17 hours ago
                      I agreed with your first statement about competition and collaboration both being necessary. But if you extend that over time you see that those states in nature exist in a state of endless conflict, not in parallel. So in the realm of governing economies (democratically or otherwise), one of the most unfortunate but profitable outcomes of the human desire to oscillate between competition and collaboration is to be something like Argentina: Nationalize those things you want to be fair and accessible every 10 years and then privatize them again every other 10 years. This way, each new generation can lean capitalist or communist and make a killing by raiding whatever wealth was built by the previous generation in the name of fixing the system. Because after all, neither system is real. Both are just ways to paper over the fact that each new generation of young people are animals who kill their parents.
            • foobarbecue 5 days ago
              Wow, he sure can write! Proudhon literally wrote "property is theft" (see my other comments).
              • mathieuh 5 days ago
                I'm aware, I was quoting Rousseau because the person I was replying to mentioned the social contract which was an area of particular concern for Rousseau. I would recommend reading Rousseau's Discourse on Inequality if you're interested, it's very accessible.
        • SkyBelow 4 days ago
          Maybe a deeper truth that is harder to put into words but which feeds into both of them. Something captured in much higher dimensional concept space that, when forced into our 3D world (and our <whatever>D political discussion space), looks like a sphere in one projection and a cube in the other, but which is neither.
        • short_sells_poo 5 days ago
          I tend to think it is neither of those, but meant very literally. For that reason I like it and I think it's an interesting subject.

          What is ownership after all? The universe does not seem to have any form of ownership embedded in its fundamental laws. If ownership is a human construct, then it is only meaningful insofar as a group of humans agrees on it.

          I can stroll up to the White House and declare that I own it, but I'll struggle to convince a sufficient number of other people that this is true. If I can't assert my ownership, then I don't really own it, do I? It doesn't matter whether it is just, or fair (again - purely human constructs), ownership only matters if it can be enforced.

          Being a human construct, it is also by definition temporary. It is only valid as long as humans are around to enforce it, and humans are fleeting. Humanity might endure, but there's no reason to think we are going to be around for eternity.

          So it looks like ownership is not only temporary, but it is also fickle. People routinely disagree on ownership and are willing to kill or be killed for asserting their claims.

          It looks like neither the communists nor the libertarians are in the right. Things will be owned by whoever has more pointy sticks :D

          • noduerme 17 hours ago
            It's not a human construct. If you have ever spent time around a cat, you can understand ownership completely without any legal constructs. What we as humans are somewhat proud of, or the definition of civilization, is that we spend most of our time trying to create systems to define boundaries and property rights without resorting to violence. Those systems can be fair and well-distributed or unfair and hereditary, or somewhere in-between; they inevitably hand over the violence to some arbiter or government (whether market-driven or communist dictatorship, it's the same in terms of a structure enforcing who gets what, even if the incentives and dynamics are skewed); but the point is that we code them into law so that any arbitrary cat can't just post up inside another cat's borders and terrorize the house.

            The point of PROPERTY writ large isn't the piracy or acts of violence that people here make it out to be. Property doesn't arise from the law. Legal frameworks arise from the existence of property. And legal frameworks are an unadorned good in a world without them, because normal, domestic, and peaceful life does not exist where laws don't exist.

          • robertlagrant 5 days ago
            > Things will be owned by whoever has more pointy sticks :D

            That sounds like the feudal or socialist systems. Isn't one of the points of modern democracies that we have the pointy sticks for outside invaders, and a legal system that replaces the system of internal-facing pointy sticks with an economic system and a justice system?

            • krapp 5 days ago
              No. All systems of law, regardless of their "democratic" nature, are based on the principle of the state's monopoly on violence, and that violence is always directed towards the citizenry.

              No matter how civil your society may seem, resistance to the state will eventually mean you get shot or beaten with truncheons.

              • short_sells_poo 5 days ago
                Exactly. Democratic and highly civilized countries still enforce property rights with pointy sticks. They maintain their claim on their territory against outside invaders with the army, and internally they enforce the laws of ownership using the police.
        • foobarbecue 5 days ago
          Property is theft from the state
          • noduerme 5 days ago
            A curious assertion, considering that the protection of private property and enforcement of contracts is one of the foundational reasons for the existence of most modern states.

            Stop me if I missed the sarcasm.

            • foobarbecue 5 days ago
              This was intended to be a wry comment referencing a communist idea that has always tickled my brain. Somehow I had it in my head that Marx said this (probably because of another joke-- "why did Karl Marx only drink herbal tea? Because proper tea is theft").

              Checking my facts now, I see it was actually Proudhon, not Marx (although Marx did discuss the idea here: https://www.marxists.org/archive/marx/works/1865/letters/65_..., but seems to say it has a self-reference problem, and seems to delight in insulting Proudhon).

              I think the "from the state" part is an accidental addition either of my own or from whoever explained the "proper tea" joke to me the first time. I just thought it always referenced the extreme philosophy that all property should be communal and therefore private property was theft from everyone, or equivalently from "the state".

              • noduerme 16 hours ago
                Hah! I love the proper tea joke. Hadn't heard that one.

                Extreme philosophy or not, I reject the idea that "everyone"=="the state". Most (all?) states which confiscate property in the name of "everyone" don't distribute it fairly anyway, so it's all a bit of a sham. Even if it wasn't, I still don't fancy having the 7 or 8 drunks I know at the local bar showing up to sleep on my floor, shower in my toilet and claiming it in the name of everyone, or the state, or whatever. Screw those people.

              • robertlagrant 5 days ago
                Drinking tea is in itself an act of theft - he drank that tea and now no-one else can drink it.
        • hhh 4 days ago
          what's the difference?
        • sgjohnson 5 days ago
          I read it as a libertarian complaint about governments.

          i.e. own real estate? Try not paying the property tax on it, and see who really owns it. :)

    • bell-cot 5 days ago
      > I wish we could collectively stop...

      That's a "feature" of human nature and English. People say "my car" and "my phone number" when those are leased. "My house" when they have a new zero-down mortgage. And all sorts of other conceptual contractions - with the messier reality assumed to be common knowledge. Or just irrelevant to the point at hand.

    • TacticalCoder 5 days ago
      [dead]
  • fn-mote 5 days ago
    I loved this write up. Light-hearted. Conscious of the impact of any disclosure. Everything substantiated, but not taking themselves too seriously. Enjoyable read, and at the same time talking about a serious issue.
    • ipdashc 5 days ago
      Thank you for putting it in words. I felt the same way, both about this and the writeup for their previous .mobi thing. Well explained with plenty of context, no buzzwords, light hearted and cool (while not trying too hard to make themselves sound cool), and plenty of substance with no fluff. A lot of blog posts or security write-ups violate some of these; this is a breath of fresh air.
    • taspeotis 5 days ago
      I also loved the appearance of WordArt, shame they did not do the rainbow one.
  • Thorrez 5 days ago
    I wonder what would happen if they exploited these webshells' backdoors to delete the webshells...
  • croemer 5 days ago
    I'm not sure I understand this correctly:

    > This is a line of CSS, specifying that the ‘menu’ style should fetch a background image from the given URL. On loading the page, the web browser will attempt to fetch the specified .gif file from the w2img.com server.

    > Note: Disclosing just the domain in referrers is a relatively recent browser change, and indeed attackers using older browsers were sending us full shell URLs.

    In particular re "attackers using older browsers": haven't the (original) attackers taken over the _server_ that's serving the CSS and the browser belongs to unsuspecting _users_ of the pwned server? Isn't it wrong to say the attackers use the browsers then, as the browser is used by a victim?

    Under which circumstances would _attackers_ be using a browser? I can't make sense of this.

    • TazeTSchnitzel 5 days ago
      A webshell is a page (typically a .php file) uploaded to a site by an attacker after a compromise (e.g. an RCE), which is then used by an attacker through their browser to perform further actions on the compromised webserver. These premade webshell files however have been made by other attackers and come pre-compromised with a backdoor. In this case the CSS in the webshell makes the attacker's browser snitch the webshell's location to a domain controlled by the author of the webshell.
      • croemer 5 days ago
        Thanks that makes sense, not sure how I could miss that.
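The referrer leak TazeTSchnitzel describes is what the domain's new holder (here, the researchers and later the sinkhole operator) sees on the receiving side. As an added example that is not part of the original post or of watchTowr's tooling, the Python below parses constructed Apache combined-format access log lines for the beacon image, groups hits by referring host, and records whether each referrer disclosed only the origin (the modern browser default the article's note refers to) or the full shell path (older browsers). All hostnames, IPs and paths are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Apache "combined" format: each line is a request for the
# beacon .gif that a backdoored webshell's CSS pulls in. The quoted field after
# status/size is the Referer header, which names the page that embedded the CSS.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:14:02:11 +0000] "GET /images/logo.gif HTTP/1.1" 200 43 "https://court.example.invalid/" "Mozilla/5.0 (modern)"
203.0.113.7 - - [10/Jan/2025:14:02:15 +0000] "GET /images/logo.gif HTTP/1.1" 200 43 "https://court.example.invalid/uploads/cache.php" "Mozilla/5.0 (old)"
198.51.100.9 - - [10/Jan/2025:14:05:40 +0000] "GET /images/logo.gif HTTP/1.1" 200 43 "-" "curl/8.0"
198.51.100.9 - - [10/Jan/2025:14:06:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 43 "http://shop.example.invalid/tmp/x.php" "Mozilla/5.0 (old)"
"""

# Field layout of the combined log format (no named fields beyond what we use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_referer(referer):
    """Return (host, leak_level).

    leak_level is 'full' when the referrer carries a path or query (the shell's
    exact location), 'origin' when only scheme+host were sent (what a current
    browser's default referrer policy discloses cross-origin), 'none' otherwise.
    """
    if not referer or referer == "-":
        return None, "none"
    u = urlsplit(referer)
    if not u.netloc:
        return None, "none"
    path_present = u.path not in ("", "/") or u.query
    return u.netloc.lower(), "full" if path_present else "origin"


def summarize(lines):
    """Group beacon hits by referring host, noting any fully disclosed shell paths."""
    summary = defaultdict(lambda: {"hits": 0, "full_paths": set(), "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, level = classify_referer(rec["referer"])
        if host is None:
            continue  # direct fetches (e.g. curl) carry no referrer and tell us nothing
        entry = summary[host]
        entry["hits"] += 1
        entry["ips"].add(rec["ip"])
        if level == "full":
            entry["full_paths"].add(urlsplit(rec["referer"]).path)
    return summary


if __name__ == "__main__":
    for host, info in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        # Only the host is needed to notify the site owner; a full path is a bonus,
        # not a requirement, which is why origin-only referrers still suffice.
        print(host, info["hits"], sorted(info["full_paths"]))
```

The hosts in the summary are the ones to pass on for notification; the IP set distinguishes one operator visiting several shells from several operators visiting one.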
  • croemer 5 days ago
    > with the hopes of painting a paint a clear picture.

    Typo: "a paint" is superfluous

    > Taking a look through the results for high-value domains within our referrers, we the following stood out like a shining beacon:

    Typo: superfluous "we" in "we the following"

    > Atleast there will be memes on the record, and an awkward explanation of a raccoon.

    Typo: "Atleast"

  • busymom0 5 days ago
    Slightly off topic but what's going on with the font for the "y" character in this article? It sticks out like a sore thumb.
    • 8organicbits 5 days ago
      I find this sort of thing bothers me often enough that I've disabled downloadable_fonts. I think of the web as a place where I read things, so custom fonts that hurt readability are undesirable. I get why designers want a unique style, but I rarely want that as an end user.
    • sosborn 5 days ago
      • roygbiv2 5 days ago
        Wow what is going on with that website.
        • lioeters 5 days ago
          I guess it's "Brutalism" or something, but I had a physical revulsion to the entire site design and all their fonts. It's so ugly it's almost charming.
          • yencabulator 4 days ago
            Brutalism is a form of unapologetic minimalism, specifically the kind that does not spend effort covering up structural components.

            Adding visual crap and animation isn't minimalism at all.

      • busymom0 5 days ago
        Looks like the font provides an "alternative y" which looks normal. But the default one has that ugly broken look.
      • alt227 5 days ago
        That website had me in tears of laughter.

        From the amazing picture at the top, to the hand offering cookies, to the over the top shaking and spinning of everything on hover. This is one funny website.

    • npteljes 5 days ago
      I think some fonts do this so that they have a distinguishing feature. Fonts seem to be a very saturated market, so this might help being noticed in a crowd of sameness and copycats, and many people don't look at a font otherwise either, even people who use them in designs.

      I think the sticking out part is supposed to irritate somewhat, but it still needs to make some sense, like a hot take. I noticed some online personalities use the same strategy with pronunciation, consciously and consistently mispronouncing specific words or playing up their accent. Media analysts also recognize verbal tics as a trope, for similar effect.

      Back to fonts, another site that I remember using a similar thing is the Genius lyrics site. For a long time, while establishing their presence, they used the square character forms from the Programme font, which you can see on my link. They still use Programme, but have used the normal forms for some time now, presumably because it was indeed irritating and it hurt legibility.

      https://www.typewolf.com/programme

      • pessimizer 4 days ago
        If you can't compete on quality, you compete by being difficult to compare to better things.
        • npteljes 4 days ago
          I think this is too cynical to be true. I brought up saturation and uncare of primary users (designers) specifically to address that quality is not enough. You put your heart and 1000 person-hours into a lovely font, but many will still opt for whatever ships with their OS or design tool. Quality is simply not enough, and sometimes doesn't even enter the picture, very similarly to creative work - for a musician, talent itself does nothing. Same for well-written code for software engineers - nobody cares, maybe only themselves in the future. Software achieving business goals, and being well written or by brilliant people, are two different things, with very weak correlation.

          Usually the recipe for success includes good quality / talent, sure. But it also usually includes something that is markedly different from others. People, searching for this distinct something, can seem tryhard, or just throwing sh!t at the wall, to see what sticks - and maybe they are - but they are also doing something that's an organic part of the road to success.

          A font-related example that might be easier on the eyes could be Fira Code. One of the immediate distinguishers is the ligatures. Check it out if you haven't already, it's quite neat, and it was the talk of the town for quite some time.

  • pea 5 days ago
    Blast from the past seeing h0no mentioned.. Brings me back to days of darpanet/m00/#darknet/dikline
  • croemer 5 days ago
    I wonder why they redacted almost all domains but the Federal High Court of Nigeria's? It's not mentioned explicitly, so I hope they did responsible disclosure.
  • m3kw9 4 days ago
    Should be called front dooring your backdoor
  • 1oooqooq 4 days ago
    so, it was 99% based on dns hijack, but he says nothing about how it was done?
    • aneutron 4 days ago
      Have you actually read the article? He explains everything in sufficient detail. He didn't "hijack" the DNS records, he bought the ones that were expired and available.

      The only thing he doesn't explain (for obvious reasons) is how he found the shells online (because, as he puts it, they fell off the back of a truck).

      • 1oooqooq 4 days ago
        they do mention the dns is still owned by advertising agencies' fronts...
        • aneutron 4 days ago
          Yes, but they did not touch that DNS specifically.
  • Its_Padar 5 days ago
    Technically this is a dupe as this has been submitted twice before in the last week

    https://news.ycombinator.com/item?id=42658405

    https://news.ycombinator.com/item?id=42633273

    • blendergeek 5 days ago
      It only counts as a dupe if it received discussion/upvotes last time.
    • catoc 5 days ago
      The first link is also watchtwr, but a different post