Backdooring Your Backdoors – Another $20 Domain, More Governments
labs.watchtowr.com234 points by mooreds 7 hours ago
234 points by mooreds 7 hours ago
To avoid my comment being entirely a terminology nitpick I will say this is very cool work that I would be too afraid of CFAA to ever attempt. Especially funny to see four parasites on one government domain. Do skiddies not excise other skiddies' backdoors when pwning systems so they can have them all to themselves?
> We then hooked that up to the AWS Route53 API, and just bought them en-masse. Honestly, it’s $20, and we’ve done worse with more.
> We’re incredibly grateful for the support of The Shadowserver Foundation, who have agreed yet again to save us from our own adventures and to take ownership of the domains implicated in this research and sinkhole them.
I wish we could collectively stop using the terms “buy” and “own” with regard to domains. Try “leased” or “rented”. If they could be bought then they wouldn't have been available again for this exercise.
I loved this write up. Light-hearted. Conscious of the impact of any disclosure. Everything substantiated, but not taking themselves too seriously. Enjoying read, and at the same time talking about a serious issue.
I wonder what would happen if they exploited these webshells' backdoors to delete the webshells...
If you're the FBI (and maybe also have a court order), you can do this [1]. If you're a grey hat hacker in Russia, you can maybe do this [2]. If you're a random person in the US, you're likely exposing yourself to a lot of (CFAA) risk.
As the authors of this post note, they were careful to only receive + log traffic and not otherwise send interesting responses/engage with the webshells.
[1] https://www.malwarebytes.com/blog/news/2024/02/fbi-removes-m...
[2] https://www.zdnet.com/article/a-mysterious-grey-hat-is-patch...
Slightly off topic but what's going on with the font for the "y" character in this article? It sticks out like a sore thumb.
I find this sort of thing bothers me often enough that I've disabled downloadable_fonts. I think of the web as a place where I read things, so custom fonts that hurt readability are undesirable. I get why designers want a unique style, but I rarely want that as an end user.
I think some fonts do this so that they have a distinguishing feature. Fonts seem to be a very saturated market, so this might help being noticed in a crowd of sameness and copycats, and many people don't look at a font otherwise either, even people who use them in designs.
I think the sticking out part is supposed to irritate somewhat, but it still needs to make some sense, like a hot take. I noticed some online personalities use the same strategy with pronunciation, consciously and consistently mispronouncing specific words, play up their accent. Media analysts also recognize verbal tics as a trope, for similar effect.
Back to fonts, another site that I remember using a similar thing is the Genius lyrics site. For a long time, while establishing their presence, they used the square character forms from the Programme font, which you can see on my link. They still use Programme, but use the normal forms for some time now though, presumably, because it was indeed irritating, and it hurt legibility.
It's the font design: https://abcdinamo.com/typefaces/favorit
Looks like the font provides an "alternative y" which looks normal. But the default one has that ugly broken look.
Technically this is a dupe as this has been submitted twice before in the last week