Skip to content
Naked Security Naked Security

Return to sender: military will send malware right back to you

'The threat could be a large nation-state or a 12-year-old' - so is weaponizing malware and sending it back the right tactic?

Planning to weaponize malware against the US? The US military will grab it, reprogram it and send it right back to you, warned lieutenant-general Vincent Stewart of the US Defense Intelligence Agency last week.

Once we’ve isolated malware, I want to reengineer it and prep to use it against the same adversary who sought to use against us. We must disrupt to exist.

Stewart was speaking at the Department of Defense Intelligence Information System Worldwide Conference, which includes commanders from American, Canadian and British military intelligence.

Attendees included the FBI, the CIA, the National Security Agency, the National Geospatial-Intelligence Agency and the Office of the Director of National Intelligence, along with organizations such as Microsoft, Xerox, the NFL, FireEye, and DataRobot.

The meeting focused on the growing and international nature of cyberattacks. Commander William Marks of the US Navy explained why discussing cybersecurity is important for them:

Threats are no longer constrained by international borders, economics or military might; they have no borders, age limits or language barriers, or identity. The threat could be a large nation-state or a 12-year-old hacking our network from a small, isolated country.

Janice Glover-Jones, chief information officer of the DIA, added:

In the past, we have looked inward, focusing on improving our internal processes, business practices and integration. Today we are looking outward, directly at the threat. The adversary is moving at a faster pace than ever before, and we must continue to stay one step ahead.

There are concerns about the DIA’s strategy of retooling malware and sending it back like a boomerang to attackers. Sophisticated attacks make it even more difficult to determine an origin and specific attacker – what if the malware the DIA sends attacks a teenage script kiddie? What if the DIA ends up attacking people who are unaware that their computers are part of a botnet? There’s also the concern of the DIA’s counter-attacks damaging innocent bystanders such as ISPs and web hosts.

Is this a good tactic? What do you think?


10 Comments

It’s a poor choice to blindly shoot in the direction a shot came from, especially when they know that it’s unlikely to hit it’s intended target. I’d bet when Stewart re-engineers malware and sends it back, “if” it gets the intended target, they will be able to use and abuse the new coding he just sent the hackers….. Better off just chasing them down

Its not a good idea at all, if an attacker is utilizing an exploit don’t you think that most of the high threat and medium threat actors would already have ways to protect themselves from the vulnerability being exploited? Also, lets say Hacker X doesnt like Person Y so he spoofs an attack from Person Y then suddenly the DIA is attacking Person Y..

I get that security is necessary in any business, but why of all organizations was the NFL attending? I guess they really want football exclusive to their networks 0.0

I personally think it’s a great idea. Yes, a few innocent people MAY get attacked, but overall it will force the responsibility of security back onto service providers, where it belongs.

Yes, let’s forget entirely about zombie PCs and proxies, makes sense to launch attacks back almost certainly to the wrong targets. Oh I have an idea, let’s take over some 12 year old’s PC in a country USA wants to point its grubby finger at so they can blame them for all that is wrong in this world.

The above post contains sarcasm BTW.

So some hacker spoofs a group my company’s email users and I get attacked by the military. Nice. I hope my Sophos email gateway is ready for it.

It’s interesting that many of the commenters accept that the US intelligence agencies have the ability to reengineer an adversary’s malware, but don’t believe they are aware of botnets or spoofing. My reaction to this is that the approach is OK in those few instances where the identity of the attacker is known with reasonable certainty. On the other hand, using the same tool on them that they used on us means they are going to be very familiar with it and will probably know how to defend against it. It would be better to hit them with something they aren’t expecting, I would think. I suspect that General Stewart’s comments were “get tough” rhetoric rather than an actual strategy.

I’ve been doing this for years. Just go back through the mail headers, and choose the one before the list of redirects. I then publish any plain text malware (Usually javascript) on PeerLyst, to warn others.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?