It is a critical moment when hackers unleash their malware into the wild and have to get in touch with the outside world. They expose themselves for a short moment and risk leaving traceable tracks that may reveal their identity. We regularly read and see in the media that malware is spreading successfully and unnoticed over the Internet. If done properly, it is hardly possible to nip the propagation in the bud or to determine its originator.
The days when attackers were just hobbyists are definitely over. They possess deep knowledge in their field and know where their plan is critical and calls for caution. The methods used to unleash malware are thoroughly tested and far more advanced than earlier ones. In this article I will explain how attackers proceed to cover their tracks and stay on the safe side.
Anonymity
We have already considered how hackers propagate malware, and you know how they proceed. But let us ignore for now which way and which tool they have chosen. Let's go one step back and examine the preconditions that are essential for all the attack vectors and tools they choose. It is essential to set up the system and the tools used for propagation in an anonymous state. This means every interface to the "outside" has to be anonymized to make traceability not only hard but impossible. Let's take a concrete example and assume an attacker plans to use a free webmail account to send a victim an infected attachment. The following parts of the communication chain could reveal an attacker's identity or give valuable hints:
Operating system/User profile: Propagation without a computer is feasible only in the rarest cases, e.g. with removable storage devices. Normally it is done in front of a computer. Remember that you log into a system by identification and authentication. All my logins are somehow related to my real name, email address or a project name. An initial step among all the preparations an attacker makes is to anonymize the user profile under which he will propagate malware.
Tool set: The tool set used to propagate malware normally consists of a browser, a mail client or file sharing software and was downloaded from the Internet. We don't know exactly what tell-tale information client software transmits to a network peer, and analyzing its data stream with a sniffer would be recommended for the sake of safety. Normally, if necessary, the transmission of such data can be disabled or anonymized somewhere inside the tool configuration; that way it doesn't leave hints that lead back to the attacker.
But not only the client software itself can give hints to an attacker's identity. If the software supports plugin mechanisms that can influence and direct the client software, the attacker's opponents could worm out valuable secrets he wants to keep for himself. Therefore it is recommended to disable any unneeded plugins like Java, JavaScript or even the Adobe Flash plugin. They can leak information about the system and its configuration, like the browser version or the IP address.
Networking interface controller: A network card is identified by its worldwide uniquely assigned MAC address. But as network administrators have probably already experienced, some manufacturers ignore the recommended practices and assign MAC addresses to their NICs at their own discretion, so these addresses are not as unique as expected. Also, changing the MAC address on Windows is done without much effort, and an attacker will change the MAC address of his connected NIC to protect his identity.
IP address: The IP address is the most critical point the attacker wants to hide. Once it is possible to determine the attacker's IP address, the game is over. The address is traced back to the IAP (Internet Access Provider) and, together with the connection timestamp, this leads directly to the person behind the attack. It's mandatory for an attacker to hide his real IP address or to use an untraceable one. There are two main ways and several sub-variants of how to proceed to be on the safer side, which I will explain in the two following chapters.
In part two …
As with some of the other articles I wrote before, this one has also grown larger than expected, and I decided to split it into two parts. In the second part I will explain the possibilities of connecting to the Internet anonymously by using proxy servers and other people's infrastructure, like WLAN or a landline phone.



Also, AFAIK wireless cards have unique IDs as well, which the AP (in the case of a public WLAN) will see.