02 October 2008

Technical OSINT innovation contest: the 2008 Malware Challenge

While the worlds of most OSINT analysts do not typically overlap with those working in the more rarefied fields of digital network intelligence, forensic analysis, and network warfare, there is a highly specialized subset that may be interested in testing their skills as part of a challenge of their own. While clearly not as high profile as the recent DNI OSINT contest, the 2008 Malware Challenge promises interesting responses of its own.

The winners of the malware challenge will be announced at the 2008 Ohio Information Security Summit on 31 October 2008. We had not previously seen this conference, but it appears to be a small regional conference that is unusually well attended by the usual round of ex-spooks and ex-cops that have moved into the cyber security industry of late.

The challenge scenario is reproduced below:

"A system administrator within your organization has come to you because a user's PC was infected with malware. Unfortunately, anti-virus is unable to remove the malware. However, the administrator was able to recover the suspected malware executable. Your job is to analyze the malware.
Participants should download the malware sample and analyze it. The end result should be a document containing details on the analysis performed. The analysis document can be written in any form, but the questions and statements below should be answered within it. Participants should note what questions are being answered.
The questions...
* Describe your malware lab.
* What information can you gather about the malware without executing it?
* Is the malware packed? If so, how did you determine what it was?
* Describe the malware's behavior. What files does it drop? What registry keys does it create and/or modify? What network connections does it create? How does it auto-start, etc?
* What type of command and control server does the malware use? Describe the server and interface this malware uses as well as the domains and URLs accessed by the malware.
* What commands are present within the malware and what do they do? If possible, take control of the malware and run some of these commands, documenting how you did it.
* How would you classify this malware? Why?
* What do you think the purpose of this malware is?

Bonus questions: (These questions are not required to be answered but could be used to break a tie for prizes.)
* Is it possible to find the malware's source code? If so, how did you do it?
* How would you write a custom detection and removal tool to determine if the malware is present on the system and remove it?

Analysis documents should be submitted in PDF format to 2008challenge@malwarechallenge.info by 12:00 Midnight EST (5:00 AM GMT) on October 26, 2008."

Additional information, including other contest rules and FAQ, can be found at the challenge website.

Interestingly, we note that Steve Jackson Games is among the sponsors providing prizes for the winners. SJG was most famously the victim of a botched Secret Service raid in 1990, which seized files and texts that were part of one of its published gaming lines. For those that are not familiar with this disastrous episode from the earliest days of the cyber intelligence account, it was best recounted in Bruce Sterling’s still timeless book, The Hacker Crackdown. (In our opinion, this is also a text which should be mandatory reading for those involved in SIGINT, MEDEX, or eCrime analysis. And while the USSS has indeed come a long way since then, we do from time to time encounter other shops still grappling to come to terms with the new threat environment, with often equally absurd results.)


h/t Spy Logic


15 August 2008

Medical intelligence and the PRC Olympic gymnastic team

The controversy over the allegedly altered official age records for the PRC’s Olympic gymnastic team has provided an excellent teaching example for the benefits of medical intelligence. There are a number of indicators which have been surfaced through open source reporting, including missing baby teeth, biometric anomalies, and altered official records and state agency news stories. These are compelling evidence in their own right to support further inference.

Of course, more sophisticated techniques are available for intelligence professionals. Such techniques have long been a staple of leadership analysis, in which foreign figures are closely examined for potential medical anomalies. The importance of accurate assessments of the health of foreign leaders was driven home after the failure to understand the severity of the Shah of Iran’s illness, which directly led the United States to underestimate the revolutionary climate of the country in 1979.

The discipline has been covered repeatedly in the intelligence literature, first in a (now declassified) Studies in Intelligence article, Remote Medical Diagnosis. The history of the methodology and its use was also revisited in an article published in the International Journal of Intelligence and Counterintelligence, “CIA’s Medical and Psychological Analysis Center (MPAC) and the Health of Foreign Leaders”. There is a robust and well tested tradecraft available to help address these outstanding questions, even based solely on media recorded to date.

One particular analyst of our acquaintance leveraged practice honed in the far less rarefied world of gossip magazines into an uncanny talent for spotting plastic surgery in handheld imagery. Needless to say, it is a competency that one does not often find listed in human capital inventories – even in leadership analyst or medical intelligence vacancy postings – yet one that has numerous uses in the intelligence profession. (Including, one might add, settling informal wagers taken over particular points of dispute that from time to time circulate through the vault.)

The application of these analytic methodologies is certainly not infallible, particularly when assessing the age of young females. A number of high profile mistakes have occurred in cases involving online pornography (albeit mistakes usually made by less well trained criminal investigators carrying with them a host of cognitive biases, rather than objective medical professionals focused on the art and science). However, the International Olympic Committee could certainly avail itself of far more robust diagnostic options than remote analysis alone might otherwise afford in order to reduce the potential error rate.

Regardless of the outcomes of further medical assessment, the controversy itself offers additional insight for political and leadership analysis. The insecurities of an authoritarian leadership – so desperate to prove itself on a world stage that it resorts to unsportsmanlike conduct and faked ceremony – demonstrate the impulses of the Communist government’s decision-making process as clearly as any other operational code yet documented. The reaction – or lack thereof – from a disconnected internationalist body mired in its own Utopian fantasy has also been instructive (and equally, could easily have been predicted by anyone who has spent any amount of time in the cloistered and anti-intellectual environment of Lausanne).

The truth will out. If nothing else, the case also demonstrates the value of intelligence to a wide variety of non-traditional consumers in this new millennium.


17 March 2008

Considering immunity

While there are those that believe the world of polite conversation and “good faith” in arms control and disarmament can trump the hard realities of proliferation, we see a world in which the technologies required to assemble and deploy a credible threat are increasingly within the reach of the most mundane of non-state actors. While we are rarely given to dwell exclusively on issues of threat, as threat is not always in fact the most interesting aspect of a particular problem account (despite what many outsiders may believe), there are a few areas in which our nightmares are never far from fruition in the hands of the wrong actors.

This is especially true in the areas of emerging biological threats. While we are very much aware of a particular academic effort that examined the matter recently, we found its results disappointing, to say the least, largely because its work focused far too much on an assessment of the present vice a truly predictive and forward looking estimate – one that would help to bound the future space of uncertainties, and would identify the drivers and forces moving on the horizon.

Nonetheless, we continue to see the faint indicators of these forces from time to time. These are best captured not in some formulaic collection of wiki pages dedicated to a highly geographic scope – as if disease somehow respected national borders. Rather, one looks for the trend lines, and those areas in which black swans may emerge without warning as sudden shocks to the unprepared perspective. And while there are those that will insist that a black swan event is inherently unpredictable by nature, we are reminded of Nassim Nicholas Taleb’s original formulation of the turkey’s day. The black swan event of meeting the butcher is only a shock to the turkey after a thousand days of being fed and cared for by other humans; it is an entirely normal course of a day’s work for the butcher. Likewise, for those who shift their perspective to the edges where the future is not evenly distributed, there one may find the first seeds of those events sown.

The difficulty of course lies in winnowing the signals of true predictive value from the noise of the overwhelming range of possibilities and potentials. This is fundamentally an insight problem. And the difficulties faced in approaching these problems are the epitome of the danger of treating mysteries as if they were puzzles suited for deterministic approaches and linear solutions that can be tied up neatly in sections and a nice cover page.

We happened to glance today at just such a faint indicator in which the merest hint of future insight might be reflected. It comes to us by way of the scientific community – always fertile ground for an intelligence professional to mine when examining fundamental issues of the physical and the living (as opposed to our more usual domain of the virtual and the dead). We find the development of simple replica immune systems for rapid testing of vaccines quite interesting in its own right, with the prospect of accelerated (and more accurate) clinical trials as the first clear benefit.

But our darker minds also take hold of the concept, and ponder the dual use implications that such a technique might offer in the hands of an adversary seeking to accelerate testing of modified biological agents designed to defeat immune resistance - whether human or otherwise. The footprint of such a facility would not be large, and would pose a very different kind of challenge to the intelligence community of tomorrow than the classic concept of an offensive bioweapons program. Threats abound in most futures that are easily envisioned.

At the same time, the technology presents the potential hope of opportunities not yet conceived. Just the other day, before the University of Maryland findings began circulating, we found ourselves listening to an interesting discussion of the value that captive wildlife populations might bring to large scale bio-surveillance programs, both for sentinel warning as well as novel agent detection. The potential for cultivating accelerated immune responses as test models by which we might know the signs of outbreaks through wildlife (or domestic animal) populations is quite intriguing, especially given the other utility brought by captive populations in the urban settings of major zoos.

We ponder this as a case study not solely in pursuit of any account in its own right – as that is more properly the domain of the line analyst – but rather as a teaching example. The case illustrates well the difference between intelligence done off a checklist, which presumes a puzzle to be assembled from some mythic collection of dots, vice the kinds of implicit linkages that can only be found through creative exploration driven by fruitful obsession. Whether that which has been sketched here has any true value is a matter for the more disciplined application of analytic tradecraft. However, if one is not preparing analysts to begin to find reflections in the endless stir of these echoes that they may seek to later crystallize through more formal methodology, all that they will have to work with will be checklists and formulaic incantations – which alone will not keep the dark at bay.


12 March 2008

The intelligence community and technological surprise in the Cold War

It has long been a maxim in the intelligence community that despite other types of intelligence failures – created by both collection shortfalls and analytic errors – the one remarkable area of success was the “fact” that no Soviet weapons system was deployed during the latter period of the Cold War without the US being aware of it in advance. In this version of the telling, the initial period of uncertainty regarding Soviet capabilities was ended by new technical collection methods, and the analysis to derive insight from those collection systems. From that point forward – usually dated to around the time of the introduction of the U-2 platform – the US intelligence community allegedly never again faced strategic technological surprise.

This story has been repeated so often that it is no longer even questioned, particularly given the fact that multiple DCIs and their deputies have also supported the statement. Despite this, a recent conversation regarding certain post-Cold War discoveries about historical intelligence controversies gave us reason to revisit this old success story. The public history regarding the IC’s true knowledge of the main enemy’s scientific and technical intelligence advancements has become clearer as declassification continues to bring these topics back into the realm of academic discussion. One can also now make far more useful comparisons with the increasingly public statements of former Soviet scientists, defense planners, and other professionals that are now recording their own services’ histories.

And from these comparisons, we find the old maxim gravely wanting in the revised judgment of history. Perhaps the most serious area of strategic surprise was the revelations first made public by Ken Alibek, the defector who formerly headed the Soviet Biopreparat program, of an unsuspected strategic biological warfare capability. This capability included weaponized anthrax and smallpox warheads deployed on R-36 / SS-9 SCARP and R-36M / SS-18 SATAN ICBMs. This surprising revelation was, however, preceded by an earlier intelligence failure regarding Soviet BW programs, which missed the development and first operational deployment of T2 mycotoxins – yellow rain – in Laos and Cambodia. That alone should have provided warning that all was not well with the IC’s supposed scientific and technical intelligence superiority, as also should have the Sverdlovsk anthrax release accident. However, the rapidly and intensely politicized public debate over these latter two cases in particular serves to illustrate well the long term damage that can be done to the community by the failure to remain objective, independent, and apart from the media-led scrum.

US technical intelligence regarding Soviet chemical weapons programs also allegedly suffered from similar surprise, failing to initially detect the development of the entirely new class of Novichok nerve agents – again learning about the capability only from post-Cold War defector reporting. What might have been in this matter is far less clear, but as an exception it certainly disproves the rule.

It is important, when holding up a standard for new intelligence professionals to emulate, that we choose one that has actually been met before. Absolutely avoiding all forms of strategic surprise in the scientific and technical area is a laudable goal. But that is not the bar that was set by the Cold War era – despite what others may claim – and measuring today’s efforts through that prism does a great disservice to those who are responsible for chasing an impossible mission under what are arguably the far harder circumstances of the contemporary operating environment.

This does not in any way detract from the excellent service given by those responsible for the assessment of Soviet weapons programs, and for the countless successes which initially gave rise to the myth. While the IC does not need aggrandizement, it does have ample legends that have more than earned bragging rights never exercised in a quiet profession. History owes those that never sought recognition in their own time an accurate accounting of the deeds of their day.
