Liam Amarku
I was able to see where they were connecting, where they were hosting, how they were routing their traffic, how we could become part of that routing, how we could see some of their messages, how we could infiltrate, how they communicated, and that was super, super important in understanding the entire attack.
The way this malware routes across the planet is fascinating to me.
The way they were protecting their identity was they were routing their traffic through infected machines so that if someone like me or a law enforcement tried to trace them to their original location, it would be very difficult to do that because they would jump through multiple infected machines in multiple countries.
So if you saw their first IP address and you tracked that down, you would get a victim.
And even if you monitored that victim machine, you would get another victim in another country.
And to go and trace it all the way back to their home machine would be very, very difficult.
So it was a really smart way for them to hide their traces.
It all started off under my desk, actually, in the office.
I had my little test machine under my desk, and I set it up there, and I ran the malware, and I was very disappointed to see that they never connected to my machine.
And then I started to realize, oh, there's an algorithm that they're using to decide which machine to connect to.
So then I understood that if you had a higher bandwidth, you had a better chance of being used.
If you were in different geographies, you had a better chance of being used.
So it went from underneath my desk to a server in the west coast of the U.S., then to a server in the east coast of the U.S.
And eventually they would connect to my machine as their first machine in the chain, which meant I got their home, or what I thought was their home IP address.
So I was getting these addresses in Romania, in Bucharest, and in the town called Brasov.
Every now and again they would slip up and you would see that that's exactly where they were coming from.
So by using those proxies, not only was I able to see where they were coming from originally, but also I got to see like an absolute treasure trove of information that they sent across that network because they felt they were protected.
So we would see, first of all, them setting up their campaigns.