Today, the benefits of malware seem to be greater for attackers than the risks of undertaking the criminal activity. Cyberspace offers criminals a large number of potential targets and ways to derive income from online victims. It also provides an abundant supply of computing resources that can be harnessed to facilitate this criminal activity. Both the malware and compromised information systems being used to launch the attacks have a low cost, are readily available and frequently updated. High speed Internet connections and increased bandwidth allow for the mass compromise of information systems that renew and expand the self-sustaining attack system. By contrast, communities engaged in fighting malware face numerous challenges that they cannot always address effectively.



  • Programming languages are standard and known by malicious actors: C C+ CFM, RUBY,ASP, PERL, PHP, JAVA or NET. They are experts in coding, scripting and markup languages.


  • Malicious actors understand operating systems and servers like Windows IIS (internet information servers), Linux and Unix and Apache. They often scan servers to utilize web server banners (fingerprinting Operating System & Applications) known as Web Server- Enumeration technique which also gathers information about computer systems on a network and the services running and ports. The goal is to get root access, trying to get shellcode (SHELL- screen you use to interface with os/ROOT-highest level of authority) payload and prompt.


  • The hackers study and understand a mixed bag of systems that businesses routinely run like  Windows, Linux, Solaris, HP-UX, and AIX, plus different versions of each OS. Not only are there different operating systems, but also they are deployed in a wide array of implementations. Some are running relatively small, self-contained servers and desktops that use native file system types. Others use large RAID, SAN, or NAS storage or employ a mixture of various file systems. The environment might also be heavily integrated with many support systems, such as database, LDAP, or other component servers.


  • Hackers have time to due reconnaissance to know enterprise systems comes in a variety of flavors. Systems could be accessed by either direct or virtual consoles. A single system could have one or more administrators. Authentication could be local or via domain administrative access. Two-factor authentication that is based on “something you know” such as a password and “something you have” such as an RSA SecurIDR token might be required. What this means is that investigators can often find it difficult to gain administrative access because of technical issues, complex paperwork, hard-to-locate administrators, or complex access control lists (ACL).


  • They take advantage of the vulnerabilities in the widespread use of Content Management Systems, from SharePoint’ WordPress, Drupal and Joomla. CMSs are literally everywhere. CMS Scanning Tools, CMSmap, WPscan, JoomlaScan See:



Malware is now spread around the world and rankings60 tend to show that a whole host of countries across the developed and the developing world are home to online criminals using malware. Although attacks originating from one country may have local targets, the predominant trend is attacks that originate internationally relative to their targets. In addition, geography may play a role depending on the end goal of the attacker. For example, broadband Internet speeds differ from country to country. If an attacker wishes to maximize network damage, he/she may use compromised computers located in countries where broadband is prevalent. If the goal is to degrade service or steal information over time, the attacker may use compromised computers from a variety of geographical locations. Geographical distribution allows for increased anonymity of attacks and impedes identification, investigation and prosecution of attackers


  • By 2020 the number of devices connected to the internet will outnumber people 6 to 1     
  • In 2011, at least 2.3 billion people, the equivalent of more than one third of the world’s total population, had access to the Internet.
  • Over 60 per cent of all Internet users are in developing countries, with 45 per cent of all Internet users below the age of 25 years.
  • By the year 2017, it is estimated that mobile broadband subscriptions will approach 70 per cent of the world’s total population.
  • By the year 2020, the number of networked devices (the “Internet of things”) will   outnumber people by six to one, transforming current conceptions of the Internet. In  the hyper-connected world of tomorrow
  • Upwards of 80 per cent of cybercrime acts are estimated to originate in some form of organized activity, with cybercrime black markets established on a cycle of malware creation, computer infection, botnet management, harvesting of personal and financial data, and data sale.




  • Low risk high reward, no extradition treaties in China/Russia. 
  • Lack of worldwide coordinated effort to combat cybercrime on a global scale.
  • Automatic attacks are to difficult to trace. So Who attacked Sony?
  • Tools mapping of applications, infrastructure, server identification and automative   



Botnets Proxy Web hosting servers, Hijacked Web servers Deepweb/darknet : Onion router, a suite of software and network computer like Tor/ IP2/FreenetCD, USB Based Operating Systems, Internet Anonymizers, Virtual Private Networks (VPNs) Proxy Servers,Web Browser Ad-ons, Search Engines, Email and Communication Encryption and other. Learn More ........



Attributing Cyber Attacks.pdf
Skilled hackers use proxy machines and false IP addresses to cover their tracks or plant false clues inside their malware to throw investigators off their trail. Reverse engineering malware to find attribution based off a compiled on a machine that uses a foreign language. The encoding language on a computer; computer users can configure the encoding language so that content on their machine renders in a language they speak. But an attacker can set the language on a compilation machine to any language they want and, can even manipulate information about the encoded language after a file is compiled to throw investigators off. Hackers at times use wiper components to destroy data. To do the wiping, they used drivers from commercially-available products like RawDisk, that allow administrators to securely delete data from hard drives or for forensic purposes to access memory. See:

  • Dynamic DNS fast flux
  • Money Mules
  • Domain Generated Algorithms

       *Must trace evidence to suspect