Whenever you do work for a long period of time, you tend to become a bit jaded, and security research is no exception. Rest assured however, this is not a post about being bored or complaining, but instead a reason why I love the work I do. The recent news of the IE 0day being exploited caused a stir on all of the collaborative mailing lists which is both good and bad. Bad because some fools have no problem destroying insight into an infrastructure (you know who you are) and good because analysis of all the samples is done quickly.
Anyway, it was last Thursday that someone had started reviewing a sample when they explained that a chat window had popped up with the operator asking what they were doing. The exchange between the researcher and operator was short, but the second I saw it, I had to experience it myself. I pulled the sample, ran it in one of my setups and was greeted with an operator almost instantly, only I didn’t get a chat window, I got a shutdown command passed to my machine…cool.
Booting my machine back up and re-infecting it got me back to where I started, but this time I saw an additional connection come into the box (3 in total) and a chat window pop up on my screen. The first message passed was a ” “. We exchanged greetings and the operator asked what I was doing, to which I responded, talking to them. They asked why I wasted time with virtual machines and what I did for work. I answered and was then greeted with my machine being logged off.
Despite being shutdown, logged off and messed with, I always came back to try and chat more. This went on for about two hours before I was able to get some answers to my questions.
I also seemed to make the operator upset because I wouldn’t leave the connection alone.
Unfortunately, I wasn’t able to save all of the logs because of the random shutdowns, but I took a couple of pictures. I didn’t gain too much from the chats other than that the operator was always the same, seemed to enjoy talking and knew some pretty interesting English words (“nagging”, “pestering”, “dreadfully”, “despise”, etc.). By the end of our chats I had been told that the operator was a female and lived in Korea (didn’t mention North or South). She said to leave her server (the C2) alone and told me to stop running her malware in virtual machines. I agreed to the terms and we bid farewells, only this time my machine was left running.
Could all the data be fake? Sure. Would some call me foolish for talking with them? Sure. But if there is one thing I know, it’s that whether you are running an operation, writing malware or reverse engineering it, you are still human (for now) and what you are doing is just a job. I imagine operators seldom get to chat, so when presented with a nagging researcher, it is probably fun to fill their day with a couple pointless exchanges.