Name: Anonymous 2018-06-13 14:03
1. OSINT: research which infosec company you wanna own, figure out which tools they use, i.e. sandboxes/hypervisors/etc, maybe @ them on twitter and straight up ask -- worth a shot
2. Acquire VM escape vulnerability -- might not even necessarily need to be a 0-day, could be a known vulnerability, depending on their patch cycle, or settings for configuring things
2b. if you can't find anything publicly, go to a zero-day broker, or maybe just run a fuzzer for like a zillion years, or less than that if you have a cluster, or pay out the ass for AWS or some shit
3. tell the antivirus company you're a software developer and their antivirus software falsely detects your software as malware, and ask if they can change that
4. they might either ignore you, do nothing, or perhaps -- and this is the scenario you want -- analyze your software to verify it's not malicious
5. they run your software with the VM escape exploit
6. establish reverse shell
7. pivot, exfiltrate their shit
8. remember the Ken Thompson compiler backdoor? wouldn't it be cool to do something like altering someone's checksum tools, process monitoring tools (top, htop, system monitor, task manager, SIEM, IDS/IPS, logs, etc.) and also alter their malware research tools to make it so that they wouldn't show your malware?
I know this is all easier said than done, but it's just a high-level casual idea, not something too serious
why go after individual targets when you can go after companies that a lot of people trust? AV companies routinely have users run their software with elevated privileges, and they often do MITM and cert bullshit too, for doing browser-based AV garbage, which puts users at risk
so if you could own an AV company, imagine all their customers too
when Willie Sutton was asked why he robbed banks, he said "because that's where the money is"
don't waste your time with shitty small-fry phishing campaigns that lead nowhere
btw this is all 100% hypothetical/satire and I would never encourage people to do anything actually malicious or illegal