Finally
I couldn’t really believe my ears when I heard the judge declare that:
Here is a copy of the MIT license, one of the well-known open source licenses. It is, effectively, the only license that I’ve used for software I wrote or contributed to in the last 10 years:
Recent events have made me reflect on a few things in my life I had already been thinking about for a while. Also, responses on social media have made me realize that people have strange expectations of me and of what my role in the Bitcoin Core project is.
I’ve put up a (read-only) mirror of various bitcoin-related git repositories at nxshomzlgqmwfwhcnyvbznyrybh3gotlfgis7wkv7iur2yj2rarlhiad.onion. This is a Tor v3 hidden service, which means that at least Tor 0.3.2.9 is required to access it.
Here I’ve taken the environment from the BLATSTING Command-and-Control protocol article and extended it, so that the emulator works as a router between an internal network with our victim and an external network, a mock version of the internet with just our attacker and one web server:
SECONDDATE is the most well-known of the spy toys in the EQGRP dump. It is a Man-in-the-Middle attack tool that is installed on intermediate routers. It can be used to fake DNS replies as well as inject HTTP redirects. This Intercept article does a great job of explaining the operational side.
This time I will be taking a cursory look at a different malware framework in the EQGRP free dump: BUZZDIRECTION. BUZZDIRECTION is another modular rootkit, but more extensive than BLATSTING. This list classifies it as “a firewall software implant for Fortigate firewalls”, just like BLATSTING. Maybe it is just a successor for the same purpose, but maybe it is something more.
(this showed a terminal session from showterm.io of a session controlling BLATSTING, but the content is no longer available)
In this installment I’m going to describe the Command-and-Control (or C&C) protocol of BLATSTING. This is the protocol used in the network traffic between the malware and whatever is used by the person controlling it. I’m also going to see whether this traffic can be detected.
The one mystery module in the BLATSTING rootkit/malware/implant/… in the Equation Group dump is m12000000, or TADAQUEOUS. There is only one mention of it in the various documentation and scripts: