Tracking Hacker Forums with Traffic Analysis

A study conducted by the Intelligence firm RecordedFuture demonstrates the efficiency of the analysis of hacker forums through traffic analysis-like techniques.

Hacker forums still exist, hacking communities are with good shape and growing. Hacker Forums are normally hard to find and once you find them you will see them change again.

Most prolific Hacker forums are mainly located in Russia, China, Brazil and in Arabic countries, so its normal face with the further problem of the language.

Hacker Forums are excellent aggregators, they represent a good place to sell/buy exploit kits, to talk about new vulnerabilities, and to get opinions (but again, you will not be able to understand it).

A study conducted by the Intelligence firm RecordedFuture has analyzed a hacker forum through traffic analysis-like techniques, a technique that resulted effective even if the authors of the research did not had any knowledge about foreign languages used in the hacker forum.

“Analysts can detect patterns in timing, forum participant product and vulnerability, etc. and use this knowledge to determine whether forum participants are a threat. Further, such insights can be used to set up appropriate alerting based on forum activity and help network defenders keep pace with developments around vulnerabilities and exploits.” states the analysis published by Recorded Future.

The data presented in the study was collected over 900 days during which the experts analyzed a Russian hacking forum, the first thing the researchers did was the identification of the principal language used in the forum, it was Russian.

In a second step they focused the analysis on the vulnerability coding, the Common Vulnerabilities and Exposures (CVE), in this way the researchers discovered that the hacker forum was focused mainly on CVE related with Microsoft, Adobe Flash, but surprising Linux was also present most likely because of Shellshock flaw.

In terms of vulnerabilities, Heartbleed and Shellshock were on the top, but other important vulnerabilities were in the list too, and heavy discussions about it:

“Patch Tuesday … Exploit Wednesday”

The expression “Patch Tuesday … Exploit Wednesday” was referred in a Trend Micro post, back in 2006, and revealed that after the release of new discovered vulnerabilities with Tuesday Microsoft Security Bulletin, a exploit week would start, trying to take advantage of these new discovered vulnerabilities. Nowadays this expression continues to be valid. The next image shows a period starting in March 2013 and ending in September 2015, the blue section is the general forum traffic, the green section is for traffic concerning CVEs and the red one, is related with traffic concerning Microsoft products specifically:

The research provided also interesting info on hackers’ habits, for example, participants to the hacker forums are latecomers in the day, especially when it comes to traffic concerning vulnerabilities. This data reveals that probably the participant have a different job during the entire day.

I strongly suggest you to read the report, the research demonstrated how hacker forums can be analyzed at the message/post-traffic level. This technique is very efficient because frees researchers from the knowledge of the language or tracking individual posts.

“Analysts can detect patterns in timing, spikes in forum participation, mentions of products or vulnerabilities, etc. and use this knowledge to determine whether forum participants are a threat.” states Recorded Future.

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs –  Hacker Forums, Intelligence)