There has been a lot of talk about drones lately. There is no doubt that they are a valuable asset in the current war, and they will most likely have a central role in upcoming wars.

But there is another kind of drone: the digital counterpart.

Digital drones are sophisticated little programs that hackers and security penetration testers have been using for years to recon their targets, to collect information, to download and upload malicious or utility code, and to control or attack the remote system. They can also deliver a payload, execute it and self-destruct.

This is not new; we've been using these kinds of programs to attack and recon since the 90s. However, due to the increased support for more intelligent interfaces on operating systems, the drones too have gotten more intelligent and capable over the years.

One early version of a drone we coded had the ability to recon the network, search for specific files, record sound (from laptops or computers with microphones) and take screenshots of the systems it was surveilling. This particular piece of code could also be used in real time. If the drone detected a way to covertly egress information, it would send a signal to one of many servers located around the world, letting us know we could control it. Then we would open a command console on our end, connect to the IP the drone sent us and control it directly.

We could request network information and it would send the intel a few moments later; we could request a search for specific files, which would be uploaded to a server at random intervals, stealthily, so the drone could remain undiscovered. We could also request a shell. A shell is simply a command line terminal that allowed us to control the target system remotely by issuing command line instructions or running programs remotely.

Another, newer drone we used was able to install itself at kernel level, like a rootkit or device driver, and specifically monitor the system for the use of cryptography. If a known program was used, the drone could steal the private keys (in cases where public-key crypto like PGP was used) or simply record the keys as they were being pressed by the bad guys when they were entering the password. There were many ways to achieve all this back then and remain undetected, and there are many more now.

A good recon program utilizes stealth techniques. For example, it can bypass or disable personal firewalls, antivirus or anti-malware software. It loads all its functions at runtime so monitoring software will have a harder time detecting it, it exploits unknown vulnerabilities in the host operating system (also known as zero-day attacks), and it utilizes covert channels to extract information or provide real-time control, for example (and without giving too much detail) by manipulating TCP packet headers or the data section, or by sending information in the form of DNS requests.
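The DNS covert channel mentioned above is also the one defenders most often get to see in resolver logs. The following is an added example, not code from the original post, of a simple heuristic detector: it scores each query by name length, label length, payload entropy and TXT record type, then flags parent domains that receive a stream of distinct, never-repeated subdomains. The log format and all sample lines are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (timestamp client qtype qname); not real traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 A mail.example.com
2024-01-01T10:00:03 10.0.0.7 TXT 4a6f686e20446f65.0001.exfil-test.invalid
2024-01-01T10:00:04 10.0.0.7 TXT 70617373773072642e747874.0002.exfil-test.invalid
2024-01-01T10:00:05 10.0.0.7 TXT 48656c6c6f576f726c6421212121.0003.exfil-test.invalid
2024-01-01T10:00:06 10.0.0.5 A cdn.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits per character; hex carriers top out at 4.0, base64 carriers near 6.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    # Naive last-two-labels split; production code should use the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_query(qtype, qname, max_name=48, max_label=24, min_entropy=3.0):
    """Reasons a single query looks like it carries data rather than a hostname."""
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-2])          # everything below the registered domain
    reasons = []
    if len(qname) > max_name:
        reasons.append("long name")
    if any(len(label) > max_label for label in labels):
        reasons.append("long label")
    if len(payload) >= 16 and shannon_entropy(payload) > min_entropy:
        reasons.append("high entropy")
    if qtype == "TXT":
        reasons.append("TXT query")        # large answer capacity, common tunnel carrier
    return reasons

def analyze(log_text, unique_threshold=3):
    """Return (flagged qname -> reasons, parent domains fed many distinct flagged names)."""
    flagged, per_domain = {}, defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # skip malformed lines rather than crash
        _ts, _client, qtype, qname = m.groups()
        reasons = score_query(qtype, qname)
        if reasons:
            flagged[qname] = reasons
            per_domain[registered_domain(qname)].add(qname)
    # One parent domain receiving a stream of unique subdomains is the tunnelling signature.
    suspicious = {d for d, names in per_domain.items() if len(names) >= unique_threshold}
    return flagged, suspicious
```

Thresholds are deliberately loose; in a real deployment tune them against your own resolver baseline and whitelist CDNs and telemetry domains that legitimately generate unique subdomains.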