Most Recent News from the Lab
 

Tuesday, February 17, 2015

 
The Equation Group Equals NSA / IRATEMONK Posted by Sean @ 13:20 GMT

On December 29, 2013, Der Spiegel, a German weekly news magazine, published an article about an internal NSA catalog that lists technology available to the NSA's Tailored Access Operations (TAO). Among that technology is "IRATEMONK".

"IRATEMONK provides software application persistence on desktop and laptop computers by implanting the hard drive firmware to gain execution through Master Boot Record (MBR) substitution."

IRATEMONK, ANT Product Data
Source: Wikimedia

"This technique supports systems without RAID hardware that boot from a variety of Western Digital, Seagate, Maxtor, and Samsung hard drives."

On January 31, 2014, Bruce Schneier deemed IRATEMONK his "NSA Exploit of the Day" which prompted this from Nicholas Weaver.

NCWeaver on IRATEMONK

"This is probably the most interesting of the BIOS-type implants."

"yet the cost of evading the 'boot from CD' detection is now you have guaranteed 'NSA WAS HERE' writ in big glowing letters if it ever IS detected."

Well, funny story — components related to IRATEMONK have now been detected — by the folks at Kaspersky Labs. Kaspersky's research paper refers to a threat actor called the "Equation group" whose country of origin is not named, but the group has exactly the capabilities detailed by the NSA's ANT catalog.

Ars Technica has an excellent summary here: How "omnipotent" hackers tied to NSA hid for 14 years—and were found at last.

 
 

 
 
Wednesday, February 11, 2015

 
An Early History of the Crypto Wars Posted by Sean @ 14:17 GMT

Stanford University's Alumni Association Magazine recently published a very interesting article on the early history, politics, and publication of academic (non-classified) encryption research. The article, Keeping Secrets, focuses on Martin Hellman, who is known for his work on public key cryptography.

Work that in retrospect, even Bobby Ray Inman (NSA Director, 1997-1981) thinks he should have been less concerned about.

Stanford_Magazine_Keeping_Secrets

"Rather than being careful to make sure they were[n't] going to damage [our collection capabilities]… I would have been interested in how quickly they were going to be able to make [cryptosystems] available in a form that would protect proprietary information as well as government information."

Proprietary information such as Lockheed Martin's F-35 fighter jet.

(Hat tip to Thomas Rid.)

 
 

 
 
Tuesday, February 10, 2015

 
The Ear of Sauron Posted by Sean @ 14:31 GMT

A recent story by The Daily Beast seems to have ignited a real firestorm over Samsung's "smart" television terms and conditions. Which is somewhat surprising to us as we read about it months ago via Mikko. But anyway, things that listen are topical.

So… do the words "always-listening voice search" sound good to you? Or do they give you the creeps?

Because that's the potential future of Google's Chrome browser:

Always-Listening Voice Search
Image: How-To Geek

The "always-listening" feature is currently available via: Google Voice Search Hotword (Beta)

And as always, the interesting details are in the fine print:

plus a few seconds before
Video: Talk to Google on Chrome

Interesting phrasing: plus a few seconds before.

That's the thing about voice "activated" devices. They're always listening. Always recording (to a buffer). The question is: how much gets uploaded to the voice recognition service?

Are you comfortable with a "few" seconds?

 
 

 
 
Monday, February 9, 2015

 
CTB-Locker Infections on the Rise Posted by Artturi @ 15:12 GMT

We have recently observed a significant increase in infections from a nasty strain of file-encrypting ransomware called CTB-Locker.

CTB-Locker infection statistics
Daily CTB-Locker infections in relation to the total number of such infections this year.

CTB-Locker is most commonly spread through email spam. These emails usually contain an attached .zip file that contains a second .zip file that finally contains an .scr executable file. This executable is a malicious downloader known as Dalexis. If the user executes the .scr file, the downloader will attempt to contact a predetermined list of compromised websites hosting encrypted copies of CTB-Locker. It will then proceed to download, decrypt and execute CTB-Locker. In other cases, the malicious attachment won't be a .zip file, but instead it'll be a .cab file. Again, the .cab file is actually Dalexis which will proceed to infect the victim's computer with CTB-Locker.

Example of spam used to spread CTB-Locker
An example of spam used to spread CTB-Locker.

Upon infection, CTB-Locker will encrypt the victim's files and append the original filenames with a randomly generated 7 character long extension. Additionally, it will proceed to write a copy of itself to the users local temporary files folder with a randomly generated name of 7 characters and the extension .exe. To ensure CTB-Locker is kept running, it will create a scheduled task with a randomly generated 7 character name. Lastly, CTB-Locker will present the victim with a ransom notice and countdown timer showing how long the victim has left to pay the ransom. CTB-Locker will also change the victim's desktop background picture to an image containing the same ransom payment instructions. Finally, a copy of the same instructions will also be stored to the victim's My Documents folder as both an image and a text file, with the names Decrypt All Files [random 7 characters].bmp and Decrypt All Files [random 7 characters].txt respectively. The ransom instructions will direct the victim to pay the ransom, in Bitcoins, to a specified Bitcoin address. In most cases, we have observed the ransom to be 3 BTC (about 650USD or 575EUR).

CTB-Locker ransom notice
The ransom notice displayed by CTB-Locker.

There is no known way to break the encryption used by CTB-Locker. Therefore the only way for a victim to get their files back is from back ups or by receiving the decryption key from the malware operators. However, you should never pay the ransom, as you'll only help finance the criminal activities of malware operators! There is also no guarantee paying the ransom will actually get you your files back. That's entirely up to the trustworthiness of the criminals.

To protect against threats such as CTB-Locker and other file-encrypting ransomware, you should ensure you are running an up-to-date antivirus solution. You should also take care to not open executable files received as email attachments. In addition to preventative actions, it might be a good idea to attempt to minimize the damage a ransomware infection can cause. Most importantly, you should take regular back ups of all your data. If you use network shares, you should additionally be aware that CTB-Locker will search all mounted drives for files to encrypt including network storage or other mapped shares. In such cases, we recommend you consider restricting write permissions to such shares and keeping them mounted only when strictly necessary.

We detect CTB-Locker variously as Trojan.CTBLocker.Gen.1 and Trojan.Downloader.CryptoLocker.F

We also detect the malicious attachments leading to CTB-Locker as Trojan-Downloader:W32/Dalexis.B

Sample hashes:

6eb03d6cb4f9a5aae49a9d85652a4daa4f984ba8 (Dalexis)
f1897120c2bbcd5135db0295249118aa5f5eb116 (Dalexis)
81f68349b12f22beb8d4cf50ea54d854eaa39c89 (CTB-Locker)

Files suggesting a CTB-Locker infection:

%TEMP%\[random 7 characters].exe
%USERPROFILE%\My Documents\Decrypt All Files [random 7 characters].bmp
%USERPROFILE%\My Documents\Decrypt All Files [random 7 characters].txt
Any files with an extension of 7 random characters

 
 

 
 
Monday, February 2, 2015

 
The Message: Consent Matters Posted by Sean @ 17:15 GMT

Go read this: Privacy is non-negotiable: We have the right to cover our arse — or expose it

A post by Laura — whom I'm very proud to have as a colleague.

 
 

 
 
Thursday, January 29, 2015

 
Apple iOS 8.1.3 Terms and Conditions Posted by Sean @ 13:18 GMT

This may already be old news since everybody always reads the terms and conditions of the software they install, but we sometimes don't — and we think this section of iOS 8.1.3's terms to be of interest.

Privacy:

iOS 8.1.3 Terms, Privacy

Location Services part we kind of assumed.

iOS 8.1.3 Terms, zip code and location

But automatically including your zip code? New to us. We didn't notice that bit earlier.

Anyway… now you know.

 
 

 
 
Tuesday, January 27, 2015

 
Low Hanging Fruit: Flash Player Posted by Sean @ 17:13 GMT

Flash Player version 16.0.0.296 is now available.

Flash Player Versions

In Windows, you can check what version you have installed via Flash's Control Panel applet.

Settings Manager, Flash Player 16.0.0.296

According to Adobe Security Bulletin APSA15-01, users who have enabled auto-update will have received the update starting on January 24th. Manual downloaders needed to wait a couple of days.

Adobe Bulletin CVE-2015-0311

We're not exactly sure why manual downloads were delayed, but whatever the reason, auto-updates are recommended.

And not only that, but more. At this point, we recommend enabling "click-to-play" options. Here's an example from Firefox with the "Ask to Activate" configured.

Firefox, Flash, Ask to Activate

Google Chrome also offers options in its "advanced" settings.

Why do we recommend click-to-play? Because Flash Player is currently the application most aggressively targeted by exploit kits.

Here are some stats from last week from which you can see that Angler, which was targeting a Flash Player 0-Day vulnerability, was leading the exploit kit market.

Finland:

Exploit Kits, January 2015 FI

Germany:

Exploit Kits, January 2015 DE

United Kingdom:

Exploit Kits, January 2015 UK

And Angler was number one in several other regions as well.

So, update your Flash Player, set it to auto-update, and configure click-to-play.

Updated to add on February 2nd:

There's another zero-day Flash Player vulnerability in-the-wild that's being actively exploited. Adobe has issued a security advisory and yet another update is in the works this week.

Meanwhile, seriously, consider click-to-play options! Here's how via How-To Geek. (A hat tip to @Bart for the link.)