On December 29, 2013, Der Spiegel, a German weekly news magazine, published an article about an internal NSA catalogthat lists technology available to the NSA's Tailored Access Operations (TAO). Among that technology is "IRATEMONK".
"IRATEMONK provides software application persistence on desktop and laptop computers by implanting the hard drive firmware to gain execution through Master Boot Record (MBR) substitution."
"This is probably the most interesting of the BIOS-type implants."
"yet the cost of evading the 'boot from CD' detection is now you have guaranteed 'NSA WAS HERE' writ in big glowing letters if it ever IS detected."
Well, funny story — components related to IRATEMONK have now been detected — by the folks at Kaspersky Labs. Kaspersky's research paper refers to a threat actor called the "Equation group" whose country of origin is not named, but the group has exactly the capabilities detailed by the NSA's ANT catalog.
Stanford University's Alumni Association Magazine recently published a very interesting article on the early history, politics, and publication of academic (non-classified) encryption research. The article, Keeping Secrets, focuses on Martin Hellman, who is known for his work on public key cryptography.
Work that in retrospect, even Bobby Ray Inman (NSA Director, 1997-1981) thinks he should have been less concerned about.
"Rather than being careful to make sure they were[n't] going to damage [our collection capabilities]… I would have been interested in how quickly they were going to be able to make [cryptosystems] available in a form that would protect proprietary information as well as government information."
Proprietary information such as Lockheed Martin's F-35 fighter jet.
A recent story by The Daily Beast seems to have ignited a real firestorm over Samsung's "smart" television terms and conditions. Which is somewhat surprising to us as we read about it months ago via Mikko. But anyway, things that listen are topical.
So… do the words "always-listening voice search" sound good to you? Or do they give you the creeps?
Because that's the potential future of Google's Chrome browser:
We have recently observed a significant increase in infections from a nasty strain of file-encrypting ransomware called CTB-Locker.
Daily CTB-Locker infections in relation to the total number of such infections this year.
CTB-Locker is most commonly spread through email spam. These emails usually contain an attached .zip file that contains a second .zip file that finally contains an .scr executable file. This executable is a malicious downloader known as Dalexis. If the user executes the .scr file, the downloader will attempt to contact a predetermined list of compromised websites hosting encrypted copies of CTB-Locker. It will then proceed to download, decrypt and execute CTB-Locker. In other cases, the malicious attachment won't be a .zip file, but instead it'll be a .cab file. Again, the .cab file is actually Dalexis which will proceed to infect the victim's computer with CTB-Locker.
An example of spam used to spread CTB-Locker.
Upon infection, CTB-Locker will encrypt the victim's files and append the original filenames with a randomly generated 7 character long extension. Additionally, it will proceed to write a copy of itself to the users local temporary files folder with a randomly generated name of 7 characters and the extension .exe. To ensure CTB-Locker is kept running, it will create a scheduled task with a randomly generated 7 character name. Lastly, CTB-Locker will present the victim with a ransom notice and countdown timer showing how long the victim has left to pay the ransom. CTB-Locker will also change the victim's desktop background picture to an image containing the same ransom payment instructions. Finally, a copy of the same instructions will also be stored to the victim's My Documents folder as both an image and a text file, with the names Decrypt All Files [random 7 characters].bmp and Decrypt All Files [random 7 characters].txt respectively. The ransom instructions will direct the victim to pay the ransom, in Bitcoins, to a specified Bitcoin address. In most cases, we have observed the ransom to be 3 BTC (about 650USD or 575EUR).
The ransom notice displayed by CTB-Locker.
There is no known way to break the encryption used by CTB-Locker. Therefore the only way for a victim to get their files back is from back ups or by receiving the decryption key from the malware operators. However, you should never pay the ransom, as you'll only help finance the criminal activities of malware operators! There is also no guarantee paying the ransom will actually get you your files back. That's entirely up to the trustworthiness of the criminals.
To protect against threats such as CTB-Locker and other file-encrypting ransomware, you should ensure you are running an up-to-date antivirus solution. You should also take care to not open executable files received as email attachments. In addition to preventative actions, it might be a good idea to attempt to minimize the damage a ransomware infection can cause. Most importantly, you should take regular back ups of all your data. If you use network shares, you should additionally be aware that CTB-Locker will search all mounted drives for files to encrypt including network storage or other mapped shares. In such cases, we recommend you consider restricting write permissions to such shares and keeping them mounted only when strictly necessary.
We detect CTB-Locker variously as Trojan.CTBLocker.Gen.1 and Trojan.Downloader.CryptoLocker.F
We also detect the malicious attachments leading to CTB-Locker as Trojan-Downloader:W32/Dalexis.B
%TEMP%\[random 7 characters].exe %USERPROFILE%\My Documents\Decrypt All Files [random 7 characters].bmp %USERPROFILE%\My Documents\Decrypt All Files [random 7 characters].txt Any files with an extension of 7 random characters
This may already be old news since everybody always reads the terms and conditions of the software they install, but we sometimes don't — and we think this section of iOS 8.1.3's terms to be of interest.
Location Services part we kind of assumed.
But automatically including your zip code? New to us. We didn't notice that bit earlier.