NEWS FROM THE LAB - February 2015


Tuesday, February 17, 2015

The Equation Group Equals NSA / IRATEMONK Posted by Sean @ 13:20 GMT

On December 29, 2013, Der Spiegel, a German weekly news magazine, published an article about an internal NSA catalog that lists technology available to the NSA's Tailored Access Operations (TAO). Among that technology is "IRATEMONK".

"IRATEMONK provides software application persistence on desktop and laptop computers by implanting the hard drive firmware to gain execution through Master Boot Record (MBR) substitution."

Source: Wikimedia

"This technique supports systems without RAID hardware that boot from a variety of Western Digital, Seagate, Maxtor, and Samsung hard drives."

On January 31, 2014, Bruce Schneier deemed IRATEMONK his "NSA Exploit of the Day", which prompted this from Nicholas Weaver.


"This is probably the most interesting of the BIOS-type implants."

"yet the cost of evading the 'boot from CD' detection is now you have guaranteed 'NSA WAS HERE' writ in big glowing letters if it ever IS detected."

Well, funny story — components related to IRATEMONK have now been detected — by the folks at Kaspersky Labs. Kaspersky's research paper refers to a threat actor called the "Equation group" whose country of origin is not named, but the group has exactly the capabilities detailed by the NSA's ANT catalog.

Ars Technica has an excellent summary here: How "omnipotent" hackers tied to NSA hid for 14 years—and were found at last.


Wednesday, February 11, 2015

An Early History of the Crypto Wars Posted by Sean @ 14:17 GMT

Stanford University's Alumni Association Magazine recently published a very interesting article on the early history, politics, and publication of academic (non-classified) encryption research. The article, Keeping Secrets, focuses on Martin Hellman, who is known for his work on public key cryptography.

Work that, in retrospect, even Bobby Ray Inman (NSA Director, 1977-1981) thinks he should have been less concerned about.


"Rather than being careful to make sure they were[n't] going to damage [our collection capabilities]… I would have been interested in how quickly they were going to be able to make [cryptosystems] available in a form that would protect proprietary information as well as government information."

Proprietary information such as Lockheed Martin's F-35 fighter jet.

(Hat tip to Thomas Rid.)


Tuesday, February 10, 2015

The Ear of Sauron Posted by Sean @ 14:31 GMT

A recent story by The Daily Beast seems to have ignited a real firestorm over Samsung's "smart" television terms and conditions. Which is somewhat surprising to us as we read about it months ago via Mikko. But anyway, things that listen are topical.

So… do the words "always-listening voice search" sound good to you? Or do they give you the creeps?

Because that's the potential future of Google's Chrome browser:

[Image: Always-Listening Voice Search (source: How-To Geek)]

The "always-listening" feature is currently available via: Google Voice Search Hotword (Beta)

And as always, the interesting details are in the fine print:

[Video still, "plus a few seconds before" (source: Talk to Google on Chrome)]

Interesting phrasing: plus a few seconds before.

That's the thing about voice "activated" devices. They're always listening. Always recording (to a buffer). The question is: how much gets uploaded to the voice recognition service?

Are you comfortable with a "few" seconds?


Monday, February 9, 2015

CTB-Locker Infections on the Rise Posted by Artturi @ 15:12 GMT

We have recently observed a significant increase in infections from a nasty strain of file-encrypting ransomware called CTB-Locker.

[Image: CTB-Locker infection statistics. Daily CTB-Locker infections in relation to the total number of such infections this year.]

CTB-Locker is most commonly spread through email spam. These emails usually contain an attached .zip file that contains a second .zip file that finally contains an .scr executable file. This executable is a malicious downloader known as Dalexis. If the user executes the .scr file, the downloader will attempt to contact a predetermined list of compromised websites hosting encrypted copies of CTB-Locker. It will then proceed to download, decrypt and execute CTB-Locker. In other cases, the malicious attachment won't be a .zip file, but instead it'll be a .cab file. Again, the .cab file is actually Dalexis which will proceed to infect the victim's computer with CTB-Locker.

[Image: An example of spam used to spread CTB-Locker.]

Upon infection, CTB-Locker will encrypt the victim's files and append a randomly generated 7-character extension to the original filenames. Additionally, it will write a copy of itself to the user's local temporary files folder with a randomly generated 7-character name and the extension .exe. To ensure CTB-Locker is kept running, it will create a scheduled task with a randomly generated 7-character name. Lastly, CTB-Locker will present the victim with a ransom notice and a countdown timer showing how long the victim has left to pay the ransom. CTB-Locker will also change the victim's desktop background picture to an image containing the same ransom payment instructions. Finally, a copy of the same instructions will also be stored in the victim's My Documents folder as both an image and a text file, with the names Decrypt All Files [random 7 characters].bmp and Decrypt All Files [random 7 characters].txt respectively. The ransom instructions will direct the victim to pay the ransom, in Bitcoins, to a specified Bitcoin address. In most cases, we have observed the ransom to be 3 BTC (about 650 USD or 575 EUR).

[Image: The ransom notice displayed by CTB-Locker.]

There is no known way to break the encryption used by CTB-Locker. Therefore, the only way for a victim to get their files back is from backups or by receiving the decryption key from the malware operators. However, you should never pay the ransom, as you'll only help finance the criminal activities of malware operators! There is also no guarantee that paying the ransom will actually get you your files back. That's entirely up to the trustworthiness of the criminals.

To protect against threats such as CTB-Locker and other file-encrypting ransomware, you should ensure you are running an up-to-date antivirus solution. You should also take care not to open executable files received as email attachments. In addition to preventative actions, it is a good idea to minimize the damage a ransomware infection can cause. Most importantly, you should take regular backups of all your data. If you use network shares, you should additionally be aware that CTB-Locker will search all mounted drives for files to encrypt, including network storage or other mapped shares. In such cases, we recommend you consider restricting write permissions to such shares and keeping them mounted only when strictly necessary.

We detect CTB-Locker variously as Trojan.CTBLocker.Gen.1 and Trojan.Downloader.CryptoLocker.F.

We also detect the malicious attachments leading to CTB-Locker as Trojan-Downloader:W32/Dalexis.B.

Sample hashes:

6eb03d6cb4f9a5aae49a9d85652a4daa4f984ba8 (Dalexis)
f1897120c2bbcd5135db0295249118aa5f5eb116 (Dalexis)
81f68349b12f22beb8d4cf50ea54d854eaa39c89 (CTB-Locker)

Files suggesting a CTB-Locker infection:

%TEMP%\[random 7 characters].exe
%USERPROFILE%\My Documents\Decrypt All Files [random 7 characters].bmp
%USERPROFILE%\My Documents\Decrypt All Files [random 7 characters].txt
Any files with an extension of 7 random characters
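The file indicators above can be turned into a simple triage scan. The script below is an added example, not F-Secure's code or a detection from the product; it assumes the "random 7 characters" are ASCII letters and digits, takes the resolved %TEMP% and My Documents folders as parameters, and treats many files sharing one 7-character extension (rather than a single odd file) as the strong signal, since one infection uses one extension.

```python
import os
import re
from collections import Counter
from pathlib import PureWindowsPath

# Indicators from the post. The post only says "random 7 characters";
# restricting them to ASCII letters and digits is an assumption.
RANDOM7 = "[A-Za-z0-9]{7}"
TEMP_EXE_RE = re.compile(rf"^{RANDOM7}\.exe$", re.IGNORECASE)
NOTE_RE = re.compile(rf"^Decrypt All Files {RANDOM7}\.(?:bmp|txt)$", re.IGNORECASE)
RANDOM_EXT_RE = re.compile(rf"^\.{RANDOM7}$")
# Legitimate 7-letter extensions that would otherwise look random (assumption; extend as needed).
BENIGN_7CHAR_EXTS = {".torrent"}


def classify(path, temp_dir, docs_dir):
    """Return the indicator a single path matches, or None.
    temp_dir / docs_dir are the resolved %TEMP% and My Documents folders,
    passed in so the logic can be checked offline on constructed paths."""
    p = PureWindowsPath(path)
    if p.parent == PureWindowsPath(temp_dir) and TEMP_EXE_RE.match(p.name):
        return "dropper_copy_in_temp"
    if p.parent == PureWindowsPath(docs_dir) and NOTE_RE.match(p.name):
        return "ransom_note"
    if RANDOM_EXT_RE.match(p.suffix) and p.suffix.lower() not in BENIGN_7CHAR_EXTS:
        return "random_7char_extension"
    return None


def scan(paths, temp_dir, docs_dir, min_encrypted=5):
    """Summarise indicators over an iterable of file paths. A single file with a
    7-character extension is weak evidence, so extensions are counted and only
    reported once at least min_encrypted files share the same one."""
    hits = {"dropper_copy_in_temp": [], "ransom_note": []}
    ext_counts = Counter()
    for path in paths:
        label = classify(path, temp_dir, docs_dir)
        if label == "random_7char_extension":
            ext_counts[PureWindowsPath(path).suffix] += 1
        elif label:
            hits[label].append(str(path))
    hits["encrypted_extensions"] = {e: n for e, n in ext_counts.items() if n >= min_encrypted}
    return hits


def walk_files(root):
    """Yield every file path under root (for a live scan on a Windows host)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)


if __name__ == "__main__":
    profile = os.environ.get("USERPROFILE", ".")
    print(scan(walk_files(profile), os.environ.get("TEMP", ""),
               os.path.join(profile, "My Documents")))
```

A hit on the %TEMP% copy or the ransom note should also prompt a look at the Scheduled Tasks list for a 7-character task name, which the post lists as the persistence mechanism.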


Monday, February 2, 2015

The Message: Consent Matters Posted by Sean @ 17:15 GMT

Go read this: Privacy is non-negotiable: We have the right to cover our arse — or expose it

A post by Laura — whom I'm very proud to have as a colleague.