Monday, July 27, 2009

Mobile malware: Blackberry

Also in July we have the UAE's mobile cellular provider Etisalat serving up hostile Blackberry updates to their subscribers that includes interception code. From Wired:

The update was billed as a “performance-enhancement patch” by the UAE-based phone and internet service provider Etisalat, which issued the patch to its 100,000 subscribers.

The patch only drew attention after numerous users complained that it drained their BlackBerry battery and slowed performance, according to local publication ITP.

Nigel Gourlay, a Qatar-based programmer who examined the patch, told ITP that the patch contained “phone-home” code that instructed the BlackBerries to contact a server to register. But once the patch was installed, thousands of devices tried to contact the server simultaneously, crashing it and causing their batteries to drain.

“When the BlackBerry cannot register itself, it tries again and this causes the battery drain,” he said, noting that the spyware wouldn’t have drawn any attention if the company had simply configured the registration server to handle the load.

The spying part of the patch is switched off by default on installation, but switching it on would be a simple matter of pushing out a command from the server to any device, causing the device to then send a copy of the user’s subsequent e-mail and text messages to the server.

The spyware appears to have been developed by a U.S. company, which markets electronic surveillance software.

Gourlay obtained source code for the patch after someone posted it on a BlackBerry forum. He said the code contained the name “SS8.com,” which belongs to a U.S. company that, according to its web site, provides surveillance solutions for “lawful interception” to ISPs, law enforcement and intelligence agencies around the world.

Chris Wysopal from Veracode has a short breakdown of the code on his site that's worth perusing. From his conclusion:

The most alarming part about this whole situation is that people only noticed the malware because it was draining their batteries. The server receiving the initial registration packets (i.e. "Here I am, software is installed!") got overloaded. Devices kept trying to connect every five seconds to empty the outbound message queue, thereby causing a battery drain. Some people were reporting on official BlackBerry forums that their batteries were being depleted from full charge in as little as half an hour.

The final thing to mention is that the spyware does appear to be installed in a non-running state by default, where it's not actually exfiltrating data once the initial registration packet has gone out. However, using the command and control mechanism we described earlier, the carrier can remotely start/stop the service at will on a per-device basis.

The best technical breakdown of the code that I've seen is from Zensay labs and available here. The author's blog (company?) is here and talks at length about the whole situation, possibly remedies, future work, etc.

More interesting from my perspective how little coverage this mass distribution of spyware seems to be getting and the obvious lessons for someone trying to deploy malicious code on this scale. Also of interest is the reasoning behind pushing the code to the client instead of using the network as most other providers are probably doing today. A few people pointed out that this was probably done to circumvent the strong encryption mechanisms that RIM has put in place, which implies that the UAE doesn't have the ability to succesfully crack or MITM (man-in-the-middle) their encrypted data at the network.

Clearly testing these applications before massive field deployments would seem to be a good idea. The application itself, while naive seems to be sufficient for what they wanted to accomplish. But by not properly factoring the network requirements or thinking about various modes of failure the entire thing blew up in their faces. Or not, given that nothing seems to be happening yet.

A much more successful approach to spying on citizens using the cellular network is detailed in the "Athen's Affair", the UAE/Etisalat spying community should have read that first. In the "Athens Affair" an unknown party surrepticiously monitored a number of key government personnel for a good length of time and the personnel behind it remain undetected, it was only stumbled upon by chance.

Client-side spyware is difficult to deploy/monitor on massive scales, and will increase in complexity as people screw up the deployment and allow them to be detected and raise concern for all other future software deployments. And users and defenders have an equal challenge of determining trust... if you can't trust the software from your provider, manufacturer, or government (just found out about this INSLAW thing, some interesting reading/viewing on that one), or open source software, who do you trust?

Mobile malware: Symbian

Interesting developments in the mobile community this month. First I wanted to highlight the Symbian-signed trojan and I'll discuss the interceptor software deployed on the Blackberry phones in the UAE in another post

Symbian:
To give you some background, I'll quote an excerpt from Dancho Danchev:
Earlier this month, a mobile malware known as Transmitter.C, Sexy View, Sexy Space or SYMBOS_YXES.B, slipped through Symbian’s mobile code signing procedure, allowing it to act as a legitimate application with access to device critical functions such as access to the mobile network, and numerous other functions of the handset.

Upon notification, the Symbian Foundation quickly revoked the certificate used by the bogus Chinese company XinZhongLi TianJin Co. Ltd, however, due to the fact the revocation check is turned off by default, the effect of the revocation remains questionable.

What happened was some malicious group slipped one past the automated Symbian mobile code signing process (Express Signature, which doesn't require human analysis), causing a piece of Malware to receive a Symbian-signed digital signature. This problem doesn't scale well, as they currently have over 2,000 applications receieving a signature each month and they are trying to drastically increase that number to compete with Apple's iPhone.

The problem points to the larger question of code validity, integrity and automated detection of malware in binaries. Even with extensive human analysis, an attacker can hide bad things in legitimate software, or fool/attack legitimate servers providing the code. In the cases we've seen this occuring it's often because the attacker makes a mistake or someone gets lucky and stumbles across it, not because the overall system is robust to attack.

There are numerous papers and projects out there trying to figure out how to automatically catch these types of attacks, (here, here, here, etc. but they are all bounded by the halting problem... it's not possible to build code that automatically determines what other code will do in all cases (as shown in Fred Cohen's 1984 thesis and follow on work by him and others. That said, it is certainly possible to catch lots of things most of the time... the question is how much and how often. DARPA has an interesting problem trying to automatically detect bad things in chips in the TRUST program. I haven't seen anyone try to figure out what the theoretical upper limit of these types of research efforts are, or frankly how to even quantify the problem sufficiently, that's where I'd be spending my energy if engaged in this area.

The other problem that the code signer community has to deal with is trust. Mikko Hyppönen from F-Secure says that "It shows the express signing process is not foolproof, but it's still much better than the apps not being signed at all." While that's probably a true statement, there is a big qualifier that goes with it... by digitally signing something and stating that it's valid/secure/trustworthy, you drastically change the equation on the part of the user when they install something. In today's Wild West model on the Internet most users know they cannot trust any application and they have to be cautious about the source, content, etc. When companies like Symbian are digitally signing applications as valid, when that trust is compromised you have to wonder if they are just doing it to ensure a monopoly/control over the platform and charge the application developers, or what liability they incur by inappropriately validating these third party applications?

Wednesday, July 8, 2009

Korean cyber-activities

Ahn Young-joon/Associated Press
Employees of the Korea Internet Security Center inside a monitoring room in Seoul on Wednesday.


Over the fourth of July weekend 14 government web sites in the United States including the The Treasury Department, Secret Service, Federal Trade Commission and Transportation Department Web and 11 in South Korea were attacked by an unattributed Distributed Denial of Service (DDOS) attack. The sites in South Korea included the Presidential Blue House, the Defense Ministry, the National Assembly, Shinhan Bank and other well known sites. According to an article by Robert McMillan,
"On Saturday and Sunday the attack was consuming 20 to 40 gigabytes of bandwidth per second, about 10 times the rate of a typical DDoS attack, one security expert said after being briefed by the US-CERT on Tuesday. "It's the biggest I've seen," said the expert, who asked not to be identified because he was not authorised to discuss the matter. By Tuesday it was averaging about 1.2 gibabytes per second, he said."
The New York Times (and others) quote a South Korean paper: "Although the National Intelligence Service did not identify whom they believed responsible, the South Korean news agency Yonhap reported that the spy agency had implicated North Korea or pro-North Korea groups.A spokesman at the intelligence agency said it could not confirm the Yonhap report, which said that the spy agency briefed lawmakers about their suspicions on Wednesday." Given the targets it seems like an intuitive conclusion, the question of course would be what actual technical intelligence / SIGINT says.

Some other interesting points on this attack is that most of the bots used were located in South Korea, with South Korean officials stating at least 12,000 were in S. Korea. Also of interest is the allegation by unnamed S. Korean intelligence officials that N. Korea routes its attacks through Chinese Internet connections. Again, would seem intuitive, where else are they going to go through?

All sorts of guesses an innuendo out there... some point out a single anti-capitalist controlling the bot-net might have launched the attacks, while the S. Korean National Intelligence service is quoted in the NYT article saying that "“This is not a simple attack by an individual hacker, but appears to be thoroughly planned and executed by a specific organization or on a state level".

What I found interesting in reading all the articles on this story was the lack of tie-in to prior stories on cyber activity on the Korean peninsula. Of particular interest to me were these two stories:

The first, from Kevin Coleman at DefenseTech, claims that "North Korea Poised for Cyber Salvo" He claims in his April 20th, 2009 story that
Most military strategist agree that cyber attacks are an excellent first strike weapon. In these specific circumstances, cyber attacks might be considered by Pyongyang as an appropriate and proportional response to the U.N. Security Council's condemnation and reinforcement of existing sanctions. High probability targets if DPRK launches cyber attacks include South Korea and the fifteen countries that make up the current U.N. Security Council that include -- permanent members-China, France, Russian Federation, the United Kingdom and the United States -- and ten non-permanent members Austria, Japan, Uganda, Burkina Faso, Libyan Arab Jamahiriya, Vietnam, Costa Rica, Mexico, Croatia and Turkey. This calls for increased vigilance by cyber security professionals guarding the critical infrastructure of those targets identified above.
He also posts some unsubstantiated but intriguing claims regarding the state of North Korean capabilities:
  • Unit: 121

  • Established: 1998

  • Force Size: 12,000 declining

  • Cyber Budget: $56+ million.

  • Goal: To increase their military standing by advancing their asymmetric and cyber warfare capabilities.

  • Experience: Hacked into South Korea and caused substantial damage; hacked into the U.S. Defense Department Systems.

  • Threat Rating: North Korea is ranked 8th on the cyber capabilities threat matrix developed in August 2007 and updated February 2009.

  • Cyber Intelligence/Espionage: Basic to moderately advanced weapons with significant ongoing development into cyber intelligence.

  • Offensive Cyber Weapons: North Korea now has the technical capability to construct and deploy an array of cyber weapons. They have moderately advanced distributed denial of service (DDoS) capabilities with moderate virus and malicious code capabilities. Hacking capabilities are moderate to strong with an experience rating of limited to moderate.

I'm guessing he nailed it on the head. There's some garbage in the talk back section of his article, but a posting this his speech for the hearing before the U.S.-CHINA economic and security review commission on "CHINA’S PROPAGANDA AND INFLUENCE OPERATIONS, ITS INTELLIGENCE ACTIVITIES THAT TARGET THE UNITED STATES, AND THE RESULTING IMPACTS ON U.S. NATIONAL SECURITY". I've included a link to the transcribed notes here. If you look into it he's a Senior Fellow at Technolytics, which focuses on policy type work in cyberspace. In his testimony he said he was formerly the Chief Strategist at Netscape, so he appears to be a technically sharp guy who can follow where Internet/technology trends are heading. It could always be a random group or individual but I believe his prediction appears to have been prescient.

The second series of articles of interest relate to articles describing North and South Korean plans for military operations in Cyberspace. While there is lots of data out there, some recent articles are interesting. First, an unnamed intelligence official quoted in South Korean Yonhap news service led to this May 5th AP story:

SEOUL, South Korea — North Korea runs a cyberwarfare unit that tries to hack into U.S. and South Korean military networks to gather confidential information and disrupt service, a news report said Tuesday.

The North's military has expanded the unit, staffing it with about 100 personnel, mostly graduates of a Pyongyang university that teaches computer skills, Yonhap news agency reported, citing an intelligence agency it didn't identify.South Korea's Defense Ministry said it is aware that Pyongyang has been training hackers in recent years but did not provide details and had no other comment.The National Intelligence Service — South Korea's main spy agency — said it could not immediately confirm the Yonhap report.

Not even two months later on June 26th news developments came out regarding a South Korean Cyber Command, analogous to recent developments in the US towards a comprehensive Cyber Command, created specifically in response to North Korean Cyber activities. The articles don't say much but mention the creation of the cyber command and some of their staffing plans.

While I'm on the topic of communist countries and military operations cyberspace, I stumbled across an article on "Peopledaily" saying that 94% of Chinese "Netizens" favor the creation of a Chinese Cyber Command. Pretty funny... do they not realize how active their government already is? Or maybe they are really saying they just want them to come out of the closet and be more transparent? Either way I found it amusing... (tongue-in-cheek:) hopefully those PRC leaders take this advice to heart and get moving on it!

Update:
The Washington Times reported that according to the mass circulation South Korean newspaper JoongAng Ilb:

The spy agency told lawmakers Friday that a research institute affiliated with the North's Ministry of People's Armed Forces received an order to "destroy the South Korean puppet communications networks in an instant," the mass-circulation JoongAng Ilbo newspaper reported.

The paper, citing unidentified members of parliament's intelligence committee, said the institute, known as Lab 110, specializes in hacking and spreading malicious programs. The Ministry of People's Armed Forces is the secretive nation's defense ministry.

The NIS - South Korea's main spy agency - said it couldn't confirm the report. Calls to several key intelligence committee members went unanswered Saturday. The agency, however, issued a statement late Saturday saying it has "various evidence" of North Korean involvement, though it has not reached a conclusion.


Also on July 10th 2009 the 20,000+ machines that were infected by a bot-net and used to launch the DOS attacks begin wiping themselves out:

The malicious code will attempt to locate files with any of more than 30 different extensions, such as .doc, .pdf, and .xls, copy the data to an encrypted file that's inaccessible to the user, and then overwrite the data in the original files. It targets files associated with office, business, and development applications.

The malicious code is also programmed to modify infected computers' Master Boot Records. The change renders computers inoperable following any attempt to reboot.

This will primarily affect machines in S. Korea, which represents the bulk of the bot-net.

And finally, S. Korea was warned in advance of the attacks but both countries (particularly S. Korea) were poorly prepared to deal with the DOS. Potential methods for dealing with the DOS include distributing their sites across multiple nodes, cutting off adversarial IPs/ranges quickly, and adding contingency bandwidth.

More updates:
According to police investigating: "The DDoS attackers hacked two Korean Web sites, based in Seoul and Busan, and switched the program update files of the sites with their malicious codes". Furthermore the zombie computers were primarily infected by those two hacked web servers, according to 21 of the 27 zombie machines that they sampled. The command and control servers were all based in other countries: London, Miami, and others. Still working to identify the sources...

Wednesday, July 1, 2009

China's Green Dam

China has mandated in early June of 2009 that all PC's sold in the PRC as of July 1st, 2009 must have their Censorware software, known as "Green Dam", installed before delivery to a customer. This software (shown below) is ostensibly to protect the innocent youth of China from pornography, violent video games, homosexual topics and drug information, but could easily be used to prevent access to foreign news sources or other "undesirable" web sites. It was also shown that it intercepted and blocked certain queries on the Falun Gong and other politically oriented topics.

Scott Wolchok, Randy Yao, and J. Alex Halderman from University of Michigan, published a brief paper describing remotely exploitable vulnerabilities in this mandatory software. Within a short period of time exploit code was on milw0rm and a module had been posted to Metasploit.

At this point China has pulled the mandatory requirement while they spend some time reconsidering their potential creation of a Billion node botnet. Adding an interesting twist to the story is the claim by Solid Oak Software that some of the code for Green Dam was ripped off their CYBERSitter product by "unknown sources"... although something tells me they were Chinese.

UPDATE:
August 14th:
After massive blowback, China has changed their mind on mandatory installation of Green Dam, according to several sources... and apparently, the rest of the universe was confused, it was never intended to be mandatory in the first place!

From the WSJ: "Mr. Li said Thursday the software was always intended to be optional and not a mandatory installation, adding that the regulations were unclear when first released by the Ministry of Industry and Information Technology in May.

The regulation "wasn't fully considered, and not expressed clearly, and gave everyone the impression that this is mandatory," he said... Mr. Li said Thursday the ministry's intention was always for the software to be installed on a voluntary basis by individuals or their parents. "The head of the family has the right to choose," he said, adding that China "fully respects everyone's freedom to choose."" Of course they do, who else would think otherwise?