U.S. firm helped the spyware industry build a potent digital weapon for sale overseas

http://www.washingtonpost.com/world/national-security/spyware-tools-allow-buyers-to-slip-malicious-code-into-youtube-videos-microsoft-pages/2014/08/15/31c5696c-249c-11e4-8593-da634b334390_story.html

 

CloudShield Technologies, a California defense contractor, dispatched a senior engineer to Munich in the early fall of 2009. His instructions were unusually opaque.

As he boarded the flight, the engineer told confidants later, he knew only that he should visit a German national who awaited him with an off-the-books assignment. There would be no written contract, and on no account was the engineer to send reports back to CloudShield headquarters.

His contact, Martin J. Muench, turned out to be a former developer of computer security tools who had long since turned to the darkest side of their profession. Gamma Group, the British conglomerate for which Muench was a managing director, built and sold systems to break into computers, seize control clandestinely, and then copy files, listen to Skype calls, record every keystroke and switch on Web cameras and microphones at will.

[Read: How to implant a Trojan Horse: a user manual]

According to accounts the engineer gave later and contemporary records obtained by The Washington Post, he soon fell into a shadowy world of lucrative spyware tools for sale to foreign security services, some of them with records of human rights abuse.

http://www.washingtonpost.com/world/national-security/spyware-tools-allow-buyers-to-slip-malicious-code-into-youtube-videos-microsoft-pages/2014/08/15/31c5696c-249c-11e4-8593-da634b334390_story.html

Over several months, the engineer adapted Gamma’s digital weapons to run on his company’s specialized, high-speed network hardware. Until then CloudShield had sold its CS-2000 device, a multipurpose network and content processing product, primarily to the Air Force and other Pentagon customers, who used it to manage and defend their networks, not to attack others.

CloudShield’s central role in Gamma’s controversial work — fraught with legal risk under U.S. export restrictions — was first uncovered by Morgan Marquis-Boire, author of a new report released Friday by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. He shared advance drafts with The Post, which conducted its own month-long investigation.

 

The prototype that CloudShield built was never brought to market, and the company parted ways with Gamma in 2010. But Marquis-Boire said CloudShield’s work helped pioneer a new generation of “network injection appliances” sold by Gamma and its Italian rival, Hacking Team. Those devices harness malicious software to specialized equipment attached directly to the central switching points of a foreign government’s national Internet grid.

The result: Merely by playing a YouTube video or visiting a Microsoft Live service page, for instance, an unknown number of computers around the world have been implanted with Trojan horses by government security services that siphon their communications and files. Google, which owns YouTube, and Microsoft are racing to close the vulnerability.

Citizen Lab’s report, based on leaked technical documents, is the first to document that commercial spyware companies are making active use of this technology. Network injection allows products built by Gamma and Hacking Team to insert themselves into an Internet data flow and change it undetectably in transit.

The report calls that “hacking on easy mode,” in which “compromising a target becomes as simple as waiting for the user to view unencrypted content on the Internet.”

Attacks of that kind were the stuff of hacker imaginings until this year, when news accounts based on documents provided by former National Security Agency contractor Edward Snowden described a somewhat similar NSA program code-named QUANTUMINSERT.

 

“It has been generally assumed that the best funded spy agency in the world would possess advanced capability,” the Citizen Lab report says. “What is perhaps more surprising is that this capability is being developed by Western vendors for sale on the commercial market.”

Hacking Team and the company that now owns CloudShield denied any wrongdoing. Messages left with Gamma went unreturned.

The “custom payload” that Hacking Team uses to compromise YouTube injects malicious code into the video stream when a visitor clicks the play button. The user sees the “cute animal videos” he expects, according to Citizen Lab, but the malicious code exploits a flaw in Adobe’s Flash video player to take control of the computer.

Another attack, custom-built for use on Microsoft pages, uses Oracle’s Java technology, another common browser component, to insert a back door into a victim’s computer.

Security and privacy advocates have identified those vulnerabilities before, but the two companies regarded them as hypothetical. In response to a bug report in September 2012, which warned of a potential YouTube attack, Google’s security team responded that the use of unencrypted links to send video “is expected behavior.” Google closed the discussion with the tag “WontFix.”

‘Against our will’

After Marquis-Boire disclosed to them confidentially last month that their services are under active attack, Google and Microsoft began racing to close security holes in networks used by hundreds of millions of users.

“I want to be sure there’s no technical means for people to take a user’s data against our will,” Eric Grosse, Google’s vice president for security engineering, said in an interview. “If they want to do that, they need to use legal means and we pursue that.”

Google and Microsoft executives said they are accelerating previous plans to encrypt their links to users across a wider range of their services. Encryption scrambles e-mail, stored files, video and other content as it travels from their servers to a user’s computer or mobile device. That step, as far as security engineers know, effectively prevents most attacks in current use.

Since learning of Marquis-Boire’s findings in mid-July, Google has encrypted a majority of YouTube video links, and Microsoft has changed default settings to prevent unencrypted log-ins on most live.com services.

“There’s a lot of products to update so we’re not at 100 percent yet but we’re actively engaged with all the teams,” Grosse said, acknowledging that Google Maps, Google Earth and other services still connect to users in ways that can easily be intercepted.

Grosse said comprehensive use of encryption should now be regarded as a basic responsibility of Internet services to their users.

“We’re probably already [encrypted] to a sufficiently high level that I would guess our adversaries are already having to scramble and shift to some other widely-used service that has not gone to SSL,” he said, referring to a form of encryption called the secure socket layer, which is indicated by a padlock icon on some browsers.

Matt Thomlinson, Microsoft’s vice president of security, said in a statement that his company “would have significant concerns if the allegations of an exploit being deployed are true.”

“We have been rolling out advanced security across our web properties to continue to help protect our customers,” he added.

In computer circles, any unencrypted data is known as “cleartext.” Marquis-Boire, expanding on a theme that other security researchers have emphasized since disclosures of National Security Agency programs began 14 months ago, said “the big take-away is that cleartext is just dead.”

“Unencrypted traffic is untrustworthy,” he said. “I would describe this as a sad reality of today’s Internet. The techno-Utopian, libertarian ideology of the ’90s didn’t foresee that the Internet would be as militarized as it is now. People with authority and power have decided to reserve the right to ‘own’ Internet users at the core. So in order to be safe you need to walk around everywhere wrapped in encryption.”

‘Lawful intercept’

The computer exploitation industry markets itself to foreign government customers in muscular terms. One Gamma brochure made public by WikiLeaks described its malware injection system, called FinFly ISP, as a “strategic, countrywide” solution with nearly unlimited “scalability,” or capacity for expansion. Hacking Team, similarly, says it provides “effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.”

In rare comments to the general public, the companies use the term “lawful intercept” to describe their products and say they do not sell to customers on U.S., European or U.N. black lists.

“Our software is designed to be used and is used to target specific subjects of investigation,” said Eric Rabe, a U.S.-based spokesman for Hacking Team, in an extended e-mail interview. “It is not designed or used to collect data from a general population of a city or nation.”

He declined to discuss details of the Citizen Lab report, which is based in part on internal company documents leaked to Marquis-Boire, but he appeared to acknowledge indirectly that the material was authentic.

“We believe the ongoing Citizen Lab efforts to disclose proprietary Hacking Team information is misguided, because, if successful for Citizen Lab, it not only harms our business but also gives the advantage to criminals and terrorists,” he said.

CloudShield’s founder, Peder Jungck, who oversaw the company’s relationship with Gamma before departing for a job with the British defense giant BAE Systems, did not respond to requests for comment.

Confidants of the CloudShield engineer, who has since left the company after becoming disillusioned with its surveillance work, identified him as Eddy Deegan, a British citizen. Deegan’s LinkedIn profile says he worked for the company as a professional services engineer during the period in question. Reached by telephone in France, Deegan declined to confirm or deny the identity of his external customer in late 2009.

“Nothing came of the work I was involved in at the time,” he said. “I asked, and was assured that nothing illegal was undertaken. I have no further comment.”

U.S. export restrictions, enforced by the Commerce Department, require a license for any foreign sale of technology described in the relevant statute as “primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications.”

Jennifer Gephart, the media relations director for Leidos, which now owns CloudShield, declined to say whether the company had applied for an export license for the Gamma project. The transactions in question took place “prior to our company’s acquisition of CloudShield,” she said, but “to our knowledge” they were “handled in accordance with applicable regulations.”

Gephart confined her statement to the sale of CloudShield’s CS-2000 hardware. When asked about the company’s development of custom software to turn the device into a spyware delivery system, she declined to respond.

Robert Clifton Burns, who specializes in export controls at the law firm Bryan Cave, said that “surreptitious listening devices are covered and the software for that is also covered on the Commerce Control List.”

The regulations are complex and inconsistent, he said, and an authoritative legal judgment would require more facts. CloudShield might argue, he said, that malware injection is not “primarily useful” for surreptitious eavesdropping because it can also be used to track a target’s location, take photographs or steal electronic files. Although more intrusive, those attacks were not covered under the rules that applied in 2009.

The Gamma Group lists no e-mail address or telephone number on its Web site. No one responded to a lengthy note left on the company’s “Contact” page.

Muench, who has left his old job for a new position in France, read a LinkedIn message requesting an interview. He did not respond. In the past he has dismissed human rights concerns as unproven and defended Gamma’s products as vital for saving innocent lives. “The most frequent fields of use are against pedophiles, terrorists, organized crime, kidnapping and human trafficking,” he told the New York Times two years ago.

Security researchers have documented clandestine sales of Gamma and Hacking Team products to “some of the world’s most notorious abusers of human rights,” said Ron Deibert, the director of Citizen Lab, a list that includes Turkmenistan, Egypt, Bahrain and Ethiopia.

At CloudShield, executives knew the identity of at least one prospective customer for the system Deegan built. A former manager told The Post, with support from records obtained elsewhere, that CloudShield sent Deegan to Oman to plan a deployment for one of the country’s internal security services. The sale did not go through.

In its annual assessment of human rights that year, the State Department reported that Oman “monitored private communications” without legal process in order to “suppress criticism of government figures and politically objectionable views.”

‘A push market’

CloudShield did not see itself as a cloak-and-dagger company. It made its name for high-end hardware that could peer deeply into Internet traffic and pull out and analyze “packets” of data as they flew by.

The flagship product five years ago, the CS-2000, could not only look inside the data flow, but select parts of it to copy or reroute. That made it a good tool for filtering out unwanted data or blocking certain forms of cyberattack.

But hardware that could block data selectively could also rewrite innocent traffic to include malicious code. That meant the CloudShield product could be used for attack as well as defense, a former executive said.

CloudShield began pitching its product for offensive use, focusing on U.S. customers because of export controls.

“The basic motivations are pretty straightforward,” said one former senior manager there. “It was a push market. We were trying to sell boxes. It was a very conscious effort to target lawful intercept as a space where you could legitimately apply these kinds of technologies.”

Two former employees said that Muench, the Gamma executive, traveled to Sunnyvale, Calif., in 2009 in hopes of striking a business relationship. Jungck, CloudShield’s founder and chief technology officer, said he could not export that kind of technology and sent Muench home.

But the leadership team reconsidered, and hit upon a plan. They believed that Deegan could do the work for Gamma without triggering U.S. export controls as long as CloudShield’s U.S. operations had nothing to do with it.

“I think we all had qualms in the beginning,” said one former executive who took part in the deliberations. “I think we rationalized a way in which we felt comfortable with it. Part of that rationalization was to keep it outside the U.S., limit it to that environment where that project was.”

What first appeared as an absorbing technical challenge for Deegan began to take a darker cast. His prototype system could inject any of “254 trojans,” or all of them, into a targeted computer. If it failed once, it would keep trying, up to 65,000 times.

He was proud of his technical accomplishments, he told confidants, but was no longer sure he had done the right thing. After meeting prospective customers in Oman, his qualms grew worse.

In the end, the Oman deal fell through, and other efforts, with other partners failed, too. CloudShield and Gamma parted ways, and Gamma found another hardware supplier. Deegan’s prototype, according to Marquis-Boire and a CloudShield insider, may have sped development of the flagship surveillance product that Gamma brought to market the following year.

Julie Tate contributed to this report.

 

 

Security firm shows Xiaomi smartphones secretly stealing your data

Dari: http://www.hardwarezone.com.sg/tech-news-security-firm-shows-xiaomi-smartphones-secretly-stealing-your-data-updated

Nampaknya telepon Xiaomi mengirimkan data dari telepon langsung ke pusatnya Xiaomi.

Menurut dokumen ‘Privacy Policy’ Xiaomi di https://i.mi.com/privacy_en.htm , nampaknya memang ada data-data tertentu yang dikirim dari smartphone tersebut ke Xiaomi.

====

Security firm shows Xiaomi smartphones secretly stealing your data (Updated)

Update 2: Hugo Barra has now confirmed with us that the OTA update that will make MIUI’s Cloud Messaging service opt-in will be available for all Xiaomi phones.

Update: Hugo Barra has now addressed F-Secure’s findings, stating that the data being uploaded is part of MIUI’s Cloud Messaging service. An update rolling out today will now make MIUI opt-in, and will no longer automatically activate for new users:

These concerns refer to the MIUI Cloud Messaging service described above. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change.

After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.

Following allegations that Xiaomi phones may be silently uploading user details to a remote server, Finnish security firm F-Secure set out to investigate.

The firm has now published a blog detailing how a brand new Xiaomi RedMi 1S smartphone silently uploaded a users’ phone number, the network being used, the phone’s IMEI number, as well as the phone’s entire list of contacts to a Xiaomi server.

The security company said that it took a brand new smartphone from the box with no prior set-up or cloud connect allowed. It then followed the following steps:

  1. Inserted SIM card
  2. Connected to WiFi
  3. Allowed the GPS location service
  4. Added a new contact into the phonebook
  5. Send and received an SMS and MMS message
  6. Made and received a phone call

F-Secure said, “We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server.”

Xiaomi data
Xiaomi data

The company then repeated the above steps but this time connecting to the Mi Cloud service. This time around the IMSI details (used to identify the user of a cellular network) were sent to api.account.xiaomi.com, as well as the IMEI and phone number.

This evidence seems contrary to Xiaomi Vice President Hugo Barra’s claims when he addressed Xiaomi security concerns in a Google+ post last week, stating “Xiaomi is serious about user privacy and takes all possible steps to ensure our Internet services adhere to our privacy policy. We do not upload any personal information and data without the permission of users.”

Source: F-Secure

 

How to bypass Zeus trojan self protection mechanism

http://int0xcc.svbtle.com/how-to-bypass-zeus-trojans-self-protection-mechanism

Hacking spammer’s for Dummies

or

How to bypass Zeus Trojan’s self protection mechanism

 

Spammers are good when it comes to intimidating users to open the attachment . One of the recent pathetic and cruel one was

Hi

A Person from your office was found dead outside . Please open the picture to see if you know him .

Regards

Attachment is basically a Zip file consisting of an exe file named “image.scr” with a nice mspaint icon .

Quickly opening up in IDA will give us a hint that it is basically a VBpacker. VBPackers usually create a hallow suspended process , overwrite the memory and resume within .

h.jpg

After successfully unpacking and fixing the dump we get the following output

h.jpg

OEP the unpacked binary is enough to tell us that it is a Zeus Banking Trojan . Well this one is a different version of Zeus with self-protection which means unpacked ones wont run . This is usually done to “force” the bot masters to buy a Cryptor service .

If you double click the binary it will not run , It will simply exit. Now lets see where things are going wrong and how to bypass the protection

For that purpose we will generate an API call Graph made by the unpacked binary to see the exit point of program .

h.jpg

h.jpg

So from this we got an idea that it is reading file buffer and performing some operations on it and now lets see what operation it is performing on it .

Now if we dig deeper we find out the file buffer is read and the some cryptography operations are performed .

h.jpg

And if go inside CheckSelfProtection() function we will observe that this function will RC4 the whole binary buffer with a static encryption key and will search for placeholder “DAVE”

In my case the RC4 Key was

h.jpg

Packer integrity

h.jpg

We can copy that 0x200 byte data from the packer into the overlay of our unpacked file.

And if found it goes further on verifying the integrity of that data structure and decodes another payload using a 4 byte XOR key taken from that structure.

The Total size of the data Structure is 0x200 bytes and on the basis size, Installer and injector are decrypted . Let now understand the structure of that 0x200 Data Structure.

During installation phase iSizeOfPacket bytes are copied from the data chunk into heap . And then later on used to decode installer subroutine using XOR cipher .

h.jpg

structZeus_packer_overlay{
    DWORD  SIGNATURE;SetBackColor( cRed );
    DWORD Crc32HASH;SetBackColor( cBlue );
    WORD iSizeOfPacket;unsignedintSizeOfDecodedData;unsignedintUnknown1;SetBackColor( cRed );unsignedintXorKey;}Zeus_Packer_OverLay;

Before decoding the installer routine CRC32 hash is checked and SizeOfDecodedData data is copied to heap location in this function.

h.jpg

The installer and injector is differentiated by iSizeOfPacket field, if the size is 0x0c then it is still in installation phase if it is 0x1e6 then it has been replaced by installation routine with a new packer data structure .

The installation subroutine is then decoded using Xorkey with a data buffer of size SizeOfDecodedData using this simple XOR function.

h.jpg

During the installation phase the Packer data structure is rewritten and encrypted using RC4 resulting in data of length 0x1e6 which mainly consists of installation data like

1 : Registry Keys
2 : Random Numbers Generated for Seeding .
3 : Local Path Name
4 : Computer Name and Version

h.jpg

Replacing this Packer Overlay data with the old one will let you skip the installation phase and binary wont be relaunched again using CreateProcessA in %appdata%. Yet we will have to patch a jump after it Compares its path in the overlay data with the current path.

h.jpg

Owning a Zeus C2C panel / Spammer

There exists a publicly known RCE vulnerability in some versions of Zeus ( as well as Zeus lite, KINS,ICE-IX) As described in detail here (http://xs-sniper.com/blog/2010/09/27/turning-the-tables/) . Our good friend Xylitol has already provided a ready to use tool to exploit such vulnerability : http://cybercrime-tracker.net/tools.php

All we need for that is C2C we address and RC4 communication key . Both of them you can get from Base Config Decoding Subroutine which is again based on simple XOR cipher

h.jpg

After getting C2C and RC4 key . It can be submitted here to get a shell on that C2C web panel .

h.jpg

Once you get the shell you can then edit the cp.php ( login file for Zeus panel ) and boost up your Metasploit exploit after the bot master has logged in .

h.jpg

And if you know how to proceed further and you can get a meterpreter shell on the spammers machine . webcam_snap is one beautiful Meterpreter script command which I personally like ( http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics#webcam_snap)

It takes a webcam capture from the victims computer and saves it in the target machine.

And if you enter that , you might get back something like this in your computer 🙂 h.jpg

h.jpg