Monthly Archives: September 2015

Shifu <3 Great Britain

I have noticed, for several days now, a shift in malware distribution in the UK.
Many infection paths that I follow are now dropping a banker that I have already seen many times, especially at the end of 2014 and mostly in Italy.

First time I encountered that threat: 2014-10-08

Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an IT focused infection path
At that time I learnt from Frank Ruiz (FoxIT) that he had spotted it one month earlier (2014-09-03 exactly). We were using a "non public" name to talk about it.

So, two days ago, in UK traffic:

2015-09-22 - An Angler EK dropping 0598ee3e06c681d7f9e05d83bb7ea422
via malvertising on GBR traffic
I saw that banking trojan again. (Note: when contacted, Frank Ruiz told me that this banker's activity never really stopped.) What was new to me is that it was installing Apache.

Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422

Apache Config

Data folder of the Apache installation

Customers of 4 financial institutions are targeted by the injects stored in the config.xml

The same day I saw it again, in another malvertising campaign (read: another actor bringing the traffic), and not dropped directly but as a 2nd stage in a Bedep thread which was not grabbing an adfraud module:

Angler EK pushing Bedep grabbing 791491ba9f0a7670659f45f1e5421c83

Seeing it again today in a malvertising campaign focused on the UK, I decided to write about it and contacted Brett Stone-Gross (Dell SecureWorks) to try and get the 'defense name' for this. He told me that what I was describing was probably Shifu... and quickly confirmed it by looking at the sample. (Edit, in reaction to Twitter: he also told me that Shifu is based on Shiz.)

So here we are: Shifu <3 GBR

Side note: here are some of the DGA domains in case the main domain stops working.

Files (password: malware)

Contains: 4 Fiddler captures, 1 pcap, 6 samples and 2 Apache config folders (with injects).

Thanks: Frank Ruiz (FoxIT) and Brett Stone-Gross (Dell SecureWorks) for their inputs/insight/awesomeness.

Read More:
Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-Force
Japanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfee

Post-publication reading:
3,000 High-Profile Japanese Sites Hit By Massive Malvertising Campaign - 2015-09-30 - Trend Micro

SWAMP, the Software Assurance Marketplace


I recently took a fresh look at the "SWAMP", the Software Assurance Marketplace. It is a great idea and a valuable resource. The short and incomplete story is that SWAMP is a suite of software analysis tools integrated into a centralized, cloud-based software testing environment, and it is available to software developers, software tool developers, and researchers for free.

From their website:

“Software is a crucial component of daily living, affecting worldwide economic structures and the services we depend on every day. With the increasing rate of security breaches, it is clear that conventional network security solutions are no longer able to defend our privacy, corporate data, and critical banking information. Today’s applications need to be built more securely at the code level, and that code needs to be tested regularly.

The SWAMP was developed to make it much easier to regularly test the security of these applications and to provide an online laboratory for software assessment tool inventors to build stronger tools. Testing is often complicated and challenging, because comprehensive testing requires the use of several disparate tools with no central means of managing the process. The SWAMP is a no-cost, high-performance, centralized cloud computing platform that includes an array of  open-source and commercial software security testing tools, as well as a comprehensive results viewer to simplify vulnerability remediation. A first in the industry, the SWAMP also offers a library of applications with known vulnerabilities, enabling tool developers to improve the effectiveness of their own static and dynamic testing tools. Created to advance the state of cybersecurity, protect critical infrastructures, and improve the resilience of open-source software, the SWAMP integrates security into the software development life cycle and keeps all user activities completely confidential.”

The current test environment is able to test software written in C/C++, Java (including Java on Android), Ruby and Python, with JavaScript and PHP in development. SWAMP will support eight languages by the end of the year. There are currently sixteen tools in the suite with more being added, and numerous commercial companies are participating, including Veracode, CodeDX, Goanna, GrammaTech, and Parasoft.

The Marketplace team includes some serious academic centers for technology: the Morgridge Institute and the Department of Computer Sciences at U of Wisconsin-Madison, the Pervasive Technology Institute at Indiana University, and the National Center for Supercomputing Applications (NCSA) at U of Illinois Urbana-Champaign. In my conversation with Bart Miller and Miron Livny of SWAMP it was clear that this project was built for practical use in the real world; it is not an academic exercise. This is immensely practical and useful stuff.

There are many more details on their background page, including some impressive tech specs (at least I consider 700 cores, 5 TB of RAM, and 104 TB of HDD impressive).

We are going to try to get folks from SWAMP on the Security Weekly Podcast to discuss the marketplace in depth.  Stay tuned for more on that.



Highlights from five years of StopBadware work

The Cambridge-based StopBadware team is signing off this week after more than five years of community building and collaboration with some of the best people in the security business. As we turn full operations over to Dr. Tyler Moore and his excellent team at the University of Tulsa, take a look at some of the highlights of our work these past five-plus years.


Untangling the Spider’s Web: Is Lisbeth Salander a real hacker now?

The release of The Girl in the Spider's Web marks a new era for the Millennium Series, which details the exploits of the badass hacker Lisbeth Salander.

Originated by the Swede Stieg Larsson, these novels have thrived in their ability to draw readers into a world where the injustices of the powerful are exposed and stifled thanks to the heroine's super hacking powers. There's no doubt this formula was successful, as more than 80 million copies of the original trilogy have been sold worldwide. But the vividness of the unconventional characters and the thrill of the drama were not matched by the authenticity of the author's depiction of the realities of cyber security.

Salander was often depicted pulling off plausible cyber attacks, but in completely implausible ways.

That was supposed to change for the latest episode. Author David Lagercrantz — the first author to take over the Millennium series since Larsson's 2005 death — decided to do something different: get the hacking right.

Lagercrantz consulted a computer security expert with experience compromising high-level systems. The goal was to present realistic hacks in a way average readers can understand intuitively. This challenge was heightened by making the United States' National Security Agency one of Salander's targets.

So can “The Girl” finally be called a real hacker?

Our Cyber Security Advisor Erka Koivunen dug into the novel to give us his read on the technical details and then allowed us to ask him a few questions about what made sense, what didn't, and what would have made this book a cyber classic.


Could Lisbeth's hack of "NSANet" actually happen?

Lisbeth is nuts enough to try to hack the NSA, and she takes huge risks of getting caught. She appears to be bright, skilled and focused enough to succeed. At least she got in and got material out. Did she go unnoticed? No!

She herself acknowledges that she is making OpSec mistakes — but still decides to plow ahead. The mistakes she makes are not necessarily enough to stop her in her tracks, but they definitely help trace the attacks to her physical location, and connect her online credentials with her real identity. She is reckless enough not to care, which I find human. Amateurish, but human.

The attack methods described in the book appear to follow the basic Kill Chain model of a targeted attack. She did her due diligence in the form of identifying weak points and possible attack vectors. She did enough fuzzing, testing and debugging to find a previously undetected vulnerability, i.e. a zero day. Good for her. Nothing really remarkable there, but it clearly shows some dedication and ability to focus on the objective. She weaponized her tools not only to succeed in getting in but also to evade some of the burglar alarms. Naturally, she could only guess what kind of detection systems the NSA would employ in their networks. But yes, this shows that she is methodical and experienced.


How about when she got into the network? Did she behave like a pro?

Lisbeth also experienced the same confusion that every attacker faces when they eventually get in and start charting the new territory inside the network. She was moving laterally and making an inventory of the material available to her. She also took a deliberate risk when she exfiltrated some of the material that she needed to get her hands on. The book never describes how she was able to identify the really interesting stuff out of the huge volumes of secrets the NSA possesses (there is a mention of keyword searches, however…) or how she was able to fly under the radar for so long (unless all the detection tools that the "NSANet" administrators claimed to have deployed were, in fact, disabled…).

I admit that, for the sake of narrative, it was probably not interesting to dive deep into the exact techniques. However, while the book makes a brave attempt to cater for us geeks in terms of dropping tool names and attack techniques and following a plausible attack chain, it sorely lacks credibility in the trickiest parts of the attacks: how to keep going and stay unnoticed in unfamiliar territory.

Showing true tradecraft in that field would have elevated the book into an epic must-read in the genre of hacker literature, alongside William Gibson's Neuromancer, This Machine Kills Secrets by Andy Greenberg, Mark Bowden's Worm, and Ghost Fleet by P.W. Singer and August Cole. The TV hit Mr. Robot also appears to have realism in terms of hacking. And everything that has come out of the NSA's ANT division catalogue is fascinating to read, even if it doesn't strictly fall under the category of literature. 🙂

Speaking of staying undetected…

For some reason Lisbeth decided — once inside the NSANet — to start showing off and playing games with the folks at the NSA. Interactively. She really *is* nuts. A real hacker would have scripted some kind of "gotcha" message once a way out had already been secured and traces of the visit had been carefully cleaned off the systems.


How about her attempts to cloak her activities?

The book details how Lisbeth has tried to hide the true attack origin by utilizing a foreign mobile phone data subscription. There is also a faint mention that she has taken other measures to ensure that her endpoints are not traced back to her identity or location.

However, she realizes that she has made an OpSec fail by staying at her own flat, served by a Telenor mobile base station. She also appears to treat her flat as a safe house, counting on the fact that no one knows she lives there. In real life, her address would have been a waving red flag not only to law enforcement officials and SIGINT organizations but also to the criminals seeking to find out where "Wasp" directs her operations.

There are also many references to encrypted communications tools for mobile phones. While these tools definitely provide communications secrecy, they also show up on a SIGINT radar like a sore thumb. This is reflected in the book — the hackers were closely monitoring Millennium and were reading its information systems like an open book. Until they started — on Lisbeth's orders — to retrofit more secure systems in place. For an eavesdropper, it was clear that something was up – even if they weren't able to read the contents. (Metadata is strong on this one!) It is the same story that old HUMINT officers tell from Cold War times: imminent military attacks were believed to be (and often were) preceded by staff staying up late (with the intelligence headquarters' office lights lit up) and ordering pizza from the nearby restaurants.


How about the novel’s depiction of data deletion?

The book suggests that Frans deleted his life's work by removing a single large file on his laptop. The laptop was then stolen by the gangsters, who were not able to recover the file. Yet they saw that the file was missing.

The book tells us the laptop contained the only copy of the secret. No backups? Anywhere?

Deleting secrets is difficult. There is a consensus that there is no sure way other than physically destroying all the devices that ever contained the material. And yet, Frans simply pressed delete. Maybe he was using a secure delete that would overwrite the stuff several times with random nonsense. Maybe. Everyone who has ever attempted that would know that it takes ages and requires preparations other than simply pressing delete.

Furthermore, the laptop was obviously connected to the Internet, as the AI grid was accessible over the net. It cannot have been an impossible task to obtain a copy of the secret prior to the killing. Given that Frans was one of the most sought-after persons in cyber security, his laptop would have been an easy target. The secret was sitting in the file system of the laptop instead of on a tamper-resistant detached storage unit.
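The point about "simply pressing delete" versus a multi-pass overwrite can be made concrete. The following is an added example (not code from the novel, the interview, or F-Secure) contrasting an ordinary unlink, which only drops the directory entry and leaves the file's blocks on disk until they are reused, with an in-place overwrite of every byte with random data, fsynced on each pass, before the unlink. The function names `plain_delete`, `secure_delete` and `demo` are my own; the demo writes a constructed file into a temporary directory so it runs offline.

```python
import os
import secrets
import tempfile


def plain_delete(path):
    """What 'pressing delete' does: remove the directory entry only.
    The data blocks stay on the device until something else overwrites them."""
    os.remove(path)


def secure_delete(path, passes=3, chunk=1 << 16, unlink=True):
    """Overwrite the file in place `passes` times with random bytes, forcing
    each pass to the device with fsync, then (optionally) unlink it.
    Returns the number of bytes scrubbed per pass.

    Caveats (the reason the interview says physical destruction is the only
    sure way): on SSDs with wear-levelling, on copy-on-write or journaling
    file systems, and wherever snapshots or backups exist, writing to the
    same file offset does not guarantee the OLD blocks are overwritten."""
    size = os.path.getsize(path)
    # buffering=0 so each write goes straight to the OS instead of a Python buffer
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # each pass must reach the device, not just the page cache
    if unlink:
        os.remove(path)
    return size


def demo():
    """Create a constructed 'only copy' file, scrub it, and report what happened.
    Returns (bytes_per_pass, content_changed, still_exists_after_scrub, exists_after_unlink)."""
    secret = b"world's only copy"  # constructed sample content
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "secret.bin")
    with open(path, "wb") as f:
        f.write(secret)

    # Scrub without unlinking so we can inspect what is left on the file system.
    scrubbed = secure_delete(path, passes=2, unlink=False)
    with open(path, "rb") as f:
        leftover = f.read()
    content_changed = leftover != secret and len(leftover) == len(secret)
    still_exists = os.path.exists(path)

    # Now remove the directory entry as well.
    plain_delete(path)
    exists_after_unlink = os.path.exists(path)
    os.rmdir(workdir)
    return scrubbed, content_changed, still_exists, exists_after_unlink


if __name__ == "__main__":
    print(demo())
```

Run it to see that after the overwrite passes the file still exists but no longer holds the original bytes, and only the final unlink makes it disappear. Timing the passes on a multi-gigabyte file shows why the interview calls this slow: every pass rewrites the whole file and waits for the device to acknowledge it.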


Are there any glaring examples of amateurish cyber skills?

What can I say about the gangsters? It looks like they were booting up the professor's stolen laptop and sifting through the file system. Hardly a professional way of conducting forensics when what you are looking for is the world's only instance of a super-secret file that you are in a hurry to salvage before the author of that file decides to destroy it.


How would you stop Lisbeth if you were the NSA or a similar organization?

In the case of Bradley Manning and SIPRNet, most of the security controls designed to either prevent or reveal attempts to search for, acquire and exfiltrate sensitive information were turned off. This in a global network storing material classified up to SECRET. In Edward Snowden's case there were supposed to be controls in place to limit the users' ability to elevate privilege and conduct any privileged operations once elevated. Except that, at least in the Hawaii facility, there weren't, which Snowden knew well as he was one of the privileged admins. This in a global system storing material up to (and beyond?) TOP SECRET!

So, if even the best, brightest and most well-resourced organizations that should know (and do know) better fail, is there a way to stop Lisbeth?

Probably not.

Our auditors tell us they have never failed to get through the security controls. They may face obstacles here and there, but there is always an unpatched system or poorly configured service that is exposed enough for the attacker to take advantage of for malicious purposes.

Whenever you design your defenses against a particular kind of attack scenario, the attacker will seek to find a way around it. You may be – as a defender – in a position to write the rulebook. Don't be surprised, however, to find that the attacker will cheat.

So, stopping, identifying and catching a lone renegade with an attitude should be doable, no matter how bright she is. She might get in, but you will find traces of what happened (or is about to happen) if you harden your network and care to look for signs of intrusions, or for anomalies, even when no warning sirens are blasting.

What then if the attacker throws whole teams of HUMINT and SIGINT specialists with a multi-year project plan, vast budgets and sci-fi tools at your business? What if they already have “owned” your cloud provider, your upstream ISP, your IT integrator and your business partners? And what if you have failed to set up or enforce even the basic security controls?

What’s left? Luck.

[Image by michael_hamburg69 | Flickr]