Tag Archives: Malware

Android adware can install itself even when users explicitly reject it

image

A while back, Ars reported on newly discovered Android adware that is virtually impossible to uninstall. Now, researchers have uncovered malicious apps that can get installed even when a user has expressly tapped a button rejecting the app.

The hijacking happens after a user has installed a trojanized app that masquerades as an official app available in Google Play and then is made available in third-party markets. During the installation, apps from an adware family known as Shedun try to trick people into granting the app control over the Android Accessibility Service, which is designed to provide vision-impaired users alternative ways to interact with their mobile devices. Ironically enough, Shedun apps try to gain such control by displaying dialogs such as this one, which promises to help weed out intrusive advertisements.

From that point on, the app has the ability to display popup ads that install highly intrusive adware. Even in cases where a user rejects the invitation to install the adware or takes no action at all, the Shedun-spawned app uses its control over the accessibility service to install the adware anyway.

“Shedun does not exploit a vulnerability in the service,” researchers from mobile security provider Lookout wrote in a blog post published Thursday morning. “Instead it takes advantage of the service’s legitimate features. By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user.”

For a video demonstration and the original story follow this link to Ars Technica.

As previously reported, Shedun is one of several families of adware that can’t easily be uninstalled. That’s because the apps root the device and then embed themselves into the system partition to ensure they persist even after factory reset. Lookout refers to them as “trojanized adware” because the end goal of this malware is to install secondary applications and serve aggressive advertising.

The ability to use social engineering to hijack the Android Accessibility Service is yet another sign of the creativity and ingenuity put into this new breed of apps. As always, readers are reminded to carefully weigh the risks and benefits of using third-party app markets. They should also remain highly suspicious of any app that asks for control of the Android Accessibility Service.

Chinese Marketing Firm Spreads Adware to Promote Its App Portfolio

image

A Chinese company that markets itself as a mobile app promoter has been cheating its clients by deploying adware to install their apps on unsuspecting victims.

The company, named NGE Mobi/Xinyinhe, activating in China and Singapore, has been using popular apps, repackaged with the malicious adware code, which it distributes through unofficial Android app stores.

When users install these apps on their smartphones, the adware comes to life, collects information about the device, sends it to a C&C server, and then waits for new commands.

The adware can gain root access and boot persistence

When the server answers, the app moves to install a root backdoor and a series of system daemons that allow it to survive system reboots.

Here is where the fun begins, because once the adware is firmly implanted on the victim’s phone, it starts serving apps and ads, all from NGE Mobi/Xinyinhe’s portfolio.

As FireEye found out in their research, most of the times pornographic apps and ad interstitials are displayed on the user’s home screen, all harmless but very annoying.

Currently, the adware has been found on Android versions ranging from 2.3.4 to 5.1.1. with the most infected users in countries like Russia, China, Brazil, Argentina, Egypt, Spain, France, Germany, Sweden, Norway, Saudi Arabia, Indonesia, India, the UK, and the US.

The NGE adware campaign was first observed in August and has grown at a constant pace ever since.

image

The adware can be hijacked to deliver more dangerous malware

What’s even worse, as FireEye researchers point out, is that the adware’s creators were extremely careless when they put together the malicious code.

Because the C&C server communications are carried out via blind HTTP channels, a second attacker could easily intercept these transmissions.

Since the adware gains root privileges and boot persistence over all infected devices, another attacker could use this to serve much more dangerous apps compared to silly adult apps and ads.

The first example that comes to mind is when the second attacker adds infected phones to a botnet and uses them to carry out DDOS attacks. Worse scenarios are when attackers decide to go snooping through your private pictures or install ransomware on your phone.

For more information and more photos follow this link to Softpedia

New Android Malware Sprouting Like Weeds

image

Information stored on an Android smartphone or tablet is vulnerable to almost 4,900 new malware files each day, according to a report G Data SecurityLabs released Wednesday.

Cybercriminals’ interest in the Android operating system has grown, the firm’s Q1 2015 Mobile Malware Report revealed.

“The report suggests that Android devices are becoming a bigger target for the bad guys and more profitable than in previous years,” said Andy Hayter, security evangelist for G Data.

The number of new malware samples in the first quarter increased 6.4 percent (440,267) from the fourth quarter of last year (413,871). The number of malware strains rose by 21 percent compared with the first quarter of 2014 (316,153).

More than 2 million new Android malware strains are likely to surface this year, G Data security predicted.

Just the Start

The 2 million figure is very realistic, due to the increasing use of Android devices for banking and shopping online, G Data suggested.

“The report shows that the OS has a bigger market share than the others, and thus is more interesting to security researchers and malware authors alike. Also, a lot of vendors offer Android devices varying in quality standards, but that is not a problem of the OS itself, but rather of the vendor in question,” Hayter told LinuxInsider.

Google introduced premium SMS Checks last year. After that, the malware models started to spread out, he noted.

“Before that time there were a few very active malware families, such as SMS FakeInstaller,” Hayter said. “Since then there are lots of small families.”

Financially Motivated

At least 41 percent of consumers in Europe and 50 percent in the U.S. use a smartphone or tablet for their banking transactions. Plus, 78 percent of Internet users make purchases online.

The new malware files have a financial foundation, according to the G Data report. At least half of all Android malware now in circulation includes banking Trojans, SMS Trojans and similar malware components.

The actual percentage of malware-infected Android apps easily could be higher, the researchers warned. They only studied malware with a direct financial purpose — many other types of cases might exist.

For example, a malware program might install apps or steal credit card data as an additional process after a payment is made. Because that type of malware would not seem to be financially motivated, it would not have been included in the report’s statistics.

Thin Dividing Line

Free Android apps offer particularly attractive attack vectors to cybercriminals. Many apps, especially free apps, rely on advertising to fund their development.

Bad apps can hide themselves in the background or conceal functions from users. Bad apps also can send legitimate apps’ data to additional advertising networks.

Apps that do such things — like programs running on PC OSes — are called “Potentially Unwanted Programs,” or PUPs. The report categorizes such apps as adware, noting that they often hide in manipulated or fake apps that are installed from sources other than the Google Play Store.

Malware Magnet

Android is a derivative of Linux, an operating system generally considered less likely to be targeted by viruses and malware. However, Android is less rigorous and less secure than other mobile platforms, said Rob Enderle, principal analyst at the Enderle Group.

“There is much more sideloading, which means there is a far easier path to getting viruses on Android devices than any other mobile platform,” he told LinuxInsider.

Google historically has been less focused on security and customer satisfaction than firms that are more closely tied to user revenue, Enderle said. Another reason for Android’s vulnerability is that mobile platforms generally don’t run security software.

Historically, they have been somewhat protected because of their tight ties to curated stores, “but now that smartphones have PC-like performance, they are becoming a magnet for malware,” noted Enderle.

“Google’s lack of focus on this problem, reminiscent of Microsoft’s similar mistake in the late 1990s — which resulted in their having to rethink their OS and create Windows XP — has created a massive exposure for Android users,” he said.

To read more follow this link to Linux Insider.

New malware used to attack energy companies

malware
The Trojan program is used for reconnaissance and distribution of additional malware, researchers from Symantec say

 

A new malware program is being used to do reconnaissance for targeted attacks against companies in the energy sector.

The program, dubbed Trojan.Laziok by researchers from antivirus vendor Symantec, was used in spear-phishing attacks earlier this year against companies from the petroleum, gas and helium industries.

The attacks targeted companies from many countries in the Middle East, but also from the U.S., India, the U.K., and others, according to malware researchers from Symantec.

The Trojan is spread via emails with malicious documents that exploit a Microsoft Office vulnerability for which a patch has existed since April 2012.

“If the user opens the email attachment, which is typically an Excel file, then the exploit code is executed,” the Symantec researchers said Monday in a blog post. “If the exploit succeeds, it drops Trojan.Laziok, kicking off the infection process.”

Trojan.Laziok is mainly used to determine if a compromised system is worth further attention from the attackers. It collects information like the computer’s name, RAM size, hard disk size, GPU and CPU type, as well as a list of installed software, including running antivirus programs.

The information is sent back to the attackers, who then decide if they want to deploy additional malware that can provide them with remote access to the infected system. For this second stage of attack they use customized versions of Backdoor.Cyberat and Trojan.Zbot, two well known malware threats.

“The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market,” the Symantec researchers said. “However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind.”

For more information and the original story follow this link to Computerworld

Worst WordPress hole for five years affects 86% of sites

image

An estimated 86 per cent of WordPress websites harbour a dangerous cross-site scripting (XSS) hole in the popular comment system plugin, in what researcher Jouko Pynnonen calls the most serious flaw in five years. The bug could provide a pathway for attacking visitors’ machines.

The WP-Statistics plugin lets attackers inject JavaScript into comments, which can then infect reader computers or those of administrators.

The flaw has existed for about four years, affecting versions between 3.0 to 3.9.2 – but not version 4.0, which handles regular expressions differently.

Version 4.0.1 patched a separate and also critical set of XSS flaws discovered by the internal security team, along with a cross-site request forgery hole.

Klikki Oy security bod Jouko Pynnonen revealed the earlier flaw last week in technical advisory.

“An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication,” Pynnonen said.

He continued:

Program code injected in comments would be inadvertently executed in the blog administrator’s web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administrator account.

Such operations include creating a new administrator account (with a known password), changing the current administrator password, and in the most serious case, executing attacker-supplied PHP code on the server. This grants the attacker operating system level access on the server hosting WordPress.

In light of the server-side impact the unauthenticated default exploit is “probably the most serious WordPress core vulnerability that has been reported since 2009”, according to Pynnonen.

He developed a proof-of-concept exploit that mopped up evidence of injected scripts before quietly using the plugin editor to write attacker-supplied PHP code on the server, changing the user’s password and creating an administrator account.

Attackers could then write more PHP code to the server through the editor. This code was instantly executed using an AJAX request to gain operating system-level access.

Other plugins that allow unprivileged users to enter HTML text could offer more attack vectors, Pynnonen said.

He has created a work-around plugin for administrators who are unable to upgrade their WordPress servers.

A third set of recently patched XSS in WP-Statistics has been discovered by Sucuri researcher Marc-Alexandre Montpas. The stored and reflected XSS in versions 8.3 and below of the WordPress plug-in also turned attackers into admins, permitting black hats to inject search engine optimisation (SEO) content into unrelated blog posts.

“… the problem is very simple,” Montpas wrote in a Nov 20 blog post. “The plugin fails to properly sanitise some of the data it gathers for statistical purposes, which are controlled by the website’s visitors.”

“If an attacker decided to put malicious Javascript code in the affected parameter, it would be saved in the database and printed as-is in the administrative panel, forcing the victim’s browser to perform background tasks on its behalf.”

To finish the article and for more information follow the source link below! 

Source: The Register

Sophisticated malware has been spying on computers since 2008 (updated)

image

Highly sophisticated malware isn’t limited to relatively high-profile sabotage code like Stuxnet — sometimes, it’s designed to fly well under the radar. Symantec has discovered Regin, a very complex trojan that has been spying on everyone from governments to individuals since at least 2008. The malware is highly modular, letting its users customize their attacks depending on whether they need to remote control a system, get screenshots or watch network traffic. More importantly, it’s uncannily good at covering its tracks. Regin is encrypted in multiple stages, making it hard to know what’s happening unless you capture every stage; it even has tools to fight forensics, and it can use alternative encryption in a pinch. Researchers at Symantec suspect that the trojan is a government-created surveillance tool, since it likely took “months, if not years” to create.

If it is meant for spying, though, it’s not clear just who wrote the malware or why. Unlike Dragonfly and other instances of professionally-made malware, Regin’s origin hasn’t been narrowed down to a particular country or region. About half of the infections have taken place in Russia and Saudi Arabia, but you can also find victims across India, Iran and multiple European nations. Also, it’s definitely not limited to telecoms or other high-value targets — 48 percent of known victims are people and small businesses. While Regin could easily be part of an online espionage campaign, it’s hard to rule anything out at this point.

Update: Kaspersky Labs did some extra sleuthing and found that Regin can attack cellular’ networks GSM base stations, mapping their infrastructure. Also, sources tell The Intercept that Belgian carrier Belgacom found the trojan on its internal networks. That’s potentially worrisome — while there’s no hard evidence of a connection so far, it suggests that Britain’s GCHQ may have used Regin to infiltrate Belgacom and spy on its users.

For more information and the original story follow the source link below.

Source: Engadget

For a year, gang operating rogue Tor node infected Windows executables

image
A flowchart of the infection process used by a malicious Tor exit node.

Attacks tied to gang that previously infected governments with highly advanced malware.

Three weeks ago, a security researcher uncovered a Tor exit node that added malware to uncompressed Windows executables passing through it. Officials with the privacy service promptly shut down the Russia-based node, but according to new research, the group behind the node had likely been infecting files for more than a year by that time, causing careless users to install a backdoor that gave attackers full control of their systems.

What’s more, according to a blog post published Friday by researchers from antivirus provider F-Secure, the rogue exit node was tied to the “MiniDuke” gang, which previously infected government agencies and organizations in 23 countries with highly advanced malware that uses low-level code to stay hidden. MiniDuke was intriguing because it bore the hallmark of viruses first encountered in the mid-1990s, when shadowy groups such as 29A engineered innovative pieces of malware for fun and then documented them in an E-zine of the same name. Written in assembly language, most MiniDuke files were tiny. Their use of multiple levels of encryption and clever coding tricks made the malware hard to detect and difficult to reverse engineer. The code also contained references to Dante Alighieri’s Divine Comedy and alluded to 666, the “mark of the beast” discussed in the biblical Book of Revelation.

“OnionDuke,” as the malware spread through the latest attacks is known, is a completely different malware family, but some of the command and control (C&C) channels it uses to funnel commands and stolen data to and from infected machines were registered by the same persona that obtained MiniDuke C&Cs. The main component of the malware monitored several attacker-operated servers to await instructions to install other pieces of malware. Other components siphoned login credentials and system information from infected machines.

Besides spreading through the Tor node, the malware also spread through other, undetermined channels. The F-Secure post stated:

During our research, we have also uncovered strong evidence suggesting that OnionDuke has been used in targeted attacks against European government agencies, although we have so far been unable to identify the infection vector(s). Interestingly, this would suggest two very different targeting strategies. On one hand is the “shooting a fly with a cannon” mass-infection strategy through modified binaries and, on the other, the more surgical targeting traditionally associated with APT [advanced persistent threat] operations.

The malicious Tor node infected uncompressed executable files passing through unencrypted traffic. It worked by inserting the original executable into a “wrapper” that added a second executable. Tor users downloading executables from an HTTPS-protected server or using a virtual private network were immune to the tampering; those who were careful to install only apps that were digitally signed by the developer would likely also be safe, although that assurance is by no means guaranteed. It’s not uncommon for attackers to compromise legitimate signing keys and use them to sign malicious packages.

Tor officials have long counseled people to employ a VPN use encryption when using the privacy service, and OnionDuke provides a strong cautionary tale when users fail to heed that advice.

This post was updated to remove incorrect statements concerning the use of virtual private networks.

For the complete story follow the source link below.

Source: Ars Technica

Android SMS worm Selfmite returns, more aggressive than ever

image

A new version of an Android worm called Selfmite has the potential to ramp up huge SMS charges for victims in its attempt to spread to as many devices as possible.

The first version of Selfmite was discovered in June, but its distribution was quickly disrupted by security researchers. The worm—a rare type of malware in the Android ecosystem—spread by sending text messages with links to a malicious APK (Android Package) to the first 20 entries in the address book of every victim.

The new version, found recently and dubbed Selfmite.b, has a similar, but much more aggressive spreading system, according to researchers from security firm AdaptiveMobile. It sends text messages with rogue links to all contacts in a victim’s address book, and does this in a loop.

“According to our data, Selfmite.b is responsible for sending over 150k messages during the past 10 days from a bit more than 100 infected devices,” Denis Maslennikov, a security analyst at AdaptiveMobile said in a blog post Wednesday. “To put this into perspective that is over a hundred times more traffic generated by Selfmite.b compared to Selfmite.a.”

At an average of 1,500 text messages sent per infected device, Selfmite.b can be very costly for users whose mobile plans don’t include unlimited SMS messages. Some mobile carriers might detect the abuse and block it, but this might leave the victim unable to send legitimate text messages.

Unlike Selfmite.a, which was found mainly on devices in North America, Selfmite.b has hit victims throughout at least 16 different countries: Canada, China, Costa Rica, Ghana, India, Iraq, Jamaica, Mexico, Morocco, Puerto Rico, Russia, Sudan, Syria, USA, Venezuela and Vietnam.

The first version of the worm used goo.gl shortened URLs in spam messages that pointed to an APK installer for the malware. Those URLs were hardcoded in the app’s code, so once they were disabled by Google, the operator of the goo.gl URL shortening service, Selfmite.a’s distribution stopped.

The worm’s authors took a different approach with the new version. They still use shortened URLs in text messages—this time generated with Go Daddy’s x.co service—but the URLs are specified in a configuration file that the worm downloads periodically from a third-party server.

“We notified Go Daddy about the malicious x.co URLs and at the moment both shortened URLs have been deactivated,” Maslennikov said. “But the fact that the author(s) of the worm can change it remotely using a configuration file makes it harder to stop the whole infection process.”

The goal of Selfmite is to generate money for its creators through pay-per-install schemes by promoting various apps and services. The old version distributed Mobogenie, a legitimate application that allows users to synchronize their Android devices with their PCs and to download Android apps from an alternative app store.

Selfmite.b creates two icons on the device’s home screen, one to Mobogenie and one to an app called Mobo Market. However, they act as Web links and clicking on them can lead to different apps and online offers depending on the victim’s IP (Internet Protocol) address location.

Fortunately, the worm’s distribution system does not use exploits and relies only on social engineering—users would have to click on the spammed links and then manually install the downloaded APK in order for their devices to be infected. Furthermore, their devices would need to be configured to allow the installation of apps from unknown sources—anything other than Google Play—which is not the default setting in Android. This further limits the attack’s success rate.

Source: Network World

Shellshock makes Heartbleed look insignificant

image

Somehow there always seems to be another Internet security disaster around the corner. A few months ago everyone was in a panic about Heartbleed.

Now the bug, Shellshock (officially CVE-2014-6271), a far more serious vulnerability, is running uncontrolled over the Internet. It’s never a good time to panic, but if you’re discouraged I don’t blame you; I know I am.

In retrospect, the grave concern over Heartbleed seems misplaced. As information disclosure bugs go it was a really bad one, but it was only an information disclosure bug and a difficult one to exploit. The sky’s the limit on attacks with Shellshock and it’s so easy to exploit that it’s already being widely-exploited according to research firm Fireeye, which says they have already observed several forms of attack:

• Malware droppers
• Reverse shells and backdoors
• Data exfiltration
• DDoS

Of course it’s not just Fireeye; everyone is reporting widespread sightings of exploits. See Kaspersky, Trend Micro, HP Security Research and many others.

Speaking of HP, their TippingPoint unit states that their network IPS has been updated to recognize known attacks using Shellshock. A vigorously updated IPS, deployed not just at the perimeter but also at critical points within the network, may be the only effective systemic protection you have against Shellshock for now. HP is not the only IPS around of course. And remember that an IPS is more of a protection against known exploits than against the vulnerability generally.

This particular bug has been in the Bash shell for over two decades. The implications of this are really bad. First, it means that an extremely important and popular program either went unscrutinized or poorly-scrutinized. Surely there are many other such problems out there. Don’t be surprised if several of them have been used carefully and surreptitiously for targeted attacks for years. In fact, don’t be surprised if Shellshock has been used in the past.

All sorts of horrible scenarios are possible with Shellshock. It’s not just limited to web server attacks. Fireeye shows how different Internet services, even DHCP and SSH, can be exploited to perform the attack, as long as Bash is the shell, and it usually is. They demonstrate automated click fraud, stealing the host password file, several DDOS attacks using the server and several ways to establish a shell on the server without any malware running on it.

For more information and the original article follow the source link below. 

Source: ZD Net

Visit the Wrong Website, and the FBI Could End Up in Your Computer

image

Security experts call it a “drive-by download”: a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It’s one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hackers’ clutches within minutes.

Now the technique is being adopted by a different kind of a hacker—the kind with a badge. For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.

The approach has borne fruit—over a dozen alleged users of Tor-based child porn sites are now headed for trial as a result. But it’s also engendering controversy, with charges that the Justice Department has glossed over the bulk-hacking technique when describing it to judges, while concealing its use from defendants. Critics also worry about mission creep, the weakening of a technology relied on by human rights workers and activists, and the potential for innocent parties to wind up infected with government malware because they visited the wrong website. “This is such a big leap, there should have been congressional hearings about this,” says ACLU technologist Chris Soghoian, an expert on law enforcement’s use of hacking tools. “If Congress decides this is a technique that’s perfectly appropriate, maybe that’s OK. But let’s have an informed debate about it.”

The FBI’s use of malware is not new. The bureau calls the method an NIT, for “network investigative technique,” and the FBI has been using it since at least 2002 in cases ranging from computer hacking to bomb threats, child porn to extortion. Depending on the deployment, an NIT can be a bulky full-featured backdoor program that gives the government access to your files, location, web history and webcam for a month at a time, or a slim, fleeting wisp of code that sends the FBI your computer’s name and address, and then evaporates.

What’s changed is the way the FBI uses its malware capability, deploying it as a driftnet instead of a fishing line. And the shift is a direct response to Tor, the powerful anonymity system endorsed by Edward Snowden and the State Department alike.

Tor is free, open-source software that lets you surf the web anonymously. It achieves that by accepting connections from the public Internet—the “clearnet”—encrypting the traffic and bouncing it through a winding series of computers before dumping it back on the web through any of over 1,100 “exit nodes.”

The system also supports so-called hidden services—special websites, with addresses ending in .onion, whose physical locations are theoretically untraceable. Reachable only over the Tor network, hidden services are used by organizations that want to evade surveillance or protect users’ privacy to an extraordinary degree. Some users of such service have legitimate and even noble purposes—including human rights groups and journalists. But hidden services are also a mainstay of the nefarious activities carried out on the so-called Dark Net: the home of drug markets, child porn, murder for hire, and a site that does nothing but stream pirated My Little Pony episodes.

Law enforcement and intelligence agencies have a love-hate relationship with Tor. They use it themselves, but when their targets hide behind the system, it poses a serious obstacle. Last month, Russia’s government offered a $111,000 bounty for a method to crack Tor.

The FBI debuted its own solution in 2012, in an investigation dubbed “Operation Torpedo,” whose contours are only now becoming visible through court filings.

Operation Torpedo began with an investigation in the Netherlands in August 2011. Agents at the National High Tech Crime Unit of the Netherlands’ national police force had decided to crack down on online child porn, according to an FBI affidavit. To that end, they wrote a web crawler that scoured the Dark Net, collecting all the Tor onion addresses it could find.

The NHTCU agents systematically visited each of the sites and made a list of those dedicated to child pornography. Then, armed with a search warrant from the Court of Rotterdam, the agents set out to determine where the sites were located.

That, in theory, is a daunting task—Tor hidden services mask their locations behind layers of routing. But when the agents got to a site called “Pedoboard,” they discovered that the owner had foolishly left the administrative account open with no password. They logged in and began poking around, eventually finding the server’s real Internet IP address in Bellevue, Nebraska.

They provided the information to the FBI, who traced the IP address to 31-year-old Aaron McGrath. It turned out McGrath was hosting not one, but two child porn sites at the server farm where he worked, and a third one at home.

Instead of going for the easy bust, the FBI spent a solid year surveilling McGrath, while working with Justice Department lawyers on the legal framework for what would become Operation Torpedo. Finally, on November 2012, the feds swooped in on McGrath, seized his servers and spirited them away to an FBI office in Omaha.

A federal magistrate signed three separate search warrants: one for each of the three hidden services. The warrants authorized the FBI to modify the code on the servers to deliver the NIT to any computers that accessed the sites. The judge also allowed the FBI to delay notification to the targets for 30 days.

image

This NIT was purpose-built to identify the computer, and do nothing else—it didn’t collect keystrokes or siphon files off to the bureau. And it evidently did its job well. In a two-week period, the FBI collected IP addresses, hardware MAC addresses (a unique hardware identifier for the computer’s network or Wi-Fi card) and Windows hostnames on at least 25 visitors to the sites. Subpoenas to ISPs produced home addresses and subscriber names, and in April 2013, five months after the NIT deployment, the bureau staged coordinated raids around the country.

Today, with 14 of the suspects headed toward trial in Omaha, the FBI is being forced to defend its use of the drive-by download for the first time. Defense attorneys have urged the Nebraska court to throw out the spyware evidence, on the grounds that the bureau concealed its use of the NIT beyond the 30-day blackout period allowed in the search warrant. Some defendants didn’t learn about the hack until a year after the fact. “Normally someone who is subject to a search warrant is told virtually immediately,” says defense lawyer Joseph Gross Jr. “What I think you have here is an egregious violation of the Fourth Amendment.”

But last week U.S. Magistrate Judge Thomas Thalken rejected the defense motion, and any implication that the government acted in bad faith. “The affidavits and warrants were not prepared by some rogue federal agent,” Thalken wrote, “but with the assistance of legal counsel at various levels of the Department of Justice.” The matter will next be considered by U.S. District Judge Joseph Bataillon for a final ruling.

The ACLU’s Soghoian says a child porn sting is probably the best possible use of the FBI’s drive-by download capability. “It’s tough to imagine a legitimate excuse to visit one of those forums: the mere act of looking at child pornography is a crime,” he notes. His primary worry is that Operation Torpedo is the first step to the FBI using the tactic much more broadly, skipping any public debate over the possible unintended consequences. “You could easily imagine them using this same technology on everyone who visits a jihadi forum, for example,” he says. “And there are lots of legitimate reasons for someone to visit a jihadi forum: research, journalism, lawyers defending a case. ACLU attorneys read Inspire Magazine, not because we are particularly interested in the material, but we need to cite stuff in briefs.”

Soghoian is also concerned that the judges who considered NIT applications don’t fully understand that they’re being asked to permit the use of hacking software that takes advantage of software vulnerabilities to breach a machine’s defenses. The Operation Torpedo search warrant application, for example, never uses the words “hack,” “malware,” or “exploit.” Instead, the NIT comes across as something you’d be happy to spend 99 cents for in the App Store. “Under the NIT authorized by this warrant, the website would augment [its] content with some additional computer instructions,” the warrant reads.

From the perspective of experts in computer security and privacy, the NIT is malware, pure and simple. That was demonstrated last August, when, perhaps buoyed by the success of Operation Torpedo, the FBI launched a second deployment of the NIT targeting more Tor hidden services.

This one—still unacknowledged by the bureau—traveled across the servers of Freedom Hosting, an anonymous provider of turnkey Tor hidden service sites that, by some estimates, powered half of the Dark Net.

image

This attack had its roots in the July 2013 arrest of Freedom Hosting’s alleged operator, one Eric Eoin Marques, in Ireland. Marques faces U.S. charges of facilitating child porn—Freedom Hosting long had a reputation for tolerating child pornography.

Working with French authorities, the FBI got control of Marques’ servers at a hosting company in France, according to testimony in Marques’ case. Then the bureau appears to have relocated them—or cloned them—in Maryland, where the Marques investigation was centered.

On August 1, 2013, some savvy Tor users began noticing that the Freedom Hosting sites were serving a hidden “iframe”—a kind of website within a website. The iframe contained Javascript code that used a Firefox vulnerability to execute instructions on the victim’s computer. The code specifically targeted the version of Firefox used in the Tor Browser Bundle—the easiest way to use Tor.

This was the first Tor browser exploit found in the wild, and it was an alarming development to the Tor community. When security researchers analyzed the code, they found a tiny Windows program hidden in a variable named “Magneto.” The code gathered the target’s MAC address and the Windows hostname, and then sent it to a server in Virginia in a way that exposed the user’s real IP address. In short, the program nullified the anonymity that the Tor browser was designed to enable.

As they dug further, researchers discovered that the security hole the program exploited was already a known vulnerability called CVE-2013-1690—one that had theoretically been patched in Firefox and Tor updates about a month earlier. But there was a problem: Because the Tor browser bundle has no auto-update mechanism, only users who had manually installed the patched version were safe from the attack. “It was really impressive how quickly they took this vulnerability in Firefox and extrapolated it to the Tor browser and planted it on a hidden service,” says Andrew Lewman, executive director of the nonprofit Tor Project, which maintains the code.

The Freedom Hosting drive-by has had a lasting impact on the Tor Project, which is now working to engineer a safe, private way for Tor users to automatically install the latest security patches as soon as they’re available—a move that would make life more difficult for anyone working to subvert the anonymity system, with or without a court order.

Unlike with Operation Torpedo, the details of the Freedom Hosting drive-by operation remain a mystery a year later, and the FBI has repeatedly declined to comment on the attack, including when contacted by WIRED for this story. Only one arrest can be clearly tied to the incident—that of a Vermont man named Grant Klein who, according to court records, was raided in November based on an NIT on a child porn site that was installed on July 31, 2013. Klein pleaded guilty to a single count of possession of child pornography in May and is set for sentencing this October.

But according to reports at the time, the malware was seen, not just on criminal sites, but on legitimate hidden services that happened to be hosted by Freedom Hosting, including the privacy protecting webmail service Tormail. If true, the FBI’s drive-by strategy is already gathering data on innocent victims.

Despite the unanswered questions, it’s clear that the Justice Department wants to scale up its use of the drive-by download. It’s now asking the Judicial Conference of the United States to tweak the rules governing when and how federal judges issue search warrants. The revision would explicitly allow for warrants to “use remote access to search electronic storage media and to seize or copy electronically stored information” regardless of jurisdiction.

The revision, a conference committee concluded last May (.pdf), is the only way to confront the use of anonymization software like Tor, “because the target of the search has deliberately disguised the location of the media or information to be searched.”

Such dragnet searching needs more scrutiny, Soghoian says. “What needs to happen is a public debate about the use of this technology, and the use of these techniques,” he says. “And whether the criminal statutes that the government relies on even permit this kind of searching. It’s one thing to say we’re going to search a particular computer. It’s another thing to say we’re going to search every computer that visits this website, without knowing how many there are going to be, without knowing what city, state or countries they’re coming from.”

“Unfortunately,” he says, “we’ve tiptoed into this area, because the government never gave notice that they were going to start using this technique.”

For more information follow the source link below.

Source: Wired