Trojans for the Bundestag – German PD acquired Finfisher

In December of last year, the German public prosecutors’ office declared that there was no legal basis for the use of the so-called “Bundestrojaner” spyware, which had been used to spy on German citizens. On top of being used illegally, it was also found to be of very poor quality by extensive research performed by the Chaos Computer Club. In a surprising turn of events, a German political platform has now uncovered secret documents belonging to the Ministry of Finance, sent by the Ministry of the Interior to the Bundestag (the political seat of Germany), that reveal the German Federal Police’s intention to use Gamma Group’s Finfisher spyware to do the exact same thing.

Finfisher is quite an elaborate suite that allows for remote take-over of both computer systems and mobile devices such as iPhones, Android, BlackBerry and Windows Mobile phones by pretending to be a software update. Gamma Group sells this product to dictatorial regimes all over the world, and that says a lot. What is also quite interesting is the presence of the logo of the UK’s Home Office and a link to its premier Security & Policing Exhibition. Does this imply that the UK government also purchased this product? Wikileaks recently published a document that looks like Finfisher’s marketing brochure, and it is certainly geared towards the more modern police forces, as it sports solid integration with LEMF, which stands for Law Enforcement Monitoring Facility.

In August of last year, Bloomberg published an article that reported Finfisher presence on 5 continents, and analysis performed by Rapid7 indicated its presence in at least Australia, the Czech Republic, Dubai, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, Bahrain and the United States. Now, of course this is not concrete proof that these governments actually use Finfisher, but Gamma Group is based in the UK, and this software has been placed in the category of goods requiring an export permit because of the restrictions on exporting such digital weapons. Combined with how Gamma specifically markets Finfisher as ‘Governmental IT intrusion’, it is highly unlikely that the British government would allow legitimate export to just anyone. In a similar story posted by the New York Times, Bloomberg spoke to Martin J. Muench, managing director of Gamma International, who stated that they had not sold their product to Bahrain and that the malware that was found must have been either a stolen demonstration copy or reverse-engineered by criminals.

To be clear, the use of this software is highly questionable. A while back the Dutch Minister of Safety and Justice Ivo Opstelten revealed that a plan was in the works to change the law so that the Dutch police would be allowed to hack systems belonging to suspects. This led to international resistance, and an open emergency letter [PDF warning – Dutch] was sent to the Minister to have this plan terminated because it was a gross violation of privacy. Apparently Germany is already at least one step further than this, having purchased the software already. Is this the future for the Netherlands as well? Will Minister Opstelten dust off his ill-advised plan and follow Germany in purchasing this software? I hope not. Not only is the Dutch police severely understaffed as it is, it also has a serious history of bending (or outright breaking) the rules and violating people’s rights when it comes to (ab)using technology such as this. And just how long will it take before hacking a suspect’s computer no longer requires approval from a court judge? Where is our oversight then?

The Dutch and the Dorifel

Unless you happen to live in the Netherlands, chances are that you missed the outbreak of a ‘new’ piece of malware a few weeks ago called Dorifel, also known as XDocCrypt. With over 3000 infections in a matter of hours, of which 90% were systems in the Netherlands, this triggered the Dutch National Cyber Security Center almost instantly. XDocCrypt/Dorifel is a new trojan that encrypts executables, Excel and Word files that it finds on USB drives and network disks, causing companies to come to a grinding halt almost immediately after infection. Later investigation by Digital Investigations turned up that it also distributes phishing banking websites for ING Bank, ABN AMRO and SNS Bank (all banks with a strong presence in the Netherlands). With such distinctive traits, you would expect it to be ransomware, but it’s not. It doesn’t ask for money, and there are no real clues as to the point of encrypting those files. It may simply have been a trial run to find out how well this technique works, but it’s all conjecture at this point.

As an aside, it should be mentioned that the malware’s efforts in encryption did uncover something I found interesting: it exploits the RTLO Unicode Hole, which uses the standard Windows-supported Unicode “Right-to-left override” character that is more commonly used in Arabic and Hebrew texts (meaning it’s a Feature, not a Bug). Through this use of the RTLO Unicode Hole, they make filenames such as testU+202Ecod.scr appear in Windows Explorer as testrcs.doc, effectively making a harmful executable look like a simple Word doc.
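As an added illustration that is not part of the original post, here is a small Python check that models the RTLO display trick described above and flags filenames whose visible extension differs from the one the operating system will actually honour. The rendering model is a simplification of the Unicode bidi algorithm (it only handles U+202E and the closing U+202C), and the sample listing is constructed.

```python
# Added example (not from the original post): detect filenames that abuse the
# U+202E RIGHT-TO-LEFT OVERRIDE so the displayed name hides the real extension.
import os

RLO = "\u202E"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202C"  # POP DIRECTIONAL FORMATTING, ends an override
# Other Unicode bidi controls a file name has no business containing.
BIDI_CONTROLS = {"\u202A", "\u202B", "\u202C", "\u202D", "\u202E",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

def displayed_name(filename: str) -> str:
    """Approximate how a bidi-aware renderer shows the name: every run after
    an RLO is reversed until a PDF or the end of the string. (The full Unicode
    bidi algorithm is more subtle; this matches the common spoofing case.)"""
    out, i = [], 0
    while i < len(filename):
        if filename[i] == RLO:
            end = filename.find(PDF, i + 1)
            end = len(filename) if end == -1 else end
            out.append(filename[i + 1:end][::-1])
            i = end + 1  # skip the PDF (or run off the end)
        elif filename[i] in BIDI_CONTROLS:
            i += 1  # invisible control: drop it from the displayed form
        else:
            out.append(filename[i])
            i += 1
    return "".join(out)

def analyze(filename: str) -> dict:
    """Compare the extension the OS will honour with the one a user sees."""
    shown = displayed_name(filename)
    real_ext = os.path.splitext(filename)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "displayed": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "has_bidi": any(c in BIDI_CONTROLS for c in filename),
        "spoofed": real_ext != shown_ext,
    }

def find_spoofed(filenames):
    """Return the names whose visible extension does not match the real one."""
    return [f for f in filenames if analyze(f)["spoofed"]]

# Constructed sample listing: the first entry is the post's own example.
SAMPLE = ["test\u202Ecod.scr", "invoice.docx", "photo\u202Egnp.exe", "notes.txt"]

if __name__ == "__main__":
    for name in find_spoofed(SAMPLE):
        a = analyze(name)
        print(f"{a['displayed']!r} is really {a['real_ext']} (shown as {a['shown_ext']})")
```

In practice the safer mail-gateway or file-server policy is to quarantine any name in which `has_bidi` is true, since there is no legitimate reason for a bidi control character to appear in a Western filename.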

What worries me most, and this is the reason for this article, is the delivery vehicle used by this new piece of malware. You see, it doesn’t exploit some new weakness. Instead, it’s being delivered by systems previously infected with the Citadel/Zeus trojan. This means that over 3000 systems in the Netherlands (systems belonging mostly to ministries, local government and hospitals) already had active botnets inside their networks before getting infected with this new malware! Mind you, virtually all of these systems and networks had active antivirus and IDS systems, and NONE detected either the Citadel/Zeus botnet already in place or the new XDocCrypt/Dorifel malware. If anything should be a severe wake-up call for Dutch firms who still half-ass their security, this is it.

Major AV vendors such as Kaspersky and McAfee now address this piece of malware, but it does make you wonder: If this Trojan hadn’t gone through the trouble of encrypting all those files, would it ever have been caught? Clearly, with only a couple of thousand infections, it is not that big of an outbreak. Chances are good that Dorifel would have stayed below the “economic feasibility to fix” line that most antivirus corporations adhere to. With malware code mutation getting increasingly easier and more mature, will this be our future? No more large infections, but a lot more small ones to stay below the collective AV radar? It seems plausible. It certainly makes the dim future of the current AV Modus Operandi that much dimmer. When will we finally see a paradigm shift in our approach to defeating malware?

Monetary Value per System Owned – The Evolution of Endpoint Attacks

Recently some people working for a client of mine expressed the sentiment that they felt their business wasn’t a target for an actual hacker (as opposed to automated attacks). This despite the fact that they had been attacked on two different occasions in a manner that indicated it was the same (thankfully clueless) attacker. Also, the company in question is doing business in a field that seems especially ripe for the proverbial plucking; a lot of money is being made by virtually every player there. One would think that security would be a bigger issue for these folks, but apparently the message hasn’t fully landed everywhere.

This got me thinking about endpoint security and how incredibly understated (and often underestimated) the need for security is on these machines. In many companies it is the largest group of machines in the network, owned and operated by the least technically skilled and security-ignorant users in the company, yet most companies consider the protection of these systems as an afterthought. “Just install AV, Jimmy. That’ll do!” they say, and turn back to tweaking their firewalls (if you’re lucky).

At the same time, an attacker simply lures the gullible users to a specially crafted malicious website or sends out a mass mailing of an infected PDF. Despite having been told thousands of times before not to open attachments from people you don’t know (or that you don’t expect), you just know that someone will do it anyway. And really, all it takes is a single user to take leave of their senses to create a backdoor into your network. I would also like to point out, because this thought seems to float around a lot, that no amount of Group Policy settings will change the outcome. What you need is user sensibility and proper endpoint protection.

Considering the above point and observing the evolution of the purpose behind botnet malware, it becomes clear that the shift is financially motivated. A few years ago botnets were used mostly for DDoS purposes, but since then there has been a change towards monetary gain. From basic DDoS, the botnets were deployed to make money through click-advertisement programs and surfing behavior studies. After that came the stealing of financial information, often leading to credit card fraud and identity theft. Currently we’re seeing the re-emergence of ransomware, where user data is held hostage until the user pays a certain amount before a deadline. If they don’t pay, their data is lost forever.

The criminals involved (often organized crime) seem to be refining their strategy. Where they once made relatively small amounts with a large number of systems they now aim to make a larger amount per system. Essentially they realized that there is a Monetary Value per Owned System, and by becoming more efficient they are raising that value per system to maximize profits.

This idea swam around in my head for a while. What would I do to make the most money? If the idea is to squeeze the most cash out of each system, then we should be looking for the systems that have the most potential cash to be stolen. For me, this ruled out the average internet user. You’d have to be very lucky to stumble onto a rich and clueless target, there just aren’t that many around. Also, how would you know that your target is actually wealthy?

The answer was simple: Companies. Companies usually have deeper pockets than the average internet user, and the ways to exploit them are myriad: extortion, data theft, corporate espionage, credit card fraud; you name it. There’s another upside to this approach: most companies deploy their workstations through imaging. That often means that if one workstation is vulnerable to a certain attack, chances are good that the other workstations in the network are too. More targets mean more potential access to the information I’d want. Also, in most cases the users of said workstations are a lot less motivated to be secure; it’s not their workstation and it’s not their money.

Following this logic, the future of corporate security looks grim. Workstations are a hell of a lot more tempting a target than any server; they are easier to crack and there’s a lot more of them. Administrators need to realize that attackers (both real and automated) won’t attack the shield you hold up, but rather go after the target behind the shield in any way possible. This means that the hard-shell/soft-interior methodology in securing a network is dead, and actually has been so for quite some time.

Endpoint protection will remain the name of the game, and what software vendors are doing right now isn’t working. It’s a failing approach, something that’s becoming increasingly obvious with each new report of a major breach. A change needs to be made before Organized Crime realizes its full potential.