Comments on: Chatter… http://www.nartv.org/2010/01/14/chatter/ Internet Censorship Explorer Fri, 23 Jul 2010 04:52:43 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Roger http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271482 Roger Mon, 25 Jan 2010 12:51:05 +0000 http://www.nartv.org/?p=943#comment-271482 @Tim The answer to your question is Yes. There was code that used Dcom and ran it on Elevated privileges ..so it was not necessary to be running as admin. In a second incident investigated - The malicious code executed on simply right clicking the exe file. It is so common for admins to right click a file and try to look at the properties to see if its signed etc before taking the next step ... @nart You mention Hydraq as the possible malware currently used , in the incidents i investigated it appeared to be Hupigon . Would you have any means to know if hydraq and hupigon share similar code ? Also the registry entry created had obfuscated the path to the executable to avoid detection from tools It never appeared that there was a specific information they were targeting - it always appeared as a grab all that you can get! .. This makes one issue clear that the front line attacker is pulling files out and someone else in the back is sifting thru it for further use @Tim

The answer to your question is Yes. There was code that used Dcom and ran it on Elevated privileges ..so it was not necessary to be running as admin.

In a second incident investigated – The malicious code executed on simply right clicking the exe file. It is so common for admins to right click a file and try to look at the properties to see if its signed etc before taking the next step …

@nart

You mention Hydraq as the possible malware currently used , in the incidents i investigated it appeared to be Hupigon . Would you have any means to know if hydraq and hupigon share similar code ?

Also the registry entry created had obfuscated the path to the executable to avoid detection from tools

It never appeared that there was a specific information they were targeting – it always appeared as a grab all that you can get! .. This makes one issue clear that the front line attacker is pulling files out and someone else in the back is sifting thru it for further use

]]> By: mike http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271471 mike Wed, 20 Jan 2010 14:52:15 +0000 http://www.nartv.org/?p=943#comment-271471 It is great to see a company like google want to offer the people of china the freedom of being uncensored ! However it is a pipe dream. As new ways are developed for the people of China to express themselves or have complete freedom, the Chinese government will develop “laws on the fly” baring that freedom. I wish Google much support in their efforts – the people of China need a free uncensored internet – everyone does , but they will do whatever it takes to shut google down. Its a shame if google bails out of China, the Chinese government will get their way and win the censorship war! It is great to see a company like google want to offer the people of china the freedom of being uncensored ! However it is a pipe dream. As new ways are developed for the people of China to express themselves or have complete freedom, the Chinese government will develop “laws on the fly” baring that freedom.
I wish Google much support in their efforts – the people of China need a free uncensored internet – everyone does , but they will do whatever it takes to shut google down. Its a shame if google bails out of China, the Chinese government will get their way and win the censorship war!

]]> By: Tim http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271469 Tim Wed, 20 Jan 2010 07:43:55 +0000 http://www.nartv.org/?p=943#comment-271469 @roger, Thanks for your reply. Its certainly a very interesting topic to discuss, so thanks for your time. You note an interesting point: "The local user had local admin priv". Sure the local user was tricked by the malicious email, and sure the malicious code is very sophisticated, but is the core problem simply that the user is running as admin? Or to put it another way, if the victim was not running as admin, could the malware have achieved anything more significant than toasting the user's account and associated data? I don't mean to labor this point; I'm just trying to understand what advice I can give people which is both realistic and satisfactory. Thanks again, Tim. @roger,

Thanks for your reply. Its certainly a very interesting topic to discuss, so thanks for your time.

You note an interesting point: “The local user had local admin priv”. Sure the local user was tricked by the malicious email, and sure the malicious code is very sophisticated, but is the core problem simply that the user is running as admin? Or to put it another way, if the victim was not running as admin, could the malware have achieved anything more significant than toasting the user’s account and associated data?

I don’t mean to labor this point; I’m just trying to understand what advice I can give people which is both realistic and satisfactory.

Thanks again,
Tim.

]]> By: Joel http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271467 Joel Tue, 19 Jan 2010 22:55:02 +0000 http://www.nartv.org/?p=943#comment-271467 Thanks for the article. This is the most informative piece of writing I have found on this topic. It's all over the news, but not in enough detail. Regular news never goes into enough detail to get a thorough understanding of what's actually going on with something that is clearly very complicated. Thanks for the article. This is the most informative piece of writing I have found on this topic. It’s all over the news, but not in enough detail. Regular news never goes into enough detail to get a thorough understanding of what’s actually going on with something that is clearly very complicated.

]]> By: Taemojitsu http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271458 Taemojitsu Mon, 18 Jan 2010 06:37:37 +0000 http://www.nartv.org/?p=943#comment-271458 uk visa lawyer, silly, all states engage in espionage to some degree or another. It isn't necessarily an activity ordered by the leader of that state. See <a href="http://en.wikipedia.org/wiki/Enercon" rel="nofollow">Enercon</a> for example and someone at the NSA passing their tech to a US firm via super-secret spy satellites. Not to get political, but... the "what is yours, is ours" is an attitude that many people would identify much more strongly as being expressed by the US, not by China. uk visa lawyer,

silly, all states engage in espionage to some degree or another. It isn’t necessarily an activity ordered by the leader of that state. See Enercon for example and someone at the NSA passing their tech to a US firm via super-secret spy satellites. Not to get political, but… the “what is yours, is ours” is an attitude that many people would identify much more strongly as being expressed by the US, not by China.

]]> By: Roger http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271454 Roger Sun, 17 Jan 2010 03:01:03 +0000 http://www.nartv.org/?p=943#comment-271454 @tim You do raise an important issue of over simplification but on the contrary the points you listed are very easy to get past, in fact they hardly play a role in a windows pc. Do read on as you may find this interesting. I have personally been involved in one such investigation more than a year ago. The trojan arrived by a socially engineered email The exe name of the file was wupdmgr - antiviruses have an exclusion or exceptions defined on this file name - first weakness The local user had local admin priv - most common with home users and small to mid companies who do not have a large it budget Upon execution of wupdmgr - it created firewall exceptions and registered it self as a service - the communication back to command center had already started If u see the services list nothing looks out of the ordinary - this service was called Internet Connection Manager - under normal circumstances there is no such service - even a good eye may not catch it The level of sophistication was just unbelievable - they directly elevated dcom privileges and ran Interestingly once the backdoor was in place - more sophisticated tools arrived to the pc - one such tool took the lm hash of the domain admin - used the hash and injected directly to spwan a cmd shell - they could then map c$ d$ on servers If you look at the overall scenario - it simply preys on the fact that the pc is never ever secure and will never be given the kind of IT budgets these end users have or the small orgs that nat is referring to - it also shows how blind sided Msoft is as well @nat great article and yeomen work @tim

You do raise an important issue of over simplification but on the contrary the points you listed are very easy to get past, in fact they hardly play a role in a windows pc. Do read on as you may find this interesting. I have personally been involved in one such investigation more than a year ago.

The trojan arrived by a socially engineered email
The exe name of the file was wupdmgr – antiviruses have an exclusion or exceptions defined on this file name – first weakness
The local user had local admin priv – most common with home users and small to mid companies who do not have a large it budget
Upon execution of wupdmgr – it created firewall exceptions and registered it self as a service – the communication back to command center had already started
If u see the services list nothing looks out of the ordinary – this service was called Internet Connection Manager – under normal circumstances there is no such service – even a good eye may not catch it
The level of sophistication was just unbelievable – they directly elevated dcom privileges and ran
Interestingly once the backdoor was in place – more sophisticated tools arrived to the pc – one such tool took the lm hash of the domain admin – used the hash and injected directly to spwan a cmd shell – they could then map c$ d$ on servers

If you look at the overall scenario – it simply preys on the fact that the pc is never ever secure and will never be given the kind of IT budgets these end users have or the small orgs that nat is referring to – it also shows how blind sided Msoft is as well

@nat great article and yeomen work

]]> By: Better than CSR « Gallo blog http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271452 Better than CSR « Gallo blog Sat, 16 Jan 2010 17:25:59 +0000 http://www.nartv.org/?p=943#comment-271452 [...] Villeneuve excellent summary of the [...] [...] Villeneuve excellent summary of the [...]

]]> By: china vs google | FocusBlog http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271450 china vs google | FocusBlog Fri, 15 Jan 2010 16:35:14 +0000 http://www.nartv.org/?p=943#comment-271450 [...] analiza a incidentului recomandata de Google este cea facuta de Nart [...] [...] analiza a incidentului recomandata de Google este cea facuta de Nart [...]

]]> By: nart http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271449 nart Fri, 15 Jan 2010 14:36:38 +0000 http://www.nartv.org/?p=943#comment-271449 @Tim -- Yes, it is a simplification as I was generalizing what happens in such attacks. But yes, many of the Adobe Reader exploits can be mitigated by turning off Javascript in Adobe Reader, but since it is on by how many people actually do? MS Office products are also being exploited, in general, some explots require specific service packs and so on but the attacks work on most people. Also, there's the question of AV's and while they don't detect the malicious doc or pdf they may detect the binary that gets dropped. So not all attack will work on all targets. (I mean, really most of these are targeting WindowsOS too). Also, if you read McAfee's assessment of the new IE 0day you can see how bad it can be -- fully up-to-date OS/IE and no AV detection. That's pretty bad, if you click the link an attacker sends you're gonna get whacked. That's why I was emphasizing the part about tricking the user, that's the most important part. @Tim — Yes, it is a simplification as I was generalizing what happens in such attacks. But yes, many of the Adobe Reader exploits can be mitigated by turning off Javascript in Adobe Reader, but since it is on by how many people actually do? MS Office products are also being exploited, in general, some explots require specific service packs and so on but the attacks work on most people. Also, there’s the question of AV’s and while they don’t detect the malicious doc or pdf they may detect the binary that gets dropped. So not all attack will work on all targets. (I mean, really most of these are targeting WindowsOS too).

Also, if you read McAfee’s assessment of the new IE 0day you can see how bad it can be — fully up-to-date OS/IE and no AV detection. That’s pretty bad, if you click the link an attacker sends you’re gonna get whacked. That’s why I was emphasizing the part about tricking the user, that’s the most important part.

]]> By: uk visa lawyer http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271448 uk visa lawyer Fri, 15 Jan 2010 10:18:04 +0000 http://www.nartv.org/?p=943#comment-271448 One of the comments on the Wired article said: "This, my friends, is war. Much like the current war on terror, this war will not be lead by nations. It will be fought in 1s and 0s and our casualties will be our most precious information." The Chinese have a less than ideal view of IP, summarised by what ours is ours, and yours is ours. IMO the world should take notice of this event and what Google is doing and support them wholeheartedly. I see the historical parallel when the world doing nothing when Stalin put a barbed wire fence around Berlin. Had the world taken prompt and strong action then; there's a good chance we wouldn't have had the Berlin Wall. Microsoft has taken the short-term view that it's OK for the Chinese to steal IP from US companies; particularly galling when part of the hacks appears to be weakness in their Internet Explorer that was exploited. Yes, it's very easy for Microsoft and others to turn a blind eye and think of the money but Google is doing the right thing; the others will watch their values decline as rapidly as their Intellectual Property flows into Chinese servers. Google is doing the right thing; they appear cognitive of Edmund Burke's 'The only thing necessary for the triumph of evil is for good men to do nothing'. One of the comments on the Wired article said:
“This, my friends, is war. Much like the current war on terror, this war will not be lead by nations. It will be fought in 1s and 0s and our casualties will be our most precious information.”
The Chinese have a less than ideal view of IP, summarised by what ours is ours, and yours is ours.
IMO the world should take notice of this event and what Google is doing and support them wholeheartedly. I see the historical parallel when the world doing nothing when Stalin put a barbed wire fence around Berlin. Had the world taken prompt and strong action then; there’s a good chance we wouldn’t have had the Berlin Wall.
Microsoft has taken the short-term view that it’s OK for the Chinese to steal IP from US companies; particularly galling when part of the hacks appears to be weakness in their Internet Explorer that was exploited.
Yes, it’s very easy for Microsoft and others to turn a blind eye and think of the money but Google is doing the right thing; the others will watch their values decline as rapidly as their Intellectual Property flows into Chinese servers.
Google is doing the right thing; they appear cognitive of Edmund Burke’s ‘The only thing necessary for the triumph of evil is for good men to do nothing’.

]]> By: Lon Bordin http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271446 Lon Bordin Fri, 15 Jan 2010 03:56:26 +0000 http://www.nartv.org/?p=943#comment-271446 Thanks for the synopsis. Well done. Thanks for the synopsis. Well done.

]]> By: Ancora su Google, la Cina e altro | Grande Globo http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271445 Ancora su Google, la Cina e altro | Grande Globo Fri, 15 Jan 2010 03:33:58 +0000 http://www.nartv.org/?p=943#comment-271445 [...] Execution. Altre informazioni si trovano nel post di Kim Zetter su Threat Level (Wired) e in una nota del solito Nart Villeneuve. Come dire che il problema non è il cloud computing in sé, ma [...] [...] Execution. Altre informazioni si trovano nel post di Kim Zetter su Threat Level (Wired) e in una nota del solito Nart Villeneuve. Come dire che il problema non è il cloud computing in sé, ma [...]

]]> By: The curious case of the Chinese Goooogling http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271444 The curious case of the Chinese Goooogling Fri, 15 Jan 2010 03:18:57 +0000 http://www.nartv.org/?p=943#comment-271444 [...] best-detailed analysis I have been able to find is by Nart Villeneuve on his blog. In his report he suggests that a [...] [...] best-detailed analysis I have been able to find is by Nart Villeneuve on his blog. In his report he suggests that a [...]

]]> By: Tim http://www.nartv.org/2010/01/14/chatter/comment-page-1/#comment-271443 Tim Fri, 15 Jan 2010 03:02:48 +0000 http://www.nartv.org/?p=943#comment-271443 'afternoon Nart, Great blog! One quick question on the quote from Mikko: > If the user open that attachment with a vulnerable version > of Adobe Reader or Microsoft Office their computer > will be compromised. Is that not oversimplifying the situation. For the computer to be compromised, don't a couple of other requirements also need to be met including: 1) Running with privileges that allow the malware to open ports, modify OS settings, etc. 2) Have no outgoing firewall protection, so that the malware can open its backdoor ports. 3) In the Acroread case, have Javascript enabled; I'm not sure what the scripting requirements are for IE. Could I ask your opinion please? Thanks, Tim. ‘afternoon Nart,

Great blog!

One quick question on the quote from Mikko:

> If the user open that attachment with a vulnerable version
> of Adobe Reader or Microsoft Office their computer
> will be compromised.

Is that not oversimplifying the situation. For the computer to be compromised, don’t a couple of other requirements also need to be met including:

1) Running with privileges that allow the malware to open ports, modify OS settings, etc.

2) Have no outgoing firewall protection, so that the malware can open its backdoor ports.

3) In the Acroread case, have Javascript enabled; I’m not sure what the scripting requirements are for IE.

Could I ask your opinion please?

Thanks,
Tim.

]]>