{"id":6899,"date":"2017-03-08T08:30:05","date_gmt":"2017-03-08T16:30:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/08\/news-690\/"},"modified":"2017-03-08T08:30:05","modified_gmt":"2017-03-08T16:30:05","slug":"news-690","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/03\/08\/news-690\/","title":{"rendered":"If the CIA can sidestep encryption, what makes you think cyberthieves can\u2019t?"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt2.staticworld.net\/images\/article\/2017\/03\/cia_cyber-100712441-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Evan Schuman| Date: Wed, 08 Mar 2017 06:48:00 -0800<\/strong><\/p>\n<p>Having just spent much of the day browsing through\u00a0<a href=\"http:\/\/www.computerworld.com\/article\/3177797\/security\/wikileaks-cia-document-dump-shows-agency-can-compromise-android-tvs.html\" target=\"_blank\">Wikileaks\u2019 latest batch\u00a0of documents<\/a> from the intelligence community \u2014 in which government agents discussed ways to circumvent mobile encryption and to listen in on conversations near smart devices including smart TVs \u2014 it\u2019s clear that government agents have long had the ability to grab mobile content before it\u2019s encrypted.<\/p>\n<p>Some of the tactics have names that are quite explicit about their function, such as a TV mode called \u201cTV Fake-Off.\u201d These docs provide a fascinating look into the government teams that are emulating cyberthieves, trying to improve on their techniques rather than thwart them.<\/p>\n<p>Personal security products (PSP) \u201csandboxes typically have a set time limit they analyze a program for before making a decision. PSPs do not want to impose unnecessarily long wait times on the user, which may cause the user to disable\u00a0PSP\u00a0components or try other products out of frustration,\u201d said one typical passage. 
\u201cA common technique of exploiting this mechanism is using a Sleep-like call at the start of a program to \u2018run out the clock.\u2019 PSPs caught on and many will skip the sleep calls in their sandbox environment. To counteract this, Malware authors will call a meaningless function which performs some kind of task or calculation that takes a while to complete, before performing any malicious action. This makes it harder\/impossible for PSPs to know what to skip, and the Malware can effectively \u2018run out the clock\u2019 while in a\u00a0PSP\u00a0sandbox.\u201d<\/p>\n<p>Interestingly, the CIA and other intelligence firms are doing the same process as most security firms \u2014 studying cyberthief tactics \u2014 but instead of using that knowledge to improve defenses, the CIA is using those lessons to craft better attacks.<\/p>\n<p>\u201cThis is a very impressive set of tools gathered,\u201d said Doug Barbin, principal cybersecurity leader of Schellman &amp; Co., a CPA firm. \u201cBut it wasn\u2019t something that a security researcher would be too surprised by. It\u2019s so detailed, though, that it takes the debate out of whether or not these types of attacks are hypothetical.\u201d<\/p>\n<p>Barbin added, though, that some of the initial reports have been misleading. The CIA\u2019s tested method of monitoring that smart TV, for example, he said, used a USB stick placed into the set to initiate any monitoring. That would require physical contact with the set, as opposed to an over-the-air method of intercepting data.<\/p>\n<p>Although Barbin\u2019s point is well taken, some of these memos are two years old. Just because it was tested with a USB insert doesn\u2019t mean that the attack couldn\u2019t today be launched wirelessly.<\/p>\n<p>Another security professional, Ken Pfeil, the chief architect at the TechDemocracy consulting firm, was equally unimpressed with the CIA\u2019s tactics.<\/p>\n<p>\u201cThese are pretty standard. 
The fact that they are using DLL injection is not surprising. In the exploit world, some of this stuff is pretty basic,\u201d Pfeil said. \u201cThere is nothing sitting in front of me [from the Wikileaks data dump] that would surprise me. Absolutely nothing.\u201d<\/p>\n<p>Agreed. Only the dumbest terrorist would opt to hold terror planning meetings in the same room as a smart TV that supports voice recognition. Then again, who ever said terrorists are especially smart? If only one plan is thwarted from some IQ-deficient murderer, it\u2019s likely worth the effort.<\/p>\n<p>Some of the advice in the CIA memos is positively coach-like. Consider: \u201cAfter verifying that the CTNR was called for thread creation, the kernel code can do some basic checks to see if the thread is being created in an interesting process. The important thing to remember about running code in the CTNR is that NO new threads can be created until each CTNR is finished. If your CTNR code takes 1 minute to run, then you\u2019ve bottlenecked thread creation to 1 new thread a minute \u2014 extreme example of course. Whatever you do in the CTNR, make sure it\u2019s quick.\u201d<\/p>\n<p>Many of the suggestions were aimed at, logically enough, tactics to avoid detection. \u201cProcess Hollowing involves starting a benign process \u2014 such as Internet Explorer \u2014 using Windows\u2019 CreateProcess, with a specific flag set to create the process in a suspended mode. At this point, the component removes the benign process\u2019 code from the suspended process, injects its own malicious code, and resumes the process. PSPs may only do an initial scan when the process is created \u2014 even though it\u2019s suspended at the start \u2014 and won\u2019t notice the code replacement. Also, dynamic analysis tools such as Procmon will only log\/show that a benign process was created.\u201d<\/p>\n<p>The CIA paid particular attention to getting around security defenses from Kaspersky. 
That might be a compliment of sorts to that product\u2019s sophistication or it might simply be that Kaspersky has rejected many efforts to cooperate with government investigators.<\/p>\n<p>\u201cThe Kaspersky AVP.EXE process references a DLL called WHEAPGRD.DLL. This DLL is supposed to be located in one of the Kaspersky directories, which are protected by the PSP. Due to a UNICODE\/ASCII processing mistake, the DLL name is prepended with the Windows installation drive letter, rather than the full path to the DLL,\u201d a memo said. \u201cFor typical installations, this causes Kaspersky to look for the DLL \u2018CWHEAPGRD.DLL\u2019 by following the standard DLL search path order. Loading our own DLL into the AVP process enables us to bypass Kaspersky\u2019s protections.\u201d<\/p>\n<p>Other memos described time-savers. \u201cAll function calls need to come from the ese.dll, and not esent.dll. The API appears the same, but exchange does not use esent.dll. Therefore all JET function calls need to be from ese.dll space. Thankfully, it\u2019s already loaded into mem,\u201d the document said, before adding a smiley emoticon. 
\u201cStore.exe seems to export a wonderful function EcGetJetInstanceForMDB() that takes a GUID and returns a valid JET instance handle that has already been initialized and set up for use. Appears there is no need to figure out all the right SystemParameters, etc., in order to create our own sessions from this instance. Use UuidFromString() to convert from String GUID to binary. However, this function isn\u2019t really needed as once we are injected in, calling JetGetInstanceInfo() gives us everything we need.\u201d<\/p>\n<p>The most interesting discussions, though, were candid in suggesting ways to bypass security restrictions. \u201cWhen building a tool, you will almost inevitably have to use some set of strings or sensitive data. When security products or professionals scan a system, we don\u2019t want to make it easy for them to find something malicious by just doing a string search. Thus, in order to obfuscate what the tool is doing, we obfuscate the strings or data being used,\u201d one memo said. \u201cYou should also scan the binary you deliver against usernames and names of people on the project as many times mistakes are made and PDB strings \u2014 file paths that often include usernames \u2014 are left in the final binary. There are many products we use to help us automate portions or all of string\/data obfuscation.\u201d<\/p>\n<p>That memo continued, winking to the reader about its intended use. \u201cSo you may already have a good idea of where we\u2019re going with this. Memory refers to the volatile memory on the machine while the disk is non-volatile. This difference is important when developing malicious software,\u201d the note said. \u201cAs a development shop, we tend to do most of our work in memory and rarely leave unencrypted artifacts on disk. That being said, all persistence is gained by writing to a non-volatile location on the machine. 
Thus, it is good to keep in mind that anything on disk shouldn\u2019t contain anything too cool for school. Also, on disk artifacts are more likely to be detected by Personal Security Products (PSPs).\u201d<\/p>\n<p>All in all, just a run-of-the-mill day for your friendly neighborhood CIA agents.<\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3178404\/security\/if-the-cia-can-sidestep-encryption-what-makes-you-think-cyberthieves-can-t.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt2.staticworld.net\/images\/article\/2017\/03\/cia_cyber-100712441-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Evan Schuman| Date: Wed, 08 Mar 2017 06:48:00 -0800<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Having just spent much of the day browsing through\u00a0<a href=\"http:\/\/www.computerworld.com\/article\/3177797\/security\/wikileaks-cia-document-dump-shows-agency-can-compromise-android-tvs.html\" target=\"_blank\">Wikileaks\u2019 latest batch\u00a0of documents<\/a> from the intelligence community \u2014 in which government agents discussed ways to circumvent mobile encryption and to listen in on conversations near smart devices including smart TVs \u2014 it\u2019s clear that government agents have long had the ability to grab mobile content before it\u2019s encrypted.<\/p>\n<p>Some of the tactics have names that are quite explicit about their function, such as a TV mode called \u201cTV Fake-Off.\u201d These docs provide a fascinating look into the government teams that are emulating cyberthieves, trying to improve on their techniques rather than thwart them.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3178404\/security\/if-the-cia-can-sidestep-encryption-what-makes-you-think-cyberthieves-can-t.html#jump\">To read this article in full or to leave a comment, please click 
here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11072,714],"class_list":["post-6899","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-cybercrime-hacking","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6899","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6899"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6899\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6899"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}