New Evidence Strengthens NSA Ties To Equation Group Malware
An anonymous reader writes: When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA's Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. "Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike."
I am glad our best and brightest are better than their best and brightest... keeping us safe from cyber-terrorism is a huge priority.
Just because Putin might benefit from this information doesn't mean that it is made up.
Since Putin benefits from the rest of the world distrusting USA, does that mean that NSA just is a Russian puppet organization too?
Seems like very weak evidence to me, and certainly not a "smoking gun" claimed in the referenced article.
> Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States
Um, the US is on UTC -5:00 (ET) through UTC -8:00 (PT). My money is on those pesky Greenlandic uber-hackers.
Hypothetical Scenario: I work as a coder for the NSA, I work with an extremely talented group, we code the latest, most aggressive malware available.
We make the Russians look like Girl Scouts.
How much do you think they pay me?
How much could I make selling the stuff I code at the NSA to various "businesses".
Does anyone in that position believe in nationalism?
"If any question why we died, Tell them because our fathers lied."
Let's hear it for the pulling-shit-out-of-our-collective-asses system! The same goes for any software made by any company in the world... Unless you can see the source and it is open you can't but hope. Why not say it is Snowden who did this so he can sell botnets to Putin. If you have a shred of evidence that Putin has backdoored Kaspersky then bring it to light.
Do me a favour. Spooks putting strings identifying their top secret programme by name into malware? Jesus Christ you people are gullible.
Now when you mention it - NSA did not prevent anything so far unless we believe what they say and ignore available evidence. It did however manage to motivate other nations to look closer at alternatives where that makes sense. Here we go then - Putin's fault again and NSA is his puppet!!! Come to think of it, maybe it is the other way around - they invented Putin and jihad to increase their budget??? Either way Putin is firmly in the equation that describes NSA reality.
If they don't bother to change the timestamps to 03/13/37.
I am becoming gerund, destroyer of verbs.
I was thinking just about the same thing.
Why don't hackers call their projects "8d 7d 6c 05" or "33 02 ba 9c" in source code constants?
Why would they even include any non-essential things in the code at all?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Rats hoisted by their own profiling petard.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
> Do me a favour. Spooks putting strings identifying their top secret programme by name [...]
The alternative is thrilling too: malware authors knowing the names of top-secret NSA programmes (I assume this malware was hacked together pre-Snowden)? Hmmm.
I don't know the name of the razor to apply here. But it's a hell of a razor, for sure.
No, just hope and believe. HOPE you know this guy, documented here; Belief is just the nicest of fellows. Just like I hope and believe the NSA isn't doing something they shouldn't, until someone outed them we had never heard of before.
I do not think bringing Snowden into the example really works on this one, as he did actually steal classified info and post it to the internet/news, no belief needed. I do hope he gets a fair and public trial though, but I believe he will never make it to court.
Kind of like a PhD student security programmer accidentally putting Heartbleed in in the middle of Xmas when it was automagically accepted into ssh code, because we do not teach bounds checking to PhD students.
Hope and Belief.
is to brand all timestamps and other traces in the malware, so as to implicate Russia and China, or whatever country or organization happens to be on the agenda.
How many of our own critical systems were offlined by these viruses when they got out in the world?
I mean, people have been struggling with this for years - google "fanny.bmp"
Maybe someone needs to look up just what parts of the world actually use UTC-0300.
> I was thinking just about the same thing.
> Why don't hackers call their projects "8d 7d 6c 05" or "33 02 ba 9c" in source code constants?
> Why would they even include any non-essential things in the code at all?
Remember the Nimda virus? (That's "admin" backwards.)
NIMDA was a polymorphic plague of a virus that hit our network right after 9/11/2001.
It would write itself all over every file on the disk drive until the drive was full and everything came to a screeching halt. It exploited the NT web service that was active by group policy default on client boxes with NT and/or Win 2000. Anyway, our software engineers looked inside the Nimda.dll and there was some jihad "Death to America, Death to Israel" crap commented right into the file!!
I'm sure that was the NSA's earlier work, as they took over most domestic networks just to be on the safe side....
I am not too worried about Putin.
What I am worried about is this: the Equation malware was used years ago. We know these guys are good at what they do. Very good.
NSA has been working on that stuff since the 1950s -- that's 65 years of experience, folks, and they have been big computer users since day ONE -- heck even before day one, if you count Bletchley Park and stuff like the cracking of Red, Purple and JN cyphers.
So, we are talking about an organization that has huge experience in cracking systems and crypto, and the enormous budget to support its activities.
So: what have they been producing between Equation and, let's say, Stuxnet, and today?
Equation was -- from what I understand -- fairly Windows specific. What have they got now? The stuff coming out of all these not-so-funny super top secret projects?
Here is a hint: combine stuff like Heartbleed (OpenSSL), ShellShock, stuff that lingered in code bases for decades before being found out, maybe other stuff such as a few rumors about OpenSSH backdoors (remember those?) and the "let me install myself cosily in your HDD BIOS where you cannot dislodge me" capabilities of Equation and, presto! No one is safe from the prying eyes of NSA anymore.
That's the kind of thing that makes you lose sleep at night. At least, I do lose sleep over it. George Orwell had nothing on these guys.
What if you are only running open-source? Vulnerable. Audited open-source? They have 100 times the manpower of the best programming teams out there. Heck, they may even have infiltrated these projects in the first place!
And don't forget one last thing: the guys are masters of misdirection. NSA and GCHQ and everyone in between said for years that Enigma was safe to use, even after the end of WWII. It's extremely simple for these people to say (unofficially, of course) "Drats! This guy is using open source! Foiled again! Damn you open source programmers!! Damn you all to hell!!!", all the while exploiting Linux/BSD machines as easily as "1-2-3". And we know they like subtle.
So, here is the question: what do they have, right now, that we don't know about? Think about that for a second.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Lots of folks above posting about how the eastern US isn't in TZ UTC-3. If you RTF summary more carefully, they're talking about code timestamps being consistent with 8-5 UTC-3, which is also consistent with 7-4 UTC-4, or 6-3 UTC-5.
The company I work for (UTC-6) routinely has folks coming in as early as 6, with quite a few coming in between 7 and 8, just so they can beat the rush hours. Yes, even coders.
If you remember when some agent broke into a Linux source repository and added a disguised backdoor attack?
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))  /* note: '=' assigns uid 0, it does not compare */
        retval = -EINVAL;
https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/
Effectively letting them get root, if they passed those flags into the wait4 call.
Hey, you know that Bletchley Park isn't located quite in US, right?
Hey, you know the UK government shared all the secrets of Bletchley Park with the US government, right?
What do you mean? The known unknowns or the unknown unknowns?
captcha: awesome
It includes the name of the program, as known from the Snowden documents, so it's a SIGNED CONFESSION.
Our NSA had damn well better be better than Putin's and Li Keqiang's or all of us in the US are going to be irretrievably harmed.
1. Fake the time stamps to look like eastern US
2. Add a well known NSA project name to the code
3. "Leak" information about these issues.
4. Profit
Could this information be a plant to point the finger at the NSA?
So what are you saying there? That we're the Nazi enemy now to be spied on like in the second world war?
Looking through the project names, I suspect the FREE* ones are all open source related. FOX* are maybe firefox attacks?
EFFABLELAMBDA, EFF? DARK* could be darknet attacks.
There's a much more indepth discussion about EquationGroup malware here:
http://www.wikileaks-forum.com/nsa/332/how-omnipotent-hackers-tied-to-nsa-hid-for-14-yearsand-were-found-at-last/33191/
Kaspersky Lab managed to register some of the attack domains as they expired and collect the data from old attacks. These domains are registered with US based Domains By Proxy, LLC. So if it was NOT official they should be easy to catch simply because they bought and paid and renewed the attack domains used!
e.g. standardsandpraiserepurpose[.]com was one of the attack domains and is registered with Domains By Proxy
I emailed Kaspersky asking if they were going to do something about this -- no answer. Seagate tech support continues to pretend it's a non-problem.
We are so screwed.
Think about that for a second.
Can you cite any examples of any government agency ever being as perfectly perfect as you seem to think NSA is? When I think about it for a second, realistically, I think the best NSA can do is some day be able to report about something I said or did a few years ago that got picked up in their Internet dragnet. Unless there is some active investigation into your illegal or un-American activities, I really doubt NSA is interested in what kind of porn you're beating off to.
If every OS and system on the planet is merely your plaything, you are now not just a government agency but a standalone entity that can completely self-fund without leaving a trace, and thus answerable to no one, most especially mere elected civilians.
And if the Senators or POTUS get uppity, well, no one that achieves those offices is innocent, thus they are completely blackmailable, if not subject to out and out threats (especially to their families).
I think this is the main reason every man that now becomes President ends up with gray hair, regardless of their age.
https://www.youtube.com/watch?v=MGQaH3-LK54
Wasn't the US government condemning the hack of Sony pictures and instituting economic sanctions based on some shaky evidence that North Korea was involved? I wonder what actions the 42 plus countries that have been infected with Equation Group malware should take against the US government.
Sorry guys, I will never use the word "hacker" again now that they are officially called "Exploit Engineers".
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
> I do not think bringing Snowden into the example really works on this one, as he did actually steal classified info and post it to the internet/news, no belief needed. I do hope he gets a fair and public trial though, but I believe he will never make it to court.
Edward Snowden never publicly released any classified information. The media organisations entrusted with the document collection provided by Snowden have been releasing, albeit at a trickle pace, any and all such classified documents. Yet the media organisations are not being shut down, nor the owners, editors and journalists arrested and charged. Nope. But Edward Snowden, for unfathomable reasons, is State Enemy #1 according to the Government of the United States of Amerika.
From the article: "Assuming they worked a regular 8 to 5 workday, the timestamps show the employees were likely in the UTC-3 or UTC-4 time zone, a finding that would be consistent with people working in the Eastern part of the US."
Neither UTC -03:00 nor UTC -04:00 are associated with the Eastern US.
UTC -03:00 is associated with: Buenos Aires, Montevideo, São Paulo
UTC -04:00 is associated with: Santiago, La Paz, San Juan de Puerto Rico, Manaus, Halifax
UTC -05:00, however, is associated with the Eastern US.
Yes, timestamps could be altered.
And, the existence of a particular keyword does not imply NSA ties. It implies that somebody typed a known NSA keyword into the file.
I think Kaspersky likes to read about his brilliance in the pubs. Where's the selfie?
Back in my day, we only had an extra day of the week, not a whole month. You younguns are getting too greedy.
If I'm good enough to write a sophisticated and successful piece of malware, maybe I could change the time stamps and plant some not-so-secret codeword in order to trick people into thinking it was created by my adversary. ("False flag.")
OpenSSL not SSH.
For a largish project I would suspect that the release builds are run over night, CI builds during the work day.
I am very small, utmostly microscopic.
I don't know if it's still true, but several years ago I was told that there are rainbow tables that permit relatively easy login to Linux systems. To foil that you need to have a limited number of login attempts per day, probably implemented by an increasing time limit since the last bad login...and I've never seen that as an option on a Linux system. (I'm sure it is, because it's a dead-simple obvious approach. It might require you to unplug from the net to login while you were under attack, but that's a minor cost compared to letting intruders in.)
I think we've pushed this "anyone can grow up to be president" thing too far.
They do. The codewords are often randomly generated and deliberately meaningless. (The word list isn't 100% random, at least since Churchill decided he didn't want anyone to die over something called Operation Bunnyhug back in WW2.)
NSA's mistake was in assuming that the codewords would never leave the organization. Security by obscurity. Replacing codewords with 32-bit hex digits doesn't eliminate that risk.
> What do you mean? The known unknowns or the unknown unknowns?
I used to think I knew what I didn't know, now I don't know...
I now know I need a lot more foil!
http://www.amazon.com/Durable-Packaging-92410-Heavy-Aluminum/dp/B00KNM30UM
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
Fucking NSA wants to see everything and every machine plugged into the Internet to be automatically compromised. Why are we paying our government to do this? They aren't at all concerned with making the net safer, they are concerned with taking it over. Fuck NSA.
Rainbow Tables are only useful if you have an unsalted password hash. Rainbow tables are essentially pre-computed texthash databases (using a reduction function to reduce the space requirements). If you have a salted hash, you'd need a Rainbow table for that specific salt value...
Limiting the number of login attempts has nothing to do with Rainbow tables, but it's a good idea in general to prevent brute-force attacks.
Imagine a place they protect with AK47s and large trucks with large missiles on them. The missiles have a nice 500kt warhead at the tip. Now imagine what that place could theoretically achieve.
That place could actually build a full suite of hardware and software not corrupted by the Maryland bastards. It would not contain a C compiler and no ARM processor. Neither would it contain a backdoored Linux kernel or an even more backdoored Windows kernel. They would fend off the saboteurs from Maryland with said weapons.
But that would imply that they actually had DIFFERENT concepts for the future in their minds. Now I am not sure the Russkies have that intelligence or aspiration. Their aspiration seems to be left alone from all the insane Money People And Their Guns from Paris, Berlin and now New York. It does not seem to be their aspiration to fix the morally 100% rotten world of computers.
China just stated that they want to rot computers even less covertly.
In other words: The folks who could do something about Moral Rottenness chose to play Least Effort and let the IT industry continue to rot to death.
Are they so lame and stuffy that they would not cover their butts?
If everyone believes they have perfect knowledge, it doesn't matter what you actually did. Whatever they say will be taken as the truth. They can control with blackmail, but they can disgrace with libel. That is the more dangerous thing.
With a rainbow table you can brute-force a password if you know the password hash. You need only one login attempt -- and you need the hash, for which you normally need root access to start with, at least for the last 20 years. Unix/Linux passwords have always been stored as salted hashes, which makes rainbow tables not practical. The practical way to brute-force a password is therefore a dictionary attack.
Avantslash: low-bandwidth mobile slashdot.
Kaspersky is a KGB front, an incredibly complex operation with built-in denial, run by a pretend dissident.
I don't doubt the NSA has been doing nefarious things since the 50s, but I suspect their more outlandish things like this have taken shape since 9/11.
A rainbow table might not be practical for you and me, but might be practical for the NSA. But as you say, it assumes you have the passwd hash table already. In the old days it was exposed in /etc/passwd, but that hasn't been the case in decades.
If the NSA can remove the effects of the salt in order to use a rainbow table, they've cracked the hash, and don't need a rainbow table. If not, even a two-byte salt would increase the size of the rainbow table by 65,536 times, and I doubt the NSA is going to use tables that much bigger than they need. They'd almost certainly do a dictionary attack and other things, which essentially means building a rainbow table as they go. It's more computation, but, really, this is the NSA.
Even if the NSA has root access to a system, they might well want to crack the passwords, partly to be able to get further access to the system if their current method stops working or is too obvious, and partly to get username-password pairs they can try elsewhere.
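Why a salt defeats a precomputed table, illustrated for the rainbow-table discussion in the comments above (one table only covers one salt; a two-byte salt multiplies the precomputation by 65,536; what remains is a dictionary attack run at crack time). This is an added example, not code from the thread: the five-word dictionary and the use of plain SHA-256 are constructed for illustration, and a real rainbow table compresses its entries with reduction chains rather than storing each digest.

```python
import hashlib
import os

# Constructed input: a tiny password dictionary standing in for the word list a
# table would be precomputed from. Real tables hold billions of entries.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "correcthorse"]


def hash_password(pw: str, salt: bytes = b"") -> str:
    """SHA-256 of salt || password. With an empty salt this is the unsalted
    scheme a precomputed table is built against. The salt is stored next to
    the hash; it need not be secret, only different per account."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def build_table(words, salt: bytes = b"") -> dict:
    """Precompute digest -> password for ONE salt value. This is the coverage
    trade-off of a rainbow table in its simplest form: instant lookups, but
    only for hashes produced with exactly this salt."""
    return {hash_password(w, salt): w for w in words}


def table_lookup(table: dict, digest: str):
    """One lookup against a leaked hash; no login attempts are involved,
    which is why attempt throttling does not help against this."""
    return table.get(digest)


def dictionary_attack(words, salt: bytes, digest: str):
    """What is left once hashes are salted: hash each candidate with the
    stored salt at crack time, i.e. build the table as you go."""
    for w in words:
        if hash_password(w, salt) == digest:
            return w
    return None


def table_blowup(salt_bytes: int) -> int:
    """Distinct salt values, hence per-salt tables, that a random salt of
    salt_bytes bytes forces an attacker to precompute: 256 ** salt_bytes."""
    return 256 ** salt_bytes


def demo():
    unsalted_table = build_table(WORDLIST)
    leaked_unsalted = hash_password("hunter2")
    salt = os.urandom(2)                         # the two-byte salt from the comment
    leaked_salted = hash_password("hunter2", salt)
    return {
        "unsalted_lookup": table_lookup(unsalted_table, leaked_unsalted),   # 'hunter2'
        "salted_lookup": table_lookup(unsalted_table, leaked_salted),       # None
        "salted_dictionary": dictionary_attack(WORDLIST, salt, leaked_salted),
        "tables_needed_for_2_byte_salt": table_blowup(2),                   # 65536
    }
```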
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes