New Evidence Strengthens NSA Ties To Equation Group Malware
An anonymous reader writes: When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA's Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. "Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike."
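The working-hours inference the summary describes, as an added example that is not Kaspersky's own code: re-express each build timestamp in every candidate fixed UTC offset and score how many land Monday to Friday, 8-to-5. The timestamps are constructed for the example; the names and the noise build are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 17  # an "8-to-5" working day; end hour exclusive

# Constructed sample: compile timestamps as read from file headers, already
# in UTC. Made up for this example, not Equation Group data.
# Mon 10 Mar .. Fri 14 Mar 2014, five builds a day, plus one night-time build.
SAMPLE_UTC = [
    datetime(2014, 3, 10 + day, hour, 30, tzinfo=timezone.utc)
    for day in range(5)
    for hour in (12, 14, 16, 18, 20)
] + [datetime(2014, 3, 13, 3, 5, tzinfo=timezone.utc)]


def to_local(ts_utc, offset_hours):
    """Re-express a UTC timestamp in a candidate fixed offset (DST ignored)."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def in_working_hours(local_ts):
    """Monday to Friday, between WORK_START and WORK_END local time."""
    return local_ts.weekday() < 5 and WORK_START <= local_ts.hour < WORK_END


def working_hours_fraction(timestamps_utc, offset_hours):
    """Share of timestamps that fall in working hours under this offset."""
    hits = sum(in_working_hours(to_local(t, offset_hours)) for t in timestamps_utc)
    return hits / len(timestamps_utc)


def rank_offsets(timestamps_utc, offsets=range(-12, 15)):
    """Candidate offsets, best fit first. Neighbouring offsets that score
    close together cannot be told apart by this data, which is why the
    summary can only say UTC-3 or UTC-4."""
    scored = [(working_hours_fraction(timestamps_utc, o), o) for o in offsets]
    return sorted(scored, reverse=True)


def weekday_histogram(timestamps_utc, offset_hours):
    """Weekday distribution under an offset. A weekend-free histogram supports
    the 'organised team' reading only as far as build times track people."""
    names = "Mon Tue Wed Thu Fri Sat Sun".split()
    return Counter(names[to_local(t, offset_hours).weekday()] for t in timestamps_utc)


if __name__ == "__main__":
    for fraction, offset in rank_offsets(SAMPLE_UTC)[:3]:
        print(f"UTC{offset:+d}: {fraction:.0%} of builds in Mon-Fri 8-to-5")
    print(weekday_histogram(SAMPLE_UTC, -4))
```

The one 03:05 UTC build drags every offset below 100%, which is the point made later in the thread: a timestamp records when a build ran, not when someone was at a keyboard.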
I am glad our best and brightest are better than their best and brightest... keeping us safe from cyber-terrorism is a huge priority.
Seems like very weak evidence to me, and certainly not the "smoking gun" claimed in the referenced article.
Hypothetical Scenario: I work as a coder for the NSA; I work with an extremely talented group; we code the latest, most aggressive malware available.
We make the Russians look like Girl Scouts.
How much do you think they pay me?
How much could I make selling the stuff I code at the NSA to various "businesses".
Does anyone in that position believe in nationalism?
"If any question why we died, Tell them because our fathers lied."
Let's hear it for the pulling-shit-out-of-our-collective-asses system! The same goes for any software made by any company in the world... Unless you can see the source and it is open, you can't but hope. Why not say it is Snowden who did this so he can sell botnets to Putin? If you have a shred of evidence that Putin has backdoored Kaspersky, then bring it to light.
Do me a favour. Spooks putting strings identifying their top secret programme by name into malware? Jesus Christ you people are gullible.
> Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States
Um, the US is on UTC -5:00 (ET) through UTC -8:00 (PT). My money is on those pesky Greenlandic uber-hackers.
Um, the UTC is -4:00 (EST) through UTC -7:00 (PST) when on Standard Time. The UTC offset is -5:00 through -8:00 when the US is on Daylight Time. The exception to this is the majority of Arizona which doesn't change at all.
Now that you mention it: the NSA has not prevented anything so far, unless we believe what they say and ignore the available evidence. It did, however, manage to motivate other nations to look closer at alternatives where that makes sense. Here we go then: Putin's fault again, and the NSA is his puppet!!! Come to think of it, maybe it is the other way around: they invented Putin and jihad to increase their budget??? Either way, Putin is firmly in the equation that describes NSA reality.
If they don't bother to change the timestamps to 03/13/37.
I am becoming gerund, destroyer of verbs.
I was thinking just about the same thing.
Why don't hackers call their projects "8d 7d 6c 05" or "33 02 ba 9c" in source code constants?
Why would they even include any non-essential things in the code at all?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Rats hoisted by their own profiling petard.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
> Do me a favour. Spooks putting strings identifying their top secret programme by name [...]
The alternative is thrilling too: malware authors knowing the names of top-secret NSA programmes (I assume this malware was hacked together pre-Snowden)? Hmmm.
I don't know the name of the razor to apply here. But it's a hell of a razor, for sure.
No, just hope and believe. HOPE you know this guy, documented here; Belief is just the nicest of fellows. Just like I hope and believe the NSA isn't doing something they shouldn't, until someone we had never heard of before outed them.
I do not think bringing Snowden into the example really works on this one, as he did actually steal classified info and post it to the internet/news, no belief needed. I do hope he gets a fair and public trial though, but I believe he will never make it to court.
> Um, the US is on UTC -5:00 (ET) through UTC -8:00 (PT). My money is on those pesky Greenlandic uber-hackers.
> Um, the UTC is -4:00 (EST) through UTC -7:00 (PST) when on Standard Time. The UTC offset is -5:00 through -8:00 when the US is on Daylight Time. The exception to this is the majority of Arizona which doesn't change at all.
Whoops...Standard is -5 through -8 and Daylight is -4 through -7, my bad.
Kind of like a PhD student security programmer accidentally putting Heartbleed in, in the middle of Xmas, when it was automagically accepted into ssh code, because we do not teach bounds checking to PhD students.
Hope and Belief.
Maybe someone needs to look up just what parts of the world actually use UTC-0300.
I am not too worried about Putin.
What I am worried about is this: the Equation malware was used years ago. We know these guys are good at what they do. Very good.
NSA has been working on that stuff since the 1950s -- that's 65 years of experience, folks, and they have been big computer users since day ONE -- heck even before day one, if you count Bletchley Park and stuff like the cracking of Red, Purple and JN cyphers.
So, we are talking about an organization that has huge experience in cracking systems and crypto, and the enormous budget to support its activities.
So: what have they been producing between Equation and, let's say, Stuxnet, and today?
Equation was -- from what I understand -- fairly Windows specific. What have they got now? The stuff coming out of all these not-so-funny super top secret projects?
Here is a hint: combine stuff like Heartbleed (OpenSSL), ShellShock, stuff that lingered in code bases for decades before being found out, maybe other stuff such as a few rumors about OpenSSH backdoors (remember those?) and the "let me install myself cosily in your HDD BIOS where you cannot dislodge me" capabilities of Equation and, presto! No one is safe from the prying eyes of NSA anymore.
That's the kind of thing that makes you lose sleep at night. At least, I do lose sleep over it. George Orwell had nothing on these guys.
What if you are only running open-source? Vulnerable. Audited open-source? They have 100 times the manpower of the best programming teams out there. Heck, they may even have infiltrated these projects in the first place!
And don't forget one last thing: the guys are masters of misdirection. NSA and GCHQ and everyone in between said for years that Enigma was safe to use, even after the end of WWII. It's extremely simple for these people to say (unofficially, of course) "Drats! This guy is using open source! Foiled again! Damn you open source programmers!! Damn you all to hell!!!", all the while exploiting Linux/BSD machines as easily as "1-2-3". And we know they like subtle.
So, here is the question: what do they have, right now, that we don't know about? Think about that for a second.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Typically, you won't see the timestamps of when people worked, but when the builds were run.
It doesn't point anywhere, because there's no telling when companies run their builds. Some run nightly builds, others continuous builds.
If you remember when some agent broke into a Linux source repository and added a disguised backdoor attack?
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
            retval = -EINVAL;
https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/
Effectively letting them get root, if they passed those flags into the wait4 call.
Hey, you know the UK government shared all the secrets of Bletchley Park with the US government, right?
It includes the name of the program, as known from the Snowden documents, so it's a SIGNED CONFESSION.
If every OS and system on the planet is merely your plaything, you are now not just a government agency but a standalone entity that can completely self-fund without leaving a trace, and thus answerable to no one, most especially mere elected civilians.
And if the Senators or POTUS get uppity, well, no one that achieves those offices is innocent, thus they are completely blackmailable, if not subject to out-and-out threats (especially to their families).
I think this is the main reason every man that now becomes President ends up with gray hair, regardless of their age.
Wasn't the US government condemning the hack of Sony pictures and instituting economic sanctions based on some shaky evidence that North Korea was involved? I wonder what actions the 42 plus countries that have been infected with Equation Group malware should take against the US government.
Sorry guys, I will never use the word "hacker" again now that they are officially called "Exploit Engineers".
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
> I do not think bringing Snowden into the example really works on this one, as he did actually steal classified info and post it to the internet/news, no belief needed. I do hope he gets a fair and public trial though, but I believe he will never make it to court.
Edward Snowden never publicly released any classified information. The media organisations entrusted with the document collection provided by Snowden have been releasing, albeit at a trickle pace, any and all such classified documents. Yet the media organisations are not being shut down, nor the owners, editors and journalists arrested and charged. Nope. But Edward Snowden, for unfathomable reasons, is State Enemy #1 according to the Government of the United States of Amerika.
I personally liked the Kronos Amiga virus that installed itself in the clock BIOS, so it survived reboots.
If I'm good enough to write a sophisticated and successful piece of malware, maybe I could change the time stamps and plant some not-so-secret codeword in order to trick people into thinking it was created by my adversary. ("False flag.")
For a largish project I would suspect that the release builds are run over night, CI builds during the work day.
I am very small, utmostly microscopic.
I don't know if it's still true, but several years ago I was told that there are rainbow tables that permit relatively easy login to Linux systems. To foil that you need to have a limited number of login attempts per day, probably implemented by an increasing time limit since the last bad login...and I've never seen that as an option on a Linux system. (I'm sure it is, because it's a dead-simple obvious approach. It might require you to unplug from the net to login while you were under attack, but that's a minor cost compared to letting intruders in.)
I think we've pushed this "anyone can grow up to be president" thing too far.
> Typically, you won't see the timestamps of when people worked
Because programmers worth any kind of salt don't manually check in (commit) their own changes?
What do you mean? The known unknowns or the unknown unknowns?
I used to think I knew what I didn't know, now I don't know...
I now know I need a lot more foil!
http://www.amazon.com/Durable-Packaging-92410-Heavy-Aluminum/dp/B00KNM30UM
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office.
Are they so lame and stuffy that they would not cover their butts?
With a rainbow table you can brute-force a password if you know the password hash. You need only one login attempt -- and you need the hash, for which you normally need root access to start with, at least for the last 20 years. Unix/Linux passwords have always been stored as salted hashes, which makes rainbow tables not practical. The practical way to brute-force a password is therefore a dictionary attack.
Avantslash: low-bandwidth mobile slashdot.
I don't doubt the NSA has been doing nefarious things since the 50s, but I suspect their more outlandish things like this have taken shape since 9/11.
A rainbow table might not be practical for you and me, but might be practical for the NSA. But as you say, it assumes you have the passwd hash table already. In the old days it was exposed in /etc/passwd, but that hasn't been the case in decades.
They check in the source code, not the object files.
The object files won't have the time stamp of the commit of a source file, but the timestamp of when they were created by a build.
If the NSA can remove the effects of the salt in order to use a rainbow table, they've cracked the hash, and don't need a rainbow table. If not, even a two-byte salt would increase the size of the rainbow table by 65,536 times, and I doubt the NSA is going to use tables that much bigger than they need. They'd almost certainly do a dictionary attack and other things, which essentially means building a rainbow table as they go. It's more computation, but, really, this is the NSA.
Even if the NSA has root access to a system, they might well want to crack the passwords, partly to be able to get further access to the system if their current method stops working or is too obvious, and partly to get username-password pairs they can try elsewhere.
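The precomputed-table-versus-salt argument of the last few comments, as an added example that is not from the thread: the same stolen digest costs one dictionary lookup when unsalted, and a per-target recomputation once a salt is in play. SHA-256 stands in for crypt(3)'s hash and the candidate word list is constructed; both are assumptions of the example.

```python
import hashlib

# Constructed candidate list standing in for a password dictionary.
WORDLIST = ["letmein", "hunter2", "correcthorse", "password1"]


def unsalted_hash(password):
    """What a rainbow table can be built against: hash depends on password only."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Salt prepended, as crypt(3)-style schemes do; real ones also iterate."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_precomputed_table(words):
    """One-off precomputation, digest -> password. A rainbow table is a
    space-compressed form of this; the defeat-by-salt argument is identical."""
    return {unsalted_hash(w): w for w in words}


def table_lookup(table, digest):
    """Unsalted: recovering a stolen digest is a single dictionary lookup."""
    return table.get(digest)


def recover_with_salt(digest, salt, words):
    """Salted: the table is useless and every candidate must be re-hashed for
    this one salt. Returns (password or None, number of hashes computed)."""
    for count, word in enumerate(words, 1):
        if salted_hash(word, salt) == digest:
            return word, count
    return None, len(words)


def salt_space_multiplier(salt_bytes):
    """Table blow-up if one instead precomputes every possible salt value:
    a two-byte salt gives 256**2 = 65536, as the comment above says."""
    return 256 ** salt_bytes


if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    salt = b"\x12\x34"  # constructed 2-byte salt
    print("unsalted:", table_lookup(table, unsalted_hash("hunter2")))
    print("salted, table lookup:", table_lookup(table, salted_hash("hunter2", salt)))
    print("salted, recompute:", recover_with_salt(salted_hash("hunter2", salt), salt, WORDLIST))
    print("precompute every 2-byte salt: x", salt_space_multiplier(2))
```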
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes