Say what? Microsoft gave away the Windows source code to Chinese official for inspections? I'm absolutely stunned they would do that, never would've thought they agree to something like that.
Yes, Windows' closed-source nature has allowed MS to rely on security-through-obscurity. Now that one of the entities MS has taken behind its golden screen has turned out to be a black hat, MS' approach is looking foolish.
Microsoft does give out source code for some of its software (including parts of Windows) to various universities for research purposes. Of course, there are NDAs involved, but that shows they aren't shy to share the code in certain situations.
Yeah, so you give it to a government who is reviewing it for security problems. More than likely the NSA and CIA also have the source code for Windows.
1. Customized compilation results in different address offsets, thus an exploit is not very generic or portable.
2. Everyone can do a static vulnerability scan for Linux source code, so if there is a hole it's more likely to be well known in the industry
The recent series of events with google.cn suggests that this is just a test ground for industrialized 0day farming for closed source software as a strategic weapon.
Specifically, a 0-day exploit in the Adobe Reader software which Adobe knew about and refused to fix for months (since it would break their upgrade schedule).
And all companies have employees who like money. Not that I have studied this in any detail, but my recollection of the cold war is that most spies turned out to be corrupt US (or UK, etc) nationals, not Russian employees.
I find the fact that the targets were source code repos very interesting.
If you are a super-smart black-hat villain who wants to plan a mass global attack, what better place to start than with Google and Adobe's source code?
I wouldn't be that worried on my home environment as I'm not that much of a target and am fairly wary of dodgy emails, but I'd prefer it if more major companies with expensive stuff that can be stolen take computer security a lot more seriously.
For example having white-listed software only able to run (of course engineers need to install stuff all the time so they might have to be a different case, but joe bloggs shouldn't need anything new - it can be assessed by security before installing).
> what better place to start than with Google and Adobe's source code?
Indeed -- and especially their auto-upgrade mechanisms.
There may yet be more to Google's anger that's not yet been revealed. What if the attackers didn't just look around, but changed (or tried to change) Google content/code at the source?
Well, sure. But as I understand it, most people at Google are running Linux on their desktops. I'd expect most browser testing to be taking place in VMs or on separate boxes, and under test accounts -- which would have made the level of infiltration described in the article more difficult.
I take this claim with a pinch of salt. It's a neat idea: exploit IE to install a sniffer that picks up Gmail passwords etc. on the local network, but the only "ultra sophisticated" bit of this I can tell is that the hackers did a really good job of covering their tracks.
The article mentions that your average cybercriminal is lazy, and I can believe that - you're only going to put as much time in to an attack that you're going to get out in financial reward. But if a commercial hack was going to bring about the same financial-level of reward, I bet the cybercriminals wouldn't be sloppy.
True, it may not have been as ultra-sophisticated as the article lets on, but the fact that there would be no obvious reason to pursue the attack on 34 different companies seems to belie the commercial-hack theory.
I had a similar train of thought, but in a slightly different causality ordering:
Places like google have a high potential for a high payout, and they know it. Therefore the cybersecurity is higher, requiring a better caliber of criminal.
"Although the initial attack occurred when company employees visited a malicious web site, Alperovitch said researchers are still trying to determine if this occurred via a URL sent to employees via e-mail or instant messaging or some other method, such as Facebook or other social networking sites."
It still needed an employee to make the usual "install the dancing pigs"-style gaffe while using IE6.
Also: Employees using IE6, inside Google, in 2010. Why weren't they using Chrome?
That'd be brilliant! Send a bug report that your site renders incorrectly in chrome but correctly in IE6. That's an almost guaranteed hit with a known browser!
"Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."
Good security is multi-layered. Just because they relied on an old trick to get their foot in the door, doesn't mean they have bad security inside or at more sensitive parts.
So in other words, I can launch an attack against any number of companies and organizations, and as long as I attack human rights activists' accounts, everyone will blame the Chinese government?
What do you even call that kind of disinformation? False flag doesn't seem to cut it.
This was ultra sophisticated, they used several layers of multi-encrypted malware to tunnel out and create reverse control channels. Not to mention used a 0day IE bug to install the malware in various targeted companies. This was gov sponsored...
Baidu already uses Hadoop's HDFS and MapReduce. They also support Hypertable. I would guess that they could probably put "something" together over time.
What I wonder about is what do they mean by "stealth programming"? I can think of just programming with white text on a white background, but that wouldn't serve any security related purpose.
From reading that, it's clear that the shellcode was obfuscated ('encrypting' it three times, though, would be unnecessary), but that's just a good way to muddle things up. Although from reading that it's obvious that it was a sophisticated attack in this day and age of cybercriminals who go for the easiest target available, nothing mentioned there hasn't been possible for almost any buffer overflow attack. Code obfuscation has been used for years for copy protection and to prevent static reverse engineering in general, and although nonstandard in exploitation, by no means unheard of. In my opinion a more impressive exploit would be one which used all printable ASCII (which also is possible).
On a side note, some of the terms used are either misused or just wrong: although the payload may have been obfuscated, 'encryption' at least to me implies separate key/decryption schemes, which don't really work well from a shellcode point of view. You'd be better off using a static 'encryption' scheme like ROT13, but that seems more like obfuscation in this day and age, particularly since the code to deobfuscate it would have to be built in.
TL;DR: I think they throw around 'encryption' in places where it doesn't make sense to use it because it makes it sound scary, and it doesn't seem like any of the techniques used were 'new' or somehow more sophisticated than what was previously possible.
For simple IDS evasion, at least, so that you aren't throwing up flags: it could've been done to make forensics much harder.
OK, so they use what's called packers to not only obfuscate the malware code to bypass signature-based A/V but also hide inside other binaries or DLLs to further evade heuristic defenses. Then a reverse encrypted tunnel for control of the infected machine was routed over normal HTTPS, also undetectable by IDS. It was to dynamic DNS domains such as yahoo1.dyndns.org. Reverse meaning it connects back to the attacker to allow ssh-like access to the compromised host via the trojan.
These are all extremely advanced (but known) evasion steps for a very targeted attack. It's rare to see all of them successfully used in one attack because of the complexity and skill required.
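The two evasion steps in the comment above (a control channel dressed up as HTTPS, and dynamic-DNS rendezvous names) each leave a checkable trace on the defender's side. The following is an added illustration, not code from the thread or from any of the vendors it discusses: it reads a constructed connection log (the line format, the dynamic-DNS suffix list and all hostnames except the page's own yahoo1.dyndns.org are assumptions) and flags port-443 flows whose first client bytes are not a TLS ClientHello, as well as flows to dynamic-DNS hosts.

```python
"""Flag outbound connections that do not look like the TLS traffic their
port claims, or that go to dynamic-DNS hosts. Constructed log format,
not the output of Zeek, Snort or any real tool."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Assumed: a small list of dynamic-DNS provider suffixes; a real deployment
# would keep a much longer, curated list.
DYNAMIC_DNS_SUFFIXES = ("dyndns.org", "no-ip.org", "no-ip.com")

# Constructed line format (assumption):
#   "<ts> <src_ip>:<sport> -> <dst_host>:<dport> first_bytes=<hex>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\w.\-]+):(?P<dport>\d+)\s+first_bytes=(?P<first>[0-9a-fA-F]*)$"
)


@dataclass
class Finding:
    ts: str
    dst: str
    dport: int
    reasons: List[str] = field(default_factory=list)


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the client's first bytes form a TLS handshake record carrying a
    ClientHello: record type 0x16, version 0x03 0x00..0x03, a 2-byte length,
    then handshake type 0x01."""
    return (
        len(first_bytes) >= 6
        and first_bytes[0] == 0x16
        and first_bytes[1] == 0x03
        and first_bytes[2] <= 0x03
        and first_bytes[5] == 0x01
    )


def is_dynamic_dns_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def analyse(lines: Iterable[str]) -> List[Finding]:
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines outside the constructed format are skipped
        dport = int(m.group("dport"))
        first = bytes.fromhex(m.group("first"))
        f = Finding(m.group("ts"), m.group("dst"), dport)
        if dport == 443 and not looks_like_tls_client_hello(first):
            f.reasons.append("port 443 but client data is not a TLS ClientHello")
        if is_dynamic_dns_host(m.group("dst")):
            f.reasons.append("destination is a dynamic-DNS host")
        if f.reasons:
            findings.append(f)
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2010-01-12T10:15:02Z 10.1.2.3:51234 -> www.example.com:443 first_bytes=160301009b01",
    "2010-01-12T10:15:09Z 10.1.2.3:51240 -> yahoo1.dyndns.org:443 first_bytes=160301009b01",
    "2010-01-12T10:16:31Z 10.1.2.7:51301 -> 203.0.113.7:443 first_bytes=48656c6c6f",
    "2010-01-12T10:17:44Z 10.1.2.3:51388 -> yahoo1.dyndns.org:443 first_bytes=deadbeef0000",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.ts, f.dst, f.dport, "; ".join(f.reasons))
```

The record-header check only catches tunnels that do not bother to imitate a real handshake; a channel that wraps itself in genuine TLS passes it, which is why production monitoring also looks at certificate details and the age and reputation of the destination name rather than the first bytes alone.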
If you encrypted or otherwise obfuscated the payload of the attack, it would make log analysis (particularly on the network level) difficult, and may help get around things like an IDS. It'd also make some forms of forensics much harder.
Google, congratulate you on your return to the embrace of mercy of the Lord. Yes, we are here to congratulate you, rather than mourning. When the sun finally shining in Jerusalem tomb of your Lengji, we will meet your resurrection.
Basically that paragraph is praising Google's decision to stand against the Chinese government and pull out of China (thus "return to the mercy of the Lord"). And the author is really celebrating and congratulating here (instead of mourning its possible absence in China due to government restrictions).
The last sentence is very poetic. I get the idea, but since I'm not Christian, I'm not so sure about the exact analogy. Anyway, the real meaning is that eventually freedom of speech will come to China, and at that time, we (the author and the Chinese people) will celebrate Google's return.
P.S. I cried a little bit after the paragraph. I guess I'm moved.
P.S. 2. Machine translating is never good at this kind of stuff... I'm native Chinese.
I've been trying to learn Chinese, and poking around Chinese websites with peraperakun occasionally. Every time I come across a WTF sentence like that, I wonder whether maybe I've bitten off more than I can chew.
I guess poetic sentences are always hard to get right, if you don't really grow up in that culture, just like I have a lot of trouble with some essays in English. Well, if you keep learning, eventually you'll get there :)
There are a large number of secret house churches in China. They are illegal though and hosting one or participating in one can land you in jail or worse.
Doesn't stop them though so the author may be one of those.
I don't really get the part with Russian nested dolls.
Was it like this?:
For example, there is a code which is encrypted three times. And that crypt-code by itself is executable which decrypts itself into another executable, and so on.
I'm not impressed with the Russian doll encryption. Like with DRM, you have to give away the keys to your users. So the analysts had to work a little more than usual to examine the code. Big deal. There was never a question of if they would be able to analyse it, but just how long it would take. There must be something else they have not disclosed that is making them take notice.
Maybe the point of triple encryption was to make it less likely for scanners to find it in a routine scan? The people who did this certainly knew that once they were found it was over; they were just trying to delay being found a bit.
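The comments above describe the triple-wrapped payload as a way to slip past routine scans and make analysis slower. The other side of that trade-off is that an encrypted or packed section looks nothing like code or text statistically, and scanners exploit exactly that. The block below is an added illustration, not code from the thread or from any scanner vendor: it computes sliding-window Shannon entropy over a constructed buffer (1024 bytes of readable text followed by 1024 bytes from a seeded PRNG standing in for a packed section) and shows that the byte signature matching the plain section finds nothing in the packed one, while the entropy heuristic flags it.

```python
"""Sliding-window Shannon entropy over a binary, the heuristic that AV and
forensic tools use to spot packed or encrypted sections that byte
signatures cannot match. The sample buffer is constructed, not a malware file."""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for a uniform
    distribution over all 256 byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 512,
                         threshold: float = 7.0) -> List[Tuple[int, float]]:
    """Return (offset, entropy) for every full window above the threshold.
    Plain text sits around 4-5 bits/byte; compressed or encrypted data is
    close to 8, so 7.0 separates them with margin for 512-byte windows."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            hits.append((off, round(h, 2)))
    return hits


def signature_present(data: bytes, signature: bytes) -> bool:
    """The classic AV check: an exact byte pattern."""
    return signature in data


# Constructed sample: readable text, then bytes from a seeded PRNG that
# stand in for a packed/encrypted section.
PLAIN_SECTION = (b"The quick brown fox jumps over the lazy dog. " * 23)[:1024]
_rng = random.Random(1234)  # fixed seed so the sample is reproducible
PACKED_SECTION = bytes(_rng.getrandbits(8) for _ in range(1024))
SAMPLE = PLAIN_SECTION + PACKED_SECTION
SIGNATURE = b"lazy dog"  # stand-in for a signature derived from the plain form


def scan(data: bytes = SAMPLE) -> Dict[str, object]:
    """Run both checks over a buffer and report what each found."""
    return {
        "signature_hit": signature_present(data, SIGNATURE),
        "high_entropy": high_entropy_windows(data),
    }


if __name__ == "__main__":
    result = scan()
    print("signature found:", result["signature_hit"])
    for off, h in result["high_entropy"]:
        print(f"window at 0x{off:04x}: entropy {h} bits/byte")
```

On the constructed sample the signature hits only because the plain section is still there; a real packed file carries only the wrapped form, and the entropy windows at offsets 1024 and 1536 are what remains visible to a scanner. High entropy on its own is not proof of malice, since compressed resources and legitimate installers look the same, so it is a triage signal that earns a sample closer inspection rather than a verdict.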
The source for Cisco's IOS has been in rogue hands for quite some time. The Chinese network equipment manufacturer Huawei was caught selling routers in the running IOS with only cursory changes back in 2003. Identical CLI, identical features, identical bugs.
I think we must assume that the source code for most major products is available on the black market.
It seems to me that the word "sophisticated" is being misused here. Rather, I would say "knowledgeable."
If you, even within your general field (say mathematics), talk to an expert, he will easily give you arguments that will seem sophisticated to you, and simple to him. He's spent more time learning, getting familiar with, and thinking about those arguments, and that's the simple reason.
Here, the Chinese government is through a nationalistic sentiment endorsing hacking and education about the same. It is a large country, and many of the people conducting the attacks were not amateurs, using already established techniques. They were professionals, I wager, learning, getting familiar with, and thinking about how to attain their hacking-goals.
An educated person, in any subject, will seem infinitely more sophisticated than a non-educated one. And I argue that China, more than anybody else, invests into young men doing just that.
The sophistication and determination of this attack actually makes Google's actions more plausible.
By walking in and trying to take what it viewed as Google's most valuable assets, the Chinese state signaled that Google would never win in China. The playing field wasn't just rigged by one or another form of low-level favoritism. The state at a fairly high level had decided it was going to 'p0wn' all the competition. So at that point, it was pretty obvious Google had nothing to lose by leaving China and perhaps even more intellectual property to lose by staying.
I find your argument pretty sound, but I was wondering, is there any 'evidence' that this goes up to the Chinese state, except the fact that civil rights fighters' accounts were targeted?
Really not that much. Once you find a good exploit, the payload code is copy and paste for a lot of it. The payload issue is a solved problem with lots of available source code and knowledge out there for free.
I'm guessing they're leaving out the "sophisticated" details of the compromise. Using encryption to hide your malware from virus scanners and using some computer "social engineering" (ssl connection) is not very sophisticated. I don't understand why it needs to be sophisticated? Because it's Google? It's known that some of the largest viruses have spread to government computers (sobig).
“The encryption was highly successful in obfuscating the attack and avoiding common detection methods,”
One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection
Because it's a lose-lose proposition. If I get it right, I'm helping some other schmuck break into people's systems. If I get it wrong then I'm the schmuck.
And yes, people will learn to break into systems without my help, and yes, openness is the best defense we have against these things. I've just decided I'm just not going to put anything out there that could possibly be used like that.
I tell you one of the reasons why: about twelve years ago, back in the Windows 3/95 days, I got a call from some stock brokers in New York. They wanted to know basically how to spy on their employees.
So I sketched out a system where software would take pictures of their desktops every few seconds -- this was a long time before such software ever existed. I also sketched out several ways you could keep the software from being detected.
I never knew if they wrote the system or what happened to my design, but it never sat well with me. I always wished I could have gone back and not provided them with the information.
> I never knew if they wrote the system or what happened to my design, but it never sat well with me. I always wished I could have gone back and not provided them with the information.
This is the least favourite part of my job too. I have a couple of uncomfortable memories from university days when I ran my mouth about some little ideas.
I'm pretty sure the bad guys aren't going to gain much by any vague sketches of an approach that apparently requires a whole modern state to execute... The original is specific in points...
And there are zillions of reasons for people not to reply to my post. I know I'm not always that interesting...
Their effort to obfuscate their tracks does sound pretty nifty, but part of me is disappointed that it all depended on the target clicking on something they shouldn't have. Glorified phishing schemes just don't have the pizazz of a remote buffer overflow exploit, for example.
This kind of attitude has to stop. "Glorified phishing" might not have pizazz, but it was DAMN effective in this case. Why go to the trouble of finding, coding, exploiting an increasingly difficult target when end users will do all the work for you?
This is the kind of scenario that gives security people nightmares. It takes VERY sophisticated processes and technology to find covert backdoors on your network, and very few places devote the manpower or $$$ to the effort.
Effective or not, sending some bad links to a bunch of Google employees and hoping one of them clicks is not a 'VERY sophisticated process'. It's just a good example of how users will always be the weakest link in securing a network.
Opening up a page in a web browser ought to be a safe operation. Letting that page start a plugin, or running something it downloads, or flat out using IE for an unknown link, then I'd be more inclined to blame the user.
(This is why I use Foxit for PDF reading, I don't have a PDF plugin enabled in my browser, PDFs download to disk, and similarly QuickTime, RealPlayer, WMP etc. plugins are all disabled, with only Flash enabled but controlled via FlashBlock.)
Why are they routinely using IE6 (or any IE)??? Firefox + NoScript + AV = much harder. Acrobat is bloatware, there are alternatives. Scripting should not be allowed in Acrobat by default. Using IE6 with scripting enabled is just asking for trouble. Ultra sophisticated meets ultra outdated.
Sorry, this article lacks real detail. Sounds like standard fare -- an IE vulnerability, malicious emails, "several layers of encryption?" Sorry...not impressed.
“The initial piece of code was shell code encrypted three times and that activated the exploit,” Alperovitch said. “Then it executed downloads from an external machine that dropped the first piece of binary on the host. That download was also encrypted. The encrypted binary packed itself into a couple of executables that were also encrypted.”
One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection. This allowed the attackers ongoing access to the computer and to use it as a “beachhead” into other parts of the network, Alperovitch said, to search for login credentials, intellectual property and whatever else they were seeking.
The Chinese government has all the source code of Windows systems:
http://news.cnet.com/2100-1016_3-5083458.html
Including:
Windows Vista, Windows XP, Windows Server 2003, Windows 2000, Windows CE 6.0/5.0/4.2 (PSK), Microsoft Office Pro 2003, Microsoft Office Systems
It's reviewed by top three Chinese universities and other three government agencies.
The Party is the new overlord of 0day farmers.