Any computer, anywhere?

http://m.washingtonpost.com/business/technology/2013/12/06/352ba174-5397-11e3-9e2c-e1d01116fd98_story.html

Noticed this tonight.. Not saying the WP is always on target, but what software could be installed via a browser on any computer to gather all of that data? And how would it be done without the OS speaking up about it? Far fetched.. Or do the Firefox / chrome guys have some 'splainin to do?

The wording sounds like it was tied to his yahoo account
Tammy

My first thought as I read the article Friday evening was that they were
attempting to exploit a vulnerability in a popular application (first
guess: Adobe Flash) in order to execute arbitrary code -- at which point
they have full control of the victim's PC and can do (or install)
whatever they want.

    "A software update to a program the surveillance software was
    planning to target, meanwhile, raised fears of a malfunction,
    forcing the FBI to refashion its malicious software before sending
    it to Mo’s computer."

However, the article also states that:

    "Federal magistrate Judge Kathleen M. Tafoya approved the FBI’s
    search warrant request on Dec. 11, 2012, ..."

    "The surveillance software was sent across the Internet on Dec. 14,
    2012 ..."

December 11, 2012 fell on a Tuesday. More specifically, it fell on the
second Tuesday of the month, a.k.a. "Patch Tuesday".

Perhaps it was a vulnerability in Microsoft Windows itself, then, that
they were attempting to exploit? Six of the seven vulnerabilities fixed
that month "could allow remote code execution". Internet Explorer and
Microsoft Office were among the affected software, according to
http://technet.microsoft.com/en-us/security/bulletin/ms12-dec.

    "... but the FBI’s program didn’t function properly, ..."

Oops.

/p

"The goal of the software was to gather a range of information ‚ÄĒ Web sites
     he had visited and indicators of the location of the computer..."
That's available from just the browser - don't need to install any
software on the computer. Altho if the browser is exploitable
  http://www.wired.com/threatlevel/2013/08/freedom-hosting/
    The malware showed up Sunday morning on multiple websites hosted by the
    anonymous hosting company Freedom Hosting. That would normally be
¬†¬†¬†¬†considered a blatantly criminal ‚Äúdrive-by‚ÄĚ hack attack, but
nobody’s calling in
    the FBI this time. The FBI is the prime suspect.

  https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
    To be clear, while the Firefox vulnerability is cross-platform, the
    attack code is Windows-specific.

Regards,
Lee

I've been getting several of these (empty messages) from different people and on different subjects but always on the NANOG list.

Secret messages? Or is NSA sucking too hard?

I confirm I've been seeing the same thing.
I've also been seeing more duplicate messages than I would attribute to
someone sending twice.

Confirming I've also been receiving blank messages. Most recently Michael Browns email sent at 9:13am 12/8/13

Let's remember that the information in the article was filtered through no less than two people who don't fully speak tech. I think I can translate it back:

¬ęThe FBI crafted a custom piece of malware targeting Mo, designed to snoop his activities . A link was emailed to Mo in a spear phishing attack in an attempt to get hin to download and install the malware from the FBI's monitored servers.

The attempt failed; the software was downloaded but never executed in a manner enabling the software to send back information to the FBI.¬Ľ

Nothing too special. I wonder if Mo had the balls to submit the software to Sophos etc. for malware analysis. :slight_smile:

M.

This I can solidly attribute (at least in my case) to the fact that BlackBerry 10 devices only send emails with a text/html part and no text/plain part.

I've seen this cause problems in a few places - notably in services that automatically parse emails for replying to forums/chat/etc. (Discourse & kato.im and now the nanog list which strips text/html). Somewhere I have a nice little python snippet I wrote for extracting text out of the html.

It's convenient when you're *expecting* it (you can use the html div information to separate out the actual reply vs. the signature vs. the quoted text) but when you're expecting to be able to use text/plain, it's just not there.

(arguments over who is being a worse Internetizen - BB for not having text/plain or Mailman/Mimedel for stripping out text/html when there's no text/plain are not included in this :smiley: )

M.

Not really; it's well within the realm of possibility, and not even
unlikely.
The answer about what software could be installed that way, would be
taylor-made covert software; plenty of that is known to exist.

Law enforcement would have it well within their ability to potentially
intercept and modify traffic on web pages accessed by the user, and inject
targetted exploits into the user's in-flight data connections.

Software can be installed via the browser through a variety of vectors;
mostly vulnerabilities leveraging Javascript, browser-specific flaws,
viewer flaws, API flaws such as fonts, or plugins such as Java,
Silverlight, Flash, Quicktime, or Adobe reader.

Then a sandbox defeat, and privilege escalation using a variety of
unpublished exploit techniques.

Once that has occured; software may be deployed undetectably and
persistently in a variety of ways. A payload specific to the target may
be downloaded and configured in the background.

It is also possible, that the malware may simply modify existing programs
such as the operating system running in RAM --- diskless malware that
doesn't save a copy of itself, but reinfects the system after a reboot,
when the user browses the web again, and the exploit kit is launched
again.

Same here, they are written with invisible bits, like invisible ink. You have to drop some special lemon juice on your email client to be able to see it.

-Jorge

1 Like

Lemon juice as promised, to be applied prior to de-HTML-izing email:

http://stackoverflow.com/q/20462965/93180

M.