In its latest quarterly Critical Patch Update, Oracle has acknowledged and repaired two security bugs identified by Sjoerd Resink, Senior IT Security Expert at Fox-IT.

The bugs were discovered during one of Fox-IT’s penetration testing assignments in version 10.1.4.3 of Oracle Application Server’s Single Sign-On component.

The first security issue, numbered CVE-2012-3175 by the Common Vulnerabilities and Exposures index, is rated as a 4.3 CVSS risk by Oracle and would allow an attacker to use web applications based on Oracle Application Server as an “open redirect”, i.e. to abuse the public’s confidence in a site to send people a link to a trusted website that would actually result in an automatic redirect to another, potentially malicious, web site. Attackers could also abuse such a vulnerability in specifically targeted phishing attacks (“spear phishing”).

The second bug (CVE-2012-0518), is actually a collection of three “Cross-Site Scripting” or XSS vulnerabilities in Oracle Application Server. It is also risk-rated at 4.3 by Oracle but is potentially more serious (in our opinion, the CVSS vulnerability scoring system tends to under-rate XSS issues). By sending people specially-crafted links to a web application based on Oracle Application Server, attackers can run Javascript code in the context of the vulnerable application. This means that an attacker can control how an application looks, and what an application does, if a user goes to the application through the attacker’s malicious link. It enables attackers to obtain passwords and/or take control of user sessions in the application in whatever way (s)he chooses.

One of the XSS issues is also undetected by Microsoft Internet Explorer’s XSS filtering feature. Another of the 3 XSS issues we reported to Oracle appears to have been first discovered in 2009 by the “Hackers Center Security Group” because it is described accurately on this web page.

Fox-IT recommends that all installations of web applications based on Oracle Application Server be upgraded with the latest Oracle Critical Patch Update as soon as possible.

Nederlandse overheid komt met cyberwetgeving

Terughacken als wapen tegen cybercrime kan niet zonder wettelijke basis. Het werkt wel, mits met de juiste voorwaarden omkleed en alleen als uiterst middel gebruikt, om burgers tegen cybercriminelen te beschermen. Nu is hét moment voor de politiek om problemen en oplossingen in cyberspace in kaart te brengen en zich aan een ‘zeerecht’ voor het internet te wagen, vindt directeur Ronald Prins van Fox-IT. Zijn opinie.

‘Sinds het aantreden van minister Ivo Opstelten van Veiligheid en Justitie in 2010, oefenen de diensten die verantwoordelijk zijn voor de opsporing en vervolging van cybercrime, druk uit om meer bevoegdheden te krijgen om buitenlandse internetcriminelen aan te pakken. Nu exact twee jaar later heeft de, inmiddels demissionair, minister in een brief aan de Tweede Kamer aangekondigd met cyberwetgeving te komen.’ Bij Fox-IT kijken we met belangstelling uit naar deze nieuwe wet. Want ondanks dat we vaak weten waar de buitenlandse servers staan van waaruit cyberaanvallen worden gepleegd, kunnen we nu niets doen zonder wettelijke basis. Nederland ervaart veel overlast van cybercrime. De huidige regelingen om deze groeiende vorm van criminaliteit te handhaven zijn beperkt en niet effectief genoeg om criminelen te stoppen en burgers te beschermen. Het internet is per definitie een terrein dat los van nationale grenzen staat en dat moeten we ook zo houden. Maar het mag niet betekenen dat strafbare feiten zonder consequenties gepleegd kunnen worden. Immers, de slachtoffers zijn échte mensen, met reële schade, en geen virtuele figuren in een virtuele wereld. Wetgeving, vergelijkbaar met het internationaal zeerecht, helpt burgers te beschermen en maakt cybercrime voor daders minder aantrekkelijk.

Wachten op medewerking

Het Bredolab botnet, 2010: via de servers bij een bedrijf in Nederland worden zo’n 30 miljoen geïnfecteerde computers aangestuurd door een crimineel vanuit het buitenland. De Nederlandse politie heeft dit botnet een halt toegeroepen door in te breken op de Nederlandse servers en de functionaliteit van het botnet zelf gebruikt om de besmette computers op te schonen.

Anders ligt het bij de recente uitbraak van het Dorifel-virus: de verdachten zijn niet direct op te pakken. Reden: de politie heeft niet de bevoegdheid om in de buitenlandse computers van cybercriminelen in te breken, bewijsmateriaal te verzamelen en de command and control servers onschadelijk te maken.

Met meer bevoegdheden om de acute dreiging van het recente Dorifelvirus offline te halen, had de politie dit binnen een paar uur kunnen doen. Nu heeft het stopzetten van nieuwe besmettingen dagen moeten duren. Als samenleving vinden we het onacceptabel dat gemeenten, bedrijven en overheidsinstellingen niet meer konden werken omdat het Dorifel-virus zich kon blijven verspreiden. Dit alles alleen doordat een hostingprovider in het buitenland niet direct meewerkte met het verhelpen van het probleem.

Een verzoek naar het buitenland duurt weken zo niet maanden en dat is maar één stap in het onderzoek. Informatie is vaak al weg omdat iedere willekeurige partij in ieder willekeurig land een notice and takedown kan doen of dat de crimineel zelf zijn sporen opruimt. De data op een server wordt steeds vaker versleuteld opgeslagen waardoor een kopie van een server geen tot weinig waarde heeft. Wel zijn gegevens over welke informatie de dader heeft gestolen en wat mogelijk is gebruikt/misbruikt is, alleen beschikbaar op systemen van de aanvaller. Sporen die wijzen naar de dader zijn vaak alleen te achterhalen door in zijn eigen infrastructuur in te breken.

Minister Opstelten erkent dat er behoefte is aan nieuwe regels voor grensoverschrijdende bestrijding en voorkoming van cybercrime. Hij constateert ook dat wetgeving en internationale afspraken zijn achtergebleven. Het is daarom goed te merken dat het vorige Kabinet de samenwerking wil versterken met landen die voorop lopen met cybersecurity. Zoals een aantal Europese landen, de Verenigde Staten, Australië en in Azië bijvoorbeeld Singapore. Maar concrete oplossingen zijn nog niet in zicht. Dat is misschien ook niet zo vreemd als je je bedenkt hoe gevoelig het uitgangspunt van nationale soevereiniteit in sommige landen ligt. Want hoe halen we het in ons hoofd om te gaan grasduinen in computers die in andere landen staan? Volgens mij heeft de angst hiervoor alles te maken met hoe je tegen het internet en zijn grenzen aankijkt. Als een server in de Oekraïne staat, zich alleen op Nederlandse slachtoffers richt, alleen impact in Nederland heeft en vanuit Nederland te bereiken is, dan heeft de Nederlandse justitie er meer zeggenschap over dan het land dat toevallig de stroom voor de server levert. Het is wel een vraag die je per incident goed moet stellen. Betreft het bijvoorbeeld een gehackte server van een keurig Oekraïens bedrijf, dan moet je er een stuk voorzichtiger mee omgaan. In dat geval heb je ook best een goede kans dat het bedrijf na het belletje de server onmiddellijk uitschakelt.

Moeten we andersom tolereren dat buitenlandse politiediensten op computers in Nederland rondkijken? Dat zou dan een logisch gevolg zijn. Als het bijvoorbeeld gaat om een gehuurde virtual private server van zo’n twintig euro per maand, gehuurd door een Oost-Europese criminele organisatie, dan is het verstandig dat het andere land de opsporing zelfstandig afhandelt. Het is natuurlijk wel zo prettig als er op zijn minst een notificatie naar de autoriteiten gaat, dat er een online ‘huiszoeking’ heeft plaatsgevonden.

Rechtshulpverzoeken

Het gaat om bevoegdheden die niet alleen voor Nederland gelden, maar ook de ruimte bieden om ‘niet-identificeerbare’ computers in het buitenland binnen te treden. Nederland is het eerste land dat dit zo expliciet en vergaand in de wet wil regelen. Waarom is het mogen terughacken van belang? Omdat veel digitale delicten alleen digitale sporen achterlaten. Je moet dus ‘door het internet heen kunnen kijken’ om uiteindelijk tot echte identiteit te achterhalen en een verdachte te kunnen aanhouden. Als het een Nederlands spoor betreft, komen we een heel eind. Maar zodra het bijvoorbeeld gaat om een rij aaneengeschakelde proxyservers die uiteindelijk uitkomt in de Oekraïne, ben je op dit moment zeker een aantal weken bezig met rechtshulpverzoeken.

Geen paardenmiddel

In geval van een aanval op de nationale veiligheid, bijvoorbeeld op de vitale infrastructuur in Nederland, ben ik van mening dat het soms nodig is om zonder toestemming van buitenlandse autoriteiten ‘terug te hacken’. Ik realiseer me dat dit een bijzondere bevoegdheid is. Zowel het schenden van privacy als het schenden van de soevereiniteit van andere landen zijn zorgpunten. Ik hoop daarom ook dat daarmee goed rekening wordt gehouden bij het definitief vaststellen van de wet. Het moet in mijn ogen niet zo zijn dat de politie dit paardenmiddel mag inzetten voor elk onderzoek waar het wel ‘handig’ lijkt. Het mag pas ingezet worden als afgewogen is dat minder ingrijpende middelen echt niet werken en een noodzaak voor snel ingrijpen bestaat. Het moet toch mogelijk zijn om in internationaal verband afspraken te maken over het bestrijden van cybercriminaliteit? Vergelijk het met het internationale zeerecht: als een Nederlands schip in internationale wateren wordt aangevallen, komt onze marine ook in actie. Dat zou op internationale internetterritoria ook moeten gelden.’

Ronald Prins,
Directeur Fox-IT

Recently the Internet has been abuzz with news of an unpatched (0-day) exploit for the latest version of Java. The vulnerability is critical because it can exploit a fully patched version of Windows, Linux or Mac OS X. Also, it can do all this without users knowledge or consent. All that is needed is have Java 7 installed and a visit to a website that contains a malicious Java applet. A patch from Oracle that addresses this vulnerability may not be released until the 16th of October.

In the past week, Fox-IT detected attempts to exploit the Java vulnerability on a large scale. The perpetrators did not use the code that everyone is concentrating on. In this case some malicious JavaScript was first used to load the Java archive into the clients Java virtual machine. Subsequently, it was checked if the client was running Java 7, which is the version of Java that is vulnerable. If the system is vulnerable, it was attacked with custom exploit code. Once the jar is executed, a malicious exe is downloaded and then the computer is compromised. It is reassuring to know that even if someone attempts to compromise systems in a new way and uses a known methodology to do so, it can still be detected; as was the case here.

The executables that were dropped by the exploit code consisted of a new sample of the Hermes Trojan, and various versions of ZeuS including Citadel, Ice-IX, Gameover-ZeuS and other customized versions. Analysis of the Hermes sample, as well as the command and control servers that it was configured to connect to, has shown that the perpetrator of this attack was previously responsible for the large scale infections by Dorifel using a Citadel botnet, as described previously on our blog.

Interestingly enough, the exploit code that was used to exploit unsuspecting visitors appears to have been compiled on August 17th, which predates most known exploits for this vulnerability, even the one referenced in other blog posts related to a targeted attack using an exploit kit from East-Asian origin. The timeline makes it interesting, as it is even closer to the date that the VulnDisco Java 0-day was announced on the 10th of August. It could very well be that the vulnerability was circulating in the underground and some people picked it up along the line, or even that someone ripped it from VulnDisco.

The variety of malware that was distributed suggests this exploit kit is used as a service, which was recently discovered when large amounts of traffic were sent to it originating from compromised OpenX servers that are used for advertorial purposes. One of the compromised OpenX servers was amongst others used by OmroepWest.nl. Much more effort was put into this exploit to make sure that it would not be detected by Anti Virus products when compared to the other exploits in the wild. Additionally, the domains that were used by the exploit kit were changed frequently to avoid blacklisting and the IP addresses were often rotated as well. The domains were sub-domains of the popular DynDNS service: dyndns-at-home.com, dyndns-ip.com, dyndns.biz, dyndns.info, dyndns.org and dyndns.tv. The type and variety of malware that was distributed to various countries, suggests that it was likely that it was actively offered in the Russian-speaking underground community in the past weeks.

The unpatched Java vulnerability poses a severe security risk, as the software is widely used on systems in corporate, consumer and governmental environments. The vulnerability can be exploited to compromise Windows, Mac OS X and Linux systems. Given the amount of systems that can be affected, the readily available exploit code and the expectation that the vulnerability will not be patched for a significant amount of time, it is only a matter of time before this vulnerability will be exploited in even greater numbers. Also with the 0-day exploit having been added to the most popular exploit kit out there, Blackhole, we expect that the exposure of systems will become even higher as will the success rate of exploitation.

To protect oneself it is recommended to uninstall Java, unless it is used for tasks that are essential. In those cases, it is recommended to disable Java in the web browsers that are installed on the system. References to guides how to disable Java in some of the most used browsers: Chrome, Firefox, Safari.

Update 31-8: Oracle has issued an update to Java 7 which addresses the vulnerability. More details here.

Update 3-9:  The earlier mentioned compilation date of the 17th of August was not related to the actual 0day exploit directly, we shared the samples with the industry and Moshe Basanchig from Trustwave responded that the earlier files found, only appeared to exploit CVE-2012-1723, and not CVE-2012-4681. All Jar files were exploiting CVE-2012-1723 and used the same obfuscator and had similarities due to the CVE-2012-1723 exploit and referenced ProtectionDomain, hence my confusion. Only the files from the 27th of August and onward exploited CVE-2012-4681 for 1.7 versions of Java and CVE-2012-1723 for other versions. Thanks to the excellent practical analysis of Immunity’s Esteban Guillardoy  it was easy to verify. Sorry for any confusion this might have caused.

It is interesting as the exploit kit appeared to gain traction on the 22nd of August and has distributed a large variety of malware which we expected to be related to the java 0day exploit, but it is not. While this exploit kit is definitely of a managed variant it also has some different properties. For example, another centrally managed exploit kit commonly referred to as Redkit, allows one to upload an executable and send traffic (visitors) to the exploit kit. The individual customers are differentiated using a numbered file which corresponds to the customer account and after successful exploitation the relevant customer malware is installed. Also the Bomba exploit kit (2010) and Incognito exploit kit (2011) are references of this type of service.

In this case however there is no distinguishing of customers to the exploit kit, all traffic has an identical landing page, and the only difference being made is the geo-location and relevant malware offered for that country is installed. This type of service is called a loads service where a customer pays for an X amount of infections for a certain country or list of countries. Another example of such a loads service was the Bredolab related loads service in 2010, which had huge volumes of traffic being converted into infected systems.

Still I am surprised by the amount of different malware that has been distributed by this service using dyndns domains, since it was only recently started, so it remains a mystery to me why it is suddenly so popular. The seemingly randomly generated domains which lead to this exploit kit are generated by a javascript domain generator which used a set of keywords and selects 4 keywords based on input parameters which are Hour, Day, Month and Year. The domain generator which was in use, is no longer used at this moment as the domains are not active.

The keywords used:
fox v junk five n r man out yes u qw solve but ea x im low zero go one too seven zeta do four key dry nine wide park hi a echo six two code

Generated domains:
date: 0:00 28-8-2012
domain: hxxp://foxwidecodea .dyndns-at-home .com
date: 1:00 28-8-2012
domain: hxxp://vparkfoxecho .dyndns-at-home .com
date: 2:00 28-8-2012
domain: hxxp://junkhivsix .dyndns-at-home .com
date: 3:00 28-8-2012
domain: hxxp://fiveajunktwo .dyndns-at-home .com
date: 4:00 28-8-2012
domain: hxxp://nechofivecode .dyndns-at-home .com
date: 5:00 28-8-2012
domain: hxxp://rsixnfox .dyndns-at-home .com
date: 6:00 28-8-2012
domain: hxxp://mantworv .dyndns-at-home .com
date: 7:00 28-8-2012
domain: hxxp://outcodemanjunk .dyndns-at-home .com
date: 8:00 28-8-2012
domain: hxxp://yesfoxoutfive .dyndns-at-home .com
date: 9:00 28-8-2012
domain: hxxp://uvyesn .dyndns-at-home .com …

The last domain in the list can be seen in the wireshark traffic log as seen in the blog, with a matching timestamp.

Barry Weymes, Michael Sandee et al.

Most Zeus trojan infections use HTTP for communication. There are however versions of Zeus that use P2P technology, but they are the exception. Once a computer is infected, Zeus must connect to the command and control (CnC) server for settings and instructions. The usual way of doing this is to use a HTTP POST.

When Zeus uses HTTP, it leaves the referer field in the HTTP header empty. Note the “-” which is the referer field.

POST hxxp://studioustwnfor.su/dpl/nbsdus.php HTTP/1.1" - - "-" "Mozilla/4.0 
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET 
CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C; .NET4.0E)"

The interesting thing about these malicious POST’s are that they look nothing like normal legitimate traffic. If someone was to login to a website with HTTP, such as a blog login page, the POST response has a referer field in the header. Another important thing to remember is that normally logging into a web service will only take one or two POST responses. A typical Zeus CnC communcation will be every 5 minutes at slow times and anything up to 10 every second at peak times. These two attributes together make detecting this type of communication possible.

Detecting such an anomaly is not as easy as you would think however. There are many possiblities for false positives. Online radio, SOAP, SAP, and antivirus vendors communcations are just some exceptions that need to accounted for, but it is possible after some training of the detection engines.

Detection of these malicious POST’s will also show communication for malware other than Zeus. Other malware using HTTP to communicate also don’t add a referer. For example, a fast(ish) flux dropper was changing the domain it sent data to regularly, to avoid detection but was caught because it didn’t have a referer:

"POST hxxp://195.16.89.60/insight/flourence?banner_id=
386514&yjuov=ZJRWYZFTYdsvwIwawGTZRgau0atHx3OB HTTP/1.1" - - "-"

"POST hxxp://for.quickbarber.co.uk/booking/read?page=
120&yjuov=ZJRWYZFTYdsvwIwawGTZRgau0atHx3OB HTTP/1.1" - - "-"

P.S. If you’re a malware developer, please disregard this blog post! We like detecting malicious communication, the way things are…

Barry Weymes
Security Specialist

A little over 2 weeks ago Microsoft announced operation B71. It was being brought as the biggest blow to ZeuS botnets in history, and was picked up in the media globally. A released movie showed Microsoft personnel executing a preliminary injunction in a civil case and seizing a server in Scranton, PA. In their words: “Hopefully this action will disrupt not only one but multiple botnets and allows Microsoft to get visibility into the criminal organization which really runs and develops the ZeuS family of malware”. A spokesperson for FS-ISAC said, “we have sat back and we have taken it, I think we need to go onto the offensive.” Also the former DHS Cyber Chief mentions that for Microsoft and the Financial Industry to combat these types of threats they need to work together. A spokesperson for NACHA mentions that fighting these threats is not as easy as finding individuals or groups that are causing these problems, but that they operate in very intricate networks in a very sophisticated way. Mr. Boscovich from Microsoft adds that they are very technical and very hard to identify and that they are hard to prosecute criminally.

We have some reservations on this whole operation, which in light of the above statements, will become very twisted and will leave you with an uneasy feeling. I suggest reading the entire article, so you can form your own opinion. Microsoft has actually released the affidavits (statements of facts) and accompanying documents on a website reachable at http://www.zeuslegalnotice.com/.

We have waited with publishing this response in anticipation of Microsoft publishing a statement of rectification on their recent operation b71 regarding some of the background on events that took place. This blog post will detail that background to some extent, so that the public knows and also the Microsoft customers and partners in this Operation b71 know what Microsoft did in order to offer their so called protection of their customers.

Seizing servers

So the movie shows that Microsoft seized one server. In total there were two servers seized, one containing an installation of a ZeuS variant named Ice-IX. This is a commercially available kit based off of the leaked source code of the original ZeuS. The other server functioned as a SpyEye controller, which was a Trojan very popular in 2011 but its popularity declined dramatically by the end of 2011 due to lack of updates. Ice-IX is 99.9% the same as the original ZeuS with some small additions and modifications. The last available SpyEye backend code was also freely downloadable from ‘The Internet’, so that is not going to reveal anything new.

If the code on these servers is not interesting what else could they have been looking for? Would Microsoft be able to find something linking to the actual criminals running these two seized servers? Very unlikely, especially with servers like these which are not bulletproof hosted. The criminals know those systems are going to be taken offline sooner or later and might be inspected. So they will leave as little or no information on these systems and also often the logging of the server is disabled, or if it is not, it only contains an IP address of a VPN gateway or Socks proxy that the criminals used to manage the server. All in all, we expect this will not reveal any information … at least not the supposed “visibility into the criminal organization which really runs and develops the ZeuS family of malware” as stated in the released video. One of the botnets was up and running again within 24 hours of the takedown on a brand new c&c server and continued with its business as usual.

Seizing domains

Another thing Microsoft did was seize a large number of domains used by ‘criminals’ for the purpose of pointing the malware on infected systems to the actual IP address of the C&C server. Not only for making communication to those domains impossible, well actually not at all, instead the domains were pointed to nameservers under control of Microsoft on the 24th of March 2012. The nameservers used were NS1 and NS2 at microsoftinternetsafety.net. Among the large set of domain names were old domains (from early 2011), parked, unused, expired and also legitimately used domains. This proves there was little to no verification done on the data by Microsoft or the Judges in this case. Looking for example at the .nl domains (page 14 of Prelim_Inj_Pt4.pdf) we see a number of sites which are just legitimate. Perhaps at some point in time these were used as an update server, redirect server or proxy for C&C traffic. This also directly indicates a lot of mislabeling of domains and their purpose, which as we now know was not just the case for the .nl TLD. For sure Microsoft has a very liberal interpretation of the word dropzone for example.

Now a problem occurred because a lot of the domains were not registered by criminals but by security companies and NGOs, who use these domains to look for communications by infected systems, with the intention of using it as a feed for ISPs and similar organizations to indicate that systems have been compromised with a Trojan. This process is called sinkholing, often this occurs through the registering of backup domains or domains generated by a domain generating algorithm. So these security companies and NGOs lost a part of their domains and thus a part of their intelligence feed, and were also marked as being potentially a contact for the criminals. These mistakes have not been fixed at the time of writing over 2 weeks after the domains have been seized, which can be easily observed as the sinkholed domains are easily recognizable.

An even more interesting part of this paragraph, is actually in the affidavits, linked above. In Debenham_Decl_Part_1.pdf act 113 it is mentioned that regarding the seized domains that are pointed to Microsoft controlled DNS servers, the A record will point to a server that has the following property: “The Microsoft computers are configured to capture only the IP addresses of computers that are attempting to establish contact. They are deliberately configured to break-off the communication before any content is received.”

An interesting statement as this is far from the reality of how it works. A simple test will show that a connection is actually setup completely to at least to port 80, port 443 and port 8080, with a full TCP handshake. This is already more than described above. Then the server will receive data, which includes not only a single packet of data, but multiple. At the end of Microsoft they are actually processing the packet data, seemingly specifically for HTTP formatted data. This means (and yes we tested it) that Microsoft will received the HTTP request with full headers and actually also POST data which will contain sensitive information about the victims, including usernames, email addresses , passwords and personally identifiable information. This definitely indicates that it is different from what was stated in the affidavits.

Statements and facts presented by Microsoft

In the affidavits you can find a great deal of that information that is freely available on the Internet. It is interesting to notice that this is presented as verifiable facts just because it was available on a website or as download. These websites and documents are statements of questionable source and it goes too far to actually go into every detail of each paper, but when I was reading it I found many presented facts which I know to be incorrect. For example one of the included whitepapers states that the latest version at the time of writing in 2010 of the ZeuS Trojan would be version 1.6, which is simply false. The last ZeuS version in the major version 1, is actually 1.3.X.X which was released by the end of 2009 and further updated with fixed in the beginning of 2010. And version 1.4 was actually never really released and not for sale, but was merely the beta version for the 2.0 release which was released in 2010.

Another statement on page 5 of Debenham_Decl_Part_1.pdf it is indicated that ZeuS was first identified in 2007, this is verifiable incorrect and it was researched in 2006 and it was published about in a great write up by Michael Ligh et al. This is another indication of sloppy research done on the end of Microsoft.

On page 2 of Debenham_Decl_Part_1.pdf, act 3, it is stated that ZeuS, Ice-IX and Spyeye can be seen as the same because they incorporate ZeuS code, and are from then on referenced to as “Zeus botnets”. To prove this fact there are appendices that claim to verify this fact, including a reference to a blog posting of the IT Security journalist Brian Krebs. Note that there has been a lot of talk about SpyZeuS and it being the next great threat to the worlds IT infrastructure and online banking in general, but in reality this was all make belief. Obviously SpyEye contains tricks used in ZeuS, obviously SpyEye supports the ZeuS webinjects format, as do a dozen other banking Trojans. Let’s just make a comparison, there is Windows and there is Linux, and both support NTFS, is it now logical to call Linux a Windows variant? No, they are both just an operating system, and SpyEye and ZeuS are both a Trojan.

Also in some of the statements such as the one in Debenham_Decl_Part_1.pdf act 22, you can see that the author writes that the email addresses of domain registrations can be used to contact john doe 1-39. This is a bit off as there has obviously been little to no verification that the domains were related to the unnamed defendants. Actually we are pretty sure they have not done anything like that, they have only supplied a pretty limited list of domains obtained from zeus and spyeye configurations.

Another interesting observation from our end is that in the documents we found no clear references to the usage of exploit kits, which is the main method of infection employed for infecting systems with banking malware. This seems odd and perhaps they did not want to overcomplicate things, or perhaps they wanted to put the focus more directly on the NACHA spam mails which is one of the plaintiffs.

On page 51 of Summons.pdf the actor named “duo” is apparently mislabeled as “D frank”, which is different from the declaration from Debenham.

John doe information

This last part brings us on the most interesting part of this whole write up on operation b71, we were surprised to see the contents of the Summons.pdf and the declaration of Debenham. This includes a lot of information on actors involved within the ZeuS operations, the SpyEye author and individual SpyEye users but also completely unrelated actors. This information includes nicknames, email addresses, icq numbers and jabber addresses.

And when looking at those details we found some interesting details on some of the described john doe’s. The information therein was 100% identical to information we had supplied to a certain mailing list. This mailing list has the restriction that data being shared can only be used with the permission of the person who supplied that data. The information was in exactly the same order and contained exactly the same amount of information on those john does that we and also a friendly information security company had provided. Since the order and amount of information was 100% identical, and the data then also being used out of context and misinterpreted, meant that the person who interpreted it did not have the right background to fully understand the data.

For us this felt as a major blow as we spent a lot of time in getting this kind of information, while a corporate giant like Microsoft is now using this information without reaching out to the persons who supplied that information, for their own marketing and public relation purposes. From our end we can confirm that this information was never supplied for the purposes that Microsoft used it for. This whole action of Microsoft brings a major blow to the entire information sharing between information security companies on mailing lists and working groups.

Closing statements

The actions by Microsoft were thus definitely disruptive, but not so much for the criminals as they can easily setup their botnets again, if they lost any in the first place. The cost of setting up a new botnet for those that might have been disabled is very cheap, for about 10,000 USD you can setup a botnet with about 100,000 systems from a single popular country, which will typically be enough for a quick return on investment. The disruptive effect on the information security industry and the public private partnerships which have emerged is however devastating. The level of trust and the potential losses in effectiveness of information collection is becoming a major issue with information sharing, especially when taking into account these kinds of leaks. What we will see in the near future and also already now is a hesitation of partnering organizations to provide information on what is current, instead only vague information will be shared that is not actionable.

To reference the words of the Former DHS Cyber Chief, that working together, he mentioned, has now become an interesting proposal . Everyone in the industry at least now knows Microsoft is an untrustworthy partner who will go through great lengths to betray those who it works together with and will not claim responsibility for their mistakes. In light of the whole Responsible Disclosure debate from the end of Microsoft this unauthorized and uncoordinated use and publication of information protected under an NDA is obviously troublesome and shows how Microsoft only cares about protecting their own interests.

Also in light of the statement made in the video “how the criminal networks are intricate and how the individuals are hard to identify”, letting them know you are looking for them, and exactly with what information is not really going to help anyone’s objectives apart from that of the criminals themselves. At the same Monday we saw several actors register new accounts and jabber addresses, and reintroduced themselves to their partners in crime. Obviously this will make future attempts to attribute information to a person difficult as now you have to not only attribute actions to a single identity but also link those two or multiple identities together.

When it comes to what the actual harm is, Microsoft has endangered the success of countless ongoing investigations in both the private as the public sector all over the world from east to west. Obviously as most of these folks are located in Russia and Eastern Europe, the cooperation between parties in those regions and in western countries on both public and private sector side has been hurt more than you can expect, and also years of trust building has potentially been lost. It is not so much about this individual investigation but more about the global issue of partnerships between countries and regions and also between the private and public sector. In our discussions with Law Enforcement Officers, private investigators and members of NGOs researching these threats from across the globe we have found nothing but disappointment and disbelief regarding the irresponsible actions executed by Microsoft. Various other researchers have outed their disappointment earlier:
http://countermeasures.trendmicro.eu/dont-be-dumb-keep-schtumm/ and https://twitter.com/#!/sempersecurus/status/184344304788045825

By the end of the Microsoft PR/marketing movie I was laughing out loud and at the same time crying. As if these people actually reside in a country where Microsoft can prosecute them and as if you can actually find them, when you actually have to steal intelligence collected by others in the first place. No, you know who is doing the real laughing now. That are the criminals, who are the ones that really achieved victory over the entire industry by Microsoft’s irresponsible actions.

Summary

To summarize what has happened, Microsoft has publicly announced a takedown of ZeuS, Ice-IX and SpyEye botnets and has listed a large number of domain names which are supposedly involved and attempted to seize all these domain names. The lists of domains were unverified and contained domains which had a legitimate use.

Microsoft’s declaration contained statements which were incorrect and even contain misleading information regarding the invasion of privacy regarding the victims of ZeuS botnets, as their personal information may end up in the hands of Microsoft.
A large amount of information that identify the so called john doe’s for this case, has no apparent source or is not verifiable to any extent in the published information. We know that a large part of this information was sourced from individuals and organizations without their consent, breaking various NDA’s and unspoken rules.

This irresponsible action by Microsoft has led to hampering and even compromising a number of large international investigations in the US, Europe and Asia that we knew of and also helped with. It has also damaged and will continue to damage international relationships between public parties and also private parties. It also sets back cooperation between public and private parties, so called public private partnerships, as sharing will stop or will be definitely less valuable than it used to be for all parties involved.

Advice for the future

This has obviously been a major setback for everyone involved, not only those directly involved but also slowly but surely for those who are fighting the same battle and who are now confronted with this issue. How things should have been done, where do we go from here? Well, the first step is communicating. When you are planning an action you talk about it with as many people you know are going to be affected by the actions you are going to execute. If you need a key piece of evidence supplied by someone else, ask that person if it is possible to use this information without risking their information position. This is not just a thing private parties should learn, but public parties as well.

A second step is sharing, which goes both ways, and sharing is caring. While it is not always possible to share everything, it is definitely worth sharing things, sometimes raw data, sometimes an analysis or for example indicators or advice. Doing this allows people to reach out to one another because they know they can help on a specific topic and this results to a better common understanding of the working topic. It is really not a shame that you have to admit someone else just knows more about a certain topic than you, and if you prove you can handle information without risking each others positions that is a perfect start for a working relationship.

Preventing misuse of the information shared is impossible; the only thing we can rely on is trust within a group, and the repercussions on abusing this trust. In the case of the recent events I can only conclude that it is going to take a long time before Microsoft has regained its trust with the rest of the industry, and it is unfortunately that a few bad apples have now ruined it for everyone else.

Apart from trust there is one more thing, and that is due diligence, there is no other explanation than Microsoft not having done any due diligence in their actions and verification of data and sources in this case. They wanted to have a quick win, they might have gotten their quick win, but in the process sacrificed a lot. The advice is, check where the data is coming from, check it with your sources, get the confirmation that you can use it. Do not proceed until you are sure everyone has agreed and everything has been verified as much as can be possibly expected from you. Listing and seizing sinkholes and legitimate domains should be limited to a few and not dozens as was the case here.

The good thing to note is, information sharing has not completely stopped, people are still exchanging information, but for how long… and what are they not sharing? Only time will tell how this setback will affect us all in the long run.

Michael Sandee, Principal Security Expert at Fox IT