SCHOOLMONTANA: NSA Exploit of the Day

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog:

SCHOOLMONTANA

(TS//SI//REL) SCHOOLMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card.

(TS//SI//REL) Currently, the intended DNT Implant to persist is VALIDATOR, which must be run as a user process on the target operating system. The vector of attack is the modification of the target's BIOS. The modification will add the necessary software to the BIOS and modify its software to execute the SCHOOLMONTANA implant at the end of its native System Management Mode (SMM) handler.

(TS//SI//REL) SCHOOLMONTANA must support all modern versions of JUNOS, which is a version of FreeBSD customized by Juniper. Upon system boot, the JUNOS operating system is modified in memory to run the implant, and provide persistent kernel modifications to support implant execution.

(TS//SI//REL) SCHOOLMONTANA is the cover term for the persistence technique to deploy a DNT implant to Juniper J-Series routers.

Status: (U//FOUO) SCHOOLMONTANA completed and released by ANT May 30, 2008. It is ready for deployment.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 15, 2014 at 2:56 PM • 14 Comments

Comments

Kai HowellsJanuary 15, 2014 3:48 PM

Although there's been one mentioned so far for Cisco PIX and ASA firewalls, it's interesting how many of these exploits that Bruce is covering are for Juniper security appliances.
Based on my experience (in Australia, not the USA) Government seem to use a lot more Cisco equipment than Juniper, and I'm lead to believe that the situation is the same over there.

pointles_hackJanuary 15, 2014 4:05 PM

@Kai Howells: So NSA has done due diligence, and not left agents who want to penintrate Juniper systems hanging. But they have Cisco well in hand (if you've been following.)

Phill Hallam-BakerJanuary 15, 2014 4:34 PM

Bruce,

Congrats on the new job.

Meta question here, is this going to be collaborative research for your next book?

If so, I will get the book when it comes out. I'm up to my eyeballs in code right now.

Seems to me that the NSA is giving an unintended graduate level course in comprehensive penetration and penetration testing (with a minor in botched tradecraft). But it needs someone to take the time to organize and structure etc.

Phill

Alexa ThrysterJanuary 15, 2014 5:47 PM

So, basically, badBIOS? Ironchef, Gourmettrough, and of course Schoolmontana.

sparkygsxJanuary 15, 2014 6:51 PM

@Bruce: what is the point of these posts? All I read is "persistent implant for device [brand and types] with some retarded name IN ALL CAPS". They all seem to be more or les the same, but for slightly different targets. Can't we just get a list of all the brands and types that have been compromised and get it over with?

BuckJanuary 15, 2014 11:30 PM

Certainly a coincidence! But still...
Cheating scandal at Montana school for minuteman control-men?
http://www.cnn.com/2014/01/15/politics/air-force-nuclear-scandal/

Guess that investigation started with this:
http://usnews.nbcnews.com/_news/2014/01/09/22245986-officers-at-us-nuclear-missile-base-suspended-in-illegal-drugs-case

Then, there's also this...
http://www.cnn.com/2013/08/27/world/meast/nuclear-air-force-fail/

And of course, the obligatory COC (cover our constituency) congressional outrage!
http://www.airforcetimes.com/article/20131230/NEWS05/312300012/Senators-ask-DOD-delay-nuclear-missile-study

TipJanuary 15, 2014 11:59 PM

@sparkygsx if you find it too distressing to read massively underreported news about your employer perhaps you should find yourself some other occupation?

Think of that as a fair warning: nothing has gone beyond skin deep yet and your job is only going to get worse.

I mean; you don't seriously think this is as bad as it's going to get right? That the single tiny drop of blood in the water called Snowden hasn't made the sharks move?

William LeeJanuary 16, 2014 3:40 AM

@Bruce Schneier: Do you think you could tag all your 'Exploit of the Day' articles with something like um, 'exploit of the day' so they could more easily all be pulled up at once? Just an idea. Cheers

65535January 16, 2014 5:15 AM

I see a trend.

1] Juniper sell both Carrier Routing Systems and Security Systems for enterprises.

2] Juniper software (such as JUNOS) and hardware must have Carrier Routing Systems and Enterprise Security Systems with some compatibility or similar software.

3] The Carrier Routers must comply with CALEA (a big backdoor).

4] The Enterprise routers => Carrier Routers and the reverse.

5] A bios hack and a second implant are used to target the Enterprise routers with BIOS root kits and spyware.

This is just speculation – if the Juniper’s Enterprise Routers have dormant software code associated with their Carrier Routers code -wouldn’t it be reasonable to infect the Enterprise routers to emulate the CALEA port mirror or deep packet inspection probe and send the entire stream to the NSA (for further analysis).

In SchoolMontana we see a BIOS infection and “Validator” implant to create a persistent BIOS root kit interacting with the SMM handler. It maybe possible to re-enable the CALEA mode - a big maybe.

For discussion sake: Isn’t it remotely possible that various routers and switches contain partial copies of the “Lawful Intercept” code which could be hacked to work as it should in a carrier backbone?

I think Bruce mention Utimaco the provider for many lawful intercepts. They probably know of a hack for business routers (let alone the NSA).

Here is the CALEA setup information for the Catalyst 6500 series.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/lawful/intercept/65LIch2.html

A Cisco ASR 1000 Series Lawful Intercept license for $691.74 On HelpFindit(dot)com. I will not post the link.

Here is an old RFC3924 for Cisco Architecture Lawful Interception
http://www.faqs.org/rfcs/rfc3924.html

I have an old PIX 515e with a banner containing ‘lawful monitoring’ wording laced through it… although I doubt that it could actually send a CALEA intercept even if it could mirror it and store it. But, newer routing/switching devices may be a different story.

OlaJanuary 16, 2014 7:49 AM

@65535 it would be an hack of the decade if you could turn on Lawful Intercept on a router that needs an licens for that to work. Im not sure if port mirroring to NSA would work on enterprise routers. But anyway, it means that NetOptics and other tap manuf are going to have busy year. But then again you need BANAGLEE free server to run snort. It sucks to work on computer security these days.

A-TeamJanuary 16, 2014 10:08 AM

It would surely open a lot of doors if little people could obtain Lawful Intercept access and pose queries. Better, put MARINA and MAINWAY portals on the public internet and give us five milliseconds each to task our personal selectors.

Recall the 2010 Aurora attacks on Google (and Microsoft) were not so much activist email as years of FISA-court authorized surveillance on behalf of the FBI.

http://www.washingtonpost.com/world/national-security/chinese-hackers-who-breached-google-gained-access-to-sensitive-data-us-officials-say/2013/05/20/51330428-be34-11e2-89c9-3be8095fe767_story.html

http://www.networkworld.com/community/blog/will-chinese-hackers-launch-re-tread-attacks-surveillance-databases

"These [FISA orders] provide the legal cover for targeting people of interest in the US, notably the list of known or suspected undercover agents for the Chinese (who then might need to be extracted, change selectors, or provide misinformation). When in early 2010 Google shared with the public that they had been breached in what became known as the Aurora attacks, they said that the attackers got their hands on some source code and were looking to access Gmail accounts of Tibetan activists.

What they didn't make public is that the hackers have also accessed a database containing information about court-issued surveillance orders that enabled law enforcement agencies to monitor email accounts belonging to diplomats, suspected spies and terrorists. Armed with such information, Chinese intelligence agencies might decide to extract the suspected operatives, or instruct them to provide false information aimed at deceiving U.S. intelligence agents.

As Google was responding to the breach, its technicians made another startling discovery: its database with years' worth of information on surveillance orders had been hacked. The database included data on thousands of orders issued by judges around the country to law enforcement agents seeking to monitor suspects' emails.

The most sensitive orders, however, came from a federal court that approves surveillance on foreign targets such as spies, diplomats, suspected terrorists, and agents of other governments. Those orders, issued under the Foreign Intelligence Surveillance Act, are classified.

The theory is also backed by an earlier claim by Dave Aucsmith, senior director of Microsoft's Institute for Advanced Technology in Governments, who said that the Aurora attacks directed at Microsoft were aimed at discovering similar information regarding Microsoft accounts.

"If you think about this, this is brilliant counter-intelligence. You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way. Presumably that's difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That's essentially what we think they were trolling for, at least in our case," he shared with the attendees of a government IT conference.

Aucsmith said the attack on Microsoft appeared to be "a reconnaissance mission hackers were conducting to determine what type of surveillance U.S. authorities were conducting on undercover operatives through records obtained from the software giant via court orders."

5050January 16, 2014 9:24 PM

Happy belated birthday and thank you, thank you! A personal voice in a world of "actors"

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..