Reverse-Engineering a Zero-Day Exploit from the Hacking Team Data Dump

Last July, a still-anonymous hacker broke into the network belonging to the cyberweapons arms manufacturer Hacking Team, and dumped an enormous amount of its proprietary documents online. Kaspersky Labs was able to reverse-engineer one of its zero-day exploits from that data.

Posted on January 19, 2016 at 2:34 PM • 17 Comments

Comments

Xer0xerJanuary 19, 2016 5:08 PM

Smart thinking for discovering this exploit, but i doubt it's smart to publish this technique.

rJanuary 19, 2016 7:42 PM

@xer,

I don't see a downside, if you're an assembler you know better than to leave your code plaintext.
If you compile you know to strip your executables.
IF you don't you've spent too much time in books?
This is a good technique for the public, this is a good technique for the private industry and this is a good technique for the private researcher.

I really don't see how publishing this isn't smart, if you're really concerned about unleashing zero days then the solution is simple... take your information to the companies involved.

rJanuary 19, 2016 7:49 PM

As to the comment in the article about repurposing existing material: with ROP I would assume this is a given but for anything else I'm not sure I'd still classify it as unusual or rare.

Just like traditional open source it would decrease time to market.

rJanuary 19, 2016 7:56 PM

Esp. considering some people may (as stated in the 'identifying programmers' thread) not possess the awareness or education to acknowledge or prevent this.

I know that if I opened metasploit today, and fed in an el rando script from packetstorm myself the comment system or ascii escapes could possibly elude me.

John McAfeeJanuary 19, 2016 8:03 PM

So my question is about the ethics of the task. It's a nifty bit of detective work to be sure but what bothers me is the fact that his little spy program initially picked up two IP addresses, one in the middle east and one in Laos. Two areas of the world not known for democracy. So what did the researcher do to track down these two IP addresses and inform them that they probably have a compromised file? There is nothing in the article about THAT.

See, this article just convinces me once again that anti-virus is security theater. The poor sob from Laos did exactly what one is supposed to do, run his virus check and what happened? False Negative. So why bother? Any hacker worth his money is going to run his stuff through Virus Total too. Anti-virus is not going to protect one from a zero day and with zero days all over the place the only thing anti-virus is going to catch are lazy script-kiddies.

Save your money and assume it is all infected. It is the only sane thing to do.

MrTroyJanuary 19, 2016 8:19 PM

@John McAfee,

> Save your money and assume it is all infected. It is the only sane thing to do.

And then what?

ZzzJanuary 19, 2016 8:57 PM

'Save your money,' sure, but 'assume it's all infected'? That's just more resistance-is-futile. If you're not one of the first, absolutely highest-value targets (and you're not, let's face it, you're just not that important,) let's go through the and-then-what with an even more insidious example:

1. http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ ?!

2. Oh shit!

3. No sign of the three implicated syscalls on firejail traces for web-facing applications, Whew.

4. No sign of hidden processes or connections or anomalous privileges, or log alerts, Whew.

5. ASLR set appropriately to impede the attack, Whew.

6. tweak seccomp pending a fix with something like this for all web-facing applications:
firejail --seccomp.drop=keyctl, add_key, request_key [program and arguments]

7. Get on with your life.

rJanuary 19, 2016 9:27 PM

@John McAfee,

any hacker worth half his money isn't going to need or use virus total.

immho.

rJanuary 19, 2016 9:33 PM

@John McAfee,

to wit: this article proves that AV's (one's that include an NIDS) are capable of protecting against at least some zero days.

Actually I'm not sure an NIDS at the packet level would catch a silverlight exploit over https without an intermediate certificate being installed... It's definately alot of work to protect against the [un]holey browser plugin.

InterestingJanuary 20, 2016 12:58 AM

Doesn't this just prove that the only safe methods for us mere mortals who care about privacy & security is to minimise their attack surface?

I am thinking here:

- Running the most secure open source software available e.g. Qubes - also addresses large kernel attack surface with standard linux platforms
- Running everything necessarily in separate VMs so the damage caused by inevitable hacks is minimised as much as possible
- Running web browsing with minimal/no plug-ins i.e. especially never trust crap associated with Microsoft, Adobe and co.
- Opening any attachments in stand-alone (throw-away) VMs
- Not using a single piece of proprietary software & utilising proven, privacy-enhancing software as your default e.g. Tor
- Keeping nothing personal stored on digital media attached to the web-facing computer
- Considering all computer use as potentially open to the Feds and alphabet agencies at all times e.g. have any very personal communications in person and never using the Internet or peripherals for this purpose
- Never entering personal data into the public domain if you can manage it, ruling out all use of social media, professional networks etc.

While resistance may not be futile, it does appear that civil libertarians can only win if they don't play. That EFF link shows that the Feds are regularly going on trawling expeditions for any and all illegalities & zero days are critical for that purpose.

Is this all just paranoia for use mere mortals going about our daily business? Well - no.

1) Consider GHCQ's 'Karma Police' program.

2) Consider that in 2007, millions of Americans were already on a 'subversives list' in the 'Main Core' database, thanks to illegal dragnet surveillance. This would have been ramped up significantly in the last 9 years with the increased use of X-KeyScore and other programs and the large number of innocent people hooked in by NSA two and three-hop processes. We are all suspects ('potential subversives') in the new paradigm.

The data they are keeping is very, very thorough:

https://www.emptywheel.net/2016/01/18/martin-luther-king-jr-subversives-and-the-patriot-dragnet/

The following information seems to be fair game for collection without a warrant: the e-mail addresses you send to and receive from, and the subject lines of those messages; the phone numbers you dial, the numbers that dial in to your line, and the durations of the calls; the Internet sites you visit and the keywords in your Web searches; the destinations of the airline tickets you buy; the amounts and locations of your ATM withdrawals; and the goods and services you purchase on credit cards. All of this information is archived on government supercomputers and, according to sources, also fed into the Main Core database.

[snip]

Main Core also allegedly draws on four smaller databases that, in turn, cull from federal, state, and local “intelligence” reports; print and broadcast media; financial records; “commercial databases”; and unidentified “private sector entities.

3) Consider spook databases that now marry up with the new Police 'Pre-Crime' tools like Beware, and the authoritarian trends are obvious:

http://libertyblitzkrieg.com/2016/01/11/meet-beware-the-new-police-tool-that-data-mines-your-life/

The program scoured billions of data points, including arrest reports, property records, commercial databases, deep Web searches and the man’s social- media postings. It calculated his threat level as the highest of three color-coded scores: a bright red warning.

Privacy rights may be gone forever, short of a socialist democratic revolution that spreads world-wide and throws out the fascists in power everywhere. Political, rather than technological solutions are the primary factor in addressing the rot.

However, I won't hold my breath, especially since most people are addicted to their tech gadgets/trinkets and oblivious to the many threats which are destroying the remnants of democracy.

Just the way the shadow government likes it.

65535January 20, 2016 3:52 AM

@ r

“this article proves that AV's (one's that include an NIDS) are capable of protecting against at least some zero days…I'm not sure an NIDS at the packet level would catch a silverlight exploit over https without an intermediate certificate being installed... It's definately alot of work to protect against the [un]holey browser plugin.”

Yes, that is the truth. I do believe that certain versions of Kaspersky’s AV does do some SSL/TLS stripping – as to other AV companies. But, it is interesting using debugging code in malware to reverse engineer said malware.

What Network Intrusion Detection System do you recommend for the SOHO users [Snort, OPNET, IntruShield, TippingPoint and so on]?

@ L. W. Smiley

The EFF is doing it a fair job of shedding light on Governmental hoarders of 0-days. But, there is a lot to do.

Next, is the question of Antivirus companies in bed with the Government to suppress discovery of 0-day exploits?

Bruce involved in asking major AV if they were colluding with Governments and the NSA. Then last I heard is that only a handful of AV sellers said they were not [one of the few was Kaspersky].

[Few AV vendors respond to open letter about collusion with the NSA]

“I joined a group of security experts to ask antivirus companies explicitly if they were ignoring malware at the behest of a government. Understanding that the companies could certainly lie, this is the response so far: no one has admitted to doing so.” –Bruce S.

‘Up until this moment, only a handful of the vendors have replied ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro. All of the responding companies have confirmed the detection of state sponsored malware, e.g. R2D2 and FinFisher. Furthermore, they claim they have never received a request to not detect malware.’ – see EFF posts and Bruce’s posts.

“The Electronic Frontier Foundation (EFF) sent an open letter Thursday to anti-virus software companies asking a series of questions about their experience countering – or cooperating with – government surveillance.”

http://www.truthandaction.org/eff-calls-antivirus-companies-protect-govt-surveillance/

[and]

https://www.bof.nl/live/wp-content/uploads/Letter-to-antivirus-companies-.pdf

I would be a relief if AV companies were actively detecting Governmental malware and reporting it their customers.

@ Interesting

I also am concerned with reporters and the average Joe minimizing their attack surface. The more reduction in attack surface the better.

"Is this all just paranoia for use mere mortals going about our daily business? Well - no.
“1) Consider GHCQ's 'Karma Police' program.
“2) Consider that in 2007, millions of Americans were already on a 'subversives list' in the 'Main Core' database…”

Although these are tangential items to this post they are very concerning. I think they will have to be discussed in-depth and in public for better understanding.

A] If Main Core still is active what does it have in it and what other databases can it query [TIDE, Beware, and so on]?

B] Is the State of Emergency still in effect since the Bush Administration? If so why is it still in effect?

“The United States has been in a declared state of emergency from September 2001, to the present. Specifically, on September 11, 2001, the government declared a state of emergency. That declared state of emergency was formally put in writing on 9/14/2001:

“A national emergency exists by reason of the terrorist attacks at the World Trade Center, New York, New York, and the Pentagon, and the continuing and immediate threat of further attacks on the United States.

“NOW, THEREFORE, I, GEORGE W. BUSH, President of the United States of America, by virtue of the authority vested in me as President by the Constitution and the laws of the United States, I hereby declare that the national emergency has existed since September 11, 2001 . . .” – global research

http://www.globalresearch.ca/state-of-emergency-and-continuity-of-government-what-is-the-real-reason-the-government-is-spying-on-americans/5338508

[and see Emptywheel]

https://www.emptywheel.net/2016/01/18/martin-luther-king-jr-subversives-and-the-patriot-dragnet/

This "State of Emergency" is quite disturbing, long lasting and should be explained publicly [Possibly in another post].

rJanuary 20, 2016 12:44 PM

@65535,

I recommend practicing safe sex, backups, noscript, whitelisting and an intermediate hardware firewall. Maybe clamav/snort with modifications and a customized? dataset on the firewall/router and Avast on the end user. I recommend not flattening your attack surface by relying soley on linux or x86. I recommend getting used to lynx, links or links2.

None of that is a joke, it's a reality check - I routinely tell the families I work with that THE INTERNET IS A WARZONE - that they can expect something to get through even using best practices and that the only solution is to keep your head down and BACK THINGS UP.


There's really not alot anyone can do, do you remember the heuristics and binary emulation of the 90's? Do you remember how much it slowed down even the "fast" pentium pros? In defense of the NIDS' out there: I can't imagine being asked to emulate or scan every single potentially UNALIGNED/encrypted packet coming into a system. HOWEVER: To assail the AV industry, and to reinforce the suspicions of the other guy who claims that they are in bed with governments - given that this 'third' silverlight exploit was detected using an extrapolation of known 'signatures'... they don't really have an excuse given that it was found in their datasets. Are they really drowning in a backlog of data like the NSA?


I fully believe AV's are colluding and or complicit... I completely believe that at times they look the other way... I also firmly believe that they think that it is in their best interest as a business seeking revenue to let the 1% through (think scareware).

I believe what we have gentlemen, is one big private gentlemen's agreement.

There's also questions of subversion, not only from governments but specifically from company researchers who have not been screened or supervised.

But what do I recommend? Whatever the government is using to protect their networks, if they're using anything at all honestly - we have hints that they do have some reasonable sort of NIDS with packet inspection - there's allusions to various branches sharing 'signatures'. Whether those signatures are just pivot/origin signatures or actual weapons (not attack) signatures is beyond me, i can easily see them sharing known infrastructure information as that's far easier in my mind than stateful inspection of all non-metadata DPI incoming/outgoing frames.

As for the rest of us? Practice, practice, practice.

I don't recommend paying for something that looks the other way, which is why I push Avast - it's free - and they SEEM to be a VERY consumer oriented company. Once you get to the top you have nothing to prove... kaspersky and mcafee immhoo are both galvanized, complacent, stagnant and entrenched but still lightyears ahead of 95% of their competition... They will also have larger userbases and may(or may not) pick up on new malvertising campaigns quicker than others... Bitdefend in recent years has had outstanding reviews also and from what i remember it has it's roots in the early NIDS'/firewalls and therefor may be of reasonable performance in that area... I personally, just can't see telling families that they need to buy premium protection that is only minimally better than free solutions coupled with basic awareness.

To be fair to kaspersky, I relied on them for 10-15 years. I'd been using and highly recommending them since they were AVP, I would always just reinstall the 30 day trial... The were quite simply the best - and you couldn't beat the price. It's not fair to them that my reservations over their russian origin taint my opinion of them or the company, they are highly qualified in everything they do.

AND, concerning comments in recent weeks about the exploitation of anti-viruses... I seem to recall a certain remotely exploitable ring0 driver hole in McAfee's software firewall implementation 10 or 12 years back... nothing is fail safe or for that matter fool proof.

Clive RobinsonJanuary 20, 2016 11:22 PM

@ Steve,

With regards the quote from,

rationalwiki.org

The page it comes from comes across as an ironical parody of a right wing "potty" trying to sound rational.

Thus I would expect on the "lesser flea principle" to find another site complaining about Rational Wiki in the same way they are complaibing about Global Research.

I'm not saying that either organisation is good or bad, but I've started to notice more and more of these "beware XXXX" sites. It appears to be a new phenomenon, but it could also be part of a "black propaganda" operation not to disimilar to those that the GCHQ "smurf tools" are designed to support.

As was once noted "On the Internet nobbody knows you are a dog" well it also applies to websites as well and it's reached the point where rational thought does not help weed out the bad from the good...

NEDJanuary 21, 2016 10:20 AM

The reason that statists hate globalresearch.ca is that it publishes the source documents that state-sanctioned media keep from you. Very often you'll read a news story in commercial media about a document, but it doesn't link to the document or even tell you the title - the story just tells you what to think. To read the document itself you have to go to sites like globalresearch. That's why statist psywar pukes cotinually attack its reputation.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.