NSA Hacking Windows OS


RickC


What about today's news that the NSA is hacking our Windows 10 operating systems. Should we be concerned? Is Malwarebytes on top of this? I use VPNs, TOR, etc. Is that sufficient to thwart the government's efforts to spy on me? 

 

 

LEAKED NSA MALWARE THREATENS WINDOWS USERS AROUND THE WORLD
https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/ 

Hacked NSA tools put Windows users at possible risk
https://www.cnet.com/news/hacked-nsa-tools-put-windows-users-at-possible-risk/ 

NSA's arsenal of Windows hacking tools have leaked
http://www.zdnet.com/article/shadow-brokers-latest-file-drop-shows-nsa-targeted-windows-pcs-banks/ 

#TheShadowBrokers  


Greetings RickC and welcome :)

I moved your topic out of the malware removal area as this seems to be more of a technical question than an issue with a currently infected PC (the purpose of that area is for infected users seeking free assistance with malware removal).

Now, onto the questions you raise about government hacking and malware.  To be honest, I don't think anyone can say definitively whether we are safe from the kinds of threats and attacks which might be used by government agencies simply because they have so much money and access to incredibly vast amounts of resources (including some of the best hackers/coders money can buy) and technology.  That said, I don't think we're quite to the point yet where the US government is trying to monitor all devices/users, only specific targets of interest to them (suspect terrorists etc.).  In other words, and I'm just speaking hypothetically here, I am NOT claiming that you participate in any illegal activities whatsoever, but let us imagine that you are an individual who uses services such as Bittorrent clients and the like for the purposes of pirating copyrighted content online.  While this activity is certainly illegal in the United States, it is definitely not the kind of thing that the NSA is interested in these days.  They would consider it a vast waste of time, effort and resources to go after pirates and the likes for what are generally considered minor financial crimes.  To be honest, there are just far too many pirates and the cost vs gains from trying to go after them all would put the government at a big loss, both financially and with regards to manpower when they could be using those resources for far more important targets (remember, they also have to justify their budgets to Congress and any other arms of the government who sign off on and finance their work).

Now that said, in theory it is of course possible for the government to develop malware that would be capable of bypassing pretty much all security measures.  The simplest means I can think of would be via a man-in-the-middle attack which doesn't even use any malware installed on your system but instead monitors traffic between your system(s) and your ISP.  Of course using things like TOR helps to evade these types of attacks, but it's also possible that the government has discovered ways around that as well.  Keep in mind I'm not saying that this is happening because frankly I have no idea.  I'm simply thinking of what the most efficient means of monitoring a user's web use would be, especially since, if they were to install malware on your system, they put themselves at some level of risk if only because you might suspect something's going on and then come to a place like this where an expert malware analyst or technician might get their hands on a sample of the malware they're using, or at least be able to capture enough of it to reverse engineer some aspects of it.  Whenever something like that happens, it's tons of time and money down the drain for them because it won't be long until news of such a threat spreads and other technicians and security experts (and unfortunately, often the bad guys who write malware for profit) get ahold of it, after which it could theoretically become quite easy to detect and stop for all of us anti-malware vendors (and unfortunately, possibly for the bad guys to reverse engineer and create derivative works from).

So if the government has any sort of "super-bugs"/new malware of any kind, you can bet they're likely to use it quite sparingly.  Now exploits on the other hand are another matter entirely, since all they have to do is try to keep it a secret so that it doesn't get patched (or protected by tech such as our own anti-exploit module in Malwarebytes), but even then, these days there are tons of paid and freelance organizations and individuals constantly trying to find new exploits in software and operating systems just so they can report them to the software makers (like Microsoft) in order to get them patched so it's not likely that many exploits would last too long, though this only emphasizes the importance of keeping all of your software and especially your operating system up-to-date (and running good exploit protection doesn't hurt either).  Also, as far as the specific articles you cited go, they actually say that the only OS NOT affected is Windows 10.  In other words, it's all of the older Windows versions which are targeted/put at risk by these exploits and apparently MS' latest operating system is safe from this particular batch of exploits (that doesn't mean that there aren't 0-days we don't know about for Windows 10, as I've no doubt there are just because new exploits are popping up all the time for pretty much every OS and software version; one of the main reasons MS and other vendors release security updates so frequently).

Essentially what I'm trying to say here is that you really don't have a whole lot to worry about as far as government spying goes in all likelihood.  That doesn't mean it's not possible, just not likely.  I know that some will say things like "if you aren't doing anything wrong then you shouldn't worry about being watched anyway" but I'm not in that camp at all.  I'm a huge advocate for personal privacy as are we all here at Malwarebytes.  I just don't think that at the moment it would be an efficient use of time, money, manpower and resources to attempt to spy on all users.  It would just be way too much data, most of which would be deemed insignificant, just to try to find the needles in the massive haystack that they're looking for.  We're talking way beyond petabytes of data and traffic were they to target any significant number of the population, especially with the high use of streaming services these days by users and the low cost of storage devices (HDDs, SSDs etc.).  They'd be taking months or even years sorting through tons of data just to locate a few targets of real value to them, the entire time risking exposing themselves by attacking so many networks and systems (the more widespread a piece of malware is, the more likely it is to be captured by or handed to a threat researcher like those who work for Malwarebytes and once that happens, it's pretty much game over for that piece of malware, and possibly that entire attack vector if that researcher's heuristics and/or behavioral detection capabilities are up to snuff).

Anyway, I know this isn't a definitive answer, but I hope it at least helps to set your mind at ease.


Reading RickC's links brings to my mind the famous lines from Goethe's poem "The Sorcerer's Apprentice":

"Spirits that I've cited

My commands ignore."

Edited by GMork

8 hours ago, KenW said:

I don't remember reading anything about Windows 10 in any articles about this.

From the first article/link the user posted:

The leak includes a litany of typically codenamed software “implants” with names like ODDJOB, ZIPPYBEER, and ESTEEMAUDIT, capable of breaking into — and in some cases seizing control of — computers running versions of the Windows operating system earlier than the most recent Windows 10.

Also, that same article has been updated with the following information.  It looks like we might not be quite as vulnerable as we first thought (thank goodness!):

Update: April 15, 2017

Late Friday night, Microsoft published a blog post stating that after an analysis of the ShadowBrokers leak, it had determined that most of the vulnerabilities were patched in a series of Windows updates released in March — updates that security researchers who analyzed the NSA tools apparently neglected to install. This means the exploits in question were not in fact “zero days” and that anyone running the most recent updates on software still supported by Microsoft is safe from the ShadowBrokers arsenal. But the timing of the patch in question is interesting: If Microsoft truly did not receive any help from the NSA, as it claims, the fact that it fixed a litany of holes vulnerable to secret NSA tools exactly a month before those tools were made public is an amazingly fortunate coincidence (curiously, Microsoft skipped the usual acknowledgements section with the patch, which typically nods to how they were informed of the threats fixed in a given update). At any rate, this is certainly good news for Windows users who keep their computers up to date, good news for Microsoft, and still very bad news for the NSA.


6 hours ago, leo3487 said:

But at least we can be safe at this point?

Malwarebytes never will agree with any government agency to whitelist their malware?

(I guess all anti malware companies should make that disclaimer)

Based on what I've learned of these particular threats/exploits etc. so far, yes, we should be pretty much safe as long as we've installed the latest Windows Updates and patches for other significant web facing software such as web browsers and their plugins (Flash etc.).

And yeah, I wish all security vendors would state as much.  I've heard stories and claims that some vendors have agreed at various times to whitelist/deliberately ignore government malware but in my opinion, malware is malware regardless of its source and an anti-malware solution's job is to protect systems from attack by that malware no matter what its purpose might be or where it comes from.  That's especially important with attack vectors such as exploits which could potentially be used by anyone, not just the authorities, meaning the bad guys could just as easily use it to infect systems, steal data and/or attempt to extort money.

On our "About us" page located here it states: "We believe everyone has a fundamental right to a malware-free existence." meaning all malware, no matter where it comes from :) .

Edited by exile360

4 hours ago, exile360 said:

Based on what I've learned of these particular threats/exploits etc. so far, yes, we should be pretty much safe as long as we've installed the latest Windows Updates and patches for other significant web facing software such as web browsers and their plugins (Flash etc.).

Shadow Brokers had been trying to sell these exploits since August 2016, quote:

Quote

A Microsoft spokesperson told The Intercept “We are reviewing the report and will take the necessary actions to protect our customers.” We asked Microsoft if the NSA at any point offered to provide information that would help protect Windows users from these attacks, given that the leak has been threatened since August 2016, to which they replied “our focus at this time is reviewing the current report.” The company later clarified that “At this time, other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers.”

Patching these exploits in March 2017 would mean that we were not safe prior to this date, nor do we know just how long they had been utilized prior to August 2016. That just shows the value of updates and reinforces the need for security solutions for protecting systems and applications against advanced threats.

My question is, could Malwarebytes 3.0x stop these exploits?

Based on the KB Article, the chances are the answer to this question is no, quote:

Quote

Multiple Windows SMB Remote Code Execution Vulnerabilities

Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.

To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

The security update addresses the vulnerabilities by correcting how SMBv1 handles these specially crafted requests.

The "specially crafted packet" could be anything, such as buffer overflow, unintentional/intentional backdoor, etc. It's hard to say without looking at the actual packets in question and its impact on the system. Nor did Microsoft disclose the details of the exploit and more strangely, it did not credit anyone for finding this vulnerability and notifying Microsoft. 


On 4/15/2017 at 9:18 AM, KenW said:

I don't remember reading anything about Windows 10 in any articles about this.

Windows 10 market share is about 25%, I am pretty certain that the intelligence agencies have exploits for this platform. Not having them at their disposal would limit the effectiveness of their eavesdropping on people. And yes, some of the vulnerabilities patched last month impacted Windows 10 platforms as well... 


12 hours ago, dont_touch_my_buffer said:

Shadow Brokers had been trying to sell these exploits since August 2016, quote:

Patching these exploits in March 2017 would mean that we were not safe prior to this date, nor do we know just how long they had been utilized prior to August 2016. That just shows the value of updates and reinforces the need for security solutions for protecting systems and applications against advanced threats.

My question is, could Malwarebytes 3.0x stop these exploits?

Based on the KB Article, the chances are the answer to this question is no, quote:

The "specially crafted packet" could be anything, such as buffer overflow, unintentional/intentional backdoor, etc. It's hard to say without looking at the actual packets in question and its impact on the system. Nor did Microsoft disclose the details of the exploit and more strangely, it did not credit anyone for finding this vulnerability and notifying Microsoft. 

I can't speak to whether or not Malwarebytes would have been 100% effective against any potential exploits for these particular vulnerabilities, but I do know that one of the generic/behavioral/signatureless detection mechanisms built into our anti-exploit protection is the detection and termination of exploits which attempt buffer overflow attacks (among several other layers/behaviors).  So while I cannot determine its effectiveness without seeing any actual exploits of the vulnerability in the wild or a POC, I can say that I'm confident that it would likely be at least far more difficult to infiltrate a system via an exploit, if only because we have so many layers that look for exploit behaviors and other suspicious activity related to exploits.

Again, I do not know how vulnerable, if at all, systems protected by Malwarebytes would be, but I do believe at the very least, that it would make it far more difficult if only because there are several attack vectors/exploit types which are generically stopped at the door regardless of the vulnerability they're trying to exploit, and this includes buffer overrun attacks.


11 hours ago, exile360 said:

Again, I do not know how vulnerable, if at all, systems protected by Malwarebytes would be, but I do believe at the very least, that it would make it far more difficult if only because there are several attack vectors/exploit types which are generically stopped at the door regardless of the vulnerability they're trying to exploit, and this includes buffer overrun attacks.

Except that the Windows SMB Server CVE-2017-0147 Information Disclosure Vulnerability does not include a buffer overrun attack. An attacker could exploit this vulnerability by sending a crafted request to the target system that may contain random information that is stored in memory when returned. The "crafted request" means a string of characters that may include letters and numbers that the server protocol driver responds to. The chances are that the attacker could also execute arbitrary code, otherwise exploiting this vulnerability is iffy at best. Even if Microsoft does not state that...

While I don't know much about programming... the crafted request is handled by the system in one of two different ways:

  1. The crafted request results in a buffer overflow that allows the attacker to execute arbitrary code
  2. The crafted request, or string of characters, is coded in the server protocol driver and the system responds as expected

Anyone knowing the string of characters could exploit this vulnerability. While it is unlikely that MS would do this, having an eerily similar vulnerability from 2006, quote, makes it suspicious:

Quote

SMB Information Disclosure Vulnerability - CVE-2006-1315:

There is an information disclosure vulnerability in the Server service that could allow an attacker to view fragments of memory used to store SMB traffic during transport.

The CVE-2006-1315 has this description, quote:

Quote

The Server Service (SRV.SYS driver) in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 up to SP1, and other products, allows remote attackers to obtain sensitive information via crafted requests that leak information in SMB buffers, which are not properly initialized, aka "SMB Information Disclosure Vulnerability."

Yes, it could be coincidence... On the other hand, it could be an update for the crafted request, or special strings of characters once they become known. We will never know the answer to this...

PS: Yes, Malwarebytes 3.x provides multiple layers of security protection for the system. But even this protection is pretty much ineffective against unknown special strings of characters that are actually a "normal" and "intended" operation...


3 hours ago, dont_touch_my_buffer said:

Except that the Windows SMB Server CVE-2017-0147 Information Disclosure Vulnerability does not include a buffer overrun attack. An attacker could exploit this vulnerability by sending a crafted request to the target system that may contain random information that is stored in memory when returned. The "crafted request" means a string of characters that may include letters and numbers that the server protocol driver responds to. The chances are that the attacker could also execute arbitrary code, otherwise exploiting this vulnerability is iffy at best. Even if Microsoft does not state that...

While I don't know much about programming... the crafted request is handled by the system in one of two different ways:

  1. The crafted request results in a buffer overflow that allows the attacker to execute arbitrary code
  2. The crafted request, or string of characters, is coded in the server protocol driver and the system responds as expected

Anyone knowing the string of characters could exploit this vulnerability. While it is unlikely that MS would do this, having an eerily similar vulnerability from 2006, quote, makes it suspicious:

The CVE-2006-1315 has this description, quote:

Yes, it could be coincidence... On the other hand, it could be an update for the crafted request, or special strings of characters once they become known. We will never know the answer to this...

PS: Yes, Malwarebytes 3.x provides multiple layers of security protection for the system. But even this protection is pretty much ineffective against unknown special strings of characters that are actually a "normal" and "intended" operation...

Regarding item 1., if I'm correct then as soon as the buffer overflow was initiated then 3.x should shut it down right there.  Regarding item 2., you are most likely correct so the only mitigation would be Microsoft's patch to eliminate this vulnerability.  I'm no programmer either so I don't have intimate knowledge on the subject but at least as I understand it we do generically detect buffer overflows and shut them down, thus stopping such exploits in their tracks.  I believe there are other layers in the anti-exploit module that work in similar ways as well to thwart other exploit methods on a behavioral/generic basis and I don't know if any of those would apply to whatever methods apply to this attack or not but I can only hope.  I do know that our team is investigating the published data so if there is any actionable intel to be used for strengthening our methods of protection, I'm sure it won't be long before they are implemented.  I'm anxious to learn what the tech experts (not just ours, but others as well) have to say about these exploits/vulnerabilities and the methods which would apply to exploiting them.  I assume it's only a matter of time before more information becomes available as more and more people analyze the code and documentation made public by this leak.

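The thread argues about two different things a "specially crafted packet" can do to a server that trusts a length field in the request header: the KB text quoted above (SMBv1 mishandling crafted requests, leading to remote code execution), exile360's point that a buffer overflow is something behavioral exploit protection can catch, and dont_touch_my_buffer's point that CVE-2017-0147 (like CVE-2006-1315 before it) is a memory disclosure from a buffer that is not properly initialized, where nothing overflows and nothing looks abnormal. The program below is an added example written for this thread; it is not SMB, not Microsoft's code and not Malwarebytes' code. It models a toy echo handler that reuses one server-side buffer, with an assumed request layout (a declared length plus the bytes that actually arrived), assumed buffer sizes, and a constructed "earlier client" payload. The vulnerable handler shows both failure modes side by side; the hardened handler shows the checks that remove them.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE  32     /* assumed capacity of the reusable request buffer */
#define SLAB_SIZE 64     /* the slab it sits in; bytes after BUF_SIZE model a neighbouring allocation */
#define CANARY    0xAA   /* fill for the neighbour bytes so an overrun is visible */

/* One heap slab stands in for a driver's buffer pool.  slab_reset() clears the
 * request buffer and repaints the neighbour bytes before each scenario. */
static uint8_t *slab_get(void)
{
    static uint8_t *slab;
    if (slab == NULL) {
        slab = calloc(SLAB_SIZE, 1);
        if (slab == NULL) exit(EXIT_FAILURE);
    }
    return slab;
}

static uint8_t *slab_reset(void)
{
    uint8_t *slab = slab_get();
    memset(slab, 0, BUF_SIZE);
    memset(slab + BUF_SIZE, CANARY, SLAB_SIZE - BUF_SIZE);
    return slab;
}

/* Assumed request layout: a header length field plus the bytes that really arrived. */
struct request {
    uint16_t declared_len;   /* payload length the header claims */
    const uint8_t *payload;  /* bytes actually received */
    size_t received_len;     /* how many actually arrived */
};

typedef size_t (*handler_fn)(const struct request *, uint8_t *, size_t);

/* Vulnerable echo: trusts the client's numbers and reuses the buffer without clearing it.
 * (1) the copy is bounded only by what the client sent, so a long body overruns the buffer
 *     (the corruption behind a classic overflow-to-code-execution bug);
 * (2) the reply is declared_len bytes long, so a header larger than the body returns whatever
 *     the previous request left behind (the uninitialized-buffer disclosure pattern). */
size_t echo_vulnerable(const struct request *req, uint8_t *out, size_t out_cap)
{
    uint8_t *buf = slab_get();
    memcpy(buf, req->payload, req->received_len);                         /* (1) */
    size_t n = req->declared_len < out_cap ? req->declared_len : out_cap;
    memcpy(out, buf, n);                                                  /* (2) */
    return n;
}

/* Hardened echo: header and body must agree and fit, and the buffer is cleared before reuse. */
size_t echo_fixed(const struct request *req, uint8_t *out, size_t out_cap)
{
    uint8_t *buf = slab_get();
    if (req->declared_len != req->received_len) return 0;   /* header/body mismatch: reject */
    if (req->received_len > BUF_SIZE || req->received_len > out_cap) return 0;
    memset(buf, 0, BUF_SIZE);                               /* never let stale bytes reach the wire */
    memcpy(buf, req->payload, req->received_len);
    memcpy(out, buf, req->received_len);
    return req->received_len;
}

static const uint8_t SECRET[] = "password=hunter2";   /* constructed: an earlier client's payload */

/* Scenario A, information disclosure: a legitimate client echoes SECRET, then an attacker
 * declares BUF_SIZE bytes but sends one.  Returns 1 if the attacker's reply carries SECRET. */
int leaks_previous_request(int use_fixed)
{
    handler_fn h = use_fixed ? echo_fixed : echo_vulnerable;
    uint8_t out[BUF_SIZE] = {0};
    slab_reset();
    struct request first = { sizeof SECRET - 1, SECRET, sizeof SECRET - 1 };
    h(&first, out, sizeof out);
    uint8_t a = 'A';
    struct request crafted = { BUF_SIZE, &a, 1 };
    size_t n = h(&crafted, out, sizeof out);
    return n > 1 && memcmp(out + 1, SECRET + 1, sizeof SECRET - 2) == 0;
}

/* Scenario B, overflow: the attacker sends more bytes than the buffer holds.
 * Returns 1 if the neighbour bytes after the buffer were overwritten. */
int overwrites_neighbour(int use_fixed)
{
    handler_fn h = use_fixed ? echo_fixed : echo_vulnerable;
    uint8_t big[BUF_SIZE + 8];
    uint8_t out[BUF_SIZE] = {0};
    memset(big, 'B', sizeof big);
    uint8_t *slab = slab_reset();
    struct request crafted = { sizeof big, big, sizeof big };
    h(&crafted, out, sizeof out);
    for (size_t i = 0; i < 8; i++)
        if (slab[BUF_SIZE + i] != CANARY) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable: leaks=%d overflows=%d\n", leaks_previous_request(0), overwrites_neighbour(0));
    printf("fixed:      leaks=%d overflows=%d\n", leaks_previous_request(1), overwrites_neighbour(1));
    return 0;
}
```

The point for the thread: scenario B writes outside the buffer, which is the kind of corruption a behavioral anti-exploit layer has something to latch onto. Scenario A does nothing abnormal at the machine level; the server copies and returns bytes it legitimately owns, so only the server-side fix (validate the length against what arrived, clear buffers before reuse, i.e. the patch) closes it.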
