_http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars/
This article is really quite mind-blowing IMO. Here are a few snippets:
This article is really quite mind-blowing IMO. Here are a few snippets:
Hoglund's special interest was in all-but-undetectable computer "rootkits," programs that provide privileged access to a computer's innermost workings while cloaking themselves even from standard operating system functions. A good rootkit can be almost impossible to remove from a running machine—if you could even find it in the first place.
The reply indicates that HBGary has several tools on offer. "Are you asking about the rootkit for XP (kernel driver that hides in plain sight and is a keylogger that exfiltrates data) or are you asking about 12 Monkeys? We've sold licenses of the 1st one for $60k. We haven't set a price on 12 Monkeys, but can."
The company had been developing rootkits for years. Indeed, it had even developed a private Microsoft Word document outlining its basic rootkit features, features which customers could have (confirming the e-mail listed above) for $60,000.
On April 14, 2009, Hoglund outlined his plans for the new super-rootkit for Windows XP, which was "unique in that the rootkit is not associated with any identifiable or enumerable object. This rootkit has no file, named data structure, device driver, process, thread, or module associated with it."
How could Hoglund make such a claim? Security tools generally work by scanning a computer for particular objects—pieces of data that the operating system uses to keep track of processes, threads, network connections, and so on. 12 Monkeys simply had nothing to find. "Since no object is associated with the objectless rootkit, detection will be very difficult for a security scanner," he wrote. In addition, the rootkit would encrypt itself to cloak itself further, and hop around in the computer's memory to make it even harder to find.
As for getting the data off a target machine and back to the rootkit's buyer, Hoglund had a clever idea: he disguised the outgoing traffic by sending it only when other outbound Web traffic was being sent. Whenever a user sat down at a compromised machine and started surfing the Web, their machine would slip in some extra outgoing data "disguised as ad-clicks" that would contain a log of all their keystrokes.
While the basic rootkit went for $60,000, HBGary hoped to sell 12 Monkeys for much more: "around $240k."
HBGary kept a stockpile of 0-day exploits. A slide from one of the company's internal presentations showed that the company had 0-day exploits for which no patch yet existed—but these 0-day exploits had not yet even been published. No one knew about them.
The company had exploits "on the shelf" for Windows 2000, Flash, Java, and more; because they were 0-day attacks, any computer around the world running these pieces of software could be infiltrated.
One of the unpublished Windows 2000 exploits, for instance, can deliver a "payload" of any size onto the target machine using a heap exploit. "The payload has virtually no restrictions" on what it can do, a document notes, because the exploit secures SYSTEM level access to the operating system, "the highest user-mode operating system defined level" available.
These exploits were sold to customers. One email, with the subject "Juicy Fruit," contains the following list of software:
Psyops
In mid-2010, HBGary Federal put together a PSYOP (psychological operations) proposal for SOCOM, which had issued a general call for new tools and techniques. In the document, the new HBGary Federal team talked up their past experience as creators of "multiple products briefed to POTUS [President of the United States], the NSC [National Security Council], and Congressional Intelligence committees, as well as senior intelligence and military leaders."
The document focused on cartoons and the Second Life virtual world. "HBGary personnel have experience creating political cartoons that leverage current events to seize the target audience's attention and propagate the desired messages and themes," said the document, noting that security-cleared cartoonists and 3D modelers had already been lined up to do the work if the government wanted some help.
But HBGary Federal's real interest had become social media like Facebook and Twitter—and how they could be used to explore and then penetrate secretive networks. And that was exactly what the Air Force wanted to do.
Fake Facebook friends
In June 2010, the government was expressing real interest in social networks. The Air Force issued a public request for "persona management software," which might sound boring until you realize that the government essentially wanted the ability to have one agent run multiple social media accounts at once.
It wanted 50 software licenses, each of which could support 10 personas, "replete with background, history, supporting details, and cyber presences that are technically, culturally and geographically consistent."
The software would allow these 50 cyberwarriors to peer at their monitors all day and manipulate these 10 accounts easily, all "without fear of being discovered by sophisticated adversaries." The personas would appear to come from all over the world, the better to infiltrate jihadist websites and social networks, or perhaps to show up on Facebook groups and influence public opinion in pro-US directions.
As the cyberwarriors worked away controlling their 10 personas, their computers would helpfully provide "real-time local information" so that they could play their roles convincingly.
In addition the Air Force wanted a secure virtual private network that could mask the IP addresses behind all of this persona traffic. Every day, each user would get a random IP address to help hide "the existence of the operation." The network would further mask this persona work by "traffic mixing, blending the user's traffic with traffic from multitudes of users from outside the organization. This traffic blending provides excellent cover and powerful deniability."
While Barr fell increasingly in love with his social media sleuthing, Hoglund still liked researching his rootkits. In September, the two teamed up for a proposal to DARPA, the Defense Advanced Research Projects Agency that had been instrumental in creating the Internet back in the 1960s.
[...]
So Barr and Hoglund drafted a plan to create something like a lie detector, except that it would look for signs of "paranoia" instead.
"Like a lie detector detects physical changes in the body based on sensitivities to specific questions, we believe there are physical changes in the body that are represented in observable behavioral changes when committing actions someone knows is wrong," said the proposal. "Our solution is to develop a paranoia-meter to measure these observables."
The idea was to take an HBGary rootkit like 12 Monkeys and install it on user machines in such a way that users could not remove it and might not even be aware of its presence. The rootkit would log user keystrokes, of course, but it would also take "as many behavioral measurements as possible" in order to look for suspicious activity that might indicate wrongdoing.
What sort of measurements? The rootkit would monitor "keystrokes, mouse movements, and visual cues through the system camera. We believe that during particularly risky activities we will see more erratic mouse movements and keystrokes as well as physical observations such as surveying surroundings, shifting more frequently, etc."
The rootkit would also keep an eye on what files were being accessed, what e-mails were being written, and what instant messages were being sent. If necessary, the software could record a video of the user's computer screen activity and send all this information to a central monitoring office. There, software would try to pick out employees exhibiting signs of paranoia, who could then be scrutinized more closely.
The ideas got ever more grandiose. Analyzing malware, HBGary's main focus, wasn't enough to keep up with the hackers; Hoglund had a plan to get a leg up on the competition by getting even closer to malware authors. He floated an idea to sniff Russian GSM cell phone signals in order to eavesdrop on hackers' voice calls and text messages.
