Remote Forensics Trojans, Surveillance and Investigations

Tuesday, August 07, 2012

Pierluigi Paganini

03b2ceb73723f8b53cd533e4fba898ee

(Translated from the original Italian)

No doubts, one of the most advanced cyber threats is malware diffusion, and we read daily news regarding new unknown agents developed by cybercriminals, governments or hacktivists, but are we really ready to reduce the exposure of our technical resources?

Some weeks ago some news had passed without too much noise, but I believe it is really interesting, and that's why I decided to examine it.

Doctor Web, a Russian anti-virus company, had detected a cross-platform Trojan horse that is able to gain full control of its targets and can render the system unusable. The agent, dubbed BackDoor.DaVinci.1, runs both on Windows and Mac OS X, and what is most interesting are the characteristics of the Mac OS X release which for the first time implements rootkit technologies to hide the malware processes and files.

The first question is who has developed the backdoor?

According to the info available, the Trojan has been designed by the Italian HackingTeam, a security firm  which has specialized in the development of offensive solutions for cyber investigations.

On the company's website it is possible to find the following description on the dubious product:

"In modern digital communications, encryption is widely employed to protect users from eavesdropping. Unfortunately, encryption also prevents law enforcement and intelligence agencies from being able to monitor and prevent crimes and threats to the country security. Remote Control System (RCS) is a solution designed to evade encryption by means of an agent directly installed on the device to monitor. Evidence collection on monitored devices is stealth and transmission of collected data from the device to the RCS server is encrypted and untraceable. For Governmental LEAs and Agencies ONLY."

For the record, the name HackingTeam was published in the SpyFile dossier by the WikiLeaks's Team, regarding the technologies developed for surveillance and control of communication channels.

(click image to enlarge)

The malware appears to be a very smart agent that is able to hide its presence from security systems, and is also able to infect mobile devices.

Its spread as a signed AdobeFlashPlayer.jar file, obviously the signature it has uses an invalid digital certificate. The file is used to analyze the OS version of victim and execute malicious code:

(click image to enlarge)

The malware, following a valid design, is modular and its core components are represented by the backdoor module and a set of drivers that make possible the operation in hidden mode.

All the instances of the malware share the same configuration settings stored in a dedicated file and it is equipped with a large collection of module to elude antivirus software and firewalls.

After Doctor Web's discovery, other security firms have detected the cyber espionage tool, giving it different name - for example, the Kaspersky Lab team named it Morkut and provided the first analysis in a blog post.

According to a Mikko Hypponen (F-Secure) Tweet...

"The Mac backdoor in the news (DaVinci/Morcut/Crisis/Flosax) is a commercial espionage trojan, and openly advertised on www.hackingteam.it"

The developers of the BackDoor.DaVinci.1 maintain that their product is able to elude any anti-virus program, but Doctor Web's antivirus is able to detect it... we can bet that a game of "cops and robbers" has begun, and the HackingTeam is already working to introduce improvements that can make their malware undetectable.

TheDaVinci backdoor is not a common type of malware, as it was released in the wild without controls, but it is a commercial surveillance Trojan sold mainly to governments, used to monitor thousands of people all over the world.

Of course, the product of the Italian firm is not the only one, for example remeber the FinFisher product developed by Gamma Company, and similar products have been used by law enforcement and also by authoritarian regimes such as Egypt and Bahrain.

Their use is becoming more frequent, and the thought that a maliciuos agent could defeat computer defenses for espionage and for offensive purposes is not very reassuring.

"Once released their software these companies are actually able to control the diffusion of the malware? What could happen if a foreign government or a group of cyber criminals make a reverse engineering of the products, developing its own malware resulting no easily identifiable that could be used for cyber espionage on a large scale? Are we really ready to this?"

Unfortunately, although similar instruments may be justifiable, such as in support for investigations and prevention of crime and terrorism, they are too easily sold to governments that use them for tracking and the persecution of dissidents.

It should be mentioned that in court, similar tools could not to be admitted as evidence in any way, and the provider must ensure that the instrument will not alter the nature of information gathered. I state that I'm not discussing any specific case, but it is evident that in the course of proceedings by authorities, the information collected may not be deemed reliable for some legal loopholes.

The very fact that a Trojan alters the nature of the system that it infects leads to the rejection of the gathered evidence, and lawyers often maintain that once compromised it is impossible to guarantee that the data collected from a chat is legitimate and not deliberately inserted by the malware.

The EU Council has recently recommended that Member States should strive for the examination of computers remotely is suspicious, and there are still too many unresolved technical and legal aspects. The experience that Germany has done in its attempt to regulate the use of tools for "remote forensics" by those who must enforce the law is helpful in this regard.

A new generation of technologies, such as software agents and Trojans, has unique features that distinguish them from existing technologies currently used in investigations.

"During the investigation, these technologies can act independently. Their autonomous decision-making enables them to replace at least some of the functions previously performed by a human, and without the direct supervision of a human controller. This raises the question whether the rules that give human rights to officials can be applied by analogy to software agents, and if the rules are intended to limit the interference of the police citizen's rights can be circumvented by using technology (Schafer, 2006)."

Another problem... companies that provide free anti-virus and those that provide the control systems are not necessarily in the same jurisdiction of the entities, causing conflicts with relevant privacy laws.

How should the person carrying out investigations in relation to suppliers of antivirus? Ask for their cooperation or proceed in seeking to evade them? At the moment it would seem that the second road is most traveled, at least by the German government (BT-Drucksache 16/4995).

Other question... The data collection is automated, no human subject will decide which data will be relevant and should be copied, but this may involve the collection of other data recorded on the computer that is irrelevant to the investigation.

This data could be potentially problematic and highly sensitive, such as medical and health information, and therefore protected from investigations that the authorities can not analyze and use.

A judgment of the German Federal Supreme Court has established as a requirement for the use of RFS tools by law enforcement agencies for the custody of the selection process is conducted by an investigating judge, a state prosecutor or a bailiff (BVerfG, NJW 2008, 822), but the German judicial system does not have sufficient human resources.

Traditionally in forensic investigations, computers are taken off-line to ensure that there aren't changes and that the object of the investigation is in the same condition when the evidence is admitted as it was when the crime was found to take place.

The use of a Trojan for investigations requires the authorities to reach target machines remotely which, however, remain in the control of the suspect and remain connected to the network before, during and after the operations of inspection.

Thus the problem of acquisition using RFS tools is that not only is the original source (the computer) not subjected to seizure, but is not in a static environment and can be manipulated. As a general rule, evidence obtained from an unsecured network, such as the Internet, can always be subject to a challenge to its authenticity and reliability.

The attempt to subject statutory regulation in the use of malware for investigations produces new ambiguities, and it must be promoted a common approach applicable to the entire class of investigative technologies.

The debate is open, and there are many doubts, but there is no ambiguity that these agents have efficacy for those governments who want to spy on and pursue their opponents... from an ethical point of view, there is much to discuss, but this is not the appropriate forum.

Cross-posted from Security Affairs

Possibly Related Articles:
10316
Viruses & Malware
Information Security
Antivirus Legal malware Investigation Law Enforcement backdoor Advanced Evasion Techniques Offensive Security Remote Forensics Trojans
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.