Oct 31 2012

Feds Say No Dice in Retrieving Your Data Seized in Megaupload Case

Photo: Parker Miles Blohm/Flickr

Federal prosecutors are proposing a process that would make it essentially impossible for former Megaupload users to recover their data. The government seized the file-sharing service’s servers and domain names in January as part of its criminal copyright infringement prosecution of Megaupload’s employees.

That’s according to Julie Samuels, an Electronic Frontier Foundation attorney representing an Ohio man seeking the return of his high school sports footage.

“It’s almost an insurmountable hurdle for any individual or small business,” Samuels, in a telephone interview Wednesday, said of the government’s position.

The government asserted in a court filing Tuesday that the process of returning videos to EFF client Kyle Goodwin, so far the only individual to come forward demanding return of data, “may require the testimony of numerous witnesses, including potential expert witnesses.”

The government’s position comes as people increasingly store documents in the cloud, while the government, in the name of protecting intellectual property, has shown a willingness to seize servers and domain names first and worry later about the consequences, such as the lack of any clear process for returning data to its rightful owners.

The government fears that a rush of some of the 60 million-plus former Megaupload customers could make claims to get their data back. The government says that Goodwin’s court declaration asserting he owns files in a Megaupload account is not good enough.

“Mr. Goodwin has yet to demonstrate whether he has an interest in any property seized by the government,” the authorities said in a brief filing. The government added that “the mere fact that he may claim, for example, an initial copyright to a version of the files he uploaded is not sufficient to establish that he has an ownership interest in the property that is the subject of this motion.”

Goodwin wants U.S. District Judge Liam O’Grady, the judge overseeing the Megaupload criminal infringement prosecution, to continue his order preserving the 25 petabytes of data the authorities seized in January. Goodwin, the operator of OhioSportsNet, which films and streams high school sports, wants to access his copyrighted footage that he stored on the file-sharing network. His hard drive crashed days before the government shuttered the site Jan. 19, he claims in a court filing.

The government also suggested that Goodwin may have uploaded unauthorized music to Megaupload, too, which cannot be returned.

The authorities suggested that “cheaper remedies” might exist for Goodwin to retrieve his content, “such as data recovery from Mr. Goodwin’s hard drive.”

Here’s what the government said the judge should consider before agreeing that Goodwin should get back his files:

(1) whether Mr. Goodwin has ‘clean hands’ or whether he is barred from obtaining equitable relief;

(2) the cost and technical feasibility of finding a single user’s data on the Carpathia servers;

(3) the number of other affected parties similarly situated to Mr. Goodwin;

(4) how, if at all, the government can prevent the return of infringing materials and other contraband from the servers;

(5) and whether other, cheaper remedies exist, such as data recovery from Mr. Goodwin’s hard drive.

Such issues may require the testimony of numerous witnesses, including potential expert witnesses. Many of these difficult issues may be avoided if the Court determines that Mr. Goodwin lacks an interest in the seized property, or that his interest is narrower than he currently claims.

Megaupload allowed users to upload large files and share them with others, but the feds and Hollywood allege the service was used almost exclusively for sharing copyrighted material without permission — which Megaupload denies.

A hearing on the data issue is pending.

Federal authorities have said they have copied some, but not all, of the Megaupload data, and said Carpathia, Megaupload’s Virginia-based server host, could delete the 25 million gigabytes of Megaupload data it is hosting on 1,100 servers — a decision the judge in the case has tentatively halted.

Carpathia has said it is spending $9,000 daily to retain the data, and is demanding that Judge O’Grady relieve it of that burden. Megaupload, meanwhile, wants the government to release some of the millions of dollars in seized Megaupload assets to pay Carpathia to retain the data for its defense and possibly to return data to its customers.

The criminal prosecution of Megaupload targets seven individuals connected to the Hong Kong-based file-sharing site, including founder Kim Dotcom. They were indicted in January on a variety of charges, including criminal copyright infringement and conspiracy to commit money laundering.

Five of the members of what the authorities called a five-year-old “racketeering conspiracy” have been arrested in New Zealand, pending possible extradition to the United States — though that has devolved into a political mess, after the New Zealand government admitted to spying illegally on Dotcom.

The U.S. government said the site, which generated hundreds of millions in user fees and advertising, facilitated copyright infringement of movies, often before their theatrical release, in addition to music, television programs, electronic books, and business and entertainment software. The government said Megaupload’s “estimated harm” to copyright holders was “well in excess of $500 million.”

Oct 31 2012

Tool Talk: Cracking the Code on XtremeRAT

Late last week, reports began to surface that the Israeli police (along with other regional law enforcement) were targeted by a malware attack. The entry vector was described as a phishing campaign purporting to be sent from Benny Gantz (head of the Israeli Defense Forces). Initially, details and indicators around the malware were beyond sparse. Aside from the FROM: address, little was known that could assist in any sort of investigation. Nearly 24 hours after the first reports, both details and samples of the malware started to flow. As soon as we could confirm details of the phish email and the malicious attachments, we were able to cross-reference sample data already in our malware database and connect the dots.

Generic Dropper.p (Xtrat)

Generic Dropper.p (XtremeRAT)

This is where, from the research side, things begin to get fun.

Automated malware analysis is nothing new to our industry. Most vendors (ourselves included) have tools to handle this internally, and assist our skilled human analysts with proper classification, documentation, and other recurring tasks that must occur with the daily barrage of new and unique malicious binaries. The bar for this threat, however, has been raised. With ValidEdge, we were able to generate enormous amounts of usable and actionable data from the execution of malware samples. We get feedback from basic static analysis, as well as from runtime data. We get all the usual system modification data, and full and complete network/communication data, and samples and memory dumps from second-level threats (dropped, created, downloaded entities). And it’s all done in a safe environment, with extremely robust reporting.

To fully illustrate, let’s focus on the Trojan that affected the Israeli police. In the McAfee universe, we detect this threat as Generic Dropper.p.

To start with, you simply submit your sample(s) to the ValidEdge appliance/host. The ways to do that vary depending on implementation. In my setup, it’s as simple as dropping the file, via FTP, on the appliance, then picking up the results set the same way (different directory on the FTP server). Easy and fast. I immediately had a set of results from my submission of the following sample:

Sample Data

The result sets are organized as a specific directory structure.

Analysis report sample

This is where we typically end with most tools. The exception here, from my experience, is that the appliance generates much more data to start taking action on. The way in which the information is organized is also very friendly and workable. Some basic examples follow:

Sample Data

Sample Data 2

Sample Data 3

Sample Data 4

From here we can get enough static data to build a picture of the malware and its behavior. We also have network data and full memory dumps and screenshots at our disposal should we need to dig further.

Memory dumps

PCAPs

All the secondary/dropped files are presented as well. As such, these can be easily analyzed in context.

Dropped files

Dropped files specific to this threat are detected via McAfee Global Threat Intelligence along with the current DATs.

Example:

Name: word.exe
MD5: 2BFE41D7FDB6F4C1E38DB4A5C3EB1211
Detection: Artemis!2BFE41D7FDB6
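As an added illustration (my own script, not McAfee's or ValidEdge's code), the following Python shows what a first pass over the dropped-files directory of a result set can look like: hash every dropped file, compare it against a known-bad list, and derive the Artemis-style detection name, which carries the first 12 hex characters of the MD5 as the word.exe entry above shows. The only real indicator is the word.exe MD5 quoted above; the result directory, the file contents and the second known-bad entry are constructed for the demo, and the `demo()` helper builds them in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicator from the article's dropped-file example (MD5 -> file name).
KNOWN_BAD = {"2bfe41d7fdb6f4c1e38db4a5c3eb1211": "word.exe"}


def md5_of_file(path):
    """Stream the file through MD5 so large dropped files are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def artemis_name(md5hex):
    """Artemis detection names carry the first 12 hex characters of the sample's MD5."""
    return "Artemis!" + md5hex[:12].upper()


def triage_dropped(results_dir, known_bad=KNOWN_BAD):
    """Walk a result set, hash every file under it and flag hashes on the known-bad list."""
    findings = []
    for path in sorted(Path(results_dir).rglob("*")):
        if not path.is_file():
            continue
        digest = md5_of_file(path)
        hit = digest in known_bad
        findings.append({
            "name": path.name,
            "md5": digest.upper(),
            "known_bad": hit,
            "detection": artemis_name(digest) if hit else None,
        })
    return findings


def demo():
    """Build a constructed result directory (not real ValidEdge output) and triage it."""
    with tempfile.TemporaryDirectory() as root:
        dropped = Path(root) / "dropped"
        dropped.mkdir()
        # Constructed stand-ins: neither file is a real sample.
        (dropped / "word.exe").write_bytes(b"MZ constructed stand-in for the dropped payload")
        (dropped / "readme.txt").write_bytes(b"benign constructed text file")
        # Add the constructed payload's hash to the indicator list so the demo shows a hit.
        indicators = dict(KNOWN_BAD)
        indicators[md5_of_file(dropped / "word.exe")] = "word.exe"
        return triage_dropped(root, indicators)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointing `triage_dropped()` at a real result set and feeding it a hash list exported from GTI or a DAT would give the same table for actual dropped files; the MD5 is used here only because that is the identifier the detection name is built from, so a collision-resistant hash such as SHA-256 should be stored alongside it for any list meant to be shared.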

At this point you have plenty of information to understand what this threat is doing, how it communicates, and much more. Some would argue that deep malware analysis is an art form. But to embark on that sort of journey you need enough data to make constructive, creative, and accurate decisions. Tools like ValidEdge do exactly that.

If you would like to learn more, you can read the following sources:

Oct 31 2012

Sandy Storms Inboxes

Hurricane Sandy, one of the most devastating superstorms in decades, has hit the US East Coast. Having caused the loss of lives and businesses and left countless people without electricity, Sandy has now added spam to its list of miseries. We are observing spam messages related to the hurricane flowing into Symantec Probe Networks. The top word combinations in message headlines are "hurricane – sandy", "coast – sandy", "sandy – storm", and "sandy – superstorm."

Figure 1. Message volume over a two-day period

Typical spam attacks like "Gift card offer" and "Money making & Financial" spam are currently targeting the disaster. Below are the screenshots of some spam samples.

The following are examples of subject lines seen in the spam messages:

  • Help Sandy Victims and get $1000 for Best Buy!
  • Sandy Strikes... [WARNING]
  • Deposit Processing Open Today (Frankenstorm doesn't stop us)
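As an added example (my own code, not Symantec's), here is a small Python scorer that does two things the post describes: it counts which word pairs co-occur most often across a batch of subject lines, and it flags subjects that combine a storm theme with a lure such as a gift card or a dollar amount. The three subject lines quoted above are included in a constructed sample set alongside four constructed ones; the stop-word, theme-word and lure-word lists are assumptions made for the demo.

```python
import re
from collections import Counter
from itertools import combinations

# Word pairs the post reports as the most frequent in Sandy spam subject lines.
DISASTER_PAIRS = {
    ("hurricane", "sandy"), ("coast", "sandy"),
    ("sandy", "storm"), ("sandy", "superstorm"),
}
# Theme, lure and stop-word lists are assumptions for this demo, not Symantec's lists.
THEME_WORDS = {"sandy", "superstorm", "frankenstorm", "hurricane"}
LURE_WORDS = {"gift", "card", "deposit", "donate", "free", "win", "winner", "offer"}
STOPWORDS = {"a", "and", "the", "for", "get", "of", "to", "in", "us", "you"}

# Constructed sample set: the first three subjects are the ones quoted in the post,
# the remaining four are made up for the demo.
SAMPLE_SUBJECTS = [
    "Help Sandy Victims and get $1000 for Best Buy!",
    "Sandy Strikes... [WARNING]",
    "Deposit Processing Open Today (Frankenstorm doesn't stop us)",
    "Hurricane Sandy relief: donate now",
    "East coast Sandy storm photos you must see",
    "Hurricane Sandy: coast pictures",
    "Weekly team meeting moved to Thursday",
]


def tokenize(subject):
    """Lower-cased words and dollar amounts, with stop words dropped."""
    return [w for w in re.findall(r"\$?[a-z0-9]+", subject.lower()) if w not in STOPWORDS]


def word_pairs(subject):
    """Unordered word pairs present in one subject, as alphabetically ordered tuples."""
    return set(combinations(sorted(set(tokenize(subject))), 2))


def pair_counts(subjects):
    """Co-occurrence counts across a batch: the metric behind 'top word combinations'."""
    counts = Counter()
    for subject in subjects:
        counts.update(word_pairs(subject))
    return counts


def classify(subject):
    """Flag a subject on a reported pair, or on a storm theme combined with a lure."""
    tokens = set(tokenize(subject))
    pair_hits = sorted(word_pairs(subject) & DISASTER_PAIRS)
    lure_hits = sorted(t for t in tokens if t in LURE_WORDS or t.startswith("$"))
    themed = bool(tokens & THEME_WORDS)
    flagged = bool(pair_hits) or (themed and bool(lure_hits))
    return {"subject": subject, "pairs": pair_hits, "lures": lure_hits, "flagged": flagged}


def classify_all(subjects):
    return [classify(s) for s in subjects]


if __name__ == "__main__":
    for pair, n in pair_counts(SAMPLE_SUBJECTS).most_common(5):
        print(n, pair)
    for result in classify_all(SAMPLE_SUBJECTS):
        print(result)
```

Note the second quoted subject, "Sandy Strikes... [WARNING]": it contains a theme word but neither a reported pair nor a lure, so this scorer leaves it unflagged. That is deliberate, since a storm name alone also appears in legitimate news and relief mail, and it shows why subject-line heuristics are only one signal beside sender reputation and URL checks.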

Spammers taking advantage of disasters is nothing new. Previously, for example, we witnessed phishing and spam campaigns using the Haiti earthquake as a means of spreading. We anticipate fake news, photos, donation requests, 419 scams, phishing campaigns, and malicious video link attacks will be seen over the coming few days.

We advise users to follow best practices while online. Rather than clicking on links contained in emails, users should type website addresses directly into their browser to view any online video.

Finally, never donate money or buy products through wire transfer services or similarly untraceable methods of payment. Instead, reach out to the storm victims through legitimate and secure channels.

As always, we will be continuously updating our anti-spam filters to block these emails from reaching users.

Thanks to Anand Muralidharan for contributing to this blog.

Oct 30 2012

Supreme Court to Decide if Drug Dogs Pass Constitutional Smell Test

Miami-Dade County Police Department K-9 “Franky” has discovered more than 2.5 tons of marijuana. Photo: Courtesy of Miami-Dade County Police Department

The Supreme Court on Wednesday is set to hold oral arguments concerning the novel question of whether judges may issue search warrants for private residences when a drug-sniffing dog outside the home reacts as if it smells drugs inside.

In a second case involving drug-sniffing dogs, the justices also will entertain arguments Wednesday concerning a Florida Supreme Court decision allowing defendants to challenge the authenticity of a drug sniff, by bringing up past evidence of false alerts and how well-trained the dog and handler were.

The home-sniff case, also arriving from the Florida Supreme Court, tests a decade-old U.S. Supreme Court precedent in which the justices ruled that police need a warrant to use thermal-imaging devices outside a house to detect marijuana-growing operations, saying it amounted to a search. In that case, the high court ruled in 2001 that “rapidly advancing technology” threatens the core of the Fourth Amendment “right of a man to retreat into his own home and there be free from unreasonable governmental intrusion.”

Wednesday’s argument in the home-search case concerns a suspected Florida drug dealer and tests the limits of government intrusion into the home — substituting drug-sniffing dogs for thermal-imaging devices. The justices and lower courts have routinely sanctioned search warrants based on trained drug-detecting dogs responding to packages like airport luggage or vehicles stopped during routine traffic stops.

The issue is being watched closely by at least 18 states that warned the Supreme Court that the case “jeopardizes a widely used method of detecting illegal drugs” (.pdf). The Obama administration has also weighed in, telling the justices that a drug-sniffing dog’s duties amount to no search at all (.pdf) — and hence no Fourth Amendment scrutiny is warranted.

The case before the justices stems from a Florida Supreme Court ruling last year in which Florida’s justices tossed evidence of 179 pot plants that Miami-Dade County authorities seized from the residence of Joelis Jardines in 2006. Authorities made the bust after a trained dog “alerted,” or indicated that it detected drugs, while outside the home.

Florida’s top court said the case, which comes as studies suggest drug-sniffing dogs reflect police bias or are wrong, sets a bad precedent and “invites overbearing and harassing conduct.”

Such a public spectacle unfolding in a residential neighborhood will invariably entail a degree of public opprobrium, humiliation and embarrassment for the resident, for such dramatic government activity in the eyes of many — neighbors, passers-by, and the public at large — will be viewed as an official accusation of crime. Further, if government agents can conduct a dog ‘sniff test’ at a private residence without any prior evidentiary showing of wrongdoing, there is nothing to prevent the agents from applying the procedure in an arbitrary or discriminatory manner, or based on whim and fancy, at the home of any citizen. Such an open-ended policy invites overbearing and harassing conduct.

The dog used to nab Jardines was Franky, a chocolate Labrador. Miami-Dade County officials said the canine, now retired, discovered more than 2.5 tons of marijuana, 80 pounds of cocaine and millions in cash during its career.

Jardines’ attorney, Howard Blumberg, urged the justices to uphold the Florida Supreme Court. He said the government’s deployment of a dog was akin to the “device” (.pdf) used in the thermal-imaging case. The dog, like thermal imaging equipment, was used “to explore details of the home that would previously have been unknowable without physical intrusion.”

Florida prosecutors told the high court that it must undo the Florida Supreme Court decision, saying dog searches are a “valuable tool” (.pdf).

Law enforcement is significantly hampered if required to develop probable cause without the assistance of dogs. The Florida Supreme Court’s decision requires that the officers have probable cause before employing a dog. It is the dog’s alert, however, that often provides the probable cause to obtain the search warrant. This Court should grant certiorari to directly hold that a dog sniff of a house is not a search and to restore this valuable tool in the detection of numerous illegal and dangerous activities to law enforcement.

In the other case to be argued Wednesday, the Florida Supreme Court last year invalidated a search that found meth-making chemicals in the vehicle Clayton Harris was driving, and suppressed the evidence that was seized based on an alert by Aldo, a Labrador retriever. The court said an alert by the truck’s door handle was insufficient evidence by itself to get a warrant to search Harris’ truck. Florida’s high court said other evidence was required, like the dog’s track record, and records regarding the handler’s and the dog’s background and training.

The Florida high court said that the courts always side with the dog “with an almost superstitious faith” and that “the dog is the clear and consistent winner.”

The Supreme Court justices usually rule weeks or months after arguments. There is no opinion-detecting dog that can help predict when a ruling is ready or how the court will rule.