Carrier IQ Explains Secret Monitoring Software to FTC, FCC

Carrier IQ, the embattled phone-monitoring software maker, said Wednesday it had met this week with officials from the Federal Communications Commission and the Federal Trade Commission “to educate the two agencies about the functionality of its software and answer any and all questions.”

The company, referring to the FTC, was quick to add that “We are not aware of an official investigation into Carrier IQ at this time.” The statement comes nearly two weeks after Rep. Edward Markey (D-Massachusetts) urged the trade commission to open an inquiry into Carrier IQ.

“Consumers and families need to understand who is siphoning off and storing their personal information every time they use their smart phone,” Markey said. “I am asking the Federal Trade Commission to investigate this practice, and I will continue to monitor this important privacy issue.”

As a rule, the FCC does not confirm or deny whether it is investigating a company for violating unfair business practices.

Carrier IQ executives told Wired two weeks ago that the Mountain View, California company’s wares, secretly installed on some 150 million phones, have the capacity to log web usage, and to chronicle where and when and to what numbers calls and text messages were sent and received.

The company’s Wednesday statement comes amid a firestorm targeting the 6-year-old company. Carriers Sprint, AT&T and T-Mobile, along with Carrier IQ, are the subject of lawsuits, accusing them of secretly spying on customers. The software came to light when a Connecticut researcher weeks ago released a video showing what he believed was Carrier IQ chronicling every keystroke from a mobile handset.

The telecoms and Carrier IQ maintain that the software is used exclusively to enhance the mobile-phone “user experience,” giving carriers the ability to know which apps are crashing phones and, among other things, where new phone towers are needed.

The software maker said the data it vacuums to its servers from handsets is vast — as the software also monitors app deployment, battery life, phone CPU output and data and cell-site connectivity, among other things. But, the company said, the software is not logging every keystroke.

Congress Authorizes Pentagon to Wage Internet War

The ancient art of war is coming to the internet.

The House and Senate agreed to give the U.S. military the power to conduct “offensive” strikes online — including clandestine attacks, via a little-noticed provision in the military’s 2012 funding bill.

The power, which was included in the House version but not the Senate version, was included in the final “reconciled” bill that is all but guaranteed to pass into law.

Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to–
(1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and
(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).

While “offensive” action isn’t defined, that’s likely to include things like unleashing a worm like the Stuxnet worm that damaged Iran’s nuclear centrifuges, hacking into another country’s power grid to bring it down, disabling websites via denial-of-service attacks, or as the CIA has already done with some collateral damage, hacking into a forum where would-be terrorists meet in order to permanently disable it.

The conference report goes on to say:

The conferees recognize that because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in relation to cyber operations and that it is necessary to affirm that such operations may be conducted pursuant to the same policy, principles, and legal regimes that pertain to kinetic capabilities.

The conferees also recognize that in certain instances, the most effective way to deal with threats and protect U.S. and coalition forces is to undertake offensive military cyber activities, including where the role of the United States Government is not apparent or to be acknowledged. The conferees stress that, as with any use of force, the War Powers Resolution may apply.

Despite mainstream news accounts, there have been no documented hacking attacks on U.S. infrastructure designed to cripple it. A recent report from a post-9/11 intelligence fusion center that a water pump in Illinois had been destroyed by Russian hackers turned out to be baseless — it was simply a contractor logging in from his vacation at the behest of the water company.

Over the last few years, there’s been a drumbeat from D.C. and security contractors about the possibility of “cyberwar,” and the military has been pushing for, and largely receiving, increased funding for internet security research and more power to monitor and operate on the civilian internet.

Chinese hackers, perhaps affiliated with the government, have targeted large U.S. corporations, defense contractors and human rights groups with data-stealing trojans, something Bloomberg News trumpeted Tuesday as an “undeclared global cyber war.”

However, spying isn’t an act of war — just ask the NSA and CIA, who spend billions of dollars a year spying on other countries by intercepting communications and persuading foreign citizens to give the U.S. valuable intelligence. It’s certainly an aggressive state action, and a diplomatic issue. But if spying was an act of war, every CIA agent hiding under diplomatic cover would count as cause for a country to attack the U.S.

After perfunctory votes in both the House and Senate, the spending measure — and the cyberwar green light — will go to the President for his signature.

Via Stephen Aftergood’s Secrecy News.

Inside Adobe Reader Zero-Day Exploit CVE 2011-2462

Recently a critical vulnerability has been identified in Adobe Reader X and Adobe Acrobat X versions 10.1.1 and earlier for Windows and Mac OS, and in Reader 9.4.6 and Reader 9.x versions for Unix. This zero-day vulnerability (CVE-2011-2462) could allow an attacker to execute arbitrary code and silently take control of a victim’s machine. The flaw is currently being exploited in the wild. Adobe says it will release a patch this week.

McAfee researchers analyzed the exploit (the sample circulating in the wild), figured out how the vulnerability is exploited, and identified the malicious binary that allows an attacker to take control of the system.

Using the MD5 algorithm we found a hash value of b025b06549caae5a7c1d23ac1d014892. The technique used in this exploit has been known to researchers for ages.

Here’s what we found as output when we ran the PDFiD tool against this exploit.

Looking at the output, we can immediately tell what this exploit contains. Like many other exploits in the wild, this document uses /JavaScript together with /OpenAction to launch its malicious JavaScript; that combination alone makes the document suspicious to any researcher.

/JS and /JavaScript indicate that the PDF contains JavaScript; /OpenAction specifies an action to be performed automatically when the document is opened. Let’s take a deeper look at the object structure of the PDF and find out what is interesting.
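The keyword triage described above can be reproduced without PDFiD. The following Python script is an added example, not McAfee’s tool or code from this post: it counts the same kind of names PDFiD reports (/JS, /JavaScript, /OpenAction, /AA, /3D and friends) in a constructed sample PDF, after resolving the #xx hex escapes that some samples use to hide those names, and flags the JavaScript-plus-OpenAction combination the post calls out. The sample document and keyword list are my own; the regex-based counting is a simplification of what PDFiD does.

```python
import re

# Constructed sample, not the real exploit: a minimal PDF whose catalog has an
# /OpenAction pointing at a JavaScript action, plus a 3D annotation. The action
# type is written with a PDF hex escape (/Ja#76aScript == /JavaScript) to show
# why names must be normalized before counting.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 14 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [11 0 R] >> endobj
11 0 obj << /Type /Annot /Subtype /3D /3DD 10 0 R >> endobj
14 0 obj << /S /Ja#76aScript /JS 15 0 R >> endobj
15 0 obj << /Length 0 /Filter [/ASCIIHexDecode /FlateDecode] >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names worth counting, in the spirit of PDFiD's report.
KEYWORDS = [
    b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/3D", b"/3DD", b"/U3D",
    b"/ObjStm", b"/AcroForm", b"/XFA",
]

HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside PDF names so /Ja#76aScript counts as /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each keyword; the lookahead stops /JS matching /JSX or /3D matching /3DD."""
    normalized = normalize_names(data)
    return {
        kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", normalized))
        for kw in KEYWORDS
    }


def triage(data: bytes) -> list:
    """Turn raw counts into the findings an analyst would note first."""
    c = count_keywords(data)
    findings = []
    has_js = c["/JS"] or c["/JavaScript"]
    if has_js:
        findings.append("contains JavaScript")
    if has_js and (c["/OpenAction"] or c["/AA"]):
        findings.append("JavaScript runs automatically on open (/OpenAction or /AA)")
    if c["/3D"] or c["/3DD"] or c["/U3D"]:
        findings.append("embeds 3D (U3D) annotation data")
    if c["/Launch"]:
        findings.append("/Launch action present")
    if c["/EmbeddedFile"]:
        findings.append("embedded file present")
    # Hex escapes inside a name are legal but rare in benign files; call them out.
    if re.search(rb"/[A-Za-z0-9]*#[0-9A-Fa-f]{2}", data):
        findings.append("hex-escaped names (possible keyword obfuscation)")
    return findings


if __name__ == "__main__":
    for name, n in count_keywords(SAMPLE_PDF).items():
        if n:
            print(f"{name:14s} {n}")
    for f in triage(SAMPLE_PDF):
        print("finding:", f)
```

Counting names this way is a first-pass filter, not a verdict: a document that keeps its JavaScript inside a compressed object stream (/ObjStm) will show only that keyword, which is why it is on the list and why a real triage goes on to inflate the streams.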

Object Analysis of the PDF document

Object 1 contains the author, email address and website: ordinary metadata.

Object 4 has an /OpenAction reference to object 14, which seems particularly interesting. Let’s take a look at what is in the referenced object.

Object 14, as seen above, has the stream link to object 15, which contains the actual compressed JavaScript.

This is the malicious JavaScript that is encoded twice, first with ASCIIHexDecode and then with FlateDecode. These stream filters will indicate to Reader how to decode the streams while opening the document. This combination of stream filters is widely used in exploits to compress the code. We’ll take a look at the JS code a little later in this analysis. In the meantime, let’s move further into the object structure analysis of the PDF.

Object 11 links to the stream in Object 10, as seen below. That stream holds the Flate-encoded 3D annotation data, which Reader inflates and displays when the page is rendered.

According to Adobe’s 3D annotations documentation, the 3DD entry of the annotation dictionary specifies the Flate-encoded data stream containing the U3D data. That’s exactly what we see in Object 10, as shown below.

This U3D data is likely to cause memory corruption and trigger the vulnerability. Object 16 is of special interest to us. Let’s see how this object looks.

This object does not have any references and contains the stream that is supposed to be Flate encoded. This stream contains the malicious XORed executable that is dropped after successful exploitation. Let’s see if we can figure out the XOR key.

The executable is XORed with 0x12. So this stream was not Flate encoded at all; it was simply XORed to embed the malicious file. This technique is commonly used in exploits to hide the payload and evade AV detection.
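Recovering the payload from Object 16 illustrates a common analysis step: the dictionary claims /FlateDecode, inflation fails, and a single-byte XOR turns out to be the real encoding. The Python below is an added example, not McAfee’s code, that handles exactly that failure mode on a constructed, PE-shaped byte string. The key is recovered by requiring a consistent MZ/PE header rather than by guessing; 0x12 is used for the constructed sample because it is the key the post reports, but the code finds it rather than assuming it.

```python
import struct
import zlib


def build_fake_pe() -> bytes:
    """Constructed PE-shaped sample, not the real dropped binary: a DOS header whose
    e_lfanew points at a 'PE\\0\\0' signature, which is enough for header validation."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew: PE header lives at 0x80
    body = bytes(dos) + b"This program cannot be run in DOS mode.\r\n$"
    body += b"\x00" * (0x80 - len(body))
    body += b"PE\x00\x00" + b"\x4c\x01"              # signature + IMAGE_FILE_MACHINE_I386
    return body + b"\x00" * 32


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Require both MZ and a PE signature at e_lfanew, so a lucky 'MZ' alone is not enough."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(data: bytes):
    """Brute-force the single-byte key; return None if no key yields a consistent PE header."""
    for key in range(256):
        if looks_like_pe(xor_bytes(data, key)):
            return key
    return None


def decode_stream(raw: bytes, declared_filter: str):
    """Decode a stream whose /Filter entry may be a lie, as Object 16's turned out to be.
    Returns (how_it_was_decoded, payload)."""
    if declared_filter == "/FlateDecode":
        try:
            return "flate", zlib.decompress(raw)
        except zlib.error:
            pass  # declared Flate but not deflate data: fall through to the XOR scan
    key = recover_xor_key(raw)
    if key is not None:
        return f"xor:0x{key:02x}", xor_bytes(raw, key)
    return "unknown", raw


# Two constructed streams: one genuinely Flate-encoded, one XORed with 0x12
# behind a /FlateDecode label (the situation the post describes).
FLATE_STREAM = zlib.compress(build_fake_pe())
XORED_STREAM = xor_bytes(build_fake_pe(), 0x12)

if __name__ == "__main__":
    for label, stream in (("flate", FLATE_STREAM), ("xored", XORED_STREAM)):
        how, payload = decode_stream(stream, "/FlateDecode")
        print(f"{label}: decoded via {how}, PE header valid: {looks_like_pe(payload)}")
```

The header check is the important design choice: matching only the two bytes "MZ" yields a false key about one time in 65,536 per candidate, whereas also requiring "PE\0\0" at e_lfanew makes an accidental hit negligible. A multi-byte or rolling XOR would not be found by this scan and would need the usual known-plaintext approach against the DOS stub string instead.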

Let’s take a look at the decoded JS code from Object 15 to understand what it does.

This code checks for supposedly nonexistent versions of Reader and apparently enters an infinite loop if the version is greater than 10.0. The code appears to use a heap-spray technique to exploit this vulnerability and execute the shellcode. The end of this code checks for the Windows platform and, if it is running on Windows, sets the document to page 2, which renders the 3D data specified by the U3D file and triggers the corruption.

The heap-spray function in the JS code looks like this:

The last function call in the preceding figure allocates the memory and fills up the heap as seen below:

Launching this exploit on Windows with Reader 9.4.6 installed will crash and open the new document “2012 Federal Employee Pay Calender.pdf.”

It spawns a new process, pretty.exe, and finally injects WSE4EF1.TMP into the iexplore.exe process, which connects to the control server.

Looking at pretty.exe, we see that it looks for outlook.exe, iexplore.exe, and firefox.exe. It then injects the code into whichever process it finds open on the victim’s machine.

Network Communications

Once the code is injected into any of these open processes, a connection is made to the domain prettylikeher.com (IP: 72.30.2.43, as resolved at execution time) on port 443. Assuming it uses SSL for command and control, we hooked the WinInet.SecureSend and WinInet.SecureReceive APIs to see what was sent inside the encrypted request. We found the following decrypted clear-text traffic:

The server responded with HTTP 301. The location header had the HTTP link.

Next, the HTTP GET request shown below is initiated. The URI query string contains the hostname of the victim’s machine with its IP address appended. The SSL and plain HTTP requests turned out to be identical.

Analysis of the Injected DLL WSE4EF1.TMP

Looking at the injected DLL, the following code forms the HTTP GET request along with the URI query parameters:

This DLL also seems to be virtual-machine aware. While analyzing the code, we came across the VM check that is performed via the SIDT instruction:

SIDT    FWORD PTR SS:[EBP-8]
EAX, DWORD PTR SS:[EBP-6]
CMP     EAX, 8003F400
JBE     SHORT WSE4EF1.10001C88
CMP     EAX, 80047400
JNB     SHORT WSE4EF1.10001C88

Further analysis of the control code of the DLL reveals that the following commands can be run on the victim’s system: Cmd, Shell, Run, Getfile, Putfile, Kill, Process, Reboot, Time, Door.

McAfee Coverage for Exploit CVE-2011-2462

McAfee Intrusion Prevention (formerly IntruShield) has released coverage for the exploit under attack ID 0x402b1a00, “HTTP: Adobe Reader and Acrobat U3D Memory Corruption Remote Code Execution.” McAfee customers with up-to-date installations are protected against this malware.

Acknowledgments

I would like to thank my colleagues Hardik Shah, Swapnil Pathak, and Amit Malik for analyzing this vulnerability and contributing to this blog.

Megaupload: Pop Star’s Contract Proves YouTube Takedown Was Bogus

Megaupload bolstered its legal case against the recording industry for forcing YouTube to remove the company’s all-star promotional video, arguing that a copyright takedown notice was bogus since it had secured the signature of Black Eyed Peas front man will.i.am to appear in a video singing the file-sharing service’s praises.

The Hong Kong-based file-sharing service lodged the contract (.pdf) in federal court Wednesday as proof it had the right to include will.i.am singing, “When I’ve got to send files across the globe, I use Megaupload.”

The four-minute video featuring will.i.am and a host of other stars, including Kanye West, Mary J. Blige, Estelle and Diddy was removed from YouTube last week after Universal Music and the front man’s attorney sent YouTube takedown notices under the Digital Millennium Copyright Act.

Megaupload has been a thorn in the side of the recording industry, which views Megaupload as a facilitator of rampant copyright infringement. Megaupload filed suit Monday, saying the takedown was a “sham” to silence brand-name stars from endorsing the service, and it wants a judge to order the video back online and fine Universal Music for the bogus notice.

Kim Dotcom, the chief innovation officer of the file sharing service that boasts some 50 million users, told (.pdf) a federal judge in a Thursday filing that “an attorney for will.i.am sent a DMCA notice and takedown to YouTube in connection with the Megaupload video.” Dotcom added that, “I had spoken directly with will.i.am about this issue, and he personally advised me that he absolutely had not authorized the submission of any takedown notice on his behalf.”

Under the DMCA, online service providers like YouTube lose legal immunity for their users’ actions if they don’t remove allegedly infringing content if asked to by rights holders. If the content is not removed, companies such as YouTube and Flickr could be held liable for damages under the Copyright Act, which carries penalties of up to $150,000 per violation.

Ken Hertz, will.i.am’s attorney in Beverly Hills, California, did not respond to a request for comment. But on Tuesday, he told the Hollywood Reporter that he had sent a takedown notice because his client did not endorse the video.

Adding to the confusion, Universal Music’s takedown notice to YouTube over the same video was filed on behalf of New Zealand songwriter-singer Gin Wigmore, who isn’t even in the video.