Part 3 (2/2)

Just a demo Some of this work was clearly for demonstration purposes, and much of it was probably never deployed in the field. For instance, HBGary began $50,000 of work for General Dynamics on ”Task C” in June 2009, creating a piece of malware that infiltrated Windows machines running Microsoft Outlook.

The target user would preview a specially crafted e-mail message in Outlook that took advantage of an Outlook preview pane vulnerability to execute a bit of code in the background. This code would install a kernel driver, one operating at the lowest and most trusted level of the operating system, that could send traffic over the computer's serial port. (The point of this exercise was never spelled out, though the use of serial ports rather than network ports suggest that cutting-edge desktop PCs were not the target.) Once installed, the malware could execute external commands, such as sending specific files over the serial port, deleting files on the machine, or causing the infamous Windows ”blue screen of death.” In addition, the code should be able to pop open the computer's CD tray and blink the lights on its attached keyboards-another reminder that Task C was, at this stage, merely for a demo.

General Dynamics would presumably try to interest customers in the product, but it's not clear from the e-mails at HBGary whether this was ever successful. Even with unique access to the innermost workings of a security firm, much remains opaque; the real conversations took place face-to-face or on secure phone lines, not through e-mail, so the glimpses we have here are fragmentary at best. This care taken to avoid sending sensitive information via unencrypted e-mail stands in stark contrast with the careless approach to security that enabled the hacks in the first place. in the first place.

But that doesn't mean specific information is hard to come by-such as the fact that rootkits can be purchased for $60,000.

Step right up!

Other tools were in use and were sought out by government agencies. An internal HBGary e-mail from early 2010 asks, ”What are the license costs for HBGary rk [rootkit] platform if they want to use it on guardian for afisr [Air Force Intelligence, Surveillance, and Reconnaissance]?”

The reply indicates that HBGary has several tools on offer. ”Are you asking about the rootkit for XP (kernel driver that hides in plain sight and is a keylogger that exfiltrates data) or are you asking about 12 Monkeys? We've sold licenses of the 1st one for $60k. We haven't set a price on 12 Monkeys, but can.”

The company had been developing rootkits for years. Indeed, it had even developed a private Microsoft Word doc.u.ment outlining its basic rootkit features, features which customers could have (confirming the e-mail listed above) for $60,000.

That money bought you the rootkit source code, which was undetectable by most rootkit scanners or firewall products when it was tested against them in 2008. Only one product from Trend Micro noticed the rootkit installation, and even that alert was probably not enough to warn a user. As the HBGary rootkit doc.u.ment notes, ”This was a low level alert. TrendMicro a.s.saults the user with so many of these alerts in every day use, therefore most users will quickly learn to ignore or even turn off such alerts.”

When installed in a target machine, the rootkit could record every keystroke that a user typed, linking it up to a Web browser history. This made it easy to see usernames, pa.s.swords, and other data being entered into websites; all of this information could be silently ”exfiltrated” right through even the pickiest personal firewall.

But if a target watched its outgoing traffic and noted repeated contacts with, say, a US Air Force server, suspicions might be aroused. The rootkit could therefore connect instead to a ”dead drop”-a totally anonymous server with no apparent connection to the agency using the rootkit-where the target's keyboard activity could be retrieved at a later time.

But by 2009, the existing generic HBGary rootkit package was a bit long in the tooth. Hoglund, the rootkit expert, apparently had much bigger plans for a next-gen product called ”12 monkeys.”

12 Monkeys The 12 Monkeys rootkit was also a contract paid out by General Dynamics; as one HBGary e-mail noted, the development work could interfere with Task B, but ”if we succeed, we stand to make a great deal of profit on this.”

On April 14, 2009, Hoglund outlined his plans for the new super-rootkit for Windows XP, which was ”unique in that the rootkit is not a.s.sociated with any identifiable or enumerable object. This rootkit has no file, named data structure, device driver, process, thread, or module a.s.sociated with it.”

How could Hoglund make such a claim? Security tools generally work by scanning a computer for particular objects-pieces of data that the operating system uses to keep track of processes, threads, network connections, and so on. 12 Monkeys simply had nothing to find. ”Since no object is a.s.sociated with the objectless rootkit, detection will be very difficult for a security scanner,” he wrote. In addition, the rootkit would encrypt itself to cloak itself further, and hop around in the computer's memory to make it even harder to find.

As for getting the data off a target machine and back to the rootkit's buyer, Hoglund had a clever idea: he disguised the outgoing traffic by sending it only when other outbound Web traffic was being sent. Whenever a user sat down at a compromised machine and started surfing the Web, their machine would slip in some extra outgoing data ”disguised as ad-clicks” that would contain a log of all their keystrokes.

While the basic rootkit went for $60,000, HBGary hoped to sell 12 Monkeys for much more: ”around $240k.”

0-day The goal of this sort of work is always to create something undetectable, and there's no better way to be undetectable than by taking advantage of a security hole that no one else has ever found. Once vulnerabilities are disclosed, vendors like Microsoft race to patch them, and they increasingly push those patches to customers via the Internet. Among hackers, then, the most prized exploits are ”0-day” exploits-exploits for holes for which no patch yet exists.

HBGary kept a stockpile of 0-day exploits. A slide from one of the company's internal presentations showed that the company had 0-day exploits for which no patch yet existed-but these 0-day exploits had not yet even been published published. No one knew about them.

The company had exploits ”on the shelf” for Windows 2000, Flash, Java, and more; because they were 0-day attacks, any computer around the world running these pieces of software could be infiltrated.

One of the unpublished Windows 2000 exploits, for instance, can deliver a ”payload” of any size onto the target machine using a heap exploit. ”The payload has virtually no restrictions” on what it can do, a doc.u.ment notes, because the exploit secures SYSTEM level access to the operating system, ”the highest user-mode operating system defined level” available.

These exploits were sold to customers. One email, with the subject ”Juicy Fruit,” contains the following list of software: VMware ESX and ESXi *

Win2K3 Terminal Services Win2K3 MSRPC Solaris 10 RPC Adobe Flash *

Sun Java *

Win2k Professional & Server XRK Rootkit and Keylogger *

Rootkit 2009 *

The e-mail talks only about ”tools,” not about 0-day exploits, though that appears to be what was at issue; the list of software here matches HBGary's own list of its 0-day exploits. And the asterisk beside some of the names ”means the tool has been sold to another customer on a non-exclusive basis and can be sold again.”

References to Juicy Fruit abound in the leaked e-mails. My colleague Peter Bright and I have spent days poring through the tens of thousands of messages; we believe that ”Juicy Fruit” is a generic name for a usable 0-day exploit, and that interest in this Juicy Fruit was high.

”[Name] is interested in the Juicy Fruit you told him about yesterday,” one e-mail reads. ”Next step is I need to give [name] a write up describing it.” That writeup includes the target software, the level of access gained, the max payload size, and ”what does the victim see or experience.”

Aaron Barr, who in late 2009 was brought on board to launch the separate company HBGary Federal (and who provoked this entire incident by trying to unmask Anonymous), wrote in one e-mail, ”We need to provide info on 12 monkeys and related JF [Juicy Fruit] asap,” apparently in reference to exploits that could be used to infect a system with 12 Monkeys.

HBGary also provided some Juicy Fruit to Xetron, a unit of the ma.s.sive defense contractor Northrop Grumman that specialized in, among other things, ”computer a.s.sault.” Barr wanted to ”provide Xetron with some JF code to be used for demonstrations to their end customers,” one e-mail noted. ”Those demonstrations could lead to JF sales or ongoing services work. There is significant revenue potential doing testing of JF code acquired elsewhere or adding features for mission specific uses.”

As the deal was being worked out, HBGary worked up an agreement to ”provide object code and source code for this specific Juicy Fruit” to Xetron, though they could not sell the code without paying HBGary. The code included with this agreement was a ”Adobe Macromedia Flash Player Remote Access Tool,” the ”HBGary Rootkit Keylogger Platform,” and a ”Software Integration Toolkit Module.”

The question of who might be interested in these tools largely remains an unknown-though Barr did request information on HBGary's Juicy Fruit just after asking for contacts at SOCOM, the US Special Operations Command.

But HBGary Federal had ideas that went far beyond government rootkits and encompa.s.sed all facets of information warfare. Including, naturally, cartoons. And Second Life.

Psyops In mid-2010, HBGary Federal put together a PSYOP (psychological operations) proposal for SOCOM, which had issued a general call for new tools and techniques. In the doc.u.ment, the new HBGary Federal team talked up their past experience as creators of ”multiple products briefed to POTUS [President of the United States], the NSC [National Security Council], and Congressional Intelligence committees, as well as senior intelligence and military leaders.”

The doc.u.ment focused on cartoons and the Second Life virtual world. ”HBGary personnel have experience creating political cartoons that leverage current events to seize the target audience's attention and propagate the desired messages and themes,” said the doc.u.ment, noting that security-cleared cartoonists and 3D modelers had already been lined up to do the work if the government wanted some help.

The cartooning process ”starts with gathering customer requirements such as the target audience, high level messages and themes, intended publication mediums... Through brainstorming sessions, we develop concept ideas. Approved concepts are rough sketched in pencil. Approved sketches are developed into a detailed, color end product that is suitable for publis.h.i.+ng in a variety of mediums.”

A sample cartoon, of Iranian President Ahmadinejad manipulating a puppet Ayatollah, was helpfully included.

The doc.u.ment then went on to explain how the US government could use a virtual world such as Second Life to propagate specific messages. HBGary could localize the Second Life client, translating its menu options and keyboard shortcuts into local dialects, and this localized client could report ”valuable usage metrics, enabling detailed measures of effects.” If you want to know whether your message is getting out, just look at the statistics of how many people play the game and for how long.

As for the messages themselves, those would appear within the Second Life world. ”HBGary can develop an in-world advertising company, securing small plots of virtual land in attractive locations, which can be used to promote themes using billboards, autonomous virtual robots, audio, video, and 3D presentations,” said the doc.u.ment.

They could even make a little money while they're at it, by creating ”original marketable products to generate self-sustaining revenue within the virtual s.p.a.ce as well as promote targeted messaging.”

We found no evidence that SOCOM adopted the proposal.

But HBGary Federal's real interest had become social media like Facebook and Twitter-and how they could be used to explore and then penetrate secretive networks. And that was exactly what the Air Force wanted to do.

Fake Facebook friends In June 2010, the government was expressing real interest in social networks. The Air Force issued a public request for ”persona management software,” which might sound boring until you realize that the government essentially wanted the ability to have one agent run multiple social media accounts at once.

It wanted 50 software licenses, each of which could support 10 personas, ”replete with background, history, supporting details, and cyber presences that are technically, culturally and geographically consistent.”

The software would allow these 50 cyberwarriors to peer at their monitors all day and manipulate these 10 accounts easily, all ”without fear of being discovered by sophisticated adversaries.” The personas would appear to come from all over the world, the better to infiltrate jihadist websites and social networks, or perhaps to show up on Facebook groups and influence public opinion in pro-US directions.

As the cyberwarriors worked away controlling their 10 personas, their computers would helpfully provide ”real-time local information” so that they could play their roles convincingly.

<script>