DuQu Mystery Language Solved With the Help of Crowdsourcing

A group of researchers who recently asked the public for help in figuring out a mysterious language used in the DuQu virus have solved the puzzle, thanks to crowdsourcing help from programmers who wrote in to offer suggestions and clues.

The language, which DuQu used to communicate with command-and-control servers, turns out to be a special type of C code compiled with the Microsoft Visual Studio Compiler 2008.

Researchers at Kaspersky Lab, who put out the call for help two weeks ago after failing to figure out the language on their own, said they received more than 200 comments to a blog post they wrote seeking help, and more than 60 direct emails from programmers and others who made suggestions.

DuQu, an espionage tool that followed in the wake of the infamous Stuxnet code, had been analyzed extensively since its discovery last year. But one part of the code remained a mystery – an essential component of the malware that communicates with command-and-control servers and has the ability to download additional payload modules and execute them on infected machines.

Kaspersky researchers were unable to determine the language in which the communication module was written and published a blog post asking programmers for help. Identification of the language would help them build a profile of DuQu’s authors.

While other parts of DuQu were written in the C++ programming language and were compiled with Microsoft’s Visual C++ 2008, this part was not. Kaspersky also ruled out Objective C, Java, Python, Ada, Lua and many other languages they knew.

Most commenters who wrote in response to Kaspersky’s plea thought the code was a variant of LISP, but the reader who led them in the right direction was a commenter who identified himself as Igor Skochinsky and wrote in a thread posted to Reddit.com that he was certain the code was generated with the Microsoft Visual Studio Compiler and offered some cogent reasons why he believed this. Two other people who sent Kaspersky direct emails made crucial contributions when they suggested that the code appeared to be generated from a custom object-oriented C dialect — referred to as OO C — using special extensions.

This led the researchers to test various combinations of compiler and source codes over a few days until they found the right combination that produced binary that matched the style in DuQu.

The magic combination was C code compiled with Microsoft Visual Studio Compiler 2008 using the /O1 and /Ob1 compiler options to keep the code small.

“Visual C can optimize for speed and it can optimize for size, or it can do some kind of balance between the two,” says Costin Raiu, director of Kaspersky’s Global Research and Analysis Team. “But they wanted obviously the smallest possible size of code” to get it onto victim machines via an exploit.

A custom framework allowed DuQu’s authors to meld C code with object-oriented programming.

The use of object-oriented C to write the event-driven code in DuQu reveals something about the programmers who coded this part of DuQu – they were probably old-school coders, Kaspersky’s researchers say. The programming style is uncommon for malware and is more commonly found in professionally-produced commercial software created ten years ago, Raiu says. The techniques make DuQu stand out “like a gem from the large mass of ‘dumb’ malicious program we normally see,” the Kaspersky researchers note.

The idea that the coders are “old school” is also supported by their use of C over the more modern C++ language. Some commenters told Kaspersky that coders who were actively programming a decade ago didn’t like C++ because, when compiled, it was known to produce code that could be unpredictable.

“When you write C code, you can be sure that the program will be executed the way you intend it to,” Raiu says. “With C++ it’s a bit different. In C++ you have some language features, for instance constructors, which will be executed transparently by the language. So you will never code a constructor directly. Instead, the compiler codes the constructor for you [and] basically you lose control of the whole thing. You can’t be sure that your code will be executed in the way intended.”

It suggests that whoever coded this part of DuQu was conservative, precise, and wanted 100 percent assurance that the code would work the way they wanted it to work.
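The “object-oriented C” style the article describes (a custom framework melding C with object-oriented programming, and constructors that the programmer writes and calls explicitly rather than letting the compiler generate them) is easiest to understand from a small sample. The following is an added illustration written for this page; it is not DuQu code, nor Kaspersky’s reconstruction, and every name in it (handler, handler_vtbl, logging_handler, run_events, demo_dispatch, the event type codes) is hypothetical. It shows the two things an analyst would look for when recognising this style in a binary: an object whose first field points to a hand-written table of function pointers, and an event loop that dispatches through that table.

```c
#include <stdio.h>
#include <string.h>

/* Event passed through the dispatcher. Type codes are constructed for this example. */
struct event {
    int type;             /* 1 = data event, 2 = shutdown event (hypothetical codes) */
    const char *payload;
};

struct handler;  /* forward declaration so the vtable can refer to it */

/* Hand-written "vtable": the OO-C equivalent of a C++ class with virtual methods.
   Because it is an explicit struct, nothing is generated behind the programmer's back. */
struct handler_vtbl {
    const char *name;
    int  (*handle)(struct handler *self, const struct event *ev);
    void (*destroy)(struct handler *self);
};

/* "Base class": every object starts with a pointer to its vtable. In a disassembler
   this shows up as a pointer-to-function-table stored in the object's first field. */
struct handler {
    const struct handler_vtbl *vtbl;
    int events_seen;
};

/* "Derived class": the base struct is embedded first so a struct handler* can alias it. */
struct logging_handler {
    struct handler base;
    char last_payload[64];
};

static int logging_handle(struct handler *self, const struct event *ev)
{
    struct logging_handler *lh = (struct logging_handler *)self;
    self->events_seen++;
    if (ev->type == 1 && ev->payload) {
        strncpy(lh->last_payload, ev->payload, sizeof lh->last_payload - 1);
        lh->last_payload[sizeof lh->last_payload - 1] = '\0';
        return 0;                     /* handled, keep going */
    }
    return ev->type == 2 ? 1 : -1;    /* 1 = stop dispatching, -1 = unknown event */
}

static void logging_destroy(struct handler *self)
{
    (void)self;  /* nothing heap-allocated in this example */
}

static const struct handler_vtbl logging_vtbl = {
    "logging", logging_handle, logging_destroy
};

/* Explicit "constructor": written and called by the programmer, which is the
   control over execution that the article's quote contrasts with C++. */
void logging_handler_init(struct logging_handler *lh)
{
    lh->base.vtbl = &logging_vtbl;
    lh->base.events_seen = 0;
    lh->last_payload[0] = '\0';
}

/* Event loop: dispatches each event through the vtable and stops on a shutdown
   event. Returns the number of events actually delivered to the handler. */
int run_events(struct handler *h, const struct event *evs, int n)
{
    int delivered = 0;
    for (int i = 0; i < n; i++) {
        delivered++;
        int rc = h->vtbl->handle(h, &evs[i]);
        if (rc == 1)
            break;
    }
    h->vtbl->destroy(h);
    return delivered;
}

/* Drives a handler over a fixed, constructed event stream and reports what it saw. */
int demo_dispatch(char *last_payload_out, size_t out_len)
{
    struct logging_handler lh;
    logging_handler_init(&lh);
    const struct event stream[] = {
        {1, "hello"},
        {1, "world"},
        {2, NULL},              /* shutdown: dispatch stops here */
        {1, "never delivered"},
    };
    int delivered = run_events(&lh.base, stream, 4);
    if (last_payload_out && out_len)
        snprintf(last_payload_out, out_len, "%s", lh.last_payload);
    return delivered;
}

int main(void)
{
    char buf[64];
    int n = demo_dispatch(buf, sizeof buf);
    printf("delivered %d events, last payload '%s'\n", n, buf);
    return 0;
}
```

Compiled with the options the article names (cl /O1 /Ob1 on Visual Studio 2008), the vtable becomes a small constant table of function addresses and the dispatch loop an indirect call through the object's first field, which is the pattern that the researchers had to match against the DuQu module.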

But there was one other reason DuQu’s old-school programmers might have preferred C over C++ — its versatility. When C++ was initially developed, it was not standardized and wouldn’t compile in every compiler. C was more flexible. DuQu was delivered to Windows machines using a Microsoft Word zero-day exploit. But Raiu thinks DuQu’s programmers might have chosen C because they wanted to make sure that their code could be compiled with any compiler on any platform, suggesting they were thinking ahead to other ways in which their code might be used.

“Obviously when you create such a complex espionage tool, you take into account that maybe some day you will run it on servers, maybe you will want to run it on mobile phones or God knows what other devices, so you just want to make sure your code will work everywhere,” he says.

The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say)

Photo: Name Withheld; Digital Manipulation: Jesse Lenz

The spring air in the small, sand-dusted town has a soft haze to it, and clumps of green-gray sagebrush rustle in the breeze. Bluffdale sits in a bowl-shaped valley in the shadow of Utah’s Wasatch Range to the east and the Oquirrh Mountains to the west. It’s the heart of Mormon country, where religious pioneers first arrived more than 160 years ago. They came to escape the rest of the world, to understand the mysterious words sent down from their god as revealed on buried golden plates, and to practice what has become known as “the principle,” marriage to multiple wives.


Today Bluffdale is home to one of the nation’s largest sects of polygamists, the Apostolic United Brethren, with upwards of 9,000 members. The brethren’s complex includes a chapel, a school, a sports field, and an archive. Membership has doubled since 1978—and the number of plural marriages has tripled—so the sect has recently been looking for ways to purchase more land and expand throughout the town.

But new pioneers have quietly begun moving into the area, secretive outsiders who say little and keep to themselves. Like the pious polygamists, they are focused on deciphering cryptic messages that only they have the power to understand. Just off Beef Hollow Road, less than a mile from brethren headquarters, thousands of hard-hatted construction workers in sweat-soaked T-shirts are laying the groundwork for the newcomers’ own temple and archive, a massive complex so large that it necessitated expanding the town’s boundaries. Once built, it will be more than five times the size of the US Capitol.

Rather than Bibles, prophets, and worshippers, this temple will be filled with servers, computer intelligence experts, and armed guards. And instead of listening for words flowing down from heaven, these newcomers will be secretly capturing, storing, and analyzing vast quantities of words and images hurtling through the world’s telecommunications networks. In the little town of Bluffdale, Big Love and Big Brother have become uneasy neighbors.

The NSA has become the largest, most covert, and potentially most intrusive intelligence agency ever.

Under construction by contractors with top-secret clearances, the blandly named Utah Data Center is being built for the National Security Agency. A project of immense secrecy, it is the final piece in a complex puzzle assembled over the past decade. Its purpose: to intercept, decipher, analyze, and store vast swaths of the world’s communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks. The heavily fortified $2 billion center should be up and running in September 2013. Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital “pocket litter.” It is, in some measure, the realization of the “total information awareness” program created during the first term of the Bush administration—an effort that was killed by Congress in 2003 after it caused an outcry over its potential for invading Americans’ privacy.

But “this is more than just a data center,” says one senior intelligence official who until recently was involved with the program. The mammoth Bluffdale center will have another important and far more secret role that until now has gone unrevealed. It is also critical, he says, for breaking codes. And code-breaking is crucial, because much of the data that the center will handle—financial information, stock transactions, business deals, foreign military and diplomatic secrets, legal documents, confidential personal communications—will be heavily encrypted. According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: “Everybody’s a target; everybody with communication is a target.”

For the NSA, overflowing with tens of billions of dollars in post-9/11 budget awards, the cryptanalysis breakthrough came at a time of explosive growth, in size as well as in power. Established as an arm of the Department of Defense following Pearl Harbor, with the primary purpose of preventing another surprise assault, the NSA suffered a series of humiliations in the post-Cold War years. Caught off guard by an escalating series of terrorist attacks—the first World Trade Center bombing, the blowing up of US embassies in East Africa, the attack on the USS Cole in Yemen, and finally the devastation of 9/11—some began questioning the agency’s very reason for being. In response, the NSA has quietly been reborn. And while there is little indication that its actual effectiveness has improved—after all, despite numerous pieces of evidence and intelligence-gathering opportunities, it missed the near-disastrous attempted attacks by the underwear bomber on a flight to Detroit in 2009 and by the car bomber in Times Square in 2010—there is no doubt that it has transformed itself into the largest, most covert, and potentially most intrusive intelligence agency ever created.

In the process—and for the first time since Watergate and the other scandals of the Nixon administration—the NSA has turned its surveillance apparatus on the US and its citizens. It has established listening posts throughout the nation to collect and sift through billions of email messages and phone calls, whether they originate within the country or overseas. It has created a supercomputer of almost unimaginable speed to look for patterns and unscramble codes. Finally, the agency has begun building a place to store all the trillions of words and thoughts and whispers captured in its electronic net. And, of course, it’s all being done in secret. To those on the inside, the old adage that NSA stands for Never Say Anything applies more than ever.

Senators Demand DOJ Release Secret Spy Court Rulings

Photo: Urban Don/Flickr

Two Democratic senators urged the Obama administration Thursday to declassify secret court rulings that give the government far wider domestic spying powers under the Patriot Act than intended. The 10-year-old measure, hastily adopted in the wake of the 2001 terror attacks, grants the government broad surveillance powers with little oversight that can be used domestically. While much has been written and debated about the bill’s powers and efficacy, there’s evidently much more going on than the public knows. A secret tribunal known as the Foreign Intelligence Surveillance Act Court has issued classified rulings about the Patriot Act that U.S. Senator Ron Wyden (D-Oregon) and Sen. Mark Udall (D-Colorado) say expand the government’s surveillance powers even more.

Sen. Ron Wyden. Photo: Courtesy Sen. Wyden

At issue, the lawmakers said, is section 215 of the Patriot Act. The sweeping power, one of the most controversial in the law, allows the secret FISA court to authorize broad warrants for most any type of record, including those held by banks, internet companies, libraries and doctors. The government does not have to show a connection between the items sought under a section 215 warrant and a suspected terrorist or spy: the authorities need only assert that the documents would be relevant to an investigation. Those who receive such an order are not allowed to tell anyone, ever, that such records were requested.

The senators, in a letter to Attorney General Eric Holder, wrote: “We believe most Americans would be stunned to learn the details of how these secret court opinions have interpreted section 215 of the Patriot Act. As we see it, there is now a significant gap between what most Americans think the law allows and what the government secretly claims the law allows. This is a problem, because it is impossible to have an informed public debate about what the law should say when the public doesn’t know what its government thinks the law says.”

The senators know of the classified rulings and accompanying legal interpretations because the government briefed some members of intelligence committees in February 2011. But the government has no plans to declassify and publicize the opinions and the interpretations of them.

The administration claims “disclosure could be expected to cause exceptionally grave damage to the national security of the United States,” Arnetta Mallory, the Justice Department’s declassification director, said in a court filing (.pdf) weeks ago in an attempt to beat back Freedom of Information Act lawsuits brought by the American Civil Liberties Union and The New York Times. Mallory added:
The withheld material contains specific descriptions of the manner and means by which the United States government acquires tangible things for certain authorized investigations pursuant to Section 215. As such, the withheld information describes highly sensitive intelligence activities, sources and methods. Disclosure of this information would provide our adversaries and foreign intelligence targets with insight into the United States government’s foreign intelligence collection capabilities, which in turn could be used to develop the means to degrade and evade those collection capabilities.
The senators’ two-page letter blasts the government’s position in the FOIA cases, saying its reasoning amounts to a “chilling” argument to classify all federal surveillance law.

Sen. Mark Udall. Photo: Wikipedia

“The crux of the Justice Department’s argument for keeping the official interpretation of the law secret is that this secrecy prevents U.S. adversaries from understanding exactly what intelligence agencies are allowed to do. We can see how tempting to latch on to this chilling logic, but we would know that it would then follow that all of America’s surveillance laws should be secret, because that would make it even harder to guess how the United States government collects information.”

The FISA court, set up in 1978, issues warrants for domestic surveillance that are unlike the warrants issued in criminal investigations. The secret court warrants, under the authority of the Foreign Intelligence Surveillance Act, grant the government broad authority to secretly monitor the electronic communications of persons in the United States, generally for intelligence purposes only. The targets of a FISA warrant may never learn of the surveillance, whereas subjects of criminal eavesdropping warrants are informed of the tap eventually and may challenge the warrants and the evidence gathered if it is used in a criminal prosecution.

Meanwhile, the secret court approved all 1,506 government requests to electronically monitor suspected “agents” of a foreign power or terrorists on U.S. soil in 2010, according to the latest Justice Department report released under the Freedom of Information Act.

Real-Name Registration Threatens the Lively World of China’s Microblogs

The timeline on Sina Weibo, China’s popular Twitter-like service, is filled with pithy comments about “Beijing Fashion Week,” chronicling the comings and goings and sartorial choices of the elite. But the commenters aren’t fashionistas, and they aren’t talking about supermodels or design stars. They are referring, in not-so-secret code, to Communist Party officials. “Beijing Fashion Week” is a thinly veiled, sarcastic commentary on the Communist Party’s annual summit, now under way in the nation’s capital. And many of the assembled are making it easy to be ridiculed by showing up in luxury garb — a far cry from the staid image they aspire to project.

Yes, there are scattered, unabashed criticisms of the elite on Sina Weibo, China’s most popular and active microblog service. But subterfuge like “Beijing Fashion Week” helps China’s netizens feel safer about mocking the country’s all-powerful ruling class. It’s becoming a familiar dodge on Sina Weibo, which functions similarly to Twitter and invites quick, frequent updates — but unlike Twitter, the bulk of whose members are in the United States, does not operate in a country where political speech is protected.

And all this may change in the face of a new, more stringent policy designed to clamp down on free expression where other methods have been less successful. In a move to exert greater control on citizen speech online, the government is requiring that Sina Weibo and China’s other microblogs register the real names and identification cards of users in several cities. Those who do not register this week in many major cities like Beijing will not be allowed to share or forward posts; after a period of testing, the policy will go into effect nationwide.

Microblogs caught fire in China just as they did in the US: more than half of the nation’s 500 million internet users have accounts. Like Twitter, China’s microblogs play host to lively discussions, with pop stars, professors and even government officials and police officers logging on daily to talk about a wide variety of topics. Most posts are apolitical and trivial: cute cats, celebrity gossip and the latest in “Linsanity.”

Since microblogs operate within the bounds of the Great Firewall, they are subject to highly sophisticated and nuanced forms of censorship recently chronicled in a Carnegie Mellon study on Sina Weibo. Censorship depends on a combination of search algorithms and hundreds, if not thousands, of people actively looking for violations. If you post about a topic deemed sensitive, it could be taken down swiftly, and without explanation. If you search for a sensitive topic, you will get a terse message notifying you that “Due to relevant laws, regulations and policies, search results are not displayed.”

Despite these challenges, many still make efforts to post critical messages, which are scattered amidst the plethora of apolitical posts. Clever users rely on code words, pictures, image-based text and viral memes that evade the keyword algorithms and pass undetected under the watchful eyes of censors. Last year, for instance, when the bearded artist Ai Weiwei was detained by authorities and made headlines in the West, his name was quickly scrubbed from posts and searches within China. But just as quickly, many slapped his recognizable face and iconic sunflower seeds on their profile pictures and in viral memes. The images — which search algorithms cannot detect and which are remixed too quickly for most human censors to catch — continue to appear online.

Most famously, after the high-speed rail collision this past July in Wenzhou, netizens organized online to demand transparency in the investigations. In previous years, the incident may have been quickly swept under the rug by state-controlled media. But with the advent of microblogs, the topic trended for days thanks to startling pictures and viral memes. Top officials from the Ministry of Railways were sacked and the party was forced to issue an investigative report on the crash.

And not all the criticism is directed at the Communist Party. For example, after multiple failed attempts to contact Siemens about a defective refrigerator, blogger Luo Yonghao invited his followers on Weibo to rally around a public smashing of his refrigerator in front of the Siemens corporate office. Indeed, Sina Weibo and other microblog services have opened up a space for public discussion that rarely exists anywhere else in China, a country where police quickly suppress public assembly and the state has final say on all media publications.

All of this may change in the face of real-name registration, a new, more stringent policy designed to clamp down on free expression where other methods have been less successful. We have no doubt that netizens will find creative ways to circumvent the chilling effect of this policy. Many have already begun discussing possible strategies. Even so, real-name registration will almost certainly limit the spread of politically sensitive messages, as it will be easy to trace their origin.

Even worse: the policy also threatens the vast majority of people who are not aware of or do not engage in political commentary. Just as many Facebook users now think twice about what they share online — even if not particularly controversial — real-name registration may dampen the fun of microblogs as a casual place to let out some steam and relax with relative anonymity. Microblogs have become a particularly lively, important and rare forum of public discussion in China. Real-name registration threatens this. And that is a major cause of concern for anyone hoping for a more free and open internet here.

FBI Can’t Crack Android Pattern-Screen Lock

Pattern-screen locks on Android phones are secure, apparently so much so that they have stumped the Federal Bureau of Investigation. The bureau claims in federal court documents that forensics experts performed “multiple attempts” to access the contents of a Samsung Exhibit II handset, but failed to unlock the phone. An Android device requires the handset’s Google e-mail address and its accompanying password to unlock the handset once too many wrong swipes are made. The bureau is seeking that information via a court-approved warrant to Google in order to unlock a suspected San Diego-area prostitution pimp’s mobile phone. (For details on the pimp investigation, check out Ars Technica’s story on the case.)

Locking down a phone is even more important today than ever because smart phones store so much personal information. What’s more, many states, including California, grant authorities the right to access a suspect’s mobile phone, without a warrant, upon arrest for any crime. Forensic experts and companies in the phone-cracking space agreed that the Android passcode locks can defeat unauthorized intrusions. “It’s not unreasonable they don’t have the capability to bypass that on a live device,” said Dan Rosenberg, a consultant at Boston-based Virtual Security Research.

A San Diego federal judge days ago approved the warrant upon a request by FBI Special Agent Jonathan Cupina. The warrant was disclosed Wednesday by security researcher Christopher Soghoian. In a court filing (.pdf), Cupina wrote:
Failure to gain access to the cellular telephone’s memory was caused by an electronic ‘pattern lock’ programmed into the cellular telephone. A pattern lock is a modern type of password installed on electronic devices, typically cellular telephones. To unlock the device, a user must move a finger or stylus over the keypad touch screen in a precise pattern so as to trigger the previously coded un-locking mechanism. Entering repeated incorrect patterns will cause a lock-out, requiring a Google e-mail login and password to override. Without the Google e-mail login and password, the cellular telephone’s memory can not be accessed. Obtaining this information from Google, per the issuance of this search warrant, will allow law enforcement to gain access to the contents of the memory of the cellular telephone in question.
Rosenberg, in a telephone interview, suggested the authorities could “dismantle a phone and extract data from the physical components inside if you’re looking to get access.” However, that runs the risk of damaging the phone’s innards and preventing any data recovery. Linda Davis, a spokeswoman for forensics-solutions company Logicube of suburban Los Angeles, said law enforcement is a customer of its CellXtract technology, which it advertises as a means to “fast and thorough forensic data extraction from mobile devices.” But that software, she said in a telephone interview, “is not going to work” on a locked device.

All of which is another way of saying those Android screen locks are a lot stronger than one might suspect. It was not immediately clear whether the iPhone’s locking system is as powerful as its Android counterpart. But the iPhone’s passcode has been defeated with simple hacks, the latest of which was revealed in October 2010.

Clearly, the bureau is none too happy about having to call in Google for help. The warrant requires Google to turn over Samsung’s “default code” in “verbal” or “written instructions for overriding the ‘pattern lock’ installed on the Samsung model SGH-T679.” Google spokesman Chris Gaither would not say if Google would challenge any aspect of the warrant. Google, he said, does not comment on “specific cases.” “Like all law-abiding companies, we comply with valid legal process. Whenever we receive a request we make sure it meets both the letter and spirit of the law before complying,” he said in an e-mail. “If we believe a request is overly broad, we will seek to narrow it.”

Photo: Mike Dent/Flickr