Friday 20 June 2014

Dyreza Banker Trojan Seen Bypassing SSL

The Trojan, which is being called either Dyre or Dyreza by researchers, uses a technique known as browser hooking to intercept traffic flowing between the victim’s machine and the target Web site. The malware arrives in users’ inboxes through spam messages, many of which will look like messages from a financial institution. The list of targeted banks includes Bank of America, Natwest, Citibank, RBS and Ulsterbank. Researchers say that much of the activity from the Trojan so far is in the U.K.
When a victim opens the attached zip file in a spam message, the malware installs itself on the machine and then contacts a command-and-control server. Researchers at CSIS in Denmark located a couple of the C2 servers and discovered that one of them had an integrated money mule panel for several accounts in Latvia. The goal of the malware, of course, is to steal users’ credentials for online banking and other financial sites. Various banker Trojans go about this in different ways, and Dyreza’s creators decided to employ browser hooking to help defeat SSL.
“The traffic, when you browse the Internet, is being controlled by the attackers. They use a MiTM (Man in The Middle) approach and thus are able to read anything, even SSL traffic in clear text. This way they will also try to circumvent 2FA,” an analysis by Peter Kruse at CSIS says.
When users go to one of the targeted financial sites and attempt to log in, the data is intercepted by the malware and sent directly to the attackers. Victims would not have any visual cues that their data is being siphoned off, or that the malware is redirecting their traffic to a domain controlled by the attackers, where it is no longer encrypted.
“Here’s the kicker. All of this should be encrypted and never seen in the clear. By using a sleight of hand, the attackers make it appear that you’re still on the website and working as HTTPS. In reality your traffic is redirected to the attackers page,” another analysis by Ronnie Tokazowski of PhishMe says.
“To successfully redirect traffic in this manner, the attackers need to be able to see the traffic prior to encryption, and in the case of browsers, this is done with a technique called browser hooking. No DNS queries were performed for the c1sh Bank of America domain, suggesting the attackers simply appended this to the Host field in the network traffic.”
The Dyreza malware has the ability to hook Google Chrome, Mozilla Firefox and Internet Explorer.
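The analysts above noted that no DNS query was ever seen for the bank domain that appeared in the Host field, which gives defenders a concrete thing to hunt for in their own logs. The following added example (not code from the article or from the CSIS/PhishMe analyses) correlates DNS answers with later HTTP requests from the same client and flags a Host header that was never resolved, or whose destination IP is not one DNS returned; the log formats and the example-bank.test names are constructed for the demonstration, and timing and DNS cache TTLs are ignored for brevity.

```python
"""Flag HTTP requests whose Host header does not match what DNS resolved.

Added example, not part of the original article. Log formats are constructed:
DNS line:  <timestamp> <client_ip> <rr_type> <name> <answer_ip>
HTTP line: <timestamp> <client_ip> <dst_ip> <host_header> <path>
"""
from collections import defaultdict

# Constructed sample logs for one client. The first request is normal; the
# next two carry a bank Host header towards an IP that DNS never returned,
# and the last uses a subdomain the client never looked up at all.
DNS_LOG = [
    "2014-06-20T09:00:01 10.0.0.5 A www.example-bank.test 198.51.100.10",
    "2014-06-20T09:00:02 10.0.0.5 A www.example-bank.test 198.51.100.11",
]
HTTP_LOG = [
    "2014-06-20T09:00:03 10.0.0.5 198.51.100.10 www.example-bank.test /login",
    "2014-06-20T09:05:00 10.0.0.5 203.0.113.7 www.example-bank.test /login",
    "2014-06-20T09:06:00 10.0.0.5 203.0.113.7 c1sh.example-bank.test /login",
]


def parse_dns(lines):
    """Map (client_ip, hostname) -> set of IPv4 answers seen for that client."""
    answers = defaultdict(set)
    for line in lines:
        _ts, client, rr_type, name, ip = line.split()
        if rr_type == "A":
            answers[(client, name.lower().rstrip("."))].add(ip)
    return answers


def find_unresolved_hosts(dns_lines, http_lines):
    """Return (timestamp, host, dst_ip, reason) for each suspicious request.

    A Host header the client never resolved, or one sent to an address DNS
    did not return for it, is consistent with a Host value being injected
    into the request rather than produced by normal browsing.
    """
    answers = parse_dns(dns_lines)
    findings = []
    for line in http_lines:
        ts, client, dst_ip, host, _path = line.split()
        resolved = answers.get((client, host.lower().rstrip(".")))
        if not resolved:
            findings.append((ts, host, dst_ip, "no DNS answer for Host"))
        elif dst_ip not in resolved:
            findings.append((ts, host, dst_ip, "destination not among DNS answers"))
    return findings
```

Run against real Zeek or proxy logs, the same join would also need the DNS answer to precede the request and still be within its TTL; those refinements are left out here.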

Spying Together: Germany's Deep Cooperation with the NSA

Cooperation between Germany's foreign intelligence service, the BND, and America's NSA is deeper than previously believed. German agents appear to have crossed into constitutionally questionable territory.
Three months before Edward Snowden shocked the world with his revelations, members of NSA's "Special Source Operations department" sat down for a weekly meeting at their headquarters in the US state of Maryland. The group, considered internally to be particularly efficient, has several tasks, one of which is overseeing the intelligence agency's delicate relationship with large telecommunications firms. It is the department that Snowden referred to as the "crown jewels" of the NSA.
At this particular meeting, one significant slip-up was on the meeting agenda. On March 14, 2013, an SSO member had reported a potentially damaging incident. "Commercial consortium personnel" had apparently discovered the program "Wharpdrive," for which SSO had tapped a fiber-optic cable. "Witting partner personnel have removed the evidence," he explained further, "and a plausible cover story was provided." According to an internal NSA document to which SPIEGEL has access, a team was quietly put together to reinstall the program. The NSA, apparently, did not perform the highly sensitive operation on its own. All signs indicate that the agency had help from Germany's Bundesnachrichtendienst (BND), the country's foreign intelligence agency. The code name Wharpdrive appears in a paper drafted in preparation for a BND delegation's visit to NSA headquarters in Fort Meade, and which instructs NSA leaders to "thank the BND for their assistance with the trilateral program." It also makes clear that the German agency plays a leadership role in the Wharpdrive program, with the NSA providing only technical assistance.
It isn't clear from the document exactly where the BND and NSA accessed the fiber-optic cable nor is there any indication of the operation's target. Neither agency responded to questions about Wharpdrive. What appears obvious, however, is that the BND cooperates closely with NSA in one of its most sensitive areas of operation.

Germany's collaboration with US intelligence, which Berlin officials agreed to in the wake of the Sept. 11, 2001 terror attacks, is opaque and convoluted: opaque because the German parliament and public are unable to review most of what is delivered to the United States; convoluted because there are questions about its legality.
Constitutionally Unacceptable
Leading constitutional law experts have their doubts. In testimony before the NSA investigation committee in the Bundestag, Germany's parliament, heavyweight constitutional law experts Hans-Jürgen Papier, Wolfgang Hoffmann-Riem and Matthias Bäcker stated that the BND is potentially violating the German constitution by working with data received from the NSA. Furthermore, they argued that basic constitutional rights such as the privacy of correspondence, post and telecommunications apply to Germans abroad and to foreigners in Germany. That would mean that surveillance performed by the BND and NSA is constitutionally unacceptable.
German intelligence agencies, for their part, consider their cooperation with the NSA to be indispensable -- for counter-terrorism efforts, for the fight against the proliferation of weapons of mass destruction and for the battle against organized crime. According to a classified paper created by the government in response to a query from the opposition, the BND does not keep official statistics on the amount of telephone, email and text message metadata that is shuttled to American agencies. "All metadata" collected at the NSA site in Bad Aibling in Bavaria "is made available," the response states. In 2012 and 2013, some 3 million items of content data, or intercepted conversations and messages, were sent to the United States each month.
These facts and figures, until now available only to select parliamentarians, offer a window into German-American intelligence cooperation. Documents SPIEGEL has seen from the archive of whistleblower Edward Snowden, when combined with SPIEGEL's own reporting, open up a much broader panorama.
They show that the exchange of data, spying tools and know-how is much more intense than previously thought. Given this close partnership, BND statements claiming they knew little about the programs and methods used by the NSA are, at minimum, startling.
One location in Germany is particularly illustrative of the trans-Atlantic pact. It is located in the Alpine foothills, in the beautiful valley of Mangfalltal. For decades, the NSA maintained its largest listening post in Germany in Bad Aibling, population 18,000. The agency once had up to 1,800 workers stationed here: They frequented Chicken Joe, a bar near the American base, and Johnny's Bowling. And they cruised through town in American off-road vehicles sporting US license plates.
The Americans' affection for the town can be seen in "A Little Bad Aibling Nostalgia," a document that NSA employees posted on the agency's intranet. They reminisced wistfully about "free bier" emails and leberkäse, a bologna-like substance "made neither of liver nor cheese." German locals were fond of the agents, in part because they were reliable tenants. "Two men who specialized in Arabic dialects lived at my place," recalled jeweler Max Regensburger. "Nice people." Everyone, from baker to butcher to carpenter, profited from the Americans. When they left the base in 2004, Bad Aibling residents waved American flags in farewell.
The Tin Can
But the NSA did not completely abandon Bad Aibling. The BND took over most of the facilities on site, including nine white Radomes, the oversized golf ball-like structures crucial to many surveillance operations. But one small NSA special unit remained active and joined BND agents in the Mangfall Kaserne. The Americans built a specially constructed windowless building with an exterior of black-painted metal.
BND agents refer to the American complex, which houses the "Special US Liaison Activity Germany," or SUSLAG, as the "Tin Can." The unit's very existence is classified information. But it is clear that the Germans and Americans who work there know each other and value one another's presence.
The official nature of the cooperation between Germany and the US in Bad Aibling is documented in a contract, written two years prior to the NSA's official departure, drafted under the auspices of then-Chancellery Chief of Staff Frank-Walter Steinmeier, now Germany's foreign minister. The "Memorandum of Agreement," signed on April 28, 2002, is six pages long and marked Top Secret. It is not from Snowden's material.
Much of the document consists of broad declarations of "good cooperation," but the important points can be found in the 74-page appendix. There, the two sides agree on joint espionage areas and targets, such as counter-terrorism, and the battles against organized crime and proliferation of weapons of mass destruction.
Surveillance as such isn't mentioned, at least initially. The treaty signatories, instead, commit to respecting fundamental rights such as the privacy of correspondence, post and telecommunications and agree not to conduct surveillance on German or American citizens. The deal is valid both for "real" and "legal entities," meaning it applies to companies and associations as well.
But even in this memorandum, the crux is in the small print -- the addenda and exceptions. In the case of "terrorist activity," the taboos mentioned earlier no longer apply. Should it become clear that intercepted information originated from a German citizen, it can still be used as long as the partner agency is informed and agrees. The same is true in cases where the end point of monitored communications is located in a foreign country.
'Exciting Joint Ventures'
According to the German constitution, the BND is not allowed to perform surveillance on German citizens. But does the memorandum's small print open up a back door? Does the NSA provide information about radicals that the German intelligence agency is not permitted to have access to?
The BND denies the existence of such channels and says, "At no time has there been a deviation from the legal framework."
It seems doubtful that the Germans know exactly what their NSA colleagues are doing in Bad Aibling. According to the agreement, the NSA is allowed to carry out its own surveillance operations and only has to allow the German partners to look at its task assignments and operational details if asked. In any case, internal documents indicate that the NSA is pleased with the Bad Aibling facility. "Two exciting joint ventures" are carried out there. One involves teams for working on joint surveillance (referred to as "Joint SIGINT Activity") and the other for the analysis of captured signals (Joint Analysis Center or JAC). Snowden's documents hint at what precisely the trans-Atlantic allies were collaborating on. In 2005, for example, five NSA employees worked "side-by-side" with BND analysts on a BND operation called Orion. Its targets lay outside NATO's eastern border.
According to the documents, most of the targets monitored jointly by the BND and NSA are in Africa and Afghanistan. One document, though, reveals something else. Stemming from 2009, it includes a list of companies and organizations with domain endings such as .com, .net and .org that are explicitly to be removed from the surveillance efforts because they are German web addresses. Among them are basf.com and bundeswehr.org, but also such domains as orgelbau.com and feuerwehr-ingolstadt.org.