Feeds

NSA's TURBINE robot can pump 'malware into MILLIONS of PCs'

Sysadmins, routers, criminals' IRC botnets, and maybe terrorists, all for the pwning

Beginner's guide to SSL certificates

Inside Uncle Sam's malware war chest

The Snowden documents show that the TAO team now has access to a very sophisticated toolkit for implanting trackers on systems, and how the methods of spreading the code have evolved to match consumer behavior.

A 2012 presentation complains that the traditional method of infection, spamming out infected attachments, was only achieving a one per cent success rate because people are getting smarter about avoiding potentially malicious downloads. To get around this, the agency switched to browser attacks, which it said upped success rates to 80 per cent in some cases.

Targets visiting certain websites were redirected to an NSA WILLOWVIXEN server, allowing software called FOXACID to find a browser vulnerability and exploit this to compromise the PC or handheld. The documents claim that a fake Facebook server was set up for this purpose and used to distribute malware dubbed QUANTUMHAND, which went live in October 2010.

"If we can get the target to visit us in some sort of web browser, we can probably own them," a TAO team member reports in one document. "The only limitation is the 'how.'"

Other code, called SECONDDATE uses a man-in-the-middle attack to allow "mass exploitation potential for clients passing through network choke points, but is configurable to allow surgical target selection as well."

A 2010 presentation also gives details about the QUANTUM family of malware developed by the government for attacking systems. This includes code for the redirection of web traffic, controlling crooks' IRC botnets, hijacking DNS, and corrupting downloads.

Another malware system, called UNITEDRAKE, comes with a selection of plugins for different purposes, each with its own classification. The CAPTIVATEDAUDIENCE plugin will take over a system's microphone to record conversations, FOGGYBOTTOM will record internet history and login details, and SALVAGERABBIT copies the contents of any flash drives plugged into the machine.

The agency is well aware that antivirus companies are on the lookout for new and interesting malware samples, particularly after the Flame debacle. A NSA trojan dubbed VALIDATOR can be set with an automatic self-destruct sequence and delete itself from a target's system after a set period.

The madness is spreading

Despite efforts to limit the exposure of its systems to outside interest, the documents show that the NSA is aware that other governments are copying their techniques.

"Hacking routers has been good business for us and our 5-eyes partners for some time," notes one NSA analyst in a top-secret document dated December 2012. "But it is becoming more apparent that other nation states are honing their skillz [sic] and joining the scene."

This is already worrying security analysts, and was top of the agenda at last month's TrustyCon conference. F-Secure's malware research chief Mikko Hyppönen told the summit that so far government-developed malware was coming from Germany, Russia, China, and even Sweden, and there was a thriving trade by ethically challenged companies willing to develop malware for repressive regimes.

Similar concerns were echoed at the RSA 2014 conference, with the company's chairman Art Coviello calling for an international moratorium on attack code before the situation gets out of control. If government cyberattacks are normalized then the effects on the general public could be catastrophic, he noted, but there's no sign of a change of policy from the NSA.

"As the [US] President made clear on 17 January," the agency said in a statement, "signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes." ®

Updated to add

You may be interested to know that the NSA has responded to the claims first published by The Intercept.

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.