Microsoft Wields Its IP For Good, Cripples Botnet Via Trademark Litigation

from the ends-justifies-the-means? dept

Microsoft developed a bit of a reputation as a trademark bully during the early 00s, going after an Australian pillow manufacturer (for its polyester fiber "Microsoft" quilt) and a 17-year-old Canadian named Mike Rowe (for his MikeRoweSoft website business). It seems to have settled down on the bullying but it still wields its trademarks with considerable heft. Krebs on Security reports Microsoft recently leveraged its trademarks to severely cripple a botnet.

Microsoft Corp. has executed a coordinated legal sneak attack in a bid to disrupt the malware-as-a-service botnet Trickbot, a global menace that has infected millions of computers and is used to spread ransomware. A court in Virginia granted Microsoft control over many Internet servers Trickbot uses to plunder infected systems, based on novel claims that the crime machine abused the software giant’s trademarks. However, it appears the operation has not completely disabled the botnet.

Microsoft's request for a restraining order (which I haven't been able to locate yet) pointed out Trickbot infects and alters Microsoft products, which could cause users to believe Microsoft itself has zombiefied their device. This misattribution of source cause has the potential to cause harm to Microsoft's reputation and brands.

However, it doesn't appear Trickbot ever co-opts Microsoft's trademarks to present computer users with seemingly legitimate applications. Instead, it infects Windows systems, causing problems while hiding itself from victims. Microsoft's trademark argument is novel: there's no appropriation, just a lot of potential damage to its reputation from people unwittingly operating infected systems.

The order was granted and Microsoft now has control of some of the servers used by the malicious hackers. Others remain online but work has been done to mitigate future damage.

Microsoft’s action comes just days after the U.S. military’s Cyber Command carried out its own attack that sent all infected Trickbot systems a command telling them to disconnect themselves from the Internet servers the Trickbot overlords used to control them. The roughly 10-day operation by Cyber Command also stuffed millions of bogus records about new victims into the Trickbot database in a bid to confuse the botnet’s operators.

Microsoft's unusual trademark litigation isn't its only use of IP to battle a botnet. In a post about this operation/litigation, the company is also wielding its copyright in a more questionable manner.

This action also represents a new legal approach that our DCU [Digital Crimes Unit] is using for the first time. Our case includes copyright claims against Trickbot’s malicious use of our software code.

Microsoft probably knows something the rest of us don't, but using the information available, it's difficult to see how attacking a system with a malicious script "uses" Microsoft's software code. If this legal theory is granted credence by a judge, it will make it easier for companies (like… I don't know… Apple) to shut down hobbyists and enthusiasts who modify devices or programs containing copyrighted code to do things companies don't approve of. While it's great Microsoft is stepping up to shut down a botnet, it's not as great to see it willing to abuse IP law to get it done.

Filed Under: botnet, trademark, trickbot
Companies: microsoft

Chinese Hardware That Fueled Massive DYN BotNet Attack Still Poorly Secured Pieces Of Shit

from the interet-of-broken-things dept

Just about two years ago, you might recall that the internet partially imploded after DNS provider Dyn was hit with a historically massive DDOS attack. A major reason for the attack was the Mirai botnet malware, which made creating rampant botnets a pretty trivial affair for anybody with an IQ over 70. The other problem was that Mirai was able to quickly compromise and incorporate millions of internet of things devices as part of the assault thanks to said devices' lack of meaningful privacy and security protections.

That included a large number of DVRs and internet-connected cameras by a Chinese company by the name of XiongMai Technologies, which stated it would be recalling many of the devices after issuing a statement in rather broken English that didn't really make much sense:

"Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too."

Sure thing.

Fast forward several years, and you'll be shocked to learn that really nothing has changed at the company in terms of ensuring its cheap hardware can't be quickly compromised by hackers and thieves. Most of the fatal flaws remain in the company's products, including default login credentials, terrible GUIs that fail to show what the device is doing online, intentional backdoors, and pretty basic design flaws like the failure to prompt a password change during setup.

Worse, because XiongMai Technologies is a "white label vendor" whose hardware is often repackaged and resold under a universe of different brands, it's impossible for many to know if they even own these substandard products, notes activist and author Cory Doctorow:

"Xiongmai is a white-label vendor whose products are sold under hundreds of brand-names, making it nearly impossible to tell whether you are about to buy (or already own) one of their defective products...The most reliable way to determine if you own a Xiongmai product is to see if its control systems mention "XMEye." But even if you ditch your Xiongmai product, it's clear that the whole industry is a cesspool of flaming garbage devices, and there's probably not an alternative you can trust."

Of course Xiongmai is just one of several, similar Chinese IOT hardware vendors that pretty clearly couldn't give less of a shit about user privacy and security, or the fact these devices directly impact the health of the internet. SEC Consult has been not only issuing advisories surrounding Xiongmai and its universe of offshoot products, but also about a myriad of other, similarly-unaccountable hardware vendors like Shenzhen Gwelltimes Technology Co. All told we're talking about more than 9 million DVRs and cameras currently in use protected with the security equivalent of wet cardboard.

As security experts like Bruce Schneier keep pointing out, we're basically begging for a massive dumpster fire that could have dramatic and potentially even fatal repercussions. And the solution isn't just one thing or another, it's going to require a concerted, cross-sector collaborative effort that starts with integrating security and privacy warnings into product reviews, and naming and shaming vendors that pretty clearly don't think even the barest bones privacy and security standards are worth the time or money it takes to develop them.

Filed Under: botnet, china, cybersecurity, dyn, iot

FBI Tries New Rule 41 Changes On For Size In Fight Against Long-Running Botnet

from the one-warrant;-all-the-computers dept

The DOJ is proud to announce it's flexing its new Rule 41 muscle. The changes proposed in 2015 sailed past a mostly-uninterested Congress and into law, giving the FBI and other DOJ entities permission to hack computers anywhere in the world with a single warrant.

With the new rules, the law has finally caught up with the FBI's activities. It deployed a Network Investigative Tool -- the FBI's nifty nickname for intrusive malware that sends identifying info from people's computers to FBI investigators -- back in 2012 during a child porn investigation and mostly got away with it. It tried it again in 2015 and ran into a bit more resistance.

Rule 41's (former) jurisdictional limitations meant the FBI wasn't supposed to be able to "search" computers all over the US using a single warrant issued in Virginia. This activity was supposed to be confined to the state of Virginia. The aftermath of the Playpen investigation has led to a multitude of conflicting judicial opinions. Some have found the warrant invalid and the evidence obtained worthless. Others have granted good faith exceptions or determined no privacy violation took place. In at least one case, the government has dismissed the charges rather than expose any information about its Rule 41-flouting NIT.

In this case, the FBI isn't hacking computers to uncover child porn site visitors. Instead, it's going to be fiddling with a lot of computers to take down a botnet. The DOJ press release makes particular note of how lawful this all is now, post-Rule 41 amending:

In seeking authorization to disrupt and dismantle the Kelihos botnet, law enforcement obtained a warrant pursuant to recent amendments to Rule 41 of the Federal Rules of Criminal Procedure. A copy of this warrant along with the other court orders are produced below.   The warrant obtained by the government authorizes law enforcement to redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those computers as they connect to the server. This will enable the government to provide the IP addresses of Kelihos victims to those who can assist with removing the Kelihos malware including internet service providers.

The search warrant [PDF] application leads off with this as well, waving it in front of its unusual request like a wary vampire hunter's cross.

I make this affidavit in support of an application for a warrant under Federal Rule of Criminal Procedure 41 to authorize an online operation to disrupt the Kelihos botnet currently under the control of Peter Yuryevich LEVASHOV, a criminal hacker. The operation, which is particularly described in Attachment A and Attachment B, involves the distribution of updated peer lists, job messages and/or IP filter lists, further described in Attachment B, to the TARGET COMPUTERS currently infected with the Kelihos botnet malware in violation of Title 18, United States Code, Sections 1030, L343, and 2511, as described in Attachment A. This operation will also obtain the Internet Protocol addresses and associated routing information of those infected computers, and those addresses are evidence of crimes committed by LEVASHOV. A PRTT order has been requested for the purpose of attaining those IP addresses and associated routing information. This operation will not capture content from the TARGET COMPUTERS or modify them in any other capacity except limiting the TARGET COMPUTERS' ability to interact with the Kelihos botnet.

The intent here is to dismantle the botnet by freeing zombie computers. All well and good, except it's not the government pointing victims to malware removal tools, but rather letting themselves into the "house" to size up infections before passing this info on to third parties to actually perform the removals.

This new form of intrusion raised concerns in Congress, but the DOJ insisted the changes were innocuous and please let's all stop talking about this before someone stops the Rule 41 amendments slow roll to tacit approval.

Here it is in action: thousands of computers temporarily hosting digital G-men. We're in unknown territory right now with the FBI's anti-botnet work. The FBI itself doesn't even appear all that sure about the extent of its new Rule 41 powers. As is noted in the warrant, the FBI also applied for a Pen Register/Trap and Trace (PRTT) order [PDF] just in case.

Other than the three elements described above, federal law does not require that an application for an order authorizing the installation and use of a pen register and a trap and trace device specify any facts. The following additional information is provided to demonstrate that the order requested falls within this Court's authority to authorize the installation and use of a pen register or trap and trace device under 18 U.S.C. g 3123(a)(1).

This is the FBI basically saying the law doesn't require this application, but here it is anyway. A CYA PRTT for the interception of communications metadata that might help identify botnet victims. And for all its talismanic waving of Rule 41, the FBI isn't even sure it's really required to seek a warrant to perform this botnet cleanup. From the warrant affidavit:

To effectively combat the P2P structure of the Kelihos botnet, the FBI with assistance of private partners will participate in the exchange of peer lists and job messages with other infected computers. The FBI's communications, however, will not contain any commands, nor will they contain IP addresses of any of the infected computers. Instead, the FBI replies will contain the IP and routing information for the FBI's "sinkhole" server. As this new routing information permeates the botnet, the Kelihos infected computers will cease any current malicious activity and learn to only communicate with the sinkhole. The effect of these actions will be to free individual infections from exchanging information with the Kelihos botnet and with LEVASHOV. This will stop Kelihos's most immediate harm, the harvesting of personal data and credentials, and the transmittal of that data to servers under LEVASHOV's control.

Another portion of the Kelihos job messages is a list, known as the IP filter list. This list functions as a type of blacklist, preventing communication with those IPs contained within the filter list. If necessary, the FBI also seeks authorization to send a filter list to TARGET COMPUTERS to block Kelihos infected computers from continuing to communicate with router nodes.

The footnote attached to this reads:

The law is unsettled as to whether the operation authorized by the proposed warrant constitutes a search or seizure. However, in an abundance of caution, the United States is seeking a warrant.

It looks like the FBI is tentatively exploring its new powers, making sure it has the paper trail it needs to stave off courtroom challenges. If it sticks to disrupting a botnet, it shouldn't face any. If it takes advantage of its new access privileges, it might.

Filed Under: botnet, doj, fbi, hacking, nit, rule 41, warrant

Chinese Company Recalls Cameras, DVRs Used In Last Week's Massive DDoS Attack

from the internet-of-broken-things dept

For some time now, security researchers have been warning that our lackadaisical approach to Internet of Things security would soon be coming home to roost. Initially it was kind of funny to read how "smart" fridges, tea kettles and Barbie dolls did an arguably worse job than their dumb counterparts with a greater risk to privacy and security. But as we collectively realized that these devices not only created millions of new home and business attack vectors, but could also be used to wage historically-unprecedented DDoS attacks, things quickly became less amusing.

Last week, the theoretical became very real with the massive attack on DNS provider DYN, which knocked a swath of companies and services off the internet for a large portion of Friday. In a piece discussing the attack over at Flashpoint, the security firm (which worked with Akamai to help DYN) notes that the DDoS was indeed thanks to compromised IoT devices, and the Mirai botnet malware recently released to make compromising and harnessing such devices easier than ever. But the group also notes that targeted devices included everything from cameras to... your cable DVR:

"Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks."

Brian Krebs notes that the lion's share of these devices were manufactured by a Chinese company named XiongMai Technologies, which almost instantly found a huge swath of its product line contributing to the attack:

"It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn. At least one Mirai [control server] issued an attack command to hit Dyn,” Nixon said. “Some people are theorizing that there were multiple botnets involved here. What we can say is that we’ve seen a Mirai botnet participating in the attack."

For what it's worth, XiongMai was quick to issue a statement announcing that it would be recalling some of its products (mostly webcams), while strengthening password functions (Mirai often depends on default usernames and passwords) and sending users a patch for products made before April of last year. It also issued a poorly translated statement on its role in bringing the U.S. Internet to a crawl for much of Friday:

"Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too," the company statement said.

And while that's all well and good, that's just one company. There are dozens upon dozens of companies and "IoT evangelists" that refuse to acknowledge that they put hype and personal profit ahead of security, by proxy putting the entire internet at risk. Not only do most of these devices lack even the most fundamental security, they usually provide no functionality to help users determine if they're generating traffic or participating in attacks. And these devices are often sitting behind consumer-grade routers on the network that have equally flimsy security while using default username and password combinations.

So while it's nice to see at least one company almost admit culpability, this really is little more than a small drop in a very deep ocean of dysfunction. It's going to take a lot more naming and shaming of the companies that pushed "smart" but idiotic and poorly-secured technologies on consumers if we're to avoid significantly worse (and potentially fatal) attacks.

Filed Under: botnet, cameras, china, ddos, dvrs, mirai, recall
Companies: dyn, xiongmai

Botnet Bill Could Give FBI Permission To Take Warrantless Peeks At The Contents Of People's Computers

from the mind-if-we-take-a-look-around,-they-asked-never dept

In a recent ruling in a child porn investigation case, a judge declared that the FBI's Network Investigative Technique (NIT) -- which sent identifying user info from the suspect's computer to the FBI -- was the equivalent of a passing cop peering through broken blinds into a house.

[I]n Minnesota v. Carter, the Supreme Court considered whether a police officer who peered through a gap in a home's closed blinds conducted a search in violation of the Fourth Amendment. 525 U.S. 83, 85 (1998). Although the Court did not reach this question, id at 91, Justice Breyer in concurrence determined that the officer's observation did not violate the respondents' Fourth Amendment rights. Id at 103 (Breyer, J., concurring). Justice Breyer noted that the "precautions that the apartment's dwellers took to maintain their privacy would have failed in respect to an ordinary passerby standing" where the police officer stood.

What would normally be awarded an expectation of privacy under the Fourth Amendment becomes subject to the "plain view" warrant exception. If a passerby could see into the house via the broken blinds, there's nothing to prevent law enforcement from enjoying the same view -- and acting on it with a warrantless search.

Of course, in this analogy, the NIT -- sent from an FBI-controlled server to unsuspecting users' computers -- is the equivalent of a law enforcement officer first entering the house to break the blinds and then claiming he saw something through the busted slats.

The DOJ may be headed into the business of breaking blinds in bulk. Innocuous-sounding legislation that would allow the FBI to shut down botnets contains some serious privacy implications.

Senators Whitehouse (D-RI), Graham (R-SC), and Blumenthal (D-CT) introduced the Botnet Prevention Act in May, which (among other things) amends the portion of federal law (18 U.S.C. § 1345) that authorizes these injunctions. The bill would expand § 1345 by adding violations of a section of the Computer Fraud and Abuse Act (“CFAA”) that covers botnets (and more) to the list of offenses that trigger the DOJ’s ability to get an injunction.

More specifically, it would allow injunctions in all violations or attempted violations of subsection (a)(5) of the CFAA that result or could result in damage to 100 or more computers in a year, including any case involving the “impair[ment of] the availability or integrity of the protected computers without authorization,” or the “install[ation] or maintain[nance of] control over malicious software on the protected computers” that “caused or would cause damage” to the protected computers.

It only sounds like a good idea: the government riding to the rescue of unaware computer users whose devices have been pressed into service by malware purveyors and criminals. But, as Gabe Rottman of CDT points out, there's some vague wording in the existing law that would undercut important Fourth Amendment protections when used in conjunction with the DOJ's botnet-fighting powers.

Buried deep within § 1345(b) is a single phrase that could open up a number of thorny issues when this injunctive authority is applied to botnets. The section not only allows the government to obtain a restraining order that stops someone from doing something nefarious, but also an order that directs someone to “take such other action, as is warranted to prevent a continuing and substantial injury . . . .”'

Rottman points to the FBI's 2011 shutdown of the Coreflood botnet. After obtaining a restraining order under the federal rule, the FBI used its own server to issue commands to infected computers, halting further spread of the malware and shutting down the software on infected host devices. Again, this seems like a good use of the government's resources until you take a closer look at what's actually happening when the FBI does this sort of thing.

The court hearing the Coreflood case accepted the government’s argument that the “community caretaker” doctrine allowed the transmission of the shutdown order, as the action was “totally divorced from the detection, investigation, or acquisition of evidence relating to the violation of a criminal statute.” At the time, the government likened its actions to a police officer who, while responding to a break-in, finds the door to a house open or ajar and then closes it to secure the premises.

The "community caretaker" function is one exception to warrant requirements. Accessing peoples' computers without their permission under these auspices allows the FBI to avail itself of a second warrant exception.

In order to scrub private computers for malware, the government would, by necessity, have to search the computer and its contents for the malware. Once the door is ajar, rather than closing it, the police would actually “walk in” to the computer. And anything they find in “plain view” can be used as evidence of a crime. Nothing in the current version of the bill would prevent such a search or collection, giving the government the potential means to search countless computers of victims of the botnet (not the perpetrators) without a warrant.

While these are both valid exceptions to warrant requirements, they've never been deployed on this sort of scale. Officers can perform community caretaker functions that may result in contraband being discovered in plain view. When the FBI takes on a botnet, however, it will have access to potentially thousands of computers at a time and the legislated permission to not only "enter" these computers, but to take a look around at the contents.

The Fourth Amendment was put into place to end the practice of general warrants. The FBI's botnet-fighting efforts turn court-ordered injunctions into digital general warrants, only without the pesky "warrant" part of the phrase. And, unlike other warrants, the proposed legislation would do away with another Fourth Amendment nicety: notification.

As CDT noted in its comments on the Rule 41 change mentioned above, potentially as many as a third of computers in the United States are infected with some form of malware. And, botnets are extremely hard to clean up, especially when you depend on victims to voluntarily submit their computers for cleaning. Given this reality, unless notice is required by statute, law enforcement would have an incentive to dispense with notice in the much wider array of shutdowns permitted under the Graham-Whitehouse bill.

The bill has only been introduced and there's no forward motion as of yet. It's in need of serious repair before it heads further up the legislative chain. As it's written, there's nothing standing between people's personal files and a host of digital officers wandering through virtual houses in search of malware and searching/seizing anything else that catches their eye.

Filed Under: botnet, botnet prevention act, congress, fbi, hacking, lindsey graham, richard blumenthal, sheldon whitehouse, warrants

Who Needs CISPA? White House Unveils Voluntary Data Sharing Plan To Fight Botnets

from the plus,-no-privacy-violations! dept

As the fight over CISPA continues (apparently with some concerns that the existing bill is effectively dead in the water), the White House announced a new voluntary program for companies to share info about botnets in order to stop them. This raises the question, yet again, why we need laws like CISPA in the first place. Companies and the government can already share threat information without violating anyone's privacy. All CISPA and similar bills are really doing is making it easier to violate privacy rules when sharing that kind of information.

Filed Under: botnet, cispa, data sharing, white house

All Fear The Mobile Phone Botnets... That Don't Actually Exist

from the this-again? dept

For many years, we saw stories, usually pushed by security software companies, about how mobile phone viruses were some huge threat that had to be dealt with quickly before they spread around the world. Of course, that hasn't actually happened -- and there are some good reasons why it's unlikely. In fact, it seemed like such stories had been decreasing lately, perhaps in part due to some security firms scolding competitors for mobile virus FUD.

So, we were a bit surprised to see yet another story on the subject, this time suggesting that we're on the verge of (I'm not making this up) a "Cell Phone Zombie Uprising." Some researchers are predicting that mobile phones would be perfect for botnets, though, again it's not clear how that would actually happen, given the limitations of phones. While it is true that phones have become more powerful (and open) over the past few years, there still hasn't been much evidence that viruses and such are a real threat. Most phones are designed well enough to not make it easy for apps to just install themselves -- so consider us skeptical until there's real evidence of a mobile botnet rising.

Filed Under: botnet, fud, mobile, virus