Tue Jan 2 13:37:00 2007

Irresponsible Disclosure

Normally, hackers and vulnerability researchers are accused of irresponsible disclosure, namely the publication of vulnerability information before a fix is available from the vendor of the affected product. The discussions of the dos and don'ts when performing full disclosure and what constitutes responsible or irresponsible behaviour are as old as the idea of public disclosure of vulnerability details itself.

On the 16th of November, Lance James of Secure Science Corporation posted on the SecurityFocus Binary Analysis mailing list and 5 other mailing lists an extensive analysis of a piece of Trojan horse Malware for Windows. The purpose of the Malware was to collect HTTP Post data when certain keywords, such as "bank", "login" or "mail" were matched in the target URL and drop the collected data at some (probably hacked) web server.

The report, written by an anonymous author at Secure Science Corporation and Michael Ligh, explains how the Trojan works and how it encodes and compresses the data collected before dropping it onto the collection sever. Section 11, detailing the encoding and compression, also contains some example material gathered during lab tests and containing only exemplary login data used by Michael Ligh for the testing of the program.

What surprised me was section 12, which detailed that the drop site was changed by an update to the Trojan on October 18 and listed the un-obfuscated IP address of the new drop server. When I saw the authors reporting updates on the drop site at the time of them writing the report and concluding that the site is still very active, we checked it out. Result: It is still alive!!!

Not only did the authors of the report point everyone and their dogs to a live and kicking drop site for stolen banking, email and other accounts but they also detailed how to decode, decompress and interpret the data into a readable and easy to use format. To verify that this is actually the case, we implemented a decoder solely based on the information in the report and tested it with the daily TAR ball of the drop point site from November 17. The TAR ball contains logs from 1196 infected computers, all in all 371 MB of illegally obtained confidential personal data. Our decoder successfully converted the data into readable text format. According to the PHP scripts running on the drop site, it currently maintained 7410 infected machines.

We will assumed in dubio pro reo that Secure Science Corporation tried to contact the hoster or upstream provider of the drop site and simply failed to have the site taken offline due to the contacted party being unreachable or unresponsive. We asked Secure Science Corporation about that and requested taking down the paper and replacing it with a version not disclosing the IP address of the drop site. The only answer was: "many attempts have been made", no comment regarding the paper.

So at the end of the day, we made our own efforts and informed some contacts about the drop site. It is now offline, replaced by a fresh and probably equally insecure Apache installation. May be this happened due to our requests, may be not.

An entertaining side note: A Google search for "FBI computer crime" produces the email address of the FBI National Computer Crime Squad (NCCS) as nccs@fbi.gov. Unfortunately, the address bounces with a "user unknown" SMTP error. Apparently, computer crime has been eradicated in the USA.

The morale of the story: Is the act of publishing illegally obtained information that can only be used to commit a crime itself a criminal act? I don't know. Is it responsible to do so? Certainly not. Irresponsible disclosure is obviously not limited to hackers.

Posted by FX | Permanent link