NSA bloke used backdoored MS Office key-gen, exposed secret exploits – Kaspersky

The NSA staffer who took home top-secret US government spyware installed a backdoored key generator for a pirated copy of Microsoft Office on his PC – exposing the confidential cyber-weapons on the computer to hackers. That's according to Kaspersky Lab, which today published a report detailing, in its view, how miscreants …

ST
Silver badge
Mushroom

Oooooh, really?!?!?

Later, once reactivated, Kaspersky's software searched the machine as usual, removed the trojanized key-gen tool, found the secret NSA code during the scan, and uploaded it to Kaspersky's cloud for further study by staff.

Whose staff? I contemplate this question in wonderment.

And this upload to Kaspersky's cloud was 100% immune, and unrelated to, the GRU, or FSB.

Da, Tovarisch!

Who wrote Kaspersky's report? Kellyanne Conway?

2
47
Silver badge

Re: Oooooh, really?!?!?

> found the secret NSA code during the scan, and uploaded it to Kaspersky's cloud for further study by staff.

So you're saying that if your anti-virus SW finds any files which might be of interest to your business and quickly steals a copy before anyone realises their mistake. Is it only source code you steal or perhaps you upload any photos and videos too?

2
34
ST
Silver badge
FAIL

Re: Oooooh, really?!?!?

@Dazed and Confused:

Try again, this time around with a minimal effort at being coherent. Your first phrase contains subordinate clauses only. There's no main clause.

Thank you.

32
2
Anonymous Coward

Re: Oooooh, really?!?!?

I read your subject line in the voice and mannerisms of Jim Carrey as Ace Ventura.

13
0
Anonymous Coward

Re: Oooooh, really?!?!?

Dazed and Confused

Does what it says on the tin.

21
0
Silver badge

Re: Oooooh, really?!?!?

Pretty much all the anti-virus vendors do this now, unless you untick the option.

Microsoft also like copies of any files that crash any of their software, along with the memory dumps. Microsoft Security essentials has a "send file samples automatically when further analysis is required" setting for instance. It's probably ticked by default.

Obviously the archive would have been full of virus code, so presumably of interest to an anti-virus vendor.

In any case this is pretty much entirely the NSA's fault. You have to wonder how someone can take *all of your hacking tools* home with them and drop them on their personal computer. You would think a tool kit full of zero days would be a pretty valuable asset and you would ration this stuff out rather than handing it out like candy. And of course the motives of the unnamed NSA operative (who can't even afford an Office license apparently) might well be pretty shady.

69
0
ST
Silver badge
Angel

Re: Oooooh, really?!?!?

> I read your subject line in the voice and mannerisms of Jim Carrey as Ace Ventura.

That's very accurate. Thank you.

2
5
Silver badge

Re: Oooooh, really?!?!?

You have to wonder how someone can take *all of your hacking tools* home with them and drop them on their personal computer.

An NSA contractor walking out of the building with unlimited amounts of secret information - inconceivable

44
0

Re: Oooooh, really?!?!?

I, for one, always disable the sending of malware samples back to the vendor.

9
1
Bronze badge
Facepalm

Re: Oooooh, really?!?!?

> "Microsoft also like copies of any files that crash any of their software, along with the memory dumps."

They must have a lot of copies of their own software sent back to themselves then.

25
2
Gold badge
Coat

"Who wrote Kaspersky's report? Kellyanne Conway?"

Kellyanne Conway can write?

Pix or it didn't happen.

16
2
Silver badge

Re: Oooooh, really?!?!?

And of course the motives of the unnamed NSA operative (who can't even afford an Office license apparently) might well be pretty shady.

And lives in a bedroom? How high is the fellow in the NSA ranking or don't they pay their agents enough not to live in a bedsit or with their parents?

12
0
Silver badge
Joke

Re: Oooooh, really?!?!?

They must have a lot of copies of their own software sent back to themselves then.

Which may explain why their Office325 and Hotmail/Outlook servers are often down.

Simply: they're DDOSing themselves.

11
0
Silver badge

Re: Oooooh, really?!?!?

There's always one per thread with no reading comprehension skills and/or a conspiracy theory mentalist.

At least we got it out of the way early this time.

12
0
Silver badge

Re: Oooooh, really?!?!?

This machine obviously wasn't a sanctioned NSA device then, so totally not cleared to host sensitive information.

If it was legit it would have been using a corporate licence for Office.

The basis for the hearing was interesting though - they only seem interested in determining if Kaspersky should be sent down rather than the root problem which was the loss of sensitive information.

Another fact – that yet another NSA staffer took top-secret work home and lost it, which is a criminal felony – was outside of the committee's remit, according to Representative Barry Loudermilk (R-GA)

So their actual remit was to avoid looking too closely at the root cause and to just toe the official line?

26
0
Silver badge

Re: Oooooh, really?!?!?

anti-virus SW finds any files which might be of interest to your business and quickly steals a copy before anyone realises their mistake

Sigh.

I'll use short words - the software by default is configured to upload malware samples for analysis. Almost all AV software also does the same.

The ex-NSA muppet didn't turn that feature off.

Now do you get it?

(I've no axe to grind with Kaspersky - I've used it in previous jobs. Not always the best and somewhat resource-intensive, but a long, long way from the worst)

20
1
Silver badge

Re: Oooooh, really?!?!?

So their actual remit was to avoid looking too closely at the root cause and to just toe the official line?

The clue is in the name: "Government Committee". Expressly designed to look like "something is being done" without actually doing anything.

12
0
Anonymous Coward

Re: Oooooh, really?!?!?

A Keygen for MS Office?

What the heck was he installing, OFF2007?

We need an activation routine now OFF2010 and beyond...

This makes no sense...

2
0
Anonymous Coward

Re: Oooooh, really?!?!?

Actually it's no longer a criminal offense if he didn't mean to get it released like this. He was just extremely careless and should not be prosecuted according to recent precedents. Intent matters and as he didn't intend to have it escape from his machine, he can't be held responsible.

1
1
Silver badge
Windows

Re: Oooooh, really?!?!?

We need an activation routine now OFF2010 and beyond...

Are you sure about that? Really?

Oh? Well what about everyone else? Especially those who've got experience at hunting for software+keygen on torrent sites?

(I have seen functional "keygen" tools for Orifice 2k10, most of but not all tripped AV and the ones that didn't trip AV appeared to act like they were perfectly fine. The customer was also told that their keygen was deleted as part of our normal cleanup processes (MSSE (never before noticed it sounds almost exactly like "messy"...) picked ALL keygens for MS software as malware. Also did the same for any files that were text with lists of keys in them IIRC, so not proof the keygens were harmful but definitely (as far as MS is concerned) fall into the "unwanted program" camp). (have I used enough ")" to be mathematically correct?))")")"?

2
0

Re: Turning it off

Absolutely. The hashes for the source code will be totally different to the hashes for the software in the wild (which Kaspersky has a legitimate interest in and will have seen before). There is no way to tell the code is related to the binaries without compiling it. So if Kaspersky takes this source code without asking, it probably takes ALL source code for good measure. Or maybe only if it says TOP SECRET in the header.

0
3
Silver badge
Mushroom

Re: Turning it off

Or maybe only if it says TOP SECRET in the header

Or maybe, just maybe, as has been pointed out numerous times in this thread, the archive contained COMPILED BINARIES as well as source material, and it was the COMPILED BINARIES that triggered the alert? Or maybe, just maybe, as has also been pointed out here, certain content that is the same between COMPILED AND SOURCE (eg URLs) was detected, and triggered the alert?

But no, fuckwits with too few braincells to walk and chew gum at the same time gotta target them coz Russians bad and yanks good, right?

8
2

Re: Turning it off

Ok, so you've made a great big zip file with your source and your binaries of the NSA tools. You've taken them home in a single lump for convenience. As a result this single archive, which probably runs to hundreds of meg if not gigabytes, matches a known signature. So you are stating that it's ok for Kaspersky to upload this file to their servers without asking? Does it do this for ALL files that match signatures or just those that match NSA signatures?

My point was that just because they identify binaries that match signatures, it gives them no right to upload unrelated items. Or upload anything without asking. Makes no difference if it's in an archive or as separate files on the file system.

PS. I have no view on Russia vs US. However I do have a dim view of all anti-virus software companies and refuse to use them. Their software is only marginally better than the viruses themselves: you can pay them in dollars and don't have to fish around for bitcoin

1
3

Re: Oooooh, really?!?!?

> "Microsoft also like copies of any files that crash any of their software, along with the memory dumps."

That's why the new transoceanic fiber.

1
0
Silver badge
FAIL

Re: Turning it off

Ok, so you've made a great big zip file with your source and your binaries of the NSA tools. You've taken them home in a single lump for convenience. As a result this single archive, which probably runs to hundreds of meg if not gigabytes, matches a known signature.

Actually most malware isn't very big. You can have a few hundred samples in a couple of MB. We are not told how many samples were in the zip file so you can have your terabytes of data, I'll say it was 2 samples and 2 bits of source, totalling 100kb, zipped down to 50kb. It's probably somewhere a bit more than my guess but far less than yours. Let's go for 10mb, the upper limit Google will allow for email. That's not really big, but you can fit a ton of text in there. I have a full height 5mb MFM HDD sitting around somewhere; for its original owner they probably had OS, programs and data on there, and probably paid several hundred dollars for it as well.

10Mb wouldn't be much. For many people with today's HDD sizes and internet speeds, 100Mb wouldn't be much - I can (when at a mates) download HD movies faster than I can watch them, and we don't notice much. On ADSL 2 people can stream HD movies. 100Mb is nothing by today's standards. Shall we go for a full series? I have a copy of Babylon 5 (all eps, movies and also the Crusades series) that is a little over 50Gb - took a couple of days for that to come down over ADSL.

So you are stating that it's ok for Kaspersky to upload this file to their servers without asking? Does it do this for ALL files that match signatures or just those that match NSA signatures?

If you knew anything about standards for AV you'd know that yes, for any new variant of a known strain, or something that is a heuristic match (Thunderbyte AV did heuristic matching back when 386s were still quite common) but does not match known malware, it is standard practice for a sample to be sent off to the AV company. If that file is part of a larger archive, then the entire archive is suspect and thus is sent (how can they tell it's not a largely suspect archive unless they look deeper?). You can turn this off, but IME it is the default setting for normal AV software. Kaspy does it, MSSE/WD does it, I think I can safely assume Symantec products do it. In fact I can say with some assurance that Avast, AVG, ESET, Fortinet, Kaspersky Lab, McAfee, Microsoft, Sophos, Symantec, Trend Micro, Vipre, and Webroot all send data up to home base, and some don't allow you to opt out (I do have an issue with doing it without giving you the chance to say no, but I don't have a problem with it being the default - users should be notified of this behaviour during installation, I agree).

This is how new threats are detected so outbreaks can (hopefully) be stopped sooner, perhaps so the AV company can be "first" to find it, etc. Without samples of new strains, the AV companies cannot a) work out what they do and b) work on a way to stop/clean/prevent infection. If you stop the AV companies getting samples of new malware you stop the AV companies.

My point was that just because they identify binaries that match signatures, it gives them no right to upload unrelated items. Or upload anything without asking. Makes no difference if it's in an archive or as separate files on the file system

If you don't want them to have that right, don't ask them to run on your system. It's so simple that even someone like yourself has at least a slim chance of grasping the concept.

However I do have a dim view of all anti-virus software companies and refuse to use them.

Going off your posts, I have to wonder if "dim" is the operative word? Run an online Windows? You need protection.

5
1
Silver badge
Big Brother

Highly confidential Windows PC ..

"highly confidential software exploits from the NSA employee's bedroom Windows PC"

Highly confidential and Windows PC don't go together.

40
3
Anonymous Coward

Re: Highly confidential Windows PC ..

As any NSA employee should already know. I mean, they've taken their malware (likely for Windows OS) home to a Windows PC and it went walkies courtesy of an OS they know to not be secure not being secure. FFS. I want to believe this was some sort of deliberate honeypot type action but I'm inclined to simply believe it was the actions of a fucking idiot.

1
1

He's hosed.

That spook was running bootleg Office. Black choppers from Redmond are en route.

43
0
Bronze badge

Re: He's hosed.

Redmond vs Alphabet Soup: The Cage Match.

27
0
Silver badge

Re: He's hosed.

Indeed, I found that little line in the article very interesting as well.

A "security" contractor who 1) takes confidential data out of NSA premises without authorization and 2) uses a malware-infested cracker to unlock an unregistered copy of Office without wondering what might go wrong.

And those are the goons allowed to spy on us. If that's how smart they are, no wonder Russia can pilot US elections.

45
0
Silver badge

Re: He's hosed.

Microsoft are old school. There's none of this Google / Facebook / Twitter desire to control opinions or the media or pretend to be The Good Guy... They just want money. All of it. Everywhere. They will do anything to get it. Even on occasion, if it's necessary, protecting your privacy. In an age of Google, there's something endearing about Microsoft's more Old School brand of evil.

4
0
Silver badge
Trollface

Re: He's hosed.

Even on occasion, if it's necessary, protecting your privacy.

Actually I don't think they're that desperate for money.

2
1
Silver badge

Re: He's hosed.

Not to mention that this chucklehead had apparently never heard of LibreOffice/OpenOffice. How can you work in IT and not realise that there are better options than downloading a pirated version of Office?

6
1
Silver badge

Re: He's hosed.

>>Actually I don't think they're that desperate for money.

I know that you're trolling (the troll icon gives it away!), but seriously - Microsoft have been fighting an expensive and ongoing legal action against the US government to prevent them being able to access Azure data in their Ireland data centres. They've been doing so because they know allowing this would be a big blow to their sales in Europe. As I said, if there's money involved, they'll even stoop to doing the right thing if they have to.

4
0
Silver badge
Coat

Re: He's hosed.

As I said, if there's money involved, they'll even stoop to doing the right thing if they have to.

Right thing done for wrong motives = still right thing gets done :)

(No, the end does not always justify the means, but sometimes we don't need to worry about the motivation if good stuff gets done and no one gets hurt).

That said.. If MS is doing something, even for money, I have to re-check my own mental alignment to make sure something really is "right" when it's the same as what MS is doing.

Been a long day. I should be in bed I think. Night.

2
0
Silver badge

Re: He's hosed.

You might also want to wonder whether the resistance is in order to distract from something more untoward happening elsewhere. Just saying.

1
1

How is Kaspersky recognizing NSA source code anyway?

6
6
Silver badge

How is Kaspersky recognizing NSA source code anyway?
Based on what we know, they probably put this comment at the top:

# VERY SECRET NSA SOURCE CODE.

# DO NOT READ THIS. IT IS VERY SECRET.

39
0

Don't you think people who look at viruses and malware for a living can tell who the professionals are and who the run-of-the-mill coders are?

16
0
Silver badge

Based on what we know, they probably put this comment at the top:

# VERY SECRET NSA SOURCE CODE.

# DO NOT READ THIS. IT IS VERY SECRET.

What? No line numbers and REM statements?

21
0
Anonymous Coward

How is Kaspersky recognizing NSA source code anyway?

Ah, the old nemesis "comprehensive reading" rises again.

From the article: "The antivirus duly deleted the Mokes malware, but also found several new types of NSA code – which appeared to be similar to the agency's Equation Group weapons that Kaspersky was already familiar with – which were pinged back to Russian servers for analysis."

Kaspersky went public with this in 2015, greatly annoying the NSA.

That is IMHO what is really behind the anti-Kaspersky thing: they keep showing up the NSA and other spy agencies by catching their spyware. Unless they get Kaspersky off the market, the NSA will forever have a problem spying on users and would potentially have to rely exclusively on what Microsoft slurps. As we know, single supplier strategies are never a good idea from a resilience perspective, and that goes for spy agencies as much as companies.

Kaspersky's strategy is good here: transparency is good. Verified transparency is even better, but that creates a question in itself: who would you trust? I'd get Ross Anderson involved, but I'm not even sure he'd do work like that (and I'm not sure the UK spy agencies would be happy with him wandering into Russia either).

22
0
Anonymous Coward

What? No line numbers and REM statements?

That's lower down, just after the GOTO lines :)

8
0
Silver badge

"How is Kaspersky recognizing NSA source code anyway?"

It's malware. Detecting malware is what Kaspersky does for a living. Why would you expect them not to detect it?

15
1
Silver badge

"It's malware."

No. It's a bunch of non-executable letters. Source code. I'd also like to know what business an antivirus may have with bits that it determines do not contain binary, runnable code.

1
6
ST
Silver badge
FAIL

Kaspersky's transparency strategy

> Kaspersky's strategy is good here: transparency is good.

Lots of unconditional love for the Russian FSB on this board.

Yep. Very good strategy. Kaspersky AV transparently spies on you.

You don't even have to go to Russia to find out what Kaspersky has been up to. It's all public.

For starters, Eugene Kaspersky attended the KGB School as a teenager. He then went on to work for the GRU. That's good, because the KGB and the GRU always have your best interests at heart.

Then Kaspersky had a change of heart, and became an Internet Freedom Fighter. He totally broke off any previous connections to the KGB or the GRU. How do I know this? Because Kaspersky himself said so, many times.

Kaspersky AV has been known to be a FSB-sponsored spyware tool at least since 2012. But no, it's the very best AV one could install on their Windows PC. Transparency and all that. Delusion said so.

Whenever I think of the KGB, what is the first word that springs to my feeble mind? Transparency.

NSA spying on your files: BAD. FSB spying on your files: GOOD.

Is that the idea here?

1
17

RTFA

No. It's a 7zip archive full of malware - source code, executables, libraries, resources.

If that wouldn't trigger even the most simple hash-based malware detection, anti-malware would be useless.

12
1
Silver badge

Not all malware is compiled software. There are plenty of scripts that constitute malware. I could write you a trojan in Bash right now if I wanted. Also, it said it uploaded infected zip files. So for example, I have project folders that contain both source code and compiled executables which, if I were transferring, I would zip up to export.

9
0
Silver badge

"No. It's a bunch of non-executable letters. Source code."

From TFA (my emphasis):

"The archive itself was detected as malicious and submitted to Kaspersky Lab for analysis, where it was processed by one of the analysts. Upon processing, the archive was found to contain multiple malware samples and source code for what appeared to be Equation malware."

I read this as indicating that the archive contained both binaries and source and that it was the binaries that triggered the detection and subsequent upload of the entire archive. No need for the AV to have recognised the source.

6
0
Silver badge

How is Kaspersky recognizing NSA source code anyway?

Simple, source code and scripts (ie. human readable executables) will contain many of the same strings eg. certificates, passwords, URLs etc. that get compiled into binaries. So if you are doing a full system deep scan (ie. don't trust the file extension and scan everything), an AV scan may well detect these and flag the file as suspect.

4
1
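As an added illustration of the mechanism described in this post and in the earlier one about the binaries triggering the upload of the whole archive, here is a toy Python scanner (example code, not Kaspersky's or any real engine's): it hashes each member of a zip, searches members for string indicators that a binary and its source share, and flags the archive as a whole if any member hits. The signatures, the C2 URL and the sample files are all constructed.

```python
"""Toy archive scanner for the behaviour discussed in this thread.

Added example, not Kaspersky's code or any real AV engine's: hash-match each
zip member, then look for string indicators shared between a binary and its
source, and flag the whole archive. All signatures and samples are constructed.
"""
import hashlib
import io
import re
import zipfile

# Constructed "binary" and the "source" it was built from; both carry the
# same hard-coded C2 URL, which is the point made in the post above.
C2_URL = b"http://c2.example.invalid/beacon"
SAMPLE_BINARY = b"\x7fELF" + b"\x00" * 12 + C2_URL + b"\x00" * 8
SAMPLE_SOURCE = (b"#include <stdio.h>\n"
                 b'static const char *C2 = "' + C2_URL + b'";\n'
                 b"int main(void) { return 0; }\n")
README = b"Release notes for the tool bundle.\n"

# Constructed signature sets (a real engine's would be far larger).
HASH_SIGNATURES = {hashlib.sha256(SAMPLE_BINARY).hexdigest(): "Constructed.Agent.A"}
STRING_INDICATORS = [(re.compile(re.escape(C2_URL)), "C2 URL of Constructed.Agent.A")]


def build_archive(members):
    """Build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_member(name, data):
    """Return (member, rule, reason) hits for one archive member."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append((name, HASH_SIGNATURES[digest], "exact hash match"))
    # Deep scan ignores the extension, so a .c file carrying the same URL as
    # the binary is matched just like the binary.
    for pattern, rule in STRING_INDICATORS:
        if pattern.search(data):
            hits.append((name, rule, "string indicator match"))
    return hits


def scan_archive(archive_bytes):
    """Scan every member. Returns (flagged, hits, member_names); the unit
    that gets flagged (and, in a real product, submitted) is the archive."""
    hits, names = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            names.append(info.filename)
            hits.extend(scan_member(info.filename, zf.read(info)))
    return bool(hits), hits, names


def demo():
    """Mixed archive: one binary, its source, and an unrelated README."""
    archive = build_archive({"tool.bin": SAMPLE_BINARY,
                             "tool.c": SAMPLE_SOURCE,
                             "README.txt": README})
    return scan_archive(archive)


if __name__ == "__main__":
    flagged, hits, names = demo()
    print("archive flagged:", flagged)
    for member, rule, reason in hits:
        print(f"  {member}: {rule} ({reason})")
```

The README never matches anything, yet it travels with the archive because the archive, not the member, is the unit that gets flagged.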

"How is Kaspersky recognizing NSA source code anyway?"

Um a 7z archive, how many times when you download the source for windows do you actually also download the executable?

Expand that looking for virus, find a virus by checksum, upload the offending archive. I would have thought that was standard operating procedure, unless there

On examination the archive also contains the source. Analyst gets to eyeball it as it's Equation Group. Someone's been hit by the NSA.

All predictable, and all too plausible.

As to what happened after that? Would you tell the NSA that their code has escaped? Would you if you were a Russian?

6
1
