System Defense Analysis: The Equation Group

Kaspersky’s Global Research and Analysis Team (GReAT) has posted a 44-page Q&A-style write-up regarding their research into the incredibly advanced malware designed, developed, and implemented by a group they have dubbed “The Equation Group.”  While they don’t name the NSA as the culprit, it’s pretty obvious from the sheer sophistication, the infection pattern, and the relationship with Stuxnet, that they are to blame.  The NSA is a dangerous entity.  That their sights are trained on genuine bad guys is a comforting thought, but that they are human beings who are corruptible (if not corrupted already) and that their weapons may fall into the hands of those same baddies is extremely dangerous.

I am, of course, very interested in the attack vectors employed here.  How an agency controlling practically unlimited resources might go about its operations is of extreme interest and value to a system defense architect, and this data (much more of which is to come, I’m sure) is invaluable.  I have mapped out the attack vectors as I read about this suite of malicious software, and this is what I’ve come up with so far:

Attack Vectors

Initial Compromise

  1. Zero-day exploits against web-based software.
    1. Java
      1. CVE-2012-1723 – arbitrary code execution with local user privilege?
      2. CVE-2012-4681 – arbitrary code execution with local user privilege
    2. Internet Explorer
      1. CVE-2013-3918 – arbitrary code execution with local user privilege
  2. Infected media such as CD-ROMs and USB drives, likely intercepted and tampered with during use of postal systems.
    1. USB-based Fanny Worm
      1. CVE-2010-2568 – arbitrary code execution with local user privilege

Privilege Escalation

  1. Kernel-level privilege escalation
    1. CVE-2009-1123 (MS09-25) – privilege escalation
      1. This is employed by the USB-based Fanny Worm
    2. TrueType Font (TTF) Exploitation (it’s a kernel-mode driver in Windows)
      1. CVE-2012-0159 – arbitrary code execution in kernel mode
      2. CVE-2013-3894 – arbitrary code execution in kernel mode
    3. CloneCD’s vulnerable ElbyCDIO.sys driver
      1. CVE-2009-0824 – arbitrary code execution in kernel mode

Persistence and Stealth via Boot Sector or HDD Firmware Manipulation

Once kernel-mode privileges have been gained, the malicious software can modify the master boot record or even flash HDD firmware with custom firmware designed to cordon off areas of the disk and render them inaccessible save through a custom API surfaced to the malicious software.  Obviously, this is a capability likely enjoyed only by those who have somehow gained access to the source code for the HDD firmware, and that further points to the NSA who is known to request such information (and have those requests accepted, I’m sure) from vendors.  Other agencies simply don’t have the clout or respect of the US government which is, I imagine, a necessary prerequisite for gaining access to such valuable code.

Analysis and Conclusions

While the initial points of compromise are not new, the organization behind this malicious software has perhaps unrivaled power in crafting and executing the attacks.  The ability to intercept media and modify it without the knowledge of the senders or recipients, for example, points to control over common trusted infrastructure (such as postal services).  The deeper payloads again reveal unprecedented and certainly unrivaled knowledge unavailable to everyday folks, such as knowledge of hard disk firmware.

But the key to this malware’s success is its initial point of compromise.  Though every stage of this malware’s operation yields a high degree of threatening sophistication, the most worrisome is perhaps the use of zero-day exploits to bypass multiple layers of the System Defense Stack.  They gain access to the system through the users themselves (web browsing or media tampering), leveraging the users’ own authentication and authorization to execute software which exploits the target operating system to gain kernel-level privilege.  Once this is gained, game over; a system whose kernel is compromised will quickly (relative to the competence of the attacker, which is in this case very high) lose its ability to perform any operation with reliability or integrity, and therefore cannot be trusted in any way.

Obviously, the best chance at mitigating risk here is to prevent access by having users who do not visit potentially compromised web resources or make use of media which could have been subjected to tampering.  This, of course, is made very difficult by this group which seems to exert unparalleled control over trusted public infrastructure.  If they can intercept physical goods such as CDs sent through the mail, it is likely that they can intercept digital communications as well (particularly if this is the NSA).  If that is the case, then access is going to be very difficult to prevent.

Of course, properly configuring systems with users operating in accordance with the principle of least privilege is essential to any well-designed system’s mitigation of malicious software.  The exploit stack leveraged by the Equation group is designed to circumvent this, however, by escalating privileges ultimately to the kernel level.  Given that these were zero-day threats at the time, keeping one’s operating system properly patched would have been an inadequate solution.

Again, it seems to me the best chance for mitigating this threat is found in mandatory access control and execution control.  If we cannot prevent exploitation of the browser or its affiliated processes (e.g. Java), these processes must be constrained and prevented from installing or executing software.  This is more easily accomplished in the relevant respects on GNU/Linux or UNIX operating systems than on Windows, given that the Windows kernel has such a direct role in TrueType Font handling (and this can be directly exploited through the browser, bypassing all of the remaining System Defense Stack layers).  When it comes to compromised media, execution control takes a more direct role in preventing software contained on that media from doing any damage.

Ultimately, I don’t yet have sufficient information to determine with much precision exactly how these components of the System Defense Stack would work to prevent the exploits listed above when enacted against a theoretical system operating in the timeframe during which these exploits were zero-day threats.  It is certainly within the realm of possibility that such mitigation efforts would succeed, but it is not clear by any means.  The Fanny Worm may have been halted by software whitelisting since it leveraged CVE-2010-2568 to presumably launch an executable designed to take advantage of CVE-2009-1123 and thereby gain kernel-level authority over the system.  However, without seeing exactly how the malicious code operated, this is going to have to remain largely speculative.  Further, it is not clear how exactly the DOUBLEFANTASY software leverages exploits to escalate privilege.  I would be very interested to know the technical details given Internet Explorer’s Protected Mode.
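The execution-control layer argued for above (constrained browser-family processes, software whitelisting, no execution from tampered media) can be made concrete as a default-deny launch policy.  The following is an added example written for this post, not code from Kaspersky or from any real allowlisting product; the drive letters, trusted roots, constrained parent names, hash values and launch events are all constructed for illustration.  It evaluates each hypothetical process launch against four rules in order: deny anything on removable media, allow explicitly hashed binaries anywhere, deny everything else spawned by a constrained parent, and otherwise trust by installation root (with path normalization so `..\` tricks and look-alike directory names do not slip past).

```python
from __future__ import annotations

import hashlib
import ntpath
from dataclasses import dataclass

# --- Hypothetical policy (constructed for this example) ---------------------
# Drive letters this machine maps to removable media (USB, CD-ROM).
REMOVABLE_DRIVES = {"E:", "F:"}

# Directories only administrators can write to; an image found here is
# allowed by path, mirroring a "trusted installation root" rule.
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# Browser-family processes that must be constrained: they may only spawn
# children whose hash is explicitly approved, never arbitrary software.
CONSTRAINED_PARENTS = {"iexplore.exe", "java.exe", "javaw.exe"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stand-in for real binary contents; a production allowlist would hold the
# hashes of the actual approved executables.
APPROVED_HASHES = {sha256_hex(b"constructed: approved helper v1")}


@dataclass
class LaunchEvent:
    image_path: str     # path of the executable being launched
    image_bytes: bytes  # its contents (hashed for the allowlist check)
    parent_image: str   # file name of the launching process


def _under_root(path: str, root: str) -> bool:
    # Case-insensitive compare that requires a separator after the root, so
    # C:\Windows does not match C:\WindowsEvil.
    p, r = path.lower(), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def evaluate(ev: LaunchEvent) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one launch event."""
    path = ntpath.normpath(ev.image_path)  # collapses ..\ and mixed slashes
    drive = ntpath.splitdrive(path)[0].upper()
    digest = sha256_hex(ev.image_bytes)
    parent = ntpath.basename(ev.parent_image).lower()

    # 1. Nothing executes directly from removable media, allowlisted or not;
    #    approved tools are installed to a trusted root first.
    if drive in REMOVABLE_DRIVES:
        return "deny", f"execution from removable drive {drive}"
    # 2. Explicitly approved binaries are allowed wherever they live.
    if digest in APPROVED_HASHES:
        return "allow", "hash on allowlist"
    # 3. A constrained parent may only launch approved binaries.
    if parent in CONSTRAINED_PARENTS:
        return "deny", f"{parent} may only launch allowlisted binaries"
    # 4. Otherwise, trust by installation root.
    if any(_under_root(path, r) for r in TRUSTED_ROOTS):
        return "allow", "image under a trusted root"
    return "deny", "unapproved image outside trusted roots"


# Constructed launch events resembling the vectors discussed in the post.
SAMPLE_EVENTS = [
    LaunchEvent(r"E:\autorun\setup.exe", b"constructed: media dropper", "explorer.exe"),
    LaunchEvent(r"C:\Users\bob\AppData\Local\Temp\upd.exe", b"constructed: browser dropper", "iexplore.exe"),
    LaunchEvent(r"C:\Users\bob\..\..\Windows\System32\notepad.exe", b"constructed: notepad", "explorer.exe"),
    LaunchEvent(r"C:\Users\bob\Downloads\helper.exe", b"constructed: approved helper v1", "java.exe"),
    LaunchEvent(r"C:\WindowsEvil\x.exe", b"constructed: look-alike root", "explorer.exe"),
]


def evaluate_all(events=SAMPLE_EVENTS) -> list[tuple[str, str, str]]:
    """Evaluate every event; returns (path, decision, reason) triples."""
    return [(ev.image_path, *evaluate(ev)) for ev in events]


if __name__ == "__main__":
    for path, decision, reason in evaluate_all():
        print(f"{decision:5} {path}  ({reason})")
```

Rule order is the design point: the hash allowlist sits above the constrained-parent rule so that an approved helper may still be launched by Java, while an unapproved dropper written to the user's temp directory by Internet Explorer is refused even though the user's own credentials would otherwise permit it.  The removable-media rule sits above everything so that a tampered CD or USB stick cannot trade on an otherwise approved hash.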

Suffice it to say: these guys are no joke.  Defending against a concentrated attack from such an adversary is the most difficult task facing any system defense architect.  This article in no way purports to demonstrate that the attacks about which we are just now learning are preventable through standard security measures, and given the zero-day nature of the leveraged exploits and the extreme refinement of the attackers, it is not hard to believe that even a perfectly administered system could be subverted.  If the layers of the System Defense Stack can each be compromised through zero-day exploits, there is simply no recourse for the system defense architect.  The problem is with the development of the tools available to said architect, and there is little that can be done.

But, until more data is unveiled, we just won’t know for sure.  Some comfort is in this news for GNU/Linux/UNIX users, of course, in that the malware targets Windows systems and a major avenue of kernel compromise lies in the exploitation of the disastrous TrueType Font implementation in the Windows kernel.
