You’ve Been Hacked - First Place

 

You've Been Hacked! A Valentine's Day Challenge
(or… You've Got Sleepless Mail in Seattle)

Answers by Jay Swofford

1) Why hadn't the privacy settings in Tom's AIM client or the digital certificate in Meg's
client encrypted their connection?
The privacy settings do not affect encryption of transmitted data.  The privacy settings (AIM 5.5) allow you to specify:
 - Who can contact me
  -- Allow all users to contact me
  -- Allow only users on my Buddy List
  -- Allow only the users below
  -- Block all users
  -- Block Internet users only
  -- Block the users below
 - Allow users to see...
  -- how long I've been idle
  -- that I am using a mobile device
  -- that I am typing a response
 - Allow users who know my e-mail address to find...
  -- My screen name
  -- Only that I have an account
  -- Nothing about me

We can assume Meg chose to Allow only Tom to contact her. We can also assume that she unchecked all the "Allow
users to see..." boxes and selected "nothing about me" under the "Allow users who know my e-mail address to find".

However, none of these privacy settings affect data encryption between users.  They also do not protect the user
from keystroke loggers or trojans capturing data as it is typed by the user.

AIM certificates are explained at http://enterprise.netscape.com/products/aim/personalcerts/.  The key paragraph on
this page is:
"AIM users can send and receive both encrypted and standard AIM messages. Messages exchanged with users that have
security credentials are encrypted and messages with standard AIM users are not encrypted."

It didn't work because Tom did not have a certificate. Per the above web page:
"When digital certificates are present, a message is digitally signed using the sender's certificate, encrypted using the
recipient's public key and sent to the recipient. When the recipient receives the message, it verifies the sender's digital
signature and decrypts the message using its locally stored private key."

As Tom did not have a digital certificate it was impossible to encrypt the traffic and AIM reverted to plain text messages. 
However, as Meg had a certificate, she was marked as secure in Tom's buddy list (the padlock icon Tom reported seeing).


2) How can Meg and Tom employ an encrypted protocol for communication using AIM?
What other chat programs offer better security features?

Tom needs to purchase and install a personal certificate.  Directions for importing the certificate into AIM 5.2 are included at the
bottom of http://enterprise.netscape.com/products/aim/personalcerts/ with a flash demo using screenshot and animation at:
http://enterprise.netscape.com/products/aimsvcs/secure-cert_nosound.html. Then their messages to each other would be encrypted using
the S/MIME email cryptographic standard.  Once this is complete, under the text entry window, they should both see:
"This IM conversation is encrypted and signed by <name>"



Other instant messenger programs offering good security for Windows 2000 are:
BitWise Chat (Free) - http://www.bitwisecommunications.com/chat/
CryptoHeaven (Monthly Fee) - http://www.cryptoheaven.com/
Hush Messenger (Free, Requires Hushmail account) - https://www.hushmail.com/
iGo Incognito (Free) - http://www.igo-incognito.com/main.html
IMpasse ($19.99) - http://www.im-passe.com/
Project SCIM (Free for non-commercial) - http://www.projectscim.com/
PSST (Free, Donations accepted) - http://psst.sourceforge.net/
Seclude (Free) - http://www.seclude.org/ (website offline when I checked on 2/10/2004)
Secure Shuttle Transport (Free) - http://www.secureshuttle.com/
Trillian ($25) - http://www.ceruleanstudios.com/products/



3) Given the evidence presented in the narrative above, which system had the attacker
most likely compromised: Meg's computer, Tom's computer, a machine on a network
sitting between Meg and Tom, or AOL's messaging system itself? Why?

Meg's computer, probably with a keystroke logger or AIM-specific logger. 
Logical evidence:
The attacker was privy to what Meg typed but made no reference to Tom's portion of the threads (suggesting they can
only see what is typed not what is read/displayed).  Given that the attacker is trying to get her to dump Tom,
they would have logically rather made Tom look stupid than just playing on Meg's email comment.  If the
attacker had compromised Tom's system, then they would have just sent Meg messages from Tom's account
getting her to dump Tom.  If the attacker had compromised AOL or the network they would have access
to both sides of the conversation and would probably have made references to Tom's statements.

Technical evidence:
If you look closely at the Ethereal trace you can see the keylogger/trojan at work.  You will notice the following
lines:

 3 12.343676   10.1.1.4      64.12.25.109   AIM   Message to: th4124 -> I think someone is listening to our chats!
 5 2.208146    10.1.1.4      66.48.76.90    TCP   2696 > domain [SYN] Seq=1389461665 Ack=0 Win=16384 Len=42
10 6.567940    64.12.25.109  10.1.1.4       TCP   Message from: th4124 -> Uh-oh! What should we do?
14 7.388246    10.1.1.4      64.12.25.109   AIM   Message to: th4124 -> I dunno! I think we're in trouble...
16 3.130788    10.1.1.4      66.48.76.90    TCP   2697 > domain [SYN] Seq=1405600891 Ack=0 Win=16384 Len=37

Notice lines 5 and 16, as those are the logger sending data outbound. It is sending it outbound over TCP 53 in SYN packets. This
is a good choice for the malware as TCP/UDP 53 are usually open for DNS lookups.  Also notice that after line 10,
there is no communication outbound, so we assume that Tom's inbound message was not captured (again pointing to a
keystroke logger).  Also notice that 66.48.76.90 does not return a SYN-ACK packet as would be normal under TCP handshake
standards.  Definitely suspicious!

Now lets look at the packet length.  Packet 5 had 42 bytes of data and packet 16 had 37 bytes of data.
This is exactly how many bytes of data are contained in packets 5 and 14 respectively when you remove the whitespace
(most keystroke loggers and trojans will drop this as unnecessary to minimize data transfer).

th4124Ithinksomeoneislisteningtoourchats! = 42 bytes
th4124Idunno!Ithinkwe'reintrouble...      = 37 bytes

So it looks like our culprit is located at 66.48.76.90 and definitely has control of Meg's machine.  That address resolves to:
w-wcom.netfirms.com.  This is a site hosting facility: Netfirms, Inc., 5255 Yonge Street #800, Toronto, ON, M2N 6P4, Canada.
Netfirms DNS server is 66.48.76.92, not .90, so it is unlikely that this is DNS traffic.  With exact match on the byte sizes and
data strings in AIM, we can be confident that whatever Meg sends in AIM is being logged or forwarded via this IP address.

The characteristics of this trojan/keystroke logger using TCP 53 are suggestive of the Muska backdoor family.  Officially this family
is listed as performing the following actions: Remote Access / Keylogger / Steals passwords / ICQ trojan / AIM trojan

More information on this backdoor can be found at http://www.pestpatrol.com/PestInfo/m/muska52.asp,
http://www.simovits.com/trojans/tr_data/y2194.html and http://vil.nai.com/vil/content/v_99123.htm.



4) What steps should Meg and Tom take next to deal with the bad guy and eradicate him
from their lives?

Officially, Meg should contact local law enforcement.  She should be able to get him charged with the following
crimes at a minimum:
 Interception of Wire Communications - keystroke logger
 Unauthorized access to a computer system - installing logger and retrieving results
Depending on what information was collected, how it used, etc. additional charges may be in order (identity theft, fraud, etc).  Law
enforcement could obtain the attackers real identity and IP used to send the message to Meg from AOL via a warrant.  They should also
work with Canadian law enforcement (additional laws may have been broken as the traffic crossed international boundaries, and local
Ontario/Canadian laws come into play).

See http://www.ago.state.ma.us/txt/bc2.htm for details about a case involving a keystroke logger at Boston College.

If they just want him to go away but stay with AIM, then they should do the following:
 - Meg and Tom should run antivirus sweep of their systems
  Panda Software http://www.pandasoftware.com/activescan/
  McAfee FreeScan http://us.mcafee.com/root/mfs/default.asp
 - Meg and Tom should then purchase an antivirus program for their systems and keep it up to date
  Panda Software Titanium Antivirus 2004 (includes protection from dialers, hacker tools and jokes)
   http://www.pandasoftware.com/products/titanium2004/
  Norton Internet Security 2004 (includes firewall and enhanced privacy settings)
   http://www.symantec.com/sabu/nis/nis_pe/
 - Meg and Tom should scan their systems for spyware (and repeat this on a regular basis):
  SpyWareBlaster http://www.spychecker.com/program/spywareblaster.html
  Ad-aware http://www.spychecker.com/program/adaware.html
 - Tom should purchase a digital certificate for his AIM
 - Tom and Meg should then both install Ethereal and verify that the contents of the messages are now encrypted.
 - Meg should also assume that everything she typed into her computer has been recorded.  She should assume that
   her identity has been stolen and begin the process to protect her bank accounts and identity.
  Identity Theft Resource Center http://www.idtheftcenter.org/index.shtml
  Federal Trade Commission http://www.consumer.gov/idtheft/
  Department of Justice http://www.usdoj.gov/criminal/fraud/idtheft.html
   Privacy Rights.Org http://www.privacyrights.org/identity.htm
  Social Security Administration http://www.ssa.gov/pubs/idtheft.htm