
posted by LaminatorX on Wednesday October 29 2014, @06:01PM
from the draft-dodging dept.

In his career-ending extramarital affair that came to light in 2012, General David Petraeus used a stealthy technique to communicate with his lover Paula Broadwell: the pair left messages for each other in the drafts folder of a shared Gmail account. Now hackers have learned the same trick. Only instead of a mistress, they’re sharing their love letters with data-stealing malware buried deep on a victim’s computer.

Here’s how the attack worked in the case Shape observed: The hacker first set up an anonymous Gmail account, then infected a computer on the target’s network with malware. (Shape declined to name the victim of the attack.) After gaining control of the target machine, the hacker opened their anonymous Gmail account on the victim’s computer in an invisible instance of Internet Explorer—IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so the user has no idea a web page is even open on the computer.

With the Gmail drafts folder open and hidden, the malware is programmed to use a Python script to retrieve commands and code that the hacker enters into that draft field. The malware responds with its own acknowledgments in Gmail draft form, along with the target data it’s programmed to exfiltrate from the victim’s network. All the communication is encoded to prevent it being spotted by intrusion detection or data-leak prevention. The use of a reputable web service instead of the usual IRC or HTTP protocols that hackers typically use to command their malware also helps keep the hack hidden.

  • (Score: -1, Troll) by Ethanol-fueled on Wednesday October 29 2014, @06:04PM

    by Ethanol-fueled (2792) on Wednesday October 29 2014, @06:04PM (#111284) Homepage

    AKA Jewish intelligence infiltration. Easy even for an ugly Jew when the target's wife is even uglier.

  • (Score: 2) by strattitarius on Wednesday October 29 2014, @06:21PM

    by strattitarius (3191) on Wednesday October 29 2014, @06:21PM (#111290) Journal
    So my first thought when I read this:

    in an invisible instance of Internet Explorer—IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so the user has no idea a web page is even open on the computer.

    is that it is a very misleading statement. I realize Wired is read by quite a few amateurs, but the way that is worded makes it sound like this could only occur thanks to Windows, IE and Gmail, which as most of us know is completely and totally wrong. And sure enough there are comments on Wired about using Firefox or Thunderbird for mail or how this is a Windows-only issue. He even suggests you may need to block Gmail, but doesn't seem to realize how easy this would be with any other webmail service.

    I wonder if it actually even uses IE? I would think that would end up being more complicated to hide than just forming the HTTP requests yourself. I don't know, but I know TFA didn't bother with such specifics and instead started spouting a bunch of useless and incorrect advice.

    --
    Slashdot Beta Sucks. Soylent Alpha Rules. News at 11.
    • (Score: 2) by frojack on Wednesday October 29 2014, @06:50PM

      by frojack (1554) on Wednesday October 29 2014, @06:50PM (#111304) Journal

      Python on windows?
      Hidden IE window, (like no one would notice that running in task manager?)

      The whole story sounds fishy. If you have access to the computer to install malware
      why would you use such clumsy means and send it through Gmail Drafts?
      Why not just send it directly to some cloud or offshore server.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 3, Interesting) by strattitarius on Wednesday October 29 2014, @06:54PM

        by strattitarius (3191) on Wednesday October 29 2014, @06:54PM (#111306) Journal
        The benefit I see to using Gmail is that it would easily get lost in the logs as it is mixed in with everyone else checking their Gmail account during the day. Some random server in Beckystan might stick out a bit more and set off some flags.
        --
        Slashdot Beta Sucks. Soylent Alpha Rules. News at 11.
      • (Score: 2) by Joe Desertrat on Thursday October 30 2014, @05:07AM

        by Joe Desertrat (2454) on Thursday October 30 2014, @05:07AM (#111444)

        Hidden IE window, (like no one would notice that running in task manager?)

        I doubt that you, or the average Soylent reader, is a target of these attacks. I would bet that 90% of Windows users only see the task manager if they accidentally open it, and in that case close it without doing anything. If they do look at it, most of what they see is gibberish to them and they are afraid to touch it. Of course, your second point holds in this case, but it is probably still easier and less traceable to stick it in some online e-mail draft than to set up or infiltrate a server for the purpose.

      • (Score: 1) by NeoNormal on Thursday October 30 2014, @01:42PM

        by NeoNormal (2516) on Thursday October 30 2014, @01:42PM (#111507)

        > If you have access to the computer to install malware
        > why would you use such clumsy means and send it
        > through Gmail Drafts?

        My first thought too. Just seems to complicate things and create higher visibility.

    • (Score: 3, Insightful) by PizzaRollPlinkett on Wednesday October 29 2014, @07:33PM

      by PizzaRollPlinkett (4512) on Wednesday October 29 2014, @07:33PM (#111322)

      Wired is written by quite a few amateurs, too. I'd like to see a real source like Krebs or someone discuss this issue.

      --
      (E-mail me if you want a pizza roll!)
    • (Score: 1) by terrab0t on Thursday October 30 2014, @06:33PM

      by terrab0t (4674) on Thursday October 30 2014, @06:33PM (#111626)

      My guess is that offices concerned about security have software on workstations that monitors processes that make network requests and software on both the workstations and servers that monitor where network requests are being made to.

      A process directly contacting some suspicious HTTP or IRC address is uncommon, suspicious behaviour. It's easy to pick that out of the noise of legitimate network use and flag it for investigation. You could even whitelist which processes on a workstation can use the network.

      Internet Explorer sending and receiving encrypted data from gmail.com is a routine occurrence. Detecting spyware that operates this way is much harder. You need to fall back to virus scanning and malware databases to catch this.
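The story's description of a hidden, program-driven IE instance, together with terrab0t's point that IE talking to gmail.com is routine, suggests where a defender can still look: not at the destination but at who launched the browser and how regularly it polls. The following is an added example, not code from the article, Shape Security or any commenter; the telemetry records, field names and hosts are constructed placeholders, and the rules (non-shell parent or a COM-style "-Embedding" command line, steady poll cadence, outbound volume) are assumptions that a real deployment would tune.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (assumed shape, not any vendor's export format).
PROCESS_EVENTS = [  # one record per process start
    {"pid": 1200, "image": "iexplore.exe", "parent": "explorer.exe", "cmdline": "iexplore.exe https://intranet.example"},
    {"pid": 3344, "image": "iexplore.exe", "parent": "svchelper.exe", "cmdline": "iexplore.exe -Embedding"},
    {"pid": 4100, "image": "outlook.exe", "parent": "explorer.exe", "cmdline": "outlook.exe"},
]
NETWORK_EVENTS = [  # (pid, timestamp in seconds, destination host, bytes sent)
    (1200, 10, "intranet.example", 1_500),
    (1200, 95, "intranet.example", 900),
    (1200, 400, "mail.google.com", 4_000),
    *[(3344, 60 * i, "mail.google.com", 50_000) for i in range(1, 13)],  # every minute
    (4100, 30, "outlook.office365.com", 20_000),
]
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
USER_SHELLS = {"explorer.exe"}
WEBMAIL_HOSTS = {"mail.google.com", "outlook.office365.com", "mail.yahoo.com"}

def automated_browsers(process_events):
    """Browsers not launched from the user's shell. A program driving IE through
    COM automation, as in the story, typically yields a non-shell parent and an
    '-Embedding' command line; either signal marks the process."""
    return {
        ev["pid"] for ev in process_events
        if ev["image"].lower() in BROWSERS
        and (ev["parent"].lower() not in USER_SHELLS
             or "-embedding" in ev["cmdline"].lower())
    }

def beacon_score(timestamps):
    """Coefficient of variation of the gaps between requests: 0.0 is perfectly
    periodic (machine-driven); a person clicking around scores much higher."""
    if len(timestamps) < 3:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return pstdev(gaps) / mean(gaps)

def hunt(process_events, network_events, min_polls=6, max_jitter=0.2, min_bytes=100_000):
    """Return {pid: summary} for automated browsers that poll a webmail host on a
    steady cadence and send a notable volume outward (drafts carrying stolen data)."""
    suspects = automated_browsers(process_events)
    per_pid = defaultdict(list)
    for pid, ts, host, sent in network_events:
        if pid in suspects and host in WEBMAIL_HOSTS:
            per_pid[pid].append((ts, sent))
    findings = {}
    for pid, rows in per_pid.items():
        rows.sort()
        score = beacon_score([ts for ts, _ in rows])
        total = sum(sent for _, sent in rows)
        if len(rows) >= min_polls and score is not None and score <= max_jitter and total >= min_bytes:
            findings[pid] = {"polls": len(rows), "jitter": round(score, 3), "bytes_out": total}
    return findings
```

On the constructed data only pid 3344 is reported: the user-launched IE instance (pid 1200) also visits Gmail but was started from the shell and shows no cadence, which is the distinction a destination-only filter cannot make.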

  • (Score: 2) by halcyon1234 on Wednesday October 29 2014, @06:33PM

    by halcyon1234 (1082) on Wednesday October 29 2014, @06:33PM (#111296)
    Woo hoo, here's a layer of extra security! Now, when Google changes Gmail's UI every three days and breaks userscripts and screen-scrapers, it will also break the malware.
    --
    Original Submission [thedailywtf.com]
    • (Score: 1) by Gertlex on Wednesday October 29 2014, @08:11PM

      by Gertlex (3966) on Wednesday October 29 2014, @08:11PM (#111335)

      This is highly accurate... one time I added Google Scholar to the black topbar on google pages, and the script was indeed broken before the week was over.

    • (Score: 2) by M. Baranczak on Thursday October 30 2014, @12:03AM

      by M. Baranczak (1673) on Thursday October 30 2014, @12:03AM (#111382)

      I know that if I was writing malware like that, I wouldn't fuck around with screen scrapers, I'd just connect to Gmail with IMAP.

  • (Score: 4, Insightful) by Grishnakh on Wednesday October 29 2014, @07:16PM

    by Grishnakh (2831) on Wednesday October 29 2014, @07:16PM (#111315)

    Why is it anyone's business who some General fucks?

    • (Score: 2) by tangomargarine on Wednesday October 29 2014, @07:33PM

      by tangomargarine (667) on Wednesday October 29 2014, @07:33PM (#111323)

      Unless it's one of his subordinates/bosses, I suppose. Fraternization and abuse of authority and whatnot.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 2) by VLM on Wednesday October 29 2014, @07:42PM

      by VLM (445) on Wednesday October 29 2014, @07:42PM (#111325)

      Once it's public he can't be blackmailed, so bang away.

    • (Score: 3, Informative) by SlimmPickens on Wednesday October 29 2014, @07:53PM

      by SlimmPickens (1056) on Wednesday October 29 2014, @07:53PM (#111329)

      she had "substantial classified data on computer"

      http://www.reuters.com/article/2012/11/14/us-usa-generals-idUSBRE8AD0GT20121114 [reuters.com]

      • (Score: 2) by frojack on Wednesday October 29 2014, @08:08PM

        by frojack (1554) on Wednesday October 29 2014, @08:08PM (#111333) Journal

        But the quantity of classified material found on the computer was significant enough to warrant a continuing investigation, the officials told Reuters.

        One email "Hey babe, I'm lying out to Kandahar tonight" is probably enough to "warrant a continuing investigation".

        It's a pretty thin excuse if you ask me, especially when:

        As a reserve officer in military intelligence, Broadwell had security clearances that gave her access to classified material, several officials said.

        --
        No, you are mistaken. I've always had this sig.
    • (Score: 2) by looorg on Thursday October 30 2014, @01:01AM

      by looorg (578) on Thursday October 30 2014, @01:01AM (#111390)

      It's a security risk. If Joey Average is getting some on the side it isn't really a matter of national security, but when people in a position such as General Petraeus's step out then it does matter. Extra-marital affairs are, for most people and in most cultures, morally wrong and for that reason a possible source of blackmail. Hence there's a security risk associated with it and it's not something that can or should be tolerated or allowed. He should quite frankly have known better.

      • (Score: 2) by Grishnakh on Thursday October 30 2014, @08:10PM

        by Grishnakh (2831) on Thursday October 30 2014, @08:10PM (#111653)

        There's nothing morally wrong with extramarital sex, and more importantly, most people do it (including cheating on their partners after marriage). You can't expect someone not to do something the vast majority of the population does; it's an absurdly high standard, and one that needs to be eliminated. What people do in their private lives is none of the government's business. If this kind of thing is such a problem in the military (and the military is infamous for cheating because of deployments), then maybe they shouldn't allow anyone to have a monogamous marriage in the military, and should only allow open marriages. It's kinda hard to blackmail someone if their spouse already knows they have another lover.

        • (Score: 2) by looorg on Friday October 31 2014, @06:33PM

          by looorg (578) on Friday October 31 2014, @06:33PM (#111988)

          You might not want to believe it, but if you want to do some kind of work involving secrets, security or have a security clearance job then it is a problem.

          For most people this isn't an issue and you might not think that stepping out on your wife (or husband) is a moral problem, but it is. If you want to work in the business and at the same time have lots of extra-marital affairs or some extravagant sexual lifestyle then it is a problem, just as having a drinking problem, a drug problem, a gambling problem or being knee deep in debt is. They are all big no-nos since they make you a security risk and open you up to easy blackmail. Sure it was probably worse before back in the day, when the security risks also included things such as being a homosexual and belonging to the wrong political party -- some of these are probably true today too in various degrees depending on where you are. But by and large these days most people seem to be able to forgive some of these things -- but that is usually for ordinary people with ordinary access, and if you want to be one of them then this doesn't matter. Petraeus wasn't ordinary in this context.

          That doesn't mean that people with security clearance don't fool around on the side or do other bad things. They do, probably all the time and almost as often as normal people. That is how they usually lose their security clearance. They do actually ask and check for these things if you want one of these jobs.

          So in the case of Petraeus he, and she, should have known better. Even if the wife knew. It doesn't matter. If it wasn't an issue he should have made it public and not been found out. If he wanted to stick it in someone else then he should have gotten a divorce.

          • (Score: 2) by Grishnakh on Wednesday November 05 2014, @01:15AM

            by Grishnakh (2831) on Wednesday November 05 2014, @01:15AM (#113111)

            at the same time have lots of extra-marital affairs or some extravagant sexual lifestyle then it is a problem, just as having a drinking problem, a drug problem, a gambling problem or being knee deep in debt is.

            The problem here is that one of these is not like the others. Having consensual extra-marital sexual relations (I'm talking about a situation where you have an open marriage) isn't harming anyone (as long as you don't get an STD, but you don't hear of the military disciplining enlisted single soldiers for having premarital sex and STDs/pregnancy are a risk with any sex). Drinking, drugs, and gambling addictions, and excessive debt are all actual problems which harm you.

            They are all big no-nos since they make you a security risk and open you up to easy blackmail.

            How does having extramarital affairs open you up to blackmail? Well, if you're cheating on your spouse, yes, I see how, but what if you have an open marriage? If someone told my wife I had sex with her friend (which is true BTW), she'd say "yeah, so?" (since she already knows, since I talked to her about it before and after doing it), and her big concern would be how the heck some random stranger knows this private information and is coming to her with it. Of course, with the military the potential for blackmail is there even with open relationships since, instead of going to the spouse, they could go to the CO and get the person in trouble that way, but that's a problem the military created all by itself by having a UCMJ which actually makes extramarital affairs a court-martialable offense, no different from when you could get in trouble for being exposed as gay.

            Even if the wife knew. It doesn't matter.

            If the wife knows, then it absolutely does matter, because the only reason it's a problem at that point is because the military has rules against it. If they didn't have such rules, and the wife knows, then there would be no problem. As I said, it's a problem entirely of the military's creation by its insistence on particular moral conduct, no different at all from when homosexual activity (or just being homo) was prohibited.

  • (Score: 3, Insightful) by kaszz on Wednesday October 29 2014, @07:43PM

    by kaszz (4211) on Wednesday October 29 2014, @07:43PM (#111326) Journal

    If your malware can send something by any automated means and wait for an answer, it will be able to update its instructions and exfiltrate whatever it needs. Be it speaker-microphone link, WiFi, email spam, connected GSM phone, USB stick, street lights to webcam etc. It doesn't matter. It just works.

  • (Score: 2) by arslan on Wednesday October 29 2014, @10:25PM

    by arslan (3462) on Wednesday October 29 2014, @10:25PM (#111365)

    So if the victim's computer doesn't have python to begin with, it will install the runtime? Wouldn't that immediately be a red flag?

    Nothing against the language.. although those "No curly braces" zealots can get a little annoying at times.

    • (Score: 1) by keithzg on Wednesday October 29 2014, @10:42PM

      by keithzg (4842) on Wednesday October 29 2014, @10:42PM (#111372)

      Well, you can compile Python code into Windows binaries trivially enough (see for example py2exe). In this day and age, the slight increase in space of the compiled exe probably isn't a big deal, and it's a hell of a lot easier to use that to call Windows APIs (which they'd probably have to do if they're actually using IE for this) than writing such from scratch, or (shudder) using Microsoft's compilers.

      Not saying the story doesn't seem a bit weird, just that there's no reason to believe they'd actually need to rely on the normal runtime.

      • (Score: 2) by arslan on Thursday October 30 2014, @01:43AM

        by arslan (3462) on Thursday October 30 2014, @01:43AM (#111401)

        That is not running Python, it is running native code converted from py2exe. Your source is in Python. Unless I'm mistaken, the summary reads like it is running Python...