Unmasked - Ars Technica [25]
12 Monkeys
The 12 Monkeys rootkit was also a contract paid out by General Dynamics; as one HBGary e-mail noted, the development work could interfere with Task B, but “if we succeed, we stand to make a great deal of profit on this.”
On April 14, 2009, Hoglund outlined his plans for the new super-rootkit for Windows XP, which was “unique in that the rootkit is not associated with any identifiable or enumerable object. This rootkit has no file, named data structure, device driver, process, thread, or module associated with it.”
How could Hoglund make such a claim? Security tools generally work by scanning a computer for particular objects—pieces of data that the operating system uses to keep track of processes, threads, network connections, and so on. 12 Monkeys simply had nothing to find. “Since no object is associated with the objectless rootkit, detection will be very difficult for a security scanner,” he wrote. In addition, the rootkit would encrypt itself for further concealment, and hop around in the computer’s memory to make it even harder to find.
As for getting the data off a target machine and back to the rootkit’s buyer, Hoglund had a clever idea: he disguised the outgoing traffic by sending it only when other outbound Web traffic was being sent. Whenever a user sat down at a compromised machine and started surfing the Web, their machine would slip in some extra outgoing data “disguised as ad-clicks” that would contain a log of all their keystrokes.
While the basic rootkit went for $60,000, HBGary hoped to sell 12 Monkeys for much more: “around $240k.”
0-day
The goal of this sort of work is always to create something undetectable, and there’s no better way to be undetectable than by taking advantage of a security hole that no one else has ever found. Once vulnerabilities are disclosed, vendors like Microsoft race to patch them, and they increasingly push those patches to customers via the Internet. Among hackers, then, the most prized exploits are “0-day” exploits—exploits for holes for which no patch yet exists.
HBGary kept a stockpile of 0-day exploits. A slide from one of the company’s internal presentations showed that the company held 0-day exploits for which no patch yet existed—and the underlying holes had not yet even been published. No one knew about them.
The company had exploits “on the shelf” for Windows 2000, Flash, Java, and more; because they were 0-day attacks, any computer around the world running these pieces of software could be infiltrated.
One of the unpublished Windows 2000 exploits, for instance, can deliver a “payload” of any size onto the target machine using a heap exploit. “The payload has virtually no restrictions” on what it can do, a document notes, because the exploit secures SYSTEM level access to the operating system, “the highest user-mode operating system defined level” available.
These exploits were sold to customers. One email, with the subject “Juicy Fruit,” contains the following list of software:
VMware ESX and ESXi *
Win2K3 Terminal Services
Win2K3 MSRPC
Solaris 10 RPC
Adobe Flash *
Sun Java *
Win2k Professional & Server
XRK Rootkit and Keylogger *
Rootkit 2009 *
The e-mail talks only about “tools,” not about 0-day exploits, though that appears to be what was at issue; the list of software here matches HBGary’s own list of its 0-day exploits. And the asterisk beside some of the names “means the tool has been sold to another customer on a non-exclusive basis and can be sold again.”
References to Juicy Fruit abound in the leaked e-mails. My colleague Peter Bright and I have spent days poring through the tens of thousands of messages; we believe that “Juicy Fruit” is a generic name for a usable 0-day exploit, and that interest in this Juicy Fruit was high.
“[Name] is interested in the Juicy Fruit you told him about yesterday,” one e-mail reads. “Next step is I need to give [name] a write up describing it.” That writeup includes the target software, the level of access gained,