
Sykipot Trojan Variant Stealing DoD Smartcard Credentials

Posted by Soulskill
from the tax-money-well-spent dept.
Trailrunner7 writes "A new research report says variants of the Sykipot Trojan have been found that can steal Dept. of Defense smartcard credentials. The research, published in a blog post Thursday, is the latest by Alien Vault to look at Sykipot, a Trojan horse program known to be used in targeted attacks against the defense industry. The new variants, which Alien Vault believes have been circulating since March, 2011, have been used in 'dozens of attacks' and contain features that would allow remote attackers to steal smart card credentials and access sensitive information."
  • Ouch! (Score:5, Interesting)

    by jd (1658) <imipak@nOSPam.yahoo.com> on Friday January 13, 2012 @05:25PM (#38692260)

    Those cards are heavily used. It's not like this would only impact e-mail, the cards are pretty much used for everything.

    • Re:Ouch! (Score:4, Informative)

      by HBI (604924) <kparadine&gmail,com> on Friday January 13, 2012 @05:28PM (#38692298)

      They are frequently reissued and new certs generated. This causes its own issues, though. The reissued cards cost money and time, and they cause an issue when trying to decrypt old mail, for instance. Specifically, you can't.

      The whole PKI infrastructure thing has not been a glowing success in its largest known implementation.

      • Incorrect, the old certs are recoverable pretty easily: you visit a website, present your CAC, and have access to all your old certs.
  • by dak664 (1992350) on Friday January 13, 2012 @05:27PM (#38692284)

    There is a trojan within the trojan to guide the black helicopters to your home. In fact I risk the BSOD just posting this.

  • by Anonymous Coward

    Per the Article:

    >> The Trojan is delivered to target systems in a corrupted PDF attached to spear-phishing e-mail messages. The PDFs exploited a previously unknown software vulnerability in the Adobe Reader program, the company said.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Per the Article:

      >> The Trojan is delivered to target systems in a corrupted PDF attached to spear-phishing e-mail messages. The PDFs exploited a previously unknown software vulnerability in the Adobe Reader program, the company said.

      Is it just me, or is a program whose purpose (for the vast majority of users) is just to open a document to print turned into a gigantic bloated mess that was far better 10 years ago?

      • It's not just you. I've noticed it as well. Fillable PDFs are of the good, but why do I need 'adobe echosign' when my work already issues digital certificates, a 'convert to PDF' when it's already a PDF, etc..?

      • Is it just me, or is a program whose purpose (for the vast majority of users) is just to open a document to print turned into a gigantic bloated mess that was far better 10 years ago?

        I disagree. It was a bloated POS ten years ago. I had a great dislike for PDF documents not because there was anything inherently wrong with the format but rather because the Adobe reader was so clunky and slow.

        I will grant that it has probably gotten worse in ten years.

  • by cffrost (885375) on Friday January 13, 2012 @06:17PM (#38692844)

    Authentication 101: Something you have and something you know. I've only read the summary, but if these copied credentials ("something you had") can be used to access sensitive resources remotely, then it would seem that "something you know" is something DoD didn't know.

    • by Jumperalex (185007) on Friday January 13, 2012 @06:31PM (#38692982)

      If the Trojan can pull PKI credentials, it can keylog PINs.

      • by timeOday (582209)
        Maybe I'm confused about what's happening here. If you're using something like a SecurID card, it shouldn't matter that much if somebody gets your PIN, unless they also get your card (and you don't notice and get it deactivated).
        • by gruntled (107194)

          I concur. The concept they're selling is that if you're logged into your system with your card and use your pin, they can then use those credentials to gain access to sensitive databases only you are supposed to have access to. I would argue that if your system is so porous that folks are hanging out waiting for you to log in to the network, you're already done.

      • by gruntled (107194)

        The exploit isn't pulling PKI credentials; the exploit is only effective if the card is in the card reader, according to one of the articles. At which point it can play back the PIN; *that's* the exploit.

        An exploit that can misappropriate identity within your hard-token based authentication system but only so long as the token is plugged into the system isn't much of an exploit since the only reasonable protection offered by hard tokens is...you can't authenticate if the token ain't there. Show me an exploi

        • Well then, I can tell you that the card is always in the reader while the machine is logged in and unlocked. Pull the card and the machine immediately locks. Perhaps that needs to change?

          Or is that mitigated by the fact that when a website or other resource (Outlook message signing) requires reauthorization, it forces a reread of the card and asks for your PIN? Policy-wise, for email that ensures non-repudiation, and for online resources I know it enforces authentication in case someone fails to lock their compu

          • by gruntled (107194)

            You'll find a great many agencies do not require the card to be in the reader at all times while the machine is logged in (this is more of a practical issue than anything else; if people are forced to leave their cards in the readers all the time, they tend to forget about them when running out of the building during a fire alarm). Many agencies basically require the card to be in the reader for initial login, then it can be removed and there's your standard timeout feature after X minutes of inactivity you

  • Does it really matter that the smart card was attacked? If the machine is compromised to begin with, anything you or your computer does with your credentials is compromised anyway.

    According to TFA, the attacker still can only do anything while the card is in the compromised computer's reader. What has failed?

  • by Thad Zurich (1376269) on Friday January 13, 2012 @07:20PM (#38693446)
    The trojan steals "use" of the inserted card, and probably the PIN. The private key remains safely in the card, and the trojan can't use it once the card is removed. The defenses are (1) don't use smart card on untrusted computer, or (2) if no other choice, use smart card only long enough to accomplish a specific task. The smart card PIN can be changed by the user, so it may not even be necessary to revoke the credential after an exposure. However, the trojan also gains temporary use of the card holder's digital signature -- meaning that authentic digitally-signed spear phishing emails could be sent under the card-holder's email account. If the card is inserted but the PIN is never entered, then a trojan might maliciously enter several random PINs and block the card as a DoS attack...
    • by couchslug (175151)

      DoD has a live distro for telecommuting. They should make its use mandatory for that, and get rid of their Windows desktops. That's as easy as giving the order, just like when we transitioned TO Windows in ancient times.

      It's free to download, grab a copy:

      http://www.spi.dod.mil/lipose.htm

  • http://www.spi.dod.mil/lipose.htm

    Your taxes paid for it and it's a free download. Grab a copy and check it out. Saves buckets of money in license fees compared to a PE-ish live CD, and won't run Windows malware.

  • Here is more detail on the attack:

    Smartcard access

    The first one is that it creates a new thread with a keylogger routine. The code is very basic: it stores the window name and the keys pressed in a file named MSF5F0.dat in an unencrypted format, for example:

    Title:Internet Explorer
    www.google.es
    Title:My Computer

    It uses the Win32 API's functions [GetKeyState, GetAsyncKeyState, GetForegroundWindow, GetWindowTextA].
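A triage parser for the keylog layout quoted above, added here as an example (it is not AlienVault's code and not from the original thread). It assumes only what the excerpt states: a `Title:<window name>` line each time the foreground window changes, followed by lines of captured keystrokes; the sample content and the list of sensitive window-title hints are constructed for illustration.

```python
"""Group a Sykipot-style MSF5F0.dat keylog by foreground window and flag
windows where a PIN or password was probably captured (defender triage)."""
from collections import OrderedDict
from typing import List

# Constructed sample in the described format; not a real capture.
SAMPLE_LOG = """Title:Internet Explorer
www.google.es
Title:Smart Card Logon - Enter PIN
123456
Title:My Computer
"""

# Window-title fragments that suggest a credential prompt was logged.
# Assumption for this example; tune to the middleware actually deployed.
SENSITIVE_TITLE_HINTS = ("pin", "password", "smart card")


def parse_keylog(text: str) -> "OrderedDict[str, List[str]]":
    """Map each window title to the keystroke lines typed while it was in front.

    A title that appears more than once accumulates all of its keystrokes.
    Keystrokes before any Title: line are filed under "<no title>".
    """
    windows: "OrderedDict[str, List[str]]" = OrderedDict()
    current = "<no title>"
    for raw in text.splitlines():
        line = raw.rstrip("\r")          # tolerate CRLF from Windows hosts
        if not line:
            continue
        if line.startswith("Title:"):
            current = line[len("Title:"):].strip() or "<empty title>"
            windows.setdefault(current, [])
        else:
            windows.setdefault(current, []).append(line)
    return windows


def flag_sensitive(windows: "OrderedDict[str, List[str]]") -> List[str]:
    """Return titles that look like credential prompts and have captured input."""
    return [title for title, keys in windows.items()
            if keys and any(hint in title.lower() for hint in SENSITIVE_TITLE_HINTS)]


if __name__ == "__main__":
    grouped = parse_keylog(SAMPLE_LOG)
    for title, keys in grouped.items():
        print(f"{title!r}: {len(keys)} captured line(s)")
    print("credential prompts to treat as exposed:", flag_sensitive(grouped))
```

Flagged titles tell an incident responder which PINs to change and which card holders' signatures to distrust for the exposure window, in line with Thad Zurich's point above that the key itself never leaves the card.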
