Victim Exposure by Anti-Malware Research

Let’s say malware compromises your system. Do you want a responder or a researcher to let others know that you were compromised? That’s the question that came to mind when I read a new research report.

There certainly is precedent for privacy and secrecy practices among other emergency responders, as well as researchers. Health care privacy might be a good example. One of the interesting cases I had to deal with in a hospital involved x-rays of sports teams. In the run-up to a big game we saw threats increase as gamblers tried to get in and improve their odds by stealing information about player health.

From that perspective a report of a system breach by a security responder could be analogous to a report of a bone break by a doctor. The situation may be more complicated than some realize, given the market for data, when you try to ask a simple question like whom a report serves. People betting on a company want to know the company's status, just as people betting on a player want to know the team's status.

Regulations help because they can settle these decisions and try to make it as clear as possible when a responder, or even a victim, has an obligation to report. Recently an anti-malware blog report seemed to unintentionally expose more than necessary.

The start of the story called “An Inside Look into a Customized Threat” has a screenshot of a “targeted” email. From the redacted sections you can almost make out the company name, as you can see at the top of this image:

[Image: FireEye email example]

The little clues to the company name might not be enough to act on if the image didn’t also reveal the location.

“San Diego, CA” is redacted but still very easy to read. So now you know elements of the company/domain name and a specific city. And then the report emphasizes that it’s a billion-dollar company and shows the title Senior Vice President and Chief Financial Officer.

The individual points on their own are not much to think about; taken together they significantly narrow down the possibilities.
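The combination problem described above is something a responder can check for before a write-up goes out. The following is an added example, not code from the post or from the researcher it discusses: a pre-publication linter that takes a do-not-publish list (organization names, locations, titles, size descriptors) and reports which identifier classes survive in a draft, including partial fragments of an organization name such as the half-legible residue left by a sloppy redaction. The draft text, the do-not-publish entries, the class names and the "two or more classes means review" threshold are all constructed assumptions.

```python
"""Pre-publication check for residual victim identifiers in a draft report.
Added example; the draft, the do-not-publish list and the review threshold
are constructed for illustration and are not from the post."""
import re

# Constructed do-not-publish list, grouped by the quasi-identifier classes
# the post singles out. Values are regular expressions, matched case-insensitively.
DO_NOT_PUBLISH = {
    "org": [r"Acme Widgets", r"acmewidgets\.example"],
    "location": [r"San Diego"],
    "title": [r"Chief Financial Officer", r"Senior Vice President", r"\bSVP\b"],
    "size": [r"billion[- ]dollar"],
}

# Constructed draft that "redacts" the domain but leaves a readable fragment.
DRAFT = (
    "The email was sent to the SVP and Chief Financial Officer of a "
    "billion-dollar company; headers show acmewi[REDACTED] and a "
    "San Diego, CA office."
)


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters shared by a and b (simple DP)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def org_fragments(text: str, org_patterns, min_fragment: int = 4):
    """Words in the draft that share at least `min_fragment` consecutive
    characters with any token of an organization name (catches 'acmewi')."""
    words = {w.lower() for w in re.findall(r"\w+", text)}
    tokens = set()
    for pat in org_patterns:
        tokens.update(re.findall(r"[a-z]{%d,}" % min_fragment, pat.lower()))
    hits = set()
    for word in words:
        for tok in tokens:
            if longest_common_substring(word, tok) >= min_fragment:
                hits.add(word)
    return sorted(hits)


def review_draft(text: str, do_not_publish=DO_NOT_PUBLISH) -> dict:
    """Return the identifier classes still present in the draft.
    Assumption: two or more co-occurring classes is enough to warrant review."""
    findings = {}
    for cls, patterns in do_not_publish.items():
        matches = []
        for pat in patterns:
            matches += [m.group(0) for m in re.finditer(pat, text, re.IGNORECASE)]
        if cls == "org":
            matches += org_fragments(text, patterns)
        if matches:
            findings[cls] = sorted(set(matches))
    classes = sorted(findings)
    return {
        "findings": findings,
        "classes_present": classes,
        "needs_review": len(classes) >= 2,
    }


if __name__ == "__main__":
    report = review_draft(DRAFT)
    for cls, matches in report["findings"].items():
        print(f"{cls:9s} -> {matches}")
    print("needs review:", report["needs_review"])
```

The fragment scan is deliberately crude: it will produce false positives on common words that happen to overlap a company name, which is the right trade-off for a check whose cost of a miss is exposing a victim. The exact-match patterns catch the city and the titles; the fragment scan is what catches the half-redacted domain.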

The irony is that if there is anything generic about that message, as the researcher might argue in their own defense, it works against their own claim that this is a “Customized Threat”.

Moving on to the rest of the story reveals little customization. Nothing in the technical summary mentions customization at all.

To summarize, when the malicious file—disguised as a financial report—is executed, it drops an executable file in a temporary folder and executes it. The dropped file then requests an HTML page from a server located in Taiwan and downloads a compressed executable file. This downloaded file establishes SSL communication on the compromised computer.

Perhaps they’re omitting custom elements but that sounds pretty generic. Then the researcher gives more detail on the company.

The entire exploitation was customized for a specific individual—in this case, the president of a billion dollar corporation.

Was the entire exploitation customized, or just the initial attack path? The report seems to want to show that a message could be customized while at the same time avoiding saying how customized it is.

I wonder why they didn’t go all the way and just give the company name. Getting approval to discuss the customized details may have been more convincing, and less likely to cause accidental exposure, than semi-exposing the target.

Or we can hope that the email was completely fabricated by the researcher and San Diego, etc. have nothing to do with the real victim. A simple disclaimer would have been nice in that case, like the usual “identities have been changed to protect…”.

Otherwise it’s like a doctor who says they are not going to reveal which team has an injured player, but test results could be a threat to a winning streak in Manchester.
