Really Simple Subtle Malware (and spies as drug addicts, Snowden Q&A)

Here’s a nasty bugger. This malware doesn’t produce any network traffic. Nor does this malware appear in any file on disk. In fact, it barely does anything at all.

All the malware does is watch the Windows clipboard. Whenever you “copy” a number of a certain format, it replaces that number… with another number.

Why bother?

Because the “certain format” is the standard format for Polish bank account numbers. The replacement number is… a particular Polish bank account number.

Somewhere in Poland, someone tried to transfer money online, but — oops! — for some reason they mistyped the destination account. And sent the money to an account controlled by the malware author.

This malware is currently not detected by any antivirus program.

Just wanna quote this:

“You have to view the likes of the NSA, GCHQ, et al like “Drug Addicts”, you make heroin unavailable and they will find an alternative opiate to get their fix, rather than face the pain and loss of withdrawal. In fact as with Drug Addicts the loss is likely to push their aggression and criminality buttons hard to society’s cost.

So to predict what they will do you have to start thinking like them and the thoughts you have are not nice, even when for you they are just theoretical and to others apparently paranoid.

So where to start on the “paranoid thinking” well for non contact systems you want to find a clear serial signal with low bandwidth or significantly repeated data such that averaging will buy you an advantage.

If you cannot find one then you have to start thinking about contact systems such as either bugs or implants. In the case of bugs they need to be both easy to fit and covert which is going to be difficult with modern technology.

So you start thinking of implants at the design, manufacture or supply chain stages. And it’s here where traditional and mass surveillance differ. Anything done in design or manufacture stages is going to enable mass surveillance the supply chain less so.

The easiest and cheapest and potentially the most covert way is to build something into standards or licensing requirements, which is where I would start.” https://www.schneier.com/blog/archives/2014/01/nightwatch_nsa.html#c3898276

Snowden Q&A: Nothing much earth-shaking in his answers. Snowden’s playing it pretty safe, running everything he says through a heavy “PR filter.” Hard to blame him, given “anything he says can and will be used against him in the court of public opinion.”

One point of interest — in citing Merkelgate, he says “if reports are to be believed.” In other words, “I’m not confirming or denying here that Merkel actually was spied on.” Is he concerned doing that would fall afoul of Putin’s “don’t harm US interests” rule? Or something else? http://freesnowden.is/asksnowden.html

https://www.cert.pl/news/7955/langswitch_lang/en

“This edition of VBKlip is very simple. First, it creates a Form, which has one of the dimensions set to zero. It also sets ShowInTaskbar to false, which leads to the malware not being visible in the system, unless users open the Task Manager.

Next, it uses the Microsoft.VisualBasic.MyServices.ClipboardProxy class in order to manipulate the content of the Windows Clipboard. Every second (with the help of the Timer class) it compares the contents of the clipboard to two Visual Basic regular expressions: ########################## or ## #### #### #### #### #### ####. This is the standard format of Bank Account Numbers used in Poland. If the content matches either of these regular expressions, it is substituted with another bank account number which is simply hardcoded in the application itself. This is the whole functionality of this malware.

Much like Pink Floyd’s song, this malware just wants the security solution vendors to leave it alone. It does not use any network communication, so no network signatures can be created for this sample. No IP addresses or domain names to monitor or take down. It does not acquire any persistence, no registry entries are created. No system activity apart from the clipboard content replacement.”
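Since there is nothing on the network or on disk to look for, the one place this thing shows itself is the clipboard: an account number that changes without anyone pressing Ctrl-C. Below is an added example of mine (not code from this post or from CERT.pl) of a defender-side check built on exactly that: it reuses the two account-number layouts quoted above and flags any polled clipboard value that matches them but differs from what the user last copied. The clipboard stream here is constructed; a real monitor would feed it from the Windows clipboard API plus a copy-hotkey hook, which is assumed rather than shown.

```python
import re

# The two layouts CERT.pl reports VBKlip matching: 26 contiguous digits, or
# 2 digits followed by six groups of 4 (the printed form of a Polish NRB).
CONTIGUOUS = re.compile(r"^\d{26}$")
GROUPED = re.compile(r"^\d{2}( \d{4}){6}$")


def is_polish_account(text: str) -> bool:
    """True if the clipboard text has the Polish bank account (NRB) layout."""
    return bool(CONTIGUOUS.match(text) or GROUPED.match(text))


def normalize(text: str) -> str:
    """Strip group spacing so both layouts compare as one 26-digit string."""
    return text.replace(" ", "")


def detect_swaps(samples):
    """Flag account numbers that changed in the clipboard without a user copy.

    samples: (seconds, source, content) tuples, where source is "user_copy"
    (a copy action was observed) or "poll" (a periodic read of the clipboard).
    VBKlip overwrites a matching number in place about once a second, so the
    tell-tale sign is a polled account number that differs from the one the
    user last copied. Returns (seconds, copied_number, seen_number) tuples.
    """
    alerts = []
    last_user_account = None
    for seconds, source, content in samples:
        if source == "user_copy":
            last_user_account = normalize(content) if is_polish_account(content) else None
            continue
        if not is_polish_account(content):
            continue
        seen = normalize(content)
        if last_user_account is not None and seen != last_user_account:
            alerts.append((seconds, last_user_account, seen))
    return alerts


# Constructed clipboard stream (not captured data): a copy, a poll that still
# sees it, then a poll that sees a different 26-digit number with no copy between.
SAMPLES = [
    (0.0, "user_copy", "12 3456 7890 1234 5678 9012 3456"),
    (0.5, "poll", "12 3456 7890 1234 5678 9012 3456"),
    (1.5, "poll", "98765432109876543210987654"),
    (2.0, "user_copy", "hello world"),
    (2.5, "poll", "hello world"),
]
```

Running `detect_swaps(SAMPLES)` yields a single alert for the poll at 1.5 s, which is the moment the copied number was silently replaced.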
