Recent Videos

How the NSA Attacks Computer Users with Malware

By Dan Auerbach

We've long suspected that the NSA, the world's premiere spy agency, was pretty good at breaking into computers. But now, thanks to an article by security expert Bruce Schneier-who is working with the Guardian to go through the Snowden documents-we have a much more detailed view of how the NSA uses exploits in order to infect the computers of targeted users. The template for attacking people with malware used by the NSA is in widespread use by criminals and fraudsters, as well as foreign intelligence agencies, so it's important to understand and defend against this threat to avoid being a victim to the plethora of attackers out there.

How Does Malware Work Exactly?

Deploying malware over the web generally involves two steps. First, as an attacker, you have to get your victim to visit a website under your control. Second, you have to get software-known as malware-installed on the victim's computer in order to gain control of that machine. This formula isn't universal, but is often how web-based malware attacks proceed.

In order to accomplish the first step of getting a user to visit a site under your control, an attacker might email the victim text that contains a link to the website in question, in a so-called phishing attack. The NSA reportedly uses phishing attacks sometimes, but we've learned that this step usually proceeds via a so-called "man-in-the-middle" attack.1 The NSA controls a set of servers codenamed "Quantum" that sit on the Internet backbone, and these servers are used to redirect targets away from their intended destinations to still other NSA-controlled servers that are responsible for the injection of malware. So, for example, if a targeted user visits "yahoo.com", the target's browser will display the ordinary Yahoo! landing page but will actually be communicating with a server controlled by the NSA. This malicious version of Yahoo!'s website will tell the victim's browser to make a request in a background to another server controlled by the NSA which is used to deploy malware.

Once a victim visits a malicious website, how does the attacker actually infect the computer? Perhaps the most straightforward method is to trick the user into downloading and running software. A cleverly designed pop-up advertisement may convince a user to download and install the attacker's malware, for example.

But this method does not always work, and relies on a user taking action to download and run software. Instead, attackers can exploit software vulnerabilities in the browser that the victim is using in order to gain access to her computer. When a victim's browser loads a website, the software has to perform tasks like parsing text given to it by the server, and will often load browser plugins like Flash that run code given to it by the server, in addition to executing Javascript code given to it by the server. But browser software-which is becoming increasingly complex as the web gains more functionality-doesn't work perfectly. Like all software, it has bugs, and sometimes those bugs are exploitable security vulnerabilities that allow an attacker to gain access to a victim's computer just because a particular website was visited. Once browser vendors discover vulnerabilities, they are generally patched, but sometimes a user has out of date software that is still vulnerable to known attack. Other times, the vulnerabilities are known only to the attacker and not to the browser vendor; these are called zero-day vulnerabilities.

The NSA has a set of servers on the public Internet with the code name "FoxAcid" used to deploy malware. Once their Quantum servers redirect targets to a specially crafted URL hosted on a FoxAcid server, software on that FoxAcid server selects from a toolkit of exploits in order to gain access to the user's computer. Presumably this toolkit has both known public exploits that rely on a user's software being out of date, as well as zero-day exploits which are generally saved for high value targets.2 The agency then reportedly uses this initial malware to install longer lasting malware.

1 | 2 | Next Page››

Originally published by the Electronic Frontier Foundation.

(AP Photo)

Dan Auerbach
Author Archive