Pixel Envy

Written by Nick Heer.

Behind the Trend Micro-NBC News Honeypots (PDF)

Kyle Wilhoit just released a white paper to more clearly explain the details of that bogus NBC story. Let’s dive in, starting on the third page:

After roughly 30 hours, Richard’s fake account received a spear-phishing email. The email came from quentorn1971@gmail.com (MD5: 85a97e1550be413b850f76a5a3a36272), someone who supposedly had some information to share with Richard in the form of a link to a Sochi-Olympic-related document.

Richard’s email address appears to have been obtained from the compromised Samsung Galaxy S4 smartphone we used. It is possible that the attacker who gained access to the phone realized that Richard was a high-value target and so sent him a spear-phishing email.

Why did I start on the third page? Because I think these two paragraphs are the crux of this part of the story. If it was indeed the case that high-value targets — like media personalities or executives — were the specific targets for this attack, then the general public probably doesn’t need to worry. Furthermore, it makes this, on the first page, all the more ridiculous:

NBC News wanted the experiment to be performed on new gadgets with no security or software updates. The decision to not put basic precautions in place was made because we were supposed to be regular users in Russia for the Sochi Olympics and wanted to understand the threats attendees who do not take proper precautions faced.

If they’re going after high-value targets, any respectable IT department would ensure that those people have antivirus software on their computers.

If, on the other hand, this is a more general spam-style attack, then the fact that the email address they used “resided within the NBC News domain and was very similar to Richard’s true email address” (as on the first page of the white paper) is not relevant to the attack.

What about the individual attacks? Let’s tackle them one by one, starting with the Android phone:

We unboxed the Samsung Galaxy S4 running Android when we arrived in Russia. We left all of its security settings in the default state. […]

We visited a Sochi-Olympic-themed site and were redirected to another, which prompted us to download an app (avito.apk) that seemed to have relevant travel information. After downloading the .APK file (MD5: 6d6cb42286c3c19f642a087c9a545943), we were prompted to install it. We clicked “Accept” because we believe that’s what typical users would do.

What was reported in the NBC broadcast is exactly what the APK with that MD5 would, in fact, do: it will intercept SMS messages and read arbitrary data on the phone.

But, let’s back up a minute: they apparently left the Galaxy S4 in its default state. However, according to page 93 of its manual (PDF), the Galaxy S4 ships with the option for allowing apps from “unknown sources” deselected. That is to say that there shouldn’t be a way, out of the box, for an APK downloaded from an arbitrary web page to be installed. I’ve asked Wilhoit to clarify this, and will update if I get a reply.

Onto the Windows attack, which was a bog-standard malicious Office document. When run, the attacker gains access, unless…

Patching the OS to the latest level would have also helped prevent the exploit from properly executing.

Breaking: newer system versions often contain important security updates.

And how about that MacBook Air that was compromised?

We proceeded to right-click and choose “Open.” Had we not right-clicked and opened the file, Macintosh Gatekeeper running on OS X 10.8.5 would have caught and prevented the file from running.

To be fair, Wilhoit was simply following the sketchy-looking instructions on the strange Russian page which specifically told him to right-click. But who does that in the real world? Everyone double clicks to open applications.

Does NBC’s original report have any value at all? Well, not really:

While the infections appeared to have automatically occurred due to the editing process on TV (which did not show the user interaction), no zero-days were used and all infections required user interaction and several risky behaviors to succeed.

NBC basically cut out the critical steps required to execute the attacks and failed to mention this, giving the impression that these were all drive-by attacks which will occur the moment you land in Russia. This makes me think that NBC worked to create their chosen narrative in lieu of accurate, correct reporting. And that’s shitty journalism.