Information Security News
Recently shipped Dell systems have been found to include a special Root CA Certificate and private key, eDellRoot. All systems apparently use the same key and certificate. Using the secret key, anybody could create certificates for any domain, and Dell systems with this eDellRoot certificate would trust it. The key is part of Dell Foundation Services.
To test if your system is affected, see: https://edell.tlsfun.de
To remove the certificate if you are affected:
- stop and disable Dell Foundation Services
- delete the eDellRoot CA (start certmgr.msc, select Trusted Root Certification Authorities and Certificates. Look for eDellRoot)
For details about managing Root CAs see https://technet.microsoft.com/en-us/library/cc754841.aspx
In this case, it is not sufficient to just remove the CA. Dell Foundation Services will reinstall it. This is why you need to disable Dell Foundation Services first, or delete the Dell.Foundation.Agent.Plugins.eDell.dll.
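The removal order described above, as a PowerShell script to save and run from an elevated prompt. This is an added example, not code from Dell or from the original article. It assumes the service's display name contains "Dell Foundation Services" and that the certificate can be identified by "eDellRoot" in its subject; the -Remove switch is this example's own parameter. Without -Remove it only reports what it finds.

```powershell
# Added example: disable Dell Foundation Services first, then delete eDellRoot.
# Assumption: service display name contains "Dell Foundation Services".
# Assumption: the certificate subject contains "eDellRoot".
param([switch]$Remove)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Get-EDellRootCert {
    # Search the Trusted Root Certification Authorities stores.
    foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like '*eDellRoot*' }
    }
}

# Step 1: stop and disable the service, otherwise it reinstalls the CA.
$services = @(Get-Service -DisplayName '*Dell Foundation Services*' -ErrorAction SilentlyContinue)
if ($services.Count -eq 0) {
    Write-Warning 'No service matching "Dell Foundation Services" was found.'
}
foreach ($svc in $services) {
    Write-Output ("Service {0}: status={1}" -f $svc.Name, $svc.Status)
    if ($Remove) {
        Stop-Service -Name $svc.Name -Force
        Set-Service -Name $svc.Name -StartupType Disabled
    }
}

# Step 2: report and delete every eDellRoot entry in the root stores.
foreach ($cert in @(Get-EDellRootCert)) {
    Write-Output ("Found {0} thumbprint={1} hasPrivateKey={2}" -f `
        $cert.Subject, $cert.Thumbprint, $cert.HasPrivateKey)
    if ($Remove) {
        Remove-Item -Path $cert.PSPath
    }
}

# Step 3: confirm nothing is left. Re-run after a reboot to check that
# the certificate has not been reinstalled.
$left = @(Get-EDellRootCert)
if ($left.Count -gt 0) {
    Write-Warning ("{0} eDellRoot certificate(s) still present." -f $left.Count)
} else {
    Write-Output 'eDellRoot is not present in the root stores.'
}
```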
Earlier this month, the BizCN gate actor switched IP addresses for its gate domains to 126.96.36.199/24. Also, as early as Friday 2015-11-20, this actor started sending CryptoWall 4.0 as one of its malware payloads from the Nuclear exploit kit (EK). Until now, I've only associated CryptoWall 4.0 with malicious spam (malspam). This is the first time I've noticed CryptoWall 4.0 sent by an EK.
This diary discusses the recent change in BizCN-registered gates, and we'll look at some examples of CryptoWall 4.0 sent by this actor.
Like some other groups, the BizCN gate actor uses another server to act as a gate between the compromised website and its EK server (I explained gate traffic in my previous diary here). I've been calling this criminal group the BizCN gate actor because domains it uses for the gate have all been registered through the Chinese registrar BizCN, always with privacy protection [1, 2].
Shown above: Flow of infection traffic caused by the BizCN gate actor.
This actor uses dedicated servers for its gate domains. These gate domains tend to stick with one particular hosting provider. At times, the BizCN gate actor will switch hosting providers for its gates, and the IP address block for these gates will change.
Since February 2015, the BizCN gate actor has used a handful of IP addresses in the 188.8.131.52/16 block (Germany - TK Rustelekom LLC) for its gate domains.
Shown above: Examples of BizCN-registered gate traffic from this actor. Click here for a pcap of the traffic.
A successful infection chain
Let's look at some infection traffic from Saturday 2015-11-21. The first step in this infection chain? You'll find injected script that points to the BizCN-registered gate in a web page from the compromised
Shown above: Injected script in page from a compromised website.
URL patterns in HTTP GET requests to these gate domains are fairly distinctive. What's the second step for this successful infection chain?
In the above image, I've highlighted the unicode that represents a Nuclear EK landing page URL.
The final step of this infection chain?
Shown above: Malware payload from Nuclear EK used by the BizCN gate actor.
CryptoWall 4.0 sent by the BizCN gate actor
CryptoWall is not the only payload sent by the BizCN gate actor, but it's the most common.
Shown above: CryptoWall 3.0 infection caused by the BizCN gate actor (up through Thursday 2015-11-19).
Less than 24 hours later on Friday 2015-11-20, there was a change in CryptoWall sent by this actor. I didn't realize it until another infection the next day.
Shown above: CryptoWall 4.0 infection caused by the BizCN gate actor (Friday 2015-11-20 and after).
Whether it's version 3.0 or 4.0, CryptoWall sent by the BizCN gate actor is different than CryptoWall sent by other actors. This malware looks like an NSIS installer, and it leaves behind artifacts in the infected user's AppData\Local\Temp directory that I don
Shown above: CryptoWall 4.0 samples sent by BizCN gate actor Nuclear EK.
Shown above: Examples of the artifacts left behind by BizCN gate actor CryptoWall (3.0 and 4.0).
Although examples of CryptoWall 4.0 have been found since 2015-11-02, these samples were associated with malicious spam. Until now, I haven't noticed CryptoWall 4.0 from any EKs. And now I've only seen it from the BizCN gate actor.
As recently as Monday 2015-11-23, I saw CryptoWall sent by Angler EK, but it was still at version 3. Except for Nuclear EK from the BizCN gate actor, none of the other EKs appear to be sending version 4. At least, that's what I've found so far. I fully expect to see CryptoWall 4.0 from other EKs sometime soon.
Below is a list of traffic seen from the BizCN gate actor since Thursday 2015-11-19. It includes links for traffic and malware samples.
(Read: Date/time - Nuclear EK IP address - Nuclear EK domain name - Link)
Since this information is now public, the BizCN gate actor may change tactics. However, unless this actor initiates a drastic change, it can always be found again. I (and other security professionals) will continue to track the BizCN gate actor. Expect another diary on this subject if any significant changes occur.
In a move eerily similar to the Superfish debacle that visited Lenovo in February, Dell is shipping computers that come preinstalled with a digital certificate that makes it easy for attackers to cryptographically impersonate Google, Bank of America, and any other HTTPS-protected website.
The self-signed transport layer security credential, which was issued by an entity calling itself eDellRoot, was preinstalled as a root certificate on at least two Dell laptops, one an Inspiron 5000 series notebook and the other an XPS 15 model. Both are signed with the same private cryptographic key. That means anyone with moderate technical skills can extract the key and use it to sign fraudulent TLS certificates for any HTTPS-protected website on the Internet. Depending on the browser used, any Dell computer that ships with the root certificate described above will then accept the encrypted Web sessions with no warnings whatsoever. At least some Dell Inspiron desktops, and various Precision M4800 and Latitude models are also reported to be affected.
The crowdsourced discovery came over the weekend, as Dell customers shared technical details of the eDellRoot certificate installed on recently purchased computers. Joe Nord, a self-described programmer, showed the certificate as it appears in the Microsoft Management Console: