Password Hygiene: Hiding Your Identity is Difficult for Attackers and Adulterers

Let’s say you’re an individual who wants to start engaging in naughty behavior online but the Ashley Madison dump has made you skittish. Engaging in bad behavior (and for that matter crime) is pretty easy in the grand scheme of things. Getting away with that behavior is actually pretty hard. To get away with it, you have to get everything correct in a way that can’t be mapped back to you, and even seasoned cybercriminals get this wrong from time to time.

The key is making sure no attributes of what you are doing can be mapped to your actual persona. Josh Duggar was caught using Ashley Madison (as were others) because they used their real names and addresses. This is not a difficult problem to get around if you use gift cards to purchase subscriptions as many people did. It also creates the possibility of using another name altogether.

Additionally, you’d want a separate email that you’d ideally never access with your known and core devices. This is the operational security principle known as compartmentalization. One can see how it gets inconvenient really quickly, and failures here have led to investigators catching even experienced online criminals.

However, there are other interesting ways to correlate individuals to their actual personas. Recently, 11 million passwords have been decrypted in the Ashley Madison database dump. The usual password advice is to create long and strong passwords. The problem with this is that unless you have an uncanny memory or are using a password manager (which would be a problem for those engaging in bad behavior), the tendency is towards password reuse, even of complex passwords.

Assuming one had access to multiple password dumps, one could start correlating complex passwords between them to start mapping identities together. This was one of the points made by the UK Government in making its case against overuse of complex passwords. While it may be interpreted as self-serving, people with many complex passwords either reuse them across domains or have a password manager that can be compromised, neither of which is ideal.

Now, this blog isn’t really about how to cheat on your spouse safely but about a useful technique that can also be used to correlate and hopefully attribute malware campaigns.

Many malware campaigns use the same tools, which all have built-in configuration items that are either randomized or are free-form text fields created by the actor. Many of these fields can be used to correlate malware binaries to a specific likely actor. For example, one could use the password entered in malware to authenticate it to its controller.

Looking in our database of indicators, we found one such password of “@client$321$” which mapped to 7 different binaries all using PoisonIvy. In each case, the hostnames were mostly distinct between samples as were other fields such as “campaign ID”.

What all these binaries had in common was a distinctive password from a free-form text field, one that is unlikely to have been used by another actor. This allows the researcher to map between all 10 hostnames used by 7 samples to correlate other activity and map backwards.
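The correlation described above can be sketched as follows. This is an added example, not code from the original post or from any tool it mentions: the record layout, sample names, `.example` hostnames and the list of default values are constructed assumptions, and only the password string comes from the post.

```python
from collections import defaultdict

# Constructed records standing in for parsed RAT configurations. Sample names
# and hostnames are placeholders; only the password string is from the post.
SAMPLES = [
    {"sample": "sample-01", "password": "@client$321$", "campaign_id": "alpha_win7",
     "hosts": ["alpha.c2.example", "alpha2.c2.example"]},
    {"sample": "sample-02", "password": "@client$321$", "campaign_id": "beta_xp",
     "hosts": ["beta.c2.example"]},
    {"sample": "sample-03", "password": "@client$321$", "campaign_id": "gamma_test",
     "hosts": ["gamma.c2.example", "beta.c2.example"]},
    {"sample": "sample-04", "password": "admin", "campaign_id": "x1",
     "hosts": ["other.example"]},
    {"sample": "sample-05", "password": "admin", "campaign_id": "y1",
     "hosts": ["another.example"]},
    {"sample": "sample-06", "password": "Zx9!unrelated", "campaign_id": "delta",
     "hosts": ["alpha.c2.example"]},
]

# Assumption: values a builder ships by default say nothing about the operator.
DEFAULT_VALUES = {"", "admin", "password"}

def cluster_by_field(samples, field, defaults=DEFAULT_VALUES, min_samples=2):
    """Group samples that share a non-default value in a free-form config field."""
    groups = defaultdict(list)
    for s in samples:
        value = s.get(field)
        if value is not None and value.lower() not in defaults:
            groups[value].append(s)
    return {
        value: {
            "samples": sorted(m["sample"] for m in members),
            "hosts": sorted({h for m in members for h in m["hosts"]}),
            "campaign_ids": sorted({m["campaign_id"] for m in members}),
        }
        for value, members in groups.items() if len(members) >= min_samples
    }

def related_by_host(samples, cluster):
    """Second hop: samples outside the cluster that reuse one of its hostnames."""
    known, hosts = set(cluster["samples"]), set(cluster["hosts"])
    return sorted(s["sample"] for s in samples
                  if s["sample"] not in known and hosts & set(s["hosts"]))

if __name__ == "__main__":
    for value, c in cluster_by_field(SAMPLES, "password").items():
        print(value, c["samples"], c["hosts"], c["campaign_ids"])
        print("also touching these hosts:", related_by_host(SAMPLES, c))
```

The two samples that share only the default `admin` password are deliberately not clustered, while the sample with an unrelated password is still surfaced by the hostname pivot.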

This is the reason why bulk analysis and storage of a broad set of indicators is useful. Human beings, including criminals, are prone to re-use information from time to time, especially when it comes to security, which allows for correlation.

That being said, keep using strong passwords; just make them unique to avoid such correlation.

The details are below. All the domains have either been blown away or are currently being sinkholed as of September 15, 2015.

Password:

@client$321$

Campaign IDs:

Connektme~8.1.5353.17671 – WIN_7

Connektme~8.1.5353.17671 – WIN_XP

Easyconnect~8.1.5353.17671_2 – WIN_7

Gserverhost~8.1.5353.17671 – WIN_XP

Hellointra~8.1.5353.17671 – WIN_7

MetaTrader_test

-John Bambenek
