Emotet beutet Outlook aus

Emotet ist seit mehreren Jahren eine bekannte Trojaner-Gruppe. Lag der Fokus zuvor auf Internetbanking, so hat sich Emotet heute zu einem modularen Downloader und Infostealer entwickelt. Erste Berichte der neusten Emotet-Version wurden von CERT Polska im April 2017 veröffentlicht. Bereits zur dieser Zeit wurde Emotet über per E-Mail versandte Links, die auf einen Dropper verweisen, verteilt.

Kürzlich warnte CERT-Bund erneut vor Spam-Emails, über die Emotet verbreitet wird. Auch bei diesen Mails scheint der Absender dem Empfänger bekannt zu sein – dies stärkt das Vetrauen in die E-Mail und erhöht die Wahrscheinlichkeit, dass der Empfänger eine genauere Überprüfung von Anhängen oder enthaltenen Links vernachlässigt.

Um solche Beziehungen zwischen Personen herstellen zu können, liefert Emotet auf bereits infizierten Systemen ein spezielles Modul aus, das alle E-Mails in den Outlook-Konten des aktuellen Benutzers analysiert und Relationen zwischen Sendern und Empfängern aufbaut.


Zur Extraktion der Informationen aus Outlook verwendet das Modul die standardisierte Schnittstelle MAPI (im Bild oben wird der Ladevorgang der MAPI-DLL und das Auflösen der vom Modul benötigten Funktionen dargestellt). Mit Hilfe dieser Schnittstelle iteriert das Modul über alle ihm zugänglichen Outlook-Profile des Computers. Aus jedem Profil werden aus allen vorhandenen E-Mail-Konten Name und E-Mail-Adresse extrahiert. Im Anschluss wird jeder Ordner des Profils rekursiv nach E-Mails durchsucht. Aus jeder gefundenen E-Mail werden der Absender (angezeigter Name und E-Mail-Adresse) sowie alle Empfänger (angezeigter Name und E-Mail-Adresse) inklusive der Empfänger in den CC- und BCC-Feldern extrahiert und in Relation zueinander gespeichert (im Bild unten sind die Felder zu sehen, welche aus den E-Mails extrahiert werden). Sollte in einem der extrahierten Felder ein Verweis auf das Adressbuch enthalten sein, wird aus dem entsprechenden Eintrag des Adressbuches Name und die E-Mail-Adresse der Person extrahiert. Allerdings werden nur die Header der E-Mail ausgewertet, der Inhalt wird nicht analysiert.


Nachdem alle Profile, Ordner und E-Mails durchsucht wurden, schreibt das Modul die gesammelten Daten in eine temporäre Datei im Verzeichnis %PROGRAMDATA%. Die E-Mail-Adressen werden zusätzlich noch nach der Häufigkeit ihres Vorkommens absteigend sortiert. Jede E-Mail wird um alle Kontakte erweitert, zu denen sie in Relation steht. Es werden dabei jedoch zwei Fälle unterschieden:

  • ist der referenzierte Kontakt der Absender einer E-Mail, werden alle Empfänger dem Kontakt zugeordnet
  • ist der referenzierte Kontakt ein Empfänger der E-Mail, wird nur der Absender dem Kontakt zugeordnet.

Beispiel (Postfach von A):
Mail 1: A sendet an B und C
Mail 2: D sendet an A
Mail 3: C sendet an A , D und E

A wird 3-mal referenziert und steht in der Liste ganz oben. A hat durch Mail 1 eine Verbindung zu B und C, diese werden also mit A verknüpft. Mail 2 zeigt eine Verbindung von D zu A, deshalb wird D ebenfalls mit A verknüpft. In Mail 3 ist eine Relation von C nach A vorhanden. Diese wird allerdings ignoriert, da sie bereits zu Beginn mit A→C erfasst wurde. In Mail 3 gibt es allerdings noch die Relationen C→D und C→E. Da weder die Relation C→D noch C→E in der Liste vorhanden sind, werden C die Kontakte D und E zugeordnet und ebenfalls in die Liste aufgenommen.

Die vollständige Liste, die dem Angreifer übermittelt wird, sieht nun wie folgt aus:
A<A@mail.com>; B<B@mail.com>; C<C@mail.net>; D<D@mail.com>
C<C@mail.net>; D<D@mail.com>; E<E@mail.com>

Anschließend wird die Datei verschlüsselt, an den Server der Angreifer übermittelt und von der Festplatte des Computers gelöscht.

Durch dieses Modul erhalten die Angreifer einen umfassenden Überblick, ob und in welcher Relation die Sender und Empfänger der Mails stehen. Unter Zuhilfenahme einer solchen Liste ist es für einen Angreifer mit keinem großen Aufwand verbunden, die Beziehungen von Personen zueinander zu erkennen und Spam-Mails mit passenden Absendern zu schicken. Zusätzlich gewinnt ein Angreifer Informationen über Relationen von Personen, deren Rechner nicht befallen sind.

Um die Spam E-Mails später an die passenden Adressaten verteilen zu können, benötigen die Angreifer E-Mail Accounts. Um dies zu erreichen, setzen sie ein zusätzliches Modul mit der Aufgabe, die Zugangsdaten aus E-Mail Programmen zu extrahieren und an die Angreifer zu übermitteln, ein. Das Modul greift dazu auf eine mitgeführte Kopie der Anwendung Mail PassView der Firma NirSoft zurück. Diese extrahiert die Zugangsdaten aus allen geläufigen E-Mail Programmen (Microsoft Outlook, Mozilla Thunderbird, Windows Mail, …) und schreibt diese ebenfalls in eine temporäre Datei. Diese Datei wird dann wieder verschlüsselt, an den Server der Angreifer übermittelt und anschließend gelöscht.

Security for Sale? – On Security Research Funding in Europe

On Wednesday, Feb. 22. 2017, a collective of 20 journalists from eleven countries published their recherches on the European security industry. The article, Security for Sale, published at The Correspondent, mostly seems to revolve around the question of how the funding several players in the field received from Horizon 2020 (H2020) and FP7 framework programmes are put to use for the European people. H2020 is the European Commission’s current funding initiative for research and innovation. Here is the commission’s own explanation.

Simplified, the authors of Security for Sale conclude that the benefit of funding security research for the Europe as a whole is limited, but that the funding works pretty well as hidden subsidies for the industry itself. Their wording is more lenient than mine, but nevertheless I feel that the picture the authors draw is incomplete and I’d like to add another perspective. I can only assume that the data for this article stems from the Secure Societies line of funding, as its core topics are emphasized in the article and some of the articles it links to refer to that – the article does regrettably not contain any straightforward references to its sources. And in my opinion, the Secure Societies line of funding does indeed sometimes yields research results that are scary to everyone who did not answer the question of ‘how do we want to live?’ with ‘I liked the setting depicted in Minority Report quite a bit, but it’s missing the effectiveness of Judge Dredd’.

The authors describe the landscape in the security sector roughly as 1) the big players, where kinetic and digital technology converge, 2) research organizations, 3) universities, and 4) small and medium enterprises (SMEs). Our sector, of Ze Great Cybers, primarily hides in 4) and to some extent increasingly in 1). The article does not explicitly touch the field of information security and neither do many calls in the Secure Societies context, however, most of the projects need to touch the digital domain at some point or other, making it clear that a division of information security and all the other potential flavors of security is merely artificial, given our current state of technology. As the authors observe, this is also reflected by the upcoming funding opportunities:

“similar programs are being set up for cybersecurity and military research”

The EU and some of it’s member states are late to the game and I’m aware that not everybody hacking at computers likes the notion that InfoSec and defense converge. I also dislike the idea and I somehow liked the Internet better when it was still a lot emptier, or as Halvar Flake once put it:

However, I came to enjoy civilization and as most people, I rely on the critical infrastructures that make our societies tick. I’ve been leading incident response assignments in hospitals more than once in the last year and as a human, who may suddenly require the services of a hospital at some point or another, I am very grateful for the effort and dedication my colleagues and the clients’ staff put into resolving the respective incidents. If this means I’m working in defense now, then I still dislike the notion, but I see that the work is necessary and also that we need to think more on the European scale when we want to protect the integrity of our societies. Packets only stop at borders of oppressive societies and that shouldn’t be us.

Now let’s have a look at where the EU’s security research funds go to, according to the article. The authors state

“Companies received by far the most money. That’s not particularly surprising; these same companies were the ones influencing funding policy.”

and illustrate it with the following figure:

Figure 1: Security research funding distribution. Illustration by The Correspondent.

In 2015, I was directly responsible for four H2020 grant applications and consulted on several other applications for nationally or regionally managed funding opportunities. Security in its various flavors is a tiny part of the picture. I’m happy to state that we had an above the average success rate. The illustration in the article struck me as familiar: to me, Figure 1 simply shows a typical distribution of funding within the majority of grant applications I’ve worked on. So it is hardly surprising that the global distribution of funding within technology sector of the programme looks very similar. There is nothing much sinister to that.

Larger corporations do have more opportunities to influence policy, as they can afford the time/resources to lobby. But the main reason for the distribution is salaries on the one hand and grant policy on the other. An engineer working at a large corporation will be more expensive by factor 1.2 to 2.3 than a PhD student, depending on country and the respective corporation. A factor of ~1.9, as in the figure, does not look unreasonable, given that the figure accounts for accumulated costs, not just personnel and that it is more likely that a corporation or a research institute will take the effort of building a demonstrator or pilot installations of a technology, as universities regrettably tend to lack monetization strategies for research results.

Government entities, as the next in line, tend to have very limited personnel resources for research projects and do not have a lot of wiggle room when in comes to contributions.  With a funding scope that aims at technological advances, funding for advisories is often politically limited, and rightly so. As the figures are very much aggregated, I can only assume that the complete sum also contains Coordination and Support Actions (CSAs), which are rather limited funding schemes, financially speaking, that aim at connecting related projects and generally at the systematization of knowledge to avoid arriving at one insight at twice of thrice the funding. This work is sometimes done by entities that could classify as advisories. ‘Other’ can be translated to network and dissemination partners, or dedicated project management (which makes a lot of sense, H2020 projects can be large in terms of the number of partners).

Now let’s not talk militarizing corporations enriching themselves, as the article’s authors suggest, let’s talk research funding effectiveness. I my conversations with the granting side of research funding, it is a constant pain that there is a significant amount of research projects being funded that do not amount to a product. I have seen quite a few projects where I would judge without hesitation that the project was a WoMBaT (i.e., Waste of Money, Brains, and Time) and did primarily serve to compensate for the lack of public funding towards universities.

But that is only a small part of the picture. Another part is that there is a very expensive zone between ‘things you can publish’ and ‘things you can actually use’. Simplifying, technological progress has a tendency to increase complexity. To specify their expectations regarding the results of a funding measure, the European Commission adopted NASA’s Technology Readiness Levels (TRL). In the rather broad field of engineering, we often see the requirement for a validation under lab conditions (TRL 4), to the extent of a working prototype under field conditions (TRL 7), depending on the class of funding action. The funding of a given project often ends at that point.

Using my terminology from above, in the best case you then have something you can publish and/or show off, i.e., an interesting approach that has been shown to be feasible. Between that and monetization are the roughly two to seven years you’ll often need in engineering to go from a prototype to a product. And strictly speaking, research funding ends here, because research ends here. There are almost no publicly funded actions that will allow you to go towards product development, although piloting of a technology in the field can be funded (TRL 9). Nevertheless, either a company is now able to fund the continued development towards a product, or not. This is still a limited view, as I don’t need a new product to monetize research results. It is just as desirable to to improve an existing set of products and services, based on new research results. It is, however, by far not as visible.

Now why more so much funding for the big players? Research grants tends to have a bias towards those applicants, who were able to successfully complete a project, presented impressively in the past and are generally held in good standing. Sounds familiar? Yep,sounds like selecting talks for Black Hat or any other non-academic security conference, where the process is single-blind and the committee needs to judge based only on an abstract, not a full paper with a proper evaluation section and extensive related work. If the data is relatively poor, judgment needs to rely on the applicants reputation and previous work to some extend. And in comparison to a well-backed research paper, grant applications are in their nature always speculative, although very much more detailed than the abstract of a conference submission. If one knew how something was done in the first place, there’d be no need to call it research and there’d be no reason for a grant. The important point is not to fail, if one wants to continue receiving grants (cf. bias, above).

And that still does not fully account for the observation that big players are doing very well in grant applications. A H2020 application is a lot of work, it’s often a hundred pages just for sections 1 to 3, which can easily amount to 100 person days for the coordinator until everything is properly polished. The acceptance rate for Research and Innovation Actions can be as low as 6%. Academic Tier-1 conferences are relaxed in comparison. A small company may simply be unable to compete, economically, i.e., it cannot accept the realistic risk of putting a lot of effort into naught. It’s not as hard in other types of actions, but the risk is still significant and acceptance rates have been getting worse, not better.

“Our investigation reveals that EU security policy emphasizes technology: a high-tech solution is being sought for a societal problem.”

From an outside position I feel that I’m unable to judge the intention and the mindset of the various individuals responsible for the actual wording of the H2020 calls. The persons from this context I’ve met in the past did, however, not leave an impression of exceptional naivety. I genuinely believe that it is in the best interest of European countries and the EU to fund security research, without denying that there may be recipients of funds with a questionable ethical standard. As Europeans, we need to address these issues. I do not want to live in a militarized society and I don’t believe in solving societal problems purely through technology. However, I see a significant amount of opportunities, where usable, efficient technology can enable solutions for societal problems. Given my socialization, I may have a bias towards the security spectrum of research, but that said, I see quite a few things that can and should be done to positively impact the security of our societies. In a changing political climate, Europe needs to step up its security game, also and especially in the digital domain.

And now excuse me, I need to continue that research grant proposal. I’m not doing that for kicks and neither in pure self-interest.