Tuesday 5 March 2013

Do we have a non-disclosure agreement with Belgium Defense?

"He who plays with the devil could burn his fingers."

Lots of people know the application "HijackThis". Whenever you get stuck with your PC for some reason, some tech person on a forum will ask you to post a HijackThis report. Nothing wrong with that at first sight.

But these diagnostic tools grab a lot of information (the excerpt below is actually in the format of OTL, a similar and even more verbose tool). Among other things they dump your IE settings, and thus your proxy server definitions and the list of internal hosts that bypass the proxy:

IE - HKU\S-1-5-21-1935655697-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1935655697-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;*.mil.intra;portal.mil.be;dghr.mil.*;http://intranet;http://10.999.0.999;intranet.mil.intra
IE - HKU\S-1-5-21-1935655697-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxyREMOVED:REMOVED

The example above was found on a Dutch computer forum, in a thread about the ecops virus. This is information that should be covered by a non-disclosure agreement, because the proxy bypass list is a small piece of network-design information: it names internal domains and hosts. And that agreement was never signed between "Belgian Defense" and "The Internet".
From the same export I can also tell that Belgian Defense runs Dell machines with the following details:
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000813 | Country: België | Language: NLB | Date Format: d/MM/yyyy

1,99 Gb Total Physical Memory | 1,24 Gb Available Physical Memory | 62,09% Memory free
3,33 Gb Paging File | 2,69 Gb Available in Paging File | 80,71% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 21,68 Gb Total Space | 0,04 Gb Free Space | 0,18% Space Free | Partition Type: NTFS
Drive D: | 50,00 Gb Total Space | 0,16 Gb Free Space | 0,33% Space Free | Partition Type: NTFS
Drive G: | 15,62 Gb Total Space | 3,49 Gb Free Space | 22,32% Space Free | Partition Type: FAT32
Drive H: | 465,76 Gb Total Space | 224,79 Gb Free Space | 48,26% Space Free | Partition Type: NTFS

Computer Name: LAPTOP-XXXXXX | User Name: XXXXXX | Logged in as Administrator.
The following items are installed: F-Secure, Java 6 runtime, Windows Defender, Azureus VUZE remote, Adobe Reader 9, Free YouTube to MP3 Converter, ICQ lite, ... And this poor guy, Patrick, likes to read "De Standaard", as that is set as his homepage in IE8.

I suppose any attacker would benefit from such information when building a custom piece of malware: the exact Windows and IE build, the AV product in use and the outdated Java 6 and Adobe Reader 9 installs tell him what to target, and the proxy bypass list tells him which internal hostnames look trustworthy. When he then pretends to be the helping hand of this "soldier in need" on the forum, it is easy social engineering to hand over the malware and get it triggered inside the military network, by a user who is logged in as Administrator. Think about the MiniDuke or the APT1 report.

So if they are so free to hand all this information to the public, I'm not surprised that they got infected with the ecops virus.
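The obvious countermeasure is to scrub such a log before posting it. The script below is an added example written for this post, not a tool from the original page or from the HijackThis/OTL authors: it flags and redacts the fields discussed above (the account SID, the proxy server, the internal names in the proxy bypass list, private IP addresses, and the computer and user name). The regexes assume the line layout seen in the excerpt, and the sample log is constructed, with invented hostnames, proxy and account names.

```python
"""Scrub a HijackThis/OTL-style diagnostic log before posting it publicly.

Added example for this post, not code from the original page or from the
HijackThis/OTL authors. The patterns assume the line layouts seen in the
excerpt above; the sample log at the bottom is constructed.
"""
import re

# Account SIDs (S-1-5-21-<domain or machine>-<rid>) under HKU identify the
# domain or machine the account belongs to.
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")

# IE proxy registry values: the proxy host:port and the bypass list of
# internal hostnames, which together leak a slice of the network design.
PROXY_VALUE_RE = re.compile(r'("Proxy(?:Server|Override)"\s*=\s*)(.+)$')

# RFC 1918 addresses only make sense inside the organisation's network.
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)

# The "Computer Name: X | User Name: Y | ..." line.
NAME_FIELD_RE = re.compile(r"(Computer Name:|User Name:)\s*([^|]+)")

# Bypass entries that are generic and safe to leave in place.
HARMLESS_BYPASS = {"localhost", "<local>", "127.0.0.1"}


def classify(line: str) -> set:
    """Return the categories of sensitive data found on one log line."""
    found = set()
    if SID_RE.search(line):
        found.add("sid")
    if PROXY_VALUE_RE.search(line):
        found.add("proxy")
    if PRIVATE_IP_RE.search(line):
        found.add("private-ip")
    if NAME_FIELD_RE.search(line):
        found.add("identity")
    return found


def _scrub_proxy(match: "re.Match") -> str:
    key, value = match.group(1), match.group(2)
    if "ProxyOverride" in key:
        # Keep the generic bypass tokens, replace every internal name or URL.
        entries = [e.strip() for e in value.split(";")]
        return key + ";".join(
            e if e.lower() in HARMLESS_BYPASS else "[internal-host]" for e in entries
        )
    return key + "[proxy]"


def redact_line(line: str) -> str:
    """Replace the sensitive fields on one line with fixed placeholders."""
    line = SID_RE.sub("S-1-5-21-[SID]", line)
    line = PROXY_VALUE_RE.sub(_scrub_proxy, line)
    line = PRIVATE_IP_RE.sub("[private-ip]", line)
    line = NAME_FIELD_RE.sub(lambda m: f"{m.group(1)} [REDACTED] ", line)
    return line


def redact_log(text: str) -> str:
    return "\n".join(redact_line(l) for l in text.splitlines())


def leak_report(text: str) -> dict:
    """Count how many lines carry each category: a sanity check before posting."""
    counts = {}
    for line in text.splitlines():
        for cat in classify(line):
            counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed sample, modelled on the excerpt in the post (names invented).
SAMPLE_LOG_LINES = [
    r'IE - HKU\S-1-5-21-1935655697-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0',
    r'IE - HKU\S-1-5-21-1935655697-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;*.mil.intra;portal.mil.be;http://intranet;http://10.0.0.1;<local>',
    r'IE - HKU\S-1-5-21-1935655697-343818398-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.example.intra:8080',
    "Computer Name: LAPTOP-ABC123 | User Name: patrick | Logged in as Administrator.",
    "Drive C: | 21,68 Gb Total Space | 0,04 Gb Free Space | 0,18% Space Free | Partition Type: NTFS",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)

if __name__ == "__main__":
    print(leak_report(SAMPLE_LOG))
    print(redact_log(SAMPLE_LOG))
```

Run `leak_report` first: if it reports anything in the "proxy" or "identity" categories, the log is not ready to be pasted into a public thread. The placeholders are deliberately fixed strings rather than hashes, so the helper on the forum still sees the structure of the log without learning anything about the network behind it.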

And maybe also a nice side note. Keep in mind that copyright organisations like BRAIN or BAF might also be reading this information, and will find it interesting when someone has torrent software (Azureus) or a YouTube-to-MP3 converter on their machine.