In association with heise online

16 January 2012, 12:55

US Department of Defense smartcards attacked


According to US security firm Alienvault, a trojan variant that has existed since March 2011 is stealing the PINs of smartcards used by the US Department of Defense. Smartcards are used for logging into computers or web sites as part of "two-factor authentication". The report says that the malware is installed when a PDF attachment is opened, and that the attackers exploit an unspecified zero-day hole in Adobe Reader. The vulnerability in question could be the flaw in the code for processing graphics in Universal 3D format that was disclosed in early December 2011.

Alienvault said that the trojan contains a keylogger that writes all keyboard input, together with the title of the active window, to a file in plain text. Apparently, it also extracts the contents of the user's clipboard. The security firm added that further malware modules can read the contents of the Windows certificate store, to which a smartcard's certificates are copied when the smartcard is inserted into a reader.

The researchers also found that the trojan contains code to load an ActivIdentity dynamic link library. According to Alienvault, ActivIdentity supplies this library together with smartcard readers to US authorities such as the Department of Defense and the Department of Homeland Security. However, since all of these "Omnikey" devices ship without a PIN pad of their own, their security level is low anyway: in such environments, the PIN for authenticating a smartcard must be entered on the computer keyboard, making it an easy target for keyloggers.

Alienvault says that while the smartcard is inserted in the reader, the trojan can secretly use the harvested PIN and certificates to log in as the legitimate user. The attacks are suspected to originate from servers in China; the security firm said that it had already identified the same origin when investigating a similar attack in December 2011.
