Wednesday, September 09, 2015

Some notes on satellite C&C

Wired and Ars Technica have some articles on malware using satellites for command-and-control, based on a paper by Kaspersky. The malware doesn't hook directly to the satellites, of course. Instead, it sends packets to an IP address of a known satellite user, like a random goat herder in the middle of the wilds of Iraq. Since the satellites beam down to earth using an unencrypted signal, anybody can eavesdrop on it. Thus, while malware sends packets to that satellite downlink in Iraq, it's actually a hacker in Germany who receives them.

This is actually fairly old hat. If you look hard enough, somewhere (I think Google Code), you'll find some code I wrote back around 2011 for extracting IP packets from MPEG-TS streams, for roughly this purpose.

My idea was to use something like masscan, where I do a scan of the Internet from a fast data center, but spoof that goat herder's IP address. Thus, everyone seeing the scan would complain about that IP address instead of mine. I would see all the responses by eavesdropping on that satellite connection.

This doesn't work in Europe and the United States. These markets use more expensive satellites which not only support encryption, but also narrow "spot beams" that focus on an area of a 100 mile radius.

Instead, they work well in the Middle East and Africa. These use older, cheaper satellites to provide slow Internet. The streams from these things are usually unencrypted. The NSA loves them, I'm sure.

The signal for these things bleeds over to Europe, and even the east coast of the United States. Thus, even though we aren't in the intended service area, we can often get their signal. I keep meaning to setup a satellite dish at home in order to do this -- there appear to be several satellites where this should be possible.

Almost anything can be used to receive the signal.

Several years ago, a program called "SkyGrabber" hit the news, using Windows and a USB tuner rather than the setup using Linux described in the Ars Technica article. SkyGrabber is designed for porn, both eavesdropping on porn satellite channels, but also extracting porn images and videos from TCP/IP streams on a satellite network. It made the news because, according to reports, somebody had actually gotten secret military live drone video by pointing their dish at the right satellite and choosing the right channel.

Another way you can do this is simply with an off-the-shelf SDR (software defined radio) like HackRF. The satellite signal is easy to decode into bits (like 16PSK) and 10b/8b. The stream of bits is then encoded as an MPEG-TS (transport stream) which will carry either video or TCP/IP packets. Therefore, you need some simple software to extract the packets from the stream (hence my project mentioned above). You still need a satellite dish and an LNB, though.

The easiest way, though, is simple use somebody else's satellite connection. A lot of these satellite boxes are themselves on the Internet with open web interfaces. You can find these boxes using masscan or Shodan. These boxes then have diagnostic features, such as tcpdump. Many different users are multiplexed onto the same channel. Using tcpdump receives all the packets on that channel, including those intended for another user. Thus, I can find a user in Tunisia and use them to eavesdrop on that goat herder in Iraq -- even though they are thousands of miles from each other, they are still on the same satellite channel.

The economics of satellites are pretty cool. Many are just "bent-pipes", receiving a signal from one place and beaming it at another. You just go to a satellite company, buy a channel, and setup your own equipment to send/receive anything you want over a range of about a third of the planet. There's a heck of a lot of Christian broadcast channels do that. Theres also a lot of military uses of this -- the satellite provider has no way of knowing what's in that signal. That's probably how that live drone feed was discovered -- some user was flipping through all the Christian broadcast channels looking for a porn feed, and accidentally came across live drone footage. Somebody (not me because I'm lazy) ought to do a survey of the sky using an SDR, cataloging all the mess coming from these satellites. Theres already some good resources dedicated to listing all the TV channels, but I'm thinking more needs to be done -- especially to find the obviously encrypted stuff.






2 comments:

Admin said...

Hope you don't mind me dropping this relevant link: https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/

_ryan

Jesse Krembs said...
This comment has been removed by the author.