Threat Intelligence Blog

By Robert Simmons

Late Wednesday night (and as has now been reported by Brian Krebs and others), Cyveillance analysts noticed that the TrueCrypt website had been replaced with a redirect to a new page hosted on SourceForge, a major open source project hosting site. The page now recommends that people stop using TrueCrypt, a popular disk encryption program, and switch to BitLocker from Microsoft instead. The page also offers a new binary with an incremented version number, "7.2" versus the old "7.1a," which it says should be used only to migrate data away from TrueCrypt.

At this time it’s not clear whether the site has been hijacked and the new binary is just a Trojan, or if the anonymous developers behind TrueCrypt just decided to shutter it.

There are a number of ideas being circulated about what’s going on, with some early theories being discussed on Russian sites (Google Translate may come in handy if you’re not a Russian speaker). An in-depth discussion of all the current theories can be found on ycombinator.com.

For a bit of context, TrueCrypt, like Bitcoin, is one of those odd pieces of software that is made by completely anonymous individuals. This, coupled with the fact that there had never been a full security audit of the TrueCrypt source code and that lots of people were using it to protect very sensitive information, led to a project last October to do a full audit. Interestingly, the project leaders were able to make contact with the TrueCrypt developers and essentially got their blessing, along with some caveats about what TrueCrypt was meant to do (or not). The project page, which was a crowd-funded effort on Indiegogo and Fundfill, can be found here. Last month, iSEC Partners completed the first phase of the audit. The vulnerabilities described in the report were important, but according to the audit, they could not be reliably exploited. Additionally, the audit did not uncover any backdoors. Up until today, it was believed that once the report came out, the TrueCrypt developers would work to fix the problems and release a new version. However, this does not seem to be the case.

The comments section on VirusTotal for the new version's binary is also interesting, as is the +/- voting, which is being hit hard by lots of anonymous -1 votes. The binary itself is cryptographically signed by TrueCrypt Foundation, whose certificate is in turn signed and verified by the GlobalSign, Symantec, and Thawte certificate authorities. If this is malware, it would indicate that the authors' private code-signing keys have been compromised in addition to the website. Warewolf, a security researcher with Nova Labs in Reston, posted a source code comparison between the new version and the previous version. This comparison can be found here.

Cyveillance conducted its own research and found that the newly compiled binary contains strings that use the same language as the new TrueCrypt website:

<control lang="en" key="IDT_INSECURE_APP">WARNING: Using TrueCrypt is not secure</control>
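
The kind of string check described above, as an added example (this is not Cyveillance's tooling): it pulls printable ASCII and UTF-16LE runs out of a byte blob the way strings-style triage does, then reports which runs contain the website's warning phrase. Windows binaries frequently store resource text as UTF-16LE, which a plain ASCII scan would miss. The blob below is constructed here as a stand-in for the binary; scanning the real file requires passing its path on the command line.

```python
import re
import sys

WARNING = "WARNING: Using TrueCrypt is not secure"

# Constructed sample, NOT the real 7.2 binary: a few filler bytes, the
# warning once inside its language-file XML (ASCII) and once as UTF-16LE.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\xff" * 7
    + b'<control lang="en" key="IDT_INSECURE_APP">'
    + WARNING.encode("ascii") + b"</control>"
    + b"\x00" * 5
    + WARNING.encode("utf-16-le")
    + b"\x13\x37" * 4
)


def extract_strings(data: bytes, min_len: int = 6):
    """Return (encoding, text) tuples for printable ASCII and UTF-16LE runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE printable text is "char, NUL" pairs; require min_len pairs.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf-16-le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return found


def find_phrases(data: bytes, phrases):
    """Map each phrase to the (encoding, containing string) hits, case-insensitively."""
    hits = {p: [] for p in phrases}
    for enc, text in extract_strings(data):
        for p in phrases:
            if p.lower() in text.lower():
                hits[p].append((enc, text))
    return hits


if __name__ == "__main__":
    # Scan a file given on the command line, otherwise the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for phrase, matches in find_phrases(blob, [WARNING]).items():
        print(f"{phrase!r}: {len(matches)} hit(s)")
        for enc, text in matches:
            print(f"  [{enc}] {text}")
```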

Despite this, our recommendation is to stay away from the new version of TrueCrypt, and to wait until the full audit of the 7.1a code is complete to make a final decision about that version.
