Posts Tagged Kaspersky Lab
A Weapon We Can’t Control
By MISHA GLENNY
Published: June 24, 2012
THE decision by the United States and Israel to develop and then deploy the Stuxnet computer worm against an Iranian nuclear facility late in George W. Bush’s presidency marked a significant and dangerous turning point in the gradual militarization of the Internet. Washington has begun to cross the Rubicon. If it continues, contemporary warfare will change fundamentally as we move into hazardous and uncharted territory.
It is one thing to write viruses and lock them away safely for future use should circumstances dictate it. It is quite another to deploy them in peacetime. Stuxnet has effectively fired the starting gun in a new arms race that is very likely to lead to the spread of similar and still more powerful offensive cyberweaponry across the Internet. Unlike nuclear or chemical weapons, however, countries are developing cyberweapons outside any regulatory framework.
There is no international treaty or agreement restricting the use of cyberweapons, which can do anything from controlling an individual laptop to disrupting an entire country’s critical telecommunications or banking infrastructure. It is in the United States’ interest to push for one before the monster it has unleashed comes home to roost.
Stuxnet was originally deployed with the specific aim of infecting the Natanz uranium enrichment facility in Iran. This required sneaking a memory stick into the plant to introduce the virus to its private and secure “offline” network. But despite Natanz’s isolation, Stuxnet somehow escaped into the cyberwild, eventually affecting hundreds of thousands of systems worldwide.
This is one of the frightening dangers of an uncontrolled arms race in cyberspace; once released, virus developers generally lose control of their inventions, which will inevitably seek out and attack the networks of innocent parties. Moreover, all countries that possess an offensive cyber capability will be tempted to use it now that the first shot has been fired.
Until recent revelations by The New York Times’s David E. Sanger, there was no definitive proof that America was behind Stuxnet. Now computer security experts have found a clear link between its creators and a newly discovered virus called Flame, which transforms infected computers into multipurpose espionage tools and has infected machines across the Middle East.
The United States has long been a commendable leader in combating the spread of malicious computer code, known as malware, that pranksters, criminals, intelligence services and terrorist organizations have been using to further their own ends. But by introducing such pernicious viruses as Stuxnet and Flame, America has severely undermined its moral and political credibility.
Flame circulated on the Web for at least four years and evaded detection by the big antivirus operators like McAfee, Symantec, Kaspersky Labs and F-Secure — companies that are vital to ensuring that law-abiding consumers can go about their business on the Web unmolested by the army of malware writers, who release nasty computer code onto the Internet to steal our money, data, intellectual property or identities. But senior industry figures have now expressed deep worries about the state-sponsored release of the most potent malware ever seen.
During the cold war, countries’ chief assets were missiles with nuclear warheads. Generally their number and location was common knowledge, as was the damage they could inflict and how long it would take them to inflict it.
Advanced cyberwar is different: a country’s assets lie as much in the weaknesses of enemy computer defenses as in the power of the weapons it possesses. So in order to assess one’s own capability, there is a strong temptation to penetrate the enemy’s systems before a conflict erupts. It is no good trying to hit them once hostilities have broken out; they will be prepared and there’s a risk that they already will have infected your systems. Once the logic of cyberwarfare takes hold, it is worryingly pre-emptive and can lead to the uncontrolled spread of malware.
Until now, America has been reluctant to discuss regulation of the Internet with Russia and China. Washington believes any moves toward a treaty might undermine its presumed superiority in the field of cyberweaponry and robotics. And it fears that Moscow and Beijing would exploit a global regulation of military activity on the Web, in order to justify and further strengthen the powerful tools they already use to restrict their citizens’ freedom on the Net. The United States must now consider entering into discussions, anathema though they may be, with the world’s major powers about the rules governing the Internet as a military domain.
Any agreement should regulate only military uses of the Internet and should specifically avoid any clauses that might affect private or commercial use of the Web. Nobody can halt the worldwide rush to create cyberweapons, but a treaty could prevent their deployment in peacetime and allow for a collective response to countries or organizations that violate it.
Technical superiority is not written in stone, and the United States is arguably more dependent on networked computer systems than any other country in the world. Washington must halt the spiral toward an arms race, which, in the long term, it is not guaranteed to win.
- Op-Ed Contributor: Stuxnet Will Come Back to Haunt Us (nytimes.com)
- Stuxnet cyberattack by US a ‘destabilizing and dangerous’ course of action, security expert Bruce Schneier says (mbcalyn.com)
- Stuxnet Cyberweapon Operation Comes to Halt (bigthink.com)
- Stuxnet cyberweapon set to stop operating (csmonitor.com)
- U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say – The Washington Post (mbcalyn.com)
- Confirmed: US and Israel created Stuxnet, lost control of it (arstechnica.com)
- Flame pieces found in Stuxnet virus, expert says (mercurynews.com)
- Cybersleuths see link between Flame, Stuxnet virus (cbsnews.com)
- Flame Steals Data Even When Computers Are Not Connected to the Internet (blacklistednews.com)
- Confirmed: US and Israel created Stuxnet, lost control of it (weeklyintercept.blogspot.com)
Flame Malware Hijacks Windows Update Mechanism
By Brian Prince on June 05, 2012
New details have emerged showing that the Flame malware abused Microsoft’s Windows Update mechanism to infect computers.
According to new information revealed by researchers, three modules of theFlame malware – named Snack, Gadget and Munch – are used to launch what is essentially a man-in-the-middle attack against other computers on a network.
“When a machine tries to connect to Microsoft’s Windows Update, it redirects the connection through an infected machine and it sends a fake, malicious Windows Update to the client,” blogged Alexander Gostev, head of the Global Research and Analysis team at Kaspersky Lab.
“When a victim updates itself via Windows Update, the query is intercepted and the fake update is pushed,” he explained. “The fake update proceeds to download the main body and infect the computer.”
According to Symantec’s Security Response team, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution allows computers to find each other on a local network via peer-to-peer, opening up an avenue for spoofing.
“When clients attempt to resolve a computer name on the network, and in particular make WPAD (Web Proxy Auto-Discovery Protocol) requests, Flamer will claim it is the WPAD server and provide a rogue WPAD configuration file (wpad.dat),” Symantec noted. “NetBIOS WPAD hijacking is a well-known technique and many publicly available hack tools have implemented the technique.”
“Once a computer that has not yet been compromised receives the rogue wpad.dat file, it will set its proxy server to the Flamer-compromised computer,” the firm noted. “All its web traffic will now be redirected to the Flamer compromised computer first.”
The Munch component is a Web server within Flamer and receives the redirected traffic and checks for a variety of queries, including matching URLs for Windows Update.
“Hijacking Windows Update is not trivial because updates must be signed by Microsoft,” Symantec’s team added. “However, Flamer bypasses this restriction by using a certificate that chains to the Microsoft Root Authority and improperly allows code signing. So when a Windows Update request is received, the GADGET module through MUNCH provides a binary signed by a certificate that appears to belong to Microsoft.”
The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how.
“The Flame malware used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft,” blogged Mike Reavey, senior director of Microsoft Security Response Center. “However, code-signing without performing a collision is also possible. This is an avenue for compromise that may be used by additional attackers on customers not originally the focus of the Flame malware. In all cases, Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack.”
“To increase protection for customers, the next action of our mitigation strategy is to further harden Windows Update as a defense-in-depth precaution,” he added. “We will begin this update following broad adoption of Security Advisory 2718704 in order not to interfere with that update’s worldwide deployment.”
- ‘Gadget’ in the middle: Flame malware spreading vector identified (securelist.com)
- Windows Security Emergency Patch to fix Flame loophole (ghacks.net)
- ‘Flame’ Malware Prompts Microsoft Patch (krebsonsecurity.com)
- Microsoft Update and The Nightmare Scenario (f-secure.com)
- How to Stop Windows Update from Automatically Restarting Your Computer (todayifoundout.com)
- Windows XP in update loop (h-online.com)
- Leaked Adobe memo reveals reasons behind Windows 8 Flash, upgrades delivered through Windows Update (theverge.com)
- Analysis of the Flame, Flamer, sKyWIper Malware (technicalinfodotnet.blogspot.com)
- The Roof Is on Fire: Tackling Flame’s C&C Servers (securelist.com)
- Flame Malware Has Evaded AV for 5 to 8 Years (lumension.com)
Iran acknowledges that Flame virus has infected computers nationwide
Iranian officials have acknowledged that a sophisticated virus has infected computers across the country and, echoing the conclusions of security researchers, suggested that the malicious code is related to the virus that damaged centrifuges in an Iranian nuclear facility two years ago.
In a statement, Iran’s National Computer Emergency Response Team said that “investigations during the last few months” had resulted in the detection of the virus, which has been dubbed Flame and is capable of stealing data from infected computers.
“It seems there is a close relation to the Stuxnet and Duqu targeted attacks,” the statement said, referring to two other viruses. Stuxnet damaged hundreds of centrifuges at the Natanz nuclear plant. Duqu, like Flame, was apparently built for espionage but shared characteristics with Stuxnet.
The Iranians also said they had developed tools to detect and remove Flame from infected computers.
Iran has in the past blamed Israel and the United States for creating Stuxnet, but there has been no proof of authorship.
Although Israeli officials have generally not commented on Iranian accusations that their country was behind that virus, a deputy to Prime Minister Benjamin Netanyahu on Tuesday appeared to hint at Israel’s possible involvement in manufacturing Flame.
Speaking on Israel’s Army Radio, Moshe Yaalon, the vice prime minister and minister for strategic affairs, said the virus was “apparently” state sponsored.
“Whoever sees the Iranian threat as a significant threat — and it’s not only Israel, it’s the whole Western world, led by the United States — it’s certainly reasonable that he uses all means at his disposal, including these, to harm the Iranian nuclear system,” Yaalon said.
He added, “Israel is blessed with being a country rich in high-tech, and from that perspective, these achievements we take pride in, both in the civilian sector and defense sector, open up very many opportunities.”
White House spokesman Jay Carney declined to comment, as did a spokesman for the CIA; officials at the Defense Department referred questions to the Department of Homeland Security. A spokesman for the DHS said the department has been made aware of the malware and is working with other U.S. agencies to analyze its potential impact on the United States.
Security researchers say Flame is capable to logging keyboard strokes, activating microphones to record conversations and taking screen shots.
Experts have cautioned that it is far too early to draw conclusions about who might have created the virus and why. “There’s a lot of guessing going on out there, and I don’t think a lot of it is based on facts,” said Jody Westby, chief executive of Global Cyber Risk, a consulting firm.
Iran was among several countries that about a week ago reported the infection to a U.N. agency responsible for communications technology, the International Telecommunication Union, said Mohd Amin, head of the ITU’s global cyber-center, which analyzes and shares data on cyber-threats.
The ITU asked the Russian-based Kaspersky Lab, which provides software to clients around the world, to investigate. Kaspersky checked its database and found samples of the virus in countries across the Middle East. Iran had the highest number of infections, followed by Israel and the Palestinian territories, then Sudan, Syria and Lebanon, according to the firm, whose database is limited to infections reported by its clients.
Kaspersky also has detected a few infections in Europe and the United States, but it is unclear whether those reflect people in the Middle East accessing the Internet through U.S. and European servers to circumvent Web filters, said Kaspersky Lab senior researcher Roel Schouwenberg.
- Virus Infects Computers Across Middle East – NYTimes.com (mbcalyn.com)
- Iran acknowledges that Flame virus has infected computers nationwide – Washington Post (washingtonpost.com)
- Computer virus briefly hits Iran’s oil industry (miamiherald.com)
- Iran Confirms Attack by New Virus (nytimes.com)
- Flame computer virus is more sophisticated than Stuxnet (theweek.co.uk)
- Son of Stuxnet: Sophisticated ‘Flame’ virus infected thousands of Mideast computers (news.nationalpost.com)
- Iran admits ‘Flame’ virus caused substantial damage (thehindu.com)
- Computer virus briefly hits Iran’s oil industry (usatoday.com)
- Bits Blog: Virus Infects Computers Across Middle East (bits.blogs.nytimes.com)
- Stuxnet x20: Massive cyber spy virus ‘Flame’ hits Iran, Israel (rt.com)
Virus Infects Computers Across Middle East
| May 28, 2012, 3:10 PM
9:09 p.m. | Updated A complex computer virus has been pilfering confidential information from computers in the Middle East for at least two years, according to a security report released on Monday.
The virus, called Flame, has been infecting computers in Iran, Israel, Lebanon, Sudan, Syria, Saudi Arabia and Egypt. It has been grabbing images of users’ computer screens, recording their instant messaging chats, remotely turning on their microphones to record their audio conversations and monitoring their keystrokes and network traffic, according to a report by Kaspersky Labs, a Moscow-based security research firm.
If the report’s findings prove to be true, Flame would be the third major Internet weapon to have been discovered since 2010. The first, named Stuxnet, was intended to attack software in specialized industrial equipment, and was used to destroy centrifuges in an Iranian nuclear facility in 2010. The second virus, called Duqu, like Flame, performed reconnaissance. Security researchers believe Duqu was created by the same group of programmers behind Stuxnet.
The researchers said Flame appeared to have been developed by a different group of programmers. It contains 20 times more code than Stuxnet and is much more widespread than Duqu. Researchers believe Duqu hit fewer than 50 targets worldwide. Kaspersky’s researchers said they had detected Flame on thousands of computers belonging to individuals, private companies and universities across the Middle East.
“Flame can easily be described as one of the most complex threats ever discovered,” Alexander Gostev, the head of Kaspersky’s Global Research and Analysis team, wrote in a blog post on Monday. “It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.”
Researchers say they do not know who is behind the virus, but given its complexity and the geography of its targets, they said it was most likely being staged by a government. The authors of Stuxnet and Duqu are also unknown but their targets and digital evidence suggest to some researchers that they may have been part of a joint American-Israeli project to sabotage Iran’s nuclear program.
Kaspersky’s researchers said the majority of computers infected with Flame were located in Iran. Like Duqu and Stuxnet, Flame infects machines through a known security hole in the Windows operating software.
Researchers discovered Flame while investigating reports that another computer virus, called Wiper, had been erasing computer programs in Iran. The International Telecommunications Union, a United Nations agency, had asked Kaspersky’s researchers to look into Wiper when they discovered that thousands more computers had been infected with Flame.
- Ya’alon hints Israel might be behind “Flame” malware (ifaynsh.wordpress.com)
- Flame computer virus is more sophisticated than Stuxnet (theweek.co.uk)
- New ‘cyberwarfare’ virus found in Middle East: researchers (talesfromthelou.wordpress.com)
- Cyber weapon ‘Flame’ discovered in thousands of Middle East computers (business.financialpost.com)
- Flame virus has been burning for five years (pcpro.co.uk)
- Powerful “Flame” cyber weapon found in Iran (12160.info)
- Flame: world’s most complex computer virus exposed – By Damien McElroy, Christopher Williams 7:06PM BST 28 May 2012 – The world’s most complex computer virus, possessing a range of complex espionage capabilities, including the ability to secretly record (projectbrainsaver.wordpress.com)
- Flame: world’s most complex computer virus exposed – By Damien McElroy, Christopher Williams 7:06PM BST 28 May 2012 – The world’s most complex computer virus, possessing a range of complex espionage capabilities, including the ability to secretly record (punpht.wordpress.com)
- Flame: world’s most complex computer virus exposed – By Damien McElroy, Christopher Williams 7:06PM BST 28 May 2012 – The world’s most complex computer virus, possessing a range of complex espionage capabilities, including the ability to secretly record (worldwright.wordpress.com)
Kelihos gang is building a new botnet, researchers say
The cyber criminal gang behind the sinkholed Kelihos botnet can easily regain control over a part of it
By Lucian Constantin, IDG News Service
March 30, 2012
The cyber-criminal gang that operated the recently disabled Kelihos botnet has already begun building a new botnet with the help of a Facebook worm, according to security researchers from Seculert.
Security experts from Kaspersky Lab, CrowdStrike, Dell SecureWorks and the Honeynet Project, announced that they took control of the 110,000 PC-strong Kelihos botnet on Wednesday.
The researchers used a method called sinkholing, which involves infiltrating the botnet’s peer-to-peer (P2P) network with rogue clients and tricking the other peers to report back to command and control servers under their control.
However, one day after the successful sinkholing operation was announced, malware experts from security firm Seculert reported that the Kelihos gang had already started building a new botnet.
The Kelihos gang pays the creators of a Facebook worm to install their Trojan horse on already infected computers. That worm has compromised over 70,000 Facebook accounts so far and is currently distributing a new version of the Kelihos Trojan, Seculert security researchers said in a blog post on Thursday.
However, the Kelihos gang can also leverage the Facebook worm to regain control of the Kelihos bots sinkholed by Kaspersky and its partners, since the worm is still installed on those machines. All it needs to do in order to bypass the sinkhole is pay the worm’s operators to reinfect those computers with the new Kelihos version, said Aviv Raff, Seculert’s chief technology officer, in email.
Sinkholing alone does not result in the complete takedown of botnets, because it doesn’t impact the cyber criminals that operate them or their distribution infrastructure, said Gunter Ollmann, vice president of research at security company Damballa, in a blog post on Thursday.
“If you’re going to take down a botnet you have to take out the criminals at the top. It’s the only way,” Ollmann said. “In the case of P2P-based botnets, there’s very little infrastructure you can get your hands on — and you’ll probably end up having to issue commands to botnet victim devices — which is fraught with legal and ethical problems.”
Ollmann believes that a similar group of researchers will probably attempt to sinkhole the new Kelihos botnet in the future. Unfortunately, cyber criminals can easily escape from this virtual game of Whac-A-Mole by implementing domain generation algorithms as a backup strategy for updating their botnets, he said.
- Researchers Say Kelihos Gang Is Building New Botnet (it.slashdot.org)
- Kelihos zombies erupt from mass graves after botnet massacre (go.theregister.com)
- Kelihos.B is still live and social (seculert.com)
- Kelihos Is Dead: Long Live Kelihos (circleid.com)
- Kelihos Botnet Sucked into Netherlands Sinkhole (blogs.wsj.com)
- Second Kelihos botnet downed, 116,000 machines freed (theverge.com)
- Security firms disable the second Kelihos botnet (infoworld.com)
- Staggering Kelihos zombie army smacked down AGAIN (go.theregister.com)
- New Zeus P2P bots: anonymous cyber-crime ready for mass market (arstechnica.com)
- Botnet Shutdown Success Story – again: Disabling the new Hlux/Kelihos Botnet (securelist.com)