December 19, 2014

Symantec says new worm attacking Iranian businesses – Iran says no, it isn’t true

(LiveHacking.Com) – Symantec is reporting that it has detected a new piece of malware called Narilam which is attacking business databases in Iran. Of course, the existence of such a worm attacking the Middle East, and Iran specifically, has drawn parallels with other well-documented cyber-attacks on Iran including Stuxnet, Duqu and Flame.

According to Symantec, Narilam is designed to cause chaos by targeting and modifying corporate databases. It does this by attacking Microsoft SQL databases via OLEDB (Object Linking and Embedding, Database) and hunts out SQL databases with three distinct names: alim, maliran, and shahd. It then replaces certain items (including columns called Asnad.LastNo, Asnad.FirstNo and refcheck.amount) in the database with random values.

However, the Iranian national CERT, “Maher”, says that after its initial investigations there seems to be some misunderstanding about the malware. First, it isn’t new malware but old! Iran reckons it has been around since 2010 but under a different name. Secondly, the malware is neither a major threat nor a sophisticated piece of malware. Thirdly, the malware isn’t that widespread and it is only able to corrupt the database of a particular accounting package for small businesses.

Maher’s advice is not to panic: only the customers who use that particular accounting software need to make sure they have good backups and that they scan their systems regularly with a decent antivirus product.

So who is right? It is difficult to tell. Malware which targets a very specific software product made and predominately used in Iran is very suspect, especially in light of other cyber attacks like Stuxnet, but at the same time if it is old and contains no functionality to steal information from infected systems then its impact will certainly be limited.

Kaspersky Lab developing secure OS for industrial control systems

(LiveHacking.Com) – In a blog post for Kaspersky Lab, Eugene Kaspersky has confirmed that the security company is working on a new, secure operating system on top of which industrial control systems (ICS) can be installed. The aim is to provide a secure environment that incorporates all the latest security technologies available and is built to tackle the realities of 21st century cyber-attacks.

The motivation behind such an ambitious project is the inevitable future of mass cyber-attacks on nuclear power stations, energy supply and transportation control facilities, financial and telecommunications systems. Until a few years ago cyber-attacks were limited to web servers and email servers; however, that has changed and now the very infrastructure that controls our countries is open to attack.

Industrial IT systems are different from office systems and Internet-facing servers for three very important reasons:

  1. The system must always be running. If a web server is under attack, the worst-case scenario is that the server is shut down until everything can be resolved. You can’t do that with the control system running a nuclear power station!
  2. Because of the “always on” nature of the systems, performing software upgrades is difficult and often undesired by those running the systems.
  3. Traditionally the ICS manufacturers have been less willing to provide updates to existing control systems.

The result is that when an exploit is found in the control system, fixing it can be very hard.

The fact that the majority of control systems aren’t connected to the Internet could lull us into a false sense of security: how could a hacker possibly get to the system if it isn’t connected to anything? Unfortunately the reality is quite different. Kaspersky gives the following example from twelve years ago:

An employee of a third-party contractor who was working on the control systems of Maroochy Shire Council (in Australia) carried out 46 (!) attacks on its control system, which caused the pumps to stop working or work not as they should have. No one could understand what was happening, since the communication channels inside the system had been breached and the information traveling along them distorted. Only after months did companies and the authorities manage to work out what had happened. It turned out that the worker really wanted to get a job at the sewage firm, was rejected, and so decided to flood a huge area of Queensland with sewage!

And this was long before the rise of cyber espionage malware like Stuxnet, Duqu, Flame, miniFlame and Gauss.

“Ideally, all ICS software would need to be rewritten, incorporating all the security technologies available and taking into account the new realities of cyber-attacks,” wrote Kaspersky.

However, such a huge effort would still not guarantee sufficiently stable operation of systems. The alternative is to create a secure operating system, one onto which ICS can be installed. To do this Kaspersky Lab are developing a highly tailored operating system for a specific narrow task. It is not, as Kaspersky put it, “for playing Half-Life on, editing your vacation videos, or blathering on social media.”

The company is also working on methods of writing software which, by design, won’t be able to carry out any behind-the-scenes, undeclared activity.

“It’s a sophisticated project, and almost impracticable without active interaction with ICS operators and vendors. We can’t reveal many details of the project now because of the confidentiality of such cooperation. And we don’t want to talk about some stuff so competitors won’t jump on our ideas and nick the know-how. And then there are some details that will remain for certain customers’ eyes only forever, to ward off cyber-terrorist abuses,” added Kaspersky.

More details about the system, its requirements and background to its development can be read here.

miniFlame: New malware found that is linked with Flame, Stuxnet, Duqu and Gauss

(LiveHacking.Com) – Kaspersky Lab has found a new piece of malware that is linked with the various nation-state cyber-espionage malware including Stuxnet, Duqu, Flame and Gauss. Although found all over the world, these malware attacks have specifically targeted the Middle East. Previous analysis of the Flame malware led Kaspersky Lab to conclude that there was some form of collaboration between the groups that developed Flame, Stuxnet and Duqu. Further research prompted the discovery of the previously unknown malware called Gauss, which uses a modular structure resembling that of Flame, has a similar code base and uses the same system for communicating with its C&C servers. That made the whole family: Flame, Stuxnet, Duqu and Gauss.

Now Kaspersky Lab has discovered miniFlame. This new malware is based on the Flame platform and can be operated as part of Flame, but it can also be run independently, without the main Flame modules installed.

“The SPE malware is a small, fully functional espionage module designed for data theft and direct access to infected systems. If Flame and Gauss were massive spy operations, infecting thousands of users, miniFlame/SPE is a high precision, surgical attack tool,” wrote GReAT, a Kaspersky Lab Expert.

Kaspersky Lab have also discovered that miniFlame can be used together with Gauss. It has been assumed that Flame and Gauss were parallel but distinct projects, as they did not have any common modules or common C&C servers. The fact that miniFlame works with both of these malware projects proves that they come from the same authors.

Like the others in the family, miniFlame is targeting the Middle East. Flame attacks were found mainly in Iran and Sudan, while Gauss was mostly present in Lebanon. miniFlame, however, does not have a clear geographical bias, although there are reports from Lebanon, Palestine, Iran, Kuwait and Qatar.

Kaspersky Lab have a full technical paper on miniFlame here.

Why does Gauss install Palida Narrow font?

Source: Securelist

(LiveHacking.Com) – In the ongoing saga, which started with Stuxnet and continued with Duqu and Flame, Gauss is seen by many as malware which, like its predecessors, is state sponsored. It was discovered during the ITU’s investigation into Flame and is thought to have been created in mid-2011 and deployed for the first time in August-September of the same year.

The major difference between Stuxnet and its cousins is that Gauss is a banking Trojan and is designed to steal login details for customers of Lebanese banks including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets users of Citibank and PayPal. Kaspersky Lab have gone as far as to say “This is actually the first time we’ve observed a nation-state cyber-espionage campaign with a banking Trojan component.”

It has now been discovered that computers infected with Gauss all have a previously unknown font, known as “Palida Narrow”, installed on them. Security researchers have linked Duqu to Gauss, due to some similar characteristics, and have wondered if Gauss uses the same font rendering vulnerability as Duqu. However Kaspersky has checked the font for such malicious code and found nothing: “But of course, anything is possible”.

However the new font can be used as a marker for the presence of the malware and to this end the Cryptography Laboratory at the Technical University of Budapest has created a web page to test for Palida and hence Gauss.
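A local counterpart to that check, as an added example that is not the Budapest lab's tool or any code from the article: it reads the `name` table of each TrueType/OpenType file in a directory and reports files whose family or full name contains “Palida Narrow”. The directory to scan is supplied by the caller, and `build_sample_font` only constructs a minimal test input.

```python
import struct
from pathlib import Path

MARKER_FAMILY = "palida narrow"   # font name given in the article

def font_names(data):
    """Return the family (ID 1) and full (ID 4) names stored in an sfnt blob."""
    names = set()
    if len(data) < 12:
        return names
    num_tables = struct.unpack_from(">H", data, 4)[0]
    for i in range(num_tables):
        rec = 12 + 16 * i                      # table directory entry
        if rec + 16 > len(data):
            break
        tag, _chk, off, _length = struct.unpack_from(">4sIII", data, rec)
        if tag != b"name" or off + 6 > len(data):
            continue
        _fmt, count, str_off = struct.unpack_from(">HHH", data, off)
        for j in range(count):
            r = off + 6 + 12 * j               # one 12-byte name record
            if r + 12 > len(data):
                break
            plat, _enc, _lang, name_id, n_len, n_off = struct.unpack_from(">6H", data, r)
            if name_id not in (1, 4):
                continue
            start = off + str_off + n_off
            raw = data[start:start + n_len]
            # Unicode (0) and Windows (3) platforms store UTF-16BE strings;
            # the Macintosh platform (1) stores single-byte text.
            codec = "utf-16-be" if plat in (0, 3) else "mac_roman"
            names.add(raw.decode(codec, errors="replace"))
    return names

def find_marker_fonts(font_dir):
    """List font files in font_dir whose internal name matches the marker."""
    hits = []
    for path in sorted(Path(font_dir).iterdir()):
        if path.suffix.lower() not in (".ttf", ".otf"):
            continue
        try:
            names = font_names(path.read_bytes())
        except (OSError, struct.error):
            continue                           # unreadable or truncated file
        if any(MARKER_FAMILY in n.lower() for n in names):
            hits.append(path.name)
    return hits

def build_sample_font(family):
    """Constructed test input: an sfnt container holding only a 'name' table."""
    text = family.encode("utf-16-be")
    name = (struct.pack(">HHH", 0, 1, 18)                       # format, count, string offset
            + struct.pack(">6H", 3, 1, 0x0409, 1, len(text), 0)  # Windows, en-US, family name
            + text)
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"name", 0, 28, len(name))
    return header + record + name
```

Matching on the name stored inside the font file means a renamed file is still reported; a hit shows only that the font is present and needs follow-up.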

 

Iran Releases Flamer Malware Removal Tool

(LiveHacking.Com) – Iran’s Computer Emergency Response Team (CCCERT) has released a tool which can detect and remove the Flame worm, which is being described as “the most sophisticated cyber weapon yet unleashed”. This is the first time a tool has been released to tackle the malware, which according to a report from CrySyS Lab was first spotted in Europe in 2007. According to the BBC, the detection and clean-up tool was written in early May and now Iran’s National Computer Emergency Response Team are ready to distribute it to organisations at risk of infection.

The Flame malware is sophisticated and is designed for surveillance, with the ability to record audio, keystrokes and even Bluetooth devices. It also has a unique modular design which allows its creators to upload new functionality to malware on a victim’s machine. As well as being modular in design, it appears that Flame also tries to detect which anti-virus software is installed on a target machine and then disguise itself as a file that traditionally isn’t scanned for viruses or malware.

According to Kaspersky, 189 infections have been reported in Iran, compared to 98 in Israel/Palestine and 32 in Sudan. Reports are coming in that Syria, Lebanon, Saudi Arabia and Egypt have also been hit.

Back in April, Iran was forced to disconnect some of the computers at its Kharg Island oil processing terminal due to malware. At the time the malware was unknown, but it is now believed to be Flame. The National Iranian Oil Company (NIOC) disconnected some of its computers from the Internet to stop any further spread of the malware; however, the terminal remained operational.

An analysis by Symantec says that “the complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date. As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives.”

 

Flame Malware Designed for Cyber Espionage

A new piece of malware called “Flame” has been uncovered by Kaspersky Lab and is thought to be part of a well-organized, state-run cyber espionage operation affecting Iran, Israel and other Middle Eastern countries. Because the new malware seems to attack computers mainly in the Middle East and because of the specific software vulnerabilities exploited, analysts are saying that although Flame differs from Duqu and Stuxnet it belongs to the same family.

“The primary purpose of Flame appears to be cyber espionage, by stealing information from infected machines. Such information is then sent to a network of command-and-control servers located in many different parts of the world. The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered. The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet” wrote Kaspersky Lab in a statement.

According to the Iranian CERTCC, the file naming conventions, propagation methods, complexity level, and precise targeting indicate that Flame is a close relation of Stuxnet. However, one important difference is that Flame is modularised. Once a machine has been infected the operators can upload new modules to increase Flame’s functionality. So far 20 modules have been found but it is expected that researchers will find more.

Flame can perform a number of complex operations including network sniffing, making screenshots, recording audio, logging keyboard strokes, and so on. All this data is sent to the operators via command-and-control servers.

According to Reuters, it is possible that Flame has lurked inside thousands of computers across the Middle East for as long as five years as part of a sophisticated cyber warfare campaign. Further details can be found in Kaspersky Lab’s Flame FAQ.

CrySyS Lab Updates its Duqu Detector Toolkit to Recognize New Variant

(LiveHacking.Com) – CrySyS Lab has updated its Duqu Detector Toolkit to v1.24 to add new signatures for a new variant of the Duqu malware found by Symantec. The classification of the new variant is based on a file Symantec received, however it is only one component of the whole Duqu malware (in this case the loader file that is used to load the rest of the malware when the computer restarts). The file is called mcd9x86.sys and it has a compile date of February 23, 2012. In an attempt to bypass anti-virus software the file has been compiled with different options compared to those used in the previous version. There are also some code changes connected with decrypting the configuration block and loading the malware’s payload.

The Duqu malware has been a topic of constant discussion among security experts since its discovery in October 2011. Recently, while analysing its structure, researchers at Kaspersky Lab concluded that the parts of the code which communicate with the command and control (C&C) servers are written in an unknown programming language. Unlike the rest of the Duqu body, it’s not C++ (or Objective C, Java, Python, Ada, Lua). Compared to Stuxnet (which is considered to be a cousin of Duqu and is written completely in C++), this unknown language is one of the defining features of Duqu. Further analysis then revealed that the mystery programming language was in fact a custom extension to C, generally called “OO C”, and that these parts of Duqu were written in “C” code compiled with MSVC 2008 using the special options “/O1” and “/Ob1”.

Duqu Detector Toolkit

The detector uses simple signature and heuristic detection techniques to find Duqu infections on a computer or in a whole network. It is able to find traces of infections where components of the malware have already been removed from the system. The Duqu malware got its name because of the temporary files it uses beginning with ~DQ. The detector toolkit also includes a tool to find all Duqu related temporary files on a system.
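The file-name side of such a check, as an added example that is not the CrySyS toolkit's code: it walks a directory tree and records files whose names begin with ~DQ or equal the loader name mcd9x86.sys, the only two indicators this page gives. The function names and the log layout are assumptions made for the example.

```python
import os
import time

# Indicators named in the article; nothing else is assumed about Duqu.
TEMP_PREFIX = "~dq"              # temporary files begin with ~DQ
LOADER_NAMES = {"mcd9x86.sys"}   # loader file of the variant reported by Symantec

def classify(name):
    """Return the indicator a file name matches, or None."""
    lower = name.lower()         # Windows file names are case-insensitive
    if lower.startswith(TEMP_PREFIX):
        return "duqu-temp-prefix"
    if lower in LOADER_NAMES:
        return "duqu-loader-name"
    return None

def scan(root):
    """Walk root and return (findings, unreadable_dirs)."""
    findings, unreadable = [], []
    walker = os.walk(root, onerror=lambda err: unreadable.append(err.filename))
    for dirpath, _dirs, files in walker:
        for name in files:
            indicator = classify(name)
            if indicator is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                size, mtime = st.st_size, st.st_mtime
            except OSError:
                size, mtime = None, None   # file vanished or is locked
            findings.append({"indicator": indicator, "path": path,
                             "size": size, "mtime": mtime})
    return findings, unreadable

def format_log(findings):
    """Render findings as one line each for an analyst to review."""
    lines = []
    for f in findings:
        if f["mtime"] is None:
            when = "unknown"
        else:
            when = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(f["mtime"]))
        lines.append(f'{f["indicator"]}\t{when}\t{f["size"]}\t{f["path"]}')
    return lines

if __name__ == "__main__":
    import sys
    hits, skipped = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(format_log(hits)))
    for d in skipped:
        print(f"unreadable\t{d}", file=sys.stderr)
```

A name match is only a lead: other software can create files that start with ~DQ, so each line still needs an analyst's review, and directories that could not be read are reported separately rather than silently skipped.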

Same Platform Used to Create Stuxnet, Duqu and Other Yet Unknown Malware

(LiveHacking.Com) – Researchers from Kaspersky Lab have discovered that Stuxnet and Duqu were created on the same platform, which may have been developed long before the Stuxnet scandal of 2011. Known as “Tilded”, because of the common use of files that start with the tilde symbol (~), it is used by just one team to create modular malware that can be adapted to specific targets.

Kaspersky Lab came to this conclusion by analyzing the drivers used for infecting systems with Duqu and Stuxnet. More worrying is that one of the internal driver files used was compiled in January 2008 and that seven types of drivers with similar characteristics exist in the wild.

“The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date. We consider that these drivers were used either in an earlier version of Duqu, or for infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team” said Alexander Gostev, Chief Security Expert at Kaspersky Lab.

This leads to the conclusion that Duqu and Stuxnet are separate projects, but that they were created on a single platform – Tilded. It appears that Tilded was developed around the end of 2007 and the beginning of 2008. In 2010 the platform was developed further to avoid detection by antivirus solutions. There were a number of projects involving programs based on the “Tilded” platform throughout the period 2007-2011. Stuxnet and Duqu are two of them – there could have been others, which for now remain unknown.

The full version of the report of Alexander Gostev and Igor Sumenkov is available at Securelist.

Microsoft Fixes Duqu Vulnerability But Drops SSL Changes at Last Minute

(LiveHacking.Com) – As expected Microsoft has released its Patch Tuesday security updates for December. Originally Microsoft were going to release 14 bulletins but instead released only 13. The missing update was intended to make changes to the way Windows works with SSL/TLS to try and minimize the recently discovered weaknesses of the security protocol as highlighted by the BEAST (Browser Exploit Against SSL/TLS) hacking tool. However Microsoft discovered some compatibility issues with their changes and “a major third-party vendor.” Microsoft are “working with that vendor to address the issue.”

Microsoft did, however, fix the kernel-mode driver vulnerability that allows the Duqu malware to spread. The vulnerability allows remote code execution if a user opens a specially crafted document or visits a malicious Web page that embeds TrueType font files.

Microsoft also fixed a vulnerability in Windows Media Player and Windows Media Center that can allow remote code execution. Bulletin MS11-092 resolves a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so.

The other “Critical” level update addresses a remote code execution vulnerability that can be triggered if a user views a specially crafted Web page that uses a specific binary behavior in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes kill bits for four third-party ActiveX controls.

 

CrySyS Releases Duqu Detector

(LiveHacking.Com) – The lab that participated in the discovery of the Duqu trojan has developed a detector toolkit that can find Duqu infections on a computer or in a whole network. The toolkit, released by the Laboratory of Cryptography and System Security (CrySyS), uses signature and heuristics methods to find traces of Duqu infections even when bits of the malware have already been removed from a PC.

The toolkit searches for a range of different Duqu related suspicious files and known indicators to detect the current or past presence of the trojan. However, as with all anomaly detection tools, it is possible that it generates false positives.

Therefore, professional personnel are needed to interpret the tool’s resulting log files and decide on further steps.

The toolkit, which includes the source code, can be downloaded from here.

Recently NSS Labs also released a Duqu detector. Their solution is a Python script which uses pattern matching to scan the system drivers. The script, which is published under a BSD license, is available from their GitHub repository.