May 17, 2020

Symantec says new worm attacking Iranian businesses – Iran says no, it isn’t true

(LiveHacking.Com) – Symantec is reporting that it has detected a new piece of malware called Narilam which is attacking business databases in Iran. Of course, the existence of such a worm that is attacking the Middle East, and Iran specifically, has drawn parallels with other well documented cyber-attacks on Iran including Stuxnet, Duqu and Flame.

According to Symantec, Narilam is designed to cause chaos by targeting and modifying corporate databases. It does this by attacking Microsoft SQL databases via OLEDB (Object Linking and Embedding, Database) and hunts out SQL databases with three distinct names: alim, maliran, and shahd. It then replaces certain items (including columns called Asnad.LastNo, Asnad.FirstNo and refcheck.amount) in the database with random values.

However the Iranian National Cert “Maher”, is saying that after its initial investigations there seems to be some misunderstanding about the malware. First, it isn’t new malware but old! Iran reckons it has been around since 2010 but under a different name. Secondly, the malware is not a major threat nor is it a sophisticated piece of malware. Thirdly, the malware isn’t that wide spread and it is only able to corrupt the database of a particular accounting package for small businesses.

Maher’s advise is not to panic and only the customers who use that particular accounting software should make sure they have good backups and that they scan their systems regularly with a decent antivirus product.

So who is right? It is difficult to tell. Malware which targets a very specific software product made and predominately used in Iran is very suspect, especially in light of other cyber attacks like Stuxnet, but at the same time if it is old and contains no functionality to steal information from infected systems then its impact will certainly be limited.

Kaspersky Lab developing secure OS for industrial control systems

(LiveHacking.Com) – In a blog post for Kaspersky Lab, Eugene Kaspersky has confirmed that the security company is working on a new, secure operating system on top of which  industrial control systems (ICS) can be installed. The aim is to provide a secure environment that incorporate all the latest security technologies available and is built to tackle the realities of 21st century cyber-attacks.

The motivation behind such an ambitious project is the inevitable future of mass cyber-attacks on nuclear power stations, energy supply and transportation control facilities, financial and telecommunications systems. Until a few years ago cyber attacks were limited to web servers and emails server, however that has changed and now the very infrastructure that controls our countries is open for attack.

Industrial IT systems are different to office system and internet facing server for three very important reasons:

  1. The system must always be running. If a web server is under attack, worst case scenario is that the server is shutdown until everything can be resolved. You can’t do that with the control system running a nuclear power station!
  2. Because of the “always on” nature of the systems, performing software upgrades are difficult and often undesired by those running the systems.
  3. Traditionally the ICS manufacturers have been less willing to provide updates to existing control system.

The result is that when an exploit is found in the control system, fixing it can be very hard.

The fact that the majority of control systems aren’t connected to the Internet could lull us into a false sense of security as how could a hacker possibility get to the system if it isn’t connected to anything. Unfortunately the reality is quite different. Kaspersky gives the following example from twelve years ago:

An employee of a third-party contractor who was working on the control systems of Maroochy Shire Council (in  Australia) carried out 46 (!) attacks on its control system, which caused the pumps to stop working or work not as they should have. No one could understand what was happening, since the communication channels inside the system had been breached and the information traveling along them distorted. Only after months did companies and the authorities manage to work out what had happened. It turned out that the worker really wanted to get a job at the sewage firm, was rejected, and so decided to flood a huge area of Queensland with sewage!

And this long before the rise of cyber espionage malware like Stuxnet, Duqu, Flame, miniflame and Gauss.

“Ideally, all ICS software would need to be rewritten, incorporating all the security technologies available and taking into account the new realities of cyber-attacks,” wrote Kaspersky.

However, such a huge project effort would still not guarantee sufficiently stable operation of systems. The alternative is to create a a secure operating system, one onto which ICS can be installed. To do this Kaspersky Lab are developing a highly tailored operating system for a specific narrow task. It is not, as Kaspersky put it “for playing Half-Life on, editing your vacation videos, or blathering on social media.”

Also the company is working on methods of writing software which, by design, won’t be able to carry out any behind-the-scenes, undeclared activity.

“It’s a sophisticated project, and almost impracticable without active interaction with ICS operators and vendors. We can’t reveal many details of the project now because of the confidentiality of such cooperation. And we don’t want to talk about some stuff so competitors won’t jump on our ideas and nick the know-how. And then there are some details that will remain for certain customers’ eyes only forever, to ward off cyber-terrorist abuses,” added Kaspersky.

More details about the system, its requirements and background to its development can be read here.

miniFlame: New malware found that is linked with Flame, Stuxnet, Duqu and Gauss

(LiveHacking.Com) – Kaspersky Lab has found a new piece of malware that is linked with the various nation-state cyber-espionage malware including Stuxnet, Duqu, Flame and Gauss. Although found all over the world, these malware attacks have specifically targeted the Middle East. Previous analysis of the Flame malware led Kaspersky Lab that there was some form of collaboration between the groups that developed Flame, Stuxnet and Duqu.  Further research prompted the discovery of  the previously unknown malware called Gauss which uses a modular structure resembling that of Flame, has a similar code base and uses the same system for communicating with its C&C servers. The made the whole family: Flame, Stuxnet, Duqu and Gauss.

Now Kaspersky Lab has discovered miniFlame. This new malware is based on the Flame platform and can be operated as part of Flame, but it can also be run as independently, without the main Flame modules installed.

“The SPE malware, is a small, fully functional espionage module designed for data theft and direct access to infected systems. If Flame and Gauss were massive spy operations, infecting thousands of users, miniFlame/SPE is a high precision, surgical attack tool,” wrote GReAT a Kaspersky Lab Expert.

Kaspersky Lab have also discovered that miniFlame can also be used in together with Gauss. It has also been assumed that Flame and Gauss were parallel projects but different as they did not have any common modules or common C&C servers. The fact that miniFlame works with both of these malware projects, proves that that they come from the same authors.

Like the others in the family, miniFlame is targeting the Middle East. Flame attacks where found mainly in Iran and Sudan, while Gauss was mostly present in Lebanon. However miniFlame does not have a clear geographical bias but there are reports from Lebanon, Palestine, Iran, Kuwait and Qatar.

Kaspersky Lab have a a Full Technical Paper on miniFlame here.

Why does Gauss install Palida Narrow font?

Source: Securelist

(LiveHacking.Com) – In the ongoing saga, which started with Stuxnet and continued with Duqu and Flame, Gauss is seen by many as malware which, like its predecessors, is state sponsored. It was discovered during the ITU’s investigation into Flame and is thought to have been created in mid-2011 and deployed for the first time in August-September of the same year.

The major difference between Stuxnet and its cousins is that Gauss is a banking Trojan and is designed to steal login details for customers of Lebanese banks including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets users of Citibank and PayPal. Kaspersky lab have gone as far as to say “This is actually the first time we’ve observed a nation-state cyber-espionage campaign with a banking Trojan component.”

It has now been discovered that computers infected with Gauss all have a previously unknown font, known as “Palida Narrow”, installed on them. Security researchers have linked Duqu to Gauss, due to some similar characteristics, and have wondered if Gauss uses the same font rendering vulnerability as Duqu. However Kaspersky has checked the font for such malicious code and found nothing: “But of course, anything is possible”.

However the new font can be used as a marker for the presence of the malware and to this end the Cryptography Laboratory at the Technical University of Budapest has created a web page to test for Palida and hence Gauss.


Microsoft has started to harden Windows Update as it prepares for June’s Patch Tuesday

Microsoft has started to roll out  additional hardening measures for its Windows Update service. Microsoft is taking these new steps in response to the discovery that the Flame malware was using Windows Update to propagate itself. At the same time, Microsoft is planning to go ahead and release its scheduled patches for Windows next Tuesday via Windows Update.

For Windows XP and Windows Server 2003, Flame was able to use false certificates issued by Microsoft’s now invalid Terminal Server Licensing Service. For all versions of Windows after and including Vista, the malware also had to use a  MD5 hash-collision attack. The hackers needed to use a MD5 hash-collision attack on the certificates issued by the Terminal Server Licensing Service because, by default, the attacker’s certificate would not work on Windows Vista or above. The collision attack was necessary to forge a certificate that would be valid for code signing. The Redmond company has posted more details on the nature of the MD5 hash collision attack here.

“Windows Update can only be spoofed with an unauthorized certificate combined with a man-in-the-middle attack. To address this issue, we are also taking steps to harden the Windows Update infrastructure and ensure additional protections are in place,” wrote Mike Reavey, a Senior Director of the Microsoft Security Response Center.

Microsoft has decided to go ahead with this month’s Patch Tuesday and has  published its advance notification. This month’s patches includes 7 bulletins addressing 25 vulnerabilities in Microsoft Windows, Internet Explorer, Visual Basic for Applications, Dynamics AX, and the .NET Framework. Three of the bulletins are rated as Critical and will require a system reboot after the patches have been applied.

Bulletin 4, which is rated as Important, concerns Microsoft Office 2003 Service Pack 3, Microsoft Office 2007 Service Pack 2 and Microsoft Office 2007 Service Pack 3. It also applies to Microsoft Office 2010 (both 32-bit and 64-bit editions) but according to Microsoft there are no known attack vectors for the vulnerabilities  in Office 2010 . However, as a defense-in-depth measure, Microsoft will recommend that users apply the update.

How Flame Hijacked Windows Update


(LiveHacking.Com) – It is a malware writers dream to invent a system that automatically infects a PC by pretending to be a legitimate OS update coming from the manufacturer, or more specifically to trick a PC into thinking that the software it is receiving isn’t malware but in fact an update from Microsoft. Such updates are installed by the OS without question meaning that the infection happens automatically and without question. Up until now this had been impossible.

But now, Symantec has posted details on how the Flame malware has managed to do exactly that, how it managed to launch a man-in-the-middle attack on the Windows update service. Flame has an interesting feature in that it is modular. New modules can be uploaded to any infected PC by the Flame authors. For the Windows update spoof Flame uses three modules called: SNACK, MUNCH, and GADGET.


On start-up, IE automatically sends out Web Proxy Auto-Discovery Protocol (WPAD) requests to discover if there any proxies on the network. These requests are directed to local computers with the relevant wpad domain names, but if there are no DNS records with those names then the request protocol switches over to NetBIOS. One of SNACK’s functions is to act as a sniffer and catch any WPAD requests and spoof the sending computer into thinking it is a valid proxy. The uninfected PC will now start using the infected PC as a web proxy and all web traffic will flow through the infected machine.


MUNCH is Flame’s built-in webserver. As the web traffic is redirected to the infected PC due to SNACK, MUNCH sniffs all the requested URLs and hijacks Windows Update traffic. Because Flame has some fake Microsoft code signing certificates, MUNCH is able to tell GADGET to send fake updates to the Windows machine.


GADGET sends a binary signed by a certificate that appears to belong to Microsoft to the uninfected computer as if it is a legitimate Windows Update file. The binary isn’t Flamer itself, but a loader for Flamer. Once the update is received, the uninfected computer executes it and then in due course Flame is downloaded on to the PC.


Flame Malware Using Unauthorized Microsoft Certificates

(LiveHacking.Com) – Microsoft has released a security advisory outlining how components of the Flame malware have been signed by unauthorized Microsoft certificates. The result is that the signed components appear as if they were produced by Microsoft.  The problem originates with an older cryptography algorithm that can be exploited and then be used to sign code. Specifically, Microsoft’s Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in the enterprise, used the older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft.

To fix the problem Microsoft has done three things: First, it released another security advisory outlining steps users can take to block software signed by these unauthorized certificates. Second, it released a software update that automatically takes this step and third, the Terminal Server Licensing Service has been changed to no longer issues certificates that allow code signing.

Microsoft’s update, which  is available through Windows Update and Automatic Updates, revokes three intermediate certificate authorities, pushing the following certificates into the “Untrusted Certificates Store”:

  • Microsoft Enforced Licensing Intermediate PCA (2a 83 e9 02 05 91 a5 5f c6 dd ad 3f b1 02 79 4c 52 b2 4e 70) – Issued by Microsoft Root Authority
  • Microsoft Enforced Licensing Intermediate PCA (3a 85 00 44 d8 a1 95 cd 40 1a 68 0c 01 2c b0 a3 b5 f8 dc 08) – Issued by Microsoft Root Authority
  • Microsoft Enforced Licensing Registration Authority CA (SHA1) (fa 66 60 a9 4a b4 5f 6a 88 c0 d7 87 4d 89 a8 63 d7 4d ee 97) – Issued by Microsoft Root Certificate Authority

Microsoft is also concerned that the same technique could have been used by other types of malware. “Our investigation has discovered some techniques used by this malware that could also be leveraged by less sophisticated attackers to launch more widespread attacks.  Therefore, to help protect both targeted customers and those that may be at risk in the future, we are sharing our discoveries and taking steps to mitigate the risk to customers,” wrote Jonathan Ness from Microsoft Security Response Center.

Iran Releases Flamer Malware Removal Tool

(LiveHacking.Com) – Iran’s Computer Emergency Response Team (CCCERT) has released a tool which can detect and remove the Flame worm which is being described as “the most sophisticated cyber weapon yet unleashed”. This is the first time a tool has been released to tackle the malware which according to a report from CrySys Lab was first spotted in Europe in 2007. According to the BBC, the detection and clean-up tool was written in early May and now Iran’s National Computer Emergency Response Team are ready to distribute it to organisations at risk of infection.

The Flame malware is sophisticated and is designed for surveillance malware and with the ability to record audio, keystrokes and even Bluetooth devices. It also has a unique modular design which allows its creators to upload new functionality to malware on a victim’s machine. As well as being modular in design, it appears that Flame also tries to detect which anti-virus software is installed on a target machine and then disguise itself as a file that traditionally isn’t scanned for viruses or malware.

According to Kaspersky, 189 infections have been reported in Iran, compared to 98 in Israel/Palestine and 32 in Sudan. Reports are coming in that Syria, Lebanon, Saudia Arabia and Egypt have also been hit.

Back in April, Iran was forced to disconnect some of the computers at its Kharg Island oil processing terminal due to malware.  At the time the malware was unknown, but it is now believed to be Flame. At the time the National Iranian Oil Company (NIOC) disconnected some of its computers from the Internet, to stop any further spread of the malware, however the terminal remained operational.

An analysis by Symantec says that “the complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date. As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives.”


Flame Malware Designed for Cyber Espionage

A new piece of malware called “Flame” has been uncovered by Kaspersky Lab and is thought to be part of a well-organized, state-run cyber espionage operation affecting Iran, Israel and other Middle Eastern countries. Because the new malware seems to attack computer mainly in the Middle East and because of the specific software vulnerabilities exploited, analysts are saying that although Flame differs from Duqu and Stuxnet it belongs to the same family.

“The primary purpose of Flame appears to be cyber espionage, by stealing information from infected machines. Such information is then sent to a network of command-and-control servers located in many different parts of the world. The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered. The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet” wrote Kaspersky Lab in a statement.

According to the the Iranian CERTCC, the file naming conventions, propagation methods, complexity level, and precise targeting indicate that Flame is a close relation to the Stuxnet. However one important difference is that Flame is modularised. Once a machine has been infected the operators can upload new modules to increase Flame’s functionality. So far 20 modules have been found but it is expected that researchers will find more.

Flame can perform a number of complex operations including network sniffing, making screenshots, recording audio, logging keyboard strokes, and so on. All this data is sent to the operators via command-and-control servers.

According to Reuters, it is possible that Flame has lurked inside thousands of computers across the Middle East for as long as five years as part of a sophisticated cyber warfare campaign. Further details can be found in Kaspersky Lab’s Flame FAQ.