July 28, 2014

Has Iran been fighting off a fresh Stuxnet attack?

targeted attack(LiveHacking.Com) – There is some confusion about recent malware activity in Iran. A story broke in the last few days saying that a power plant and other industries in southern Iran have been targeted by Stuxnet but that the cyber attack has been successfully rebuffed and prevented from spreading. The story was carried by many of the world’s news agencies including the BBC and Agence France-Presse.

The original story comes from the Iranian Students News Agency (ISNA) which reported that cyberattackers had struck industrial infrastructure in the southern province of Hormuzgan. In it Ali Akbar Akhavan is quoted as saying that a virus had penetrated some manufacturing industries in Hormuzgan province, but that with the help of skilled hackers it had been repelled. Akhavan is quoted as saying that the malware was “Stuxnet-like” but he did not expand on what that meant.

Once the story was being reported Iran issued a correction. “At a press conference we announced readiness to confront cyber attacks against Hormuzgan installations, which was mistakenly reported by the agencies as a cyber attack having been foiled,” Ali Akbar Akhavan said. However ISNA is sticking with its original story and has published MP3 files which it claims contain Akhavan’s initial remarks.

The state of Iran’s industrial and IT infrastructure has been a topic of much discussion ever since the original Stuxnet worm was allegedly used to hamper Iran’s nuclear enrichment efforts in 2010. Since then Iran has has various malware troubles including reports of a piece of malware called Narilam which attacked Iranian business databases and a malware incident where Iran was been forced to disconnect some of the computers at its Kharg Island oil processing terminal.

Symantec says new worm attacking Iranian businesses – Iran says no, it isn’t true

(LiveHacking.Com) – Symantec is reporting that it has detected a new piece of malware called Narilam which is attacking business databases in Iran. Of course, the existence of such a worm that is attacking the Middle East, and Iran specifically, has drawn parallels with other well documented cyber-attacks on Iran including Stuxnet, Duqu and Flame.

According to Symantec, Narilam is designed to cause chaos by targeting and modifying corporate databases. It does this by attacking Microsoft SQL databases via OLEDB (Object Linking and Embedding, Database) and hunts out SQL databases with three distinct names: alim, maliran, and shahd. It then replaces certain items (including columns called Asnad.LastNo, Asnad.FirstNo and refcheck.amount) in the database with random values.

However the Iranian National Cert “Maher”, is saying that after its initial investigations there seems to be some misunderstanding about the malware. First, it isn’t new malware but old! Iran reckons it has been around since 2010 but under a different name. Secondly, the malware is not a major threat nor is it a sophisticated piece of malware. Thirdly, the malware isn’t that wide spread and it is only able to corrupt the database of a particular accounting package for small businesses.

Maher’s advise is not to panic and only the customers who use that particular accounting software should make sure they have good backups and that they scan their systems regularly with a decent antivirus product.

So who is right? It is difficult to tell. Malware which targets a very specific software product made and predominately used in Iran is very suspect, especially in light of other cyber attacks like Stuxnet, but at the same time if it is old and contains no functionality to steal information from infected systems then its impact will certainly be limited.

Iran Releases Flamer Malware Removal Tool

(LiveHacking.Com) – Iran’s Computer Emergency Response Team (CCCERT) has released a tool which can detect and remove the Flame worm which is being described as “the most sophisticated cyber weapon yet unleashed”. This is the first time a tool has been released to tackle the malware which according to a report from CrySys Lab was first spotted in Europe in 2007. According to the BBC, the detection and clean-up tool was written in early May and now Iran’s National Computer Emergency Response Team are ready to distribute it to organisations at risk of infection.

The Flame malware is sophisticated and is designed for surveillance malware and with the ability to record audio, keystrokes and even Bluetooth devices. It also has a unique modular design which allows its creators to upload new functionality to malware on a victim’s machine. As well as being modular in design, it appears that Flame also tries to detect which anti-virus software is installed on a target machine and then disguise itself as a file that traditionally isn’t scanned for viruses or malware.

According to Kaspersky, 189 infections have been reported in Iran, compared to 98 in Israel/Palestine and 32 in Sudan. Reports are coming in that Syria, Lebanon, Saudia Arabia and Egypt have also been hit.

Back in April, Iran was forced to disconnect some of the computers at its Kharg Island oil processing terminal due to malware.  At the time the malware was unknown, but it is now believed to be Flame. At the time the National Iranian Oil Company (NIOC) disconnected some of its computers from the Internet, to stop any further spread of the malware, however the terminal remained operational.

An analysis by Symantec says that “the complexity of the code within this threat is at par with that seen in Stuxnet and Duqu, arguably the two most complex pieces of malware we have analyzed to date. As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives.”

 

Flame Malware Designed for Cyber Espionage

A new piece of malware called “Flame” has been uncovered by Kaspersky Lab and is thought to be part of a well-organized, state-run cyber espionage operation affecting Iran, Israel and other Middle Eastern countries. Because the new malware seems to attack computer mainly in the Middle East and because of the specific software vulnerabilities exploited, analysts are saying that although Flame differs from Duqu and Stuxnet it belongs to the same family.

“The primary purpose of Flame appears to be cyber espionage, by stealing information from infected machines. Such information is then sent to a network of command-and-control servers located in many different parts of the world. The diverse nature of the stolen information, which can include documents, screenshots, audio recordings and interception of network traffic, makes it one of the most advanced and complete attack-toolkits ever discovered. The exact infection vector has still to be revealed, but it is already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet” wrote Kaspersky Lab in a statement.

According to the the Iranian CERTCC, the file naming conventions, propagation methods, complexity level, and precise targeting indicate that Flame is a close relation to the Stuxnet. However one important difference is that Flame is modularised. Once a machine has been infected the operators can upload new modules to increase Flame’s functionality. So far 20 modules have been found but it is expected that researchers will find more.

Flame can perform a number of complex operations including network sniffing, making screenshots, recording audio, logging keyboard strokes, and so on. All this data is sent to the operators via command-and-control servers.

According to Reuters, it is possible that Flame has lurked inside thousands of computers across the Middle East for as long as five years as part of a sophisticated cyber warfare campaign. Further details can be found in Kaspersky Lab’s Flame FAQ.

Iran Unplugs Oil Export Terminal Computers After Virus Found

(LiveHacking.Com) – Iran has been forced to disconnect some of the computers at its Kharg Island oil processing terminal due to malware. The yet unknown virus was found inside the control systems of Kharg Island – Iran’s main oil terminal which handles the vast majority of Iran’s crude oil exports. The National Iranian Oil Company (NIOC) said although it disconnected some computers from the Internet, to stop any further spread of the malware, the terminal remained operational.

According to the semi-official Mehr news agency, the virus affected the computers in Iran’s Oil Ministry and of its national oil company. As a precaution, computers that control some of Iran’s other oil facilities have also been disconnected from the Internet. It is also reporting that the Iranian authorities have set up a crisis unit which is work to neutralize what they are calling an “attack.”

It looks as if the disruption to Iran’s oil production has been minimal unlike the international sanctions which, according to Reuters, is forcing the country to use more than half of its supertanker oil fleet to store crude at sea in the Gulf. The only tangible effect seems to be that the Iranian oil ministry and national oil company websites went offline. This could be due to the massive unplugging that occurred or it could be a direct result of the virus. This remains to be seen. According to the BBC the Ministry website was back in action on Monday but the oil company site has remained unreachable. The BBC added that an Iranian oil ministry spokesperson was quoted as saying that data about users of the sites had been stolen as a result of the attack.

Pundits are already starting to make comparisons with the Stuxnet computer worm which hit Iran’s nuclear facilities in 2009 and 2010. It is estimated that the Stuxnet worm, which specifically targets Siemens’ Supervisory Control And Data Acquisition (SCADA) software used to control and monitor industrial processes and has the ability to reprogram Siemens’ Simatic PLCs (programmable logic controllers), was responsible for destroying about a fifth of Iran’s nuclear centrifuges in an attempt to delay Iran’s nuclear program. In 2010 William J. Lynn, U.S. Deputy Secretary of Defense, wrote that “as a doctrinal matter, the Pentagon has formally recognized cyberspace as a new domain in warfare . . . [which] has become just as critical to military operations as land, sea, air, and space.”

CrySyS Lab Updates its Duqu Detector Toolkit to Recognize New Variant

(LiveHacking.Com) – CrySyS Lab has updated its Duqu Detector Toolkit to v1.24 to add new signatures for a new variant of the Duqu malware found by Symantec. The classification of the new variant is based on a file Symantec received, however it is only one component of the whole Duqu malware (in this case the loader file that is used to load the rest of the malware when the computer restarts). The file is called mcd9x86.sys and it has a compile date of February 23, 2012. In an attempt to bypass anti-virus software the file has been compiled with different options compared to those used in the previous version. There are also some code changes connected with decrypting the configuration block and loading the malware’s payload.

The Duqu malware has been a topic of constant discussion among security experts since its discovery in October 2011. Recently while analysing its structure, researchers at Kaspersky Lab concluded that the parts of the code which communicate with the command and control (C&C) servers are written in an unknown programming language. Unlike the rest of the Duqu body, it’s not C++ (or Objective C, Java, Python, Ada, Lua). Compared to Stuxnet (which is considered to be a cousin of Duqu and is written completely in C++), this unknown language is one of the defining features of Duqu. Further analysis then revealed that the mystery programming languages was in fact a custom extension to C, generally called “OO C” and that these parts of Duqu were written in “C” code compiled with MSVC 2008 using the special options “/O1″ and “/Ob1″

Duqu Detector Toolkit

The detector uses simple signature and heuristic detection techniques to find Duqu infections on a computer or in a whole network. It is able to find traces of infections where components of the malware have already been removed from the system. The Duqu malware got its name because of the temporary files it uses beginning with ~DQ. The detector toolkit also includes a tool to find all Duqu related temporary files on a system.

Update: Stars Worm Probably Just Political Bluff

It is now a couple of days since Iran claimed it was under another cyber attack but so far it has not offered any proof or given security experts any information about the worm. Simple fingerprint  information about the worm would immediately validate Iran’s claims and also allow security experts to see if examples of the worm have been found in the west.

Investigations by Live Hacking have revealed that inside of Iran there is little or no information about this worm and even Iran’s Computer Emergency Response Team have no knowledge of the attack.

Since Stuxnet also infected PC’s outside of Iran it is impossible that the new Stars worm has remained only inside the borders of this middle eastern country. When (and if) Iran publish more data on the worm it can be analysed thoroughly. If they don’t published any more information this will just been seen as another attempt at political misdirection.

First Stuxnet, Now Stars – New Worm Attacks Iran

Gholam-Reza Jalali, the director of Iran’s Passive Defense Organization has announced that it has detected a new worm called Stars which is designed to spy on Iran’s government systems. Jalali did not reveal what facilities the worm targeted or when it was first detected.

These new revelations come in the wake of Stuxnet, the first ever malware designed to attack industrial equipment. Specifically it targets Siemens’ Supervisory Control And Data Acquisition (SCADA) software used to control and monitor industrial processes and has the ability to reprogram Siemens’ Simatic PLCs (programmable logic controllers). It is reported that such equipment is used by Iran at its Natanz nuclear facility.

Last week Jalali accused Siemens of helping the U.S. and Israel create the Stuxnet worm saying they should “explain why and how it provided the enemies with the information about the codes of the SCADA software and [so] prepared the ground for a cyber attack.”

Could Stars be just an “ordinary” Windows worm which Iran have mistaken as a cyber attack? Every day security experts find thousands of new malware samples, many of which are designed for spying on victims’ computers.