August 21, 2014

Symantec says new worm attacking Iranian businesses – Iran says no, it isn’t true

(LiveHacking.Com) – Symantec is reporting that it has detected a new piece of malware called Narilam which is attacking business databases in Iran. Of course, the existence of such a worm that is attacking the Middle East, and Iran specifically, has drawn parallels with other well documented cyber-attacks on Iran including Stuxnet, Duqu and Flame.

According to Symantec, Narilam is designed to cause chaos by targeting and modifying corporate databases. It does this by attacking Microsoft SQL databases via OLEDB (Object Linking and Embedding, Database) and hunts out SQL databases with three distinct names: alim, maliran, and shahd. It then replaces certain items (including columns called Asnad.LastNo, Asnad.FirstNo and refcheck.amount) in the database with random values.
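The damage described above is silent data corruption rather than theft, so the practical defence is an integrity baseline that can be compared against the live database before deciding whether a restore is needed. The following is an added example (not code from Symantec, Maher or the affected accounting product) using an in-memory SQLite database as a constructed stand-in for the Microsoft SQL databases Narilam targets; the table layout is assumed for illustration, only the column names Asnad.LastNo, Asnad.FirstNo and refcheck.amount come from the report.

```python
import hashlib
import random
import sqlite3

# Columns reported as overwritten by Narilam. Table layout below is
# constructed for this example, not taken from the real accounting package.
WATCHED_COLUMNS = {
    "Asnad": ["LastNo", "FirstNo"],
    "refcheck": ["amount"],
}


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for one of the targeted databases (e.g. 'maliran')."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Asnad (id INTEGER PRIMARY KEY, FirstNo INTEGER, LastNo INTEGER);
        CREATE TABLE refcheck (id INTEGER PRIMARY KEY, amount INTEGER);
        INSERT INTO Asnad (FirstNo, LastNo) VALUES (100, 120), (121, 140), (141, 160);
        INSERT INTO refcheck (amount) VALUES (2500), (1800), (9900);
    """)
    return conn


def column_fingerprints(conn: sqlite3.Connection) -> dict:
    """Return {'table.column': sha256 over that column's values in primary-key order}.

    Take the baseline from a known-good backup; a mismatch in a watched
    column on the live database is the signal to stop and restore.
    """
    fps = {}
    for table, cols in WATCHED_COLUMNS.items():
        for col in cols:
            h = hashlib.sha256()
            # Identifiers come from the fixed allow-list above, never from user input.
            for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}" ORDER BY id'):
                h.update(repr(value).encode())
                h.update(b"\x00")  # field separator so (1, 23) != (12, 3)
            fps[f"{table}.{col}"] = h.hexdigest()
    return fps


def tampered_columns(baseline: dict, current: dict) -> list:
    """Watched columns whose fingerprint no longer matches the baseline."""
    return sorted(k for k in baseline if baseline[k] != current.get(k))


def simulate_narilam(conn: sqlite3.Connection, seed: int = 1) -> None:
    """Mimic the reported behaviour: overwrite the watched columns with random values.

    The random range is deliberately far above the sample data so the demo is
    deterministic; the real malware's value distribution is not documented here.
    """
    rng = random.Random(seed)
    for table, cols in WATCHED_COLUMNS.items():
        ids = [row[0] for row in conn.execute(f'SELECT id FROM "{table}"')]
        for col in cols:
            for row_id in ids:
                conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE id = ?',
                             (rng.randint(10**6, 10**9), row_id))
    conn.commit()


def demo() -> list:
    """Baseline a clean database, corrupt it the way Narilam does, report the damage."""
    conn = build_sample_db()
    baseline = column_fingerprints(conn)
    simulate_narilam(conn)
    return tampered_columns(baseline, column_fingerprints(conn))


if __name__ == "__main__":
    print(demo())
```

Against a real server the same fingerprinting would run over an ODBC/OLEDB connection with the baseline stored off the database host, since anything the malware can write to it can also overwrite.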

However the Iranian National CERT, Maher, says that after its initial investigation there seems to be some misunderstanding about the malware. First, it isn’t new malware but old: Iran reckons it has been around since 2010 under a different name. Secondly, the malware is neither a major threat nor a sophisticated piece of malware. Thirdly, the malware isn’t that widespread and it is only able to corrupt the database of a particular accounting package for small businesses.

Maher’s advice is not to panic; only the customers who use that particular accounting software need to make sure they have good backups and that they scan their systems regularly with a decent antivirus product.

So who is right? It is difficult to tell. Malware which targets a very specific software product made and predominantly used in Iran is very suspect, especially in light of other cyber attacks like Stuxnet, but at the same time if it is old and contains no functionality to steal information from infected systems then its impact will certainly be limited.

CrySyS Lab Updates its Duqu Detector Toolkit to Recognize New Variant

(LiveHacking.Com) – CrySyS Lab has updated its Duqu Detector Toolkit to v1.24 to add new signatures for a new variant of the Duqu malware found by Symantec. The classification of the new variant is based on a file Symantec received; however, it is only one component of the whole Duqu malware (in this case the loader file that is used to load the rest of the malware when the computer restarts). The file is called mcd9x86.sys and it has a compile date of February 23, 2012. In an attempt to bypass anti-virus software the file has been compiled with different options compared to those used in the previous version. There are also some code changes connected with decrypting the configuration block and loading the malware’s payload.

The Duqu malware has been a topic of constant discussion among security experts since its discovery in October 2011. Recently, while analysing its structure, researchers at Kaspersky Lab concluded that the parts of the code which communicate with the command and control (C&C) servers are written in an unknown programming language. Unlike the rest of the Duqu body, it’s not C++ (or Objective C, Java, Python, Ada, Lua). Compared to Stuxnet (which is considered to be a cousin of Duqu and is written completely in C++), this unknown language is one of the defining features of Duqu. Further analysis then revealed that the mystery programming language was in fact a custom extension to C, generally called “OO C”, and that these parts of Duqu were written in C code compiled with MSVC 2008 using the special options “/O1” and “/Ob1”.

Duqu Detector Toolkit

The detector uses simple signature and heuristic detection techniques to find Duqu infections on a computer or in a whole network. It is able to find traces of infections where components of the malware have already been removed from the system. The Duqu malware got its name because of the temporary files it uses beginning with ~DQ. The detector toolkit also includes a tool to find all Duqu related temporary files on a system.

Symantec Working with Unnamed Law Enforcement Agency

(LiveHacking.Com) – Following my blog post about Anonymous releasing the source code for pcAnywhere, Symantec has contacted us here at LiveHacking.com with further details of the events leading up to the uploading of the source code. Symantec are underlining the following things:

  1. Symantec did NOT offer a bribe to Anonymous. Anonymous tried to extort Symantec for money to withhold posting of additional source code. (As a point of clarification – I didn’t say that Symantec offered a bribe and have never inferred it, the original blog post said that the hacker YamaTough asked for $50,000 not to release the source code).
  2. The e-mail string posted on Pastebin by Anonymous was actually between them and a fake e-mail address set up by law enforcement.
  3. Once Symantec saw that it was a clear cut case of extortion, they contacted law enforcement and turned the investigation over to them. All subsequent communications were actually between Anonymous and law enforcement agents – not Symantec.

“The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation.  Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved,” said Cris Paden of Symantec in his email to us.

Anonymous Releases Source Code for pcAnywhere [Updated]

Update: Symantec has contacted us here at LiveHacking.com with the following correction: The e-mail string posted on Pastebin by Anonymous was actually between them and a fake e-mail address set up by law enforcement. For more details see Symantec Working with Unnamed Law Enforcement Agency

(LiveHacking.Com) – The hacking group Anonymous has tweeted that it has released the source code of Symantec’s pcAnywhere on The Pirate Bay. The release of the software seems to have come after a set of emails between a law enforcement agency (masquerading as Symantec) and the hacker YamaTough. The hacker tried to extort money from Symantec when he asked for $50,000 not to release the source code. According to the email exchange the negotiations ended when the hacker gave the law enforcement agency (masquerading as Symantec) a 10 minute ultimatum: “we give you 10 minutes to decide which way you go after that two of your codes fly to the moon PCAnywhere and Norton Antivirus.” To which the law enforcement agency (masquerading as Symantec) replied “We can’t make a decision in ten minutes. We need more time.”

It seems that this then prompted the release of the source code. We spoke with a security expert who has downloaded the archive of the source code and his initial impression is that the release is genuine. According to our expert (who wishes to remain unnamed due to fears of possible reprisals by Symantec) the archive contains the following directories:


AccessServer
CE_Remote
CM
Development
InfoDev
Java_Remote
LU_Patches
Mac_ThinHost
RAPS
SCA
Shared
Tivoli
Unix_Host
pcA-NG
pcAnywhereExpress
pca32
pca_LiveState_2.0
pca_ONiCommand_3.0
r12.0-M1

The Development directory contains documentation including a document called “Programming Style Guide” which is marked as “Symantec Confidential” and pertains to “pcAnywhere / Decomposer / Packager”. The “pca32” project seems to contain source code with valid Microsoft Visual Studio project files.

According to ComputerWorld there is no official word yet from Symantec as “it happened so recently that we’re still in the process of analyzing and won’t be able to confirm until the morning.”

Symantec Releases pcAnywhere Patch and Declares it Safe to Use

(LiveHacking.Com) – Symantec has released a patch that, according to them, eliminates all known vulnerabilities affecting customers using pcAnywhere 12.0 and pcAnywhere 12.1. This is the latest step (but not the last) in an ongoing saga about source code stolen from Symantec in 2006. Only last week Symantec updated its “Claims by Anonymous about Symantec Source Code” page to notify its customers that “all pcAnywhere 12.0, 12.1 and 12.5 customers are at increased risk” and to “recommends that customers only use pcAnywhere for business critical purposes.” Now, with the release of the latest patch, it has dropped this warning and advises customers to upgrade to pcAnywhere 12.5 and apply all relevant patches.

Hotfixes are now available for the following Symantec products:

  • Symantec pcAnywhere 12.5.x
  • Symantec pcAnywhere 12.0.x, 12.1.x
  • Symantec pcAnywhere Solution (shipped with Altiris IT Management Suite 7.x) 12.5.x, 12.6.x
  • Symantec pcAnywhere Solution (shipped with Altiris Client Management Suite 7.x) 12.5.x, 12.6.x
  • Remote pcAnywhere Solution (shipped with Altiris Deployment Solution 7.1) 12.5.x, 12.6.x

According to the security advisory these hotfixes address the local file tampering elevation of privilege vulnerability and the remote code execution vulnerability previously fixed only in pcAnywhere 12.5. However, since pcAnywhere allows for direct PC to PC communication, the theft of the source code has exposed the proprietary encoding and encryption used within pcAnywhere, and there is no word yet from Symantec about any changes made to these to protect users. This is most likely why Symantec keeps repeating the mantra of “follow general security best practices”, which in short means blocking the pcAnywhere assigned ports (5631, 5632) on Internet facing network connections, disabling or removing Access Server, and using remote sessions via secure VPN tunnels.


Symantec Says Only Use pcAnywhere for Business Critical Purposes

(LiveHacking.Com) – In the on going saga about source code stolen from Symantec in 2006, the company has now updated its “Claims by Anonymous about Symantec Source Code” to notify its customers that “all pcAnywhere 12.0, 12.1 and 12.5 customers are at increased risk” and to “recommends that customers only use pcAnywhere for business critical purposes.”

It has also published a White Paper discussing the security implications where it says “Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits.” Since pcAnywhere allows for direct PC to PC communication, the theft of the source code has exposed the proprietary encoding and encryption elements within pcAnywhere. This makes it possible for a hacker to launch a successful man-in-the-middle attack (depending on configuration and use). If a man-in-the-middle attack should occur, the malicious user could steal session data or credentials.

The white paper also outlines some pcAnywhere Security Best Practices, including blocking the pcAnywhere assigned ports (5631, 5632) on Internet facing network connections, disabling or removing Access Server, and using remote sessions via secure VPN tunnels.
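The “block 5631 and 5632 on Internet facing connections” advice, repeated in the patch article above and in this white paper summary, is only useful if you can find the hosts that actually have those ports open to the outside. The following is an added example, not code from Symantec or the white paper, that parses `netstat -an` style output and flags pcAnywhere listeners bound to anything other than loopback; the sample output is constructed for this illustration rather than captured from a real host.

```python
import re
from ipaddress import ip_address

# TCP data port and UDP status/browse port assigned to pcAnywhere (from the article).
PCA_PORTS = {5631, 5632}

# Constructed sample in Windows `netstat -an` layout; not from a real machine.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5631         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3389      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:5632           *:*
  UDP    127.0.0.1:5632         *:*
  TCP    [::]:5631              [::]:0                 LISTENING
"""

# proto, local, foreign, optional state (UDP rows have no state column)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint: str):
    """'192.168.1.20:3389' -> ('192.168.1.20', 3389); '[::]:5631' -> ('::', 5631)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_reachable_externally(host: str) -> bool:
    """Wildcard binds and non-loopback addresses are reachable from the network."""
    if host in ("0.0.0.0", "::", "*"):
        return True
    try:
        return not ip_address(host).is_loopback
    except ValueError:
        return True  # unrecognised form: report rather than silently skip


def exposed_pcanywhere_listeners(netstat_text: str) -> list:
    """Return (proto, host, port) for pcAnywhere ports open beyond loopback."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, _foreign, state = m.groups()
        host, port = split_endpoint(local)
        if port not in PCA_PORTS:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing sockets are not a new exposure
        if is_reachable_externally(host):
            findings.append((proto, host, port))
    return findings


if __name__ == "__main__":
    for finding in exposed_pcanywhere_listeners(SAMPLE_NETSTAT):
        print("exposed pcAnywhere listener:", finding)
```

Run it over the real `netstat -an` output from each candidate host; anything it reports should be reachable only through the VPN, or not at all, and ideally confirmed with an external port scan since a listener on 0.0.0.0 may still be covered by a host firewall.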

Symantec Releases Hotfix for pcAnywhere

(LiveHacking.Com) – Symantec has released a hotfix for its pcAnywhere product to address multiple vulnerabilities. According to Symantec, pcAnywhere is susceptible to local file tampering elevation of privilege exploits and remote code execution exploits, and as a result it is possible to execute arbitrary code on a targeted system as “System”.

Affected Products:

  • Symantec pcAnywhere 12.5.x
  • IT Management Suite 7.0 pcAnywhere Solution 12.5.x
  • IT Management Suite 7.1 pcAnywhere Solution 12.6.x

The remote code execution is the result of pcAnywhere not properly validating/filtering external data input during login and authentication via port 5631/TCP. Successful exploitation would require either gaining unauthorized network access or enticing an authorized network user to run malicious code against a targeted system. Results could be a crash of the application or possibly successful arbitrary code execution in the context of the application on the targeted system.

The local file tampering vulnerability exists because some of the pcAnywhere files are installed as writable by everyone and so are open to tampering. A local user can potentially overwrite these files with code of their choice in an attempt to gain elevated privileges.
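Files that a privileged service loads but that any local user can overwrite are a classic escalation path, and the check is easy to automate. The following is an added example, not Symantec’s code, that walks an install tree and reports files writable by “others”. It tests POSIX mode bits against a constructed temporary directory so it runs anywhere; on a Windows pcAnywhere host the equivalent check is over the files’ DACLs (write or full-control entries for Everyone, Users or Authenticated Users), which this code does not implement.

```python
import os
import shutil
import stat
import tempfile


def world_writable_files(root: str) -> list:
    """Regular files under root whose mode grants write to 'others' (o+w).

    Symlinks are skipped rather than followed so a planted link cannot point
    the scan (or a later fix) at a file outside the install tree.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: not ours to judge here
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_install() -> str:
    """Constructed install tree: one correctly protected binary, one world-writable module."""
    root = tempfile.mkdtemp(prefix="pca_demo_")
    os.makedirs(os.path.join(root, "bin"))
    good = os.path.join(root, "bin", "host.exe")
    bad = os.path.join(root, "bin", "plugin.dll")
    for path in (good, bad):
        with open(path, "wb") as fh:
            fh.write(b"MZ")  # placeholder content, not a real executable
    os.chmod(good, 0o755)  # owner writes, everyone else read/execute
    os.chmod(bad, 0o666)   # the misconfiguration: any local user can replace the module
    return root


def demo() -> list:
    """Build the sample tree, scan it, clean up, return the findings."""
    root = build_sample_install()
    try:
        return world_writable_files(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel in demo():
        print("world-writable:", rel)
```

In an incident review the same scan, run against the pre-hotfix install, tells you which modules an unprivileged user could have swapped; compare their hashes against the vendor’s originals before trusting the host.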

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit it.

Norton Source Code Was Stolen in 2006 According to Symantec

(LiveHacking.Com) – The hacking group calling itself “Lords of Dharmaraja” caused a stir recently when they claimed to have stolen the source code for Norton Antivirus. Symantec, the makers of Norton Antivirus, quickly denied the allegations, saying that the hackers had source code for Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, which are both more than five years old. However Symantec have now acknowledged that source code for a 2006 version of its Norton security products did in fact get stolen.

“Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006,” said Symantec spokesperson Cris Paden. “We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.”

“Due to the age of the exposed source code, except as specifically noted below, Symantec customers – including those running Norton products — should not be in any increased danger of cyber attacks resulting from this incident,” he continued. “Customers of Symantec’s pcAnywhere product may face a slightly increased security risk as a result of this exposure if they do not follow general best practices. Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information.”

Affected products include:

  • Norton Antivirus Corporate Edition
  • Norton Internet Security
  • Norton SystemWorks (Norton Utilities and Norton GoBack)
  • pcAnywhere 12.0, 12.1 and 12.5
  • Symantec Endpoint Protection v11.0, which is four years old
  • Symantec AntiVirus v10.2, which is five years old code, and a product that has been discontinued

Symantec go on to say that “customers of Symantec’s pcAnywhere product may face a slightly increased security risk as a result of this exposure. Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information.”

Confusion over Lords of Dharmaraja Hackers

(LiveHacking.Com) – The hacking group calling itself “Lords of Dharmaraja” came into the spotlight a few days ago when it claimed it had a copy of the source for Norton Antivirus. Symantec, the makers of Norton Antivirus, quickly clarified the situation and confirmed that the hackers a) had access only to some API documentation and b) did have some source code, but it was for Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, which are both more than five years old.

What isn’t really appreciated is that this little known hacking group first came to the attention of authorities last year when it began posting documents including a memo that triggered a U.S. investigation into a possible cyber-attack by Indian military intelligence. It now appears as if that memo was fake, but the security breach was not.

Reuters has obtained a large digital cache of emails that were posted by the group before being taken down by sites like Pastebin. Many of these emails, which were sent between April and October of last year, were addressed to Bill Reinsch, a member of an official U.S. commission monitoring economic and cyber-security relations between the US and China. It now seems that the hackers created these memos simply to draw attention to their work, or to taint relations between India and the United States.

It is still unclear how Symantec’s source code ended up with the Lords of Dharmaraja.

Hackers Steal Source Code to Norton AntiVirus?

(LiveHacking.Com) – Symantec, the company behind Norton AntiVirus, has confirmed that a group of hackers has stolen portions of source code for two of its security products. The hackers, who call themselves The Lords of Dharmaraja, have posted at least twice to Pastebin claiming to have access to the source code for Norton Antivirus:

“Now we release confidential documentation we encountered of Symantec corporation and it’s Norton AntiVirus source code which we are going to publish later on, we are working out mirrors as of now since we experience extreme pressure and censorship from US and India government agencies.”

But according to a statement released from Symantec the information released is just a document from 1999, that describes an application programming interface (API) for the virus Definition Generation Service. “This document explains how the software is designed to work (what inputs are accepted and what outputs are generated) and contains function names, but there is no actual source code present,” Cris Paden, senior manager of corporate communication for Symantec told SecurityWeek.

Both posts have now been removed from Pastebin, which is quite unusual as it is normally a safe haven for hackers to post anything from stolen credit card numbers to cracked passwords.

The latest news from Symantec, via SecurityWeek, is that the products in question are Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, and not any of its consumer products under the “Norton” brand. Further, in a statement released on Facebook, Symantec said “The code involved is four and five years old. This does not affect Symantec’s Norton products for our consumer customers. Symantec’s own network was not breached, but rather that of a third party entity.”

Many governments require companies such as Symantec to submit their source code for inspection to prove they are not spying on the government. This is where the hackers could have got hold of the code. Comments posted by Yama Tough on Google+ and Pastebin seem to confirm this idea in that they suggest that the Symantec code was taken from an Indian government server.