December 20, 2014

Tumblr attacked with viral worm that posts hate messages

(LiveHacking.Com) –  The GNAA, an “anti-blogging” group, is claiming responsibility for a worm which hit Tumblr this week. The worm posted unpleasant posts on victim’s accounts and spread when others viewed the post. The text posted on victim’s blogs starts with “Dearest Tumblr users,” but it quickly turns into a bewildering rant about the “self-indulgent” and “decadent” ways of Tumblr bloggers.

The GNAA, whose acronym is intentionally inflammatory and isn’t worth repeating here, has attacked other major sites in the past including CNN, President Obama’s re-election campaign and Wikipedia.  As another “prank” the group pretended to be looters on Twitter in the aftermath of hurricane Sandy. In an interview, a spokesman for the group claims they told Tumblr weeks ago about the potential security vulnerability but they were ignored.

During the attack Tumblr posted the following status message: “There is a viral post circulating on Tumblr which begins “Dearest ‘Tumblr’ users”. If you have viewed this post, please log out of all browsers that may be using Tumblr immediately. Our engineers are working to resolve the issue as swiftly as possible. Thank you.”

An analysis of the worm by Sophos shows that “the worm took advantage of Tumblr’s reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.” The contents of the post contained a base64 string of encoded JavaScript, which itself was hidden inside an iFrame. The Javascript then downloaded more from a subdomain of strangled.net.

“It shouldn’t have been possible for someone to post such malicious JavaScript into a Tumblr post – our assumption is that the attackers managed to skirt around Tumblr’s defences by disguising their code through Base 64 encoding and embedding it in a data URI,” wrote Graham Cluley of Sophos.

According to SCMagazine, Tumblr has fixed the security issue which allowed the worm to spread. The worm did not do any other damage other than spreading the inflammatory spam message. According to Tumblr, users’ accounts were not compromised.

The fix was confirmed by the blogging platform, “Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs. Thanks for your patience.”

 

Chevron was a victim of Stuxnet

(LiveHacking.Com) – Chevron, the US headquartered international oil and gas company, has admitted that Stuxnet infected its IT network. Speaking to the Wall Street Journal, Mark Koelmel, general manager of the company’s earth sciences department said that the notorious malware was found on its networks in 2010.

Stuxnet is known for destroying centrifuges used in Iran’s uranium enrichment program. It is thought it was designed by a nation state with the intention of targeting Siemens supervisory control and data acquisition systems (SCADA) which controlled the industrial processes inside the enrichment facilities.

Chevron was not damaged by its encounter with Stuxnet and it appears that it got onto its network by accident. But this is the first time that a U.S. company has admitted that the malware got onto its systems. There are probably many more Stuxnet infections in the U.S. and mainland Europe that went unreported for reasons of security or to avoid embarrassment.

Stuxnet specifically targets industrial equipment that is controlled by devices known as programmable logic controllers, or PLCs. These devices have been sold and used in their millions all over the world and potentially the Stuxnet malware would have destroy other equipment across the global. Just like a real world virus, once it is out there, it can’t be controlled.

“I don’t think the U.S. government even realized how far it had spread,” Koelmel said. “I think the downside of what they did is going to be far worse than what they actually accomplished.”

The U.S. has almost admitted that it wrote Stuxnet, which makes the U.S. a probable target for any retaliatory cyber attacks. It now seems that the lid is off “Pandora’s box” and worse still the very weapons used to attack others have come back to haunt their creators.

Ultimately private enterprise will have to clean up in the aftermath of Stuxnet without any help from the government. “We’re finding it in our systems and so are other companies,” said Koelmel. “So now we have to deal with this.”

In brief: Skype being used to spread DORKBOT worm

(LiveHacking.Com) – Skype is being used to distribute a variant of the DORKBOT worm. Users are being spammed with instant messages saying “lol is this your new profile pic?” If they click on the link (which cunningly includes the username of the recipient) a variant of the DORKBOT malware family is downloaded to the PC.

DORKBOT allows an attacker to take complete control of the PC and includes password theft capabilities for a large number of popular websites including Facebook, Twitter, Google, PayPal, NetFlix and many others. It can also be used to launch a distributed denial-of-service (DDOS) attacks. It can also download other malware to the PC when instructed by the command and control server.

Once the Windows machine has been infected, the worm sends out other “lol” messages to the user on the victim’s contact list. In turn, the unsuspecting recipients think the message was sent from someone they know and click on the link and the cycle starts again.

“Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact,” said Skype to the BBC. “We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable.”

Worm Tries to Crack Weak Passwords on Remote Desktops Connections

(LiveHacking.Com) – Microsoft has published details of a worm called Morto which attempts to break into remote servers which use the Windows Remote Desktop. The worm attempts to compromise the systems by exploiting weak administrator passwords. Once a new system is compromised, it connects to a remote server in order to download additional information and update its components. It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted.

As with all accounts (both local and remote) it is essential for users and system administrators to set strong passwords. According to Microsoft the worm tries the following passwords:

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user

Microsoft are reporting that although the overall numbers of computers reporting detections are low in comparison to more established malware families, the traffic it generates is noticeable.

Stuxnet: The Industrial Sabotage Mystery Deepens

Since its discovery a few months ago, the purpose and intention of the Stuxnet worm has remained shrouded in mystery. This Windows based worm is the first ever malware designed to attack industrial equipment.

Specifically it targets Siemens’ Supervisory Control And Data Acquisition (SCADA) software used to control and monitor industrial processes and has the ability to reprogram Siemens’ Simatic PLCs (programmable logic controllers).

[ad code=6 align=left]

PLCs contain code to control automated industrial systems in manufacturing plants or factories. Programmers use the Siemens’ software from a Windows PC to create code and then upload their code to the PLCs. The Stuxnet worm infects the PCs and then uploads its own code to the PLC.

Since the discovery of Stuxnet, conspiracy theories about its purposes have been rampant and these theories have included nation states, well funded hackers, Israeli spies and Iran’s nuclear program. But Symantec have just revealed (http://www.symantec.com/connect/blogs/stuxnet-breakthrough) that the Stuxnet virus only attacks systems with variable-frequency drives from two specific vendors: Vacon based in Finland and Fararo Paya based in Iran. This is sure to reignite the speculations about its target and origin.

What Stuxnet does is monitor the frequency of these drives and only attacks systems that run between 807Hz and 1210Hz which is very high and only used in particular industrial applications. Stuxnet then modifies the output frequency for a short time to 1410Hz and then to 2Hz and then to 1064Hz and thus effects the operation of the connected motors.

Stuxnet’s requirement for particular frequency converter drives and operating characteristics focuses the number of possible speculated targets to a limited set of possibilities.

If you work with PLCs and variable-frequency drives over 807Hz please contact Live Hacking as soon as possible as you might be able to shed some light on this increasingly mysterious malware.