Thursday, September 30, 2010

30 Gulf Cartel Members Arrested in Northern Mexico

Via CNN (Sept 19, 2010) -

Mexico's navy on Wednesday announced the arrests of 30 members of the Gulf drug cartel following several armed confrontations in the northern state of Tamaulipas.

At least one marine and eight cartel members were killed in the firefights, navy spokesman Jose Luis Vergara said, according to the state-run Notimex news agency.

The operations against the cartel were based on information from the navy's intelligence apparatus and the national intelligence agency, Vergara said.

Authorities seized 43 assault rifles, 10 handguns, two rocket launchers, a rocket and 21 hand grenades from the cartel operatives.

They also recovered 10 helmets and six bulletproof vests.

The cartel members were holding 588,000 pesos ($47,000) and $393,343 in American currency, Vergara said.

Those arrested were involved in drug trafficking, extortion and kidnapping, he said.

The suspects were transported to Mexico City to be questioned further by authorities.

The Gulf cartel is one of Mexico's major drug-trafficking organizations, based in the city of Matamoros, across the border from Brownsville, Texas. The cartel is currently in a turf battle in the region with its former enforcers-turned-rivals, the Zetas cartel.

MIT Researchers Tout Network Intrusion Recovery System

Via NetworkWorld.com -

MIT Computer Science and Artificial Intelligence Laboratory researchers will next week detail a system they say will make it easier for companies to recover from nasty security intrusions.

The system, known as RETRO, lets administrators specify offending actions, such as a TCP connection or an HTTP request from an adversary, that they want to undo. RETRO then repairs the computer's file system by selectively undoing the offending actions-that is, constructing a new system state, as if the offending actions never took place, but all legitimate actions remained. By selectively undoing the adversary's changes while preserving user data, RETRO makes intrusion recovery more practical, the researchers state in a paper to be presented at next week's 9th USENIX Symposium on Operating Systems Design and Implementation.
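The selective-undo idea above, as an added toy model (my code, not RETRO's, which works on a real action-history graph with many more action types): a flat file system, a log of actions with recorded reads and writes, and a repair that skips the offending actions and re-executes only the legitimate ones whose inputs they changed.

```python
"""Toy model of RETRO-style selective undo. Given a checkpoint, an action log
with recorded read/write sets and the ids of the offending actions, rebuild
the state as if those actions never happened, re-executing only legitimate
actions whose inputs they tainted. Constructed illustration, not RETRO code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

State = Dict[str, str]             # path -> contents (flat file system, no dirs)
Writes = Dict[str, Optional[str]]  # path -> new contents, None means delete
Fn = Callable[[State], Writes]     # an action, re-executable on any state


@dataclass
class Action:
    id: str
    reads: Set[str]                  # files read when the action first ran
    writes: Writes = field(default_factory=dict)  # output recorded at that time
    fn: Fn = lambda state: {}        # how to re-execute it on a different state


def apply_writes(state: State, writes: Writes) -> None:
    for path, content in writes.items():
        if content is None:
            state.pop(path, None)
        else:
            state[path] = content


def execute_and_record(state: State, log: List[Action], act: Action) -> None:
    """Run an action on the live system and record its output in the log."""
    act.writes = act.fn(state)
    apply_writes(state, act.writes)
    log.append(act)


def selective_undo(checkpoint: State, log: List[Action],
                   offending: Set[str]) -> Tuple[State, List[str]]:
    """Replay the log from the checkpoint, skipping offending actions.
    A legitimate action is re-executed only if it read a file whose contents
    now differ from the original timeline; otherwise its recorded output is
    reused, which is what makes the repair selective."""
    state: State = dict(checkpoint)
    tainted: Set[str] = set()        # files whose contents now differ
    reexecuted: List[str] = []
    for act in log:
        if act.id in offending:
            tainted |= set(act.writes)   # everything it wrote is now different
            continue
        if act.reads & tainted:
            writes = act.fn(state)       # inputs changed: run it again
            reexecuted.append(act.id)
        else:
            writes = act.writes          # inputs unchanged: reuse recorded output
        for path, content in writes.items():
            if content == act.writes.get(path):
                tainted.discard(path)    # back in sync with the original timeline
            else:
                tainted.add(path)
        tainted |= set(act.writes) - set(writes)  # originally written, now not
        apply_writes(state, writes)
    return state, reexecuted


def scenario() -> Tuple[State, List[Action]]:
    """Constructed timeline: an intruder appends a root account to /etc/passwd
    and drops a file, while a user and two system jobs keep working."""
    checkpoint: State = {"/etc/passwd": "root:x:0:0\n",
                         "/home/alice/notes.txt": "todo\n"}
    state, log = dict(checkpoint), []
    steps = [
        Action("a1-intruder-adduser", {"/etc/passwd"},
               fn=lambda s: {"/etc/passwd": s["/etc/passwd"] + "eve:x:0:0\n"}),
        Action("a2-alice-edit", {"/home/alice/notes.txt"},
               fn=lambda s: {"/home/alice/notes.txt": s["/home/alice/notes.txt"] + "buy milk\n"}),
        Action("a3-cron-backup", {"/etc/passwd"},
               fn=lambda s: {"/backup/passwd.bak": s["/etc/passwd"]}),
        Action("a4-intruder-dropper", set(),
               fn=lambda s: {"/tmp/.x": "constructed dropped file"}),
        Action("a5-admin-audit", {"/etc/passwd"},
               fn=lambda s: {"/var/log/audit.log": "accounts=%d\n" % s["/etc/passwd"].count("\n")}),
        Action("a6-alice-report", {"/home/alice/notes.txt"},
               fn=lambda s: {"/home/alice/report.txt": s["/home/alice/notes.txt"].upper()}),
    ]
    for act in steps:
        execute_and_record(state, log, act)
    return checkpoint, log


def repair() -> Tuple[State, List[str]]:
    """Undo the two intruder actions; returns (repaired state, re-executed ids)."""
    checkpoint, log = scenario()
    return selective_undo(checkpoint, log, {"a1-intruder-adduser", "a4-intruder-dropper"})
```

Running `repair()` re-executes only the backup and audit jobs (they read the tainted password file) and leaves Alice's edits untouched, while the dropped file never appears in the repaired state.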


---------------------------------------------------------------------------

Intrusion Recovery Using Selective Re-execution
http://people.csail.mit.edu/nickolai/papers/kim-retro.pdf

Wednesday, September 29, 2010

Reality Check: Is Stuxnet’s Iran Connection The New Iraqi WMD?

Via Forbes' Firewall Blog (by Jeffrey Carr)-

The Stuxnet worm isn’t just infecting thousands of industrial control systems–its hype is also spreading unchecked throughout the news outlets of the Western world. The latest take on the media’s new favorite piece of malicious software: this article in the New York Times wherein John Markoff makes a series of bad assumptions when he writes “As in real warfare, even the most carefully aimed weapon in computer warfare leaves collateral damage. The Stuxnet worm was no different.”

Markoff’s conclusion is presumably based upon the work of German researcher Ralph Langner of Langner Communications who has said of his own theory that it’s completely speculative. In fact he closes by passing this “non-technical stuff” over to others more qualified than he to do the analysis, which was a good thing because the three paragraphs under his heading “Ralph’s Theory – Completely Speculative From Here” are nothing more than sheer guesswork without any attempt by Langner to apply an analytic method to his guesstimate.

Unfortunately, as the media frenzy heated up and Langner was fast becoming the star attraction, he left the world of scientific objectivity far behind when he reportedly told the Christian Science Monitor that “Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.” Unknown is correct, but that didn’t stop Langner from making a guess – Iran’s Bushehr nuclear reactor.

So if Langner’s speculation is correct, the same minds behind the most sophisticated piece of malware that anyone has ever seen couldn’t figure out a way to deliver it without involving a dozen countries and contaminating thousands of hosts? Even worse, that of all the possible targets to pick from, they chose an IAEA-supervised civilian power facility that has zero military value and isn’t even operational yet?

The lynchpins that support his argument are almost as flimsy and can be applied to numerous facilities around the world. It’s an astoundingly weak case based on more flaws than I have the time to document here. The worst, though, is today’s post on Langner’s web page wherein he claims to have been proven right by Iran’s announcement that they were dealing with thousands of Stuxnet-infected hosts across their nation including ones on the commercial side of the Bushehr reactor.

Really, Ralph? That’s what proved you right? We already knew that Iran, Indonesia and India had thousands of infected computers. What you apparently didn’t know, Ralph, was that Iran wasn’t the most heavily hit country in the first five days of the attack. According to Kaspersky Labs data, India was first with 8565 infections, followed by Indonesia (5148), and Iran came in third with 3062. More importantly, these numbers don’t tell the whole story because they’re derived solely by the reporting of protected hosts back to the AV vendor (i.e., Kaspersky, Microsoft, ESET, F-Secure, etc.). In other words, no one really knows how widespread the Stuxnet infection rate is.

The worst part about this entire mess is that we’ve apparently learned nothing from the intelligence failure of Iraqi WMDs. Bad analysis combined with a political agenda supported by a non-critical media propelled us into a war that never should have happened. This past week we could be seeing history repeat itself. The Iranian government is not the most rational of regimes, and their politicians are not technically literate. If Iran attacks Israel because of unfounded conclusions drawn by ambitious researchers and a media that is far more competitive than critical, then you only have yourselves to blame for the consequences.


------------------------------------------------------------------

Some people have suggested that Stuxnet was designed to attack Iran's Bushehr nuclear power station, while others have speculated that it was designed to attack Natanz, but most of the theories (while sounding solid) lack any real solid evidence. However, the points outlined by Frank Rieger tell a very good story and I would personally pick Natanz over Bushehr (if it was a coin toss).

Then again, perhaps there wasn't any specific target behind Stuxnet. Maybe the people behind it just wanted the ability to break the high-speed process of their choosing at a time of their choosing, based on changing conditions on the ground. A sort of sabotage network in waiting.

Who knows.

But in hope of stimulating "alternative analysis", Carr has just posted another entry - Did The Stuxnet Worm Kill India’s INSAT-4B Satellite?

Stop the Internet Blacklist!

http://demandprogress.org/blacklist/

Just the other day, President Obama urged other countries to stop censoring the Internet. But now the United States Congress is trying to censor the Internet here at home. A new bill being debated this week would have the Attorney General create an Internet blacklist of sites that US Internet providers would be required to block.

This is the kind of heavy-handed censorship you'd expect from a dictatorship, where one man can decide what web sites you're not allowed to visit. But the Senate Judiciary Committee is expected to pass the bill this week -- and Senators say they haven't heard much in the way of objections! That's why we need you to sign our urgent petition to Congress demanding they oppose the Internet blacklist.


------------------------------------------------------------------------------------------------------

EFF - Tell Your Senator: No Website Blacklists, No Internet Censorship!
https://secure.eff.org/site/Advocacy?cmd=display&page=UserAction&id=455

EFF - An Open Letter From Internet Engineers to the Senate Judiciary Committee
http://www.eff.org/deeplinks/2010/09/open-letter

------------------------------------------------------------------------------------------------------

Here is the actual bill
http://www.govtrack.us/congress/bill.xpd?bill=s111-3804

A bill to combat online infringement, and for other purposes.

AppleTV Runs iOS, Already Jailbroken

Via Wired.com (Gadget Lab) -

Soon, thanks to the tireless efforts of the iPhone Dev Team, you will be able to install apps on your AppleTV. An upcoming Jailbreak tool, called Shatter, has already been used to unlock the new Apple TV’s firmware.

Shatter was used to jailbreak the newest iPod Touch shortly after its launch, and thanks to its iOS roots, the AppleTV is also susceptible to its power. The hack was carried out on the firmware restore download that has just been posted by Apple. This file, which contains the entire OS of the Apple TV, is an IPSW file, the file-extension for iPhone and iPad OS files.

So what’s inside? According to the Dev Team member Will Strafach, “the new AppleTV OS seems to be a mashup of the old AppleTV OS and iOS.” This, he says, means that existing AppleTV hacks (or “frappliances”) may already work. Frappliances are the plug-ins that add functionality to the original AppleTV. Also, all of the iOS software frameworks are present, which could allow hacks to enable video-conferencing, for example (if you could figure out how to hook up a camera) or even let you install the iPad Hulu app.

I suspect that Apple will add apps to the AppleTV in the form of channels, just like the Netflix “channel” that is there already. A jailbroken AppleTV, though, could theoretically run anything that will run on the iPhone or iPad. A final word from Strafach: “The most interesting thing about the new AppleTV OS is that all binaries are marked iPad-compatible. I do wonder what Apple is planning….”

Tuesday, September 28, 2010

Whitepaper: GPU-Assisted Malware

http://dcs.ics.forth.gr/Activities/papers/gpumalware.malware10.pdf

Abstract

Malware writers constantly seek new methods to obfuscate their code so as to evade detection by virus scanners. Two code-armoring techniques that pose significant challenges to existing malicious-code detection and analysis systems are unpacking and run-time polymorphism. In this paper, we demonstrate how malware can increase its robustness against detection by taking advantage of the ubiquitous Graphics Processing Unit. We have designed and implemented unpacking and run-time polymorphism for a GPU, and tested them using existing graphics hardware. We also discuss how upcoming GPU features can be utilized to build even more robust, evasive, and functional malware.

ZeuS Variants Targeting Mobile Banking

Via F-Secure Blog -

There's an interesting Windows+mobile case today involving a ZeuS variant that steals mTANs, using a Symbian (.sis) or Blackberry (.jad) component.

An mTAN is a mobile transaction authentication number, sent via SMS, and is used by some banks as a form of single use one-time password to authorize an online financial transaction. The SMS message may also include transaction data that allows you to ensure that nothing has been modified (via a Man-in-the-Browser attack).

Windows OS based online banking is constantly under attack from phishing, pharming, cross-site scripting, and password stealing trojans. Adding an "outside" device to the process is a useful security countermeasure; one that we thought might be technically challenging enough to dissuade any would-be attackers. However, online security is ever a cat-and-mouse game, and we've often predicted it's only a matter of time before some banking trojan focused on phones.

Enter case Mitmo: S21sec, a digital security services company, posted on their blog on Saturday: ZeuS Mitmo: Man-in-the-mobile. The ZeuS variants they've discovered (which we detect as Trojan-Spy:W32/Zbot.PUA and PUB) ask for mobile phone details and then send an SMS with a download link based on the answers given by the victim.

We've analyzed the Symbian component (which we detect as Trojan:SymbOS/ZeusMitmo.A) and can confirm S21sec's research. The Symbian file, cert.sis, calls itself "Nokia update" and is Symbian Signed for S60 3rd Edition mobile phones.

It is difficult to get the complete picture of this emerging threat vector as the C&C used by the Zbot.PUA is no longer online, but based on the analysis and their configuration files, this attack is not a one-off by some hobbyist. It's been developed by individuals with an excellent understanding of mobile applications and social engineering. We expect that they'll continue its development.

Monday, September 27, 2010

Out of Band Release to Address Microsoft Security Advisory 2416728

http://blogs.technet.com/b/msrc/archive/2010/09/27/out-of-band-release-to-address-microsoft-security-advisory-2416728.aspx

Today we provided advance notification to customers that we will release an out-of-band security update to address the vulnerability discussed in Security Advisory 2416728. The update is scheduled for release tomorrow, Tuesday, September 28, 2010 at approximately 10:00 AM PDT. The bulletin has a severity rating of Important and addresses a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework when used on Windows Server operating systems. Windows desktop systems are listed as affected, but consumers are not vulnerable unless they are running a Web server from their computer.

Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds.

--------------------------------------------------

Patch for ASP.NET Padding Oracle problem coming tomorrow...

Visualizing the Hosting Patterns of Modern Cybercriminals

http://www.sans.org/reading_room/whitepapers/dns/visualizing-hosting-patterns-modern-cybercriminals_33498

The Domain Name Service (DNS) forms the basis of all Internet hosting for companies, individuals and criminals alike. Passive DNS logging provides a domain history, linking it not only to Internet Protocol (IP) addresses, but to domain registrars, ISPs and geographic locations. This paper will demonstrate the applied utility of passive DNS records through pivots, relationships to Internet Service Providers (ISPs), and the power of link-nodal visualization. It will also show how 'bullet-proof' hosters layer their products from their legitimate bases of operations, package them, and provide resiliency to illegitimate purposes. The ultimate goal of the analysis, beyond education of how illicit hosting works, is to provide techniques for incident responders to employ in making intelligent decisions when selecting the most useful combination of layered defense techniques, either for efficiency or completeness, against an identified, mapped threat.
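An added example of the pivoting the abstract refers to (my code, not the paper's): breadth-first pivoting from a seed domain through its resolved addresses to co-hosted names, with a fan-out cap so shared hosting or CDN addresses do not swamp the graph, then a per-provider summary of where the cluster sits. The records and the prefix-to-ASN table are constructed from RFC 5737 documentation ranges; the names and providers are invented.

```python
"""Passive-DNS pivoting over constructed records (RFC 5737 documentation
ranges; every name, ASN and provider below is invented). Added example of the
technique the SANS paper describes, not the paper's own tooling."""
import ipaddress
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class PdnsRecord:
    rrname: str      # queried name
    rdata: str       # answer (A record: an IPv4 address)
    first_seen: str  # first date the pairing was observed
    last_seen: str   # last date it was observed


# Constructed log: two fake abuse names hop between two addresses in the same
# provider, one of them also spent a month on a busy shared-hosting address.
RECORDS = [
    PdnsRecord("bad-pharmacy.example", "192.0.2.10", "2010-08-01", "2010-08-20"),
    PdnsRecord("bad-pharmacy.example", "198.51.100.7", "2010-08-21", "2010-09-25"),
    PdnsRecord("cheap-pills.example", "192.0.2.10", "2010-08-05", "2010-09-25"),
    PdnsRecord("cheap-pills.example", "203.0.113.50", "2010-07-01", "2010-07-31"),
    PdnsRecord("login-update.example", "198.51.100.7", "2010-09-01", "2010-09-25"),
    PdnsRecord("login-update.example", "198.51.100.9", "2010-09-10", "2010-09-25"),
    PdnsRecord("unrelated.example", "203.0.113.5", "2010-01-01", "2010-09-25"),
    # a shared-hosting address serving many unrelated names (low pivot value)
    *[PdnsRecord(f"site{i}.example", "203.0.113.50", "2010-01-01", "2010-09-25")
      for i in range(30)],
]

# Constructed prefix -> (ASN, provider) table standing in for a BGP/whois lookup
ASN_TABLE = {
    "192.0.2.0/24": ("AS64496", "ShadyHost LLC"),
    "198.51.100.0/24": ("AS64496", "ShadyHost LLC"),
    "203.0.113.0/24": ("AS64500", "BigCloud Inc"),
}


def asn_for(ip: str) -> Tuple[str, str]:
    addr = ipaddress.ip_address(ip)
    for prefix, owner in ASN_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return owner
    return ("AS?", "unknown")


def index(records: List[PdnsRecord]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Forward (name -> addresses) and reverse (address -> names) indexes."""
    by_name: Dict[str, Set[str]] = {}
    by_ip: Dict[str, Set[str]] = {}
    for r in records:
        by_name.setdefault(r.rrname, set()).add(r.rdata)
        by_ip.setdefault(r.rdata, set()).add(r.rrname)
    return by_name, by_ip


def pivot(records: List[PdnsRecord], seed: str, max_hops: int = 2,
          max_fanout: int = 20) -> Dict[str, object]:
    """Breadth-first pivot: name -> its addresses -> other names on them -> ...
    Addresses serving more than max_fanout names (shared hosting, CDNs) are
    kept as nodes but not pivoted through, so the graph stays meaningful."""
    by_name, by_ip = index(records)
    names: Set[str] = {seed}
    ips: Set[str] = set()
    edges: List[Tuple[str, str]] = []   # (name, address) pairs for visualization
    skipped: Set[str] = set()
    queue = deque([(seed, 0)])
    while queue:
        name, hops = queue.popleft()
        for ip in sorted(by_name.get(name, ())):
            edges.append((name, ip))
            if ip in ips:
                continue
            ips.add(ip)
            if len(by_ip[ip]) > max_fanout:
                skipped.add(ip)
                continue
            if hops + 1 > max_hops:
                continue
            for other in sorted(by_ip[ip]):
                if other not in names:
                    names.add(other)
                    queue.append((other, hops + 1))
    return {"names": names, "ips": ips, "edges": edges, "skipped": skipped}


def provider_summary(ips: Set[str]) -> Dict[str, int]:
    """Count cluster addresses per ASN/provider to show where it is layered."""
    summary: Dict[str, int] = {}
    for ip in ips:
        asn, provider = asn_for(ip)
        key = f"{asn} {provider}"
        summary[key] = summary.get(key, 0) + 1
    return summary
```

Pivoting from `bad-pharmacy.example` pulls in the two co-hosted names and shows three of the four addresses inside one provider, while the busy shared-hosting address is reported but not expanded.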

---------------------------------------------------------------------------------------------

Note: You have to add .pdf on the end of the file. Not sure why SANS Reading room can't get that right, but whatever.

ZeuS Mitmo: Man-in-the-Mobile

http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html (Part 1)

All of you who follow this blog already know that we've been tracking ZeuS for many years. We have seen many improvements in its features (injection, JavaScript, Jabber, VNC, etc.), but recently there have been some new additions that can be the next big milestone: the mobile world.

The reason is pretty obvious; many companies (not only financial institutions) are using SMS as a second authentication vector, so having both the online username and password is not enough in the identity theft process. There are some social engineering techniques in the wild that try to handle this issue by luring the user; the user thinks he is doing a specific operation, but in fact he is doing another, forged one (man-in-the-browser, JabberZeus, etc.)
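An added model of the transaction-bound mTAN scheme described in this post and in the F-Secure entry above (my code, not F-Secure's, S21sec's or any bank's; the HMAC construction, six-digit format, stateless confirm request and IBANs are assumptions): the code is derived from the transaction details, the SMS repeats those details, and each challenge is consumed once, which is why a browser-side swap of the destination fails and why the attacker needs the phone.

```python
"""Server-side model of an SMS mTAN bound to the transaction it authorizes.
Constructed example: HMAC-based code, 6-digit HOTP-style truncation and the
IBANs are assumptions, not any bank's scheme."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Transfer:
    source_account: str
    dest_iban: str
    amount_cents: int


class MtanService:
    """Issues one-shot codes derived from (nonce, transaction) with HMAC."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending: Dict[str, str] = {}   # challenge id -> nonce

    def _code(self, nonce: str, t: Transfer) -> str:
        # Every field that matters is in the MAC input, so a code issued for one
        # destination or amount is useless for another.
        msg = f"{nonce}|{t.source_account}|{t.dest_iban}|{t.amount_cents}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        offset = digest[-1] & 0x0F                      # HOTP-style dynamic truncation
        num = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{num % 1_000_000:06d}"

    def issue(self, t: Transfer) -> Tuple[str, str]:
        """Return (challenge_id, sms_text). The SMS repeats the details the bank
        actually received, so the user can compare them with what the browser
        showed: a man-in-the-browser can rewrite the page but not this message."""
        challenge = secrets.token_hex(8)
        nonce = secrets.token_hex(8)
        self._pending[challenge] = nonce
        sms = (f"Transfer of {t.amount_cents / 100:.2f} to {t.dest_iban}: "
               f"mTAN {self._code(nonce, t)}")
        return challenge, sms

    def confirm(self, challenge: str, t_to_execute: Transfer, entered: str) -> bool:
        """Accept only if the code matches the transfer about to be executed.
        The challenge is consumed on first use, so a captured code cannot be
        replayed later."""
        nonce = self._pending.pop(challenge, None)
        if nonce is None:
            return False
        expected = self._code(nonce, t_to_execute)
        return hmac.compare_digest(expected, entered)


def extract_code(sms: str) -> str:
    """What the user (or malware on the phone) reads off the SMS."""
    return sms.rsplit(" ", 1)[1]


def demo() -> Dict[str, bool]:
    """Honest use, replay, a browser-side destination swap, and the SMS
    revealing a swapped destination. Accounts and IBANs are constructed."""
    svc = MtanService(secrets.token_bytes(32))
    legit = Transfer("DE00 0000 0000", "DE89 3704 0044 0532 0130 00", 15000)
    hijacked = Transfer("DE00 0000 0000", "LT12 1000 0111 0100 1000", 15000)
    results: Dict[str, bool] = {}
    ch, sms = svc.issue(legit)
    code = extract_code(sms)
    results["honest"] = svc.confirm(ch, legit, code)
    results["replay"] = svc.confirm(ch, legit, code)            # second use fails
    ch2, sms2 = svc.issue(legit)
    results["mitb_swap"] = svc.confirm(ch2, hijacked, extract_code(sms2))
    ch3, sms3 = svc.issue(hijacked)                              # swapped before issue
    results["sms_shows_real_dest"] = hijacked.dest_iban in sms3  # user can spot it
    return results
```

The last case is the one a Windows-only trojan cannot hide, which is exactly why the Mitmo component reads the SMS on the handset instead.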


----------------------------------------------------------------------------------------------------

Part 2 - http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-iii.html
Part 3 - http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-iii.html

According to this VirusTotal.com report from today (9/27/2010), only one AV engine detects the malware.

Looks like F-secure just added this detection today as well.

My gut would tell me that the detection rate might be skewed due to the lack of mobile AV by many of the vendors.

Microsoft DRM Technology (msnetobj.dll) ActiveX Multiple Remote Vulnerabilities

http://www.exploit-db.com/exploits/15061/

# Vulnerability Discovered By Asheesh kumar Mani Tripathi
# email informationhacker08@gmail.com
# company www.aksitservices.co.in
# Credit by Asheesh Anaconda
# Date 18th Sep 2010

# Description: Microsoft DRM technology (msnetobj.dll) ActiveX suffers from multiple remote vulnerabilities such as buffer overflow, integer overflow and denial of service (IE crash). This issue is triggered when an attacker convinces a victim user to visit a malicious website.

The "GetLicenseFromURLAsync" function does not handle input correctly. Remote attackers may exploit this issue to execute arbitrary machine code in the context of the affected application, facilitating the remote compromise of affected computers. Failed exploit attempts likely result in browser crashes.

Stuxnet Update: Iran Confirms Infections

Via H-Online.com -

The head of the Bushehr nuclear plant has confirmed that Stuxnet did infect the plant in Southern Iran, but that staff personal computers were primarily affected. An IT security team is reported to be in place checking computers and removing the malware. Mahmoud Jafari told the Iranian IRNA news agency, "We have not had any problems with the computer system which have affected work in the plant itself."

A day earlier, an IT expert at the Ministry for Industries and Mines had stated that thousands of computers in industrial facilities in Iran were infected by the malware. According to experts at the Iranian Mehr agency, a total of 30,000 computers are affected. Many of the control systems used in Iranian industrial plant are manufactured by German company Siemens.

[...]

In recent days, there have been repeated reports that the Stuxnet malware is specifically targeted at the Iranian nuclear programme, although this remains unconfirmed. The Tehran based ISNA agency has reported that the Iranian nuclear authorities are looking for ways to remove the trojan. Other Iranian media sources report that a number of ministries have formed a joint working group to fight the virus.

----------------------------------------------------------------------------------------------

Stuxnet Infection of Step 7 Projects
http://www.symantec.com/connect/blogs/stuxnet-infection-step-7-projects

Our research has also uncovered another method of propagation that impacts Step7 project folders, causing one to unknowingly become infected when opening an infected project folder that may have originated from a third party.

[...]

Stuxnet monitors Step7 projects (.S7P files) being worked on by hooking CreateFile-like APIs of specific DLLs within the s7tgtopx.exe process (the Simatic manager). Any project encountered by the threat in this way may be infected. Analysis additionally shows that projects inside Zip archives may also be infected through the same method.


-----------------------------------------------------------------------------------------------

NYTimes - A Silent Attack, But Not a Subtle One
http://www.nytimes.com/2010/09/27/technology/27virus.html

One big question is why its creators let the software spread widely, giving up many of its secrets in the process.

One possibility is that they simply did not care. Their government may have been so eager to stop the Iranian nuclear program that the urgency of the attack trumped the tradecraft techniques that traditionally do not leave fingerprints, digital or otherwise.

While much has been made in the news media of the sophistication of Stuxnet, it is likely that there have been many other attacks of similar or even greater sophistication by intelligence agencies from many countries in the past. What sets this one apart is that it became highly visible.

Security specialists contrast Stuxnet with an intrusion discovered in the Greek cellphone network in March 2005. It also displayed a level of skill that only the intelligence agency of some foreign power would have.

Sunday, September 26, 2010

Early Stuxnet Variants Used 'Cunning' Hack of AutoRun to Spread

Via Threatpost.com -

Early versions of the Stuxnet worm used a novel and cunning method to manipulate the Windows Autorun feature in order to spread, according to information published by a Symantec researcher who helped analyze the worm after it was first identified.

Writing on the Symantec Connect blog, Symantec researcher Liam O Murchu detailed one method that early instances of the worm used to infect machines from infected USB drives that many security researchers believe were used to propagate the worm. The information provides new indication about the sophistication of the threat, as well as its evolution over time.

[...]

Security experts initially focused on Stuxnet's use of an until-then unknown flaw in the way Windows parses desktop shortcut (LNK format) files to spread from infected USBs to host systems. Microsoft published a tool to fix the LNK vulnerability in July.

However, O Murchu reveals in his blog post that the addition of the LNK exploit was a later development in the life of the worm - dating to approximately March, 2010. Earlier versions of the worm used a different method to jump from USB drives to vulnerable Windows systems, which O Murchu describes as a 'cunning' misappropriation of the AutoRun feature, a standard component on Windows systems since Windows 95 that allows application developers to dictate a series of actions that will take place when external media like CD ROMs, DVDs or USB flash drives are inserted into systems running Windows.

The Stuxnet authors did not discover a vulnerability in AutoRun, O Murchu wrote. Instead, they discovered a flaw in the way the function processes instructions from autorun.inf files. That flaw allowed the Stuxnet authors to craft an autorun.inf file that contained both legitimate AutoRun commands and the malicious executable. The finished file could be interpreted as either an executable file or as a correctly formatted autorun.inf file, O Murchu wrote. Thus the autorun.inf file would allow the USB drive to load on the Windows system, and launch the Stuxnet payload on the system, he said. If that failed, the authors also planted a bogus "Open" command on the context (or right-click) menu for the USB drive. Users who activated the context menu and clicked on the bogus Open command would launch the Stuxnet malware invisibly in the background, O Murchu wrote.

[...]

O Murchu's post is also ahead of presentations by O Murchu and Kaspersky Lab researcher Alexander Gostev at the annual Virus Bulletin Conference in Vancouver that will divulge further details about the inner workings of the worm. At least two of the previously undisclosed, or "zero day" vulnerabilities used by Stuxnet to take control of systems are still unpatched and little is known about them.

Saturday, September 25, 2010

FARC Rebel Commander "Mono Jojoy" Killed by Colombian Army

Via Colombia Reports -

Top FARC commander "Mono Jojoy" was killed by Colombian state forces. President Juan Manuel Santos confirmed the death of the rebel leader from New York City, where he is attending the U.N. General Assembly.

The head of the FARC's Eastern Bloc and member of its Secretariat was killed in a massive air strike in a region called La Macarena in the central Colombian Meta department, 120 miles south of Bogota.

Some 20 other guerrillas were killed and five members of the security forces were injured in the attack, the government's Defense Minister Rodrigo Rivera said.

Mono Jojoy, also known as "Jorge Briceño Suárez," but born under the name Victor Julio Suarez Rojas, was thought to be the group's second-in-command, and military leader of virtually all guerrillas in the rebels' war with the state.

Mono Jojoy was considered a hardliner within the command structure of the country's largest guerrilla group. He was responsible for holding hostages including politicians, policemen, and soldiers. The veteran guerrilla had a $1.3 million reward on his head, and 62 arrest warrants against him. The United States had requested his extradition to face drug trafficking charges.


----------------------------------------------------------------------------------------------------------------------

Víctor Julio Suárez Rojas (aka Jorge Briceño Suárez aka Mono Jojoy)
http://en.wikipedia.org/wiki/V%C3%ADctor_Julio_Su%C3%A1rez_Rojas

----------------------------------------------------------------------------------------------------------------------

According to publico.es (my own re-write below)...

Colombian intelligence intercepted a communication from FARC rebels ordering a special shoe for Mono Jojoy, who was suffering from sores on his feet due to diabetes. Security forces gained access to the item before it was delivered and a GPS tracking system was installed.

The system transmitted a signal for several days and was used to pinpoint Mono Jojoy to a specific camp, which was bombed early Wednesday.

Censorship of The Economist: Blacked Out

http://www.economist.com/node/17082677?fsrc=scn/tw/te/dc/blackedout

Since January 2009 The Economist has been banned or censored in 12 of the 190-odd countries in which it is sold, with news-stand (as opposed to subscription) copies particularly at risk. India, the only democracy on our list, has censored 31 issues and at first glance might look like the worst culprit. However its censorship consists of stamping “Illegal” on maps of Kashmir because it disputes the borders shown. China is more proscriptive. Distributors destroy copies or remove articles that contain contentious political content, and maps of Taiwan are usually blacked out. In Sri Lanka both news-stand and subscription copies with coverage of the country may be confiscated at customs. They are then released a couple of weeks later (sometimes sooner if the story is also reported by another news outlet). In Malaysia the information ministry blacks out some stories that it judges may offend Muslims, among other things. And in Libya, four consecutive editions were confiscated in late August/early September 2009, the first of which featured a piece critical of Muammar Qaddafi.

Images can also prompt action. The cover of last year's Christmas issue showing Adam and Eve was censored in five countries. Malaysian officials covered up Eve's breasts. Pakistan objected to the depiction of Adam, which it said broke a prohibition on depicting Koranic figures.

Friday, September 24, 2010

BioCurious: A Hackerspace for Biotech

http://www.kickstarter.com/projects/1040581998/biocurious-a-hackerspace-for-biotech-the-community

Glad to see the project has been fully funded. Very cool idea.

Google Warning Gmail Users on China Spying Attempts

Via Threatpost.com -

Google is using automated warnings to alert users of its GMAIL messaging service about widespread attempts to access personal mail accounts from Internet addresses in China. The warnings may indicate wholesale spying by the Chinese government a year after the Google Aurora attacks or simply random attacks. Victims include one leading privacy activist.

Warnings appeared when users logged onto Gmail, encountering a red banner reading "Your account was recently accessed from China," and providing a list of IP addresses used to access the account. Users were then encouraged to change their password immediately. Based on Twitter posts, there doesn't seem to be any pattern to the accounts that were accessed, though one target is a prominent privacy rights activist in the UK who has spoken out against the Chinese government's censorship of its citizens.

A Google spokesman declined to comment on the latest warnings specifically. The company has been issuing similar warnings since March when it introduced features to identify suspicious account activity.

[...]

It's not clear how the accounts were compromised. It is known that Google and its GMAIL messaging system, along with the networks of other high profile U.S. and European firms, were the targets of attackers believed to be affiliated with the Chinese Military. Those attacks, code named "Aurora," temporarily caused a rift in relations between the search giant and the Chinese government, with Google suspending all filtering of its search results in China. Recently, experts have warned that a new round of attacks similar to the original Aurora attacks had been detected, though it's unclear if the e-mail hacking is related to that wave of activity.

Hanff, along with other users, said he appreciated the warning.

"For once google did something ethical. I was surprised to see that," he told Threatpost.com. However, Hanff said offering a feature to limit account access by IP address would do more to remove the threat of attacks such as the one his account suffered.

Thursday, September 23, 2010

ESET Whitepaper: Stuxnet Under the Microscope

http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

This report is devoted to the analysis of the notorious Stuxnet worm (Win32/Stuxnet) that suddenly attracted the attention of virus researchers this summer. This report is primarily intended to describe targeted and semi-targeted attacks, and how they are implemented, focusing mainly on the most recent, namely Stuxnet. This attack is, however, compared to the Aurora attack, outlining the similarities and differences between the two attacks.

The paper is structured as follows. In the first section we introduce the targeted attacks and their common characteristics and goals. In this section we present a comparison of two attacks: Stuxnet vs. Aurora. The second section contains some general information on SCADA (Supervisory Control And Data Acquisition) systems and PLCs (Programmable Logic Controllers) as Stuxnet’s primary targets. The third section covers the distribution of the Stuxnet worm. Here we describe vulnerabilities that it exploits to infect the target machine. The next section describes the implementation of Stuxnet: user-mode and kernel-mode components, RPC Server and their interconnection. We also describe the remote communication protocol that it uses to communicate with the remote C&C.

FBI Investigating 'Here You Have' Worm

Via PC World -

The FBI has launched an investigation into the "Here you have" worm, which disrupted corporate e-mail systems in the U.S. two weeks ago.

Representatives from the FBI's Miami field office spoke with IDG News Service this week seeking information on the hacker behind the worm. A hacker using the name Iraq Resistance has exchanged a number of e-mails with IDG over the past two weeks discussing the incident.

"Here you have" was a big deal in North America, temporarily gumming up e-mail systems in large organizations such as Disney, Procter & Gamble and NASA. On the day it was unleashed it accounted for between 6 percent and 14 percent of all spam on the Internet, according to Cisco Systems.


-------------------------------------------------------------------------------------------------------------------------

Me and Iraq Resistance -- a conversation with a worm author
http://blogs.csoonline.com/1263/me_and_iraq_resistance_a_conversation_with_a_worm_author

On Sept. 9 the "Here you have" worm started spreading and many antivirus researchers immediately felt like they were getting a blast from the past. Even the worm's subject line, "Here you have" was lifted from the Anna Kournikova virus. And as with past old-school outbreaks, "Here you have's" author is happy for whatever publicity he can get to promote his criticism of the U.S. war in Iraq and a planned public burning of the Koran -- which seems to have inspired the worm in the first place. He's posted a YouTube video, and he seems happy to answer emails sent to his Yahoo address.

Here's what he's told me over the past few weeks. Most of these e-mails were sent just after the worm was released.


---------------------------------------------------------------------------------------------------------------------------

SecureWorks: Win32/Visal.B Email Worm Post-Mortem Analysis
http://www.secureworks.com/research/threats/visal-b/

SecureWorks: Here You Have Worm and E-Jihad Connection
http://www.secureworks.com/research/blog/index.php/2010/09/13/here-you-have-worm-and-e-jihad-connection/

Kremlin Bans Sale of S-300 Missile Systems to Iran

Via BBC (Sept 22, 2010) -

The Kremlin has formally banned the sale of S-300 air defence missile systems to Iran three months after new UN sanctions. A decree was issued by President Dmitry Medvedev prohibiting the sale, which had been in the pipeline for years.

Earlier, Gen Nikolai Makarov, head of Russia's general staff, confirmed that the missiles were "definitely" subject to the sanctions introduced in June. At that time, Russia's foreign minister said the S-300 deal was not affected.

[...]

Mr Medvedev's decree, published on the Kremlin website, lists the S-300 among military items which must not be exported to Iran under the fourth round of sanctions imposed by the UN Security Council on Iran over its nuclear programme.

"The decision has been taken not to supply S-300 [systems] to Iran," Gen Makarov said at Ramenskoye airport outside Moscow, shortly before the decree was published.

"They are definitely subject to sanctions."

Asked if Russia had torn up its contract with Iran, he replied: "We'll see. That will depend on how Iran behaves."

Back in June Foreign Minister Sergei Lavrov said the new sanctions would not affect the S-300 contract. However, shortly afterwards, Prime Minister Vladimir Putin was quoted by French media as saying the sale had been suspended.


------------------------------------------------------------------------------------------------

Why the quasi-flip on the S-300 issue?

http://thecable.foreignpolicy.com/posts/2010/09/23/how_the_obama_team_convinced_russia_not_to_sell_arms_to_iran

A senior [U.S.] administration official, speaking to The Cable on background basis, said Moscow's refusal to sell the S-300 air defense system and various other advanced weaponries was a significant decision, because imposing sanctions on Iran is more costly for Russia than for the United States.

"They've made that very clear to us for the last two years that this is not a symmetrical transaction for them and they don't share the same threat assessment as us vis-a-vis Iran," the official said. "The decision was a bold one that acknowledges how important it is to us and how important Medvedev takes this reset with President Obama."

The officials explained that the Obama administration made clear to Medvedev and other Russian officials that the sale of the S-300 to Iran was a red line that couldn't be crossed, and one that was raised in every high-level meeting between the two countries. Israeli officials did the same in meetings with their Russian counterparts.

[...]

As for why the Russians finally decided to scuttle the arms deal after years of lobbying by Washington, the official speculated that Moscow now has something it needs -- and that it finally has faith that the U.S. is willing to help. Russia is jockeying for as much U.S. support as possible for their upcoming bid to join the World Trade Organization (WTO), and Moscow is planning to finalize its bid this year.

[...]

Experts, however, are divided on exactly what the Russian announcement means about the success of the reset policy, considering that Russia continues to aid Iran in other ways and remains at odds with the West about their occupation of Georgia.

Wednesday, September 22, 2010

eEye Revives Free Zero-Day Vulnerability Tracker Site

Via DarkReading.com -

eEye Digital Security founder Marc Maiffret's recent return to the company was capped off today with the rerelease of an updated version of the security firm's freebie zero-day vulnerability disclosure and analysis service he once spearheaded.

The new Zero Day Tracker contains the latest zero-day vulnerabilities and analysis on each one -- including some being reported by eEye researchers -- and ways to mitigate and protect against attacks using these bugs. "We're trying to be more of a zero-day historian, if you will. We'll keep track of something we've seen or ZDI [or others] have done," Maiffret says. "This is a completely free public resource."

[...]

eEye will include unpatched bugs on the site, and the bugs it discloses won't include details on how to exploit them until a patch is released, he says.


--------------------------------------------------------------------------------------------

VUPEN has been running a similar service for quite some time.
http://www.vupen.com/english/zerodays/

Both vendors are attempting to sell a product (i.e. eEye Blink and VUPEN Vuln Intel Services), but used together they can provide a nice overview of the threat landscape for administrators that can't keep a constant eye on the wide range of OSINT sources.

VUPEN includes reference links (unlike eEye) but lacks some severity details of the vulnerability (which eEye includes). With the assigned CVEs from VUPEN, information can be cross-referenced with the National Vulnerability Database and Secunia, leading to even more threat intelligence.

With all combined information, it would be trivial for those interested to run over to The Exploit Database and find public exploits for vulnerabilities.

Evercookie - Virtually Irrevocable Persistent Cookies

http://samy.pl/evercookie/

Evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

Evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Specifically, when creating a new cookie, it uses the following storage mechanisms when available:
  • Standard HTTP Cookies
  • Local Shared Objects (Flash Cookies)
  • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
  • Storing cookies in Web History (seriously. see FAQ)
  • HTML5 Session Storage
  • HTML5 Local Storage
  • HTML5 Global Storage
  • HTML5 Database Storage via SQLite
[...]

DOWNLOAD

evercookie is written in JavaScript and additionally uses a SWF (Flash) object for the Local Shared Objects and PHP for the server-side generation of cached PNGs.

v0.1 BETA, released 09/20/2010 - download source here

Monday, September 20, 2010

Company: Drone Program Using Hacked Software

Via AOL News (Sept 17, 2010) -

A lawsuit winding its way through the Massachusetts courts could threaten one of the worst-kept secrets around: the CIA's drone program, which targets high-profile terrorists and insurgents in Pakistan.

Intelligent Integration Systems Inc. (IISI), a Boston software company, is asking a judge to immediately stop customers, including the CIA, from using proprietary geospatial software that it says another company illegally reverse engineered. The request for a legal injunction filed earlier this month was posted Thursday evening by the Narcosphere.com.

At issue is a dispute between IISI, which makes geospatial software, and Netezza, a company that bought the software for use on its TwinFin operating platform, which is reportedly used by the CIA, among other customers, according to legal filings.

After a contractual dispute between the two companies, Netezza proceeded to reverse engineer the software and provided a flawed version to the CIA, IISI asserts in its latest filing. "According to Netezza's records, the CIA accepted this 'hack' of Geospatial on October 23, 2009, and put it into operation at that time," the filing says.

[...]

The lawsuit enters some unusual legal ground: Despite numerous reports about its high-profile drone strikes in Pakistan aimed at al-Qaida and Taliban fighters, the CIA has refused to confirm that such a program exists. Thus IISI's assertion that the CIA is using the program, even if true, would be hard to prove.

It may not matter, however. IISI does not need to prove the CIA is the customer to have the judge grant the injunction. If the judge grants the injunction, however, it's not clear what impact it might have on the CIA drone program, but it would presumably force the agency, and any other customers, to switch to other software.

IISI, for its part, is taking the position that it shouldn't matter who is using the software -- the law is the law.

Understanding the ASP.NET Vulnerability

http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

Our recent advisory describes an ASP.NET vulnerability which was recently publicly disclosed. This blog post will give you more information about the vulnerability and the workaround. It will also provide a script which will help you detect ASP.NET applications on your server that are in a vulnerable configuration.

The Impact of the Vulnerability

ASP.Net uses encryption to hide sensitive data and protect it from tampering by the client. However, a vulnerability in the ASP.Net encryption implementation can allow an attacker to decrypt and tamper with this data.

But what can the attacker do with this capability? Part of the answer depends on the ASP.Net application being attacked. For example, if the ASP.Net application stores sensitive information, such as passwords or database connection strings, in the ViewState object this data could be compromised. The ViewState object is encrypted and sent to the client in a hidden form variable, so it is a possible target of this attack.

If the ASP.Net application is using ASP.Net 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file within the ASP.Net application. The public disclosure demonstrated using this technique to retrieve the contents of web.config. Any file in the ASP.Net application which the worker process has access to will be returned to the attacker.

Sunday, September 19, 2010

Long Island Man Charged In Times Sq. Bomb Investigation

Via CBS New York (Sept 15, 2010) -

A New York man was arrested Wednesday on charges that he unwittingly funded a Connecticut man’s attempt to bomb Times Square on May 1 by providing unlicensed banking services, an arrest that continues an effort by federal authorities to reduce the illegal flow of money that can finance terrorism.

Mohammad Younis, 44, was accused in an indictment in U.S. District Court in Manhattan of engaging in hawala activities, an informal banking system which relies on wire transfers, couriers and overnight mail. He was arrested at his Long Island home and brought to the courthouse, where he was expected to make an initial appearance. It was not immediately clear who would represent him in court.

A release issued by U.S. Attorney Preet Bharara said Younis provided thousands of dollars in cash on April 10 to two individuals who traveled from Connecticut and New Jersey to meet him on Long Island at the direction of a coconspirator in Pakistan. Authorities said one of the individuals was Faisal Shahzad, who has pleaded guilty to 10 terrorism and weapons counts in connection with the attempted bombing. He is awaiting sentencing.

The release said there were no allegations that Younis was aware of the intended use of the funds.

“By engaging in the alleged conduct, Mohammad Younis unwittingly funded a terror plot that, if successful, would have caused mass casualties in New York City,” Bharara said. “These charges remind us how international terrorists use the cover of informal money transfer systems to avoid detection and to inflict catastrophic harm.”

Younis was charged with conducting an unlicensed money transmitting business between Pakistan and the United States and conspiracy to do so. Both charges carry a potential of up to five years in prison.


-----------------------------------------------------------------------

Wikipedia - Hawala: How Hawala Works
http://en.wikipedia.org/wiki/Hawala#How_Hawala_works

Siemens: Stuxnet Can Manipulate PLCs on Specific Types of Systems

Via H-Online -

Siemens is reporting that industrial plants in Germany have also been hit by the Stuxnet worm. According to Wieland Simon, press spokesperson at Siemens, approximately one third of the 15 infections discovered at industrial plants worldwide have been found at sites in the German process industry sector. Siemens' own plants are said not to be affected.

Analyses by Siemens have reportedly confirmed that Stuxnet can, in theory, manipulate Programmable Logic Controllers (PLCs). However, this behaviour has so far not been observed in the wild. According to Simon, Stuxnet checks the configurations of infected WinCC or PC7 systems for existing data blocks. If it finds suitable blocks, it becomes active and modifies the controller code. If it doesn't find any, it remains inactive. The worm seems to look for specific types of systems to manipulate. Siemens couldn't provide any details about which systems precisely are or could be affected. Simon added that no system with an active worm has so far been observed.

On their web site, automation system security specialists Langner Communications have released a more detailed analysis of how Stuxnet manipulates PLCs. According to this analysis, the worm injects arbitrary code when transmitting blocks of code to the PLC. To compromise data transmissions, it diverts the data via a wrapper DLL before submitting it to the SIMATIC Device Operating System's original s7otbxdx.dll library for processing.


----------------------------------------------------------------------

The analysis by Langner is awesome stuff. They basically come to the same conclusion as many in the community: the attackers 1) have heavy inside knowledge, 2) are highly skilled, 3) are going after a target they deem high-value and 4) don't care about getting caught and going to jail.

So what types of physical systems was Stuxnet targeting?

Someone knows and that knowledge might offer a clue into why Stuxnet was built and who might be behind it.

Sadly, the public may never know that answer.

MI5: Somalia, Yemen Pose Increasing Threat to Security

Via globalsecurity.org (Sept 17, 2010) -

The head of Britain's security services has said al-Qaida plots targeting Britain are increasingly originating from Somalia and Yemen. He described Somalia as a "seedbed for terrorism" and said it resembles Afghanistan during the 1990s.

Jonathan Evans, director-general of Britain's domestic security service, MI5, said Britain's counter-terrorism strategies are getting better but the risk of lethal terror attacks remains.

Speaking Thursday evening to security industry professionals, Evans said that the nature of the threat is evolving.

Just a few years ago, he said, 75 percent of suspected terror threats were originating from northwest Pakistan, but today that percentage has dropped to 50 percent.

Now, he said, the threat to Britain's security is increasingly coming from elsewhere, namely from the African countries Yemen and Somalia.

Wyn Rees, Professor of International Security at Britain's University of Nottingham, agrees.

"By fighting against and driving al-Qaida out of a country like Afghanistan, it has effectively spread, it's been weakened, but it has gone to other parts of the world," said Rees.


-----------------------------------------------------------------------------------

AEI: Critical Threats - Somalia
http://www.criticalthreats.org/somalia

AEI: Critical Threats - Yemen
http://www.criticalthreats.org/yemen/

Saturday, September 18, 2010

Understanding the HDCP Master Key Leak

Via Freedom to Tinker (Sept 16, 2010) -

On Monday, somebody posted online an array of numbers which purports to be the secret master key used by HDCP, a video encryption standard used in consumer electronics devices such as DVD players and TVs. I don't know if the key is genuine, but let's assume for the sake of discussion that it is. What does the leak imply for HDCP's security? And what does the leak mean for the industry, and for consumers?

HDCP is used to protect high-def digital video signals "on the wire," for example on the cable connecting your DVD player to your TV. HDCP is supposed to do two things: it encrypts the content so that it can't be captured off the wire, and it allows each endpoint to verify that the other endpoint is an HDCP-licensed device. From a security standpoint, the key step in HDCP is the initial handshake, which establishes a shared secret key that will be used to encrypt communications between the two devices, and at the same time allows each device to verify that the other one is licensed.

[...]

Now we can understand the implications of the master key leaking. Anyone who knows the master key can do keygen, so the leak allows everyone to do keygen. And this destroys both of the security properties that HDCP is supposed to provide. HDCP encryption is no longer effective because an eavesdropper who sees the initial handshake can use keygen to determine the parties' private keys, thereby allowing the eavesdropper to determine the encryption key that protects the communication. HDCP no longer guarantees that participating devices are licensed, because a maker of unlicensed devices can use keygen to create mathematically correct public/private key pairs. In short, HDCP is now a dead letter, as far as security is concerned.

[...]

The impact of HDCP's failure on consumers will probably be minor. The main practical effect of HDCP has been to create one more way in which your electronics could fail to work properly with your TV. This is unlikely to change. Mainstream electronics makers will probably continue to take HDCP licenses and to use HDCP as they are now. There might be some differences at the margin, where manufacturers feel they can take a few more liberties to make things work for their customers. HDCP has been less a security system than a tool for shaping the consumer electronics market, and that is unlikely to change.
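As an added example (not from the Freedom to Tinker post), here is the handshake algebra behind the claims above, modelled on the published structure of HDCP v1 keys: the master key is a symmetric 40x40 matrix of 56-bit entries, each device has a public 40-bit KSV with exactly 20 bits set plus 40 private keys derived from the matrix, and the shared secret Km is the sum (mod 2^56) of a device's private keys selected by the peer's KSV. The matrix below is randomly constructed for the demo; it is not the leaked key, and the `symmetric=False` switch exists only to show that symmetry is what makes both endpoints agree.

```python
import random

N_KEYS = 40        # HDCP v1: 40 device keys, selected by a 40-bit KSV
KEY_BITS = 56      # device keys and the handshake secret Km are 56-bit values
MOD = 1 << KEY_BITS
KSV_WEIGHT = 20    # a valid KSV has exactly 20 of its 40 bits set


def make_master_matrix(rng, symmetric=True):
    """Constructed stand-in for the secret master key: a 40x40 matrix of 56-bit entries.
    Real HDCP keys come from a symmetric matrix; symmetric=False is only here to show
    that the symmetry is what makes the two endpoints of a handshake agree."""
    m = [[rng.getrandbits(KEY_BITS) for _ in range(N_KEYS)] for _ in range(N_KEYS)]
    if symmetric:
        for i in range(N_KEYS):
            for j in range(i):
                m[i][j] = m[j][i]
    return m


def make_ksv(rng):
    """Public key selection vector: 40 bits with exactly 20 set (constructed at random here)."""
    return sum(1 << b for b in rng.sample(range(N_KEYS), KSV_WEIGHT))


def ksv_indices(ksv):
    idx = [i for i in range(N_KEYS) if ksv >> i & 1]
    if len(idx) != KSV_WEIGHT:
        raise ValueError("KSV must have exactly 20 bits set")
    return idx


def keygen(master, ksv):
    """Derive a device's 40 private keys from its public KSV:
    private[j] = sum over the set bits i of the KSV of master[i][j], mod 2^56.
    Only a holder of the master matrix can do this, which is the whole licensing model."""
    rows = ksv_indices(ksv)
    return [sum(master[i][j] for i in rows) % MOD for j in range(N_KEYS)]


def handshake_km(own_private, peer_ksv):
    """Km as each endpoint computes it: add its own private keys selected by the peer's KSV.
    Only the two public KSVs cross the wire."""
    return sum(own_private[j] for j in ksv_indices(peer_ksv)) % MOD


def km_from_public_values(master, ksv_a, ksv_b):
    """What a master-key holder can do with nothing but the two KSVs seen in a handshake:
    regenerate one side's private keys and finish the computation. This is why the leak
    voids the on-the-wire encryption, and why no key revocation can repair it."""
    return handshake_km(keygen(master, ksv_a), ksv_b)


def demo(seed=2010, symmetric=True):
    rng = random.Random(seed)
    master = make_master_matrix(rng, symmetric)
    ksv_src, ksv_snk = make_ksv(rng), make_ksv(rng)
    priv_src, priv_snk = keygen(master, ksv_src), keygen(master, ksv_snk)
    km_src = handshake_km(priv_src, ksv_snk)
    km_snk = handshake_km(priv_snk, ksv_src)
    # A brand-new "licensed" identity needs nothing but the master matrix and any 20-of-40 KSV.
    ksv_new = make_ksv(rng)
    priv_new = keygen(master, ksv_new)
    return {
        "endpoints_agree": km_src == km_snk,
        "master_recovers_km": km_from_public_values(master, ksv_src, ksv_snk) == km_src,
        "fresh_device_interoperates":
            handshake_km(priv_new, ksv_src) == handshake_km(priv_src, ksv_new),
    }


if __name__ == "__main__":
    print("symmetric master:", demo())
    print("asymmetric master:", demo(symmetric=False))
```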

Microsoft Security Advisory Released - 'Padding Oracle' ASP.NET Vulnerability

http://www.microsoft.com/technet/security/advisory/2416728.mspx

Microsoft is investigating a new public report of a vulnerability [CVE-2010-3332] in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.

-----------------------------------------------------------------------------------------

'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310

Demo of ASP.NET Padding Oracle Attack (POET vs ASP.NET)
http://threatpost.com/en_us/blogs/demo-aspnet-padding-oracle-attack-091710

------------------------------------------------------------------------------------------

Padding Oracle Exploit Tool (POET)
http://netifera.com/research/
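An added example (not from the Microsoft post or the advisory) modelling the two ASP.NET posts above: a server that decrypts CBC state and answers one way for "padding invalid" and another way for "content invalid" gives a client an oracle, while a server that authenticates the ciphertext before decrypting and returns a single uniform failure does not. The keys, the `uid=` prefix, the fixed IV and the toy Feistel block cipher are all constructed for the demo and stand in for the real cipher and state format.

```python
import hashlib
import hmac

BLOCK = 16
PREFIX = b"uid="                     # constructed: decrypted state must start with this
ENC_KEY = b"constructed-enc-key"     # constructed demo keys, not real material
MAC_KEY = b"constructed-mac-key"
IV = bytes(range(BLOCK))             # fixed so the demo is deterministic; use a random IV in practice


class PaddingError(Exception):
    pass


def _f(key, half, rnd):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    # Toy 4-round Feistel permutation standing in for AES (constructed; not a real cipher).
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, r, rnd)))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _f(key, l, rnd))), l
    return l + r


def pad(data):                       # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError
    return data[:-n]


def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += bytes(a ^ b for a, b in zip(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return out


def make_token(plaintext, with_mac):
    body = IV + cbc_encrypt(ENC_KEY, IV, pad(plaintext))
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest() if with_mac else body


def vulnerable_service(token):
    """Decrypt, strip padding, then validate: each failure mode gets its own response,
    so a client that only sees responses can tell a padding error from any other error."""
    try:
        pt = unpad(cbc_decrypt(ENC_KEY, token[:BLOCK], token[BLOCK:]))
    except PaddingError:
        return 500, "Padding is invalid and cannot be removed."
    if not pt.startswith(PREFIX):
        return 400, "Bad request"
    return 200, "OK"


def hardened_service(token):
    """Authenticate IV||ciphertext before touching the cipher, and make every failure identical."""
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, body, hashlib.sha256).digest(), tag):
        return 500, "Error"
    try:
        pt = unpad(cbc_decrypt(ENC_KEY, body[:BLOCK], body[BLOCK:]))
    except PaddingError:
        return 500, "Error"          # unreachable for forged input; kept for defence in depth
    return (200, "OK") if pt.startswith(PREFIX) else (500, "Error")


def tamper(token, offset, mask):
    out = bytearray(token)
    out[offset] ^= mask
    return bytes(out)


def responses_distinguishable(service, with_mac):
    """Defender's check: do two differently broken tokens produce different responses?"""
    token = make_token(PREFIX + b"A" * 27, with_mac)         # 31 bytes -> single 0x01 pad byte
    bad_content = tamper(token, 0, 0xFF)                     # IV byte 0: garbles plaintext byte 0 only
    bad_padding = tamper(token, 2 * BLOCK - 1, 0x01 ^ 0x02)  # turns the pad byte 0x01 into 0x02
    return service(bad_content) != service(bad_padding)
```

Run `responses_distinguishable` against any decrypt-then-validate endpoint you own with its real cipher swapped in; a `True` result is the condition the advisory's error-code observation depends on.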

Stuxnet P2P component

http://www.symantec.com/connect/blogs/stuxnet-p2p-component

Our analysis of Stuxnet has been ongoing for some time now; although we have not posted any information on our blog about it, we have been continuously analyzing the threat since it was discovered earlier this year. Initial investigation into the threat pointed to a command and control infrastructure as the method to control the threat. The command and control servers used were taken offline shortly after this control mechanism was discovered.

Our continued research has revealed that as well as being controlled via a command and control infrastructure, the threat also has the ability to update itself via a peer-to-peer component.

Infected machines contact each other and check which machine has the latest version of the threat installed. Whichever machine has the latest version transfers it to the other machine and in this way the worm is able to update itself without contacting a central command and control server. P2P networks are often used for the very reason that they are difficult to take down as there is no central point of failure. The creators of Stuxnet were aware that they might lose control of their command and control servers so they built in a P2P update function to prepare for that eventuality.

[...]

All of this means that even though the command and control servers for Stuxnet were taken offline some time ago, the attackers may still be capable of updating and controlling the worm via this P2P communication channel.

We are preparing a full technical paper about Stuxnet and will be presenting it at VB 2010 in Vancouver on Sept 29th.

Friday, September 17, 2010

CVE-2010-2884: Flash 0-Day Patched in Chrome 6.0.472.62

http://www.adobe.com/support/security/advisories/apsa10-03.html

We now expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems on Monday September 20, 2010. A fix is now available for Google Chrome users. Chrome users can update to Chrome 6.0.472.62. To verify your current Chrome version number and update if necessary, follow the instructions here. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

-----------------------------------------------------------------------------------------------------------------

Why does Google Chrome have a fix before everyone else?

Brad Arkin, Senior Director, Product Security & Privacy for Adobe Systems, answered just that question on Twitter tonight.

According to Brad, it is simply a question of regression testing.

Remember back in March, when it was announced that Adobe Flash would be built into Google Chrome? Well, this is one of the possible effects...

Chrome is supported on 3 platforms and Adobe Flash supports 60 platforms. Fewer platforms means less testing, which means less time needed for regression testing of patches.

As Brad points out in this tweet, in a 0day situation, Adobe doesn't want to hold back a fix for Chrome users just because it is still testing an updated Adobe Flash Player.

The results? Chrome gets its fix first.

Al Jazeera: The Rageh Omaar Report - From Minneapolis to Mogadishu

Al Jazeera looks at Americans who have traveled to Somalia to wage jihad with Shabaab.

----------------------------------------------------------

Hat-tip to The Long War Journal.

Former Los Alamos Scientist Indicted on Nuclear Charges

Via CNN -

A former Los Alamos National Laboratory nuclear scientist and his wife were indicted Friday on charges of trying to provide nuclear secrets to Venezuela, but U.S. officials stressed the Venezuelan government knew nothing about the plans.

The officials said they have no information from the undercover operation that Hugo Chavez's government has any plans to try to build a nuclear weapon.

Pedro Mascheroni, 75, and Roxby Mascheroni, 67, are U.S. citizens who worked as contractors at Los Alamos in New Mexico, officials said.

In 2008, Mascheroni had a series of conversations with an undercover FBI agent posing as an official of the Caracas government, according to the indictment.

"Mascheroni allegedly said he could help Venezuela develop a nuclear bomb within 10 years and that under his program Venezuela would use a secret underground nuclear reactor to produce and enrich plutonium and an open, above-ground reactor to produce nuclear energy," the Justice Department said.

Pi Record Smashed as Team Finds Two-Quadrillionth Digit

Via BBC -

A researcher has calculated the 2,000,000,000,000,000th digit of pi - and a few digits either side of it. Nicholas Sze, of technology firm Yahoo, determined that the digit - when expressed in binary - is 0.

Mr Sze used Yahoo's Hadoop cloud computing technology to more than double the previous record. The computation took 23 days to complete on 1,000 of Yahoo's computers.

The heart of the calculation made use of an approach called MapReduce originally developed by Google that divides up big problems into smaller sub-problems, combining the answers to solve otherwise intractable mathematical challenges.

At Yahoo, a cluster of 1,000 computers implemented this algorithm to solve an equation that plucks out specific digits of pi.

Thursday, September 16, 2010

Intel Confirms HDCP Master Key for Blu-ray Is Real

Via WUSA9.com (Washington DC) -

A spokesman for Intel confirms the HDCP Master Key for Blu-ray released online, is real.

Tom Waldrop, spokesman for Intel says the company has tested the code, and found it to work.

Waldrop says they believe the code was generated using a computer system, and was not leaked by anyone internally. He says to rip Blu-rays using the code, hardware would have to be created. He says it is costly and he believes it is unlikely anyone will use it to rip Blu-rays.

Waldrop says HDCP will continue to be used in Blu-ray discs and is still a secure way to keep people from pirating the movies.

Symantec Whitepaper: The Rise of PDF Malware

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_rise_of_pdf_malware.pdf

Introduction

The PDF file format has become a popular file format since its release as an open standard. Its portable nature, extensive feature list, and availability of free tools to read and author them have made it a de facto standard for printable documents on the Web. As it gained more popularity among general users, malware authors recognized the opportunity to use PDFs for malicious purposes.

As with Microsoft Office documents in the past, the PDF file format has become a target for malware authors and is currently being widely exploited as a means to deposit malware onto computers. In this paper we discuss the current PDF threat landscape, current vulnerabilities being exploited in PDF documents, methods employed by malware authors, trends seen in malicious PDF usage, outline Symantec’s detection names and their meaning, and discuss various techniques that are being used by malware authors to make detection more difficult. We will also outline some preventative measures users can take to avoid infection.


--------------------------------------------

Hat-tip to Mila Parkour @ the Contagio blog.

Apple Quicktime 7.6.8 - ‘_Marshaled_pUnk’ & DLL Hijack Fixes

Via ZDNet -

Apple has released a critical QuickTime media player update to fix a pair of gaping security holes that expose Windows users to code execution attacks.

The QuickTime 7.6.8 update, available for Windows 7, Windows Vista and Windows XP users, patches vulnerabilities that could be exploited in drive-by downloads (via rigged Web sites) and via booby-trapped image files.

The skinny:
  • An input validation issue exists in the QuickTime ActiveX control. An optional parameter ‘_Marshaled_pUnk’ may be passed to the ActiveX control to specify an arbitrary integer that is later treated as a pointer. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by ignoring the ‘_Marshaled_pUnk’ parameter. This issue does not affect Mac OS X systems.
  • A path searching issue exists in QuickTime Picture Viewer. If an attacker places a maliciously crafted DLL in the same directory as an image file, opening the image file with QuickTime Picture Viewer may lead to arbitrary code execution. This issue is addressed by removing the current working directory from the DLL search path. This issue does not affect Mac OS X systems.
More information in this Apple advisory.

Wednesday, September 15, 2010

ZeuS: Crime or Espionage?

http://www.infowar-monitor.net/2010/08/crime-or-espionage/

ZeuS is a well known crimeware tool kit that is readily available online. The tool allows even the most unskilled to operate a botnet. Typically, Zeus has been associated with banking fraud. Recently, there have been a series of attacks using the Zeus malware that appear to be less motivated by bank fraud and more focused on acquiring data from compromised computers. The themes in the emails — often sent out to .mil and .gov email addresses — focus on intelligence and government issues. After the user receives such an email, and downloads the file referenced in the email, his or her computer will likely (due to the low AV coverage) become compromised by the ZeuS malware used by the attackers and will begin communicating with a command and control server. It will then download an additional piece of malware, an “infostealer”, which will begin uploading documents from the compromised computer to a drop zone under the control of the attackers.

Are these series of attacks connected? Are these events indicating a blurring of the boundaries between online crime and espionage? Or are government and military personnel just another target for online criminal activity?


------------------------------------------------------------------------------------------------------

http://www.infowar-monitor.net/2010/09/crime-or-espionage-part-2/

This post is an overview of a collection of publicly available emails associated with these ongoing series of attacks. These are the socially engineered emails designed to lure potential victims into clicking on and executing the attackers’ malicious code. While the attacks are not targeted down to the individual, or even institutional level, and appear to have been sent to a wide variety of targets, the content of the emails is geared towards those interested in intelligence, military and security issues.

-------------------------------------------------------------------------------------------------------

Additional information:
http://holisticinfosec.blogspot.com/2010/08/is-zeus-apt-or-v3.html
http://blog.trendmicro.com/zeus-variant-targets-us-military-personnel/
http://contagiodump.blogspot.com/2010/08/cve-2010-1240-with-zeus-trojan.html

Tuesday, September 14, 2010

Stuxnet Attackers Used Four Different Windows Zero-Day Exploits

Via ZDNet -

The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into — and spread around — Microsoft’s Windows operating system, according to a startling disclosure from the world’s largest software maker.

Two of the four vulnerabilities are still unpatched.

As new details emerge to shine a brighter light on the Stuxnet attack, Microsoft said the attackers initially targeted the old MS08-067 vulnerability (used in the Conficker attack), a new LNK (Windows Shortcut) flaw to launch exploit code on vulnerable Windows systems and a zero-day bug in the Print Spooler Service that makes it possible for malicious code to be passed to, and then executed on, a remote machine.

The malware also exploited two different elevation of privilege holes to gain complete control over the affected system. These two flaws are still unpatched.


--------------------------------------------------------------------------------------------

The following two vulnerabilities were used by the Stuxnet attackers and are currently patched.

MS10-046 - Vulnerability in Windows Shell Could Allow Remote Code Execution
MS10-061 - Vulnerability in Print Spooler Service Could Allow Remote Code Execution

--------------------------------------------------------------------------------------------

http://www.pcworld.com/businesscenter/article/205420/siemens_stuxnet_worm_hit_industrial_systems.html

A sophisticated worm designed to steal industrial secrets and disrupt operations has infected at least 14 plants, according to Siemens.

[...]

Researchers at Symantec have cracked Stuxnet's cryptographic system, and they say it is the first worm built not only to spy on industrial systems, but also to reprogram them.

Once installed on a PC, Stuxnet uses Siemens' default passwords to seek out and try to gain access to systems that run the WinCC and PCS 7 programs -- so-called PLC (programmable logic controller) programs that are used to manage large-scale industrial systems on factory floors and in military installations and chemical and power plants.

The software operates in two stages following infection, according to Symantec Security Response Supervisor Liam O'Murchu. First it uploads configuration information about the Siemens system to a command-and-control server. Then the attackers are able to pick a target and actually reprogram the way it works. "They decide how they want the PLCs to work for them, and then they send code to the infected machines that will change how the PLCs work," O'Murchu said.

[...]

Stuxnet comes with a rootkit, designed to hide any commands it downloads from operators of the Siemens systems. Because of that, Symantec warns that even if the worm's Windows components are removed, the Siemens software might still contain hidden commands. Symantec advises companies that have been infected to thoroughly audit the code on their PLCs or restore the system from a secure backup, in order to be safe.

Stuxnet has infected systems in the U.K., North America and Korea; however, the largest number of infections, by far, has been in Iran.

The first samples of the Stuxnet code date back to June of 2009, but security experts believe that it probably did not start infecting systems until earlier this year.

Defense contractors and companies with valuable intellectual property have been hit with targeted attacks for years now -- in January Google said it was the target of a sophisticated data-stealing effort known as operation Aurora. But Stuxnet marks the first time that someone has targeted the factory floor.

[...]

"We've definitely never seen anything like this before," O'Murchu said. "The fact that it can control the way physical machines work is quite disturbing."

[...]

Nobody knows who's behind Stuxnet, but recently Kaspersky Lab researcher Roel Schouwenberg said that it was most likely a nation state.

Symantec's O'Murchu agrees that the worm was done by particularly sophisticated attackers. "This is definitely not your typical operation," he said.

Critical Bugs Stop Haystack Anti-Censorship Project

Via H-Online.com -

Good luck finding that needle? Haystack’s certainly not having much luck at the moment. Rather than being needles in a haystack, users of the anti-censorship software are more like beacons in the night. Haystack is intended to enable opponents of the government in Iran to enjoy uncensored access to the internet. The Iranian government blocks web sites such as Facebook, Twitter and news sites. Haystack tries to beat the filters by encrypting data and embedding it in other innocuous connections. A proxy outside Iran then forwards the data to the correct web site and vice versa.

As a result of some major bugs, the project has now been suspended and users are being advised to stop using the software. Details are sketchy at present, but it appears that it is easier to trace Haystack users than Austin Heap, the man behind the project, would have users believe.

The bugs were uncovered during an independent security analysis by security specialist Jacob Appelbaum. According to Appelbaum, Haystack is the worst piece of software he has ever looked at; indeed, he does not shy away from describing its authors as charlatans. He considers that using the software, which is still in the test phase, endangers users.

[...]

To avoid increasing the risk faced by testers in Iran, Appelbaum will not publish any details, at least for the time being.

Because of the allegations concerning user security, Haystack developer and co-founder of the Censorship Research Center (CRC), Daniel Colascione, has resigned. Colascione wrote, in an email to security analysts and project members, that he felt that in good conscience he could no longer represent the CRC. He regrets that the CRC did not work transparently and that users had been misled. However, he says the tool was not ready or intended for production use.


----------------------------------------------------------------------------------------

To me, it seems like you shouldn't be beta testing this type of software in countries where exposure (or vulnerabilities) can have lethal consequences.

Botnet-For-Hire Model Resurfaces in New IMDDOS Botnet

Via Threatpost.com -

Researchers have identified a new botnet based in China that was openly selling DDoS-for-hire services and had managed to plant roots inside a number of major U.S. ISPs. The botnet, known as IMDDOS, is mostly contained right now and the researchers are working with authorities to locate its operators.

A group of researchers at Damballa discovered the botnet a few months ago when they stumbled upon a couple of suspect domains while investigating another incident. They traced the domains back to a single domain in China. The more they looked into the botnet, the more infections they found, eventually identifying infected domains in a large number of ISPs in the U.S. and abroad.

The IMDDOS botnet was being leased out in discrete chunks to customers willing to pony up the cash. This is a fairly common business model for bot herders, but it's not that often that the crew behind the operation puts up a professional Web front end and hires a sales team to market their services. But that's the way this crew was going about it, the Damballa researchers said. A customer could rent out a specific piece of the botnet and then turn it loose on whatever target he had in mind.

Damballa officials said the operation appeared to be quite professional, and went so far as to include a dedicated sales team. They estimate that the IMDDOS botnet is somewhat larger in terms of activity than the Bobax botnet, but didn't have an estimated number of infected machines.

[...]

Most of the infections appear to be in mainland China and the main Chinese domain associated with the botnet has a list of other domains that are part of the botnet, which can be leased out to customers. Damballa researchers have been in touch with law enforcement authorities and the ISPs that they've identified as being infected by IMDDOS. They believe that the botnet is mostly contained at this point, as they've identified what they think are all of the C&C servers. However, it's not clear whether the hosting providers who own those servers will all cooperate in taking the botnet down.

Monday, September 13, 2010

Microsoft: Anti-Piracy Enforcement and NGOs

Via The Official Microsoft Blog -

A story in yesterday’s New York Times reports on anti-piracy enforcement actions in Russia that have been used for more nefarious purposes than protecting intellectual property rights.

As General Counsel for Microsoft, it was not the type of story that felt good to read. It described instances in which authorities had used piracy charges concerning Microsoft software to confiscate computers and harass non-governmental organizations (NGOs) and others engaged in public advocacy. It suggested that there had been cases when our own counsel at law firms had failed to help clear things up and had made matters worse instead.

Whatever the circumstances of the particular cases the New York Times described, we want to be clear that we unequivocally abhor any attempt to leverage intellectual property rights to stifle political advocacy or pursue improper personal gain. We are moving swiftly to seek to remove any incentive or ability to engage in such behavior.

[...]

Our first step is clear-cut. We must accept responsibility and assume accountability for our anti-piracy work, including the good and the bad. At this point some of the specific facts are less clear than we would like. We will retain an international law firm that has not been involved in the anti-piracy work to conduct an independent investigation, report on its conclusions, and advise us of new measures we should take.

[...]

Ultimately, our goals are straightforward. We aim to reduce the piracy and counterfeiting of software, and we aim to do this in a manner that respects fundamental human rights. Piracy is a very real problem. It costs jobs and business growth and can cheat consumers who think they’re paying for genuine products. We know for a fact that the reduction of software piracy has breathed new life into Russia’s own software industry and has created new jobs in our industry, both at Russian software companies and for U.S. software exporters. But none of this should create a pretext for the inappropriate pursuit of NGOs, newspapers, or other participants in civil society. And we certainly don’t want to contribute to any such effort, even inadvertently.

At the end of the day, it’s clear that we have a responsibility to take new steps to address this situation, working in partnership with the various stakeholders concerned about this issue. The steps described above should start to move us in that direction. If needed, we will take further steps to ensure that they are effective.


------------------------------------------------------------------------------------------------

Russia Uses Microsoft to Suppress Dissent
http://djtechnocrat.blogspot.com/2010/09/russia-uses-microsoft-to-suppress.html

Another Adobe Zeroday: Security Advisory for Flash Player

http://www.adobe.com/support/security/advisories/apsa10-03.html

A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems during the week of September 27, 2010. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.


------------------------------------------------------------------------

VU#275289 - Adobe Flash unspecified code execution vulnerability
http://www.kb.cert.org/vuls/id/275289

------------------------------------------------------------------------

The vulnerability looks to be in Flash Player, which is normally installed as a browser plug-in for Firefox or IE...but Flash Player is also bundled with Adobe Reader. So, if you are using Adobe Reader, an attacker might be able to exploit a Flash vulnerability via a standard PDF file.

So what can you do?

I would suggest using an alternative PDF reader (e.g. Foxit Reader, Sumatra PDF, Google Doc Viewer) and disabling the Flash player in your browser.

In addition, I would recommend enabling DEP for all programs on Windows XP.
http://technet.microsoft.com/en-us/library/cc700810.aspx

If you have to use Adobe Reader, I would suggest at least using Microsoft's EMET with Adobe Reader. It isn't known if it will stop this specific zero-day, but I am going to bet it does.

Since EMET contains extra "non-standard" mitigation techniques (i.e. EAF mitigation), it is likely the attacker didn't code their exploit to bypass it...but who knows at this point. Using EMET with Adobe Reader isn't going to hurt.
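Before applying any of the mitigations above, the first question is which hosts actually fall inside the advisory's affected range. The following is an added example (not Adobe's or this blog's code) of that exposure check: the affected-version table is transcribed from the advisory text, the host inventory is constructed sample data, and treating the single Android build as "that version and earlier" is an assumption.

```python
"""Exposure check against the affected-version list in Adobe APSA10-03 (CVE-2010-2884).

Product ceilings are transcribed from the advisory text; the host inventory
below is constructed sample data for this example.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# (product, platform) -> highest affected version, as stated in APSA10-03.
# Assumption: the Android build 10.1.92.10 is treated like the others,
# i.e. "that version and earlier".
AFFECTED: Dict[Tuple[str, str], str] = {
    ("Flash Player", "windows"): "10.1.82.76",
    ("Flash Player", "macintosh"): "10.1.82.76",
    ("Flash Player", "linux"): "10.1.82.76",
    ("Flash Player", "solaris"): "10.1.82.76",
    ("Flash Player", "android"): "10.1.92.10",
    ("Reader", "windows"): "9.3.4",
    ("Reader", "macintosh"): "9.3.4",
    ("Reader", "unix"): "9.3.4",
    ("Acrobat", "windows"): "9.3.4",
    ("Acrobat", "macintosh"): "9.3.4",
}


def parse_version(text: str) -> Version:
    """Turn '10.1.82.76' into (10, 1, 82, 76) so comparison is numeric.

    Comparing raw strings is the classic mistake: '10.1.82.76' < '9.3.4'
    is True as strings because '1' sorts before '9'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_le(installed: str, ceiling: str) -> bool:
    """True if installed <= ceiling; shorter versions are zero-padded ('9.3' == '9.3.0')."""
    a, b = parse_version(installed), parse_version(ceiling)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def is_affected(product: str, platform: str, installed: str) -> bool:
    """Whether (product, platform, installed version) is inside the advisory's range."""
    ceiling = AFFECTED.get((product, platform.lower()))
    if ceiling is None:
        return False  # product/platform pair not named by the advisory
    return version_le(installed, ceiling)


def exposed_hosts(inventory: List[Tuple[str, str, str, str]]) -> List[str]:
    """Return the hostnames whose recorded (product, platform, version) is affected."""
    return sorted({host for host, prod, plat, ver in inventory if is_affected(prod, plat, ver)})


# Constructed sample inventory: (hostname, product, platform, installed version).
SAMPLE_INVENTORY = [
    ("ws01", "Flash Player", "windows", "10.1.82.76"),   # exactly the ceiling: affected
    ("ws02", "Flash Player", "windows", "10.1.85.3"),    # constructed newer build: not affected
    ("ws03", "Reader", "windows", "9.3.4"),              # affected per the advisory
    ("ws04", "Reader", "unix", "9.4"),                   # constructed newer build: not affected
    ("ws05", "Acrobat", "macintosh", "9.3"),             # earlier than 9.3.4: affected
    ("mob01", "Flash Player", "android", "10.1.92.10"),  # affected
]

if __name__ == "__main__":
    print("exposed:", exposed_hosts(SAMPLE_INVENTORY))  # ['mob01', 'ws01', 'ws03', 'ws05']
```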

Mexico Captures Another Alleged Drug Kingpin

Via CNN (Sept 12, 2010) -

Mexican marines have captured an alleged top leader of the Beltran Leyva cartel, handing authorities a major victory in their fight against powerful drug organizations, the government said Sunday.

Sergio Villarreal, who is known to Mexican officials as "El Grande," was taken in the central Mexican state of Puebla, Alejandro Poire, a spokesman for Mexico's president on security issues, told reporters. Villarreal has appeared on the attorney general's list of Mexico's most wanted and had a bounty of more than $2 million on his head.

He offered no resistance when he was arrested mid-afternoon, along with two suspected accomplices, said Poire. He added authorities also recovered weapons and armed vehicles in the operation.

[...]

Villarreal's capture comes soon after the August arrest of American-born "La Barbie," or Edgar Valdez, believed to be one of Mexico's most ruthless drug traffickers. Valdez is similarly thought to have belonged to the Beltran Leyva cartel.

The former leader of that group, Arturo Beltran Leyva, was killed in a shootout with Mexican officials last year. Beltran's brother Carlos was later arrested, creating what authorities said was a vacuum and power struggle in one of Mexico's strongest cartels.

Anti-US Hacker Takes Credit for 'Here you have' Worm

Via ComputerWorld -

A hacker who claims he was behind a fast-spreading e-mail worm that crippled corporate networks last week said that the worm was designed, in part, as a propaganda tool.

The hacker, known as Iraq Resistance, responded to inquiries sent to an e-mail address associated with the "Here you have" worm, which during a brief period early Thursday accounted for about 10 percent of the spam on the Internet. He (or she) revealed no details about his identity, but said, "The creation of this is just a tool to reach my voice to people maybe... or maybe other things."

He said he had not expected the worm to spread as broadly as it had, and noted that he could have done much more damage to victims. "I could smash all those infected but I wouldn't," said the hacker. "I hope all people understand that I am not negative person!" In other parts of the message, he was critical of the U.S. war in Iraq.

On Sunday, Iraq Resistance posted a video echoing these sentiments and complaining, through a computer-generated voice, that his actions were not as bad as those of Terry Jones. Jones is the pastor at a small Florida church who received worldwide attention this week for threatening to burn copies of the Koran.

[...]

Tariq ibn Ziyad was the eighth century commander who conquered much of Spain on behalf of the Umayyad Caliphate. Iraq Resistance's YouTube video has a Spanish theme too. It shows a map of Andalucia, and Iraq Resistance lists his location as "Spain" in his YouTube profile.

------------------------------------------------------------------------------------

http://pandalabs.pandasecurity.com/%e2%80%9chere-you-have%e2%80%9d-worm-attack-could-have-been-lauched-from-spain/
The video shows a static picture of Andalucia, a region in the South of Spain. We have already sent all the information to the Spanish Guardia Civil, and we are doing some more research on this, so we’ll probably be publishing more information in the near future.
-----------------------------------------------------------------------------------

http://www.symantec.com/connect/blogs/new-round-email-worm-here-you-have

In this instance, the actual file downloaded would be named ‘PDF_Document21_025542010_pdf.scr’ and is housed on the domain ‘members.multimania.co.uk’. This file is a minor variation of W32.Imsolk.A@mm.
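The file name above is worth a closer look from the mail-filtering side: it suggests a PDF but ends in an executable extension, and it uses "_pdf" rather than ".pdf", so a filter that only matches the literal ".pdf.scr" double extension lets it through. The following is an added example (not Symantec's or this blog's code) of a check that catches both forms; every name except the one reported above is constructed.

```python
"""Flag attachment names shaped like the 'Here you have' lure.

'PDF_Document21_025542010_pdf.scr' reads as a PDF but runs as a screensaver
executable. Because the document hint is joined with '_' instead of '.', a
naive '.pdf.scr' double-extension match misses it. Sample names other than the
reported one are constructed for this example.
"""
import re
from typing import List, Optional, Tuple

# Extensions Windows executes directly when the file is opened.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
# Tokens used to suggest a harmless document or image.
DOCUMENT_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "txt", "jpg", "document"}


def naive_double_extension(filename: str) -> bool:
    """The check many filters start with: '<anything>.<doc ext>.<exe ext>'."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_TOKENS


def classify_attachment(filename: str) -> Optional[str]:
    """Return 'disguised-executable', 'executable', or None for a benign-looking name.

    'disguised-executable' means an executable extension plus a document-like
    token earlier in the name, regardless of whether it is separated by
    '.', '_', '-', whitespace, or glued onto another word.
    """
    name = filename.strip().lower()
    if "." not in name:
        return None
    stem, ext = name.rsplit(".", 1)
    if ext not in EXECUTABLE_EXTS:
        return None
    tokens = [t for t in re.split(r"[._\-\s]+", stem) if t]
    for t in tokens:
        if t in DOCUMENT_TOKENS or any(t.endswith(d) for d in ("pdf", "doc", "xls")):
            return "disguised-executable"
    return "executable"


def scan_attachments(names: List[str]) -> List[Tuple[str, str]]:
    """Run the classifier over a list of names; return (name, verdict) for flagged ones."""
    flagged = []
    for n in names:
        verdict = classify_attachment(n)
        if verdict is not None:
            flagged.append((n, verdict))
    return flagged


SAMPLE_ATTACHMENTS = [
    "PDF_Document21_025542010_pdf.scr",  # the name reported by Symantec
    "invoice.pdf.exe",                    # constructed: classic dotted double extension
    "Quarterly_Report.pdf",               # constructed: benign
    "setup.exe",                          # constructed: executable, no disguise
    "notes.txt",                          # constructed: benign
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{verdict:22} {name}  (naive match: {naive_double_extension(name)})")
```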

Sunday, September 12, 2010

Russia Uses Microsoft to Suppress Dissent

Via NY Times (Sept 11, 2010) -

It was late one afternoon in January when a squad of plainclothes police officers arrived at the headquarters of a prominent environmental group here. They brushed past the staff with barely a word and instead set upon the computers before carting them away. Taken were files that chronicled a generation’s worth of efforts to protect the Siberian wilderness.

The group, Baikal Environmental Wave, was organizing protests against Prime Minister Vladimir V. Putin’s decision to reopen a paper factory that had polluted nearby Lake Baikal, a natural wonder that by some estimates holds 20 percent of the world’s fresh water.

Instead, the group fell victim to one of the authorities’ newest tactics for quelling dissent: confiscating computers under the pretext of searching for pirated Microsoft software.

Across Russia, the security services have carried out dozens of similar raids against outspoken advocacy groups or opposition newspapers in recent years. Security officials say the inquiries reflect their concern about software piracy, which is rampant in Russia. Yet they rarely if ever carry out raids against advocacy groups or news organizations that back the government.

As the ploy grows common, the authorities are receiving key assistance from an unexpected partner: Microsoft itself. In politically tinged inquiries across Russia, lawyers retained by Microsoft have staunchly backed the police.

Interviews and a review of law enforcement documents show that in recent cases, Microsoft lawyers made statements describing the company as a victim and arguing that criminal charges should be pursued. The lawyers rebuffed pleas by accused journalists and advocacy groups, including Baikal Wave, to refrain from working with the authorities. Baikal Wave, in fact, said it had purchased and installed legal Microsoft software specifically to deny the authorities an excuse to raid them. The group later asked Microsoft for help in fending off the police. “Microsoft did not want to help us, which would have been the right thing to do,” said Marina Rikhvanova, a Baikal Environmental Wave co-chairwoman and one of Russia’s best-known environmentalists. “They said these issues had to be handled by the security services.”

Microsoft executives in Moscow and at the company’s headquarters in Redmond, Wash., asserted that they did not initiate the inquiries and that they took part in them only because they were required to do so under Russian law.

After The New York Times presented its reporting to senior Microsoft officials, the company responded that it planned to tighten its oversight of its legal affairs in Russia. Human rights organizations in Russia have been pressing Microsoft to do so for months. The Moscow Helsinki Group sent a letter to Microsoft this year saying that the company was complicit in “the persecution of civil society activists.”

[...]

With pirated software prevalent in this country, it is not surprising that some of these groups might have some on their computers. Yet the issue, then, is why the police choose to focus on these particular targets — and whether they falsify evidence to make the charges more serious.

Microsoft also says it has a program in Russia to provide free and low-cost software to newspapers and advocacy groups so that they are in compliance with the law.

But the review of these cases indicates that the security services often seize computers whether or not they contain illegal software. The police immediately filed reports saying they had discovered such programs, before even examining the computers in detail. The police claims have in numerous instances been successfully discredited by defendants when the cases go before judges.

Given the suspicions that these investigations are politically motivated, the police and prosecutors have turned to Microsoft to lend weight to their cases. In southwestern Russia, the Interior Ministry declared in an official document that its investigation of a human rights advocate for software piracy was begun “based on an application” from a lawyer for Microsoft.

[...]

In all, 12 computers were confiscated [Baikal Environmental Wave]. The group’s Web site was disabled, its finances left in disarray, its plans disclosed to the authorities.

The police also obtained personnel information from the computers. In the following weeks, officers tracked down some of the group’s supporters and interrogated them.

“The police had one goal, which was to prevent us from working,” said Galina Kulebyakina, a co-chairwoman of Baikal Wave. “They removed our computers because we actively took a position against the paper factory and forcefully voiced it.”

“They can do pretty much what they want, with impunity,” she said.

Mexican Police Neutralize Car Bomb in Border City

Via Yahoo! News (AP) -

Mexican police carried out the controlled detonation of a car bomb Saturday in the troubled border city of Ciudad Juarez, across from Texas.

A phone tip around midnight led authorities to a dead body in a car in a shopping center parking lot, the federal Public Safety Department said in a statement. In a second car, police found the bomb.

Agents deactivated the device and removed most of the explosive material to analyze it before safely detonating the vehicle, the department said. There were no injuries.

Juarez is the same city where drug traffickers staged the first successful car bombing in Mexico, killing three people in July.

There have been three other vehicle explosions in recent weeks in Ciudad Victoria, capital of the border state of Tamaulipas.

Ciudad Juarez, across from El Paso, Texas, has been one of the cities most affected by Mexico's drug violence. More than 2,100 people have been murdered there so far this year — putting it on pace to surpass its previous high of 2,700, set last year.