Monday, April 30, 2012

Determined Adversaries and Targeted Attacks

Via Microsoft Security Intelligence Report -

Over the past two decades the internet has become fundamental to the pursuit of day-to-day commercial, personal, and governmental business. However, the ubiquitous nature of the internet as a communications platform has also increased the risk to individuals and organizations from cyberthreats. These threats include website defacement, virus and worm (or malware) outbreaks, and network intrusion attempts. In addition, the global presence of the internet has allowed it to be used as a significant staging ground for espionage activity directed at industrial, political, military, and civil targets.

During the past 5 years, one specific category of threat has become much more widely discussed. Originally referred to as Advanced Persistent Threats (APT) by the U.S. military — referring to alleged nation-state sponsored attempts to infiltrate military networks and exfiltrate sensitive data — the term APT is today widely used in media and IT security circles to describe any attack that seems to specifically target individual organization, or is thought to be notably technical in nature, regardless of whether the attack was actually either advanced or persistent.

In fact, this type of attack typically involves two separate components — the action(s) and the actor(s) — that may be targeted against governments, military organizations or, increasingly, commercial entities and civil society.

The actions are the attacks themselves, which may be IT-related or not, and are referred to as Targeted Attacks in this paper. These attacks are initiated and conducted by human actors, who are collectively referred to in this paper as Determined Adversaries. These definitions are important because they emphasize the point that the attacks are carried out by human actors who may use any tools or techniques necessary to achieve their goals; these attacks are not merely malicious software or exploits. Using an encompassing term such as APT can mask this reality and create the impression that all such attacks are technically sophisticated and malware-driven, making it harder to plan an effective defensive posture.

For these reasons, this paper uses Targeted Attacks and Determined Adversaries as more specific and meaningful terms to describe this category of attack.


Be sure to check out Microsoft's Security Intelligence Report (SIR) Volume 12.
The Microsoft Security Intelligence Report (SIR) analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide. Threat awareness can help you protect your organization, software, and people.

Sunday, April 29, 2012

Snow Leopard Users Most Prone to Flashback Infection

Via -

Of the Macs that have been infected by the Flashback malware, nearly two-thirds are running OS X 10.6, better known as Snow Leopard, a Russian antivirus company said Friday.

Doctor Web, which earlier this month was the first to report the largest-ever malware attack against Apple Macs, mined data it's intercepted from compromised computers to come up with its findings.


In a Friday blog post, Doctor Web published an analysis of the communications between 95,000 Flashback-infected Macs and the sinkholed domains. Those communication attempts took place on April 13, more than a week after Doctor Web broke the news of the botnet's massive size.


Not surprisingly, 63.4% of the Flashback-infected machines identified themselves as running OS X 10.6, or Snow Leopard, the newest version of Apple's operating system that comes with Java.

Snow Leopard accounted for the largest share of OS X last month, according to metrics company Net Applications, making it the prime target of Flashback.

Leopard, or OS X 10.5, is the second-most-common Flashback-infected operating system, said Doctor Web: 25.5% of the 95,000 Macs harboring the malware ran that 2007 edition.

Apple bundled Java with Leopard as well, but unlike Snow Leopard and Lion, it no longer ships security updates for the OS, and so has not updated Java on those Macs.

Last month, Leopard powered 13.6% of all Macs.

But while Snow Leopard's and Leopard's infection rates are higher than their usage shares, the opposite's true of OS X 10.7, or Lion. The 2011 OS accounted for 39.6% of all copies of OS X used last month, yet represented only 11.2% of the Flashback-compromised Macs.

Doctor Web did not connect those dots in its analysis, but the numbers make clear that versions of Mac OS X that included Java -- Snow Leopard and Leopard -- are much more likely to be infected by Flashback. Conversely, Lion -- by default, sans Java -- is significantly more resistant to the malware.

The Russian company's data also showed that many Mac users don't keep their machines up-to-date, something ZDNet blogger Ed Bott noted on Friday.

Twenty-four percent of the Snow Leopard-infected Macs were at least one update behind, 10.4% were three or more behind, and 8.5% were four or more behind.

Lion users were no better patch practitioners: 28% were one or more updates behind.


To protect Snow Leopard and Lion systems from the Java-exploiting Flashback, users should launch Software Update from the Apple menu and download this month's Java updates. Software Update will also serve the newest version of those operating systems to Macs running outdated editions.

People running Leopard can disable Java in their browser(s) to stymie attacks.

Later this year, Oracle will release Java 7 for OS X. Mac users who upgrade to Java 7 will then receive security updates directly from Oracle, not from Apple.

Saturday, April 28, 2012

Friday, April 27, 2012

Photos: Space Shuttle Discovery

Grabbed these shots today, at about 4:45pm EST. Free entrance and parking at Steven F. Udvar-Hazy Center.


Space Shuttle Discovery (Orbiter Vehicle Designation: OV-103) @ Steven F. Udvar-Hazy Center, an annex of the Smithsonian Institution's National Air and Space Museum.

Wednesday, April 25, 2012

US Experts To Help Decrypt 'FARC' Computers

Via (23 April 2012) -

A team of U.S. computer experts has arrived in Colombia to help national authorities recover information from the computer of deceased FARC leader "Alfonso Cano," reported Colombian newspaper El Espectador Monday.

Investigators with the Prosecutor General's office are working to break encryption codes on seven computers, 38 USB sticks and 24 hard drives recovered after a military bombing killed Cano in November, 2011.

The technology was retrieved from a FARC camp after the attack in Suarez, a town in the southwestern Cauca department.

The heavily-encrypted data uses four languages and multiple passwords, and requires the "meticulous" skills of the U.S. team to salvage and analyze it.

Investigators have already recovered some information from Cano's computer, including a plan to attack five army air bases with remote controlled helicopters.


Some of the 'plans' may be more aspirational, than operational ;)

Tuesday, April 24, 2012

The Mobile Exploit Intelligence Project

Dan Guido, working with Mike Arpaia, brings his well received intelligence-driven security ideas from "The Exploit Intelligence Project" of 2011, into the mobile space.

Nissan Gets Hacked, Intellectual Property Possible Target

Via (April 24, 2012) -

Nissan Motor Company has announced that its information systems have been hacked. So far, the company doesn't know who the hackers were, or where they struck from and it's unclear what data may have been compromised. Nissan believes that the hackers were looking for intellectual property related to its EV drivetrains.

Nissan maintains that it quickly secured its system and issued a statement alerting customers and employees that its data systems were breached. Nissan says that the infiltration was noticed on April 13 so it has been roughly 10 days since the database was compromised.

The statement read:
We have detected an intrusion into our company's global information systems network.

On April 13, 2012, our information security team confirmed the presence of a computer virus on our network and immediately took aggressive actions to protect the company's systems and data. This included actions to protect information related to customers, employees and other partners worldwide. This incident initially involved the malicious placement of malware within our IS network, which then allowed transfer from a data store, housing employee user account credentials.

As a result of our swift and deliberate actions we believe that our systems are secure and that no customer, employee or program data has been compromised. However, we believe that user IDs and hashed passwords were transmitted. We have no indication that any personal information and emails have been compromised. Regardless, we are continuing to take appropriate precautionary measures.

Due to the ever-evolving sophistication and tenacity of hackers targeting corporations and governments on a daily basis, we continue to vigilantly maintain our protection and detection systems and related countermeasures to keep ahead of emerging threats. Our focus remains on safeguarding the integrity of employee, consumer and corporate information.
Nissan says that it opted to keep the hack secret for the last 10 days until it had a better idea what was going on according to a spokesman cited by The Detroit Bureau.


Looks like Active Directory might have got popped.

Primary Sources....

Nissan Statement: Nissan is Taking Actions to Protect and Inform Employees and Customers Following an Intrusion into the Company's Global Network Systems

The Detroit Bureau: Nissan Scrambles After Major Cyber-Attack

Monday, April 23, 2012

Both Mac and Windows are Targeted at Once

Via Symantec Security Response Blog -

Symantec Security Response, along with some other security vendors, reported the discovery of the OSX.Flashback malware recently patched by Apple. Many people may be surprised to learn the infection volume is reported at over 600,000 computers.

On a new front, we have recently identified new Java Applet malware, which uses the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507) to download its payload. This attack vector is the same as the older one, but in this case the Java Applet checks which OS it is running on and downloads a suitable malware for the OS.


When a victim loads the Java Applet malware, it breaks the Java Applet sandbox by using the CVE-2012-0507 vulnerability. This vulnerability is effective for both Mac and Windows operating systems. Then, if the threat is running on a Mac operating system, it downloads a dropper type malware written in Python. However, if the threat is running on a Windows operating system, it downloads a standard Windows executable file dropper. Both droppers drop a Trojan horse program that opens a back door on the compromised computer.


The Trojan only checks whether it is a Windows operating system or not in this code, but the downloaded Python dropper checks again whether it is a Mac operating system or not. If it is running on Linux or some other operating system, the threat does nothing. Python is not a popular script to write malware in, but it works fine on a Mac operating system because Python has already been installed by default.

Finally, one of two back door Trojans is dropped on to the computer. These two Trojans are downloaded from the same server, but are a little bit different from each other.

The back door Trojan for the Mac operating system written in Python can control the “polling times”, which is related to how many times it gets commands from the server at certain time intervals. The author has done this in order to avoid IDS or IPS detection by reducing network communication. The network connection is also encrypted by RC4 or compressed by Zlib.


Recently, malware that targets Mac computers, such as OSX.Flashback and OSX.Sabpab, are increasing. This recent increase provides evidence that malware authors now consider Mac computers a viable battleground along with the Windows platform. Certainly it is now time for you to arm your Mac computer with a good security product.

Symantec detects the Java Applet malware as Trojan.Maljava, the droppers as Trojan.Dropper, and the back door Trojans as Backdoor.Trojan. We continue to watch out for both Mac and Windows malware in order to protect our customers.

Defense Clandestine Service: Pentagon Reorganizes Intel into New Spy Shop

Via CBS News -

The Pentagon is rebranding and reorganizing its clandestine spy shop, sending more of its case officers to work alongside CIA officers to gather intelligence in places like China, after a decade of focusing intensely on war zones.

Several hundred case officers will make up the new Defense Clandestine Service. Drawn from the Defense Intelligence Agency, the officers will be sent to beef up U.S. intelligence teams in areas that are now receiving more attention. Those include Africa, where al Qaeda is increasingly active, to parts of Asia where the North Korean missile threat and Chinese military expansion are causing increasing U.S. concern.

The new effort was described by a senior defense official who spoke on condition of anonymity because he was not authorized to speak publicly about the classified program.

Defense Department case officers already secretly gather intelligence across the globe on terrorism, weapons of mass destruction and other issues, mostly working out of CIA stations in embassies and operating undercover like their CIA counterparts.

But an internal study by the Director of National Intelligence last year found the agency still focused more on its traditional mission of providing the military with intelligence in war zones, and less on what's called "national" intelligence — gathering and disseminating information on global issues and sharing that intelligence with other national security agencies, the official said.

The study also found that the Pentagon did not always reward clandestine service overseas with promotions, so its most experienced case officers often left for the CIA, or switched to other career paths within the Pentagon.


The case officers in the field — some military and some civilian — will answer directly to the top intelligence representative in their post, usually the CIA's chief of station, in addition to serving their agency back home. The arrangement is likely to curb complaints seen in earlier expansions of the Defense Department's spy mission, which the CIA and other agencies saw as the military stepping on their territory.

The changes were worked out by the top Pentagon intelligence official, Under Secretary of Defense for Intelligence Michael Vickers, and his CIA counterpart who heads the National Clandestine Service, and briefed to Congress before Defense Secretary Leon Panetta signed off on the new program last Friday.


Looks like they are playing better together, post-CIFA days.

Monday, April 16, 2012

Recent Purported CEIEC Document Dump Booby-Trapped

Via ShadowServer -

In recent weeks thousands documents have been released online by a hacktivist going by the online moniker of "Hardcore Charlie." These documents appear to have potentially been sourced and possibly stolen from various businesses and governments in different countries including the United States, the Philippines, Myanmar, Vietnam, and others. In particular Hardcore Charlie has been attempting to draw attention to some of the documents that apparently relate to U.S. military operations in Afghanistan. The twist in all of this is that the documents are purported to have been stolen by Hardcore Charlie from the Beijing based military contractor China National Import & Export Corp (CEIEC). If true, that would mean that the documents were stolen at least twice. These are allegations that CEIEC has strongly denied and condemned in a post on their website.

This entire turn of events has raised more questions than they have answered. Are the documents legitimate? Where were they original stolen from? If these were really stolen twice, who stole them first? We unfortunately do not have the answer to any of these questions. However, one thing we do have are words of caution and some interesting information about a handful of the documents found in this dump. Within the document dump in a folder related to Vietnam are 11 malicious documents (8 unique) that exploit vulnerabilities (CVE-2010-3333 and CVE-2009-3129) in Microsoft Office to install malware. These documents installed four different types of backdoors that reported back to six distinct command and control servers. Two of the backdoors were unfamiliar to us and the other two were the well known Poison Ivy RAT and the Enfal/Lurid. At least one hostname could be tied back to a known set of persistent actors engaged in cyber espionage.


Vietnamese Targeting and Timeline

These nine unique samples from the document dump from Hardcore Charlie appear to lead to multiple different attack campaigns targeting Vietnamese interests. The malicious documents have Vietnamese names and will open legitimate clean versions of the documents in Vietnamese upon successful exploitation. At least one of the trojan samples even saves itself as a file that might blend in on a Vietnamese computer. Another has strings related to the Vietnamese version of Google, while another uses a DNS name that is in Vietnamese as well. We would suspect this may just be the tip of the ice berg.

As for timing -- several indicators seem to point to these documents being approximately a year old. The most obvious and more tamper proof piece of evidence being a VirusTotal submission from April 2011. You may note the document from this submission was named BC cua chi binh voi BCS.doc. However, this file has the same MD5 hash of of32f5ad4f09135fcdde86ecd4c466a993, which matches the file was saw named Danh sach.doc. This indicates that his activity is not new and these files may have been unknowingly included in this document dump


These malicious documents within the data dump raise several questions and can lead to plenty of speculation. Were these malicious documents resident on victim systems from previous targeted APT campaigns and exfiltrated alongside the legitimate documents as part of another cyber espionage operation? Could it be that they were intentionally placed into this data dump? Anything is possible and we do not have all the answers. However, we can tell you that a few of the malware samples had previously been submitted to VirusTotal in early 2011. Additionally meta data of the clean documents dropped by a few of the malware payloads showed that the documents were also created in 2011, indicating that the malicious documents have likely been circulating in the wild for more than year.

Although many questions remain, the following facts are clear:

  • A small subset of the documents contained in the purported CEIEC dump are malicious.
  • These malicious documents drop a mix of malware families including Poison Ivy, Enfal/Lurid and two unnamed families.
  • Some of the malware samples extracted from the CEIEC dump connect to infrastructure used in previous APT campaigns.

These documents just go to show that malicious files can end up pretty much anywhere. We are stating the obvious but remember to exercise caution when viewing files you downloaded from the Internet. Microsoft patched the two vulnerabilities used in these attacks quite some time ago. They patched CVE-2009-3129 with MS09-067 and CVE-2010-3333 with MS10-087. Malicious documents that exploit vulnerabilities in Microsoft Office, Adobe Acrobat [Reader], or components loaded by these pieces of software are still some of the most common ways in which cyber espionage attacks are conducted. Staying current with the latest versions and security patches for any software you run is highly recommended.

Saturday, April 14, 2012

SabPub Mac OS X Backdoor: Java Exploits, Targeted Attacks and Possible APT link

Via (Kaspersky) -

We can confirm yet another Mac malware in the wild - Backdoor.OSX.SabPub.a being spread through Java exploits.

This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine.

The remote C&C website - rt*** is hosted on a VPS located in the U.S, Fremont, CA.

“” is a free dynamic DNS service. Interesting, the C&C at IP 199.192.152.* was used in other targeted attacks (known as “Luckycat”) in the past.


The Java exploits appear to be pretty standard, however, they have been obfuscated using ZelixKlassMaster, a flexible and quite powerful Java obfuscator. This was obviously done in order to avoid detection from anti-malware products.

At the moment, it is not clear how users get infected with this, but the low number and it’s backdoor functionality indicates that it is most likely used in targeted attacks. Several reports exist which suggest the attack was launched through e-mails containing an URL pointing to two websites hosting the exploit, located in US and Germany.

The timing of the discovery of this backdoor is interesting because in March, several reports pointed to Pro-Tibetan targeted attacks against Mac OS X users. The malware does not appear to be similar to the one used in these attacks, though it is possible that it was part of the same or other similar campaigns.

One other important detail is that the backdoor has been compiled with debug information - which makes its analysis quite easy. This can be an indicator that it is still under development and it is not the final version.


Kaspersky redacted part of the C2 info, but Symantec did not...

Symantec - OSX.Sabpab
Next, the Trojan connects to the following location and opens a back door on the compromised computer: hxxp://

Fighting the OSX/Flashback Hydra

Via ESET Threat Blog -

The biggest Mac botnet ever encountered, the OSX/Flashback botnet, is being hit hard. On April 12th, Apple released a third Java update since the Flashback malicious code outbreak. This update includes a new tool called MRT (Malware Removal Tool) which allows Apple to quickly push malware removal code to their user base. The first mission of MRT: remove Flashback.


When it comes to disclosing a realistic number of unique infected hosts, we strive to be as accurate and objective as possible. Defining a unique host is not trivial, even if OSX/Flashback uses hardware UUIDs. Our data indicates many UUIDs that connected to our sinkhole (a server we set up to capture incoming traffic from bot-infected machines trying to communicate with their command-and-control servers), came from a big range of IP addresses, indicating that there may be UUID duplicates. Virtual Machines or so-called Hack-intosh installations may explain this.

When browsing Hack-intosh forums, we found out that everyone who is using the fourth release candidate of a special distribution has the same hardware UUID (XXXXXXXX-C304-556B-A442-960AB835CB5D) and even discuss ways to arbitrarily modify it.

Oddly enough, we found this UUID connected to our sinkhole from 20 different IP addresses. This indicates that those who considered UUID to count the number of distinct infected hosts probably have underestimated the botnet size.

Flashback evolved a lot in the last few months. The authors moved fast and added obfuscation and fallback methods in case the main C&C server is taken down. The dropper now generates 5 domain names per day and tries to get an executable file from those websites. The latest variants of the dropper and the library encrypt its important strings with the Mac hardware UUID. This makes it difficult for researchers to analyze a variant reported by a customer if they don’t also have access to the UUID.

The fallback mechanism that Flashback uses when it is unable to contact its C&C servers is quite interesting. Each day, it will generate a new Twitter hashtag and search for any tweet containing that hashtag. A new C&C address can be provided to an infected system this way. Intego reported this last month, but the latest version uses new strings. Twitter has been notified of the new hashtags and are working on remediations to make sure the operator of the botnet cannot take back control of his botnet through Twitter.


Flashback Malware Removal Tool
This Flashback malware removal tool that will remove the most common variants of the Flashback malware. If the Flashback malware is found, a dialog will be presented notifying the user that malware was removed. In some cases, the Flashback malware removal tool may need to restart your computer in order to completely remove the Flashback malware.

This update is recommended for all OS X Lion users without Java installed.

Monday, April 9, 2012

S. Korean Government Says North Preparing for Third Nuclear Test

Via Washington Post -

As North Korea prepares for a long-range rocket launch within the next week, the South Korean government has released fresh evidence that, it says, suggests a nuclear test soon could follow.

Seoul’s Ministry of Unification, in charge of policy toward Pyongyang, on Sunday sent a report to journalists detailing activity at a test site in North Korea’s northeast, the location for previous nuclear tests in 2006 and 2009. The report, citing recent commercial satellite images, said that the North is “on its way to another grave provocation” by gathering dirt at the entrance to a tunnel.

According to the analysis, that dirt would be used to plug the tunnel before conducting an underground test, which would be the North’s third.

“The effort is believed to be in its final stages,” said the report, which was drafted by Seoul’s intelligence agency. “The soil around the tunnel’s entrance appeared to have been brought in from another region and has been growing in amount since March.”

If North Korea conducts a nuclear test soon after launching its rocket, it would match the pattern set by the reclusive country in 2006 and 2009, in which launches brought international condemnation. In both cases, Pyongyang, outraged by the outrage, tested nuclear devices soon after.

But predictions about a third nuclear test have run rampant in the past two years, and progressive media in Seoul suggested that the latest release was an attempt by the ruling conservative party to gain voter support in advance of Wednesday’s parliamentary elections.

The announcement might be a “red herring election move by conservatives,” the liberal Hankyoreh newspaper said in a headline on its Web site.

Intelligence Surge Boosts U.S. Confidence on Iran’s Nuclear Program

Via Washington Post -

More than three years ago, the CIA dispatched a stealth surveillance drone into the skies over Iran.

The bat-winged aircraft penetrated more than 600 miles inside the country, captured images of Iran’s secret nuclear facility at Qom and then flew home. All the while, analysts at the CIA and other agencies watched carefully for any sign that the craft, dubbed the RQ-170 Sentinel, had been detected by Tehran’s air defenses on its maiden voyage.

“There was never even a ripple,” said a former senior U.S. intelligence official involved in the previously undisclosed mission.

CIA stealth drones scoured dozens of sites throughout Iran, making hundreds of passes over suspicious facilities, before a version of the RQ-170 crashed inside Iran’s borders in December. The surveillance has been part of what current and former U.S. officials describe as an intelligence surge that is aimed at Iran’s nuclear program and that has been gaining momentum since the final years of George W. Bush’s administration.

The effort has included ramped-up eavesdropping by the National Security Agency, formation of an Iran task force among satellite-imagery analysts and an expanded network of spies, current and former U.S. officials said.

At a time of renewed debate over whether stopping Iran might require military strikes, the expanded intelligence collection has reinforced the view within the White House that it will have early warning of any move by Iran to assemble a nuclear bomb, officials said.

“There is confidence that we would see activity indicating that a decision had been made,” said a senior U.S. official involved in high-level discussions about Iran policy. “Across the board, our access has been significantly improved.”


There is also the chastening experience of Iraq. A decade ago, analysts at the CIA and other agencies were confident that Iraq had stockpiles of banned weapons, including the components of a nuclear weapons program. A costly U.S. invasion and futile search for those stockpiles proved them wrong.

The sting of that intelligence failure was still fresh when U.S. spy agencies came under pressure to ramp up collection efforts against Iran. By 2006, U.S. intelligence officials and top Bush advisers had become alarmed by deep gaps in U.S. knowledge of Iran’s nuclear efforts and ambitions.

Michael V. Hayden, then the new CIA director, recalled a White House briefing in which Bush became visibly agitated.

At the time, Iran was rapidly expanding its stockpile of enriched uranium at its main Natanz facility while working on what was then a secret site at Qom. American officials feared that Iran might surprise the world with a nuclear weapons test that would leave U.S. leaders with two highly unpalatable options: Attack Iran or accept the emergence of a new nuclear power in the Middle East.

At one point, Bush turned to Hayden and said, “I don’t want any U.S. president to be faced with only two choices when it comes to Iran,” according to Hayden. Efforts to reach Bush for comment were not successful.

The meeting became the impetus for overhauling the CIA’s approach to a country considered one of its hardest targets. The agency’s Iran experts and operatives were moved from its Near East Division to a group focused exclusively on Iran, much as the CIA had formed its Counterterrorism Center 20 years earlier.

“We put the best people on the job and put the most talented people in charge,” Hayden said. “Then we said, ‘Tell us what you need to get the job done.’ ”

Known internally as “Persia House,” the Iran Operations Division was set up in the agency’s Old Headquarters Building. Over time, it swelled from several dozen analysts and officers to several hundred. The division is now headed by a veteran case officer who previously served as CIA station chief in Islamabad, Pakistan.

“It got a robust budget,” said a former senior CIA official who worked in the Near East Division at the time. The Iran division’s emphasis was “getting people overseas in front of people they needed to be in front of — there are a lot of places to meet Iranians outside Iran.”


One of those operations was exposed last year, when an RQ-170, flown from an airstrip in Afghanistan, crashed inside Iran. Officials in Tehran have triumphantly claimed credit for bringing the stealth drone down and have released pictures showing the drone apparently patched up after the crash. U.S. officials say a technical failure caused the crash.


Despite the setback, U.S. officials said that some surveillance flights continue and that the damage to American espionage capacity overall has been limited.

That is partly because the drone flights were only a small part of a broad espionage campaign involving the NSA, which intercepts -e-mail and electronic communications, as well as the National Geospatial-Intelligence Agency, which scours satellite imagery and was the first to spot the uranium enrichment plant at Qom.


The expanded espionage effort has confirmed the consensus view expressed by the U.S. intelligence community in a controversial estimate released publicly in 2007. That estimate concluded that while Iran remains resolutely committed to assembling key building blocks for a nuclear weapons program, particularly enriched uranium, the nation’s leaders have opted for now against taking the crucial final step: designing a nuclear warhead.

“It isn’t the absence of evidence, it’s the evidence of an absence,” said one former intelligence official briefed on the findings. “Certain things are not being done.”

Kaspersky Lab Confirms Flashback Botnet Infected More Than 600,000 Mac OS X Computers

Via Kaspersky Lab News -

Kaspersky Lab’s experts recently analyzed Flashfake, a massive botnet that infected more than 600,000 computers worldwide, and concluded that more than 98% of the infected computers were most likely running a version of Mac OS X. To infect victims’ computers, the cyber criminals behind the Flashfake botnet were installing a Flashfake Trojan that gained entry into users’ computers without their knowledge by exploiting vulnerabilities in Java. To analyze the botnet, Kaspersky Lab’s experts reverse-engineered the Flashfake malware and registered several domain names which could be used by criminals as a C&C server for managing the botnet. This method enabled them to intercept and analyze the communications between infected computers and the other C&Cs.

The analysis showed that there were more than 600,000 infected machines, with the largest regions being the United States (300,917 infected computers), followed by Canada (94,625), the United Kingdom (47,109) and Australia (41,600). Using a heuristic “OS fingerprinting” method, Kaspersky Lab’s researchers were able to gauge which operating systems the infected computers were running, and found that 98% were most likely running Mac OS X. It is anticipated that the other 2% of machines running the Flashfake bot are very likely to be Macs as well.


Flashfake is a family of OS X malware that first appeared in September 2011. Previous variants of the malware relied on cyber criminals using social engineering techniques to trick users into downloading the malicious program and installing it in their systems. However, this latest version of Flashfake does not require any user-interaction and is installed via a “drive-by download,” which occurs when victims unwittingly visit infected websites, allowing the Trojan to be downloaded directly onto their computers through the Java vulnerabilities. After infection the Trojan uploads additional payload which hijacks victims’ search results inside their web browsers to conduct a “click-fraud” scam.

Although no other malicious activities have currently been detected by the Trojan, the risk is still significant because the malware functions as a downloader on users’ computers, which means the cyber criminals behind Flashfake can easily issue new, updated malware - capable of stealing confidential information such as passwords or credit card details - and install it onto infected machines.

Although Oracle issued a patch for this vulnerability three months ago, Apple delayed in sending a security update to its customer base until 2 April. Users who have not updated their systems with the latest security should install and update immediately to avoid infection.


Earlier this week, Dr.Web reported the discovery of a Mac OS X botnet Flashback (Flashfake). According to their information, the estimated size of this botnet is more than 500, 000 infected Mac machines.

Individual Mac OS X users, can query Dr. Web's database of infected Macs to determine if their machine was seen in the collected data....

After sinkholing one of the Flashback C2, Kaspersky created - which can be used in a similar fashion to Dr. Web above.


Corporations can check their the user-agent data collected at their outbound proxies.

The bots can be identified by a unique variable in their User-Agent HTTP header named “id”, the rest of the User-Agent is statically controlled by the Trojan. See example below:
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1; sv:2; id:9D66B9CD-0000-5BCF-0000-000004BD266A) Gecko/20100101 Firefox/9.0.1"

The 'id' variable would contain the Hardware UUID of the infected OSX system.


F-Secure Lab’s has released a free removal tool -


10 Simple Tips for Boosting The Security Of Your Mac

American Universities Infected by Foreign Spies Detected by FBI

Via Bloomberg (April 8, 2012) -

While overshadowed by espionage against corporations, efforts by foreign countries to penetrate universities have increased in the past five years, Figliuzzi said. The FBI and academia, which have often been at loggerheads, are working together to combat the threat, he said.

Attempts by countries in East Asia, including China, to obtain classified or proprietary information by “academic solicitation,” such as requests to review academic papers or study with professors, jumped eightfold in 2010 from a year earlier, according to a 2011 U.S. Defense Department report. Such approaches from the Middle East doubled, it said.

“Placing academics at U.S. research institutions under the guise of legitimate research offers access to developing U.S. technologies and cutting-edge research” in such areas as information systems, lasers, aeronautics and underwater robots, the report said.


While most international students, researchers and professors come to the U.S. for legitimate reasons, universities are an “ideal place” for foreign intelligence services “to find recruits, propose and nurture ideas, learn and even steal research data, or place trainees,” according to a 2011 FBI report.

In one instance described in the report, the hosts of an international conference invited a U.S. researcher to submit a paper. When she gave her talk at the conference, they requested a copy, hooked a thumb drive to her laptop and downloaded every file. In another, an Asian graduate student arranged for researchers back home to visit an American university lab and take unauthorized photos of equipment so they could reconstruct it, the report said.

A foreign scientist’s military background or purpose isn’t always apparent. Accustomed to hosting visiting scholars, Professor Daniel J. Scheeres didn’t hesitate to grant a request several years ago by Yu Xiaohong to study with him at the University of Michigan. She expressed a “pretty general interest” in Scheeres’s work on topics such as movement of celestial bodies in space, he said in a telephone interview.

She cited an affiliation with the Chinese Academy of Sciences, a civilian organization, Scheeres said. The Beijing address Yu listed in the Michigan online directory is the same as the Academy of Equipment Command & Technology, where instructors train Chinese military cadets and officers. Scheeres said he wasn’t aware of that military connection, nor that Yu co-wrote a 2004 article on improving the precision of anti- satellite weapons.

Once Yu arrived, her questions made him uncomfortable, said Scheeres, who now teaches at the University of Colorado. As a result, he stopped accepting visiting scholars from China.

“It was pretty clear to me that the stuff she was interested in probably had some military satellite-orbit applications,” he said. “Once I saw that, I didn’t really tell her anything new, or anything that couldn’t be published. I didn’t engage that deeply with her.”


Unlike its counterparts in other countries, which rely on their own operatives, China’s intelligence service deploys a freelance network including students, researchers and false- front companies, said David Major, president of the Centre for Counterintelligence and Security Studies in Falls Church, Virginia and a former FBI official.

China has “lots of students who either are forced to or volunteer to collect information,” he said. “I’ve heard it said, ‘If it wanted to steal a beach, Russia would send a forklift. China would send a thousand people who would pick up a grain of sand at a time.’”

China also has more than 3,000 front companies in the U.S. “for the sole purpose of acquiring our technology,” former CIA officer S. Eugene Poteat, president of the Association of Former Intelligence Officers in McLean, Virginia, wrote in the fall/winter 2006-2007 edition of “Intelligencer: Journal of U.S. Intelligence Studies.”


Universities “may not fully grasp exactly who they’re spinning off their inventions to,” Figliuzzi said. “The company could be a front for a foreign power, and often is. We share specific intelligence with university presidents, and we’ve opened some eyes.”

Michigan State’s Simon learned to be wary of front companies by serving on the National Security Higher Education Advisory Board, established by the FBI and CIA in 2005. It “makes you more aware that you need to look below the surface of some of these offers,” she said. “A short-term solution may turn into an institutional embarrassment.”