How Sophisticated are Targeted Malware Attacks?

Via TrendMicro Blog -

Malware attacks that exploit vulnerabilities in popular software in order to compromise specific target sets are becoming increasingly commonplace. Prior to the highly publicized “Aurora” attack on Google and at least twenty other companies, targeted malware attacks had been taking place and they continue to affect government, military, corporate, educational and civil society networks. While such attacks against the US government and related networks are well known, other governments and an increasing number of companies are facing similar threats.

Earlier this year, the Canadian, South Korean and French governments have all had serious security breaches to sensitive networks. Recently, the European Commission and the External Action Service were also compromised. There have also been acknowledged security breaches at the security firms RSA and Comodo which—at least in the case of RSA—appear to be the result of targeted malware attacks.

Technically sophisticated or simply well-executed?

Such attacks are almost always described as sophisticated or targeted, adjectives which have basically become synonymous with successful. The statements issued after breaches often suggest that attackers knew exactly what to exploit and, in some cases, exactly what they were looking for. It is difficult to assess such claims based solely on the murky details that emerge publicly. Therefore I am not suggesting that such characterizations are necessarily incorrect. Rather, I am suggesting that the level of targeting and sophistication are results of prior knowledge gained by the attackers and not necessarily caused by some technical brilliance in the tools and methods used.

[...]

Laying the groundwork

A recent sample, which I received via contagiodump.blogspot.com, illustrates the level of reconnaissance that “noisy” attackers can generate. The malware sample was a .CHM file that exploits Microsoft HTML Help. The malware, which is detected by Trend Micro as CHM_CODEBASE.AG, drops BKDR_SALITY.A and proceeds to generate network traffic with well-known BKDR_SALITY.A servers.

However, the malware made another set of network connections to win{BLOCKED}.dyndns.info. The Web page accessed on this server contains JavaScript code that uses the res:// protocol to enumerate the specific software on the compromised computer and submits the listing to win{BLOCKED}.dyndns.info. This method of using the res:// protocol to enumerate installed software was documented by Billy Rios in 2007.

[...]

The script at win{BLOCKED}.dyndns.info detects an extensive list of software:

• Microsoft Office (Word and Outlook) from Windows 97 through to 2010
• Adobe Reader (7.0 to 9.3)
• Adobe Flash
• Java
• Instant messaging programs (Skype, Yahoo! Messenger, MSN, Google Talk, and QQ)
• Programming and graphics tools (Delphi, .net, Photoshop and Dreamweaver)

It also checks for file sharing programs, Web browsers, remote administration tools, email clients, download managers and media players. Security software are also detected including major antivirus products and personal firewalls, as well as the PGP encryption software. In addition, it checks for virtual machine software and tries to detect if it is within VMware. Finally, it checks for Microsoft updates from KB842773 through to KB981793.

This malware sample is admittedly odd because it conducts these checks after the user’s computer is already compromised. If this were being used for profiling, wouldn’t it have been done before the attack? One possible explanation is that the attackers are deliberately sending out “noisy” attacks with the hopes that administrators would simply clean compromised systems and move on. However, by then the attackers would have a profile of the machines in an organization that was compromised. They will know the preferred antivirus products, the specific versions of installed software and other information they can use to stage a targeted attack in the future. When the attackers are ready, they will stage an attack aimed at acquiring specific data. The attackers will know exactly what versions of what software to exploit in order to compromise the target. The attack will be characterized as sophisticated and targeted because prior information about the organization has helped make the attack successful.

-----------------------------------------------------------------

An excellent reminder that truely targeted malware doesn't become targeted in a vacuum - it is built using integllience acquired by the attacker.

The Evolution of TDL: Conquering x64

http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf

Introduction

It has been about two years since the Win32/Olmarik (also known as TDSS, TDL and Alureon) family of malware programs started to evolve. The authors of the rootkit implemented one of the most sophisticated and advanced mechanisms for bypassing various protective measures and security mechanisms embedded into the operating system. The fourth version of the TDL rootkit family is the first reliable and widely spread bootkit targeting x64 operating systems such as Windows Vista and Windows 7. The active spread of TDL4 started in August 2010 and since then several versions of the malware have been released. Comparing it with its predecessors, TDL4 is not just a modification of the previous versions, but new malware. There are several parts that have been changed, but the most radical changes were made to its mechanisms for self-embedding into the system and surviving reboot. One of the most striking features of TDL4 is its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled. This makes TDL4 a powerful weapon in the hands of cybercriminals.

It is the abundance of references to TDL4 combined with an absence of a fully comprehensive source of essential TDL4 implementation detail that motivated us to start this research. In this report, we investigate the implementation details of the malware and the ways in which it is distributed, and consider the cybercriminals’ objectives. The report begins with information about the cybercrime group involved in distributing the malware. Afterwards we go deeper into the technical details of the bootkit implementation.

Critical NASA Network was Open to Internet Attack

Via NetworkWorld.com -

Six NASA servers exposed to the Internet had critical vulnerabilities that could have endangered Space Shuttle, International Space Station and Hubble Telescope missions -- flaws that would have been found by a security oversight program the agency agreed to last year but hasn't yet implemented, according to a report by the agency's inspector general.

NASA's CIO Linda Cureton says she has patched the vulnerabilities, but IG Paul Martin found that NASA still has no ongoing program for spotting and correcting similar problems as they arise and is giving itself until the end of September just to come up with a plan, according to the report titled "Inadequate Security Practices Expose Key NASA Network to Cyber Attack." The deadline for the plan is Sept. 30.

The six vulnerable servers were associated with IT projects that control spacecraft or contain critical NASA information, the report says. The audit also found other servers that exposed encryption keys, encrypted passwords and user-account information, all of which could enable attackers to gain unauthorized network access. The report didn't assess the agencywide network that isn't directly used for missions.

[...]

One server was found vulnerable to FTP bounce attacks, which if exploited, "could have significantly disrupted NASA's space flight operations and stolen sensitive data," the report says. Other servers weren't securely configured, exposing the encryption keys, encrypted passwords and user account lists to attackers.

The IG says NASA didn't know about these problems but could have if it performed broad risk assessment, part of the agreed-to security program. "As a result, NASA's Agency-wide mission network was vulnerable to a variety of cyber attacks with the potential for devastating adverse effects on the mission operations the network supports," the report says.

--------------------------------------------------------------------------------

NASA have been targeted in the past by more sophisticated attackers as well.

Avocado: NASA's Titan Rain (Suspected APT)
http://djtechnocrat.blogspot.com/2008/11/avocado-nasas-titan-rain.html (Nov 2008)

In April 2005, cyber-burglars slipped into the digital network of NASA's supposedly super-secure Kennedy Space Center east of Orlando, according to internal NASA documents reviewed by BusinessWeek and never before disclosed. The violated network is managed by a joint venture owned by NASA contractors Boeing (BA) and Lockheed Martin (LMT).

Undetected by the space agency or the companies, the program, called stame.exe, sent a still-undetermined amount of information about the Shuttle to a computer system in Taiwan. That nation is often used by the Chinese government as a digital way station, according to U.S. security specialists.

By December 2005, the rupture had spread to a NASA satellite control complex in suburban Maryland and to the Johnson Space Center in Houston, home of Mission Control. At least 20 gigabytes of compressed data—the equivalent of 30 million pages—were routed from the Johnson center to the system in Taiwan, NASA documents show. Much of the data came from a computer server connected to a network that tracks malfunctions that could threaten the International Space Station.

Photo of the Day - MESSENGER: First Image Ever Obtained from Mercury Orbit

http://messenger.jhuapl.edu/gallery/sciencePhotos/image.php?page=1&gallery_id=2&image_id=432

Date acquired: March 29, 2011
Image Mission Elapsed Time (MET): 209877871
Image ID: 65056
Instrument: Wide Angle Camera (WAC) of the Mercury Dual Imaging System (MDIS)
Center Latitude: -53.3°
Center Longitude: 13.0° E
Resolution: 2.7 kilometers/pixel (1.7 miles/pixel)
Scale: Debussy has a diameter of 80 kilometers (50 miles)

Of Interest: Early this morning [March 29], at 5:20 am EDT, MESSENGER captured this historic image of Mercury. This image is the first ever obtained from a spacecraft in orbit about the Solar System's innermost planet. Over the subsequent six hours, MESSENGER acquired an additional 363 images before down linking some of the data to Earth.

Taliban Create Lashkar-e-Khorasan to Hunt Predator Spies

Via The Long War Journal (March 28, 2011) -

The Taliban have created a group assigned to hunt down tribesmen suspected of providing information to the CIA that enables the Predator campaign to target terrorist leaders in Pakistani tribal areas.

The group, known as the Lashkar-e-Khorasan, or Army of the Khorasan, was established in North Waziristan last year by both the Haqqani Network and Taliban forces under the command of Hafiz Gul Bahadar, The Express Tribune reported. The creation of the group was confirmed by Pakistani intelligence officials, tribesmen, and members of the Taliban.

The Pakistani government continues to maintain that Bahadar and the Haqqani Network are "good Taliban" as they do not attack the Pakistani state. But both Bahadar and the Haaqani Network shelter al Qaeda and also various Taliban groups that do conduct attacks in Pakistan and Afghanistan.

The Lashkar-e-Khorasan was first established as a "loose network with members casually going out and trying to find out who is providing information to the US," but has become an "organized" unit that is "scientifically on the counter-intelligence line," a Taliban member associated with Bahadar's group told the The Express Tribune.

The unit is estimated have more than 300 fighters and to operate primarily in the Datta Khel, Mir Ali, and Miramshah areas. These three areas are strongholds of the Haqqani Network and Bahadar's Taliban forces, as well as for al Qaeda and allied terror groups, and have been heavily targeted by the CIA.

[...]

The Taliban's usage of the term "Khorasan" indicates that they are working in conjunction with al Qaeda in the effort to hunt down the spy network in North Waziristan. Al Qaeda's forces in Pakistan and Afghanistan are known as Qaidat al-Jihad fi Khorasan, or the Base of the Jihad in the Khorasan. It was in North Waziristan that the US killed Mustafa Abu Yazid, the leader of Al Qaeda in the Khorasan, in a Predator strike last summer.

McAfee and SAIC Study Shows Corporate Intellectual Capital is the Newest Cybercrime Currency

http://www.mcafee.com/es/about/news/2011/q1/20110328-01.aspx

SANTA CLARA, Calif. and McLean, VA - March 28 - McAfee and Science Applications International Corporation (SAIC) [NYSE:SAI] today announced findings from a global study on the security of information economies. In the study, “Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency,” security experts and senior IT decision makers illustrate how cybercriminals have made the shift from stealing personal information, to targeting the corporate intellectual capital of some of the most well-known global organizations. Cybercriminals understand there is greater value in selling a corporations’ proprietary information and trade secrets which have little to no protection making intellectual capital their new currency of choice.

The cyber underground economy is making its money on the theft of corporate intellectual capital which includes trade secrets, marketing plans, research and development findings and even source code. McAfee and SAIC collaborated with Vanson Bourne to survey more than 1,000 senior IT decision makers in the U.S., U.K., Japan, China, India, Brazil and the Middle East. The study is a follow up to a report released in 2008 called “Unsecured Economies.” The new study reveals the changes in attitudes and perceptions of intellectual property protection in the last two years. The findings revealed which countries were perceived as the least safe to store corporate data, the rate at which organizations are experiencing breaches and the response rate to prevent or remediate data breaches.

“Cybercriminals have shifted their focus from physical assets to data driven properties, such as trade secrets or product planning documents,” said Simon Hunt, vice president and chief technology officer, endpoint security at McAfee. “We’ve seen significant attacks targeting this type of information. Sophisticated attacks such as s Operation Aurora, and even unsophisticated attacks like Night Dragon, have infiltrated some of the of the largest, and seemingly most protected corporations in the world. Criminals are targeting corporate intellectual capital and they are often succeeding.”

“The distinction between insiders and outsiders is blurring,” said Scott Aken, vice president for cyber operations at SAIC. “Sophisticated attackers infiltrate a network, steal valid credentials on the network, and operate freely – just as an insider would. Having defensive strategies against these blended insider threats is essential, and organizations need insider threat tools that can predict attacks based on human behavior.”

[...]

To download “Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency,” please visit http://www.mcafee.com/us/resources/reports/rp-underground-economies.pdf.

Signaling Dissent: Unorthodox Links to the Internet

Via economist.com -

With a tin can, some copper wire and a few dollars’ worth of nuts, bolts and other hardware, a do-it-yourselfer can build a makeshift directional antenna. A mobile phone, souped-up with such an antenna, can talk to a network tower that is dozens of kilometres beyond its normal range (about 5km, or 3 miles). As Gregory Rehm, the author of an online assembly guide for such things, puts it, homemade antennae are “as cool as the other side of the pillow on a hot night”. Of late, however, such antennae have proved much more than simply cool.

According to Jeff Moss, a communications adviser to America’s Department of Homeland Security, their existence has recently been valuable to the operation of several groups of revolutionaries in Egypt, Libya and elsewhere. To get round government shutdowns of internet and mobile-phone networks, resourceful dissidents have used such makeshift antennae to link their computers and handsets to more orthodox transmission equipment in neighbouring countries.

Technologies that transmit data under the noses of repressive authorities in this way are spreading like wildfire among pro-democracy groups, says Mr Moss. For example, after Egypt switched off its internet in January some activists brought laptops to places like Tahrir Square in Cairo to collect, via short-range wireless links, demonstrators’ video recordings and other electronic messages. These activists then broadcast the material to the outside world using range-extending antennae.

According to Bobby Soriano, an instructor at the Philippine branch of Tactical Tech, a British organisation that teaches communication techniques to dissidents in five countries, such antennae can even foil government eavesdropping and jamming efforts. Directional antennae, unlike the omnidirectional sort, transmit on a narrow beam. This makes it hard for eavesdroppers to notice a signal is there.

The Key Skill-Set of Great Penetration Testers

via thehackeracademy.com (March 24, 2011) -

I was reading an article entitled “Ideal Skill Set For the Penetration Testing” that I found fascinating. And while the author had some good points about the some of the more easily forgotten background skills that are required to be a great pen tester (e.g. OS and programming language skills), I think Keatron missed the majority of the real key skills that are required to become a great penetration tester.

Because, while it’s important to have all of the skills that he mentioned, one could have all of those skills and still be missing a lot. In fact, I know a lot of people (even those who have penetration testing jobs) that have all of those skills in spades and yet have trouble executing on penetration tests.

For me, the difference between Keatron’s list and a great penetration tester comes down to one thing: intelligence types. Specifically, the difference between convergent intelligence and divergent intelligence. Convergent intelligence is the ability to derive a solution from the evidence available to us, while divergent intelligence is the act of taking a single thought or concept and finding multiple applications for it.

In the Western world, we have traditionally emphasized the importance of convergent intelligence – all of our schooling focuses on developing this type of intelligence. Yet, it is the ability to develop divergent intelligence that actually leads us to be great penetration testers.

Comodo CA Compromised by Iran?

http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

Report of Incident on 15-MAR-2011
An RA suffered an attack that resulted in a breach of one user account of that specific RA. This RA account was then used fraudulently to issue 9 certificates (across 7 different domains). All of these certificates were revoked immediately on discovery. Monitoring of OCSP responder traffic has not detected any attempted use of these certificates after their revocation.

Fraudulently Issued Certificates
9 certificates were issued as follows:

Domain: mail.google.com [NOT seen live on the internet]
Serial: 047ECBE9FCA55F7BD09EAE36E10CAE1E

Domain: www.google.com [NOT seen live on the internet]
Serial: 00F5C86AF36162F13A64F54F6DC9587C06

Domain: login.yahoo.com [Seen live on the internet]
Serial: 00D7558FDAF5F1105BB213282B707729A3

Domain: login.yahoo.com [NOT seen live on the internet]
Serial: 392A434F0E07DF1F8AA305DE34E0C229

Domain: login.yahoo.com [NOT seen live on the internet]
Serial: 3E75CED46B693021218830AE86A82A71

Domain: login.skype.com [NOT seen live on the internet]
Serial: 00E9028B9578E415DC1A710A2B88154447

Domain: addons.mozilla.org [NOT seen live on the internet]
Serial: 009239D5348F40D1695A745470E1F23F43

Domain: login.live.com [NOT seen live on the internet]
Serial: 00B0B7133ED096F9B56FAE91C874BD3AC0

Domain: global trustee [NOT seen live on the internet]
Serial: 00D8F35F4EB7872B2DAB0692E315382FB0

[...]

Our Interpretation

• The circumstantial evidence suggests that the attack originated in Iran.
• The perpetrator has focused simply on the communication infrastructure (not the financial infrastructure as a typical cyber-criminal might).
• The perpetrator can only make use of these certificates if it had control of the DNS infrastructure.
• The perpetrator has executed its attacks with clinical accuracy.
• The Iranian government has recently attacked other encrypted methods of communication.
• All of the above leads us to one conclusion only:- that this was likely to be a state-driven attack.

---------------------------------------------------------------------

Microsoft Security Advisory (2524375)
Fraudulent Digital Certificates Could Allow Spoofing
http://www.microsoft.com/technet/security/advisory/2524375.mspx

Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.

-----------------------------------------------------------------

Cyber Attack Attribution is Inherently Difficult

Seems like a very effective method to enable a government to man-in-the-middle their own citizens for surveillance purposes. However, based on just the public information, the attribution to Iran should be taken with a gain of salt.

July 15, 2010: US Congress - Planning For The Future of Cyber Attack Attribution

'Given that the Internet is intended to be open and anonymous, the attribution of cyber attacks can be very, very difficult to achieve and should not be taken lightly." - Congressman David Wu (Chairman, Subcommittee on Technology and Innovation, Committee on Science and Technology)

Errata Security - No Reason to Believe Comodo Attack Came From Iran
http://erratasec.blogspot.com/2011/03/no-evidence-comodo-compromise-was-from.html

In the end, if you are responsible for information / cyber security of a corporation, it doesn't really matter if it is 16 year old kids or Iran - you don't want them on your network and you don't want them stealing your data. Period.

Japan in Crisis: Tokyo HackerSpace

http://www.tokyohackerspace.org/en/japan-in-crisis

To all the people on the good planet Earth, the crew of Tokyo HackerSpace has a message that we would like to send to you:

By now, everyone knows of the crisis in northern Japan. It will still be a few weeks before life is under control here. We are looking forward to the day that the power plants are safe and the tremors have subsided.

Many of our members have been cooped up in our homes waiting out the storm, but not laying idle.

The Japanese government is doing the best that they can to manage the crisis and help people who have lost loved ones, homes, utilities and possessions.

Tokyo HackerSpace has already begun to lay plans for projects which we feel can help the people of Japan, utilizing the best of our abilities and resources.

Our first course of action has been to order up the required parts for 150 solar powered LED lanterns. We will be assembling them here and shipping them up (or delivering by hand) to aid organizations. These lanterns provide just enough light so that people can feel safe at night without power, find their way in the dark, and maintain the sense of community. They charge during the day via the sun, and will help to light the way for 8 hours each night.

We also have on the way several geiger counters and geiger tubes, from which we will be making community sensors, in order to help to keep the public in harms way informed on a minute by minute and hour by hour basis. While the initial exposure has been low, our concern is the long term effects, food and water supply, and ground soil conditions over the next several months.

Or longer term projects include solar cell phone charging stations, low energy cooking equipment, internet, wifi, and laptop loans, and other technical concerns.

We are calling upon Hacker Spaces all over the world, and friends of Hacker Spaces, and friends of friends of Hacker Spaces, to help out.

Soon we will release a list of critical equipment and supplies which we may have difficulty sourcing locally. If you have access to anything on the list, please contact us to make shipping arrangements. If not, please DO NOT ship us anything not on the list (In some cases, it may be VERY specific). Items not on our list will only crowd our space and waste your shipping money and time. If you have something specific or unique you think we could use, feel free to send us an email and inquire.

In the meantime, we ask that anyone who can, please donate to only reputable charities. Or, if you prefer, you may donate directly to us, and we will utilize it for the above mentioned projects, or give the money directly to Japanese aid organizations known to be doing good work in the area.

You can donate via Paypal to theTHSstore@gmail.com

Good night and good luck.

Music: Hooverphonic - 2Wicky

-------------------------------------------------------------------------------------------

Hooverphonic are a Belgian rock/pop group, formed in 1995.

Official Hooverphonic Homepage
http://www.hooverphonic.com/be-en/home

SecureWorks Threat Analysis - RSA Compromise: Impacts on SecurID

http://www.secureworks.com/research/threats/rsacompromise/

Executive Summary

RSA is the security division of EMC software, best known for the popular SecurID two-factor authentication tokens used in high-security environments. RSA announced that a cyberattack resulted in the compromise and disclosure of information "specifically related to RSA's SecurID two-factor authentication products". The full extent of the breach remains publicly unknown. RSA states that "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack." Organizations that make use of SecurID should be alert for attempts at circumventing their authentication infrastructure, though no specific attacks are known to be occurring at the time of this publication.

[...]

Recommended Actions

Recommended actions
With the potential impacts from the previous section in mind, the response should focus on a few key areas.

• Direct attacks against an ACE server.
  
  • Confirm current patch levels and general server hardening
  • Monitor IPS/IDS logs
  • Monitor server logs
• Brute-Force attacks attempting to determine the specific seed used for a given account's SecurID token, as well as attacks aimed at compromising other authentication factors.
• Monitor for repeat authentication failures, both on the ACE server and on intermediate appliances and systems
• Monitor for authentication failures not followed by success both on the ACE server and on intermediate appliances and systems
• Changes in source of authentication attempts.
• Multiple concurrent logins for a single account.

Caution is also warranted surrounding the integrity of communication channels over which OTPs and tokencodes are submitted. Even under a conservative scenario where seeds were disclosed, but specific customer ownership was not, it may be possible to determine which seed is in use by observing a small number of submitted tokencodes. PINs can also be exposed through such observation. Considering these factors yields the following recommendations:

• Ensure OTPs are only submitted over encrypted channels.
• Be vigilant for phishing or impersonation schemes that may seek to capture OTPs.
• Educate users' expectations as to which systems prompt for OTPs to protect against phishing and social engineering attempts.

Conclusion

Until additional information becomes available regarding the specific information that was compromised, a good deal of assumption and speculation is involved in preparing an appropriate response. However, certain information would be of interest to threat actors and fit RSA's criteria that the information could "... potentially be used to reduce the effectiveness of a current two-factor authentication implementation ..." while not facilitating "... a successful direct attack on any of our RSA SecurID customers." Monitoring for anomalies and additional intelligence may allow customers to further focus response efforts.

By focusing on the publicly available information and factors discussed in this analysis, customers can implement a specific response to decrease the likelihood of exposure via the SecurID authentication compromise.

Microsoft SRD: Blocking Exploit Attempts of the Recent Flash 0-Day

Via Microsoft SRD Blog -

We’ve recently become aware of a new exploit in the wild targeting a 0-day vulnerability in Adobe Flash Player. This exploit differs from the typical Flash Player attacks we’ve seen where a victim is lured into browsing to a website hosting malicious Flash content. Instead, these attacks involve a malicious Flash .swf file that is embedded into a Microsoft Excel document and then sent to a victim via email.

[...]

First, customers using Microsoft Office 2010 are not susceptible to the current attacks. The current attacks do not bypass the Data Execution Prevention security mitigation (DEP). Microsoft Office 2010 turns DEP on for the core Office applications, and this will also protect Flash Player when it is loaded inside an Office application. In addition to that, users of the 64 bit edition of Microsoft Office 2010 have even less exposure to the current attacks as the shellcode for all the exploits we’ve seen will only work on a 32 bit process. What’s more, if an Office document originates from a known unsafe location such as email or the internet, Office 2010 will activate the Protected View feature.

[...]

For users who want additional protections as well as users of Microsoft Office prior to 2010, the Enhanced Mitigation Experience Toolkit (EMET) can help. Turning on EMET for the core Office applications will enable a number of security protections called security mitigations. The exploits we’ve seen so far are broken by three of these mitigations: DEP, Export Address Table Access filtering (EAF), and HeapSpray pre-allocation. EMET is of value even to Microsoft Office 2010 as it has the first of the three enabled by default, but does not have the second or third ones.

To be protected by EMET, there are a few steps you need to follow. You first need to download the tool, install it, and then finally configure it to protect an application. It’s a good idea to configure EMET to protect not just Excel, but all of the Office applications as even though the attacks we’ve seen only target Excel, Flash Player can also be hosted in other Office applications as well.

[...]

Since Flash Player can also be hosted in a web browser, you may wish to turn on EMET for the browser you use. This can be done by adding the browser executable to the list of protected applications per the above steps. In general it is a good idea to utilize a browser that opts into DEP by default such as Internet Explorer 8 and 9 (as well as several third party browsers).

Beyond EMET, there is a workaround that Office 2007 users can use to prevent the Flash Player (as well as other ActiveX controls) from loading inside an Office application. This is done by changing the ActiveX setting in the Trusted Center to “Disable all controls without notification”....

The ActiveX setting in the Trust Center can also be set via group policy or registry. For more information, please refer to “Security policies and settings in the 2007 Office system”. As a final note, please be aware that the setting has the potential to break add-ons for Microsoft Office. It is a good idea to test any add-ons you use before making this change too widely.

------------------------------------------------------------------------------------------------------

For those interested in the Office 10 sandbox, check here - it’s basically the next generation of MOICE.

Sadly, not everyone is running Office 10, so If you are running Office 2003 or 2007, I would recommend installing the Microsoft Office Isolated Conversion Environment (MOICE) - http://support.microsoft.com/kb/935865

MOICE takes a potentially risky binary file type and convert it within a sandboxed process to the new XML format (much safer) and then back to the binary format and opens it. The hope of doing this conversion was to remove any exploit code that was hidden away within the file.

APT: RSA Identified an Extremely Sophisticated Cyber Attack in Progress

Open Letter to RSA Customers
http://www.rsa.com/node.aspx?id=3872

Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day. Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.

----------------------------------------------------------------------------------------------------

Rich Mogull @ Securosis has written a good non-hype summary outlining what is known, what is not and what RSA SecurID customers need to do....

What You Need to Do
If you aren’t a SecureID customer… enjoy the speculation.

If you are, make sure you contact your RSA representative and find out if you are at risk, and what you need to do to mitigate that risk. how high a priority this is for you depends on how big a target you are- the Big Bad APT isn’t interested in all of you.

Based on how the letter was worded it might mean that the attackers have a means to generate certain valid token values (probably only in certain cases). They would also need to compromise the password associated with that user. I’m speculating here, which is always risky, but that’s what I think we can focus on until we hear otherwise. Thus reviewing the passwords tied to your SecureID users might be reasonable.

Open Questions

1. While we don’t need to know all the details of the attack, we do need to know something about the attacker to evaluate our risk. Can you (RSA) reveal more details?
2. How is SecureID affected and will you be making mitigations public?
3. Are all customers affected or only certain product versions and/or configurations?
4. What is the potential vector of attack?
5. Will you, after any investigation is complete, release details so the rest of us can learn from your victimization?

Finally- if you have a token from a bank or other provider, make sure you give them a few days and then ask them for an update.

Radiation Risk to the US

Via UCS All Things Nuclear Blog -

Given the fact that Japan is thousands of miles from the United States, it is highly unlikely that Americans would be exposed to radioactive material from direct inhalation of a plume from the Fukushima nuclear complex.

While wind patterns will likely carry the radioactive plume eastward, radioactive material will be so diffuse by the time it reaches Hawaii, Alaska, or the mainland United States that it is highly unlikely to create significant health concerns.

Related to this, UCS just released a statement about potassium-iodide pills:

The people of Japan should be given priority access to potassium iodide (KI) pills used to protect against thyroid cancer following inhalation of radioactive iodine.

Given the fact that Japan is thousands of miles from the United States, it is highly unlikely that Americans would be exposed to radioactive iodine from direct inhalation of a plume from the Fukushima nuclear complex. Direct inhalation is the kind of exposure that potassium iodide pills would be most effective against.

Regardless, there are reports that global supplies of potassium iodide pills are being depleted because Americans are buying them, prompting fears that there will not be adequate supplies in Japan in the event of a larger radiological release.

Besides inhalation, another way Americans could be exposed to radioactive iodine is if agricultural products were contaminated. Radioactive iodine could be ingested by dairy cows, for example, and then would be concentrated in milk. Potassium iodide, however, would not be an effective countermeasure in that situation. Moreover, federal and state health authorities would test for such contamination and could take products off the market if necessary.

----------------------------------------------------------------------

Translation: Stop freaking out and stop wasting money on KI pills - because there are real people in real danger that really need them. Take that money and donate it to the American Red Cross instead.

America Red Cross: Japan Earthquake and Pacific Tsunami
https://american.redcross.org/site/Donation2?idb=0&5052.donation=form1&df_id=5052

Trojan.Linxder and The Flash 0-day (CVE-2011-0609)

Via FireEye Malware Intelligence Lab Blog -

Adobe recently reported the existence of a new zero day flaw in flash player which, according to them, can affect flash player 10.2.152.33 and earlier versions. Soon after, additional news broke out showing that this flaw had been used as part of limited targeted attacks. The initial attacks used a swf file embedded inside an MS excel file to lure users into clicking it. Once a user opens this excel file, the flash file embedded inside gets activated, exploiting this vulnerability. Bugix-security blog described the exploitation process in great detail here.

Today, I would like to extend this analysis by talking more about the malware behind the exploit. What kind of malware is this? What does it do, and who might be the people behind this attack? During the course of my investigation, I found some clues leading me to the potential hackers behind these attacks. My preliminary analysis shows that Chinese hackers are probably the master minds of this attack. I will come to reasons for this conclusion later.

[...]

From a user perspective it happens very quickly:

Attacker Excel file---> Exploit SWF ---> a.exe ---> svshost.exe & crsenvironscan2.xls

One can see that an unaware user will feel that he has actually opened crsenvironscan2.xls.

crsenvironscan2.xls

As I have explained above, this excel file is just there to deceive the end user into thinking that he/she has actually opened a benign file. The attackers knew that for this attack to execute successfully, without leaving any tell-tale traces behind, they need to provide a valid data file compelling enough to lure users into clicking it.

[...]

One can see that last saved date (3/8/2011) is very close to the known release time of this attack. Apparently it looks as if this file was last saved on a computer having loged-in username as 'linxder'.

Who is this linxder? My colleague Darien pointed me to few links on google that tells us that a guy named “linxder” is a known chinese threat actor. This guy is an old-school hacker that has a fairly expansive social network.

[...]

If one searches linxder's baidu profile, we can see that he talks a ton about weaponizing flash containers in other file formats, which is exactly what happens in this attack.

Based on this evidence it can be said with a reasonable confidence that the chinese hackers are the master minds of this attack. Although it's also possible that some rival group is trying to mislead the world by wrongly involving linxder in this matter.

WhisperCore Brings Device-level Encryption to Android

Via H-Online.com (Security) -

Whisper Systems, the developers of the RedPhone voice encryption and TextSecure SMS encryption systems for Android phones, has now released WhisperCore. The software is a device-level encryption system that is intended to protect all the data on a user's Android phone.

Whisper Systems CTO and co-founder, Moxie Marlinspike, told CNET that WhisperCore "uses AES with 256-bit keys in XTS mode, the same disk encryption protocol that's proven itself in the PC space with tools like TrueCrypt or LUKS (Linux Unified Key Setup)".

This first release is an early beta labelled version 0.1 and is described as a tech-demo. This release is only currently available for Nexus S phones but is expected to expand to other devices soon. WhisperCore will be available for free for individual use with pricing for commercial use dependent on deployment size.

The web site currently available states that the system integrates with the Android operating system and protects all the data and programs on the phone. It includes full-disk encryption and can be set so as to also protect data held on the phone's SD card.

The WhisperCore Beta is available to download on the Whisper Systems web site. Three installers are available, for 64-bit Linux, Mac OS X and 64-bit Windows. As a beta it should not be used where security or stability is important.

Blood Money: Pakistan Acquits CIA Contractor Raymond Davis

Via BBC (South Asia)

A Pakistani court has acquitted a US CIA contractor of two counts of murder at a hearing held at a prison in Lahore, a government official has said.

Raymond Davis, 36, was alleged to have shot dead two men in the eastern city of Lahore in January following what he said was an attempted armed robbery.

The acquittal came when relatives of the dead men pardoned him in court.

They confirmed to the judge overseeing the case that they had received compensation - known as "blood money".

Under Pakistani law, relatives of a murder victim can pardon the killer.
Reports say about 18 family members of the two dead men were in court on Wednesday and confirmed that they wanted Mr Davis to be freed and pardoned because they had received "blood money".

-----------------------------------------------------------------------

Under Sharia law (and Pakistan law), Qisas can in some cases result in blood money being paid out to the family of victims. The amount varies from country to country and from case to case.

According to the Guardian UK...

Television stations reported that the American spy had left the jail with US consulate officials and was being flown on a special flight to London.

Twitter Enables Always-on SSL Encryption

Via WashingtonPost.com (Faster Forward Blog) -

Twitter is adding a security option that you should turn on immediately unless you think eavesdroppers could make more creative use of your account than you.

The San Francisco micro-blogging service now allows you to encrypt your use of the site — not just when you log in, as is already the case, but throughout. It’s often referred to as “always-on SSL,” (short for “Secure Sockets Layer,” the earliest level of encryption offered by financial sites) or “HTTPS” (after the prefix you’ll see in your browser instead of the usual “http”).

[...]

A blog post by Twitter spokeswoman Carolyn Penner explains how to choose this option: Log into the site, click the Settings link in the menu below your username at the top right of the page, scroll down and click the checkbox next to “Always use HTTPS.” Then click the Save button to keep those changes (you may need to enter your password again). The post also notes that while Twitter’s official iPhone and iPad applications also encrypt your session, its mobile does not — there, you’ll still need to type in or bookmark https://mobile.twitter.com yourself.

Twitter’s programs for Android, BlackBerry and other non-Apple devices don’t yet benefit from this new option either, Penner wrote in an e-mail. “We’re working on it,” she said.

CVE-2011-0609 - Adobe Flash Player ZeroDay

Found some additional information related to the Adobe Flash Zero-day exploit and the dropped malware….

Bugix Security has a goodbreak down on the exploit, it uses of two SWF files embedded in an XLS
http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html

Filename: crsenvironscan.xls
Size:126,444 bytes
MD5 Hash: 4BB64C1DA2F73DA11F331A96D55D63E2

The first SWF provide a heap spray and sets up memory....the second SWF is loaded and appear to trigger the bug (possible vuln in the way Flash Player parser)

The dropped EXE is encrypted….

Filename: a.exe
Size: 46,048 bytes
MD5 Hash: 1e09970c9bf2ca08ee48f8b2e24f6c44

According to VT, the dropped malware has zero AV detection as of 3/15/11 14:46 GMT
http://www.virustotal.com/file-scan/report.html?id=62db3743cc62c66a4b8806d8fe23966472b9841b7d91e9025f474990bd88cc89-1300200408

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

http://www.adobe.com/support/security/advisories/apsa11-01.html

Release date: March 14, 2011
Vulnerability identifier: APSA11-01
CVE number: CVE-2011-0609
Platform: All Platforms

Summary
A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.13 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.1.106.16 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. At this time, Adobe is not aware of attacks targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

We are in the process of finalizing a fix for the issue and expect to make available an update for Flash Player 10.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, and an update for Adobe Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions during the week of March 21, 2011. Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.

--------------------------------------------------------------------------------------

Given that the primay attack vector is Flash embedded in Office documents, I would recommend disabling the Flash Browser Plug-in (for Firefox, IE and Chrome) until patches are released. Additionaly, the exploit could be triggered in a drive-by-download browser fashion, if a victim browses (or tricked into browsing to) a malicious Flash file on the Internet.

For defense-in-depth, I would recommend upgrading Adobe Reader to the latest version and making sure that 'Protected Mode' is enabled. Users running newer versions of Windows (Vista / Windows 7) should get added protection from ASLR and DEP.

India Seizes 61 Pirates After Gunfight in the Arabian Sea

Via Telegraph UK -

The operation is one of the most successful since Somalian pirates escalated their campaign of extortion and kidnap on the Indian Ocean two years ago. The Indian authorities have yet to disclose the nationality of the suspects but they are believed to be from either Somalia or Yemen.

They were arrested after an Indian naval ship closed in on a hijacked fishing vessel just under 700 miles off the Kerala coastal port of Cochin. The boat was carrying 61 suspected pirates and 13 of the boat's crew who had been held captive.

The suspected pirates had hijacked the boat, the Mozambique-flagged Vega 5 in December last year and had since used it as a base for attacks on other ships.

They were finally caught on Sunday after they opened fire on the approaching Indian naval ship. They were forced to jump overboard when their own vessel was set ablaze caught fire in fierce retaliatory fire from the Indian ship. The 13 original crew members were freed in the raid. Indian officials said they found 80 to 90 small arms or rifles and some heavy weapons on the fishing vessel.

The number of pirate attacks and the scale of their demands has increased singnificantly in recent months. More than 660 people are currently believed to be held hostage in pirates from raids on 30 ships.

India has intensified its operations against pirates in the Indian Ocean. It arrested 28 pirates last month and 15 in January.

The End of The Counterterrorism Blog

Via CT Blog (by Douglas Farah) -

To Our Readers:

Thank you for your faithful readership through the past five years. Over its short run, the Counterterrorism Blog served an important role both as a leading terrorism news and information aggregator and as a site where noted practitioner-experts presented commentary and analysis. This combined to make the site a regular “one-stop” bookmark for the interested public, media and policy community at a crucial time. CTB has had a remarkable run, and a tremendous impact – in addition to being visited over 8.2 million times, the CTB spurred news stories, held Congressional briefings, embedded reporters in war zones, and informed the policy debate – even earning a negative review from Al Qaeda!

As the world has changed and the terrorism community has evolved so has the ability of the volunteer contributing experts on the Counterterrorism Blog to dedicate their time and energy to this enterprise. In light of this, the Board has made the decision to discontinue publishing here. In addition to their other policy, professional, publishing, teaching and research responsibilities, many of the CTB’s former contributing experts will be posting on other blogs and can continue to be read.

Thanks again for all the support through the years in making the CTB a leading voice in the Counterterrorism community and for your support and interest.

The Counterterrorism Foundation Board, publishers

-----------------------------------------------------------------------

I have been reading the CT Blog for years and hate to see it come to an end. The expert written blog entries were always a great source of quality information on terrorism and counterterrorism events around the world. I wish the best to all involved.

Security Research Index

http://research.phreedom.org/

The Security Research Index is a project indended to help the security community keep up with all the research presented at conferences around the world. Today there are way more conferences that any single person can attend and the number of presentations is overwhelming. I started this project because I wanted to have a place where I could go and read only the important details from each presentation.

At this website we will publish short reviews of presentations we find interesting. Unlike the abstracts published on the conference sites, our reviews are written after the presentation and aim to describe only the most important contribution to the state of the art, ignoring the background information and hype.

Contributors

The reviews on this site are provided by the following people:

• Alexander Sotirov
• Chris Eng

Google: Unpatched MHTML Vulnerability in IE Under Active Exploitation in Targeted Attacks

http://googleonlinesecurity.blogspot.com/2011/03/mhtml-vulnerability-under-active.html

We’ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011. Users browsing with the Internet Explorer browser are affected.

For now, we recommend concerned users and corporations seriously consider deploying Microsoft’s temporary Fixit to block this attack until an official patch is available.

To help protect users of our services, we have deployed various server-side defenses to make the MHTML vulnerability harder to exploit. That said, these are not tenable long-term solutions, and we can’t guarantee them to be 100% reliable or comprehensive. We’re working with Microsoft to develop a comprehensive solution for this issue.

---------------------------------------------------------------------------------------

Microsoft Security Advisory (2501696)
Vulnerability in MHTML Could Allow Information Disclosure
http://www.microsoft.com/technet/security/advisory/2501696.mspx

Suggested Workaround = Enable the MHTML protocol lockdown

Microsoft KB2501696 - Automated Microsoft "Fix it" to enable and disable suggested workaround
http://support.microsoft.com/kb/2501696

CNCERT: Surge in Attacks on Chinese Government Websites

Via Hostexploit.com -

At a conference for security professionals held in Beijing on Wednesday, the Chinese National Response Center (CNCERT) released its report on the state of computer network security in China in 2010. The report reveals that attacks on websites decreased by more than 21 percent but hackers increasingly targeted government agency websites with attacks jumping up by 67.6 percent.

The report contains the results of a number of detailed and scientific analyses and evaluates the threats being posed on a national and international level. The needs of users in China today, from basic network security to public network environments through to network information systems are assessed with advice and suggestions on how best to face the ever increasing challenges posed in a fast paced technological environment.

The overriding message of the report is that Chinese Government’s website security is weak as the increase in targeted attacks all too clearly illustrates. It notes too that this is problem for governments of all developed countries which urgently needs to be addressed. Similarly China is struggling to keep financial institutions protected from cybercriminals in an environment where Trojans and botnets are posing a major threat to network security. The increasing proliferation of mobile malware is also cause for concern along with the serious challenges posed by attacks on industrial control systems.

The report emphasizes the importance that China places on the protection of industrial control systems and recommends that all major systems should take immediate action to protect network security from external attack.

The Ministry of Industry and Information Technology reports that despite a crackdown on networks hosting malicious botnets, in collaboration with domain name registrars and internet service providers, systems have struggled to keep Trojans at bay with a significant increase over 2009. CNCERT found that nearly 5 million IP addresses were infected by a Trojan in 2010.

Brain: Searching for the First PC Virus in Pakistan

Via USA Today -

It was in 1986 that brothers Basit and Amjad Farooq circulated a floppy disk carrying Brain -- the first PC virus in history.

F-Secure researcher Mikko Hypponen was one of the early handful of self-styled virus hunters. When Hypponen reverse engineered Brain, he found buried in the code a block of text with the Farooq brothers' names, phone number and address, near Lahore Railway Station, Lahore, Pakistan.

Hypponen recently traveled to Pakistan and found the Farooq brothers 25 years later working at the same address.

----------------------------------------------------------

Full 10-Minute Documentary by F-Secure's Mikko Hypponen

SpyEye Botmasters Fight Back – Targeting Swiss Security Site’s SpyEye Tracker

Via RSA Blog -

The RSA FraudAction Research Lab recently discovered evidence of cybercriminal attempts to sabotage the Swiss white hat site, abuse.ch through new plug-ins to the latest SpyEye Trojan variants found in the wild, SpyEye v. 1.3.10. This move is significant in that it shows how fraudsters are eager to damage the non-profit website’s availability and credibility – a sign of the apparent effectiveness of SpyEye Tracker and that it represents more than just a thorn in the side of many Zeus- and SpyEye-toting botmasters.

RSA researchers have found proof that fraudsters are using a DDoS plug-in for the SpyEye Trojan designed to leverage botnets to knock out availability of abuse.ch. In addition, RSA FraudAction researchers found SpyEye config files into which legitimate website domains were deliberately inserted in an attempt to throw off the white hat site’s blocklists.

-----------------------------------------------------------------------------------

KrebsOnSecurity: SpyEye, ZeuS Users Target Tracker Sites
http://krebsonsecurity.com/2011/03/spyeye-zeus-users-target-tracker-sites/

Hackers vs Apple: An Interview with Charlie Miller and Dino Dai Zovi

Via H-Online.com -

Heise's new Mac & i magazine recently interviewed Charlie Miller and Dino Dai Zovi, co-authors of “The Mac Hacker's Handbook” about Apple security and how to compromise it. The H is able to present that interview in full. Both Miller and Dai Zovi are well known for their exploits against the Apple Mac software environment. Miller is a researcher currently employed by the security consultants Independent Security Evaluators. He previously worked for the NSA and has won prizes for successful exploits at several Pwn2Own contests.

Like Miller, Dai Zovi is a regular at Pwn2Own and was successful at the first Pwn2Own contest at CanSecWest 2007, where he hijacked a MacBook Pro through a cross-platform QuickTime flaw. He has been named by eWeek as one of the top 15 most influential people in security and currently works as an independent security consultant, author and speaker.

---------------------------------------------------------------------

Very entertaining interview. Gives the reader a very good overview of the real security threats to Apple, their current security stance (and why it is the way it is) and steps Apple can take now to get ahead of the malware - which is expected to grow with market share.

Some parts are quite technical, so some knowledge of exploit development and mitigation will be a plus to readers. But there are also some very funny parts. Good read.

Visualizing Wi-Fi Networks Through Light

http://yourban.no/2011/02/22/immaterials-light-painting-wifi/

The city is filled with an invisible landscape of networks that is becoming an interwoven part of daily life. WiFi networks and increasingly sophisticated mobile phones are starting to influence how urban environments are experienced and understood. We want to explore and reveal what the immaterial terrain of WiFi looks like and how it relates to the city.


Immaterials: Light painting WiFi from Timo on Vimeo.

This film is about investigating and contextualising WiFi networks through visualisation. It is made by Timo Arnall, Jørn Knutsen, Einar Sneve Martinussen. The film is a continuation of our explorations of intangible phenomena that have implications for design and effect how both products and cities are experienced. Matt Jones of BERG has summarised these phenomena as ‘Immaterials’, and uses sociality, data, time and radio as examples. Radio and wireless communication are a fundamental part of the construction of networked cities. This generates what William Mitchell called an ‘electromagnetic terrain’ that is both intricate and invisible, and only hinted at by the presence of antennas (2004, p.55).

------------------------------------------------------------------------------------

Hat-tip to Threatpost.com for bringing this awesome project to my attention.

Malware in Recent Korean DDoS Attacks Destroys Systems

Via McAfee Labs Blog -

There has been quite a bit of news recently about distributed denial of services (DDoS) attacks against a number of South Korean websites. About 40 sites– including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and the National Assembly–were targeted over the weekend, beginning around March 4 at 10 a.m. Korean time. These assaults are similar to those launched in 2009 against sites in South Korea and the United States and although there is no direct evidence connecting them so far, they do bear some similarities.

DDoS attacks have occurred with more and more frequency, but one of the things that makes this attack stand out is its use of destructive payloads. Our analysis of the code used in the attack shows that when a specific timezone is noted by the malware it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it.

The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which will provide additional instructions. Looking at the disbursement of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Disbursement across this many countries increases resilience to takedowns.

[...]

The two layers make it harder to analyze the malware because an analyst must understand many components and cannot simply follow the code flow within one malware binary. However, forensics are easier because in postmortem we can identify which task files have been created on an infected computer.

The malware in its current incarnation was deployed with two major payloads:

• DDoS against chosen servers
• Self-destruction of the infected computer

Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.

When being installed on a new computer, the malware records the current time stamp in the file noise03.dat, which contains the amount of days this computer is given to live. When this time is exceeded, the malware will:

• Overwrite the first sectors of all physical drives with zeroes
• Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes

The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data when the system time is set before the infection date.

-------------------------------------------------------------------------------------------------------------------------

It is funny sometimes, how short of a memory we have in the infosec community....

PCs Used in Korean DDoS Attacks May Self Destruct (July 2009)
http://voices.washingtonpost.com/securityfix/2009/07/pcs_used_in_korean_ddos_attack.html

There are signs that the concerted cyber attacks targeting U.S. and Korean government and commercial Web sites this past week are beginning to wane. Yet, even if the assaults were to be completely blocked tomorrow, the attackers could still have one last, inglorious weapon in their arsenal: New evidence suggests that the malicious code responsible for spreading this attack includes instructions to overwrite the infected PC's hard drive.

[...]

Update, July 10, 10:00 a.m. ET: South Korean anti-virus firm Hauri has published an exhaustive analysis of this malicious software, available at this link here (PDF). It states that when July 10, AM 00:00 comes, the malicious code deletes files with certain extensions, that the "operating system not found" error appears at the next boot, and that the system cannot then be started normally.

G20 Data Targeted: PCs at French Ministry of Finance Infected with Spyware

Via H-Online.com -

The French Budget Minister, François Baroin, has confirmed a report by Paris Match magazine which said that his ministry fell victim to a cyber attack in December 2010. During the attack, 150 PCs were reportedly infected with spyware. The as yet unknown attackers appear to have targeted documents in connection with the French G20 presidency. The report said that although no official traces have been confirmed, there is evidence that the documents found their way to the unknown attackers via Chinese computers.

First evidence of an attack already appeared in January 2011. Since then, the French Network and Information Security Agency, Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), has been investigating the case. The report didn't state how the attackers compromised the PCs or which vulnerabilities were exploited.

Reportedly, other government ministries were also attacked, but without success. A similar attack on the G20 presidency was apparently already carried out last year when the Canadian Department of Trade and Commerce chaired the G20.

---------------------------------------------------------------------------------------

http://blogs.mcafee.com/mcafee-labs/cyberattack-targets-france%e2%80%99s-g20-plans

In total, over 150 computers in the ministry have been infiltrated through targeted spear-phishing emails containing a malicious attachment. First detected 2 months ago, it seems the investigators from the General Secretariat of Defense and National Security (SGDSN) were able to use a variety of lures to trace suspect exchanges between the compromised computers and some remote servers that were driving the attack. A Ministry senior official who wishes to remain unnamed added that some of the compromised data was redirected to sites in China.

------------------------------------------------------------------------------------

http://nakedsecurity.sophos.com/2011/03/07/french-ministry-hacker-attack-secret-g20-plans/

Inevitably the finger of suspicion is likely to point towards China for the hacking attack, but I think it's dangerous to conclude that a hack was state-endorsed unless there's definitive proof.

The truth is that proving the origin of a hack attack is complicated by the fact that cybercriminals can use compromised PCs owned by innocent people to act as a go-between when trying to break into someone's computer. In other words - yes, a Chinese computer might have tried to connect to yours, but it may be under the control of someone in, say, Great Britain.

We'd be naive to think that the Chinese (and just about every other country around the world) isn't using the internet for its political, commercial and military advantage, but we should be very cautious about making assumptions without having all the proof in front of us.

Financial Terrorism Suspected in 2008 Economic Crash

Via Washington Times (Feb 28, 2011) -

Evidence outlined in a Pentagon contractor report suggests that financial subversion carried out by unknown parties, such as terrorists or hostile nations, contributed to the 2008 economic crash by covertly using vulnerabilities in the U.S. financial system.

The unclassified 2009 report “Economic Warfare: Risks and Responses” by financial analyst Kevin D. Freeman, a copy of which was obtained by The Washington Times, states that “a three-phased attack was planned and is in the process against the United States economy.”

While economic analysts and a final report from the federal government's Financial Crisis Inquiry Commission blame the crash on such economic factors as high-risk mortgage lending practices and poor federal regulation and supervision, the Pentagon contractor adds a new element: “outside forces,” a factor the commission did not examine.

“There is sufficient justification to question whether outside forces triggered, capitalized upon or magnified the economic difficulties of 2008,” the report says, explaining that those domestic economic factors would have caused a “normal downturn” but not the “near collapse” of the global economic system that took place.

Suspects include financial enemies in Middle Eastern states, Islamic terrorists, hostile members of the Chinese military, or government and organized crime groups in Russia, Venezuela or Iran. Chinese military officials publicly have suggested using economic warfare against the U.S.

In an interview with The Times, Mr. Freeman said his report provided enough theoretical evidence for an economic warfare attack that further forensic study was warranted.

“The new battle space is the economy,” he said. “We spend hundreds of billions of dollars on weapons systems each year. But a relatively small amount of money focused against our financial markets through leveraged derivatives or cyber efforts can result in trillions of dollars in losses. And, the perpetrators can remain undiscovered.

-----------------------------------------------------------------------------------

Economic Warfare: Risks and Responses by Kevin D. Freeman
http://www.scribd.com/doc/49755779/Economic-Warfare-Risks-and-Responses-by-Kevin-D-Freeman

I suggest you try Bugmenot.com if you don't have an Scribd account.

Contagio: Mobile Malware Mini-Dump

Mila Parkour has put together a little mini-dump of mobile malware. Take a sample, leave a sample.

http://contagiodump.blogspot.com/2011/03/take-sample-leave-sample-mobile-malware.html

Kudos to Mila for her service to the security community.

Experts Fear Looted Libyan Arms May Find Way to Terrorists

Via NY Times -

Security analysts say the armed uprising in Libya poses a long-term security threat — that weapons looted from government stockpiles could circulate widely, including heat-seeking antiaircraft missiles that could be used against civilian airliners.

Photographs and video from the uprising show civilians carrying a full array of what were once the Libyan military’s weapons — like the SA-7, an early-generation, shoulder-fired missile in the same family as the more widely known Stinger — that intelligence agencies have long worried could fall into terrorists’ hands.

They also show large groups of young men equipped with a complete suite of lightweight, simple-to-use and durable infantry arms, including assault rifles, machine guns and rocket-propelled grenades, which have been a staple of fighting in Africa and Asia since midway through the cold war. Mines, grenades and several types of antitank missiles can be seen as well.

Past examples of state arsenals being looted by civilians — whether in Uganda in 1979, Albania in 1997 or Iraq in 2003 — have shown that once these weapons slip from state custody they can be sold through black markets, swiftly and quietly, to other countries and groups for use in wars where they can present long-lasting and destabilizing problems. Analysts are particularly concerned about the heat-seeking missiles, known as Man-Portable Air-Defense Systems, or Manpads.

“The danger of these missiles ending up in the hands of terrorists and insurgents outside of Libya is very real,” said Matthew Schroeder, the director of the Arms Sales Monitoring Project at the Federation of American Scientists in Washington. “Securing these missiles should be a top priority of the U.S. intelligence community and their counterparts overseas.”

The principal threat, the analysts said, is not necessarily that the rebels themselves, who want international sympathy and support, might use such weapons against airliners. Rather, the concern is that because these missiles can sell for at least several thousand dollars on black markets, opportunists will gather and offer them to third parties — pushing them into the underground trade.

Col. Muammar el-Qaddafi’s military was not particularly well-led, competent or large at the start of this conflict, with an army of roughly 45,000 soldiers, according to an assessment by Jane’s Information Group.

But over the decades, Colonel Qaddafi has spent heavily to equip his forces and amass reserve munitions and arms. He has been accused of procuring weapons to pass on to many foreign groups, including Palestinian and Irish fighters, rebel groups and friendly governments in sub-Saharan Africa.

The weapons that have emerged from storehouses in recent days confirm that despite international sanctions, Libya had acquired arms from multiple sellers in the former Eastern bloc, accumulating an arsenal that looks like the bounty of cold war clearance sales.

Microsoft: Friends Don't Let Friends Use IE6

Via ZDNet -

Microsoft has launched a new Web site that is aimed at stepping up its campaign to move users off Internet Explorer (IE) 6.

The new site — the Internet Explorer 6 Countdown — went live on March 4. The site “is dedicated to watching Internet Explorer 6 usage drop to less than 1% worldwide, so more websites can choose to drop support for Internet Explorer 6, saving hours of work for web developers,” according to the page.

The site includes links to tools for businesses that are stuck with IE 6 because they’ve developed internal-facing apps that are dependent on Microsoft’s 10-year-old, non-standards-compliant browser.Gartner analysts have complained in the past that Microsoft’s tools for moving business users off IE 6 are too pricey.

The new IE Countdown site also includes a world map, highlighting which countries around the world still have the most IE 6 installations. (China is No. 1.)

Analysis Shows DroidDream Trojan Designed for Future Monetization

Via Threatpost.com -

A detailed analysis of the DroidDream Trojan that was found in dozens of apps in the Android Market this week shows that the malware has a modular construction that likely was designed to give attackers the ability to monetize infected devices through installations of adware or spyware.

The Trojan itself is not especially clever or sophisticated and its communications with its command-and-control server on the back end are essentially by the book, as well. After infection, the DroidDream malware calls home to its C&C server to announce its presence and ask for further instructions. That's all rote, pro forma stuff.

What's most interesting in the DroidDream construction is that the Trojan is designed to act mainly as a downloader module, a shell to pull down other malicious modules in the future. This is the kind of malicious behavior that has been common in desktop and server malware for years now, but hasn't been seen widely on mobile devices as of yet. Most mobile malware up till now has been designed to carry out one or two specific tasks, say sending SMS messages to premium numbers or stealing online banking credentials.

"The highly modular architecture of the Trojan is interesting and points out of a few important conclusions. First of all, it has been designed to be easy to include in popular applications, to be uploaded on the Market with misleading names. Secondly, it has a classical command-and-control architecture – it sends an initial 'I’m here' query with basic info and then deploys a more complex downloader to infect the device further," Kaspersky Lab malware researcher Denis Maslennikov wrote in his analysis of the DroidDream Trojan. "This is pretty similar to many Windows Trojans. Finally, the ability to install other applications on the devices hints at the way through which the author was planning to monetize the infections – by deploying Adware or Advertising-supported apps on the device."

Officials Believe FBI Agent Who Disappeared in Iran 4 Years Ago Is Alive

Via FoxNews.com (AP) -

Four years after a retired FBI agent mysteriously vanished inside Iran, U.S. officials have received proof he is alive, a remarkable development that has dramatically intensified secret negotiations to bring him home, The Associated Press has learned.

The U.S. had lacked reliable information about whether Robert Levinson was alive or dead since he disappeared in March 2007 from the Iranian island of Kish. It remains unclear who exactly is holding Levinson or where he is, but the proof that he is alive is a rare hopeful sign in a case that had seemingly gone cold.

Iran has repeatedly said it has no information about Levinson, but U.S. diplomats and investigators have long said they believed he was taken by Iranian government agents.

As years passed, many in the U.S. government believed the 63-year-old with diabetes and high blood pressure might have died. But late last year, Levinson's family received proof that he was alive. Investigators confirmed its authenticity and that it was recent, current and former officials said. Officials say they believe he is still alive.

The AP has known about the proof since shortly after it arrived but delayed reporting it because officials said any publicity would jeopardize the ability to get Levinson home. The government announced Thursday afternoon that there were signs he was alive, so the AP published its story.

The AP is not disclosing the nature of the proof because officials believe that would hurt efforts to free him.

The current and former officials who discussed the matter and the pending announcement insisted on anonymity because the issue is so sensitive.

Next Wednesday will mark the fourth anniversary of Levinson's disappearance. With proof that he is alive, the case becomes one of the longer international hostage situations involving U.S. citizens. Levinson is unique, however, in that no one has publicly acknowledged holding him.

The government's announcement said Levinson may be in southwest Asia and renewed its calls for help from Iran. The statement was a change in tone from what had been stalemated discussions. The U.S. has previously expressed deep frustration over what it said was Iran's lack of cooperation.

[...]

Iran shares borders with the southwest Asian countries of Pakistan and Afghanistan, raising the possibility that Levinson was shuttled into one of those countries. Both border crossings are known smuggling routes. The route into Pakistan leads into a lawless tribal region that's home to insurgents, terrorist groups and criminal organizations.

Pakistani Intelligence and the CIA: Mutual Distrust and Suspicion

Via STRATFOR (Security Weekly) -

On March 1, U.S. diplomatic sources reportedly told Dawn News that a proposed exchange with the Pakistani government of U.S. citizen Raymond Davis for Pakistani citizen Aafia Siddiqui was not going to happen. Davis is a contract security officer working for the CIA who was arrested by Pakistani police on Jan. 27 following an incident in which he shot two men who reportedly pointed a pistol at him in an apparent robbery attempt. Siddiqui was arrested by the Afghan National Police in Afghanistan in 2008 on suspicion of being linked to al Qaeda.

During Siddiqui’s interrogation at a police station, she reportedly grabbed a weapon from one of her interrogators and opened fire on the American team sent to debrief her. Siddiqui was wounded in the exchange of fire and taken to Bagram air base for treatment. After her recovery, she was transported to the United States and charged in U.S. District Court in New York with armed assault and the attempted murder of U.S. government employees. Siddique was convicted in February 2010 and sentenced in September 2010 to 86 years in prison.

Given the differences in circumstances between these two cases, it is not difficult to see why the U.S. government would not agree to such an exchange. Siddique had been arrested by the local authorities and was being questioned, while Davis was accosted on the street by armed men and thought he was being robbed. His case has served to exacerbate a growing rift between the CIA and Pakistan’s Inter-Services Intelligence directorate (ISI).

Pakistan has proved to be a very dangerous country for both ISI and CIA officers. Because of this environment, it is necessary for intelligence officers to have security — especially when they are conducting meetings with terrorist sources — and for security officers to protect American officials. Due to the heavy security demands in high-threat countries like Pakistan, the U.S. government has been forced to rely on contract security officers like Davis. It is important to recognize, however, that the Davis case is not really the cause of the current tensions between the Americans and Pakistanis. There are far deeper issues causing the rift.

2011 Becomes the Year of Mobile Malware

Via Veracode Blog (March 2, 2011) -

Google pulled over 20 malicious apps from the Android Marketplace today. The inevitable has happened. 2011 has become the year of mobile malware. All the pieces of the malware ecosystem puzzle that researchers have been warning about are falling into place..

[...]

The malicious apps that were pulled were legitimate apps that were pirated, modified by the attackers, and republished. To downloaders of these apps they behaved and looked like well-functioning apps. There was no reason for these users to rate these apps poorly in the Android Marketplace’s reputation system or to leave comments that the apps were suspicious. This shows that reputation systems are a poor method of ensuring an app store is free of malware.

To Google’s credit they did remove the apps and have, or will, wipe the apps from users’ devices but this is too little, too late. The mobile devices are already compromised as the malware took advantage of kernel vulnerabilities to root the devices and download more malware that didn’t come through the app store. Anyone who ran the malicious apps now has a compromised device running software with root permissions that Google cannot wipe.

The exact same thing could happen tomorrow even though we know what Android kernel exploit code was used and there are new versions of Android that fix these issues. This is because many Android phones cannot be updated to the new versions of Android, 2.2.2 and 2.3, that fix the root holes. Many Android phone providers have customized their versions of Android so up to half of Android phones running 2.0, 2.1, 2.2 are sitting ducks to the same problem tomorrow.

-------------------------------------------------------------------------------------------------

Android Malware DroidDream: How it Works
http://blog.mylookout.com/2011/03/android-malware-droiddream-how-it-works/

When the host application—Bowling Time, in this case—is launched by a user, DroidDream will start by sending sensitive data to a command and control server. The sensitive data includes: IMEI, IMSI, Device Model & SDK Version.

[...]

DroidDream is configured to perform at least one successful check-in with the command and control server, at which point the command and control server will respond and acknowledge the presence of malware on the infected device. We found that the DroidDream authors have configured the malware to make sure the device is not already infected with another variant of DroidDream. If the device is already infected, the malware will not re-infect it.

When DroidDream attempts to infect a device, it uses two known exploits, exploid and rageagainstthecage, to break out of the Android security container. Both of the vulnerabilities being exploited were patched by Android 2.3 (Gingerbread). If exploid fails to root the device, the malware will attempt to use rageagainstthecage. Once the phone is rooted, DroidDream is configured to searched for a specific package named com.android.providers.downloadsmanager. If the malware does not find this package on the device, it will silently install a second malicious application without the user’s knowledge. If DroidDream does find the downloadsmanager package, it will not continue infecting the device with the second malicious application.

At Lookout, we are currently in the process of confirming what this second application is capable of, but our initial analysis shows that it appears to be able to send additional sensitive information to a remote server. The second malicious application also appears that to have the capability to silently install other applications.

Pakistani Court: US National Arrested in Killings Has No Immunity

Via monstersandcritics.com -

A Pakistani court ruled Thursday that a US national held for killing two people had failed to provide evidence that he had diplomatic immunity, lawyers said.

The US government has repeatedly said that Raymond Davis, a former special forces soldier, was an employee of its embassy in Islamabad, a claim that many Pakistani officials have challenged.

He was arrested after he allegedly shot two motorbike riders January 27 in Lahore, the capital of the eastern province of Punjab, in what he said was self-defence during an armed robbery attempt.

Asad Manzoor Butt, a lawyer representing the victims, said Judge Yousuf Ojla ruled the accused had failed to produce any documents that could show that he was really a US diplomat and enjoyed diplomatic immunity.

[...]

During Thursday's court proceedings, Davis was represented for the first time by a lawyer. Previously, he had told the court that he could not be charged because he had diplomatic immunity.

The Davis case has increased tensions between the United States and Pakistan. The Pakistani government fears his release could provoke a public backlash in an already politically unstable environment where anti-Americanism dominates.

Alberto Rodriguez, a US embassy spokesman, said his government had yet to see an official response about diplomatic immunity for Davis.

'We are working closely with the government of Pakistan to resolve this issue as it is important for our bilateral relations,' he said.

Senator John Kerry, chairman of the US Senate's Foreign Relations Committee, held talks with Pakistani civilian and military leaders last week to try to persuade them to release Davis.

The New York Times and Washington Post reported last week that Davis was not an embassy employee but a security contractor for the Central Intelligence Agency who had worked for private security firms, including Blackwater Worldwide, which is now known as Xe Services, for the CIA, operating out of a safe house in Lahore.