This is a development that can only be described as frightening.
From the link:
The Stuxnet worm is a “groundbreaking” piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multi-pronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.
“It’s amazing, really, the resources that went into this worm,” said Liam O Murchu, manager of operations with Symantec’s (SYMC) security response team.
“I’d call it groundbreaking,” said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. By comparison, other notable attacks, like the one dubbed “Aurora” that hacked Google’s (GOOG) network, and those of dozens of other major companies, were child’s play.
O Murchu and Schouwenberg should know: They work for the two security companies that discovered Stuxnet exploited not just one zero-day Windows bug, but four, an unprecedented number for a single piece of malware.
Stuxnet, which was first reported in mid-June by VirusBlokAda, a little-known security firm based in Belarus, gained notoriety a month later when Microsoft (MSFT) confirmed that the worm was actively targeting Windows PCs that managed large-scale industrial-control systems in manufacturing and utility firms.
Hacked by a compromised USB thumb drive. Just goes to show you can worry all day about technical threats and software backdoors and plain old network hacking, but all those assets out in the wild — people’s heads with sensitive passwords, unattended laptops, USB drives, et al. — can be hard to lock down and are usually the easiest way into a network.
From the link:
It was a USB drive loaded with malware.
That’s how U.S. defense networks were compromised in 2008, according to U.S. Deputy Defense Secretary William Lynn, who today offered the first official confirmation of a data breach that led to restrictions on the use of removable USB drives in the military.
In an article written for Foreign Affairs magazine, Lynn said the breach occurred when a single USB drive containing malicious code was inserted into a laptop computer at a U.S. base in the Middle East. The malware, placed on the drive by a foreign intelligence agency, was uploaded to a network run by the U.S. Central Command.
The malware then spread — undetected — on both classified and unclassified systems, essentially establishing a “digital beachhead” from which data could be transferred to servers outside the U.S. “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” Lynn wrote.
Here’s additional coverage of this story.
Update 8/30/10: And even more coverage. Looks like the actual threat was very low-level and involved the W32.SillyFDC worm.
Not good. Looks like the attack originated in Ukraine.
From the link:
Three Web sites belonging to the U.S. Department of the Treasury have been hacked to attack visitors with malicious software, security vendor AVG says.
AVG researcher Roger Thompson discovered the issue Monday on three Web domains associated with the home page of the U.S. Bureau of Engraving and Printing. As of late Monday, all three Web sites were still actively serving malicious software and the Bureau of Engraving and Printing Web site should be avoided until it’s clear that they’ve been cleaned up, Thompson said in an interview via instant message.
Although the Treasury Department could not be reached for comment, IT staff there appear to be aware of the problem. On Tuesday morning, all three sites had apparently been taken offline and were returning a “page not found” error.
According to Thompson, hackers had added a small snippet of virtually undetectable iframe HTML code that redirected visitors to a Web site in the Ukraine that then launched a variety of Web-based attacks based on a commercially available attack-kit called the Eleonore Exploit pack.
… don’t hit the F1 key.
Just one more reason to go with Google Chrome.
From the first link:
Microsoft Releases Security Advisory to Address VBScript Vulnerability
added March 2, 2010 at 08:36 am
Microsoft has released a security advisory to address a vulnerability in VBScript. The advisory indicates that this vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. By convincing a user to view a specially crafted HTML document (web page, HTML email, or email attachment) with Internet Explorer and to press the F1 key, an attacker could run arbitrary code with the privileges of the user running the application.
US-CERT encourages users and administrators to do the following to help mitigate the risks:
- Review Microsoft Security Advisory 981169.
- Review the Microsoft Security Research & Defense blog entry regarding this issue.
- Review US-CERT Vulnerability Note VU#612021.
- Refrain from pressing the F1 key when prompted by a website.
- Restrict access to the Windows Help System.
US-CERT will provide additional information as it becomes available.
Malware and other dark computer arts will become a problem for smartphones and other mobile devices. It’s definitely a matter of when, and not if. This idea to combat the problem seems pretty ingenious. The solution involves checking the device’s RAM for usage or anomalies that expose the presence of malware.
From the link:
Yesterday at the RSA Conference in San Francisco, a researcher presented a new way to detect malware on mobile devices. He says it can catch even unknown pests and can protect a device without draining its battery or taking up too much processing power.
Experts agree that malware is coming to smart phones, and researchers have begun to identify ways to protect devices from malicious software. But traditional ways of protecting desktops against threats don’t translate well to smart phones, says Markus Jakobsson, a principal scientist at Xerox PARC and the person behind the new malware detection technology. He is also the founder of FatSkunk, which will market malware-detection software based on the research.
Most antivirus software works behind the scenes, comparing new files to an enormous library of virus signatures. Mobile devices lack the processing power to scan for large numbers of signatures, Jakobsson says. Continual scanning also drains batteries. His approach relies on having a central server monitor a device’s memory for signs that it’s been infected, rather than looking for specific software.
… to help pay for correcting its sieve-like OS and application coding. Now I’m not saying Microsoft is the only reason malware, phishing, botnets and other cybercrime goes on out there, but its shoddy and ubiquitous products are to blame for a very large majority. And that statement comes from a Microsoft user and supporter.
This internet usage tax idea from MS’s “trustworthy computing” veep is the height of stupidly ballsy statements. Maybe Microsoft should remunerate every computer user whose identity has been stolen, data compromised or computer files corrupted or lost due to yet another security fix that came a little too late.
Taxing internet usage to fix a problem largely caused by a single entity? Not a good idea. Try again, Scott Charney.
From the link:
How will we ever get a leg up on hackers who are infecting computers worldwide? Microsoft’s (MSFT) security chief laid out several suggestions Tuesday, including a possible Internet usage tax to pay for the inspection and quarantine of machines. Today most hacked PCs run Microsoft’s Windows operating system, and the company has invested millions in trying to fight the problem.
Microsoft recently used the U.S. court system to shut down the Waledac botnet, introducing a new tactic in the battle against hackers. Speaking at the RSA security conference in San Francisco, Microsoft Corporate Vice President for Trustworthy Computing Scott Charney said that the technology industry needs to think about more “social solutions.”
Update 3/8/10 — Looks like I’m not alone in condemning this crazy idea.
Just the thing for the technically challenged wanna-be cybercriminal. It’s bad enough having to deal with nefarious coders, but these tools (and various “virus making for dummies” tools have been around forever) allow bored kids and garden variety criminals in on the lucrative world of botnets.
From the link:
In 2005, a Russian hacker group known as UpLevel developed Zeus, a point-and-click program for creating and controlling a network of compromised computer systems, also known as a botnet. Five years of development later, the latest version of this software, which can be downloaded for free and requires very little technical skill to operate, is one of the most popular botnet platforms for spammers, fraudsters, and people who deal in stolen personal information.
Last week, the security firm NetWitness, based in Herndon, VA, released a report highlighting the kind of havoc the software can wreak. It documents a Zeus botnet that controlled nearly 75,000 computers in more than 2,400 organizations, including the drug producer Merck, the network equipment maker Juniper Networks, and the Hollywood studio Paramount Pictures. Over four weeks, the software was used to steal more than 68,000 log-in credentials, including thousands of Facebook log-ins and Yahoo e-mail log-ins.
“They had compromised systems inside both companies and government agencies,” says Alex Cox, a principal analyst at NetWitness.
A survey conducted by another security firm–Atlanta-based Damballa–found Zeus-controlled programs to be the second most common inside corporate networks in 2009. Damballa tracked more than 200 Zeus-based botnets in enterprise networks. The largest single botnet controlled using the Zeus platform consisted of 600,000 compromised computers.
If this thing works, everyone ought to use it.
From the link:
Researchers at SRI International and Georgia Tech are preparing to release a free tool to stop “drive-by” downloads: Internet attacks in which the mere act of visiting a Web site results in the surreptitious installation of malicious software. The new tool, called BLADE (Block All Drive-By Download Exploits), stops downloads that are initiated without the user’s consent.
“When your browser is presented with an [executable file] for download, it’s supposed to prompt you for what to do,” said Phil Porras, SRI’s program director. But software can also be pushed onto an unsuspecting user’s computer without ever asking for permission.
In the fourth quarter of 2009, roughly 5.5 million Web pages contained software designed to foist unwanted installs on visitors, according to Dasient, a firm that helps protect websites from Web-based malware attacks. Such drive-by downloads target computers that are not up-to-date with the latest security patches for common Web browser vulnerabilities, or are missing security updates for key browser plug-ins, such as Adobe’s PDF Reader and Flash Player. Attackers use software called exploit packs, which probe the visitor’s browser for known security holes.
Looks like malware purveyors have added affiliate programs to the business model. The upside of this activity is the longer the chain of unrelated participants — particularly with the paper trail of payments added to the mix — the more likely the chain breaks down somewhere and the legal system catches up with the entire bunch.
From the link:
Sites like Amazon offer affiliate programs that pay users for sending them new customers. And now, malware authors, always quick to adopt tactics that work elsewhere, have developed their own affiliate program, which was described in a talk given today at the Black Hat DC computer security conference in Washington, DC.
Kevin Stevens, an analyst at Atlanta-based security consulting company SecureWorks, says sites with names like “Earnings4U” offer to pay users for each file they can install on someone else’s PC; the practice is called “pay per install.” Stevens found sites offering rates ranging from $180 per 1,000 installs on PCs based in the U.S. to $6 per 1,000 installs on PCs based in Asian countries.
As he researched the practice, Stevens says he discovered a number of companies engaged in pay per install. These companies periodically change their names to dodge the authorities. He also found forums where users shared tips for making more money, and a variety of sophisticated tools developed to make it easier for them to install malware. “It’s almost like a real, legitimate business,” he said.
The end of the internet as we know it? Not so much. Maybe the black hats responsible for the worm got cold feet after Microsoft put a quarter million dollar bounty on their head.
From the link:
Malicious software installed on millions of computers has yet to wreak havoc on technology systems worldwide as some fear, but researchers warned that the “Conficker worm” could still strike in the future.
Also known as Downadup or Kido, Conficker turns infected PCs into slaves that respond to commands sent from a remote server that effectively controls an army of slave computers.
Researchers feared that the network created by Conficker might be deployed on Wednesday for the first time since the worm surfaced last year because its code suggested it would seek to communicate with its master server on April 1.
They formed an industry-wide task force to fight the worm, bringing widespread attention that experts said probably scared off the criminals who command the army of slave computers, known as a botnet.
“The Conficker-infected machines attempted to call home to get new commands from their master but those calls went unanswered,” said Joris Evers, spokesman for security software maker McAfee Inc.
This is a new, and disturbing, twist on malware/virus attacks. It’s an encryption trojan horse that extorts money from you to decrypt the files (.doc, .pdf, etc.) in your My Documents folder.
If you have a problem with FileFix Pro 2009 do keep in mind there are no-cost fixes (read: file decrypters) out there so don’t send these cybercriminals any money.
If you need a fix, here are options from the link:
Users who have fallen for the FileFix Pro 2009 con do not have to fork over cash to restore their files, according to other researchers, who have figured out how to decrypt the data. The Bleeping Computer site, for instance, has a free program called “Anti FileFix” available for download that unscrambles files corrupted by the Trojan. And security company FireEye Inc. has created a free online decrypter that also returns files to their original condition.
Also from the link:
The new scam takes a different tack: It uses a Trojan horse that’s seeded by tricking users into running a file that poses as something legitimate like a software update. Once on the victim’s PC, the Trojan swings into action, encrypting a wide variety of document types — ranging from Microsoft Word .doc files to Adobe Reader .pdf documents — anytime one’s opened. It also scrambles the files in Windows’ “My Documents” folder.
When a user tries to open one of the encrypted files, an alert pops up saying that a utility called FileFix Pro 2009 will unscramble the data. The message poses as a semi-official notice from the operating system: “Windows detected that some of your MS Office and media files are corrupted. Click here to download and install recommended file repair application,” the message reads.
Clicking on the alert downloads and installs FileFix Pro, but the utility is anything but legit. It will decrypt only one of the corrupted files for free, then demands the user purchase the software. Price? $50.
I’m betting most readers of this blog know about fake virus warnings, and worse fake pop-up windows — quick hint, don’t zap them with the “x” on the window itself, drop down to the taskbar, right click and choose “close” — and how they can lead to malware or even betray that you already have a malware infection.
If you’re not aware of this insidious Windows problem, take the time to check this article out.
From the link:
Michael Vana knew something was up when he saw the pop-up from “Antivirus 2009” in the middle of his screen. The former Northwest Airlines avionics technician guessed that the dire warning of a system infection was fake, but when he clicked on the X to close the window, it expanded to fill his screen. To get rid of it, he had to shut down his PC.
Sound familiar? Dirty tricks like these, designed to get you to install and buy fake antivirus products, are more common than ever. (For advice on how to proceed if you’ve installed a phony antivirus on your PC, see “Antivirus 2009: How to Remove Fake AV Software.”) But while you might recognize such warnings as bogus, you might not know that the fake warning could be a red alert about an underlying bot malware infection. Knowing the difference is key.
“It’s not something you even blink at anymore,” says Christopher Boyd, senior director of malware research for communications security company FaceTime Communications, of requests for help in dealing with these warning pop-ups.
Cybercriminals are staying ahead of security experts and software developers.
This is a problem on many fronts. One, they are stealing money, information and data. They are criminals after all. Two, their activity clogs the “tubes” of the net. Three, because software experts spend an inordinate amount of time dealing with these nutbags, they have less time to spend developing new applications to get to the next generation of computing.
From the link:
Internet security is broken, and nobody seems to know quite how to fix it.
Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught.
As more business and social life has moved onto the Web, criminals thriving on an underground economy of credit card thefts, bank fraud and other scams rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A Russian company that sells fake antivirus software that actually takes over a computer pays its illicit distributors as much as $5 million a year.
With vast resources from stolen credit card and other financial information, the cyberattackers are handily winning a technology arms race.
“Right now the bad guys are improving more quickly than the good guys,” said Patrick Lincoln, director of the computer science laboratory at SRI International, a science and technology research group.
This seems like a tech to look into — a level of protection to make certain your online transactions are secure.
From the link:
You’re about to go online to make a financial transaction, but you don’t realize that your computer has been breached by malicious hackers: it’s loaded with malware and spyware. Verdasys believes that its tool, SiteTrust, can intervene at this point to keep your identity safe. SiteTrust buries itself deep in a computer’s operating system, where it can take fundamental control of most of the machine’s operations. Malware can’t attempt to interfere in an online transaction without SiteTrust’s knowing.
Cost: Free to customers through participating financial institutions