Jun 05

Flame malware using Windows Update to spread

Security researchers today published detailed information about how the Flame cyber-espionage malware spreads through a network by exploiting Microsoft’s Windows Update mechanism.

Their examinations answered a question that had puzzled researchers at Moscow-based Kaspersky Lab: how was Flame infecting fully patched Windows 7 machines?

Key to the phony Windows Update process was that the attackers had located and exploited a flaw in the company’s Terminal Services licensing certificate authority (CA) that allowed them to generate code-signing certificates chained to Microsoft’s own root, in effect certificates “signed” by Microsoft.

Armed with those fake certificates, the attackers could fool a Windows PC into accepting a file as an update from Microsoft when in reality it was nothing of the kind.

One of the certificates was valid between February 2010 and February 2012, and used to sign the malicious file in late December 2010, adding more information to experts building a timeline of Flame’s development and attacks.

Other security experts were even more impressed with what Flame managed. Earlier Monday, Mikko Hypponen, F-Secure’s chief research officer and the first to announce that Flame was abusing Windows Update, called the feat “the Holy Grail of malware writers” and “the nightmare scenario” for antivirus researchers.

Microsoft released a security advisory and an update revoking the affected certificates after the hugely complex Flame malware was found to have spoofed Microsoft-signed certificates, potentially turning Windows Update into a malware delivery mechanism.

Microsoft is aware of active attacks using unauthorized digital certificates derived from a Microsoft Certificate Authority. An unauthorized certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

It’s a scenario security researchers have long worried about, a man-in-the-middle attack that allows someone to impersonate Microsoft Update to deliver malware — disguised as legitimate Microsoft code — to unsuspecting users.

And that’s exactly what turns out to have occurred with the recent Flame cyberespionage tool that has been infecting machines primarily in the Middle East and is believed to have been crafted by a nation-state.

According to Microsoft, which has been analyzing Flame along with numerous antivirus researchers since it was publicly exposed last Monday, a component of Flame was designed to spread from one infected computer to other machines on the same network using a rogue certificate and a man-in-the-middle attack. When uninfected computers check for updates, Flame intercepts the request to the Windows Update server and instead delivers a malicious executable to the machine, signed with a rogue but technically valid Microsoft certificate.

The massive and complex Flame malware, linked to state-sponsored espionage and information-gathering, has managed to spoof Microsoft-signed digital certificates, creating the potential for man-in-the-middle attacks on the Windows Update system.
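
The failure class the advisory describes is a subordinate CA meant for one narrow purpose (licensing) whose issued certificates a Windows client nonetheless accepted as valid for signing code, because trust was decided by the chain to Microsoft’s root rather than by what each link in that chain was allowed to do. The following Go program is an added example, not code from Microsoft, Kaspersky or any source quoted above; it builds a constructed three-certificate chain (root, intermediate, leaf) with throwaway keys and shows how a verifier that enforces extended-key-usage (EKU) scoping along the whole chain rejects a leaf that claims code signing under an intermediate restricted to another purpose, while an intermediate with no EKU restriction at all lets any leaf it issues sign code. All names in it are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate from tmpl, signed by parent/parentKey.
// When parent is nil the certificate is self-signed (a root).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate builds a CA certificate template. ekus restricts what the CA may
// issue for; nil means no EKU extension at all, i.e. unrestricted, which is the
// trap this example illustrates.
func caTemplate(serial int64, cn string, ekus []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           ekus,
	}
}

// leafTemplate builds an end-entity certificate that claims the code-signing EKU.
func leafTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
}

// TrustedForCodeSigning asks the question an update client should ask: does
// every certificate from root to leaf permit code signing? Go's verifier
// enforces EKU nesting, so a leaf claiming code signing under an intermediate
// limited to another purpose fails with an incompatible-key-usage error.
func TrustedForCodeSigning(root, intermediate, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// BuildChain creates a root, an intermediate carrying the given EKU restriction,
// and a leaf claiming code signing issued by that intermediate.
func BuildChain(intermediateEKUs []x509.ExtKeyUsage) (root, inter, leaf *x509.Certificate) {
	root, rootKey := newCert(caTemplate(1, "Example Root CA (constructed)", nil), nil, nil)
	inter, interKey := newCert(caTemplate(2, "Example Licensing CA (constructed)", intermediateEKUs), root, rootKey)
	leaf, _ = newCert(leafTemplate(3, "Example Update Signer (constructed)"), inter, interKey)
	return root, inter, leaf
}

func main() {
	// Intermediate scoped to server authentication only: the leaf's code-signing claim is rejected.
	root, inter, leaf := BuildChain([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	fmt.Println("scoped intermediate:", TrustedForCodeSigning(root, inter, leaf))

	// Intermediate with no EKU restriction: any leaf it issues is accepted for code signing.
	root, inter, leaf = BuildChain(nil)
	fmt.Println("unrestricted intermediate:", TrustedForCodeSigning(root, inter, leaf))
}
```

The second case is the one to take away: an intermediate that omits the EKU extension is not “neutral”, it is unrestricted, and every certificate it ever issues inherits the right to sign code. Scoping subordinate CAs to the purposes they actually serve, and having the verifier check that scope on every link, is the control that turns a licensing CA compromise into a licensing problem rather than an update-channel problem.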

May 31

What is the Flame virus or Flame malware?

The computers of high-ranking Iranian officials appear to have been penetrated by a data-mining virus called Flame, in what may be the most destructive cyberattack on Iran since the notorious Stuxnet virus, an Iranian cyberdefense organization confirmed on Tuesday.

Israel has dismissed suggestions that it might be behind the Flame cyber-attack.

Several media reports linked comments made by the country’s vice prime minister with the malware, which has infected more than 600 targets.

However, a spokesman for the Israeli government told the BBC that Moshe Ya’alon had been misrepresented.

Security experts said it was still too early to pinpoint the source of the attack.

Mr Ya’alon, who is also Israel’s minister of strategic affairs, discussed the attacks on Israel’s military radio station, Army Radio.

“There are quite a few governments in the west that have rich high-tech [capabilities] that view Iran, and particularly the Iranian nuclear threat, as a meaningful threat – and can possibly be involved with this field,” he said.

“I would imagine that everyone who sees the Iranian nuclear threat as a significant one, and that is not only Israel, it is the entire Western world, headed by the United States of America, would likely take every single measure available, including these, to harm the Iranian nuclear project.”

When asked to clarify Mr Ya’alon’s comments by the BBC, a spokesman for the minister said: “There was no part of the interview where the minister has said anything to imply that Israel was responsible for the virus.”

In a message posted on its Web site, Iran’s Computer Emergency Response Team Coordination Center warned that the virus was dangerous. An expert at the organization said in a telephone interview that it was potentially more harmful than the 2010 Stuxnet virus, which destroyed several centrifuges used for Iran’s nuclear enrichment program. In contrast to Stuxnet, the newly identified virus is designed not to do damage but to collect information secretly from a wide variety of sources.

Security experts have only begun examining the thousands of lines of code that make up Flame, an extensive, data-mining computer virus that has been designed to steal information from computers across the Middle East, but already digital clues point to its creators and capabilities.

Researchers at Kaspersky Lab, which first reported the virus Monday, believe Flame was written by a different group of programmers from those who had created other malware directed at computers in the Middle East, particularly those in Iran. But Flame appears to be part of the state-sponsored campaign that spied on and eventually set back Iran’s nuclear program in 2010, when a digital attack destroyed roughly a fifth of Iran’s nuclear centrifuges.

What is Flame?
Flame is a sophisticated attack toolkit that leaves a backdoor, or Trojan, on computers and can propagate itself through a local network, as a computer worm does. Kaspersky Lab suspects it may use a critical Windows vulnerability, but that has not been confirmed, according to a Kaspersky blog post. Flame can sniff network traffic, take screenshots, record audio conversations, log keystrokes, gather information about discoverable Bluetooth devices nearby and turn the infected computer into a discoverable Bluetooth device. The attackers can upload additional modules for further functionality. About 20 modules have been discovered so far, and researchers are still working out what they all do. The package of modules comprises nearly 20 megabytes, including over 3,000 lines of Lua script code on top of the compiled modules, with libraries for compression, database manipulation, multiple methods of encryption, and batch scripting. The malware is named after one of the main modules, the one responsible for attacking and infecting additional computers. Multiple versions are circulating, communicating with as many as 80 different command-and-control servers. Kaspersky has published an updated technical analysis and McAfee a technical blog post; a report from the Laboratory of Cryptography and System Security (CrySyS Lab) at Budapest University of Technology and Economics refers to the same threat as “sKyWIper.”
“Flame is very modular. Basically a target will get infected with the main component and then the attackers will only upload modules to the target as they see fit,” Schouwenberg said. “We assume that we don’t have all the modules that exist in the wild.”

How does it spread?
Flame spreads within a network via a USB thumb drive, network shares, or a shared printer spool vulnerability, but spreads only when instructed to do so by the attackers. It’s unclear what the initial point of entry is. “We expect to find a spear phishing e-mail with a Zero-Day exploit,” Schouwenberg said.

How long has Flame been around?
“We have the first confirmed report of Flame in the wild in 2010, but there is circumstantial evidence that dates it back to 2007 and some speculate it may go back further than that,” Schouwenberg said. Kaspersky Lab researchers discovered the malware several weeks ago after being asked by the United Nations’ International Telecommunication Union for help in uncovering malware dubbed “Wiper” that was stealing and deleting sensitive information on computers in Iran’s oil sector.

How does Flame relate to Wiper?
“Wiper could be a Flame module that is uploaded to a target machine when the attackers want to wipe the data from the computer. There is no evidence to link the two together, but the timing is coincidental,” Schouwenberg said. “So, we have an open mind to Wiper being a Flame plug-in.” Iran’s National Computer Emergency Response Team (CERT), known as “Maher,” said software to detect Flame was sent to companies in that country at the beginning of May and that a removal tool is now ready. Recent incidents of mass data loss in Iran “could be the outcome of some installed module of this threat,” the center said, speculating that attacks in which data was wiped from computers at Iran’s gas company may have been linked to Flame. Officials in Iran suspect that Wiper and Flame are somehow linked, the Associated Press reports.

Why wasn’t Flame discovered earlier?
Whoever created Flame took extreme efforts to write the code so that it would evade detection for as long as possible. “Clearly it’s another multimillion-dollar project with government funding, so one of the top priorities has been stealth,” Schouwenberg said. While a later variant of Stuxnet was detected because it spread aggressively, Flame only spreads after it is instructed to do so remotely. Flame is unusually large in size and uses an uncommon scripting language, Lua, so it doesn’t look malicious at first glance. “Flame authors have adopted the concept of hiding in plain sight,” he said. Because Flame doesn’t use a rootkit technology, free anti-rootkit tools won’t be able to detect it. “Finding it is going to be more complicated,” according to Schouwenberg.

Who is being targeted with Flame?
The highest proportion of infections are in Iran, followed by “Israel/Palestine,” Sudan, Syria, Lebanon, Saudi Arabia and Egypt, according to Kaspersky. Symantec says the primary targets are in “the Palestinian West Bank, Hungary, Iran and Lebanon.” “With Flame, we haven’t been able to say what binds all the targets together other than that they are in the same geographical region,” Schouwenberg said. “We are trying to work with incident response teams globally to contact these victims and find out more, but right now we don’t know what type of data has been stolen.” Victims include educational institutions, state-related organizations and individuals.

May 29

Stuxnet type malware discovered in Middle East

Researchers have discovered what they say is the most sophisticated malware yet found, active across the Middle East. First revealed by Kaspersky Lab, Flame is some 40 times larger than Stuxnet, and appears to have been targeted at Iran’s oil ministry and main oil export terminal.

Flame is a backdoor Trojan with worm-like features that allow it to replicate in a local network and on removable media on command. Once a machine’s infected, it starts sniffing network traffic, taking screenshots, intercepting the keyboard and even recording audio conversations.

It’s a huge package of modules, comprising almost 20 MB in size when fully deployed.

What’s most astonishing is that Kaspersky believes that the Worm.Win32.Flame virus has been out there undetected for over two years.

Among other things, it can use a computer’s microphone to record conversations, take screenshots of particular applications when in use, record keystrokes, sniff network traffic and communicate with nearby Bluetooth devices.

One of the toolkit’s first versions was likely created in 2010 and its functionality was later extended by leveraging its modular architecture, said Vitaly Kamluk, chief malware expert at Kaspersky Lab.

Flame is much bigger than both Duqu and Stuxnet, which at around 500KB in size were already considered large by security experts. The size of all Flame components combined adds up to over 20MB and one file in particular measures over 6MB alone, Kamluk said.

Another interesting aspect of the threat is that some parts of Flame were written in Lua, a programming language that is highly uncommon for malware development. Lua is often used in the computer gaming industry, but Kaspersky Lab had not seen any malware samples before Flame that were written in the language, Kamluk said.

Flame spreads to other computers by copying itself to portable USB devices and also by exploiting a now-patched Windows print spooler vulnerability (MS10-061) that was also leveraged by Stuxnet.

Apr 24

Your TV may be insecure on the network

It’s still premature to say you need firewall or antivirus protection for your television set, but a pair of recently diagnosed firmware vulnerabilities in widely used TV models from two leading manufacturers suggests the notion isn’t as far-fetched as many may think.

The most recent bug, found in a wide range of high-definition TVs from Samsung, was disclosed on Thursday by an Italy-based researcher who regularly finds security flaws in Microsoft Windows, video games, and even the industrial-strength systems used to control dams, gas refineries, and other critical infrastructure. While poking around a Samsung D6000 model he inadvertently discovered a way to remotely send the TV into an endless restart loop that persists even after unplugging the device and turning it back on.

The TV was connected by Ethernet cable to a home network, so he thought it would be funny to use a computer on the same network to send it a message containing a series of custom headers. Without warning, the TV spiraled into an endless loop of restarts. For about five seconds, the device would appear to work correctly, then stop responding to commands entered by remote control or through the panel. A few seconds later, the TV would restart and repeat the process. Unplugging the power cord or Ethernet cable did nothing.

“You cannot change the volume, channels or access any function,” he wrote in his description of the attack. “After 35 seconds the TV stop(s) working and back. This happens 3 times. At fourth time, the TV shuts down. In less than 3 minutes, the TV is off remotely. It is necessary to turn on the TV physically.”

As more and more electronic devices connect to the Internet and to home networks, it’s likely their internal software will be visited by the same vicious exploits that for years have preyed on products from Microsoft, Adobe and, more recently, Apple.

Apr 23

They’re spying on your car

Congress is on the verge of passing a transportation bill that will make black boxes mandatory in all new cars. The truth of the matter is that most Americans already have black boxes in their cars. They’ve been around since 1996, are found in at least 60 million vehicles, and are a feature in 85% of new cars every year.

Virtually every car that has an air bag has some kind of recording ability. The recorders capture information about how fast you were going and whether you slammed on the brakes in the seconds before and after a crash. They capture just a snapshot, not a continual record of your driving activity — which would be far more concerning for privacy.

Many drivers don’t realize they already have a black box. Black boxes have been a source of evidence in countless criminal cases, showing how fast a driver was going when he or she slammed into pedestrians or another car.

If passed, the bill would make the recorders mandatory in all new vehicles starting in 2015, meaning that manufacturers who have not been including them will have to start.

The bill is actually good for privacy in a few ways. In the past, there were questions about whether the data belonged to the manufacturer or the owner. This would establish that the data in the recorder belongs to the owner of the vehicle, meaning that interested parties such as insurance companies, dealerships, or advertisers won’t be able to collect info from your black box without your permission.