Malware inserted on PC production lines, says study
posted by Keito
2012-09-13 19:44:47
'Cybercriminals have opened a new front in their battle to infect computers with malware - PC production lines.
Several new computers have been found carrying malware installed in the factory, suggests a Microsoft study.
One virus called Nitol found by Microsoft steals personal details to help criminals plunder online bank accounts.
Microsoft won permission from a US court to tackle the network of hijacked PCs made from Nitol-infected computers.
In a report detailing its work to disrupt the Nitol botnet, Microsoft said the criminals behind the malicious program had exploited insecure supply chains to get viruses installed as PCs were being built.
The viruses were discovered when Microsoft digital crime investigators bought 20 PCs, 10 desktops and 10 laptops from different cities in China.
Four of the computers were infected with malicious programs even though they were fresh from the factory.
Microsoft set up and ran Operation b70 to investigate and found that the four viruses were included in counterfeit software some Chinese PC makers were installing on computers.
Nitol was the most pernicious of the viruses Microsoft caught because, as soon as the computer was turned on, it tried to contact the command and control system set up by Nitol's makers to steal data from infected machines.
Further investigation revealed that the botnet behind Nitol was being run from a web domain that had been involved in cybercrime since 2008. Also on that domain were 70,000 separate sub-domains used by 500 separate strains of malware to fool victims or steal data.
"We found malware capable of remotely turning on an infected computer's microphone and video camera, potentially giving a cybercriminal eyes and ears into a victim's home or business," said Richard Boscovich, a lawyer in Microsoft's digital crimes unit in a blogpost.
A US court has now given Microsoft permission to seize control of the web domain, 3322.org, which it claims is involved with the Nitol infections. This will allow it to filter out legitimate data and block traffic stolen by the viruses.
Peng Yong, the Chinese owner of the 3322.org domain, told the AP news agency that he knew nothing about Microsoft's legal action and said his company had a "zero tolerance" attitude towards illegal activity on the domain.
"Our policy unequivocally opposes the use of any of our domain names for malicious purposes," Peng told AP.
However, he added, the sheer number of users it had to police meant it could not be sure that all activity was legitimate.
"We currently have 2.85 million domain names and cannot exclude that individual users might be using domain names for malicious purposes," he said.'
Shamoon virus targets energy sector infrastructure
posted by Keito
2012-08-18 13:13:40
'A new threat targeting infrastructure in the energy industry has been uncovered by security specialists.
The attack, known as Shamoon, is said to have hit "at least one organisation" in the sector.
Shamoon is capable of wiping files and rendering several computers on a network unusable.
On Wednesday, Saudi Arabia's national oil company said an attack had led to its own network being taken offline.
Although Saudi Aramco did not link the issue to the Shamoon threat, it did confirm that the company had suffered a "sudden disruption".
In a statement, the company said it had now isolated its computer networks as a precautionary measure.
The disruptions were "suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network", a statement read.
It said the attack had had "no impact whatsoever" on production operations.
On Thursday, security firms released the first detailed information about Shamoon.
Experts said the threat was known to have hit "at least one organisation" in the energy sector.
"It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable," wrote security firm Symantec.
The attack was designed to penetrate a computer through the internet, before targeting other machines on the same network that were not directly connected to the internet.
Once infected, the machines' data is wiped. A list of the wiped files is then sent back to the initially infected computer, and in turn passed on to the attacker's command-and-control centre.
During this process, the attack replaces the deleted files with JPEG images - obstructing any potential file recovery by the victim.
'Under the radar'
Seculert, an Israel-based security specialist, also analysed the malicious code and concluded that it had unusual characteristics compared with other recent attacks.
"The interesting part of this malware is that instead of staying under the radar and collect information, the malware was designed to overwrite and wipe the files," the company said.
"Why would someone wipe files in a targeted attack and make the machine unusable?"
Shamoon is the latest in a line of attacks that have targeted infrastructure.
One of the most high-profile attacks in recent times was Stuxnet, which was designed to hit nuclear infrastructure in Iran.
Others, like Duqu, have sought to infiltrate networks in order to steal data.'