Blog

  • Kaspersky researcher cracks Flame malware password

    posted by Keito
    2012-09-22 22:45:42
    'Researchers have cracked the password protecting a server that controlled the Flame espionage botnet, giving them access to the malware control panel to learn more about how the network functioned and who might be behind it.

    Kaspersky analyst Dmitry Bestuzhev cracked the hash for the password Sept. 17 just hours after Symantec put out a public request for help getting into the control panel for Flame, which infected thousands of computers in the Mideast.

    27934e96d90d06818674b98bec7230fa - was resolved to the plain text password 900gage!@# by Bestuzhev.

    Symantec said it tried to break the hash with brute force attacks but failed. Flame has been investigated by a joint effort of Symantec, ITU-IMPACT and CERT-Bund/BSI.

    Meanwhile, researchers at Symantec report that Flame was being developed at least as long ago as 2006, four years before Flamer's compilation date of 2010 and well before the initial deployment of the first Flame command and control server March 18 of this year.

    By May, Flame had been discovered and owners of infected computers in Iran and other Mideast countries were cleaning up. The malware itself also executed a suicide command in May to purge itself from infected computers.

    The command and control server also routinely wiped out its log files, which successfully obliterated evidence of who might be behind the attacks. "Considering that logging was disabled and data was wiped clean in such a thorough manner, the remaining clues make it virtually impossible to determine the entity behind the campaign," the Symantec report says.

    Despite Flame being neutralized earlier this year, more undiscovered variants may exist, the report concludes. Evidence for this is that the command and control module can employ four protocols to communicate with compromised clients, three of which are in use. "The existence of three supported protocols, along with one protocol under development, confirms the C&C server's requirement to communicate with multiple evolutions (variants) of W32.Flamer or additional cyberespionage malware families currently unknown to the public."

    A sophisticated support team ran the spy network that gathered data from infected computers and uploaded it to command servers, the Symantec report says. The team had three distinct roles - server admins, operators who sent and received data from infected client machines and coordinators who planned attacks and gathered stolen data.

    "This separation of operational and attacker visibility and roles indicates that this is the work of a highly organized and sophisticated group," the report authors conclude.

    The servers gathered the data encrypted then passed it along to be decrypted offline. Each infected machine had its own encryption key.

    Evidence from one of its command and control servers indicates the server can talk to at least four other pieces of malicious code that researchers believe are either undiscovered Flame variants or completely separate attacks, according to a Symantec report.

    This is accomplished with a versatile Web application called Newsforyou supported by a MySQL database that could be used as a component for other attacks.

    Researchers also discovered a set of commands the server could execute including one that wipes log files in an effort to minimize forensic evidence should the server be compromised. It also cleaned out files of stolen data in order to keep disk space free.

    "The Newsforyou application is written in PHP and contains the primary command-and-control functionality split into two parts," the report says, "the main module and the control panel." The main module includes sending encryption packages to infected clients, uploading data from infected clients, and archiving when unloading files.

    The application resembles a news or blog application, perhaps in an effort to avoid detection by automated or casual inspection, the researchers say.

    PHP source code for Newsforyou included notes that identified four authors - D***, H*****, O****** and R*** - who had varying degrees of involvement. D*** and H***** edited the most files and so had the most input. "O****** and R*** were tasked with database and cleanup operations and could easily have had little or no understanding of the inner workings of the application," the report says. "It is likely D*** and O****** knew each other, as they both worked on the same files and during a similar time period in December 2006."

    Newsforyou employed both public key and symmetric key encryption depending on the type of data being encrypted. News files intended for clients were encrypted with symmetric keys while stolen data was encrypted using public/private key pairs.

    Despite Flame being exposed in May, the evidence left behind in compromised command and control servers indicates the overall spying project it was part of is still alive. "There is little doubt that the larger project involving cyber-espionage tools, such as Flamer, will continue to evolve and retrieve information from the designated targets," the report says.'
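    The password recovery described above succeeded because the control panel stored its login as a bare, unsalted MD5 digest, which costs one hash call per guess. The following is an added example, not code from the article, from Symantec or from Kaspersky, showing (a) a check that flags a stored credential shaped like plain md5() output, (b) why such a hash falls to a wordlist, and (c) the salted, slow PBKDF2 form that a control panel should have used instead. The hash and password values are the ones the page reports; the wordlist, the `hunter2` sample and the function names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Values reported on the page (page-specific; not recomputed here).
FLAME_HASH = "27934e96d90d06818674b98bec7230fa"
FLAME_PASSWORD = "900gage!@#"  # plaintext the page says Bestuzhev recovered


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a UTF-8 string, as PHP's md5() produces it."""
    return hashlib.md5(text.encode()).hexdigest()


def is_plain_md5(stored: str) -> bool:
    """Flag a stored credential that looks like bare md5(): 32 hex chars, no salt, no scheme prefix."""
    s = stored.lower()
    return len(s) == 32 and all(c in "0123456789abcdef" for c in s)


def dictionary_check(md5_hex_target: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose unsalted MD5 equals the target, or None.

    One md5 call per guess and no per-user salt is the whole weakness: any
    password present in a wordlist (or a simple pattern) is recovered directly.
    """
    target = md5_hex_target.lower()
    for cand in candidates:
        if md5_hex(cand) == target:
            return cand
    return None


# Hardened form: per-password random salt plus a deliberately slow KDF.
PBKDF2_ROUNDS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record: scheme$rounds$salt_hex$dk_hex."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and rounds; compare in constant time."""
    try:
        scheme, rounds, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed wordlist for the demonstration; the page's password is the last entry.
    wordlist = ["password", "admin", "letmein", "newsforyou", FLAME_PASSWORD]
    print("stored hash looks like plain md5():", is_plain_md5(FLAME_HASH))
    print("wordlist hit:", dictionary_check(FLAME_HASH, wordlist))
    record = hash_password(FLAME_PASSWORD)
    print("hardened record:", record)
    print("verify ok:", verify_password(FLAME_PASSWORD, record))
    print("verify wrong:", verify_password("guess", record))
```

The `is_plain_md5` check is the one to run over any recovered C&C or legacy PHP application database: a 32-character hex field with no scheme prefix means every account in it is one wordlist pass away from plaintext, whereas the `pbkdf2_sha256$…` record makes each guess cost the full round count and cannot be attacked across users at once because of the salt.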
  • Private Key Found Embedded In Major SCADA Equipment

    posted by Keito
    2012-08-23 21:10:07
    "RuggedOS (A Siemens Subsidiary of Flame and Stuxnet fame), an operating system used in mission-critical hardware such as routers and SCADA gear, has been found to contain an embedded private encryption key. Now that all affected RuggedCom devices are sharing the same key, a compromise on one device gets you the rest for free. If the claims are valid, systems in use which would be affected include U.S. Navy, petroleum giant Chevron, and the Wisconsin Department of Transportation. The SCADA gear which RuggedOS typically runs on is often connected to machinery controlling electrical substations, traffic control systems, and other critical infrastructure. This is the second security nightmare for RuggedCom this year, the first being the discovery of a backdoor containing a non-modifiable account."

    http://it.slashdot.org/story/12/08/22/1853246/private-key-found-embedded-in-major-scada-equipment
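    The practical consequence of an embedded, fleet-wide key is that every device presents the same public key, which is visible from the outside without any access to the firmware. The following added example (not code from the Slashdot story or from RuggedCom) parses a known_hosts-style inventory, computes each host key's fingerprint in the `SHA256:` form OpenSSH prints, and reports hosts that share one. The host names and key blobs are constructed for the example; only the fingerprint format is real.

```python
import base64
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple


def _blob(material: bytes) -> str:
    """Base64-encode constructed key material so it parses like a real known_hosts entry."""
    return base64.b64encode(material).decode()


# Constructed inventory: three "devices" present the same key blob, one is unique.
_SHARED = _blob(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-shared-key-material-0001")
_UNIQUE = _blob(b"\x00\x00\x00\x0bssh-ed25519" + b"constructed-unique-key-material-0009")
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not real devices",
    f"rtu-substation-01 ssh-rsa {_SHARED}",
    f"rtu-substation-02 ssh-rsa {_SHARED}",
    f"switch-traffic-07 ssh-rsa {_SHARED}",
    f"jumphost-ops ssh-ed25519 {_UNIQUE}",
    "",
])


def openssh_sha256_fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw key blob."""
    raw = base64.b64decode(key_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Yield (host, key_type, key_b64) for each entry; comments and short lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        host, key_type, key_b64 = fields[0], fields[1], fields[2]
        entries.append((host, key_type, key_b64))
    return entries


def find_shared_keys(text: str) -> Dict[str, List[str]]:
    """Map fingerprint -> hosts, keeping only fingerprints seen on more than one host."""
    by_fp: Dict[str, List[str]] = defaultdict(list)
    for host, _key_type, key_b64 in parse_known_hosts(text):
        by_fp[openssh_sha256_fingerprint(key_b64)].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Run it over the real `~/.ssh/known_hosts` of a management host, or over `ssh-keyscan` output collected across the estate, and any fingerprint that maps to more than one device is a key that was never unique to that device, which is exactly the condition the story describes.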
  • Shamoon virus targets energy sector infrastructure

    posted by Keito
    2012-08-18 13:13:40
    'A new threat targeting infrastructure in the energy industry has been uncovered by security specialists.

    The attack, known as Shamoon, is said to have hit "at least one organisation" in the sector.

    Shamoon is capable of wiping files and rendering several computers on a network unusable.

    On Wednesday, Saudi Arabia's national oil company said an attack had led to its own network being taken offline.

    Although Saudi Aramco did not link the issue to the Shamoon threat, it did confirm that the company had suffered a "sudden disruption".

    In a statement, the company said it had now isolated its computer networks as a precautionary measure.

    The disruptions were "suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network", a statement read.

    It said the attack had had "no impact whatsoever" on production operations.

    'Rendered unusable'

    On Thursday, security firms released the first detailed information about Shamoon.

    Experts said the threat was known to have hit "at least one organisation" in the energy sector.

    "It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable," wrote security firm Symantec.

    The attack was designed to penetrate a computer through the internet, before targeting other machines on the same network that were not directly connected to the internet.

    Once infected, the machines' data is wiped. A list of the wiped files is then sent back to the initially infected computer, and in turn passed on to the attacker's command-and-control centre.

    During this process, the attack replaces the deleted files with JPEG images - obstructing any potential file recovery by the victim.

    'Under the radar'

    Seculert, an Israel-based security specialist, also analysed the malicious code and concluded that it had unusual characteristics compared with other recent attacks.

    "The interesting part of this malware is that instead of staying under the radar and collecting information, the malware was designed to overwrite and wipe the files," the company said.

    "Why would someone wipe files in a targeted attack and make the machine unusable?"

    Shamoon is the latest in a line of attacks that have targeted infrastructure.

    One of the most high-profile attacks in recent times was Stuxnet, which was designed to hit nuclear infrastructure in Iran.

    Others, like Duqu, have sought to infiltrate networks in order to steal data.'

    http://www.bbc.co.uk/news/technology-19293797