Blog

  • Malware inserted on PC production lines, says study

    posted by Keito
    2012-09-13 19:44:47
    'Cybercriminals have opened a new front in their battle to infect computers with malware - PC production lines.

    Several new computers have been found carrying malware installed in the factory, suggests a Microsoft study.

    One virus called Nitol found by Microsoft steals personal details to help criminals plunder online bank accounts.

    Microsoft won permission from a US court to tackle the network of hijacked PCs made from Nitol-infected computers.

    ---Domain game---

    In a report detailing its work to disrupt the Nitol botnet, Microsoft said the criminals behind the malicious program had exploited insecure supply chains to get viruses installed as PCs were being built.

    The viruses were discovered when Microsoft digital crime investigators bought 20 PCs, 10 desktops and 10 laptops from different cities in China.

    Four of the computers were infected with malicious programs even though they were fresh from the factory.

    Microsoft set up and ran Operation b70 to investigate and found that the four viruses were included in counterfeit software some Chinese PC makers were installing on computers.

    Nitol was the most pernicious of the viruses Microsoft caught because, as soon as the computer was turned on, it tried to contact the command and control system set up by Nitol's makers to steal data from infected machines.

    Further investigation revealed that the botnet behind Nitol was being run from a web domain that had been involved in cybercrime since 2008. Also on that domain were 70,000 separate sub-domains used by 500 separate strains of malware to fool victims or steal data.

    "We found malware capable of remotely turning on an infected computer's microphone and video camera, potentially giving a cybercriminal eyes and ears into a victim's home or business," said Richard Boscovich, a lawyer in Microsoft's digital crimes unit in a blogpost.

    A US court has now given Microsoft permission to seize control of the web domain, 3322.org, which it claims is involved with the Nitol infections. This will allow it to filter out legitimate data and block traffic stolen by the viruses.

    Peng Yong, the Chinese owner of the 3322.org domain, told the AP news agency that he knew nothing about Microsoft's legal action and said his company had a "zero tolerance" attitude towards illegal activity on the domain.

    "Our policy unequivocally opposes the use of any of our domain names for malicious purposes," Peng told AP.

    However, he added, the sheer number of users it had to police meant it could not be sure that all activity was legitimate.

    "We currently have 2.85 million domain names and cannot exclude that individual users might be using domain names for malicious purposes," he said.'

    http://www.bbc.co.uk/news/technology-19585433
  • Computer virus hits second energy firm

    posted by Keito
    2012-09-02 16:33:08
    'Computer systems at energy firm RasGas have been taken offline by a computer virus only days after a similar attack on oil giant Aramco.

    The attacks come as security experts warn of efforts by malicious hackers to target the oil and energy industry.

    The attack forced the Qatar-based RasGas firm to shut down its website and email systems.

    RasGas, one of the world's largest producers of liquid petroleum gas, said production was not hit by the attack.

    The company said it spotted the "unknown virus" earlier this week and took desktop computers, email and web servers offline as it cleaned up.

    The report comes only days after Saudi Arabia's Aramco revealed it had completed a clean-up operation after a virus knocked out 30,000 of its computers. The cyber- assault on Aramco also only hit desktop computers rather than operational plant and machinery.

    Both attacks come in the wake of alerts issued by security firms about a virus called "Shamoon" or "Disstrack" that specifically targets companies in the oil and energy sectors.

    Unlike many other contemporary viruses Shamoon/Disstrack does not attempt to steal data but instead tries to delete it irrecoverably. The virus spreads around internal computer networks by exploiting shared hard drives.

    Neither RasGas nor Aramco has released details of which virus penetrated its networks.

    The vast majority of computer viruses are designed to help cyber-thieves steal credit card numbers, online bank account credentials and other valuable digital assets such as login names and passwords.

    However, an increasing number of viruses are customised to take aim at specific industries, nations or companies.

    The best known of these viruses is the Stuxnet worm which was written to disable equipment used in Iran's nuclear enrichment efforts.'

    http://www.bbc.co.uk/news/technology-19434920
  • Oil Producer Saudi Aramco Reveals Cyber Attack Hit 30,000 Workstations

    posted by Keito
    2012-08-29 20:53:43
    'Saudi Aramco, the world's biggest oil producer, has resumed operating its main internal computer networks after a virus infected about 30,000 of its workstations in mid-August.

    Immediately after the Aug. 15 attack, the company announced it had cut off its electronic systems from outside access to prevent further attacks. Saudi Aramco said the virus "originated from external sources" and that its investigation into the matter was ongoing. There was no mention of whether this was related to this month's Shamoon attacks.

    “The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network,” Saudi Aramco said over Facebook.

    “We would like to emphasize and assure our stakeholders, customers and partners that our core businesses of oil and gas exploration, production and distribution from the wellhead to the distribution network were unaffected and are functioning as reliably as ever,” Saudi Aramco’s chief executive, Khalid al-Falih, said in a statement.

    However, one of Saudi Aramco’s websites which was taken offline after the attack - www.aramco.com - remained down yesterday. E-mails sent by Reuters to people within the company continued to bounce back.

    Supposed hacktivists have claimed the hit on the oil giant, saying they would hit the company again tomorrow. The group said it was “fed up of crimes and atrocities taking place in various countries around the world”, in a post on Pastebin. They said they were targeting the House of Saud, the ruling royal family of Saudi Arabia, and targeted Aramco as it was “the largest financial source for Al-Saud regime”.

    The group, calling itself the ‘Cutting Sword of Justice’, claimed to have hacked Aramco systems in several countries before sending a virus across 30,000 computers achieving a 75 percent infection rate of all the company’s systems. It refuted suggestions that a nation state was behind the attack.

    Symantec, one of the world’s largest internet security companies, said on the day after the Saudi Aramco attack that it had discovered a new virus that was targeting at least one organisation in the global energy sector, although it did not name that organisation.

    “It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable,” Symantec said in a blog posting about the virus, which it called W32.Disttrack. “Threats with such destructive payloads are unusual and are not typical of targeted attacks.”

    Saudi Aramco’s al-Falih said in his statement yesterday: “Saudi Aramco is not the only company that became a target for such attempts, and this was not the first nor will it be the last illegal attempt to intrude into our systems, and we will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber attack.”'

    http://thehackernews.com/2012/08/saudi-aramco-oil-producers-30000.html