Posts Tagged ‘Germany’
Thursday, May 16, 2013 @ 07:05 PM gHale
A data fuzzing library of open source software called Fuzzino is now up and running.
This library allows existing test tools to prepare for fuzzing and looks to eliminate the need to reinvent the wheel and make developing new fuzzing tools unnecessary, said researchers from FOKUS (Fraunhofer Institute for Open Communication Systems in Germany). Fuzzing is the process of testing a system for hidden weaknesses by presenting the system with random and sometimes erroneous input data.
Fuzzino uses models of protocols or interfaces to generate test cases and then applies “smart fuzzing” heuristics to perform both data fuzzing and behavioral fuzzing.
This reduces the number of test cases needed over purely random fuzzing, researchers said. An example given is work done by FOKUS and system experts on a risk assessment for a money-processing machine.
The experts examined the system’s protocols, developed functional test cases and then used those test cases to fuzz the system. The results of that fuzzing generated more test cases, from which specific security tests could be derived. This process offered far higher coverage of the risk than a user could normally manage in the same time.
Eclipse is the underlying technology behind Fuzzino and users will need Eclipse EMF 2.7 and JUnit 4 to compile it and integrate it with their testing tools.
FOKUS developers said users should keep in mind Fuzzino is not a full-featured fuzzing tool. They describe it as “a test data generator for enabling your testing tool to perform fuzzing.” Users can receive fuzz data from the tool as XML documents or directly within Java to avoid the processor-intensive serialization and deserialization process. Users can also directly instantiate fuzzing heuristics from Fuzzino in their testing tool.
More information on how to use the tool is available in the documentation folder of the source code. Fuzzino has a license under version 2.0 of the Apache License.
As mentioned, fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions or potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.
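To make the “smart fuzzing” idea concrete, here is an added example in the spirit of what the article describes; it is not Fuzzino’s code. Instead of feeding random bytes, it derives test values from a description of each input field (type and bounds) using boundary-value, overflow and malformed-encoding heuristics, so the resulting test set stays small and targeted. The field classes, their names and the sample protocol fields are assumptions made for the illustration.

```python
# Added example (not Fuzzino's code): a small "smart fuzzing" data generator.
# Test values are derived from a description of the expected input rather than
# drawn at random. Field types and the sample fields are assumptions.
from dataclasses import dataclass
from typing import Iterator, List, Union


@dataclass
class IntField:
    name: str
    lo: int
    hi: int
    bits: int = 32      # storage width assumed for the implementation under test


@dataclass
class StringField:
    name: str
    max_len: int


Field = Union[IntField, StringField]


def fuzz_int(f: IntField) -> Iterator[int]:
    """Boundary and overflow heuristics for a bounded integer field."""
    signed_max = 2 ** (f.bits - 1) - 1
    unsigned_max = 2 ** f.bits - 1
    candidates = [
        f.lo - 1, f.lo, f.lo + 1,            # around the lower bound
        f.hi - 1, f.hi, f.hi + 1,            # around the upper bound
        0, -1,                               # common sentinel values
        signed_max, signed_max + 1,          # signed overflow edge
        unsigned_max, unsigned_max + 1,      # unsigned overflow edge
        -signed_max - 1,                     # most negative representable value
    ]
    seen = set()
    for v in candidates:                     # de-duplicate, keep order
        if v not in seen:
            seen.add(v)
            yield v


def fuzz_string(f: StringField) -> Iterator[str]:
    """Length, encoding and interpreter-confusion heuristics for a string field."""
    yield ""                                  # empty value
    yield "A" * f.max_len                     # exactly at the limit
    yield "A" * (f.max_len + 1)               # one past the limit
    yield "A" * (f.max_len * 64)              # far past the limit
    yield "%s%x%n"                            # format-string directives
    yield "\x00" + "A" * 8                    # embedded NUL terminator
    yield "\r\n" * 4                          # line breaks in a single-line field
    yield "../" * 8                           # path-separator content
    yield "\u202e" + "A" * 8                  # Unicode right-to-left override
    yield "é" * (f.max_len // 2 + 1)          # multi-byte chars vs. a byte limit


def generate(fields: List[Field]) -> List[dict]:
    """One test case per heuristic value, varying a single field at a time while
    every other field keeps a benign baseline value."""
    baseline = {}
    for f in fields:
        baseline[f.name] = f.lo if isinstance(f, IntField) else "A"
    cases = []
    for f in fields:
        values = fuzz_int(f) if isinstance(f, IntField) else fuzz_string(f)
        for v in values:
            case = dict(baseline)
            case[f.name] = v
            cases.append(case)
    return cases


if __name__ == "__main__":
    # Constructed sample: a two-field "transfer" message of a fictitious protocol.
    spec = [IntField("amount", 1, 10_000), StringField("account", 34)]
    for case in generate(spec):
        print(case)
```

Each generated case changes exactly one field, so a crash or assertion failure in the system under test points straight at the heuristic that triggered it; that is the coverage-per-test-case gain over purely random input the FOKUS researchers describe.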
Thursday, April 18, 2013 @ 03:04 PM gHale
A new “magic” malware is active, persistent and has remained undetected on targeted machines in the UK for the past 11 months.
Attackers targeted several thousand different entities, most in the UK at 78 percent, while six percent were in Italy and four percent each in Germany and the United States, according to a report from Seculert’s Aviv Raff.
The sample Seculert flagged had an unusual behavior when it communicated with its command and control (C&C) server as it used a custom-made protocol, and always used “a magic code” at the beginning of the conversation, Raff said.
Raff said he did not know why the UK was the main target, but he did say this is a persistent attack that went under the radar for almost a year.
“Furthermore, this malware is still under development,” he said. “We have seen several indications of features that are not yet implemented, and functions that are not yet used by the malware.
“For instance, in case the attacker would like to open a browser on the victim’s machine, the malware will pop up on the RDP session for the attacker via a box with the message ‘TODO:Start browser!’ ”
Raff said the real intention of the attackers behind this “magic” malware is unknown.
“As the malware is capable of setting up a backdoor, stealing information and injecting HTML into the browser, we believe that the current phase of the attack is to monitor the activities of their targeted entities,” he said.
“But, because this malware is also capable of downloading and executing additional malicious files, this might be only the first phase of a much broader attack.”
Asked what he felt made this different from other advanced persistent threats (APTs), which also included a backdoor and data stealing capabilities, Raff said, “We suspect that this is only the first phase of the attack, and like previous ones, the next phase will include a wiper module to cover the attacker’s tracks.”
Friday, April 5, 2013 @ 07:04 PM gHale
Darkleech malware injected invisible iFrames that link to malicious web pages into thousands of web sites, researchers said.
The malware uses an Apache web server module to add the iFrames, although researchers have not yet found a credible attack vector explaining how the malicious module gets installed. Darkleech is also very careful when selecting the victims that receive the injected iFrames, keeping a blacklist of visitors to whom it will not send dangerous content. Infected servers are in 48 countries, but are mostly concentrated on sites in the U.S., the UK and Germany.
Networking giant Cisco investigated Darkleech for six weeks in February and March 2013 and found 2,000 infected servers during this period.
Darkleech uses an Apache module to inject invisible iFrames into web pages; the iFrames link to malicious sites where visitors can potentially have their systems compromised using the Blackhole exploit kit, Cisco said. The Blackhole kit uses a number of exploits and targets security holes in Oracle’s Java, Adobe Flash and Reader, and other popular plugins. There are plenty of holes and users often run without up-to-date plugins. One study by WebSense found only one in twenty browsers with Java installed has a current version.
Darkleech uses a subtle approach to hijacking its victims, the researchers said. The iFrames end up dynamically generated by an Apache module when the victim visits an infected site. Web administrators find this difficult to detect because the web site’s own source code remains untouched. Certain IP addresses won’t end up injected with iFrames though, and will go on a blacklist instead – visitors from security and hosting firms end up ignored, as are recently attacked users, various browsers and bots, and those accessing via search from a number of search engines or sites.
Mary Landesman and Gregg Conklin, from Cisco Web Security, sampled 1,239 infected sites as part of their investigation and determined the attackers concentrated their efforts on sites running versions of Apache 2.2.22 or later and typically installed on Linux systems, but how the attackers managed to inject Darkleech remains unclear.
The Darkleech software appears to backdoor the system by replacing the SSH daemon with a specially crafted one. This replacement daemon implements a backdoor that transmits the credentials of anyone logging in to a third-party site. Given this depth of infection, administrators should reinstall the system, then revert to a backup copy of the site, and ensure all user name and password combinations are changed.
During the period the Cisco engineers observed it, Darkleech spread on web sites like the Los Angeles Times and a blog belonging to Seagate. The malicious iFrames remained undetected for around a month.
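Because the injection happens in the Apache module at response time, the site’s files on disk look clean; the practical check is to compare what the server actually serves with the source. The following added example (not Cisco’s tooling) parses both versions, reports any iframe present only in the served page, and flags the ones styled to be invisible. The two HTML documents and the hostnames in them are constructed for the illustration.

```python
# Added example, not Cisco's tooling: find iframes that exist in the served
# response but not in the on-disk source, then flag the hidden ones.
from html.parser import HTMLParser
from typing import Dict, List


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attribute values are None for bare attributes such as `hidden`
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_iframes(html: str) -> List[Dict[str, str]]:
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def is_hidden(attrs: Dict[str, str]) -> bool:
    """True when the iframe is styled or sized so a visitor would not see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return "hidden" in attrs


def injected_iframes(source_html: str, served_html: str) -> List[Dict[str, str]]:
    """Iframes that the served page carries but the source file does not."""
    known = find_iframes(source_html)
    return [f for f in find_iframes(served_html) if f not in known]


def suspicious_iframes(source_html: str, served_html: str) -> List[Dict[str, str]]:
    """Injected iframes that are also hidden: the Darkleech pattern."""
    return [f for f in injected_iframes(source_html, served_html) if is_hidden(f)]


# Constructed sample documents. The source has one legitimate, visible embed;
# the served copy carries an extra invisible iframe pointing at a placeholder host.
SOURCE_HTML = """<html><body><h1>Site</h1>
<iframe src="https://player.example/embed/123" width="560" height="315"></iframe>
</body></html>"""

SERVED_HTML = """<html><body><h1>Site</h1>
<iframe src="https://player.example/embed/123" width="560" height="315"></iframe>
<iframe src="http://injected.example/index.php" width="0" height="0" style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for frame in suspicious_iframes(SOURCE_HTML, SERVED_HTML):
        print("injected hidden iframe ->", frame.get("src"))
```

When running this against a live site, fetch the served copy the way an ordinary visitor would (a normal browser User-Agent, from a residential or office address rather than a security vendor’s range): the article notes Darkleech withholds the injection from blacklisted visitors, so a scan from the wrong vantage point will see a clean page.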
Monday, February 18, 2013 @ 05:02 PM gHale
Year-over-year, the number of malicious web-based attacks increased by nearly 600 percent, according to a new report.
These attacks were staged predominantly on legitimate sites and challenge traditional approaches to security and trust, according to the report from Websense Security Labs. The timed, targeted nature of these advanced threats indicates a new breed of sophisticated attacker who is intent on compromising increasingly higher-yield targets.
Key report findings:
• Each week, organizations faced an average of 1,719 attacks for every 1,000 users.
• Malicious websites increased by nearly 600 percent worldwide.
• North American malicious sites increased by 720 percent and EMEA saw a 531 percent increase.
• Legitimate web hosts were home to 85 percent of those malicious sites.
• Half of web-connected malware downloaded additional executables in the first 60 seconds.
• Only 7.7 percent of malware interacted with the system registry—circumventing many behavioral detection systems and antivirus solutions.
• Thirty-two percent of malicious links in social media used shortened URLs. Once cybercriminals gain access to a host, they typically hide their own malicious pages deep in the directory tree. This process generates very long and complex web links that might tip off a wary user. Link shortening solves that problem.
• The United States of America, Russia and Germany were the top three countries hosting malware. Meanwhile, the Bahamas made its debut into the list of top five countries hosting phishing sites, with a second place ranking.
• China, the United States of America and Russia were the top three countries hosting command and control servers.
• Only one in five emails was legitimate and email spam increased to 76 percent. Worldwide spam volumes reached more than a quarter of a million emails per hour.
• One in 10 malicious mobile applications asked for permission to install other apps, something rarely required by legitimate apps.
Analysis and news headlines show that multistage attacks with multiple vectors have challenged security capabilities, as they worked to find weak spots and circumvent defenses. Attacks identified by Websense indicate a need for integration at the actual defense level and deep content security intelligence with real-time security defenses.
When independent solutions are in place, there is no way to ensure that email, web, mobile, social and data loss defenses are each prepared to perform their role to cohesively address an emerging threat. As a result, individual defenses are at the mercy of the least prepared security solution.
Thursday, November 15, 2012 @ 12:11 PM gHale
By Richard Sale
Major U.S. oil companies already facing increasingly sophisticated cyber attacks by China have also been infected by the Stuxnet virus, which has attacked computers in countries from Germany and Indonesia to Kazakhstan, U.S. intelligence sources said.
Victims of the Stuxnet virus, intelligence sources said, include Baker Hughes, ConocoPhillips, Marathon, and Chevron, which last week was the first of the group to declare it had been attacked by the virus.
In a Wall Street Journal story late last week, Chevron, the billion dollar oil company based in California, confirmed its computer systems were infected with Stuxnet, a virus developed by the U.S. and Israel to strike Iranian nuclear facilities at Natanz.
Chevron spokesman Morgan Crinklaw was quoted by The Wall Street Journal as saying the company was protected from major damage to its network, adding the company made “every effort to protect our data systems from those types of threats.”
According to U.S. officials, any industrial component is liable to be targeted by such sophisticated attacks. James Lewis, cyber expert at the Center for International and Strategic Studies (CSIS), said “thousands of places around the world were infected but only one was damaged,” the Iranian facility at Natanz.
Lewis said “Stuxnet is an interesting weapons design. You need to introduce the virus and then you need to trigger it. It only works against a specific configuration.” The first stage of the virus uses a “beacon” that performs surveillance of the target, mapping an electrical blueprint of Iran’s centrifuges, with the data sent back to the National Security Agency in Maryland. The second stage, a trigger, added a number of “zero-day exploits” that can cause physical damage. The virus was only configured for Iranian nuclear facilities. It wasn’t designed to spread, U.S. officials said.
But it did.
U.S. sources confirmed the account of researchers at Symantec and Kaspersky Labs that stated Stuxnet had two versions. The first, launched in 2010, had a 21-day period after which the virus would be null and void. Shortly thereafter, the U.S. and Israel launched a second version, believing the first was ineffective. The second version had a different trigger, and U.S. sources said they believed Israel introduced some error in the code trigger. They didn’t elaborate.
Naming the Victims
Chevron was one of the first oil companies to be a victim of the Stuxnet virus. Others, including Baker Hughes, Marathon, ExxonMobil, Shell, and BP, have yet to make any public admission of attacks by the virus because reporting incidents could trigger liability.
Blair Nicholas, of the law firm Bernstein Litowitz Berger and Grossman based in San Diego, said in a recent news report, “To the extent that there aren’t adequate procedures in place to protect the companies’ crown jewels and somebody gets the key to the jewelry box, there is certainly potential for shareholder derivative liability.”
Besides Chevron, none of Stuxnet’s corporate victims, including Marathon Oil, ConocoPhillips and Baker Hughes, has disclosed the attacks in filings with regulators.
These same companies have already been victims of Chinese-backed industrial espionage assaults that have cost them billions of dollars in plans and intellectual property, sources said, and some of the Chinese attacks remained undetected for years.
In attacks on Baker Hughes and Shell Oil, the Chinese targeted bid data as well as project plans and financial information.
Conoco and Exxon experienced similar breaches, but they went unreported because of client confidentiality. Studies have already been done of malware aimed at seizing data in the computers of a drilling rig working on a ConocoPhillips project, sources said.
None of these companies have commented on this matter to the U.S. press.
New Threats to Platforms
New computer-controlled oil platforms are already a reality. But offshore-onshore contact and the processes out on the platform are often controlled by onshore personnel via networked PCs. When onshore and offshore networks are linked the chances of attacks by viruses and hackers increase dramatically.
Experts say that while oil companies have improved offshore safety, they have lagged in the field of information security. For example, several experts said virus attacks have led to electronic equipment becoming unstable, and while personnel undergo scenario training to reduce risks, such training is seldom employed in the field of information security.
This is especially dangerous when the current trend is toward unmanned, robot-controlled platforms, which leave electronic equipment more exposed to attack. Ludolf Luehmann, manager of IT at Shell, Europe’s largest oil company, said in a recent news report, “We see an increasing number of attacks on our IT systems and information, and there are various motivations behind it: Criminal and commercial,” all focusing on research and development to gain a competitive advantage.
Cyber war experts like Lewis are aware most industries operate on computers vulnerable to attack, and hackers are increasing in numbers, becoming more knowledgeable and skilled, and making more daring attacks on systems. “The Chinese have been very successful,” Lewis said.
Oil companies are warning the worst case scenario would be one in which valves were accessed, which could set offshore rigs on fire, kill personnel and halt production. The cost of down time on an offshore rig is $6.3 million a day, experts said. The financial loss could be huge.
Stuxnet, which crippled Iran’s nuclear centrifuges, shows the potential devastation of a worm created to cause damage. Experts believe this kind of attack could be replicated on oil producing offshore rigs.
Riemer Brower, head of IT security at Abu Dhabi Company for Onshore Oil Operations, said the oil industry has avoided any damaging incidents so far, but he warned that “the oil companies in charge are no longer really in control.”
Richard Sale was United Press International’s Intelligence Correspondent for 10 years and the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.
Tuesday, October 30, 2012 @ 10:10 AM gHale
Germany just overtook the U.S. when it comes to email users getting the most malicious email messages.
Germany topped the chart with 13.87% of malicious mail directed at its users, followed by Spain (7.43%), Russia (6.85%), India (6.39%), Vietnam (5.95%), Australia (5.94%), China (5.80%) and the U.S (5.62%), according to a report on September’s spam by Kaspersky. The U.S. had led the chart for the previous eight months.
Kaspersky said 3.4% of all emails contained malicious files, a drop of 0.5 percent compared to the previous month. Germany saw a six percentage point rise in its detections and Spain saw a four percent rise, while the United Kingdom’s share dropped two percent to 4.67%.
It was also a month for drastic changes in the top ten malware detected by Kaspersky. Long-term leader “Trojan-Spy.HTML.Fraud.gen” fell out of the top ten completely, giving its top spot to “Backdoor.Win32.Androm.kv” (aka Backdoor.Trojan and PWS-Zbot.gen.ana), a backdoor Trojan which enables remote access, found in 6.32% of the malicious emails. Right behind was “Email-Worm.Win32.Bagle.gt”, an email address harvester and malicious program downloader, and then the “Email-Worm.Mydoom.m” and “Mydoom.l” email address harvesters. Also in the top ten were four ransomware Trojans.
Of the spam that didn’t have malicious programs attached, Kaspersky noted a rise in mails with an oil and gas theme, such as bogus lottery mails apparently from Russian energy companies Gazprom and Lukoil.
They also noted an increase in spam pointing users at infected coupon sites with good imitations of legitimate Groupon mailings, the appearance of Michelle Obama’s name in lottery email which claims to come from the “World Wide Web Owner” and mass English-language mailings of the controversial film “The Innocence of Muslims” which lacked the expected malicious attachments or dangerous links.
Overall, spam levels grew by 2.3 percentage points from August to reach 72.5% of all email traffic, and phishing mails tripled, to reach 0.03%.
Wednesday, October 24, 2012 @ 05:10 PM gHale
Over 1,000 of the 13,500 most popular Android apps show signs of a flawed and insecure implementation of the SSL/TLS encryption protocol, new research showed.
Tests performed on 100 selected apps confirmed 41 of them were vulnerable to known attacks, according to researchers. They were able to harvest users’ bank and credit card details as well as the access tokens for their Facebook, Twitter and email accounts, and messaging services, said the researchers from Leibniz University in Hannover, Germany and Philipps University in Marburg, Germany.
In one test, the researchers injected a bogus virus signature into Zoner AntiVirus for Android that referred to the app itself. The AV app proceeded to classify itself as a threat and then offered to delete itself.
The researchers first examined the apps for typical signs the code might insufficiently check the certificates which verify a communication partner’s identity. As they could not be completely certain the identified code was actually in play, they then carried out targeted man-in-the-middle attacks to crack the encrypted connection.
The vulnerabilities they found fall into two categories: 20 apps simply accepted any certificate, while the other 21 did check whether the certificate carried a valid signature, but didn’t verify whether it had been issued for the correct name. This allowed the security experts to fool the anti-virus software with a valid certificate for their own server.
The researchers plan to release the MalloDroid tool they developed for their code analysis. While the experts have not disclosed any actual names, the affected applications include some popular ones: according to Google Play install counts, users have installed the affected apps 39.5 to 185 million times.
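The two failure classes above map onto two concrete checks a TLS client must make: reject certificates that do not chain to a trusted root, and reject certificates whose names do not include the host being contacted. The added example below is not from the Hannover/Marburg study or from MalloDroid; it shows the hostname check the 21 “valid signature, wrong name” apps skipped, written against the dictionary form that Python’s `ssl.SSLSocket.getpeercert()` returns, plus a small audit of the TLS context settings whose absence produces the “accept any certificate” class. The certificates and hostnames are constructed.

```python
# Added example, not the researchers' code: hostname verification for a peer
# certificate (subjectAltName dNSName entries, RFC 6125 leftmost-label
# wildcards) and an audit of a client TLS context's verification settings.
import ssl
from typing import List


def label_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname, allowing only a whole
    leftmost label to be a wildcard and never letting '*' span a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:        # no partial or TLD-level wildcards
        return False
    if len(p_labels) != len(h_labels):                 # '*' covers exactly one label
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> List[str]:
    """DNS names the certificate was issued for; commonName only as a legacy
    fallback when no subjectAltName is present."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                names.append(v)
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    """The check the 'valid signature, wrong name' apps omitted."""
    return any(label_matches(n, hostname) for n in cert_names(cert))


def make_client_context() -> ssl.SSLContext:
    """A correctly configured client context: chain validation against the
    system trust store and hostname verification both enabled."""
    return ssl.create_default_context()


def weakened_context() -> ssl.SSLContext:
    """The 'accept any certificate' misconfiguration, kept only to be audited."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a code review of the context would raise."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for another name is accepted")
    return findings


# Constructed certificate in getpeercert() form: issued for bank.example and
# its direct subdomains. A certificate the attacker legitimately owns for
# another name has the same structure with different names.
BANK_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"),),
}
```

`hostname_matches(ATTACKER_CERT, "bank.example")` is false even though nothing is wrong with the attacker’s certificate itself; that is exactly the man-in-the-middle the researchers used a valid certificate for their own server to perform.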
Friday, September 21, 2012 @ 02:09 PM gHale
ZeroAccess malware is on over one million computers spread throughout almost 200 countries worldwide. On top of that, the threat ended up installed over nine million times on devices.
All of that happened in about two months. ZeroAccess generates a profit for its masters with the aid of a peer-to-peer network utilized to download malicious plugins. These components are capable of carrying out diverse tasks where criminals make a big profit.
Cybercriminals can earn as much as $100,000 per day if the botnet is operating at maximum capacity, said researchers at Sophos.
After monitoring the threat for a period of two months, Sophos was able to pinpoint the locations of the infected machines. Apparently, the malware infected computers in places we’d least expect, such as Kiribati and various other islands in the middle of the Pacific ocean.
However, most of the infected machines appear to be in the United States (55%), Canada, United Kingdom, Germany, Turkey, Spain, France, Austria, Italy and Japan.
“We have also reverse-engineered the mechanisms by which the ZeroAccess owners keep tabs on the botnet, and discovered an array of techniques used that are designed to bury the call-home network communications in legitimate-seeming traffic,” said James Wyke, senior threat researcher at SophosLabs.
In order to avoid becoming victims of ZeroAccess, users must be aware of what they install and what websites they visit.
Wednesday, September 19, 2012 @ 01:09 PM gHale
A new version of the TDSS/TDL-4 botnet is rapidly growing because it is doing what a good botnet does and that is evading security.
This botnet is using a domain generation algorithm (DGA) to avoid detection, said researchers at Damballa Security.
The algorithm helps the latest version of the botnet carry out click-fraud campaigns and it rapidly moves communication between victims and command-and-control servers from domain to domain, a technique known as domain fluxing.
Since this version appeared in May, it has infected 250,000 unique victims, including machines inside government agencies, ISP networks and 46 of the Fortune 500. Damballa researchers said they found 85 command and control servers and 418 domains related to the new version, primarily hosted in Russia, Romania and the Netherlands. Some of the domains belong to the Russian Business Network (RBN), the researchers said. In the last week, the botnet grew 10 percent, Damballa researchers said.
The TDSS/TDL-4 malware is a rootkit, infecting a computer’s master boot record, making it difficult to remediate. The rootkit hides any other malware present; the malware infected more than 4.5 million computers making it one of the most prolific botnets on record.
Discovery of the new variant began in early July when Damballa’s proprietary DGA detection technology saw domain-fluxing activity from its ISP and telecommunications customers. The DGA generates upwards of thousands of domains over a period of time, with only a handful actually registered, as the command-and-control server needs them. The process repeats and the throwaway domains never appear again, Damballa said. The researchers were able to determine this was malware behavior despite the lack of a binary sample.
Damballa worked with its partner at the Georgia Tech Information Security Center, and they built a sinkhole to observe the new threat and hopefully capture a sample. Soon, the researchers saw attempted command and control connections from victim machines similar to known TDSS/TDL-4 activity. Some were Damballa customers who were able to provide the researchers with a memory snapshot of an infected machine, giving them some code to compare against existing botnet code.
“This was discovered and modeled without having access to a binary. We were able to identify a cluster of DGA activity, model it, identify command and control and map out the infrastructure,” said Manos Antonakakis, director of academic sciences at Damballa. “We were just seeing activity between the protocols observed from the network standpoint and mapped without a binary. This has not been done in the past.”
This is the reverse of the traditional malware analysis process; usually researchers have a binary sample and will reverse engineer it to come up with a signature-based protection.
“It’s very unusual not to have a sample,” Antonakakis said. “The fact the security community is not coming back with a binary sample indicates to us that there are samples out there, but no one is associating them with this malware and they’re not creating signatures for it. We’ve seen 30,000 new infections in the last five days (most of the infections have been in the United States or Germany).”
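The article describes detecting the botnet purely from network behaviour: a host that looks up thousands of algorithmically generated names, almost all of which do not exist, stands out in DNS logs even with no binary in hand. The added example below is not Damballa’s detection technology; it is a minimal version of that idea, scoring each querying host on its NXDOMAIN rate and on the character entropy of the second-level labels it asks for, the two signals that separate generated names from human-chosen ones. The log lines, hosts and domain names are constructed, and the thresholds are assumptions that a real deployment would tune against its own baseline.

```python
# Added example, not Damballa's technology: flag hosts whose DNS behaviour
# looks like a domain generation algorithm (many failed lookups of
# high-entropy names). Log lines are constructed; thresholds are assumptions.
import math
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed passive-DNS log: "<timestamp> <client> <queried name> <rcode>".
# 10.0.0.5 behaves normally; 10.0.0.9 cycles through generated names and
# reaches one that is registered; 10.0.0.7 has too few queries to judge.
DNS_LOG = """\
2012-09-18T10:00:01 10.0.0.5 www.google.com NOERROR
2012-09-18T10:00:02 10.0.0.5 www.microsoft.com NOERROR
2012-09-18T10:00:03 10.0.0.5 en.wikipedia.org NOERROR
2012-09-18T10:00:04 10.0.0.5 mail.example.com NOERROR
2012-09-18T10:00:05 10.0.0.5 typo.exmaple.com NXDOMAIN
2012-09-18T10:00:06 10.0.0.5 www.example.com NOERROR
2012-09-18T10:00:07 10.0.0.9 kq3xz7vbt1pa.com NXDOMAIN
2012-09-18T10:00:07 10.0.0.9 m9rwud2hgj4e.net NXDOMAIN
2012-09-18T10:00:08 10.0.0.9 xb7lpq1zkn3v.com NXDOMAIN
2012-09-18T10:00:08 10.0.0.9 h2tyvmc8qw5d.info NXDOMAIN
2012-09-18T10:00:09 10.0.0.9 rz4kjsb6xe9p.com NXDOMAIN
2012-09-18T10:00:09 10.0.0.9 wq8ndl3vtk1c.biz NOERROR
2012-09-18T10:00:10 10.0.0.7 zz9qkx2m.com NXDOMAIN
2012-09-18T10:00:11 10.0.0.7 www.example.com NOERROR
"""


def second_level_label(domain: str) -> str:
    """The label a DGA actually generates, e.g. 'kq3xz7vbt1pa' of kq3xz7vbt1pa.com."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_hosts(log: str, min_queries: int = 5) -> Dict[str, Dict[str, float]]:
    """Per-client NXDOMAIN rate and mean label entropy, for clients with enough
    queries to make the statistics meaningful."""
    raw = defaultdict(lambda: {"n": 0, "nx": 0, "ent": 0.0})
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        stats = raw[client]
        stats["n"] += 1
        stats["nx"] += int(rcode == "NXDOMAIN")
        stats["ent"] += entropy(second_level_label(qname))
    return {
        client: {
            "queries": s["n"],
            "nx_rate": s["nx"] / s["n"],
            "mean_entropy": s["ent"] / s["n"],
        }
        for client, s in raw.items()
        if s["n"] >= min_queries
    }


def flag_dga_clients(log: str, nx_threshold: float = 0.5,
                     entropy_threshold: float = 3.3) -> List[str]:
    """Clients exceeding both thresholds, sorted for stable output."""
    scores = score_hosts(log)
    return sorted(
        client for client, s in scores.items()
        if s["nx_rate"] >= nx_threshold and s["mean_entropy"] >= entropy_threshold
    )


if __name__ == "__main__":
    for client, s in score_hosts(DNS_LOG).items():
        print(f"{client}: queries={s['queries']} nx_rate={s['nx_rate']:.2f} "
              f"entropy={s['mean_entropy']:.2f}")
    print("flagged:", flag_dga_clients(DNS_LOG))
```

The one NOERROR answer from the flagged client is the interesting record: in the domain-fluxing scheme the article describes, the name that resolves among a run of failures is the handful the operators actually registered, so that name and its answer are what to hand to the sinkhole or block list.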