Posts Tagged ‘worm’
Tuesday, March 18, 2014 @ 05:03 PM gHale
A 27-year-old Moroccan man with Russian citizenship, known on the hacking scene as Diabl0, is under arrest in Thailand on suspicion of involvement in cyber attacks against Swiss financial organizations.
Police arrested Farid Essebar after Swiss police alerted Thai authorities through the embassy in Bangkok about the hacker and three other members of his gang being in Thailand, according to a report in the Bangkok Post.
In Switzerland, Essebar stands accused of hacking into the computer systems of several banks, causing damage estimated at around $4 billion (€2.87 billion).
Police in Thailand have been tracking Diabl0 for the past two years, apparently to make sure he was the man wanted by Swiss authorities before arresting him. Police said Essebar had visited Thailand, Hong Kong and other neighboring countries several times in recent years.
Police Colonel Songsak Raksaksakul, chief of the International Cases and International Crime Division of the Department of Special Investigation, said Essebar never gambled and never purchased any assets in Thailand, despite visiting a number of tourist destinations.
Diabl0 was first arrested in 2005 by Moroccan authorities and sentenced for his role in creating Zotob, a worm that exploited the Windows Plug and Play vulnerability patched in MS05-039 and infected computers at organizations including CNN, ABC News, the New York Times, Boeing and the US Department of Homeland Security.
He received a two-year sentence but was released after one.
Monday, December 2, 2013 @ 04:12 PM gHale
Industrial control systems could feel the effect of a new Linux worm that exploits a PHP vulnerability. Besides ICSes, other Internet-connected devices such as routers, set-top boxes and security cameras could also fall victim.
The malware spreads by exploiting a PHP vulnerability patched back in May 2012 (CVE-2012-1823, the php-cgi query-string argument injection fixed in PHP 5.3.12 and 5.4.2), said researchers at Symantec. The developer used proof-of-concept code published in October to create the worm, which Symantec calls Darlloz.
“Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target,” Symantec’s Kaoru Hayashi said in a blog post.
The variant analyzed by Symantec can infect only devices running on Intel architectures. However, researchers have also spotted versions for other architectures as well, including MIPS, PPC and ARM.
Researchers said that while they have not seen Darlloz attacks in the wild, a large number of users who do not even realize their devices run Linux are at risk.
Symantec recommends that users inventory every device connected to their network and make sure its software is up to date. Because the worm spreads through HTTP POST requests to a handful of php-cgi paths, incoming POST requests to /cgi-bin/php, /cgi-bin/php5, /cgi-bin/php-cgi, /cgi-bin/php.cgi and /cgi-bin/php4 should be blocked.
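The spreading pattern Symantec describes (a POST to one of the php-cgi paths above, with the exploit carried in the request) is easy to pick out of ordinary web server logs. The following is an added example, not Symantec's code or anything from the Darlloz sample: it parses constructed Apache/nginx-style access log lines, flags POST requests to the listed paths, and, as an assumed but typical heuristic, also flags any request to those paths whose query string carries php-cgi command-line switches ("-d", "-s", "-n", "-c"), which is how the public CVE-2012-1823 proof-of-concept code injects php.ini directives. The sample lines use RFC 5737 documentation addresses and are not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Paths Symantec recommended blocking for incoming POST requests.
TARGET_PATHS = {"/cgi-bin/php", "/cgi-bin/php5", "/cgi-bin/php-cgi",
                "/cgi-bin/php.cgi", "/cgi-bin/php4"}

# Apache/nginx "combined"-style line: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+')

# Assumption about the exploit shape: public CVE-2012-1823 PoCs pass php-cgi
# command-line switches in the query string ("?-d allow_url_include=on ..." or "?-s").
CGI_SWITCH_RE = re.compile(r'(?:^|\s)-[dsnc](?:\s|$)')


def parse(line):
    """Split one access-log line into the fields the classifier needs (None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"host": m.group("host"), "method": m.group("method"),
            "path": path, "query": unquote_plus(query), "status": m.group("status")}


def classify(req):
    """Return a reason string if the request matches the Darlloz pattern, else None."""
    if req is None or req["path"] not in TARGET_PATHS:
        return None
    reasons = []
    if req["method"] == "POST":
        reasons.append("POST to php-cgi path")
    if CGI_SWITCH_RE.search(req["query"]):
        reasons.append("php-cgi switch in query string")
    return "; ".join(reasons) or None


def scan(lines):
    """Return (host, path, reason) for every line that looks like a Darlloz probe."""
    hits = []
    for line in lines:
        req = parse(line)
        reason = classify(req)
        if reason:
            hits.append((req["host"], req["path"], reason))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Dec/2013:10:01:03 +0000] "POST /cgi-bin/php?-d+allow_url_include%3don'
    '+-d+auto_prepend_file%3dphp://input+-n HTTP/1.1" 200 512',
    '198.51.100.9 - - [02/Dec/2013:10:01:05 +0000] "POST /cgi-bin/php-cgi HTTP/1.1" 404 169',
    '192.0.2.10 - - [02/Dec/2013:10:02:11 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
    '192.0.2.11 - - [02/Dec/2013:10:02:12 +0000] "GET /cgi-bin/php?-s HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for host, path, reason in scan(SAMPLE_LOG):
        print(f"{host} {path}: {reason}")
```

The second sample line is a POST that returned 404: the device was probed but does not expose php-cgi at that path, which is still worth knowing because it shows a scanner is already generating random addresses in your range. The "-s" GET on the last line is the source-disclosure form of the same bug and is a useful early indicator even though Darlloz itself uses POST.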
Tuesday, November 27, 2012 @ 05:11 PM gHale
New malware appears designed to modify corporate databases, especially in the Middle East.
While the malware is also showing up in other parts of the world, W32.Narilam, first discovered Nov. 15, follows the pattern of other worms: it copies itself onto infected machines, adds registry keys and propagates through removable drives and network shares, said researchers at Symantec.
“What is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB. The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd,” wrote Symantec security researcher Shunichi Imano in a blog post.
Once Narilam finds the targeted databases, it looks for financial terms such as “BankCheck,” “A_sellers” and “buyername” and Persian terms like “Pasandaz” (“Savings”) and “Vamghest” (“Instant Loans”). The malware also deletes tables with the following names: A_Sellers, person and Kalamast.
“The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database,” Imano said. “Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations.”
The overall infection rate is low at the moment, but those whose networks do not have the proper protection could see business disrupted, Imano said.
“Unless appropriate backups are in place, the affected database will be difficult to restore. The affected organization will likely suffer significant disruption and even financial loss while restoring the database,” he said. “As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”
Thursday, August 9, 2012 @ 03:08 PM gHale
Cyber criminals are now using the Police Virus malware as fully functioning ransomware, according to a new report.
The Police Virus is a common scam in which criminals infect computers with malware that masquerades as a law enforcement agency demanding payment for fictional crimes, said researchers at security firm PandaLabs.
Scams like these across the globe demand money for things like copyright infringement, missed court dates and even parking tickets.
PandaLabs detected the evolution of the scam from standard scareware to ransomware in its latest quarterly threat report, which analyzed incidents from April through June 2012.
The firm went on to warn that the campaigns are continuing to evolve at a rapid pace, with criminals creating increasingly effective ways to hold users’ data to ransom and demand payment for its safe return.
“The first versions of the new Police Virus only encrypted .doc files, and the encryption wasn’t too hard to crack, so it was possible to decrypt the files without the key,” the report said.
“Now, however, a more sophisticated encryption is being used, and the decryption key is required to unlock the files. And not only that, the files are encrypted with a different key for each infected computer, so, unless you are able to access the server that stores all keys, it is absolutely impossible to access the files.”
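The report does not say what the early, crackable scheme was, so the following is an added illustration rather than the malware's actual code: it assumes a repeating-key XOR with a short key, a classic weak choice, and shows why encrypting only .doc files made it worse. Every .doc, .xls and .ppt is an OLE2 compound file whose first 24 bytes (the 8-byte signature plus an all-zero header CLSID) are fixed, and several later header fields are constant too, which gives anyone holding a ciphertext enough known plaintext to recover a short key and verify it. The sample "document" is a constructed header with filler, not a real file; "S3cret!!" is an assumed per-build key.

```python
import secrets
from itertools import cycle
from typing import Optional

# Fixed fields of the OLE2 compound-file header every .doc/.xls/.ppt starts with.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
KNOWN_HEADER = OLE2_MAGIC + bytes(16)   # magic + all-zero header CLSID: 24 bytes of known plaintext


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the assumed weak scheme; encrypt and decrypt are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_doc(data: bytes) -> bool:
    """Check header fields that are constant in every compound file (offsets per MS-CFB)."""
    return (data[:24] == KNOWN_HEADER
            and data[28:30] == b"\xfe\xff"      # byte-order mark
            and data[32:34] == b"\x06\x00"      # mini sector shift is always 6
            and data[34:40] == bytes(6))        # reserved, always zero


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> Optional[bytes]:
    """XOR known plaintext against ciphertext; only works if it covers a full key period."""
    if key_len > len(known_plaintext):
        return None
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def crack_doc(ciphertext: bytes) -> Optional[bytes]:
    """Try every key length the known header can cover; accept one that also restores the
    fixed fields *beyond* the bytes the key was derived from, so a wrong period is rejected."""
    for n in range(1, len(KNOWN_HEADER) + 1):
        key = recover_key(ciphertext, KNOWN_HEADER, n)
        if key is not None and looks_like_doc(xor_crypt(ciphertext, key)):
            return key
    return None


def fake_doc() -> bytes:
    """Constructed stand-in for a .doc: a valid 512-byte header followed by filler. Not a real file."""
    header = KNOWN_HEADER + b"\x3e\x00\x03\x00\xfe\xff\x09\x00\x06\x00" + bytes(6)
    return header.ljust(512, b"\x00") + bytes(range(256)) * 16


def demo() -> dict:
    """Weak 8-byte key: recovered from the header. 32-byte random key: the header no longer
    covers a full key period, so the same trick yields nothing."""
    doc = fake_doc()
    weak_key = b"S3cret!!"                                 # assumed weak per-build key
    weak_ct = xor_crypt(doc, weak_key)
    found = crack_doc(weak_ct)
    strong_ct = xor_crypt(doc, secrets.token_bytes(32))    # per-victim random key
    return {
        "weak_key_recovered": found == weak_key,
        "weak_file_restored": found is not None and xor_crypt(weak_ct, found) == doc,
        "strong_key_recovered": crack_doc(strong_ct) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The 32-byte case only shows that the known-header trick stops working once the key outgrows the known plaintext; it does not make repeating-key XOR with a long key safe. What the later Police Virus variants did, per the report, is the real fix from the criminals' point of view: a proper cipher with a unique key per infected machine, held only on their server, so nothing in the victim's own files helps.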
The evolution came alongside a boom in the number of Trojans. The report found Trojans are now the most common form of new malware, accounting for 79 percent of all new samples.
Worms were the second largest category of new samples, at 11 percent, the report said.
Measured by infections rather than samples, Trojans again led, accounting for 76 percent of all infections during the quarter, while viruses came second at eight percent.
“It is interesting to note that worms have only caused six percent of infections despite accounting for almost 11 percent of all new malware,” said Luis Corrons, technical director of PandaLabs.
“The figures corroborate what is well known: massive worm epidemics have become a thing of the past and have been replaced by an increasing avalanche of banking Trojans and specimens such as the Police Virus.”
Looking to the future, Corrons warned that the Police Virus is one of numerous cyber crime kits currently on sale and will likely remain an ongoing problem for the foreseeable future.
“This so called Police Virus appears to be created for and distributed by a cyber criminal gang from Eastern Europe or Russia, and police forces from across Europe are working together to try and identify and arrest them,” said Corrons.
Wednesday, August 1, 2012 @ 01:08 PM gHale
The Morto worm has added file infection to its original ability to compromise remote desktop protocol (RDP) connections by exploiting weak administrator passwords.
Microsoft warned last year that once Morto compromises a system, it connects to a remote server to download additional information and update its components. The worm also terminates processes for locally running security applications to ensure its activity continues uninterrupted.
The new Morto variant “infects .EXE files found on fixed and removable drives as well as on default RDP and Administrative shares, but avoids infecting files that contain strings like ‘windows’, ‘winnt’, ‘qq’, ‘Outlook’, ‘System Volume Information’ or ‘RECYCLER’ in their path,” said Edgardo Diaz Jr. of the Microsoft Malware Protection Center. “Morto also leaves an infection marker, ‘PPIF’, in infected files.”
Similar to earlier memory-resident viruses, Morto’s payload and infection routine execute in the context of other processes, Diaz said. To avoid injecting the same process more than once (or running multiple copies of the virus), it creates a mutex called “Global\_PPIftSvc”, he added.
Diaz advised organizations to use strong passwords for administrator and user accounts and to verify that passwords are not similar to those the malware uses to spread.
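The details Microsoft published (.EXE infection, the path strings Morto avoids, the ‘PPIF’ marker and the mutex name) are enough for a first-pass triage script. The following is an added example, not Microsoft's or Morto's code: it walks a directory tree for .EXE files carrying the marker, optionally skipping the same paths Morto skips so the scan covers only where the worm could have written, and on Windows probes for the mutex. The write-up does not say where in an infected file the marker sits or whether the path comparison is case-sensitive, so the script searches whole files and compares case-insensitively; both are assumptions. A hit is a lead for AV confirmation, not proof of infection, since the four bytes ‘PPIF’ can occur in clean binaries. The sample tree is a constructed fixture of fake ‘MZ’ stubs.

```python
import os
import tempfile
from typing import List, Optional, Tuple

MARKER = b"PPIF"
# Path substrings Microsoft says Morto will not infect under (compared case-insensitively
# here; the write-up does not state how Morto compares them, so that is an assumption).
SKIP_SUBSTRINGS = ("windows", "winnt", "qq", "outlook", "system volume information", "recycler")


def morto_would_skip(path: str) -> bool:
    """True if Morto's own exclusion list would have kept it away from this path."""
    p = path.lower()
    return any(s in p for s in SKIP_SUBSTRINGS)


def has_marker(path: str, chunk: int = 1 << 20) -> bool:
    """Stream the file; keep a len(MARKER)-1 byte overlap so a marker straddling two chunks is seen."""
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return False
            if MARKER in tail + block:
                return True
            tail = block[-(len(MARKER) - 1):]


def is_pe(path: str) -> bool:
    """Cheap check for the DOS 'MZ' stub every Windows executable starts with."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_tree(root: str, mirror_exclusions: bool = False) -> List[str]:
    """Return .EXE files carrying the marker. With mirror_exclusions=True the walk skips the
    same paths Morto skips, i.e. it looks only where the worm could have written."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not name.lower().endswith(".exe"):
                continue
            if mirror_exclusions and morto_would_skip(full):
                continue
            if is_pe(full) and has_marker(full):
                hits.append(full)
    return sorted(hits)


def morto_mutex_present() -> Optional[bool]:
    """On Windows, probe for the Global\\_PPIftSvc mutex the variant creates; None elsewhere."""
    if os.name != "nt":
        return None
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    k32.OpenMutexW.restype = ctypes.c_void_p
    h = k32.OpenMutexW(0x00100000, 0, "Global\\_PPIftSvc")     # SYNCHRONIZE access
    if h:
        k32.CloseHandle(ctypes.c_void_p(h))
        return True
    return ctypes.get_last_error() == 5        # ERROR_ACCESS_DENIED: exists, owned by another session


def make_sample_tree() -> Tuple[str, dict]:
    """Constructed fixture: fake 'MZ' stubs in a temp directory, not real binaries."""
    root = tempfile.mkdtemp(prefix="morto_")
    while morto_would_skip(root):               # a random temp name could contain e.g. "qq"
        root = tempfile.mkdtemp(prefix="morto_")
    os.makedirs(os.path.join(root, "Windows"))
    os.makedirs(os.path.join(root, "tools"))

    def put(rel: str, data: bytes) -> str:
        full = os.path.join(root, rel)
        with open(full, "wb") as f:
            f.write(data)
        return full

    files = {
        "clean": put(os.path.join("tools", "clean.exe"), b"MZ" + bytes(600)),
        "infected": put(os.path.join("tools", "patched.exe"), b"MZ" + bytes(100) + MARKER + bytes(500)),
        "under_windows": put(os.path.join("Windows", "sys.exe"), b"MZ" + MARKER),
        "text": put(os.path.join("tools", "notes.txt"), MARKER),
    }
    return root, files


if __name__ == "__main__":
    root, files = make_sample_tree()
    print("all:", scan_tree(root))
    print("where Morto could write:", scan_tree(root, mirror_exclusions=True))
    print("mutex:", morto_mutex_present())
```

Run it against the RDP and administrative shares Microsoft names (mapped under the scanned root) as well as local fixed and removable drives; the mutex probe needs to run on the suspect host itself, and an ERROR_ACCESS_DENIED is treated as "present" because a mutex created in another session can exist without being openable from an unprivileged one.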
Tuesday, May 29, 2012 @ 05:05 PM gHale
Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
Over the weekend a new super worm exploded onto the cyber security landscape.
Known as Flame or sKyWIper, it appears to be targeting sites in the Middle East, just like Stuxnet and Duqu did. But what does it have to do with SCADA or ICS security? At this stage the answer appears to be nothing and — everything.
Let’s start with what Flame is. Rather than just being a typical worm, Flame appears to be a carefully crafted attack toolkit for industrial or political espionage. According to Aleks at Kaspersky Labs “it is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.”
Now the first unusual thing about Flame is that it is massive. While the typical worm is 50 Kbytes in size, Flame weighs in at 20 Mbytes, nearly 400 times larger.
The reason for this large size is Flame is a multi-functional toolkit for information stealing, completely reconfigurable by its masters for new tasks.
According to the CrySyS Lab report on sKyWIper (aka Flame):
“sKyWIper has very advanced functionality to steal information and to propagate. Multiple exploits and propagation methods can be freely configured by the attackers. Information gathering from a large network of infected computers was never crafted as carefully as in sKyWIper. The malware is most likely capable of using all of the computers’ functionalities for its goals. It covers all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, network, wifi, Bluetooth, USB and system processes.”
Flame is a Swiss Army Knife of malware in the sense that it can intercept everything imaginable, but it is not a pile of existing malware code thrown together. It is very cleverly crafted. Like Stuxnet, it has multiple propagation vectors – USB keys, printer sharing, and domain controller rights to name a few.
Its modular architecture allows its creators to massively change functionality and behavior at any time. It also allows its operators to use a sophisticated scripting language called Lua to manage its activities. Plus its code injection techniques are pretty amazing.
Flame is no script kiddy project. It is probably not even an organized crime project. All reports from the anti-virus companies analyzing Flame indicate it was created by a well funded professional team of developers. As Kaspersky Labs put it:
“…the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.”
What does Flame have to do with SCADA and ICS Security?
On the surface, very little. As currently configured, Flame is clearly an information stealer. There is no evidence that it has SCADA or ICS related modules installed at this time.
That said, Symantec and others report that Flame appears to be the same worm that the Iranian Oil Ministry reported was impacting its facilities at the Kharg Island terminal last month. Iran’s National CERT (MAHER) is also now reporting on the existence of this worm inside Iran.
What does all this mean to the average control engineer? The good news is that like Stuxnet, Flame appears to be highly targeted. Like Duqu, it steals information rather than destroying equipment. But the bad news is that this worm clearly indicates that industry, especially the energy industry, is now a key target in a rapidly growing world of sophisticated, government sponsored malware.
Call it “cyber warfare” or “cyber hype”, the bottom line is that the information/networked world is getting nastier by the day and SCADA and ICS is part of that world.
Eric Byres is chief technology officer at Byres Security. The full version of this post is available on the Practical SCADA Security blog at Tofino Security.