Stuxnet - Malware That James Bond Would Be Proud Of?

Posted on September 29, 2010 by Paul Stanfield

UPDATE September 30, 2010:  Further to the story below, the New York Times reports that experts deconstructing the Stuxnet virus have found a file named "Myrtus", which is supposedly the Hebrew word for Esther's name (Hadassah) before she was selected as queen.  Esther is a book in the Hebrew Bible (Old Testament) in which a plot by the leaders of Persia (now known as Iran) to destroy the Jews is foiled by Esther, which then allowed the Jews to kill about 75,000 Persians in reprisal.  The naming of this file could be signficant as a calling card or could just be an attempt to shift blame (or could just be the name of someone's mother or cat). 

This sounds more and more like Tom Clancy is making this up.

ORIGINAL POST:  As our many readers will surely recall, this blog was all over the Stuxnet story when it broke a few months ago.  For those that don't remember, Stuxnet is a malware that targets commercial systems (primarily power plants) by attacking a vulnerability in a Siemen's system using a particular Microsoft operating system.  It was originally thought to be delivered via a USB thumb drive but experts now say it is in the wild and can be delivered in different ways.  Also, it was originally thought to be used just to copy plans for the power plants but now it is surmised that it could be used to sabotage such plants.  Experts that have now broken the code for the malware see a sophistication, knowledge and complexity that is not commonly available to any one or more non-affiliated hackers.  This has lead the same experts to speculate (emphasis on the speculative nature as there is no hard evidence, yet) that this was probably the actions of a nation state.

Experts to whom this blog has spoken have stated that because Stuxnet was first discovered in Iran and most of the activity is still in Iran and specifically at one of their nuclear power plants (one that has been mysteriously delayed in coming on line), it probably came from one of the nations not particularly happy about Iran having nuclear power.  Likely suspects are (you guessed it) the CIA or maybe even Mossad.

Of course, nobody really knows and maybe never will.  However, the lesson to be learned from this is that malware (whether state sponsored or otherwise) is rapidly becoming more sophisticated and could pose much greater risks in the future.

Cue the 007 music.

Tags: , , , , , , , , ,

Malware Might Have Played A Part In Deadly Plane Crash

Posted on August 23, 2010 by Paul Stanfield

OK, now it's serious.  It's one thing to lose credit card information or for your Facebook account to be high jacked, but malware is said to have been instrumental in the cause of death and destruction in the crash of a Spainair flight two years ago.  Investigators have determined that ground computers were infected with malicious code that may have prevented the pilots from being warned that the flaps were in the wrong configuration for takeoff.

This blog has previously discussed the malicious code problem here, here and here.  Experts in virus protection are becoming increasingly pessimistic about the ability of reactive virus protection to be effective.

A video of the crash can be seen here.  Warning, this is unsettling in that it is video of an event where a large number of people lost their lives.

I told you this was serious.

Tags: , , , , , , , , ,

Virus Protection Using Whitelisting

Posted on June 7, 2010 by Paul Stanfield

Last week, we posted an article about some of the ways of protecting a computer or computer network from malicious code.  We discussed primarily methods called "blacklisting" (the more widely used approach) and "whitelisting" (an approach receiving increased attention in recent days).

There is an Austin based company called CoreTrace that features the whitelisting approach.  When we asked, they were kind enough to provide us access to one of their subject matter experts. 

We discussed various aspects of this issue with Greg Valentine, CoreTrace's Director of Technical Sales and Services.  

Pertinent portions of that conversation follow:

ATLB:  CoreTrace’s products are designed to protect computers and networks from viruses, spyware, malware and other harmful stuff. How does it do it and how does that compare to the conventional anti-virus software we regularly see?

Greg:  CoreTrace has a product called “Bouncer”. Bouncer works at the operating system level and allows only the programs or executable code that has been whitelisted by the system administrator through Bouncer to run on that computer. Typical antivirus software works by maintaining a huge database library of virus signatures (which you have to keep up to date) and it attempts to eliminate them by searching a computer’s hard drives, comparing the code it finds on the hard drives to the virus library and then if it finds a match, it eliminates the virus code. There are a few challenges with this type of a defense.
1. This is reactive in nature – By definition, a signature does not exist until someone gets infected.
2. Because it is reactive, antivirus is vulnerable to a ‘zero-day’ attack. This simply means that a ‘bad guy’ can create a new piece of malware and as long as the antivirus companies are not aware of his new virus/worm then they will be blind to it.
3. In order to be protected by antivirus, you must deploy the updated signatures as quickly as possible. This can lead to inadequate testing before pushing out the ‘change’. If the antivirus vendor has made a mistake in their signature update then you could be causing more harm.
a. See McAfee’s recent ‘false positive’ signature update fiasco


ATLB:  You used the term “whitelisting”. What does that mean?

Greg:   At the time it is first installed, Bouncer takes an inventory of the executable programs on the hard drives of the computer and approves each of them to run. It puts them on a “whitelist”, i.e. stuff that is allowed to run. It is called whitelist because the antivirus providers say the stuff in their libraries is on the “blacklist”.

ATLB:  So, if a virus or other malware is present on the machine when Bouncer is first installed, then it will be allowed to run?

Greg:  That’s true, unless it is specifically found and eliminated later. That’s the reason that a good antivirus software should be run before Bouncer is installed or it should be installed in new machines before they are attached to the internet or anywhere else that they could become infected. Should you discover that one of your systems was infected prior to deploying Bouncer, you can rest a little easier at least in the knowledge that the infection will not be able to spread (to any other Bouncer protected computers).

ATLB:  Doesn’t having to authorize every piece of code to run on a system require an inordinately large amount of administrator time?

Greg:  The program takes an inventory of all the programs running on the machine at the time of the installation and thereafter the administrator does not have to be involved. The administrator can ‘pre’-authorize all software from a specific company or with a specific signature and software installed later from that company or with that signature will automatically be whitelisted and allowed to run.

ATLB:  How much computer resources does the CoreTrace system utilize and how does this compare to antivirus software?

Greg:  Our software requires a very small amount of hard disk space for our program. Since it merely prevents unauthorized programs from running, it doesn’t regularly use many computer resources. Antivirus software needs to run on a regular basis to see if any identified malware has been added since the last scan. You may have noticed that when your antivirus software is running its scan, which may last an hour or two, your computer is devoting significant resources to the scan and can have an effect on the capabilities of the computer. Bouncer only needs to check the program as it is launched. This check against the whitelist is extremely fast and does not impact the load time for any whitelisted applications.

ATLB:  How often is your software updated?

Greg:  Except for enhancements and upgrades to the program for operational purposes, our software does not need to be regularly updated. Since our method of operation is to keep anything but authorized programs from executing, we don’t have to continually seek out new viruses and add them to our database. Because of this method, we can never be behind when a new virus comes out, because regardless of the sophistication or newness of the virus signature, it can be deposited on the computer’s hard drive but because it is not authorized, it simply can’t harm the computer or its contents. Compare that to antivirus databases that are required to be updated constantly on a real time basis and must necessarily contain millions of virus signatures and sometimes can only catch a virus after it has infected a number of machines, if the virus doesn’t match their database.

ATLB:  Is there a version for single workstations or computers?

Answer:  Not yet. Right now, our program is only deployed on an enterprise basis.
 

Tags: , , , , , , , , , , ,

Viruses, Malware and Spyware, Oh my!

Posted on June 3, 2010 by Paul Stanfield

The recent McAfee debacle, which we detailed here, has once again brought into focus the problems inherent with protecting a computer or computer network from code designed to have a non-optimum effect on such computer or network.
Since the early 1970s, when a virus called Creeper was created and introduced into ARPANET, the precursor to the internet, anti-virus software and other means of combating viruses have been created. The code to combat Creeper was called Reaper and so, the dance began.
Viruses are probably better referred to generically as malicious code, which includes a broad range of things including attack scripts, viruses, worms, Trojan horses, backdoors, malicious active content, malware, adware, spyware and many other names.
Malicious code is designed to do a variety of things, including crippling or disrupting computer operations, stealing information, perpetuating pranks and allowing unauthorized intrusions.
As soon as viruses started creating havoc, people started looking for a way to combat them. Shortly thereafter, other people (particularly those who depended on some other people for computer resources or storage) begin to question such people’s response to the virus problem. Then, lawyers got involved (there’s always a silver lining) and suits were brought alleging that not enough was done to protect the computer resources against invasion, whether to steal information, create havoc, generally be a pain in the hard drive or a combination of all.
Although the law is still developing in this area, it is plain that the application of commonly applied negligence principles will require at least a reasonable amount of protection against intrusion and malicious code.
There are two basic approaches to combating such threats and they are generally referred to as “blacklisting” and “whitelisting”. Blacklisting is the most commonly used method and it involves developing a huge database of virus signatures and checking each transmission to and from a computer for such signatures and routinely scanning the storage areas of such computers for evidence of malicious code.  The database needs to be continually updated and entirely new stains of viruses must be recognized and negated after they are released into the wild.
Whitelisting takes the approach of initially scanning drives for their contents and then not allowing anything else to run on that computer unless it is specifically approved. This method does not depend on scanning after the initial scan and does not have to be updated. New virus strains are of no concern as they may reside on the computer but will not be allowed to execute.
You can expect that the issue will arise in some case as to whether one method is better than the other and if the other method is available, was it negligence not to employ such method?
In a subsequent edition, we will post an interview with CoreTrace, a local company that markets the “whitelisting” approach.
 

Tags: , , , , ,