Cyberwar Enters The Next Phase. Move Over Stuxnet and DuQu, Here Comes Flame.

We have written on several occasions about the new wave in malware that are probably the products of nation state(s) because of the complexity or the code and the resources required to write and deploy such creations. (See here, here and here).

These nasty creatures go by the name of Stuxnet and DuQu and so now appears their cousin who has the moniker "Flame" because that name appears in its code.

Stuxnet caused the Iranian nuclear centrifuges to spin out of control and self destruct and DuQu extracts information and sends it to an unknown site. 

Flame apparently can eavesdrop on users by recording their e-mail or instant messaging via a screen shot and  can snoop on audio using the computer's microphone or via video conferencing programs. To top it off, it may be able to use near field communications to monitor near by devices.  Flame does not appear to be destructive but is apparently the most complex system yet to invade the privacy of the unwitting recipients.  To date, it apparently has been deployed mainly in the middle east with about half of the reports coming from Iran.

It is incredibly complex with a file weight of about 20 times the size of Stuxnet, but in spite of its large file size, it has gone undetected for at least 2 years.

If war is just the continuation of politics by another means, this could be political.

Move Over Stuxnet, Here Comes DuQu - Son of Stuxnet, Stuxnet 2.0 or Demon Spawn?

The latest addition to the family of badass malware is DuQu.  DuQu was born sometime in the near recent past but only became obvious to the world on September 1, 2011 when the Laboratory of Cryptography and System Security (CrySyS) notified the world of its birth. 

If the proud parents were to issue a birth announcement it would read something like:

"The Stuxnet family is proud to announce its latest variant, DuQu, named after its propensity to create files with DQ as a prefix.  Born: Sometime lately.  Weight: Heavy.  Breadth: Remains to be seen.  The bouncing baby malware shares a good portion of its mother's (Stuxnet) source code.  Its father is undetermined but likely is a good looking roving nation state with sabotage or corporate espionage on its mind, like Mossad or the CIA, who are also related to Stuxnet, so birth anomalies are possible.  DuQu shares its likely father's fondness for stealth and trickery."

Most experts like Symantec would agree with the announcement's statement on DuQu's lineage but Dell's SecureWorks doesn't necessarily buy it.

Stuxnet has been used to infect the Iranian nuclear program by causing the centrifuges used to purify uranium to exceed their design for spinning speed and destroy themselves.  DuQu seems to extract information and send it to an unknown site.  Although not proven, this blog along with others have surmised that the sophistication of Stuxnet, the targets and the amount of programming resources required point to the involvement of a group of people more technically advanced and well funded than the average virus creator.  We also chronicled Stuxnet's move from being merely menacing to becoming a military weapon.

Anti virus groups are moving to address the issues, Microsoft says it will address the zero day defect that DuQu exploits when it gets around to it but proposes an emergency fix and the "whitelisting" folks like CoreTrace say that they've been ahead of this all along.

As this new arrival grows and spreads, the real purpose and the damage it may do can be assessed but if malware continues to be more sophisticated than some of the applications we regularly use, problems will abound.

Updates: Stuxnet, Bilski, COICA, Arcade Fire (HTML5)

Updates on a few of our earlier posts:


Stuxnet Moves From Merely Military Malware To Military Malware Menace.

We have mentioned the virus/malware known as Stuxnet several time in this blog.  When it first burst onto the scene, we thought it was interesting and possibly a new and more sophisticated virus.  Then it appeared that it may be the actions of a nation or nations and we became more intrigued.  Now, it is surmised that it has capabilities of causing more than delays in the construction of nuclear power plants and may be capable of causing another Chernobyl.  For our younger readers, that's not a good thing and moves Stuxnet into the frightening category.

I'm pretty sure we haven't heard the last of this.

Stuxnet - Military Malware?

We hate to say we told you so (actually, we revel in it), but we surmised early on (without any real information) that the Stuxnet virus was the result of a nation state's activity to impact the Iranian nuclear development.  Now it appears that we were probably correct.  Stuxnet set back the Iranian nuclear program by several years by causing the centrifuges to rotate in excess of their capacity.  It has been hailed as being as effective as a military strike but in spite of being more sophisticated than any previous malware, it was messy in that it didn't really cover its tracks like some other malware. 

Kinda like a military strike.

Stuxnet - Malware That James Bond Would Be Proud Of?

UPDATE September 30, 2010:  Further to the story below, the New York Times reports that experts deconstructing the Stuxnet virus have found a file named "Myrtus", which is supposedly the Hebrew word for Esther's name (Hadassah) before she was selected as queen.  Esther is a book in the Hebrew Bible (Old Testament) in which a plot by the leaders of Persia (now known as Iran) to destroy the Jews is foiled by Esther, which then allowed the Jews to kill about 75,000 Persians in reprisal.  The naming of this file could be signficant as a calling card or could just be an attempt to shift blame (or could just be the name of someone's mother or cat). 

This sounds more and more like Tom Clancy is making this up.

ORIGINAL POST:  As our many readers will surely recall, this blog was all over the Stuxnet story when it broke a few months ago.  For those that don't remember, Stuxnet is a malware that targets commercial systems (primarily power plants) by attacking a vulnerability in a Siemen's system using a particular Microsoft operating system.  It was originally thought to be delivered via a USB thumb drive but experts now say it is in the wild and can be delivered in different ways.  Also, it was originally thought to be used just to copy plans for the power plants but now it is surmised that it could be used to sabotage such plants.  Experts that have now broken the code for the malware see a sophistication, knowledge and complexity that is not commonly available to any one or more non-affiliated hackers.  This has lead the same experts to speculate (emphasis on the speculative nature as there is no hard evidence, yet) that this was probably the actions of a nation state.

Experts to whom this blog has spoken have stated that because Stuxnet was first discovered in Iran and most of the activity is still in Iran and specifically at one of their nuclear power plants (one that has been mysteriously delayed in coming on line), it probably came from one of the nations not particularly happy about Iran having nuclear power.  Likely suspects are (you guessed it) the CIA or maybe even Mossad.

Of course, nobody really knows and maybe never will.  However, the lesson to be learned from this is that malware (whether state sponsored or otherwise) is rapidly becoming more sophisticated and could pose much greater risks in the future.

Cue the 007 music.

Malware Might Have Played A Part In Deadly Plane Crash

OK, now it's serious.  It's one thing to lose credit card information or for your Facebook account to be high jacked, but malware is said to have been instrumental in the cause of death and destruction in the crash of a Spainair flight two years ago.  Investigators have determined that ground computers were infected with malicious code that may have prevented the pilots from being warned that the flaps were in the wrong configuration for takeoff.

This blog has previously discussed the malicious code problem here, here and here.  Experts in virus protection are becoming increasingly pessimistic about the ability of reactive virus protection to be effective.

A video of the crash can be seen here.  Warning, this is unsettling in that it is video of an event where a large number of people lost their lives.

I told you this was serious.

More Sophisticated Spyware Hits Utility Systems - "Stuxnet" Gone Wild

Cyber security experts are scrambling to assess the past effects and the potential of a recently detected malware that has targeted utility systems primarily in the Middle East (beginning in Iran) and the United States. Microsoft has named the Trojan intruder “Stuxnet”.

On a very basic level, here is what Stuxnet does:
1. So far, it has targeted a Siemens system (SCADA) used primarily in the operation and control of electric power plants;
2. It has been carried on USB sticks that, when attached to a computer, automatically executes without any further action by a user, even if the AutoRun function is disabled;
3. The Trojan then seeks out and copies certain database information, including power plant designs;
4. Stuxnet exploits a flaw in the shortcut links files in Windows.

Microsoft has issued a work around that essentially turns off the shortcut function and changes the shortcut icons appearance on the screen.

So, if this only targets utility companies, unless you are a utility company or have one as a client, why should you care? Experts surmise that this was created to carry out industrial espionage but the same technique can be used for other targets. It could be used to target other trade secrets, personal financial information, medical records, etc.

We talked to a local security expert and there are reports that Stuxnet or variants are “in the wild” and could be delivered by a manner other than USB sticks via networks and remote web servers.

McAfee alleges that it has a defense against Stuxnet as does Symantec. As we noted in earlier posts (see here and here), these are examples of blacklisting. CoreTrace has demonstrated effectiveness against the intruder by using the whitelisting capabilities of its product Bouncer. See the YouTube video here:

This attack seems to be much more targeted and much more sophisticated that most of the prior threats and may herald a new age of malware menace.

So, it’s a dangerous cyber world out there. Use protection.

Virus Protection Using Whitelisting

Last week, we posted an article about some of the ways of protecting a computer or computer network from malicious code.  We discussed primarily methods called "blacklisting" (the more widely used approach) and "whitelisting" (an approach receiving increased attention in recent days).

There is an Austin based company called CoreTrace that features the whitelisting approach.  When we asked, they were kind enough to provide us access to one of their subject matter experts. 

We discussed various aspects of this issue with Greg Valentine, CoreTrace's Director of Technical Sales and Services.  

Pertinent portions of that conversation follow:

ATLB:  CoreTrace’s products are designed to protect computers and networks from viruses, spyware, malware and other harmful stuff. How does it do it and how does that compare to the conventional anti-virus software we regularly see?

Greg:  CoreTrace has a product called “Bouncer”. Bouncer works at the operating system level and allows only the programs or executable code that has been whitelisted by the system administrator through Bouncer to run on that computer. Typical antivirus software works by maintaining a huge database library of virus signatures (which you have to keep up to date) and it attempts to eliminate them by searching a computer’s hard drives, comparing the code it finds on the hard drives to the virus library and then if it finds a match, it eliminates the virus code. There are a few challenges with this type of a defense.
1. This is reactive in nature – By definition, a signature does not exist until someone gets infected.
2. Because it is reactive, antivirus is vulnerable to a ‘zero-day’ attack. This simply means that a ‘bad guy’ can create a new piece of malware and as long as the antivirus companies are not aware of his new virus/worm then they will be blind to it.
3. In order to be protected by antivirus, you must deploy the updated signatures as quickly as possible. This can lead to inadequate testing before pushing out the ‘change’. If the antivirus vendor has made a mistake in their signature update then you could be causing more harm.
a. See McAfee’s recent ‘false positive’ signature update fiasco

ATLB:  You used the term “whitelisting”. What does that mean?

Greg:   At the time it is first installed, Bouncer takes an inventory of the executable programs on the hard drives of the computer and approves each of them to run. It puts them on a “whitelist”, i.e. stuff that is allowed to run. It is called whitelist because the antivirus providers say the stuff in their libraries is on the “blacklist”.

ATLB:  So, if a virus or other malware is present on the machine when Bouncer is first installed, then it will be allowed to run?

Greg:  That’s true, unless it is specifically found and eliminated later. That’s the reason that a good antivirus software should be run before Bouncer is installed or it should be installed in new machines before they are attached to the internet or anywhere else that they could become infected. Should you discover that one of your systems was infected prior to deploying Bouncer, you can rest a little easier at least in the knowledge that the infection will not be able to spread (to any other Bouncer protected computers).

ATLB:  Doesn’t having to authorize every piece of code to run on a system require an inordinately large amount of administrator time?

Greg:  The program takes an inventory of all the programs running on the machine at the time of the installation and thereafter the administrator does not have to be involved. The administrator can ‘pre’-authorize all software from a specific company or with a specific signature and software installed later from that company or with that signature will automatically be whitelisted and allowed to run.

ATLB:  How much computer resources does the CoreTrace system utilize and how does this compare to antivirus software?

Greg:  Our software requires a very small amount of hard disk space for our program. Since it merely prevents unauthorized programs from running, it doesn’t regularly use many computer resources. Antivirus software needs to run on a regular basis to see if any identified malware has been added since the last scan. You may have noticed that when your antivirus software is running its scan, which may last an hour or two, your computer is devoting significant resources to the scan and can have an effect on the capabilities of the computer. Bouncer only needs to check the program as it is launched. This check against the whitelist is extremely fast and does not impact the load time for any whitelisted applications.

ATLB:  How often is your software updated?

Greg:  Except for enhancements and upgrades to the program for operational purposes, our software does not need to be regularly updated. Since our method of operation is to keep anything but authorized programs from executing, we don’t have to continually seek out new viruses and add them to our database. Because of this method, we can never be behind when a new virus comes out, because regardless of the sophistication or newness of the virus signature, it can be deposited on the computer’s hard drive but because it is not authorized, it simply can’t harm the computer or its contents. Compare that to antivirus databases that are required to be updated constantly on a real time basis and must necessarily contain millions of virus signatures and sometimes can only catch a virus after it has infected a number of machines, if the virus doesn’t match their database.

ATLB:  Is there a version for single workstations or computers?

Answer:  Not yet. Right now, our program is only deployed on an enterprise basis.