We Are In The Midst Of a Hot Cyberwar, Make No Mistake About It. Iran Fires The Latest Salvo (That We Know Of).

In December of last year, several banks' (Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC) websites were inundated by DDoS (distributed denial of service) attacks.  DDoS attacks generally do not seek to penetrate the sites, obtain information or steal anything; they try to overwhelm the capacity of the website to respond to the traffic directed toward it.  The attacks in December were launched by an entity that had access to multiple computers, such as in a data center, and exceeded the capabilities usually found in your standard run-of-the-mill hackers.

Today, the New York Times ran an article that lays the attacks at the doorstep of Iran.  An independent hacker group called Izz ad-Din al-Qassam Cyber Fighters has tried to take credit for the attack, saying it was retaliation for the anti-Muslim movie that prompted riots throughout the Muslim world and which was involved in the Benghazi consulate attack.  Izz ad-Din al-Qassam called it Operation Ababil, referring to Allah sending birds to drop bricks on elephants sent by the King of Yemen to Mecca.  However, U.S. officials think it is the work of Iran and is in retaliation for economic sanctions and the release by the U.S. and/or Israel of the Stuxnet, Flame and DuQu malware. 

Whatever it is, the DDoS attacks spewed 70 gigabits per second at the sites, included a new wrinkle involving requests for encryption, and adversely affected the sites' performance.  The attacks used a readily available malware toolkit called Itsoknoproblembro.

It is certain that the attacks that we have heard of are only the tip of the malware iceberg and it is probably as certain that these attacks and counterattacks will continue to escalate.  Warriors on the front lines of these wars will be keyboard commandos and may someday sport the malware marksman ribbon on their dress uniforms.  This is war.

Cyberwar Enters The Next Phase. Move Over Stuxnet and DuQu, Here Comes Flame.

We have written on several occasions about the new wave of malware that is probably the product of nation state(s), because of the complexity of the code and the resources required to write and deploy such creations. (See here, here and here).

These nasty creatures go by the names of Stuxnet and DuQu, and now their cousin has appeared, carrying the moniker "Flame" because that name appears in its code.

Stuxnet caused the Iranian nuclear centrifuges to spin out of control and self destruct and DuQu extracts information and sends it to an unknown site. 

Flame apparently can eavesdrop on users by recording their e-mail or instant messaging via a screen shot, and can snoop on audio using the computer's microphone or via video conferencing programs.  To top it off, it may be able to use near field communications to monitor nearby devices.  Flame does not appear to be destructive but is apparently the most complex system yet to invade the privacy of its unwitting recipients.  To date, it apparently has been deployed mainly in the Middle East, with about half of the reports coming from Iran.

It is incredibly complex with a file weight of about 20 times the size of Stuxnet, but in spite of its large file size, it has gone undetected for at least 2 years.

If war is just the continuation of politics by another means, this could be political.

Move Over Stuxnet, Here Comes DuQu - Son of Stuxnet, Stuxnet 2.0 or Demon Spawn?

The latest addition to the family of badass malware is DuQu.  DuQu was born sometime in the recent past but only became obvious to the world on September 1, 2011, when the Laboratory of Cryptography and System Security (CrySyS) notified the world of its birth.

If the proud parents were to issue a birth announcement it would read something like:

"The Stuxnet family is proud to announce its latest variant, DuQu, named after its propensity to create files with DQ as a prefix.  Born: Sometime lately.  Weight: Heavy.  Breadth: Remains to be seen.  The bouncing baby malware shares a good portion of its mother's (Stuxnet) source code.  Its father is undetermined but likely is a good looking roving nation state with sabotage or corporate espionage on its mind, like Mossad or the CIA, who are also related to Stuxnet, so birth anomalies are possible.  DuQu shares its likely father's fondness for stealth and trickery."

Most experts like Symantec would agree with the announcement's statement on DuQu's lineage but Dell's SecureWorks doesn't necessarily buy it.

Stuxnet has been used to infect the Iranian nuclear program by causing the centrifuges used to purify uranium to exceed their designed spinning speed and destroy themselves.  DuQu seems to extract information and send it to an unknown site.  Although not proven, this blog, along with others, has surmised that the sophistication of Stuxnet, the targets and the amount of programming resources required point to the involvement of a group of people more technically advanced and well funded than the average virus creator.  We also chronicled Stuxnet's move from being merely menacing to becoming a military weapon.

Anti-virus groups are moving to address the issues: Microsoft says it will fix the zero-day defect that DuQu exploits when it gets around to it but proposes an emergency fix in the meantime, and the "whitelisting" folks like CoreTrace say that they've been ahead of this all along.

As this new arrival grows and spreads, the real purpose and the damage it may do can be assessed but if malware continues to be more sophisticated than some of the applications we regularly use, problems will abound.

Updates: Stuxnet, Bilski, COICA, Arcade Fire (HTML5)

Updates on a few of our earlier posts:


Stuxnet Moves From Merely Military Malware To Military Malware Menace.

We have mentioned the virus/malware known as Stuxnet several times in this blog.  When it first burst onto the scene, we thought it was interesting and possibly a new and more sophisticated virus.  Then it appeared that it may be the actions of a nation or nations and we became more intrigued.  Now, it is surmised that it has capabilities of causing more than delays in the construction of nuclear power plants and may be capable of causing another Chernobyl.  For our younger readers, that's not a good thing and moves Stuxnet into the frightening category.

I'm pretty sure we haven't heard the last of this.

Stuxnet - Military Malware?

We hate to say we told you so (actually, we revel in it), but we surmised early on (without any real information) that the Stuxnet virus was the result of a nation state's activity to impact the Iranian nuclear development.  Now it appears that we were probably correct.  Stuxnet set back the Iranian nuclear program by several years by causing the centrifuges to rotate in excess of their capacity.  It has been hailed as being as effective as a military strike but in spite of being more sophisticated than any previous malware, it was messy in that it didn't really cover its tracks like some other malware. 

Kinda like a military strike.

Stuxnet - Malware That James Bond Would Be Proud Of?

UPDATE September 30, 2010:  Further to the story below, the New York Times reports that experts deconstructing the Stuxnet virus have found a file named "Myrtus", which is supposedly the Hebrew word for Esther's name (Hadassah) before she was selected as queen.  Esther is a book in the Hebrew Bible (Old Testament) in which a plot by the leaders of Persia (now known as Iran) to destroy the Jews is foiled by Esther, which then allowed the Jews to kill about 75,000 Persians in reprisal.  The naming of this file could be significant as a calling card or could just be an attempt to shift blame (or could just be the name of someone's mother or cat).

This sounds more and more like Tom Clancy is making this up.

ORIGINAL POST:  As our many readers will surely recall, this blog was all over the Stuxnet story when it broke a few months ago.  For those that don't remember, Stuxnet is malware that targets commercial systems (primarily power plants) by attacking a vulnerability in a Siemens system running on a particular Microsoft operating system.  It was originally thought to be delivered via a USB thumb drive, but experts now say it is in the wild and can be delivered in different ways.  Also, it was originally thought to be used just to copy plans for the power plants, but now it is surmised that it could be used to sabotage such plants.  Experts that have now broken the code for the malware see a sophistication, knowledge and complexity that is not commonly available to any one or more non-affiliated hackers.  This has led the same experts to speculate (emphasis on the speculative nature, as there is no hard evidence, yet) that this was probably the actions of a nation state.

Experts to whom this blog has spoken have stated that because Stuxnet was first discovered in Iran and most of the activity is still in Iran and specifically at one of their nuclear power plants (one that has been mysteriously delayed in coming on line), it probably came from one of the nations not particularly happy about Iran having nuclear power.  Likely suspects are (you guessed it) the CIA or maybe even Mossad.

Of course, nobody really knows and maybe never will.  However, the lesson to be learned from this is that malware (whether state sponsored or otherwise) is rapidly becoming more sophisticated and could pose much greater risks in the future.

Cue the 007 music.

More Sophisticated Spyware Hits Utility Systems - "Stuxnet" Gone Wild

Cyber security experts are scrambling to assess the past effects and the potential of a recently detected malware that has targeted utility systems primarily in the Middle East (beginning in Iran) and the United States. Microsoft has named the Trojan intruder “Stuxnet”.

On a very basic level, here is what Stuxnet does:
1. So far, it has targeted a Siemens system (SCADA) used primarily in the operation and control of electric power plants;
2. It has been carried on USB sticks that, when attached to a computer, cause it to execute automatically without any further action by a user, even if the AutoRun function is disabled;
3. The Trojan then seeks out and copies certain database information, including power plant designs;
4. Stuxnet exploits a flaw in the shortcut link (.lnk) files in Windows.

Microsoft has issued a workaround that essentially turns off the shortcut icon function and changes the shortcut icons' appearance on the screen.
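The workaround described above can be applied and verified with the following script. This is an added example, not the blog's own material and not Microsoft's own fix tool: it blanks the default value of the IconHandler registry keys for .lnk and .pif files (the shell extension the shortcut flaw abused), keeps a backup so the change can be reversed after patching, and reports whether each key is in the mitigated state. The backup file path is a constructed value; it assumes the keys under HKLM:\SOFTWARE\Classes mirror HKEY_CLASSES_ROOT, as they do on a standard install, and an elevated prompt.

```powershell
# Added example (not from the post or from Microsoft): apply, check and undo the
# "disable shortcut icon display" workaround for the Windows .lnk flaw.
# Assumption: HKLM:\SOFTWARE\Classes mirrors HKEY_CLASSES_ROOT for these keys.
$Keys = @(
    'HKLM:\SOFTWARE\Classes\lnkfile\shellex\IconHandler',
    'HKLM:\SOFTWARE\Classes\piffile\shellex\IconHandler'
)
# Constructed backup location; change to suit your environment
$BackupFile = Join-Path $env:ProgramData 'iconhandler-backup.json'

function Get-IconHandlerState {
    # One object per key: does it exist, what handler CLSID it holds, and whether it is blanked
    foreach ($k in $Keys) {
        $value = $null
        if (Test-Path $k) {
            $value = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Key       = $k
            Exists    = (Test-Path $k)
            Handler   = $value
            Mitigated = [string]::IsNullOrEmpty($value)
        }
    }
}

function Restart-Explorer {
    # Explorer caches the icon handler, so restart it for the change to take effect
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Process explorer.exe
}

function Enable-ShortcutIconWorkaround {
    # Save the original handler values first so the workaround can be reversed
    Get-IconHandlerState | ConvertTo-Json | Set-Content -Path $BackupFile -Encoding UTF8
    foreach ($k in $Keys) {
        if (Test-Path $k) { Set-ItemProperty -Path $k -Name '(default)' -Value '' }
    }
    Restart-Explorer
}

function Disable-ShortcutIconWorkaround {
    # Restore the saved handler values once the vendor patch is installed
    $saved = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($entry in $saved) {
        if ($entry.Exists -and $entry.Handler) {
            Set-ItemProperty -Path $entry.Key -Name '(default)' -Value $entry.Handler
        }
    }
    Restart-Explorer
}

# Report the current state; call Enable-ShortcutIconWorkaround to apply the mitigation
Get-IconHandlerState | Format-Table -AutoSize
```

Shortcut icons turn blank while the workaround is active; run Disable-ShortcutIconWorkaround after installing the patch to restore them.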

So, if this only targets utility companies, unless you are a utility company or have one as a client, why should you care? Experts surmise that this was created to carry out industrial espionage but the same technique can be used for other targets. It could be used to target other trade secrets, personal financial information, medical records, etc.

We talked to a local security expert, and there are reports that Stuxnet or variants are “in the wild” and could be delivered by means other than USB sticks, such as over networks and from remote web servers.

McAfee alleges that it has a defense against Stuxnet as does Symantec. As we noted in earlier posts (see here and here), these are examples of blacklisting. CoreTrace has demonstrated effectiveness against the intruder by using the whitelisting capabilities of its product Bouncer. See the YouTube video here:  http://bit.ly/bFCEdc.

This attack seems to be much more targeted and much more sophisticated than most of the prior threats and may herald a new age of malware menace.

So, it’s a dangerous cyber world out there. Use protection.