More Sophisticated Spyware Hits Utility Systems - "Stuxnet" Gone Wild

Cyber security experts are scrambling to assess the past effects and the potential of a recently detected malware that has targeted utility systems primarily in the Middle East (beginning in Iran) and the United States. Microsoft has named the Trojan intruder “Stuxnet”.

On a very basic level, here is what Stuxnet does:
1. So far, it has targeted a Siemens SCADA (supervisory control and data acquisition) system used primarily in the operation and control of electric power plants;
2. It has been carried on USB sticks; when a stick is attached to a computer, the malware executes automatically without any further action by the user, even if the AutoRun function is disabled;
3. The Trojan then seeks out and copies certain database information, including power plant designs;
4. Stuxnet exploits a flaw in the way Windows handles shortcut (.lnk) files.

Microsoft has issued a workaround that essentially turns off the shortcut function and changes how shortcut icons appear on the screen.

So, if this only targets utility companies, why should you care unless you are a utility company or have one as a client? Experts surmise that this was created to carry out industrial espionage, but the same technique can be used against other targets. It could be used to go after other trade secrets, personal financial information, medical records, etc.

We talked to a local security expert, and there are reports that Stuxnet or its variants are “in the wild” and could be delivered by means other than USB sticks, such as over networks and from remote web servers.

McAfee alleges that it has a defense against Stuxnet, as does Symantec. As we noted in earlier posts (see here and here), these are examples of blacklisting. CoreTrace has demonstrated effectiveness against the intruder by using the whitelisting capabilities of its product Bouncer. See the YouTube video here: http://bit.ly/bFCEdc.

This attack seems to be much more targeted and much more sophisticated than most of the prior threats and may herald a new age of malware menace.

So, it’s a dangerous cyber world out there. Use protection.

Viruses, Malware and Spyware, Oh my!

The recent McAfee debacle, which we detailed here, has once again brought into focus the problems inherent with protecting a computer or computer network from code designed to have a non-optimum effect on such computer or network.
Since the early 1970s, when a virus called Creeper was created and introduced into ARPANET, the precursor to the internet, anti-virus software and other means of combating viruses have been created. The code to combat Creeper was called Reaper and so, the dance began.
Viruses are probably better referred to generically as malicious code, a term that covers a broad range of things: attack scripts, viruses, worms, Trojan horses, backdoors, malicious active content, malware, adware, spyware and many others.
Malicious code is designed to do a variety of things, including crippling or disrupting computer operations, stealing information, perpetuating pranks and allowing unauthorized intrusions.
As soon as viruses started creating havoc, people started looking for a way to combat them. Shortly thereafter, other people (particularly those who depended on some other people for computer resources or storage) began to question such people’s response to the virus problem. Then, lawyers got involved (there’s always a silver lining) and suits were brought alleging that not enough was done to protect the computer resources against invasion, whether to steal information, create havoc, generally be a pain in the hard drive or a combination of all.
Although the law is still developing in this area, it is plain that the application of commonly applied negligence principles will require at least a reasonable amount of protection against intrusion and malicious code.
There are two basic approaches to combating such threats, and they are generally referred to as “blacklisting” and “whitelisting”. Blacklisting is the most commonly used method. It involves developing a huge database of virus signatures, checking each transmission to and from a computer for such signatures, and routinely scanning the storage areas of such computers for evidence of malicious code. The database needs to be continually updated, and entirely new strains of viruses must be recognized and negated after they are released into the wild.
Whitelisting takes the approach of initially scanning drives for their contents and then not allowing anything else to run on that computer unless it is specifically approved. This method does not depend on scanning after the initial scan and does not have to be updated. New virus strains are of no concern as they may reside on the computer but will not be allowed to execute.
You can expect the issue to arise in some case as to whether one method is better than the other and, if the other method was available, whether it was negligence not to employ it.
In a subsequent edition, we will post an interview with CoreTrace, a local company that markets the “whitelisting” approach.