
Saturday, January 26, 2013

What is Malware?



Malware is a portmanteau, a term combining "malicious" and "software", used for any program that steals information from or causes damage to a computer. It includes such things as spyware and adware programs, including pop-ups and even tracking cookies, which are used to monitor users' surfing habits without consent. It also includes more menacing hazards, such as keyloggers, Trojan horses, worms, and viruses. In much simpler terms, it is any software that is intended by its developer to cause harm or to exploit people's computers or personal records without permission.

The term "What is Malware" is getting a lot of searches.

The Menace Posed by Malicious Software
The danger posed by malicious software has expanded roughly in parallel with the quantity of consumers using the Internet around the world. The earliest well-known examples of malicious software, which appeared during the early to mid-1990s, were mainly the result of experimentation and pranks by curious developers trying to improve their skills. Many of these caused little if any actual harm, and simply resulted in uncommanded behavior such as displaying a humorous picture on the victim's computer screen. This gradually gave way to efforts to exploit contaminated computer systems for annoying but relatively mundane purposes, such as circulating spam email and other varieties of advertising.
As Web use grew more prevalent, however, a new term was coined: cyber crime. Individuals with bad motives quickly realized the potential for using these same tools for stealing, extortion, and carrying out various political agendas. Other perpetrators have used dedicated computer software to target specific victims; this would include so-called "denial of service attacks" against large companies or government agencies, along with applications designed for identity theft. To make matters more confusing, it is widely believed that the governments of many countries have either experimented with or directly taken advantage of malware to conduct attacks against rival groups or nations, as well as for intelligence gathering; experts commonly refer to this as electronic warfare.

Types of Malicious Software
Though new types of dangerous computer software are constantly under development, these programs generally fall into a few broad categories. Viruses are perhaps the best-known category, and consist of harmful programs designed to "infect" legitimate software. Once an individual installs and runs the infected program, the malware triggers and distributes itself to additional applications installed on the computer before taking further action, such as deleting critical files within the operating system. Similarly, "worms" are self-contained programs that are able to relay themselves across a network directly. Both varieties of malware can cause significant damage by eating up essential system resources, which may cause the victimized computer to stop or crash. Viruses and worms commonly exploit shared files and databases, such as email address books, to spread to additional computers.
Less visible but equally insidious threats include keyloggers, programs that record every keystroke the user makes and then forward that information to whoever set up the program in the first place. This makes it possible to steal information such as passwords, bank account numbers, and credit card numbers. A Trojan horse is a malicious program cloaked within another piece of software that appears to be legitimate. Once installed, though, the Trojan deploys a "backdoor" through which to retrieve private data and move it to another computer. Hackers commonly employ these styles of malware for perpetrating identity theft.

Countering the Threat
Anti-virus programs are good protection when kept up to date. Some of these products can even scan email for any type of malicious or suspicious code and alert the user to its presence, even if it is not currently recognized. Frequently, however, they miss certain types of threats, such as Trojans and spyware, so it is a good idea to run at least one anti-adware program in conjunction with anti-virus. Using a firewall is also helpful because, while it won't keep malware out, it can keep such programs from accessing the Internet and delivering personal information to the intended target.
No single product can guarantee to protect a computer from all of these malicious programs. Developers on both sides are locked in a constant battle to get ahead of the other. Ultimately, the user is the last line of defense by being cautious about opening emails from unknown sources, and steering away from disreputable websites.

Friday, January 25, 2013

The rise of exploit kits according to Solutionary SERT



Today I want to discuss a very interesting study by Solutionary’s Security Engineering Research Team (SERT), which shared the results of an analysis of malware and exploit kit diffusion observed through its ActiveGuard service platform.

The platform collected and analyzed malicious events that hit the company's clients globally; the data were provided to SERT to paint the overall threat landscape. The study revealed that, despite a 15% drop in event volume in the categories of Authentication Security, Distributed Denial of Service (DDoS) and Reconnaissance, the cyber threat represented by exploit kits is increasing in incidence.

The report revealed the surprising efficiency of well-known vulnerabilities usually included in the popular exploit kits sold in the underground: around 60% of them are more than two years old, and 70% of the exploit kits analyzed (26) were released or created in Russia.

The data is meaningful if it is considered that second place is occupied by China with 7.7%. The most popular and pervasive exploit kit is BlackHole 2.0, which exploits fewer vulnerabilities than other kits do, while the most versatile is the Phoenix exploit kit, which supports 16% of all vulnerabilities being exploited. Over 18% of the malware instances detected were directly attributed to the BlackHole exploit kit, a web application that exploits known vulnerabilities in the most popular applications, frameworks and browsers, such as Adobe Reader, Adobe Flash and Java.

The data highlights the inadequacy of the patch management processes of private businesses that don’t update their systems promptly; in many cases entire infrastructures aren’t updated for a long time, so they are still vulnerable to old exploit code dating back to 2004.

The phenomenon is really worrying. Cyber security is crucial for the existence of any company and for all its business partners, yet we are facing a lack of security culture: security is still perceived as a cost, and the global crisis is aggravating the situation.

The report states:

“SERT continuously performs batch analysis of malware variants received through various means, with much of the intense examination being left for particularly serious threats. As indicated by the accompanying chart, a majority (67%) of malware is not detected by anti-virus or anti-malware software. Although specific insights require close examination, trending from batch analysis can often provide a high-level perspective that is critical for strategic enterprise security planning.”

The use of exploit kits is also demonstrated by the data on the number of instances detected: 30% of the samples analyzed were traced back to JavaScript malware variants used for redirection, obfuscation and encryption, all functionality provided by the popular malicious kits.

The figures are very worrying. New vulnerabilities are discovered with impressive frequency, and the trend observed in recent months demonstrates a very active and prolific market for the commercialization of 0-day vulnerabilities; in many cases dedicated exploit kits are sold directly in the underground market, and once again the Russian underground is the most active in this sense.

“With a large concentration of exploit kits focusing on client-side exploitation (targeting desktop and end-user applications), organizations must pay close attention to patch management and endpoint security controls. Although these controls alone will not stop all attacks, they will significantly decrease the attack surface and reduce the overall likelihood of compromise.”

As correctly written in the report, given the large concentration of exploit kits focusing on client-side exploitation (targeting browsers, desktop and end-user applications), organizations, but also end users, must pay close attention to keeping their machines protected by antivirus and keeping their systems updated.

source: securityaffairs.co

Iranian hackers hijack Turkmenistan domains



Iranian hackers defaced the Turkmenistan domains (.tm) of multiple big companies yesterday using a DNS poisoning attack. All hacked domains are registered with the NIC of Turkmenistan. The hackers managed to find and exploit a SQL injection vulnerability in the NIC website in order to obtain the site's database.

Because the passwords were stored in plain text, it was easier for the hackers to access the domain panel of each domain and change its DNS entries to redirect the website to a rogue server hosting a defaced page. The defacement message is shown below:
[Screenshot of the defacement page]
Defaced domains:
  • www.youtube.tm
  • www.gmail.tm
  • www.msdn.tm
  • www.intel.tm
  • www.officexp.tm
  • www.xbox.tm
  • www.windowsvista.tm
  • www.orkut.tm
  • www.google.tm
source: thehackernews.com
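The hijack described above was carried out by changing each domain's DNS entries at the registrar. As an added example (not code from the article or from NIC Turkmenistan), the Python script below compares live NS and A records against a trusted baseline and reports every domain whose records changed or stopped resolving; the domains, record values and the simulated resolver are constructed, and in real use `resolve` would be a real DNS lookup.

```python
"""Baseline check for registrar-level DNS hijacking (added example).

A domain owner keeps a known-good copy of the NS and A records for each
domain and compares live answers against it on a schedule. A changed NS
set means the delegation itself was altered (what a compromised registrar
panel changes); a changed A set means the name now points at a different
host; a name that no longer resolves is reported too, because records can
also simply be deleted.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

RecordSet = Dict[str, Set[str]]  # record type -> set of record values

# Known-good records captured at a time the owner trusted them (constructed).
BASELINE: Dict[str, RecordSet] = {
    "example-a.test": {"NS": {"ns1.registrar.test", "ns2.registrar.test"},
                       "A": {"192.0.2.10"}},
    "example-b.test": {"NS": {"ns1.registrar.test", "ns2.registrar.test"},
                       "A": {"192.0.2.11"}},
    "example-c.test": {"NS": {"ns1.registrar.test", "ns2.registrar.test"},
                       "A": {"192.0.2.12"}},
}

# Simulated live answers (constructed): example-a's A record has been
# repointed to another host, example-b is unchanged (a different order of
# NS values must not count as a change), and example-c no longer resolves.
SIMULATED_LIVE: Dict[str, RecordSet] = {
    "example-a.test": {"NS": {"ns1.registrar.test", "ns2.registrar.test"},
                       "A": {"198.51.100.7"}},
    "example-b.test": {"NS": {"ns2.registrar.test", "ns1.registrar.test"},
                       "A": {"192.0.2.11"}},
}


@dataclass
class Finding:
    domain: str
    rtype: str
    expected: Set[str]
    observed: Set[str]   # empty when the lookup failed
    note: str


def simulated_resolve(domain: str, rtype: str) -> Set[str]:
    """Stand-in resolver (hypothetical) returning the constructed answers.
    Raises LookupError when there is no answer, as a real resolver would."""
    try:
        return set(SIMULATED_LIVE[domain][rtype])
    except KeyError:
        raise LookupError(f"no {rtype} answer for {domain}") from None


def check_domains(baseline: Dict[str, RecordSet],
                  resolve: Callable[[str, str], Set[str]]) -> List[Finding]:
    """Compare live records with the baseline and return every deviation."""
    findings: List[Finding] = []
    for domain, expected_records in sorted(baseline.items()):
        for rtype, expected in expected_records.items():
            try:
                observed = resolve(domain, rtype)
            except LookupError as exc:
                findings.append(Finding(domain, rtype, expected, set(), str(exc)))
                continue
            # Set comparison: the order in which a resolver returns the
            # values is irrelevant, only the membership matters.
            if observed != expected:
                findings.append(Finding(domain, rtype, expected, observed,
                                        "record set differs from baseline"))
    return findings


def hijacked_domains(findings: List[Finding]) -> List[str]:
    """Domains that resolve, but to records that differ from the baseline."""
    return sorted({f.domain for f in findings if f.observed})


def unresolved_domains(findings: List[Finding]) -> List[str]:
    """Domains for which at least one baseline record no longer resolves."""
    return sorted({f.domain for f in findings if not f.observed})


if __name__ == "__main__":
    for f in check_domains(BASELINE, simulated_resolve):
        print(f"{f.domain} {f.rtype}: expected {sorted(f.expected)}, "
              f"got {sorted(f.observed)} ({f.note})")
```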

Monday, January 21, 2013

Use of electromagnetic waves to infiltrate sealed networks


In recent months I have had many opportunities to read about the possible use, in a cyber warfare context, of electromagnetic waves to interfere with adversaries' defense systems. I wrote about a project dubbed CHAMP (Counter-electronics High-powered Microwave Advanced Missile Project) concerning the use of microwaves to permanently knock out computers in a specific area. The project was born in the US military environment, specifically developed by the Air Force Research Laboratory, and it explores the possibility of designing a directed-energy weapon capable of destroying or interfering with an adversary’s electronic systems, such as radar systems, telecommunication systems, computer systems and power distribution systems. While the project started in the military and is led by Boeing, the technology comes from a small company called Ktech, acquired by Raytheon last year, which specializes in providing microwave generators that produce EMP able to knock out electronic equipment. Recently a report published by Defense News revealed that the Intelligence and Information Warfare Directorate (I2WD) of the US Army is studying the use of electromagnetic waves to infiltrate sealed networks. The report illustrates that the US Army is running the Tactical Electromagnetic Cyber Warfare Demonstrator program with the dual objective of sniffing data from and injecting data into sealed cable networks. The intent is clear: a cyber army adopting electromagnetic waves could spy on a network or interfere with transmissions, altering their content, for example by introducing malware. Research on the use of electromagnetic waves is not new; the NSA has been carrying out research on the topic for a long time, and project TEMPEST is the demonstration.
The technology could be used by a government with an unmanned aircraft flying over the location where the target networks are located; think for example of a critical infrastructure and its control systems, which could be infected despite being isolated from the Internet. The approach is equivalent to physical access to a network: the use of electromagnetic waves gives the attackers direct access to the target network. The Stuxnet case demonstrated that by accessing the network of a critical infrastructure it is possible to cause serious damage; for that attack an infected USB flash drive was used, containing the Stuxnet virus, which was able to exploit zero-day vulnerabilities on the host.

What is the evolution? Attacking the target network without physical access to it, eluding the defense systems adopted to mitigate cyber threats.

Although the technology is available and the tests conducted have demonstrated its efficiency, the use of electromagnetic waves is still immature due to significant range and bandwidth limitations: the source of the waves has to be very close to the target network, and the transmission of complex data is considered too time consuming for the scope. Going back in time it is possible to find another interesting project, Suter, a military computer program developed by BAE Systems whose purpose is attacking computer networks and communications. The program has been managed by Big Safari, a secret unit of the United States Air Force, and Suter was integrated into US unmanned aircraft. The program has been tested with different aircraft and used in Iraq and Afghanistan since 2006; according to military experts, a technology similar to Suter was used by the Israeli Air Force to attack Syrian radars in Operation Orchard on September 6th, 2007. No doubt the use of electromagnetic waves to interfere with defense systems is a winning choice; that’s why many governments are working on projects on this technology.

source: securityaffairs.co

Takedown of Virut, the fifth most widespread botnet




NASK, the domain registrar that operates the “.pl” Polish top-level domain registry, has seized multiple domains used for cyber crime activities, namely spreading Waledac malware distributed by the Virut botnet. According to Poland’s Computer Emergency Response Team, Virut was first detected in 2006 and became a serious threat, with an estimated size of more than 300,000 compromised computers.

NASK said that on Thursday it began assuming control of 23 .pl domains that were being used to operate the Virut network. Virut was responsible for 5.5% of infections in Q3 2012, making it the fifth most widespread threat of the time.

They determined that the botnet consists of more than 308,000 uniquely compromised machines and that its primary function is to pump out spam and other malicious emails. The most recent takedown effort was in December 2012. Unfortunately, the Virut botnet gang quickly managed to get the malicious botnet domain names moved to a new registrar called home.pl.

Symantec reported some 77,000 Waledac-infected machines within the Virut botnet, generating an average of 2,000 spam messages an hour for somewhere between 8 and 24 hours a day.

The Virut takedown effort clearly illustrates the important and meaningful role registries and registrars can play in the fight against cyber crime in general. How long the shutdown of Virut will last this time is unknown.

source: thehackernews.com

Friday, January 18, 2013

New attacks against SCADA systems



Stuxnet first, and news of countless zero-day vulnerabilities in the wild, have strengthened the idea that citizens' security is constantly menaced by groups of hackers that, for different purposes, are able to inflict serious damage on the structures that surround us.
Critical infrastructures represent privileged targets for very different actors, such as cyber terrorists or foreign state-sponsored hackers. A heated debate is underway in the worldwide security community, which is concerned about cyber threats that need to be mitigated in dire economic conditions and with limited budgets.
The security portal ThreatPost recently published news of new malware-based cyber attacks that hit two power plants, using USB drives as the method of infection.
The events raised the need to adopt, at corporate level, best practices for every security aspect, including removable storage, a critical issue for the security of control systems inside critical infrastructures.
According to a report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), three instances of malware were discovered fortuitously after a scan of a USB drive used to back up control system configurations. One of the instances detected is considered very sophisticated, raising the level of alert on the event.
Further analysis revealed other absurd security flaws; for example, there was no backup management for the critical workstations inside the plant.
“The organization also identified during the course of the investigation that it had no backups for the two engineering workstations. Those workstations were vital to the facility operation and, if lost, damaged, or inoperable, could have a significant operational impact. The recommended practice is to maintain a system of ‘hot spares’ or other effective backups for all critical systems.”
The main problem is that the majority of control systems are privately owned, and the lack of investment in security favors the work of hackers. Elementary security measures could sensibly improve the security level of infrastructures; think of the establishment of proper defensive measures or the correct configuration of any device exposed on the Internet.
The report states:
“While the implementation of an antivirus solution presents some challenges in a control system environment, it could have been effective in identifying both the common and the sophisticated malware discovered on the USB drive and the engineering workstations.”
Similar incidents are not rare: in October, ICS-CERT reported the infection of 10 computers linked to another power company’s turbine, again via a USB drive… and the list is long.
Summarizing the vulnerability analysis proposed by ICS-CERT:
“in fiscal year 2012, ICS-CERT tracked 171 unique vulnerabilities affecting ICS products. ICS-CERT coordinated the vulnerabilities with 55 different vendors. The total number of different vulnerabilities increased from FY 2011 to FY 2012, but buffer overflows still remained as the most common vulnerability type”

[Chart: vulnerabilities by type (ICS-CERT)]

Besides the security aspect, as I mentioned before, it’s necessary to evaluate the financial perspective of the cyber security market in the defense sector.
The cyber strategy of any state puts the security of critical infrastructures at the topmost priority, in particular for the global oil and gas industry, also in response to the recent series of attacks. An analysis from Frost & Sullivan revealed that the market earned revenues of $18.31 billion in 2011 and estimates this to reach $31.27 billion in 2021. The investments are driven by the growth of the sector and the related need for physical and cyber security.
Anshul Sharma, Senior Research Analyst at Frost & Sullivan Aerospace, Defence & Security, declared:
“Global oil and gas companies are investing capital in new infrastructure projects, driving the need for security solutions at these facilities,” “With increasing awareness of threats, companies are adopting a security-risk management approach and implementing risk assessment of their facilities to ensure security Return on Investment (ROI).”  “The threats may vary from information theft to a terrorist attack, but the economic impact and financial damage in case of an attack will be much more significant,” “It would also depend on the motive of the attacker. For example, a cyber attack to remotely control a SCADA system can have more serious consequences than a cyber attack to steal information.”

[Chart: incidents by sector (ICS-CERT)]
It’s clear that new opportunities for cyber security experts will be created in the coming years; probably something is changing in the minds of the top managers driving the companies of the sector, for which security is a profitable business.

North Korea vs South Korea in Cyber War




Earlier this month the news spread that South Korea is investing to improve the cyber capabilities of the country, recruiting and training hackers to involve in cyber defense due to the increasing number of attacks suffered.
A cyber attack recently hit the presidential transition team, in particular the press room server, but the real extent of the damage caused by the event was not determined, according to Yonhap News Agency reports. The authorities identified the servers used by the attackers: 17 units were located in 10 foreign countries and 2 systems were found within the country.
One of the servers was constantly connected to an IP address of the Joson Telecommunication Company, an affiliate of North Korea’s Posts and Telecommunications Ministry. North Korean cyber units are also accused of another attack that hit the conservative JoongAng Ilbo last June, a newspaper published in South Korea that is considered one of the big three newspapers of the country, with a circulation of 1.96 million copies. The paper also publishes an English edition, Korea JoongAng Daily, in partnership with the International Herald Tribune.
The news was provided by the National Police Agency’s Cyber Terror Response Center, the cyber division of the Korean National Police Agency (KNPA), operated within the Agency’s Investigation Bureau, which verified the origin of the attack against the newspaper’s website.
The security specialists from the South traced the attack back to an IP address at North Korea’s Ministry of Posts and Telecommunications; the address had been used repeatedly by the hackers to access the daily’s main server since a couple of months before the attacks, probably for cyber espionage purposes.
The National Police Agency’s Cyber Terror Response Center declared:
“The first hacking attack on the server was nearly timed with the North Korean Army’s warning on April 23 last year of provocation that a ‘revolutionary force will take action soon,’” “It seems that the North made meticulous preparations once it singled out a particular media outlet for the cyber attack.” 
The hackers gained access to the administrator’s PC of the newspaper on June 7th and accessed the production environment two days later, defacing the front end of the Korea JoongAng with a picture of a white cat grinning and covering its mouth, with the words “Hacked by IsOne” flashing beneath the picture.
The effect of the attack was serious: it succeeded in blocking the production of the paper. The Cyber Terror Response Center of the National Police Agency explained that their investigation was very difficult because the hackers wiped out the entire system.
North Korea, one of the most active countries in cyber space, is not new to similar offensives: it launched a couple of large DDoS attacks on various targets in South Korea, on July 7, 2009 against government websites and on March 4th, 2011; state-sponsored hackers also attacked Nonghyup Bank’s computer systems and accessed the e-mail accounts of students and alumni of Korea University.
During the attack that occurred on July 7th, 435 different servers in 61 countries were used to conduct a distributed denial of service (DDoS) attack against South Korean government Internet sites, while in the offensive of March 4th, 2011, the DDoS hit state institutions such as the presidential office and the National Assembly, as well as media outlets.
The national police also succeeded in tracing the origin of the DDoS attack: 17 servers used in the offensive are located in 10 countries overseas, and one of them was also involved in the 2011 attack on Nonghyup Bank.
The malware used was the same that had been used in the DDoS attacks in July 2009 and in the hacking of the Korea University e-mail accounts. North Korea is considered a country with considerable hacking capabilities; according to US official declarations, North Korea has added new sophisticated cyber weapons to its arsenal, causing much concern in political and military circles.
Professor Lee Dong-hoon of the Center for Information Security Technologies at Korea University in Seoul declared that North Korea has been preparing for cyber warfare since the late 1980s and ranks third worldwide in this field, after Russia and the US.
North Korea has the highest percentage of military personnel in relation to population of any nation in the world, with approximately 40 enlisted soldiers per 1000 people, with a considerable impact on the economy of the country.
A defector declared that North Korea has increased its cyber warfare unit to a staff of 3,000 people and is massively training its young prodigies to become professional hackers.
Intelligence sources in South Korea believe that the nation has a large cyber force that answers to the command of the country’s top intelligence agency, the General Reconnaissance Bureau, which is responsible for collecting strategic, operational and tactical intelligence for the Ministry of the People’s Armed Forces.
According to the revelations of Army General James Thurman, the commander of US Forces Korea, the government of Pyongyang is investing massively in cyber warfare capabilities, recruiting and training highly skilled teams of hackers. The groups could be engaged in offensive cyber operations against hostile governments and in cyber espionage activities.
The central government reserves several incentives for young hackers, providing the best tools on the market and extremely advantageous living conditions for them and their families. The importance assigned to the professional development of the new cyber military is indicative of how strategic cyber warfare is perceived to be for the nation.
Last year satellite photos were published on the Internet of the area suspected to host North Korea’s ‘No. 91 Office’, a unit based in the Mangkyungdae district of Pyongyang dedicated to computer hacking; its existence was revealed in a seminar on cyber terror in Seoul.

North Korea is a small state that, due to its cyber capabilities and its affinity with the Chinese PLA, could scare the West; we are in the cyber era, and anybody could become a giant through the proper investment and political choices.
Pierluigi Paganini

Maybe North Korea didn’t hack us after all, says South (transition committee press room case)

The presidential transition team that Thursday blamed North Korean hackers for an attack on its press room now says there was no hacking. It all appears to have been a misunderstanding.
Reporting on the reversal, Yonhap quoted an official on the team as saying the allegations stemmed from a disconnect in communications within the team.
“Security authorities had asked the administrative office of the transition committee to advise reporters to use antivirus programs and change passwords often as the press room is vulnerable to outside hacking attempts,” spokesman Yoon Chang-jung said.
“There was some misunderstanding in the course of delivering this,” he said. — Yonhap News, January 17, 2013.
So in warning of a potential hacking attack, the message seems to have been misunderstood as a report of an actual hack.
The spokesman declined to say if there was any hacking attempt at all. – Yonhap News, January 17, 2013.

source: securityaffairs.co 

Shylock Banking Trojan spreads via Skype





The banking Trojan known as Shylock has been updated with new functionality, including the ability to spread over Skype. The program, discovered in 2011, steals online banking credentials and other financial information from infected computers. Shylock is named after a character from Shakespeare's "The Merchant of Venice".
Shylock is one of the most advanced Trojans currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly.

According to security researchers from CSIS Security Group, the Skype infection is based on a malicious plugin called msg.gsm and allows the malware to send messages and transfer files, clean messages and transfers from the Skype history, and even bypass the Skype warning for connecting to servers.

Besides the new ability to spread through Skype, Shylock can also spread through local shares and removable drives. Infection by the Trojan allows hackers to steal cookies, inject HTTP into a website, set up VNC and upload files, among other functions.

The program also bypasses the warning and confirmation request that Skype displays when a third-party program tries to connect and interact with the application.

According to a map showing the distribution of Shylock infections that was published by CSIS, there's a high concentration of victims in the UK. However, there are also many Shylock-infected computers throughout mainland Europe and the US.

source: thehackernews.com

Wednesday, January 16, 2013

Oracle patches Java Zero Day vuln





Oracle delivered an unusual emergency patch for Java's critical zero-day vulnerability on Sunday to fix a malicious bug that allowed hackers access to users' web browsers. Exploits for the previously undisclosed flaw were being hosted in a number of exploit kits, and attacks had already been seen in the wild dropping ransomware and assorted other malware.

Security Alert CVE-2013-0422 includes two vulnerabilities that are remotely exploitable. Oracle confirmed that the flaws were only present in Java 7 versions and did not impact Java on servers, Java desktop applications, or embedded Java.

Java is used on 3 billion machines, about 2 billion of which are desktop or laptop computers. Similarly, back in August last year, Oracle issued an urgent fix to seal a dangerous security flaw within its Java software that had left thousands of computers wide open to malicious attacks from hackers.

Lamar Bailey, director of security research and development for nCircle said, “We’re just two weeks into 2013 and already we’ve seen a surge of critical vulnerabilities and emergency patches. Oracle just added 86 new fixes to overloaded IT teams already struggling to keep up with emergency patches for Java, Internet Explorer and Ruby on Rails.

No matter how far behind IT teams are, they can’t afford to ignore this massive Oracle patch. Oracle Mobile Server has two CVEs that have a CVSS score of ten, that’s as bad as it gets. There are also two MySQL vulnerabilities that can be exploited remotely. All of these should be patched as soon as possible.”

The January patch includes 86 security updates across all major product lines, including Oracle Database and MySQL Server. Patches for a number of Oracle applications were released Tuesday, including nine for Oracle E-Business Suite (7 of which are remotely exploitable), 12 in Oracle PeopleSoft (7 remotely exploitable), 10 in Oracle Siebel CRM (5 remotely exploitable), and one each in Oracle Supply Chain Products Suite and Oracle JD Edwards Products.

source: thehackernews.com

Operation Red October: Cyber Espionage campaign against many governments




A new sensational discovery has been announced by Kaspersky Lab’s Global Research & Analysis Team, the result of an investigation after several attacks hit the computer networks of various international diplomatic service agencies.
A new large-scale cyber-espionage operation has been discovered, named Red October (ROCRA), the name inspired by the famous novel The Hunt for Red October and chosen because the investigation started last October.

The campaign hit hundreds of machines belonging to the following categories:
  • Government
  • Diplomatic / embassies
  • Research institutions
  • Trade and commerce
  • Nuclear / energy research
  • Oil and gas companies
  • Aerospace
  • Military
The attackers have targeted various devices, such as enterprise network equipment and mobile devices (Windows Mobile, iPhone, Nokia), hijacking files from removable disk drives, stealing e-mail databases from local Outlook storage or remote POP/IMAP servers, and siphoning files from local network FTP servers.

According to the security experts involved in the investigation, the cyber-espionage campaign has been running since 2007 and is still active. Over this long period the attackers obtained a huge quantity of information, including service credentials that were reused in later attacks.

The command-and-control structure discovered is very complex and extensive: more than 60 domain names and several hosting servers located in many countries, mainly Germany and Russia. A particularity of the C&C architecture is that every node in the malicious infrastructure acts as a proxy, and the chain of proxies is arranged to hide the true “mothership” server.

Security experts were able to sinkhole six of the 60 domains during the period 2 November 2012 to 10 January 2013, registering over 55,000 connections to the sinkhole from 250 distinct victim IPs in 39 different countries, with most of the IPs located in Switzerland, followed by Kazakhstan and Greece.
Red October geo-distribution of victims (figure)
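To show how sinkhole data like the above is turned into the figures a write-up quotes (connections, distinct victim IPs, countries, repeat callers), here is an added Python example; it is not code from the page, from Kaspersky or from the original post. It assumes a simple whitespace-separated log format (timestamp, source IP, country code, requested hostname) and uses constructed sample lines from documentation address ranges, not real victim data; the country column stands in for the GeoIP lookup a real sinkhole would have to do itself.

```python
"""Summarize sinkhole connection logs the way a Red October-style report presents them.

Assumed log format, one connection per line (an assumption, not the real sinkhole format):
    <ISO timestamp> <source IP> <ISO country code> <requested hostname>
"""
from collections import Counter
import ipaddress

# Constructed sample data (documentation ranges), NOT real Red October victims.
SAMPLE_LOG = """\
2012-11-02T10:14:03Z 203.0.113.7   CH c2-a.example
2012-11-02T16:14:09Z 203.0.113.7   CH c2-a.example
2012-11-03T08:01:44Z 198.51.100.23 KZ c2-b.example
2012-11-03T08:02:10Z 198.51.100.24 KZ c2-b.example
2012-11-04T12:30:00Z 192.0.2.55    GR c2-a.example
2012-11-04T12:30:05Z 203.0.113.8   CH c2-c.example
2012-11-04T12:30:45Z 203.0.113.9   CH c2-c.example
2012-11-04T12:31:05Z not-an-ip     CH c2-c.example
"""


def parse_line(line):
    """Return (timestamp, ip, country, host) or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, ip, country, host = parts
    try:
        ipaddress.ip_address(ip)  # drop garbage that is not an address
    except ValueError:
        return None
    return ts, ip, country.upper(), host.lower()


def parse_log(text):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def summarize(text):
    """Connection count, distinct victim IPs, victims per country, hits per sinkholed domain."""
    records = parse_log(text)
    ips = {ip for _, ip, _, _ in records}
    # Count distinct IPs per country, not connections: one chatty host must not
    # make its country look like the most affected one.
    victims_by_country = Counter(country for ip, country in {(ip, c) for _, ip, c, _ in records})
    connections_by_country = Counter(country for _, _, country, _ in records)
    domains = Counter(host for _, _, _, host in records)
    return {
        "connections": len(records),
        "unique_ips": len(ips),
        "country_count": len(victims_by_country),
        "victims_by_country": victims_by_country,
        "connections_by_country": connections_by_country,
        "domains": domains,
    }


def repeat_callers(text, min_hits=2):
    """IPs that connected at least min_hits times. Repeated check-ins look like an
    implant beaconing; a single hit is just as likely a scanner or a curious researcher."""
    hits = Counter(ip for _, ip, _, _ in parse_log(text))
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['connections']} connections from {s['unique_ips']} IPs in {s['country_count']} countries")
    for country, n in s["victims_by_country"].most_common():
        print(f"  {country}: {n} victim IPs, {s['connections_by_country'][country]} connections")
    print("repeat callers:", repeat_callers(SAMPLE_LOG))
```

Counting victims per country rather than connections is deliberate: a single infected host that polls every few minutes would otherwise dominate the distribution, and the repeat-caller list is the first thing to hand to the owners of those networks.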
Which vulnerabilities were exploited in the attacks?
The security experts found that at least three different known vulnerabilities were exploited:
  • CVE-2009-3129 (MS Excel) [attacks dated 2010 and 2011]
  • CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]
  • CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]
Evidence collected during the investigation leads security specialists to believe that the attackers are of Russian origin, but strangely they appear unrelated to any other cyber attacks detected until now. The exploits themselves appear to have been created by Chinese hackers.

Attack Method
The attacks are structured in two distinct phases, following the classic schema of targeted attacks:
  1. Initial infection
  2. Deployment of additional modules for intelligence gathering
In the initial phase the malware is delivered by e-mail as an attachment (Microsoft Excel, Word and probably PDF documents). Once the victim opens the malicious document, the embedded exploit code installs the main component, which in turn handles further communication with the C&C servers; the malware then receives a number of additional spy modules from the C&C server.
Infecting an entire network is made very efficient by a dedicated module that scans the target infrastructure for vulnerable machines. Each machine and its services are then attacked by exploiting the vulnerabilities listed above or by logging in with credentials collected during earlier attacks of the same campaign.
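Since the initial infection rides on Office and RTF attachments exploiting the CVEs listed above, the practical check is at the mail gateway: identify what an attachment really is from its magic bytes rather than its extension, and route suspicious documents to a sandbox. The following is an added Python example, not code from the page or from Kaspersky. The RTF control words it looks for are heuristics (pFragments is the shape property abused by CVE-2010-3333; \objdata carries embedded OLE objects, the usual vehicle for the MSCOMCTL bug CVE-2012-0158) and the sample attachments are constructed header-only byte strings, not real exploit documents.

```python
"""Mail-gateway triage for document attachments of the kind used in targeted attacks.

Added example (not the page's or Kaspersky's code): detect the real container format
from magic bytes, flag extension/content mismatches, and look for RTF control words
commonly present in documents carrying exploits for CVE-2010-3333 (pFragments) and
CVE-2012-0158 (\\objdata with an embedded MSCOMCTL object). Heuristics, not detections.
"""
import posixpath

# Magic bytes: legacy Office (OLE2 compound file), OOXML (zip), PDF, RTF.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"{\\rtf", "rtf"),
]

# What each extension claims to be; anything else is "unknown" (plain text and so on).
EXPECTED = {
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".pdf": "pdf", ".rtf": "rtf",
}

# Assumed heuristic list, not exhaustive: embedded objects and the pFragments shape property.
RTF_INDICATORS = (b"\\objdata", b"\\objclass", b"pFragments")


def detect_format(data):
    head = data[:8]
    for magic, fmt in MAGIC:
        if head.startswith(magic):
            return fmt
    return "unknown"


def triage(filename, data):
    """Return detected format, claimed format, mismatch flag, RTF indicators and a verdict."""
    ext = posixpath.splitext(filename.lower())[1]
    fmt = detect_format(data)
    claimed = EXPECTED.get(ext, "unknown")
    mismatch = claimed != fmt
    indicators = [i.decode() for i in RTF_INDICATORS if fmt == "rtf" and i in data]
    if fmt == "rtf" and indicators:
        verdict = "sandbox"   # embedded objects or shape properties: detonate before delivery
    elif mismatch:
        verdict = "sandbox"   # the content lies about what it is (RTF named .doc, zip named .txt)
    elif fmt != "unknown":
        verdict = "review"    # a document type the campaign used: scan, do not auto-deliver
    else:
        verdict = "pass"
    return {"filename": filename, "format": fmt, "claimed": claimed,
            "mismatch": mismatch, "indicators": indicators, "verdict": verdict}


# Constructed samples: only the headers matter, these are not real exploit documents.
SAMPLES = {
    "report.doc": b"{\\rtf1\\ansi{\\shp{\\sp{\\sn pFragments}{\\sv 1;1;ffff}}}}",
    "invoice.rtf": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Foo}{\\*\\objdata 0105}}}",
    "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "notes.txt": b"PK\x03\x04" + b"\x00" * 26,
    "memo.docx": b"PK\x03\x04" + b"\x00" * 26,
    "readme.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage(name, data)
        print(f"{name:12} {r['format']:7} mismatch={str(r['mismatch']):5} {r['indicators']} -> {r['verdict']}")
```

Note that "report.doc" is flagged twice over: Word happily opens RTF content regardless of the .doc extension, which is exactly why attackers rename it, and the pFragments token inside is the kind of thing a gateway should never let through without detonation.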
What alarms me is that such campaigns could be going on for years with disastrous consequences ... what to do at this point? How is it possible that an operation so extensive escaped the worldwide security community for so long? Who is behind the attacks? Cyber criminals or state-sponsored hackers?

UPDATE 2013/01/15
Jeffrey Carr, founder and CEO of Taia Global, Inc, posted on his blog

The developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use according to the Kaspersky report. This fits the RBN profile to a ‘t’. I ran 13 IPs listed in Kaspersky’s report against the RBN list maintained by James McQuade and found matching IP blocks for five of them:

Malicious servers
    • 178.63.208.49 matches to 178.63.
    • 188.40.19.247 matches to 188.40.
    • 78.46.173.15 matches to 78.46.
    • 88.198.30.44 matches to 88.198.
Mini-motherships
    • 91.226.31.40 matches to 91.226.
It has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007 (as detailed in chapter 8 of my book); and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested. Red October is already the most significant find of the new year. If, in fact, Kaspersky has uncovered an RBN-controlled espionage ring, it’s going to be one of the most important discoveries of the decade.
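The check described in the post above (running a list of IPs against a list of network blocks) is easy to reproduce and worth keeping around. The following Python is an added example, not Jeffrey Carr's or James McQuade's tooling; the block list is only the five prefixes quoted above, not the real RBN list, and reading a dotted prefix of N octets as a /8·N network (so "178.63." means 178.63.0.0/16) is an assumption about how the list is written.

```python
"""Match IP addresses against network blocks written as dotted prefixes ("178.63.").

Added example for the prefix check described in the post above. NOT the tooling used
there; the prefix list is only what the post quotes. A prefix of N dotted octets is read
as a /(8*N) network, which is an assumption about the list's notation.
"""
import ipaddress

# Prefixes quoted in the post above; the real RBN list is much longer.
RBN_PREFIXES = ["178.63.", "188.40.", "78.46.", "88.198.", "91.226."]


def prefix_to_network(prefix):
    """'178.63.' -> 178.63.0.0/16, '10.' -> 10.0.0.0/8, '192.0.2.' -> 192.0.2.0/24."""
    octets = [o for o in prefix.strip().split(".") if o != ""]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"bad prefix: {prefix!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}", strict=True)


def match_blocks(ips, prefixes=RBN_PREFIXES):
    """Map each IP to the first prefix whose block contains it, or None."""
    networks = [(p, prefix_to_network(p)) for p in prefixes]
    result = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        result[ip] = next((p for p, net in networks if addr in net), None)
    return result


def matched_and_unmatched(ips, prefixes=RBN_PREFIXES):
    """Split the input into (hits, misses) so the miss list is not forgotten in a report."""
    m = match_blocks(ips, prefixes)
    hits = {ip: p for ip, p in m.items() if p}
    misses = [ip for ip, p in m.items() if not p]
    return hits, misses


if __name__ == "__main__":
    # The five addresses the post lists plus one documentation address that should not match.
    sample = ["178.63.208.49", "188.40.19.247", "78.46.173.15", "88.198.30.44",
              "91.226.31.40", "203.0.113.5"]
    hits, misses = matched_and_unmatched(sample)
    for ip, p in hits.items():
        print(f"{ip} matches block {prefix_to_network(p)}")
    print("no match:", misses)
```

A /16 match is coarse evidence: it says the address sits in the same allocation as something on the list, not that the same operator controls it, so the hit list is a lead to chase against current WHOIS and hosting data, not a conclusion.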

source: thehackernews.com

Monday, January 14, 2013

RIP Aaron Swartz







Aaron Swartz took his own life on January 11, 2013, in New York City.

I have long struggled over whether to write something about this extraordinary young man, but not dedicating a tribute to him would be a shame. By his choice, Aaron Swartz has left a huge void in the IT world.

For me, as for the entire world, he is a legend, a guy who profoundly changed our daily work.

Aaron Swartz was an eclectic figure: a hacker and active activist, co-founder of the social news website Reddit and founder of the group Demand Progress. The EFF states in a blog post: “Aaron did more than almost anyone to make the Internet a thriving ecosystem for open knowledge, and to keep it that way. His contributions were numerous, and some of them were indispensable. When we asked him in late 2010 for help in stopping COICA, the predecessor to the SOPA and PIPA Internet blacklist bills, he founded an organization called Demand Progress, which mobilized over a million online activists and proved to be an invaluable ally in winning that campaign.”


In 2002 Swartz was the youngest speaker at the Comdex (Computer Dealers' Exhibition) expo; he was also actively involved in writing the RSS 1.0 specification.

In 2008, Swartz downloaded 20 million pages of legal documents from PACER, the Public Access to Court Electronic Records system, which charges 10 cents per page for access. On that occasion, with the help of other hacktivists, Swartz sought to make the documents freely available.

Aaron belonged to that category of people who have something special about them; he demonstrated his enormous capabilities from a young age, which was probably the real cause of the tragedy.

Being in the spotlight of the media circus at only 14, which forces you to grow up quickly and skip the stages every teenager should live through, probably damaged the fragile mind of the prodigy beyond repair.

He was, is and always will be an awkward figure to measure oneself against; he has left his body, but his ideology is alive and as strong as ever.

He was a member of the lab at Harvard University's Center for Ethics. On July 19, 2011, he was arrested and charged with downloading 4 million articles from JSTOR; he was awaiting trial, facing up to 35 years in prison.

According to the indictment, Swartz hid a laptop connected to the computer network at MIT, which allowed him to download the articles, and acted with the intent to make the documents available, open access, on peer-to-peer networks.

Aaron Swartz could have had anything from life, but he chose to devote it to defending freedom of expression and free access to information.

Aaron’s suicide raises questions about U.S. computer crime laws and their punishment regimes. Many activists and ordinary people, including myself, are struck by the inadequacy of the punishment when compared with that for other crimes. The cyber world is complex, and judging a computer crime, with its many different purposes, is even more so.

Tim Berners-Lee, the father of the World Wide Web, wrote on Twitter:

Aaron dead. World wanderers, we have lost a wise elder. Hackers for right, we are one down. Parents all, we have lost a child. Let us weep.

Swartz’s family and friends have set up a memorial page.

We miss you too, Aaron, fly high my dear … This is another lesson you gave us ... certainly not the last.

source: thehackernews.com

Saturday, January 12, 2013

Indonesian President's site hacked



A hacker crew calling itself Jember Hacker Team (JHT) defaced the official website of the Indonesian president (http://www.presidensby.info) with a message reading, “This is a PayBack From Jember Hacker Team”.
The hackers defaced the website of President Susilo Bambang Yudhoyono (SBY) apparently in protest at growing corruption and wealth inequality in the country, and out of increasing anger at the current administration.
The defacement page names the hacker who performed the attack by the code name "MJL007". The government is working with law enforcement teams to examine log files in a bid to trace the origin of the attack.

“Corruption is rampant, the poor are everywhere. The rich get richer, the poor get poorer,” the hacker wrote. A mirror of the defacement is available at Zone-H.

Source: thehackernews.com

Happy Hacker is the alleged owner of a ZeuS botnet!

Hamza Bendelladj




Last week, the so-called Happy Hacker was arrested in Thailand on charges of stealing millions from online bank accounts. According to new reports, the same hacker is alleged to be a ZeuS mastermind and to have used the profile of a miscreant nicknamed “bx1”, a hacker previously fingered by Microsoft as a major operator of botnets powered by the ZeuS banking trojan.

He remained smiling throughout a press conference in which Thai police explained that Thailand will seek to extradite Mr Bendelladj to the US state of Georgia, where a court has issued a warrant for his arrest.

The 24-year-old Algerian hacker, Hamza Bendelladj, was arrested at a Bangkok airport en route from Malaysia to Egypt. The ZeuS botnet is one of the most notorious in existence, and it is also one that has earned its masters some pretty massive payouts.

The e-mail addresses daniel.h.b@universityofsutton.com and danieldelcore@hotmail.com, mentioned by Microsoft in a complaint submitted to the U.S. District Court for the Eastern District of Virginia, appear to be linked to the man.

Mr Bendelladj, who graduated in computer science in Algeria in 2008, is alleged to have hacked private accounts at 217 banks and financial companies worldwide.

Source: thehackernews.com

Thursday, January 10, 2013

Third Facebook Hacker Cup!!



Facebook Hacker Cup 2013
Dear hackers, warm up your keyboards! Facebook has opened registration for the third Hacker Cup, the 2013 edition of its annual worldwide programming competition in which hackers compete against each other for fame, fortune, glory and a shot at the title of world champion, with a $5,000 top prize.

The qualification round begins on January 25th, so participate and sharpen your programming skills.

The dates have been set for the Facebook Hacker Cup 2013:
  • Jan 7 — Jan 27 — Registration
  • Jan 25 — Jan 27 — Online Qualification Round
  • Feb 2 — Online Elimination Round 1
  • Feb 9 — Online Elimination Round 2
  • Feb 16 — Online Elimination Round 3
  • March 22 -23 — Onsite Finals at Facebook

This is your chance to compete against the world’s best programmers for awesome prizes and the title of World Champion.

source: thehackernews.com

Official Debian and Python wiki hacked



Official Debian and Python Wiki Servers Compromised
Administrators of the official Debian and Python project websites have confirmed that their wiki servers were recently compromised by unknown attackers. The intrusions were possible because of several vulnerabilities in the MoinMoin (“moin”) wiki package.

According to Brian Curtin of the Python project, the attacker used a previously unknown remote code execution exploit against the Python wiki server (http://wiki.python.org/) and obtained shell access. The shell was restricted to the permissions of the “moin” user, and no other services were affected. The attacker deleted all files owned by the “moin” user, including all instance data for both the Python and Jython wikis.

The Python Software Foundation encourages all wiki users to change their password on other sites if the same one is in use elsewhere. For now the Python wiki is down and the team is investigating the breach further.

In the Debian wiki (http://wiki.debian.org/) breach, on the other hand, the attacker used known MoinMoin vulnerabilities: directory traversal (CVE-2012-6080, CVE-2012-6495), multiple unrestricted file upload vulnerabilities (CVE-2012-6081) and a cross-site scripting (XSS) vulnerability (CVE-2012-6082).
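Directory traversal and unrestricted upload in a wiki's attachment handling come down to the same mistake: joining user-controlled page and file names onto a storage root and trusting the result. The Python below is an added example that puts the weak pattern next to a hardened version; it is not MoinMoin's code and does not reproduce the actual code paths behind the CVEs above. The upload root and the extension allowlist are assumptions.

```python
"""Attachment path handling: the weak pattern behind directory-traversal and
unrestricted-upload bugs, next to a hardened version.

Added example, NOT MoinMoin's code. UPLOAD_ROOT and ALLOWED_EXT are assumptions.
"""
import posixpath
import re

UPLOAD_ROOT = "/srv/wiki/data/attachments"              # assumed location
ALLOWED_EXT = {".png", ".jpg", ".gif", ".txt", ".pdf"}  # assumed allowlist: no .py/.html/.cgi/.htaccess
# One plain path component: starts with an alphanumeric, so no "..", no ".htaccess", no separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def attachment_path_vulnerable(pagename, filename):
    """Weak version: user-controlled names are joined straight onto the root,
    so '../../../../../etc/passwd' walks out of UPLOAD_ROOT and 'shell.py' is stored as-is."""
    return posixpath.join(UPLOAD_ROOT, pagename, filename)


def escapes_root(path):
    """True if a (possibly traversal-laden) path normalizes to something outside UPLOAD_ROOT."""
    return not posixpath.normpath(path).startswith(UPLOAD_ROOT + "/")


def attachment_path_safe(pagename, filename):
    """Hardened version. Raises ValueError on anything that could leave UPLOAD_ROOT
    or drop a script or dotfile into a served directory."""
    # 1. Page names may contain '/' for subpages, but every segment must be a plain name.
    segments = pagename.split("/")
    if any(not SAFE_NAME.match(seg) for seg in segments):
        raise ValueError(f"bad page name: {pagename!r}")
    # 2. Filenames: no separators of either flavour, no NUL, a plain name, allowlisted extension.
    if "\x00" in filename or "/" in filename or "\\" in filename:
        raise ValueError(f"path separator in filename: {filename!r}")
    if not SAFE_NAME.match(filename):
        raise ValueError(f"bad filename: {filename!r}")
    ext = posixpath.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")
    # 3. Belt and braces: normalize and verify the result is still under the root,
    #    so a future relaxation of the checks above cannot silently reopen traversal.
    path = posixpath.normpath(posixpath.join(UPLOAD_ROOT, *segments, filename))
    if escapes_root(path):
        raise ValueError("path escapes upload root")
    return path


def is_safe_attachment(pagename, filename):
    try:
        attachment_path_safe(pagename, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for page, name in [("HomePage", "logo.png"), ("Docs/Install", "guide.pdf"),
                       ("HomePage", "../../../../../etc/passwd"), ("../../etc", "passwd"),
                       ("HomePage", "shell.py"), ("HomePage", ".htaccess")]:
        weak = attachment_path_vulnerable(page, name)
        print(f"{page}/{name}: weak -> {posixpath.normpath(weak)} (escapes={escapes_root(weak)}), "
              f"safe -> {'accepted' if is_safe_attachment(page, name) else 'rejected'}")
```

On a real filesystem the final containment check should be done with `os.path.realpath` on the parent directory as well, so that a symlink planted inside the attachment tree cannot redirect a valid-looking path elsewhere; the string-based check here is the portable core of the idea.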

Luca from Debian also mentions: “We have reset all password hashes and sent individual notification to all Debian wiki account holders with instructions on how to recover their passwords”.

In the Debian case the attacker compromised only the 'wiki' user, but captured the email addresses and corresponding password hashes of all wiki editors. "The attacker(s) were particularly interested in the password hashes belonging to users of Debian, Intel, Dell, Google, Microsoft, GNU, any .gov and any .edu."

Both servers were compromised in December 2012, but it is not yet clear whether the same attacker carried out both intrusions.

source: thehackernews.com