Skip navigation
Help

Rootkits

warning: Creating default object from empty value in /var/www/vhosts/sayforward.com/subdomains/recorder/httpdocs/modules/taxonomy/taxonomy.pages.inc on line 33.

An anonymous reader writes "Ralph Langner, the security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran's Natanz nuclear facility, has come up with a cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government's Cyber Security Framework. Langner's Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down ICS/SCADA plants than the NIST-led one, focusing on security capabilities rather than risk. He hopes it will help influence the final version of the U.S. government's framework."

0
Your rating: None
Original author: 
Sean Gallagher


The Evernote interface for Chinese users—and the gateway to commands for a very sneaky backdoor.

Your average workaday botnet uses a command and control server to give the malware bots on infected PCs their marching orders. But as network security tools begin to block traffic to suspicious domains, some enterprising hackers are turning to communications tools less likely to be blocked by corporate firewalls, using consumer services to deliver their bidding to their digital minions. Today, security researchers at Trend Micro revealed the latest case of the consumerization of botnet IT: malware that uses an Evernote account to communicate.

The backdoor malware, designated as VERNOT.A by Trend Micro, is delivered via an executable file that installs the malware as a dynamic-link library. The installer then ties the DLL into a legitimate running process, hiding it from casual detection. Once up and running, the backdoor starts to collect information about the system it has made its home—the computer's name, the person and organization identified as its registered owners, the operating system version, and its timezone. Then it connects to Evernote—specifically the Chinese interface to the Evernote service—to fetch information from notes saved in an account, including commands to download, run, and rename files on its host system.

According to a blog post by Trend Micro Threat Response Engineer Nikko Tamaña, the backdoor may have also used Evernote as a location to upload stolen data. Fortunately (or unfortunately, depending on how you look at it), the account that was hard-coded into the backdoor's channel to home had already been shut down—ironically, because its password was reset after Evernote's recent security breach.

Read 2 remaining paragraphs | Comments

0
Your rating: None

Aurich Lawson

Researchers have uncovered a never-before-seen version of Stuxnet. The discovery sheds new light on the evolution of the powerful cyberweapon that made history when it successfully sabotaged an Iranian uranium-enrichment facility in 2009.

Stuxnet 0.5 is the oldest known version of the computer worm and was in development no later than November of 2005, almost two years earlier than previously known, according to researchers from security firm Symantec. The earlier iteration, which was in the wild no later than November 2007, wielded an alternate attack strategy that disrupted Iran's nuclear program by surreptitiously closing valves in that country's Natanz uranium enrichment facility. Later versions scrapped that attack in favor of one that caused centrifuges to spin erratically. The timing and additional attack method are a testament to the technical sophistication and dedication of its developers, who reportedly developed Stuxnet under a covert operation sponsored by the US and Israeli governments. It was reportedly personally authorized by Presidents Bush and Obama.

Also significant, version 0.5 shows that its creators were some of the same developers who built Flame, the highly advanced espionage malware also known as Flamer that targeted sensitive Iranian computers. Although researchers from competing antivirus provider Kaspersky Lab previously discovered a small chunk of the Flame code in a later version of Stuxnet, the release unearthed by Symantec shows that the code sharing was once so broad that the two covert projects were inextricably linked.

Read 24 remaining paragraphs | Comments

0
Your rating: None

DavidGilbert99 writes "Eugene Kaspersky and Mikko Hypponen have been watching the cyber security world every since happy hackers were writing viruses for nothing more than their own entertainment. Today however things are very much different. At the DLD 2013 conference, the pair debated the current state of cyber warfare and cyber weapons. Kaspersky said that while cyber weapons may be much 'cleaner' than traditional missiles, guns and bombs, they are 'much worse' as they can be used by just about anyone who has some level of computer proficiency. Both agreed that it was very difficult to protect against the highly-complex nation-state developed malware like Stuxnet, Flame and Gauss. Hypponen said that we are in the 'first stages of a cyber-arms race' warning: 'I think we've only seen the very beginning of these problems.'"

Share on Google+

Read more of this story at Slashdot.

0
Your rating: None

burning fire computerHe's unassuming, even a little dweebish, but nonetheless Adriel Desautels represents a new breed of Internet mercenary that wields terrifying power across the world.

Desautels is a hacker, and he trades in Zero Day exploits. Zero Days are bits of code that can penetrate, manipulate and/or incapacitate normal functions on a computer, and, most importantly, they have not yet been seen by the internet community.

Their lack of history makes them incredibly difficult to defend against, and so they're incredibly lucrative—both to state and non-state actors.

A post by Ryan Gallagher on Slate today outlines how companies or individuals peddling Zero Days in black and gray markets make a killing at the cost of societal stability.

From the post:

“As technology advances, the effect that zero-day exploits will have is going to become more physical and more real,” [Desautels] says. “The software becomes a weapon. And if you don’t have controls and regulations around weapons, you’re really open to introducing chaos and problems.”

Desautels' company, Netragard, Inc., could be considered one of the good guys: They've pledged to only sell their exploits within the U.S., to the government and properly-vetted private entities.

Others though, are not so well-meaning—the primary motivator in most unregulated markets is money. As Gallagher notes, one post by the hacker group Anonymous outlined how the company Endgame sold 25 exploits for $2.5 million—a package Bloomberg called "cyber warfare in a box."

Of other concern is that the market has little to no oversight, allowing groups to decide exactly whom they direct their wares to:

Desautels says he knows of “greedy and irresponsible” people who “will sell to anybody,” to the extent that some exploits might be sold by the same hacker or broker to two separate governments not on friendly terms.

In a time when American defense secretaries await the first "cyber pearl harbor," the idea that organizations can sell exploits to shady individuals with nefarious agendas makes the idea all the more realizable.

Also, it puts into the spotlight the burgeoning cyber arms race taking place across the globe, really since the U.S. announced with pride that it was responsible for Stuxnet, thus inviting itself to become victim to attacks (and promptly realizing its defenses were insufficient).

What often goes without mentioning, though, especially when infrastructure is so often the target, is what the moral implications are for the "manufacturers" of these weapons of war: An exploit that takes out water treatment plants or exposes the names of covert operatives could be the digital equivalent of a cluster bomb.

Equally the moral equivalent.

We've covered mercenary Zero Day exploits at Business Insider, most recently that of "Red October," but the lengthy, in-depth post on Slate today is also definitely worth a read.

OR CHECK OUT: The 18 things SEALs never leave home without >

Please follow Military & Defense on Twitter and Facebook.

Join the conversation about this story »

0
Your rating: None

A newly discovered form of malware that targets Linux servers acting as Web servers allows an attacker to directly inject code into any page on infected servers—including error pages. The rootkit, which was first publicly discussed on the Full Disclosure security e-mail list on November 13, appears to be crafted for servers running the 64-bit version of Debian Squeeze and NGINX.

An analysis of the rootkit by Kaspersky Labs found that the malware inserts HTML iframe elements into every page served up to Web browsers connecting to the server. It does this by replacing the code that builds TCP/IP packets (tcp_sendmsg) with its own code. The malware then retrieves the code to be inserted into the iframe by connecting, botnet-like, to a command and control network with an encrypted password.

The rootkit, designated as Rootkit.Linux.Snakso.a by Kaspersky, is a new approach to drive-by downloads. They usually are based on PHP script—not code injected into the kernel of the operating system. Because the new rootkit infects the entire server and not just a specific page, the malware could affect dozens or even hundreds of websites at a time if it infects the server of a Web hosting provider.

Read 1 remaining paragraphs | Comments

0
Your rating: None

e065c8515d206cb0e190 writes "Several websites have announced the launch of Silent Circle, PGP's founder Phil Zimmermann''s new suite of tools for the paranoid. After a first day glitch with a late approval of their iOS app, the website seems to now accept subscriptions. Have any slashdotters subscribed? What does SilentCircle provide that previous applications didn't have?"


Share on Google+

Read more of this story at Slashdot.

0
Your rating: None

mikko

Mikko Hyppönen is the Chief Research Officer at F-Secure, where he’s spent the last two decades tracking, dissecting, and disabling malware, from viruses to trojans to worms to botnets. His long time in the field gives him a sense of history: last year he documented his search for the minds behind Brain, released in 1986 and considered the first MS-DOS based computer virus. Via email he discussed how malware has changed over the last twenty years, the future of smartphone viruses, and just whether antivirus companies are outmatched in a world of government-sponsored malware such as Stuxnet and Flame.

Continue reading…

0
Your rating: None