Officials confirm, Stuxnet was a US-Israel Creation


We have met the creator of Stuxnet, and the creator is us…

US, Israeli and European officials confirm that Stuxnet was part of an ever-increasing program of computer attacks against Iran to slow or stop its nuclear ambitions.

According to an article on the New York Times:

From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.

Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet.

Really no shocker here; most assumed it was US- and Israel-backed. Now we know for sure. According to The Register, members of Israel’s ultra-cool Unit 8200 and our cyber ninjas at the NSA worked together to create the cyberweapon Stuxnet.

The Times article hints that the cyber attacks were intended to slow down Iran’s progress toward obtaining nuclear weapons and to satisfy Israel so it would not carry out a physical strike, which would have destabilized the Middle East.

But one has to ask: if they knew the attacks would only delay Iran from obtaining nukes, why do this at all? Iran seemed determined to obtain nuclear weapons. What would be gained by delaying them another year or so?

I am curious if this is why key members of Iran’s nuclear program are being and have been assassinated. Knowing that Stuxnet was only a temporary fix, someone (apparently Israel) is taking further steps to hamstring Iran’s nuclear ambitions.

Move over Stuxnet, Say Hello to the new Cyberweapon: “Flame”



(Screenshot of Iran CERT warning for “Flame” Malware)

Yesterday Iran’s Computer Emergency Response Team released a warning about a new modular malware that resembles Stuxnet and Duqu. Dubbed “Flame”, the new cyberweapon is causing quite a stir in the media with its “advanced features and complexity”.

But looking at the malware’s features as disclosed by Iran’s CERT team, it doesn’t seem very game-stopping:

  • Distribution via removable media
  • Distribution through local networks
  • Network sniffing, detecting network resources and collecting lists of vulnerable passwords
  • Scanning the disk of infected system looking for specific extensions and contents
  • Creating series of user’s screen captures when some specific processes or windows are active
  • Using the infected system’s attached microphone to record the environment sounds
  • Transferring saved data to control servers
  • Using more than 10 domains as C&C servers
  • Establishment of secure connection with C&C servers through SSH and HTTPS protocols
  • Bypassing tens of known antiviruses, anti-malware and other security software
  • Capable of infecting Windows XP, Vista and 7 operating systems
  • Infecting large scale local networks

All of these “threats” have been seen before. I especially liked the “bypassing tens of known anti-viruses…” line.

But there are several features that do set “Flame” apart from the pack. First of all, the malware is very large: a whopping 20 MB. Also, it contains several files and seems to be able to attack using swappable modules. But there is more.

According to an article on The Register, Flame has the following features:

  • It has been active for at least 2 years, but possibly 5-8 years
  • Contains exploits for known and fixed vulnerabilities
  • Uses open source libraries
  • Uses a SQLite database
  • Uses some scripts written in Lua (of Angry Birds fame)

All the big-name security companies that have analyzed it seem to agree that, given its complexity, it was most likely written by a nation state and not by individuals or small groups.

The malware could have been created by Israel (and possibly the US) as many of the countries that have detected infection would be logical targets for them.

According to Symantec:

“Initial telemetry indicates that the targets of this threat are located primarily in Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of individuals targeted are currently unclear.”

I am not sure about its “cyberweapon” title, as it seems to be an information gatherer. Definitely worth keeping an eye on, but as with “APT” and “Stuxnet”, I am sure the media will beat this topic to death.

 

p/s: Credit to http://cyberarms.wordpress.com

Son of Stuxnet


The security industry is currently buzzing with talk about a threat dubbed the precursor to the next STUXNET.

According to a Symantec analysis, portions of the code are very similar to STUXNET, and it was likely written by the same cybercriminals as the well-known threat. Unlike STUXNET, however, Duqu does not have code that suggests it was developed to access SCADA systems. Instead, its final payload appears to be inclined toward information theft.

Duqu is made up of several components. The SYS file, which is detected as RTKT_DUQU.A, is responsible for activating the malware and triggering the execution of its other routines. Based on analysis, however, the main goal of these files is to establish a connection with its C&C server. It is said that Duqu delivered an information-stealing malware, detected as TROJ_SHADOW.AF, onto the affected systems through this connection. We have also verified that DUQU has code very similar to that of STUXNET.

Upon execution, TROJ_SHADOW.AF enumerates the processes currently running on the system. It also checks whether any of them match the following security-related processes:

  • avp.exe (Kaspersky)
  • Mcshield.exe (McAfee)
  • avguard.exe (Avira)
  • bdagent.exe (Bitdefender)
  • UmxCfg.exe (CA)
  • fsdfwd.exe (F-Secure)
  • rtvscan.exe and ccSvcHst.exe (Symantec)
  • ekrn.exe (ESET)
  • tmproxy.exe (Trend Micro)
  • RavMonD.exe (Rising)

If one is found, TROJ_SHADOW.AF launches the same process in a suspended state, then patches the malware’s code into it before resuming execution. In effect, there will be two AV processes: the first being the original, and the second being the patched one.
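The “two AV processes” artefact described above is something a defender can look for directly. The following is an added example, not code from the original post or from Trend Micro: it parses a constructed tasklist-style process snapshot (embedded below) and flags every instance of a security-related process name that either appears more than once or whose parent is not the expected service host. The assumption that AV service processes normally run under services.exe is the example’s own, not a statement from the post.

```python
"""Flag duplicated or oddly parented security processes.

Added example, not code from the original post or from Trend Micro. It
parses a constructed process snapshot ("pid ppid image" per line) and
reports security-related process names that appear more than once, or
whose parent image is not the trusted service host.
"""
from collections import defaultdict

# Security-related process names listed in the post (matched case-insensitively).
SECURITY_PROCESSES = {
    "avp.exe", "mcshield.exe", "avguard.exe", "bdagent.exe", "umxcfg.exe",
    "fsdfwd.exe", "rtvscan.exe", "ccsvchst.exe", "ekrn.exe", "tmproxy.exe",
    "ravmond.exe",
}

# Constructed snapshot. services.exe (pid 600) is the assumed legitimate
# parent of AV services; the second avp.exe, spawned under explorer.exe,
# stands in for the patched copy the post describes.
SAMPLE_SNAPSHOT = """\
4 0 System
600 500 services.exe
1320 600 avp.exe
1404 600 svchost.exe
2204 1404 explorer.exe
2940 2204 avp.exe
"""


def parse_snapshot(text):
    """Return a list of (pid, ppid, image) tuples from the snapshot text."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        pid, ppid, image = parts
        rows.append((int(pid), int(ppid), image))
    return rows


def find_duplicate_security_processes(rows, trusted_parent="services.exe"):
    """Return one finding dict per suspicious security-process instance.

    An instance is suspicious when another instance of the same image is
    running (both copies are reported so the analyst can compare them), or
    when its parent image is not the trusted service host (an assumption of
    this example, not a claim from the post).
    """
    image_by_pid = {pid: image for pid, _, image in rows}
    instances = defaultdict(list)
    for pid, ppid, image in rows:
        if image.lower() in SECURITY_PROCESSES:
            instances[image.lower()].append((pid, ppid))

    findings = []
    for image, procs in instances.items():
        for pid, ppid in procs:
            parent = image_by_pid.get(ppid, "?")
            reasons = []
            if len(procs) > 1:
                reasons.append("multiple instances of %s" % image)
            if parent.lower() != trusted_parent:
                reasons.append("parent is %s, not %s" % (parent, trusted_parent))
            if reasons:
                findings.append({"pid": pid, "image": image,
                                 "parent": parent, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_duplicate_security_processes(parse_snapshot(SAMPLE_SNAPSHOT)):
        print(finding)
```

On a live host the snapshot would come from `tasklist` or a process-tree export; the check is intentionally a triage signal rather than proof, since a legitimate product may also run more than one copy of a helper process.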

TROJ_SHADOW.AF requires command-line arguments in order to execute properly. Available commands include collecting information on the affected system, terminating malware processes, and deleting itself. It can steal a wide array of information from any affected system, such as:

1. Drive information, such as:
     • Free space
     • Drive device name
2. Screenshots
3. Running processes and the owner of each running process
4. Network information, such as:
     • IP address
     • IP routing table
     • TCP and UDP table
     • DNS cache table
     • Local shares
5. Local shared folders and connected users
6. Removable drive serial numbers
7. Window names
8. Information on open files on the local computer, using NetFileEnum

Upon execution, RTKT_DUQU.A decrypts a configuration file in its body to get the registry path containing the location of TROJ_DUQU.ENC, and the process into which to inject the DLL. From our analysis, the decrypted registry paths in the two samples are HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3 and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432, respectively.

These registry paths contain the “FILTER” entry, which holds encrypted data that RTKT_DUQU.A decrypts to get the path of TROJ_DUQU.ENC, as well as the name of the process into which TROJ_DUQU.ENC will be injected.

Decrypting TROJ_DUQU.ENC results in a DLL file that is injected into the process specified in the registry. The decrypted DLL is detected as TROJ_DUQU.DEC. Once TROJ_DUQU.DEC is loaded, it accesses TROJ_DUQU.CFG to get configuration information.

Information contained in the configuration file includes:

  • Service registry key
  • File path of component files
  • Websites it will try to connect to for DNS checking
  • Processes into which TROJ_DUQU.DEC will inject itself

TROJ_DUQU.DEC communicates with the C&C server to receive and execute commands. These commands include downloading other malicious files, which in this case appears to be the infostealer TROJ_SHADOW.AF.
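The loader chain above leaves a concrete marker a defender can hunt for: a service key under HKLM\SYSTEM\CurrentControlSet\Services carrying a “FILTER” value. The following is an added example, not code from the original post or from Trend Micro. It parses a constructed .reg export (embedded below, in the format `reg export` produces) and reports every service key that carries that value, noting whether the service name is one of the two the post names (JmiNET3 and cmi4432). The benign Dhcp entry and the “somesvc” entry are constructed; the example does not attempt to decrypt the FILTER data, since the post gives no detail of that scheme.

```python
r"""Scan a registry export for service keys carrying a "FILTER" value.

Added example, not code from the original post or from Trend Micro. It
parses a constructed .reg export and reports every key under
HKLM\SYSTEM\CurrentControlSet\Services that has a FILTER value, the entry
the post says holds the encrypted path of TROJ_DUQU.ENC. The service names
JmiNET3 and cmi4432 come from the post; all other data here is constructed.
"""
import re

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
KNOWN_DUQU_SERVICES = {"JmiNET3", "cmi4432"}  # names from the post
MARKER_VALUE = "FILTER"                          # value name from the post

# Constructed export: one benign service, one carrying FILTER under a name
# from the post, and one carrying FILTER under an unrelated (constructed) name.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Type"=dword:00000020
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3]
"Type"=dword:00000001
"Start"=dword:00000003
"FILTER"=hex:a1,b2,c3,d4,e5,f6

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\somesvc]
"Type"=dword:00000001
"FILTER"=hex:00,11,22,33
"""

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "Name"=data


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} for every key in the export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = value_match.group(2)
    return keys


def find_filter_services(keys):
    """Return a finding for each Services subkey that carries the FILTER value."""
    findings = []
    for path, values in keys.items():
        if not path.startswith(SERVICES_PREFIX) or MARKER_VALUE not in values:
            continue
        service = path[len(SERVICES_PREFIX):]
        findings.append({
            "service": service,
            "known_duqu_name": service in KNOWN_DUQU_SERVICES,
            "filter_data": values[MARKER_VALUE],
        })
    return findings


if __name__ == "__main__":
    for finding in find_filter_services(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

The match is on the value name rather than the service name on purpose: the two service names in the post are sample-specific, while the FILTER value is the part of the loader’s design that would survive a renamed service.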

Enterprise networks are also protected from DUQU through the Trend Micro Threat Discovery Appliance, which detects the malware’s connection to the C&C server through the rule 473 TCP_MALICIOUS_IP_CONN. Also, Deep Security is able to detect the changes made inside the Drivers folder (%Window%\system32\drivers) by DUQU variants, through the rule Integrity Monitoring Rule: 1003517 – Microsoft Windows – System driver files modified.
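The integrity-monitoring control mentioned above comes down to a baseline-and-compare over the driver directory. The following is an added example of that technique, not Trend Micro’s rule or code from the original post: it hashes every file under a directory into a baseline, compares a later snapshot against it, and reports added, removed and modified files. The demo builds a throwaway directory with constructed file contents so it runs offline; the file names in it are placeholders, and on a real host the directory would be the drivers folder named in the post.

```python
"""Baseline-and-compare file integrity check for a driver directory.

Added example, not Trend Micro's rule or code from the original post.
snapshot() hashes every file under a directory; diff_snapshots() compares
two such baselines. demo() exercises both on a temporary directory with
constructed contents (an unknown .sys appears, an existing one changes).
"""
import hashlib
import os
import tempfile


def snapshot(directory):
    """Return {relative_path: sha256_hex} for every regular file under directory."""
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots; returns sorted lists of added/removed/modified paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Simulate a new driver being dropped and an existing driver being altered."""
    with tempfile.TemporaryDirectory() as drivers:
        # Constructed "known good" contents; names are placeholders.
        with open(os.path.join(drivers, "ndis.sys"), "wb") as fh:
            fh.write(b"constructed driver bytes A")
        with open(os.path.join(drivers, "tcpip.sys"), "wb") as fh:
            fh.write(b"constructed driver bytes B")
        baseline = snapshot(drivers)

        # Constructed changes: an unknown driver appears, an existing one is rewritten.
        with open(os.path.join(drivers, "unknown_driver.sys"), "wb") as fh:
            fh.write(b"constructed unknown driver bytes")
        with open(os.path.join(drivers, "ndis.sys"), "wb") as fh:
            fh.write(b"constructed driver bytes A, altered")

        return diff_snapshots(baseline, snapshot(drivers))


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off-host (or at least outside the monitored directory) and refreshed only after a known-good patch cycle, otherwise a loader that drops a driver before the first baseline is taken simply becomes part of it.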