
Duqu, The Next-Generation Cyber Attack Weapon



Researchers have raised the alarm over a new piece of malware with “striking similarities” to Stuxnet, the mysterious computer worm that targeted nuclear facilities in Iran. The new malware, identified as Duqu, is a highly specialized Trojan built to gather intelligence data and assets from entities such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.
“The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility,” according to Symantec’s security response team. 
Symantec said it got a copy of the in-the-wild malware from an unnamed research lab with strong international connections. The company found that parts of Duqu are “nearly identical to Stuxnet” but noted that the malware has a completely different goal.
Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or by people with access to the Stuxnet source code) and appears to have been created after the last recovered Stuxnet file. Its purpose is the reconnaissance described above: collecting design documents and similar assets that could help the attackers mount a future attack on an industrial control facility.
The company said Stuxnet and Duqu share the same modular structure, the same injection mechanisms, and a driver that is digitally signed with a compromised key. Unlike Stuxnet, Symantec said, the new malware does not contain any code related to industrial control systems. It was built to be a remote access Trojan (RAT) that does not self-replicate.
“The threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants,” Symantec warned.
The attackers used Duqu to install another infostealer that could record keystrokes and gather other system information. They were searching for assets that could be used in a future attack. In one case the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered and, in reviewing Symantec's archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.
Symantec also noted that Duqu uses HTTP and HTTPS to communicate with a command and control server that is currently operational.

To know more about Duqu and to see the similarities between Stuxnet and Duqu Click Here


-News Source (ZDNet, Yahoo, Symantec)



Stuxnet Clones May Be Used To Hit US


Officials at the US Department of Homeland Security are warning that cybercriminals could create clones of offshoots of the Stuxnet computer worm and attack American power plants, water treatment facilities, and other key parts of the infrastructure, various media outlets have reported.
The self-replicating malware, which was originally detected last July, was used to disrupt nuclear-enrichment programs in Iran, according to Reuters reports on Thursday. Stuxnet reportedly targeted Siemens-branded industrial control systems, exploiting four previously unidentified vulnerabilities in Microsoft Windows in order to seize control of the operating systems.
"Copies of the Stuxnet code, in various different iterations, have been publicly available for some time now," officials from Homeland Security said in a submission to the House Energy and Commerce Committee, reports Telegraph Technology Correspondent Christopher Williams.
"The Department is concerned that attackers could use the increasingly public information about the code to develop variants targeted at broader installations of programmable equipment in control systems," they continued, adding that officials would "remain vigilant and continue analysis and mitigation efforts of any derivative malware."
Forensic evidence suggests that Stuxnet, which cybercrime experts have called one of, if not the, most complex computer viruses ever identified, could have been the product of a joint operation launched by the US and Israel, Williams said.
According to Reuters, Roberta Stempfley, acting assistant secretary with the Office of Cyber Security and Communications, and Sean McGurk, director of the National Cybersecurity and Communications Integration Center, also testified before a House Energy and Commerce subcommittee on Tuesday.
Furthermore, Dan Goodin of the Register reports that Stempfley and McGurk warned the House Subcommittee on Oversight and Investigations that several different nation states, terrorist networks, organized crime groups, and individuals located within American territory are currently capable "of targeting elements of the US information infrastructure to disrupt, or destroy systems upon which we depend."
Williams reports that similar concerns prompted the British government to invest £650 million (approximately $1 billion) in cybersecurity in 2010.


-News Source (Red Orbit)

 


Flamer/Skywiper Stuxnet- Newly Found Cyber-Weapon Discovered By Iran National CERT (MAHER)


After "Duqu", the Iranian Computer Emergency Response Team (MAHER) now claims to have discovered a new targeted Stuxnet-style attack on the country's internal systems. This newly found malware has been dubbed Flame (also known as Flamer or Skywiper). The name “Flamer” comes from one of the attack modules, found at various places in the decrypted malware code. In fact this malware is a platform capable of receiving and installing various modules for different goals. At the time of writing, none of the 43 tested antivirus products could detect any of the malicious components. Nevertheless, a detector was created by the MAHER center and delivered to selected organizations and companies in the first days of May.

Key Features of “Flamer” :-
  • Distribution via removable media
  • Distribution through local networks
  • Network sniffing, detecting network resources and collecting lists of vulnerable passwords
  • Scanning the disk of the infected system for specific extensions and contents
  • Creating a series of screen captures of the user’s screen when specific processes or windows are active
  • Using the infected system’s attached microphone to record ambient sound
  • Transferring saved data to control servers
  • Using more than 10 domains as C&C servers
  • Establishing secure connections with C&C servers through the SSH and HTTPS protocols
  • Bypassing tens of known antivirus, anti-malware and other security products
  • Capable of infecting Windows XP, Vista and 7 operating systems
  • Infecting large-scale local networks

For additional information about "Flamer" click Here


Security experts can't verify Iran's claims of new worm

 
Without a sample of the new worm that an Iranian official says attacked the country's computers, it's impossible to verify his claims, a security researcher said Monday.
Kevin Haley, the director of Symantec's security response group, said that his team has not found an example of the worm, dubbed "Stars" by the Iranian military commander responsible for investigating Stuxnet, the sophisticated malware that attacked the country's uranium enrichment facilities beginning in June 2009.
"Generally, samples [of malware] do get traded among security vendors," said Haley, explaining that when one antivirus company lacks malware it wants to analyze, it asks other firms to share their samples. "[Iran] makes this a little more difficult, because we have no direct relationships there," added Haley. "But perhaps someone else does."
Although Symantec has asked researchers in other companies if they have a sample, as of late Monday it has not been able to acquire one.
No other security vendor has stepped forward to say it has a copy of Stars.
Security experts need the malware to corroborate claims by Brigadier Gen. Gholam Reza Jalali, the head of Iran's Passive Defense Organization, the military unit that defends the country's nuclear program.
On Monday, Jalali told Iran's Mehr News Agency that the Stars worm had been detected and thwarted, but provided no information on its function or targets, or when it was discovered.
Jalali's claim came just a week after he blamed Siemens for helping U.S. and Israeli teams create Stuxnet.
Stuxnet, which targeted industrial control systems manufactured by Siemens, has been called a "groundbreaking" piece of malware because it used multiple "zero-day" vulnerabilities, hid while it wreaked havoc on Iran's uranium enrichment hardware, and required enormous resources to create.
It's possible that Stars was not a targeted attack aimed at Iran, but simply part of a more traditional broad-based assault, said Haley.
"It could be a mass attack that got through their defenses," he said. "That could have raised the alarm. They're already paranoid about attacks."
Symantec sees millions of threats every day, the vast majority of which are not targeted, Haley said.
If that's the case, trying to identify Stars would be impossible. "In the case of Stuxnet, we actually had samples, we just didn't understand the significance of the threat until later," Haley said. "Finding [Stars] in our database would be like finding a needle in a haystack" without more information from Iran.
"And even if we found something, we wouldn't know if it was the one they're talking about," said Haley.
Other antivirus vendors, including Helsinki-based F-Secure and U.K. security company Sophos, also acknowledged that they could not verify Iran's claims.
"We can't tie this case to any particular sample we might already have," admitted Mikko Hypponen, F-Secure's chief research officer, in a blog post Monday. "We don't know if Iran[ian] officials have just found some ordinary Windows worm and announced it to be a cyber war attack."
Graham Cluley, a senior security technology consultant at Sophos, also said his company had not been able to identify the malware.


Three Secrets & Full Analysis of Flame's Command & Control Servers Unraveled


Flame, the next-generation cyber weapon also known as 'The Super Spy', has already fascinated the cyber-security industry with its sophistication and versatility as a Swiss-Army knife of cyber-spying. Security firm Kaspersky Lab has recently published a new report on the sophisticated nation-state sponsored Flame cyber-espionage campaign. During the research, conducted by Kaspersky Lab in partnership with the International Telecommunication Union’s cybersecurity executing arm IMPACT, CERT-Bund/BSI and Symantec, a number of Command and Control (C&C) servers used by Flame’s creators were analyzed in detail. The analysis revealed new, groundbreaking facts about Flame. In particular, traces of three as yet undiscovered malicious programs were found, and it was discovered that development of the Flame platform dates back to 2006.

Main findings:
  • The development of Flame’s Command and Control platform started as early as December 2006.
  • The C&C servers were disguised to look like a common Content Management System, to hide the true nature of the project from hosting providers or random investigations.
  • The servers were able to receive data from infected machines using four different protocols; only one of them servicing computers attacked with Flame.
  • The existence of three additional protocols not used by Flame provides proof that at least three other Flame-related malicious programs were created; their nature is currently unknown.
  • One of these Flame-related unknown malicious objects is currently operating in the wild.
  • There were signs that the C&C platform was still under development; one communication scheme named “Red Protocol” is mentioned but not yet implemented.
  • There is no sign that the Flame C&Cs were used to control other known malware such as Stuxnet or Gauss.
The Flame cyber-espionage campaign was originally discovered in May 2012 by Kaspersky Lab during an investigation initiated by the International Telecommunication Union. Following this discovery, ITU-IMPACT acted swiftly to issue an alert to its 144 member nations, accompanied by the appropriate remediation and cleaning procedures. The complexity of the code and confirmed links to the developers of Stuxnet all point to the fact that Flame is yet another example of a sophisticated nation-state sponsored cyber operation. Originally it was estimated that Flame started operations in 2010, but the first analysis of its Command and Control infrastructure (covering at least 80 known domain names) shifted this date two years earlier.
The findings in this particular investigation are based on the analysis of content retrieved from several C&C servers used by Flame. This information was recovered despite the fact that Flame’s control infrastructure went offline immediately after Kaspersky Lab disclosed the existence of the malware. All servers were running the 64-bit version of the Debian operating system, virtualized using OpenVZ containers. Most of the servers’ code was written in the PHP programming language. Flame’s creators took certain measures to make the C&C server look like an ordinary Content Management System, in order to avoid attention from the hosting provider.
Sophisticated encryption methods were used so that no one but the attackers could obtain the data uploaded from infected machines. The analysis of the scripts used to handle data transmissions to the victims revealed four communication protocols, only one of which was compatible with Flame. This means that at least three other types of malware used these Command and Control servers. There is enough evidence to prove that at least one Flame-related piece of malware is operating in the wild. These unknown malicious programs are yet to be discovered.
Another important result of the analysis is that development of the Flame C&C platform started as early as December 2006. There are signs that the platform is still under development, since a new, not yet implemented protocol called the “Red Protocol” was found on the servers. The latest modification of the servers’ code was made on May 18, 2012 by one of the programmers.
“It was problematic for us to estimate the amount of data stolen by Flame, even after the analysis of its Command and Control servers. Flame’s creators are good at covering their tracks. But one mistake of the attackers helped us to discover more data than one server was intended to keep. Based on this we can see that more than five gigabytes of data was uploaded to this particular server a week, from more than 5,000 infected machines. This is certainly an example of cyber espionage conducted on a massive scale,” commented Alexander Gostev, Chief Security Expert, Kaspersky Lab.
Here we want to remind you that after the 'Duqu' episode, in the middle of this year the Iranian Computer Emergency Response Team (MAHER) claimed to have discovered a new targeted Stuxnet-style attack on the country's internal systems. This newly found malware was dubbed Flame (also known as Flamer or Skywiper). It was later spotted in the wild when software giant Microsoft confirmed that its Windows Server Update Services (WSUS) and Windows Update (WU) had been affected by the Flame malware. Flame was also a hot topic in many other fields.
For detailed analysis on Flame's command and control (C&C) servers click Here

-Source (Kaspersky)



dna-stuxnet.in hacked by shadow008



Hacker site hacked again. This time the well-known black hat community site dna-stuxnet.in, which specializes in server rooting, was hacked by Shadow008 (Pak Cyber Army).

Hacked Site:- 
http://www.dna-stuxnet.in/


Mirror Link:- 
http://zone-h.com/mirror/id/14090295


U.N. Nuclear Agency Reportedly Fears that it Was Hacked By Iran





The U.N. nuclear agency is investigating reports from its experts that their cellphones and laptops may have been hacked into by Iranian officials looking for confidential information while the equipment was left unattended during inspection tours in the Islamic Republic, diplomats have told The Associated Press.
One of the diplomats said the International Atomic Energy Agency is examining "a range of events, ranging from those where it is certain something has happened to suppositions," all in the first quarter of this year. He said the Vienna-based nuclear watchdog agency was alerted by inspectors reporting "unusual events," suggesting that outsiders had tampered with their electronic equipment.
Two other diplomats in senior positions confirmed the essence of the report but said they had no further information. All three envoys come from member nations of the International Atomic Energy Agency and spoke on condition of anonymity because their information was privileged.
Agency spokeswoman Gill Tudor said the IAEA had no comment on the issue. IAEA inspectors are in Iran touring various facilities every other week.
A woman answering the cell phone of Ali Asghar Soltanieh, Iran's senior envoy to the agency, said Soltanieh "wishes to give no interviews" after the caller identified himself as an AP reporter and before the reporter could say what the call was about.
An agency official, who also spoke on condition that he not be identified, said strict security measures included inspectors' placing their cellphones into seamless paper envelopes, then sealing these and writing across the seal and the envelope to spot any unauthorized opening while they were away.
He said inspectors are not allowed to take their cellphones with them while touring Iran's uranium enrichment facilities and other venues. Laptops, he said, are either locked in bags or sealed the same way as cellphones when they are left temporarily unattended by inspectors. The computers also are sometimes left unattended in hotel rooms at the end of a work day, he said.
But the diplomat who spoke at greatest length about the reported breach said the Iranians had found ways to overcome the security measures. He said he had no further details.
Iran has been under IAEA inspections for nearly a decade after revelations that it was running a secret uranium enrichment program and has been hit with four rounds of U.N. Security Council sanctions over its refusal to halt the activity.
Tehran insists it wants only to provide peaceful nuclear energy for its rising population and notes that the Nuclear Nonproliferation Treaty allows for enrichment as a source of fuel.
But international concerns have grown. The uranium enrichment program could also make fissile warhead material. Also, Iran refuses to cooperate with U.N. investigations of suspicions that it ran alleged experiments related to making nuclear weapons.
Low-enriched uranium can be used to fuel a reactor to generate electricity, which Iran says is the intention of its program. But if uranium is further enriched to around 90 percent purity, it can be used to develop a nuclear warhead.
Olli Heinonen, who stepped down last year as the IAEA's deputy director general in charge of investigating Iran's nuclear program, said information on the laptops is encrypted – and therefore difficult to decipher. Anybody gaining access to information on cellphones would find little sensitive material, he said.
Heinonen speculated that any attempt to access such equipment might have been meant to plant spyware designed to infect the IAEA computer network once the cellphones or laptops are connected and siphon off information.
"It's possible if there is tampering that something is planted in the computer and when you work with sensitive data it transmits it or it contaminates other computers with sensitive information – like Stuxnet," he said.
IAEA officials attribute a temporary breakdown of Iran's enrichment program late last year to the Stuxnet computer worm, and Tehran has acknowledged that Stuxnet affected a limited number of centrifuges – a key component in uranium enrichment – at its main uranium enrichment facility in the central city of Natanz. Tehran blames the United States and Israel for creating and planting the malware.


Vulnerable information security


A drill against hacking conducted by the National Computing and Information Agency has shown the vulnerability of the country’s information infrastructure. Members of college hacking clubs found unencrypted passwords to a data center that operates the entire information system of the government. In a mock attack in 2007, 57 of 67 government organizations were also found to be vulnerable.
Prosecutors announced Monday that the April 12 cyber attack on the National Agricultural Cooperatives Federation, or Nonghyup, was traced to North Korea. North Korea can also target computer networks of other financial institutions, Korea Exchange, and the Korea Financial Telecommunications and Clearings Institute as well as networks of nuclear power plants, military facilities and transportation systems. The 2007 Hollywood action film “Die Hard 4.0” describes how terrorists can paralyze American transportation, financial, electricity and gas systems by hacking the country’s central computer network. Such a dreadful situation could happen in real life.
In the past, hackers took advantage of system weaknesses to spread malicious code and create network disruptions. Nowadays, however, they have become more organized and sophisticated, with clear purposes and targets, as seen in the hacking of financial institutions and online game sites. To break into computer networks with high security, hackers turn personal computers into zombie PCs. They also employ stealth methods that make malicious code and hacking techniques difficult to detect and analyze.
Stuxnet, which targets national infrastructure, is more dangerous. The malware infiltrates a government organization’s integrated control system and paralyzes it. Last year, Stuxnet attacked a nuclear facility in Iran and shut down 20 percent of the facility’s centrifuges. Automated control systems at China’s Sanchia dam and high-speed railway were also affected by the malware. Stuxnet moves from PC to PC and infiltrates computers at industrial facilities via USB drives. Prosecutors said 1,300 personal computers in Korea were infected with the malicious code.
In the wake of the distributed denial of service (DDoS) attack in 2009, the government strengthened its preparedness against cyber attacks and fostered security personnel. As seen in the massive cyber attack on Nonghyup, however, even experts were found to have weak security awareness. In addition, identifying the route of the attack is tough because the bank’s network system was operated by a subcontractor. In this digitalized era, information security is part of a country’s infrastructure. The government needs to conduct a comprehensive review of domestic information infrastructure to preempt a security crisis that can paralyze the entire country.


USA Accused For Planting "Flame" Malware to Hack France President's Network


The well-known French newspaper "L'Express" has accused the United States of using the dangerous cyber weapon "Flame" to break into computer networks inside France’s presidential palace, the Elysee. In its report, L'Express published details of what it claims was a sophisticated state-sponsored hack into the offices of the French presidency earlier this year with the intention of stealing data. According to the newspaper, the attack took place in May 2012, shortly before the second round of the presidential elections in France, but was kept secret until now. The newspaper alleges that the attackers found their targets on Facebook, identifying people working inside the presidential palace and connecting with them on the social network. This social engineering laid the groundwork for the next phase of the attack: the victims were then sent links to a fake Elysee intranet login page, where their credentials were stolen. It is alleged that malware was then installed on the network, infecting computers belonging to senior political advisors, including Xavier Musca, Secretary-General of Nicolas Sarkozy's office. The United States Embassy in Paris has denied any involvement in hacking its ally. “We categorically refute allegations of unidentified sources,” Mitchell Moss, Embassy spokesman, told l’Express. “France is one of our best allies. Our cooperation is remarkable in the areas of intelligence, law enforcement and cyber defense. It has never been so good and remains essential to achieve our common fight against extremist threat.” The Secretary of the Department of Homeland Security, Janet Napolitano, however, did not deny that the U.S. was involved.
She told l’Express: “We have no greater partner than France, we have no greater ally than France. We cooperate in many security-related areas. I am here to further reinforce those ties and create new ones.”

While on the subject of Flame, we would like to remind you that after the 'Duqu' episode, in the middle of this year the Iranian Computer Emergency Response Team (MAHER) claimed to have discovered a new targeted Stuxnet-style attack on the country's internal systems. This newly found malware was dubbed Flame (also known as Flamer or Skywiper). Flame, the next-generation cyber weapon also known as 'The Super Spy', has already fascinated the cyber-security industry with its sophistication and versatility as a Swiss-Army knife of cyber-spying. It was later spotted in the wild when software giant Microsoft confirmed that its Windows Server Update Services (WSUS) and Windows Update (WU) had been affected by the Flame malware. Flame was also a hot topic in many other fields.


-Source (NS & threatpost)

Duqu is Still in Operation, Researcher Found New Duqu Variant


Last month researchers at Kaspersky Lab managed to solve the Duqu mystery. They discovered that this dangerous Stuxnet-related malware was written in a custom object-oriented dialect of C, dubbed “OO C”. But was that sufficient to stop this dangerous cyber weapon? The answer is a resounding no: today a new Duqu variant surfaced, clearly indicating that the attacks are still ongoing and that security experts have still failed to put a solid wall between Duqu and cyberspace. The latest Duqu driver was compiled in February 2012, more than four months after Duqu was first flagged as a unique piece of malware with “striking similarities” to Stuxnet, the mysterious computer worm that targeted nuclear facilities in Iran.
Symantec identified the newly compiled Duqu driver as mcd9x86.sys and said it contains no new functionality beyond spying and collecting data from infected machines. Kaspersky Lab’s Costin Raiu says the latest variant has been engineered to escape detection by the open-source Duqu detector toolkit released by CrySyS Lab.


-Source (ZDnet) 



3 UK websites Hacked by CYB3r.Pr3dat0r of ICA & Team DNA StuXnet


Cybercrime can ruin entire economies



Russian anti-virus guru Eugene Kaspersky does a quick calculation in his head as he blinks at the ceiling. Satisfied, he announces: "About 200000."

That's the number of virus-infected computers in a targeted attack on SA's internet infrastructure that would shut it off from the rest of the world. No e-mail. No electronic transactions. No web searches. No e-government. No Skype, Twitter or Facebook. Nothing.

He's not being alarmist - it happened in Estonia in 2007.
And 200000 rogue computers is not a huge number. Organised syndicates or loners with modest technical know-how and resources can harness millions of virus-infected machines they effectively control to add muscle to their efforts - from stealing money and identities to managing online corporate espionage or collapsing the infrastructure and function of a country's economy and government.
Kaspersky is CEO and founder of Kaspersky Lab, one of the world's top four anti-virus software companies and Europe's biggest. Worldwide, the software anti-virus industry is worth about $7-billion a year in profit for firms in the sector. His fortune is estimated at $800-million and Forbes rates him as Russia's 125th-richest person. He was in SA to talk to business executives and security experts about the rising cybercrime threat to business, governments and organisations of all types.
"There are literally millions of computer viruses in the wild," he says. "Last year alone we collected 20 million of them. Most are variations on a theme and can be dealt with automatically in our labs. However, there are teams of experts at anti-virus organisations around the world that work against new threats round the clock. Once a virus is discovered, it can be reverse-engineered and countered with an antidote pretty quickly," says Kaspersky.
He worries about the ability of viruses, or malware (malicious software), to perform increasingly sophisticated and sinister attacks. Typically, these are denial of service (DoS) assaults using networks of computers infected by malware to bring down websites or online services by bombarding them with data. People who control these botnets can trigger a destructive payload at will.
The 2007 Estonian attack showed a botnet with enough resources could shut down banks, government departments, education networks, the media - just about any organisation with an online presence.
DoS attacks are just one aspect of the destructiveness of modern malware. Malware can also help with identity theft and data theft. The damage can be devastating.
"Estimates put the cost to business of cybercrime at anything between $100-billion and $1-trillion," he says. "One of the reasons it's so hard to put a figure on it is that organisations that have been compromised are reluctant to talk about it."
Another is they don't know about it. Data theft is big business but differs from other forms of pilfering in that the original data stays where it is while a copy is spirited away, often undetected, via the ether.
"Some businesses are aware and active in countering virus attacks. Banks, for example, now build losses from cybercrime into the cost of doing business - they have a budget for it which includes defending against it and compensating for it when breaches occur. Computer viruses have permeated every part of society," he says.
In August 2008, a Spanair airliner crashed just after taking off from Madrid. It was that year's deadliest aviation accident and 154 people died.
Kaspersky says the airline found the computer system used to monitor aircraft technical problems was infected with malware that probably prevented detection of a system failure.
Last year marked the appearance of the Stuxnet virus, a virus so complicated to produce and dispatch that it was probably at least partly the work of, or funded by, a nation state. Speculation is that Stuxnet's purpose was to sabotage an Iranian nuclear reactor, although it can damage a variety of industrial systems.
Computer viruses have come a long way since the first, written in 1982 by US schoolboy Rich Skrenta, 15. Called Elk Cloner and written for early Apple II systems, it replicated itself on floppy disks and displayed a poem, sometimes corrupting disks it infected.
Brain was the first virus to infect IBM PCs and was released in 1986. It was written by two Pakistani brothers and distributed with their medical software to prevent piracy. It replicated itself and slowed systems.
The advent of the commercial internet in the early 1990s provided the ideal vehicle to spread viruses.
More advanced techniques used by virus writers meant they could be used to do anything from data theft and identity fraud to corporate espionage, blackmail and extortion.
Kaspersky says a Swedish bank was attacked in February and the remote access Trojan fooled operators into thinking that the screens they were monitoring had been frozen by a Windows blue screen computer error.
"The first rule when this happens is don't touch anything. They didn't. But the machine wasn't frozen, the virus had generated the blue screen and was diverting funds in the background from a perfectly functioning system that the operators thought wasn't working.
"Now malware writers are using social networks like Facebook and Twitter to spread their work." Organisations were threatened from within by disgruntled staff or criminals as shown by malware found on organisations' computers not connected to the internet.
Kaspersky says the computer virus threat is on the rise and inadequately protected businesses are vulnerable.
"Cybercrime is an industry now. Governments are finding it difficult to fight it because any laws they make regarding cybercrime are difficult if not impossible to enforce in the online world where attacks may come from networks made up of computers in different countries.
"Even on home soil, laws are difficult to keep relevant as the nature of attacks change. And in Japan, for example, there's simply no law against writing computer viruses.
"Lack of understanding the real threat of viruses is a dangerous game for businesses and organisations of all sizes to play," he says.

Duqu Hits The Nuclear Program of Iran


A few days ago we wrote about Duqu, the next-generation cyber attack tool. Now Duqu has shown its first trick by hitting Tehran's nuclear program.
Iran’s nuclear program comes under another cyber threat with ‘Duqu,’ a worm that gathers intelligence data and assets from entities. The new threat comes after Stuxnet, a virus allegedly produced by the United States and Israel that slowed Iran’s first nuclear plant, Bushehr, before it was inaugurated last month. First there was the Stuxnet computer virus that wreaked havoc on Iran’s nuclear program. Now “Duqu” appears to be quite similar, according to researchers on Oct. 18.
“Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party,” security software firm Symantec said on its website. It was named Duqu because it creates files with “DQ” in the prefix. The U.S. Department of Homeland Security said it was aware of the reports and was taking action.


Iran Preparing Stronger Cyber Defense

With cyber crime on the rise, not only the US and UK but also Iran is preparing a stronger cyber defense. According to a report by Iran's Press TV, cyber security has been high on the agenda in Iran in recent years. Tehran says that the reason for its special attention to the issue is the growing number of attacks on Iran’s cyber space by the US and Israel. That’s why the first national conference on cyber security kicked off in Iran’s interior ministry. The event, which hosted high-ranking executive and defense officials and experts, aimed at discussing ways to further strengthen Iranian cyber space against any attacks.
Less than four months ago Iran launched a cyber defense headquarters with the help of its defense and communications ministries. The office categorizes Iran’s national assets into three parts: physical, human and cyber assets. The headquarters says that its responsibility is to protect all three categories, with special emphasis on the country’s cyber assets.
Experts say that a lack of adequate security in a country’s cyber space is like sleeping in a house without locking the door. In 2009 some of Iran’s uranium enrichment facilities were targeted by a computer worm called Stuxnet. Blaming the US and Israel, Iran managed to neutralize the cyber attack. In 2011 Iran’s nuclear program came under another cyber threat with ‘Duqu’. The hacker collective Anonymous also targeted Iran with a massive DDoS attack on 1 May last year.
The main task of cyber defense is to prevent computer worms, or cyber weapons as some call them, from breaking into or stealing data from the country's maximum-security networks. These include nuclear facilities, power plants, data centers and banks. Iran has also established its own laws and definitions of cyber crime. Today there are several laws dealing with the issue, and a special branch of the police force is dedicated to patrolling Iran’s cyber space.


Flame -The "Super Spy" Even On Offline Computers Turning Users into Data Mules

The program known as Flame has fascinated the cyber-security industry with its sophistication and versatility as a Swiss-Army knife of cyber-spying. Now researchers have discovered another unexpected tool in its data-stealing arsenal: You.
Malware analysts at the security firm Bitdefender say they’ve found a unique capability within Flame’s code that would potentially allow it to steal data even from computers that aren’t connected to the Internet or to other networked machines. Instead of simply uploading stolen data to a remote server as traditional spyware does, Flame can also move the target information–along with a copy of itself–onto a USB memory stick plugged into an infected machine, wait for an unwitting user to plug that storage device into an Internet-connected PC, infect the networked machine, copy the target data from the USB drive to the networked computer and finally siphon it to a faraway server.
Spreading itself over an infected USB device is hardly a new trick for malware. But Bitdefender’s researchers say they’ve never before seen a cyberespionage program that can also move its stolen digital booty onto the USB stick of an oblivious user and patiently wait for the opportunity to upload it to the malware’s controllers.
“It turns users into data mules,” says Bitdefender senior malware analyst Bogdan Botezatu. “Chances are, at some point, a user with an infected flash drive will plug it into a secure computer in a contained environment, and Flame will carry the target’s information from the protected environment to the outside world…It uses its ability to infect to ensure an escape route for the data. This is somewhat revolutionary for a piece of malware.”
Flame was designed to use the same .lnk autorun vulnerability first exploited by the NSA-built Stuxnet malware to invisibly install itself on USB devices. To hide its trove of stolen data on the user’s device, Flame copies both itself and its data to a folder labelled with a single “.” symbol, which Windows fails to interpret as a folder name and thus renders as invisible to the user. “What we have here is a little hack/exploit performed on how the operating system is interpreting file names,” Bitdefender’s researchers wrote in a blog post on Flame last week.
When an infected USB is plugged into a networked machine, Flame checks that it can contact its command and control server through that computer. Then it moves its target data off the USB to the PC, compresses it, and sends it to the remote server via HTTPS, according to Bitdefender’s analysis. The researchers found that while Flame is capable of infecting networked PCs for the purpose of exfiltrating its data, the version they analyzed had rendered that infection capability inactive, perhaps to avoid the spyware spreading too far, so that only PCs already infected with Flame would be capable of acting as gateways back to the malware controller’s server. The fact that the spyware’s infection technique was turned off may be evidence that the “data mule” in the Flame operation may in fact have been aware of his or her role as a data smuggler.
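The hiding trick described above, a folder on removable media whose name Windows cannot display, is something a defender can scan for. What follows is an added example written for this page, not Flame's or Bitdefender's code, with hypothetical function names: a small C checker that walks a mounted volume and flags entry names the Win32 namespace cannot normally create or show. It generalises the article's single-dot case to the whole family of such names (names made only of dots, names ending in a dot or a space, reserved device stems such as NUL or COM1). Because POSIX readdir reports "." for every directory as the self link, the walker skips that entry and relies on the predicate for everything else. The sample tree it builds under /tmp is constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical defender-side check written for this article (not Flame's or
 * Bitdefender's code). It flags entry names the Win32 namespace cannot normally
 * create or display: names made only of dots (the article's "." folder, "..."),
 * names ending in a dot or space (Win32 strips them, so Explorer cannot open the
 * entry), and names whose stem is a reserved DOS device (CON, NUL, COM1, ...). */
int is_unshowable_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0) return 0;
    int all_dots = 1;
    for (size_t i = 0; i < n; i++) {
        if (name[i] != '.') { all_dots = 0; break; }
    }
    if (all_dots || name[n - 1] == '.' || name[n - 1] == ' ')
        return 1;
    /* Upper-case the stem (text before the first dot); stems of 8+ chars cannot match. */
    static const char *const reserved[] = {
        "CON", "PRN", "AUX", "NUL",
        "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
        "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9" };
    char stem[8];
    size_t k = 0;
    while (k < n && k < sizeof stem - 1 && name[k] != '.') {
        stem[k] = (char)toupper((unsigned char)name[k]);
        k++;
    }
    stem[k] = '\0';
    if (k == n || name[k] == '.') {
        for (size_t i = 0; i < sizeof reserved / sizeof reserved[0]; i++)
            if (strcmp(stem, reserved[i]) == 0)
                return 1;
    }
    return 0;
}

/* Walk `root` recursively, printing and counting entries with unshowable names.
 * readdir reports "." and ".." for every directory as POSIX self/parent links,
 * so those two are skipped rather than flagged. */
int scan_for_unshowable_names(const char *root)
{
    DIR *dir = opendir(root);
    if (dir == NULL) return 0;
    int hits = 0;
    struct dirent *ent;
    while ((ent = readdir(dir)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s", root, ent->d_name);
        if (is_unshowable_name(ent->d_name)) {
            printf("suspicious entry: %s\n", path);
            hits++;
        }
        struct stat st;
        if (lstat(path, &st) == 0 && S_ISDIR(st.st_mode))
            hits += scan_for_unshowable_names(path);
    }
    closedir(dir);
    return hits;
}

/* Constructed sample tree under /tmp: a "..." folder and, inside a normal "docs"
 * folder, a file whose name ends in a dot. Scanning it yields 2 hits. */
int demo_scan(void)
{
    char root[] = "/tmp/usbscanXXXXXX";
    if (mkdtemp(root) == NULL) return -1;
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/...", root);
    mkdir(path, 0700);
    snprintf(path, sizeof path, "%s/docs", root);
    mkdir(path, 0700);
    snprintf(path, sizeof path, "%s/docs/notes.", root);
    FILE *f = fopen(path, "w");
    if (f != NULL) fclose(f);
    return scan_for_unshowable_names(root);
}

int main(void)
{
    printf("%d suspicious entries found\n", demo_scan());
    return 0;
}
```

To use it on real media, point `scan_for_unshowable_names` at the mount point of the USB stick instead of the demo tree. On a Windows host the same predicate can be applied to names enumerated with the `\\?\` path prefix, which bypasses the path normalisation that makes these entries invisible in the first place.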


Regardless, Botezatu says Flame’s USB-piggybacking trick fits with its profile as a highly sophisticated spying tool meant to steal a target’s most protected secrets–not just another cybercriminal keylogger designed to catch credit card numbers. “Most of the infrastructure it targets is highly contained, often without Internet access,” says Botezatu. “It’s natural for Flame to have a mechanism for moving data from one environment to another that doesn’t rely on Internet or network communications.” Additional details can be found here.

-Source (Forbes)


DARPA Launched Cyber Fast Track (Fund To Innovate Military)

The Defense Advanced Research Projects Agency on Thursday launched Cyber Fast Track, an effort to fund innovative cybersecurity efforts by groups and people who don't usually do work for the government, including hobbyists, boutique security labs, and other small groups of hackers, DARPA project manager Peiter "Mudge" Zatko announced at Black Hat, a UBM TechWeb event, in Las Vegas.
The Cyber Fast Track program, first announced at the annual ShmooCon cybersecurity conference in January, will fund between 20 and 100 projects a year, Zatko said. The short, fixed-price contracts will be awarded with little turnaround time--about 10 days from the receipt of proposals--based on a simple proposal template so as to lower the barrier to entry. Projects will be carried out over no more than a few months. 
Cyber Fast Track will fund experimental projects, including commodity high-end computing, open software tools, and others, that might help the military. For example, Zatko raised possibilities like cheap unmanned aerial vehicles and an automated war-dialer that could repeatedly ring phones in a given area to discourage bomb-makers from building improvised explosive devices. Cyber Fast Track may also fund community efforts, possibly including a bug hunting exercise.
In addition to funding fast, cheap innovation that can later be leveraged by the Department of Defense, Zatko sees Cyber Fast Track as a way to link hackers up with government. "The way government is set up, it's almost impossible for the small businesses, the researchers, the hackers, to get money for research without giving up intellectual property or being purchased and having their company gutted," Zatko said. "I want to make it easier."
While some hackers may be wary of the federal government, Zatko comes with impeccable hacker credentials. He was a member of the L0pht hacker group, created a famous password-cracking tool, and in 1998 testified before Congress that hackers could shut down the Internet in half an hour.
Zatko said that it is difficult for organizations like the L0pht to parse the legalese and government-talk in government contracts, and challenging for them to put together proposals. It takes too long and too much money for venture-backed companies, meanwhile, to justify crafting proposals.
When research is complete, researchers will be able to keep commercial rights to whatever they create, but the government will get government purpose rights that allow it to use, modify, repurpose, or release technical data on the projects in question. They may also be asked to present their efforts to a forum of undergraduate students at a U.S. military service academy, and will be encouraged to continue to update DARPA on the status of their projects once the contract has ended.
In his time at DARPA, Zatko has also been responsible for CINDER, a project that was initially reported by the government to be about insider threats, but which Zatko says is more about combating attacks like Stuxnet and next-generation advanced persistent threats. 

-News Source (Information Week)

Operation Intifada By Anonymous (DDoS attack on Israel Gov)

The latest target of Operation Anonymous, which following the dissolution of LulzSec is the last substantial non-amorphous hacker collective left out there, could lead to some substantial geopolitical fallout. That is because the target of the just-announced upcoming DDoS attack is none other than the Israeli Parliament, the Knesset, and while Israel has allegedly been happy to dispense hack attacks in the past (the onslaught on the Iranian nuclear power plant courtesy of the Stuxnet virus comes to mind), we doubt it will be as happy to be seen on the receiving end of decentralized computer warfare. Either way, with the world focusing on Greece tomorrow, this development, and specifically what form of retaliation Israel adopts, will be yet another important factor to keep track of over the next 24 hours.
-Source Zerohedge


Duqu Mystery Finally Solved By Researcher at Kaspersky Lab

After much drama, the deep mystery of Duqu is finally solved. Researchers at Kaspersky Lab have found that this dangerous Stuxnet-like malware was written in a custom object-oriented C dialect called “OO C”. The mystery began earlier this month, when Kaspersky researchers struggled to determine what programming language had been used to develop Duqu. So the researchers asked the programming community for help in finding the truth. They got overwhelming feedback: 200 comments and more than 60 e-mail messages with suggestions about possible languages and frameworks that could have been used to generate the Duqu Framework code.
The most popular suggestions were:
  • Variants of LISP
  • Forth
  • Erlang
  • Google Go
  • Delphi
  • OO C
  • Old compilers for C++ and other languages
There are two main possibilities: the code was either written using a custom OO C framework, or it was written entirely in OO C by hand, without any language extensions. No matter which of these two variants is true, the implications are impressive. As Kaspersky’s Igor Soumenkov pointed out, the Payload DLL contains 95 Kbytes of event-driven code written in OO C, a language that has no automatic memory management or safe pointers. “This kind of programming is more commonly found in complex ‘civil’ software projects, rather than contemporary malware. Additionally, the whole event-driven architecture must have been developed as a part of the Duqu code or its OOC extension,” said Soumenkov.
This suggests that the developers are old school and don’t trust C++, which is why they relied on C. Another reason for using OO C is that, back in the good old days, it was more portable than C++. Duqu was created by a professional team that wrote the framework based on old code. The full story can be read here.
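To make concrete what “object-oriented C with an event-driven architecture” means to an analyst, here is an added example constructed for this page; it is not Duqu code and not Kaspersky's, and every name in it is hypothetical. It shows a minimal class whose objects begin with a pointer to a table of function pointers (the vtable), a hand-written constructor and destructor in place of automatic memory management, and an event queue whose dispatcher calls handlers through the vtable. That layout, a vtable pointer at offset zero and calls through fixed offsets into it, is the kind of pattern that lets reverse engineers recognise OO C even in a stripped binary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of "object-oriented C" as analysts describe it: each
 * object starts with a pointer to a table of function pointers (the vtable),
 * memory is managed by explicit constructor and destructor calls, and behaviour
 * is driven by events pulled from a queue. All names here are hypothetical. */
struct Object;

/* One shared table of function pointers per class. */
struct VTable {
    const char *class_name;
    void (*handle_event)(struct Object *self, int event_id, const char *payload);
    void (*destroy)(struct Object *self);
};

/* Base object. The vtable pointer is the first field, so in a disassembly every
 * virtual call loads field 0 and then calls through a fixed offset into it. */
struct Object {
    const struct VTable *vt;
    int events_seen;
};

/* A concrete class embeds the base as its first member (single inheritance). */
struct Logger {
    struct Object base;
    char last_payload[64];
};

static void logger_handle_event(struct Object *self, int event_id, const char *payload)
{
    struct Logger *l = (struct Logger *)self; /* downcast is safe: base is first */
    self->events_seen++;
    snprintf(l->last_payload, sizeof l->last_payload, "%d:%s", event_id, payload);
}

static void logger_destroy(struct Object *self)
{
    free(self); /* no garbage collector: the destructor releases memory by hand */
}
static const struct VTable logger_vtable = { "Logger", logger_handle_event, logger_destroy };

/* Constructor: allocate, zero the fields, wire up the vtable. */
struct Object *logger_new(void)
{
    struct Logger *l = calloc(1, sizeof *l);
    if (l == NULL)
        return NULL;
    l->base.vt = &logger_vtable;
    return &l->base;
}

/* Fixed-size event queue; a dispatcher drains it and calls through the vtable. */
#define QUEUE_CAP 16
struct Event { int id; const char *payload; };
struct EventQueue { struct Event items[QUEUE_CAP]; int head, tail; };

int queue_post(struct EventQueue *q, int id, const char *payload)
{
    if (q->tail - q->head >= QUEUE_CAP)
        return 0; /* full: nothing grows on its own, the caller must cope */
    q->items[q->tail % QUEUE_CAP].id = id;
    q->items[q->tail % QUEUE_CAP].payload = payload;
    q->tail++;
    return 1;
}

/* Deliver every queued event to `target` through its vtable; returns the count. */
int queue_dispatch(struct EventQueue *q, struct Object *target)
{
    int dispatched = 0;
    for (; q->head < q->tail; q->head++, dispatched++) {
        struct Event *e = &q->items[q->head % QUEUE_CAP];
        target->vt->handle_event(target, e->id, e->payload); /* virtual call */
    }
    return dispatched;
}

int object_events_seen(const struct Object *o) { return o->events_seen; }
const char *object_class_name(const struct Object *o) { return o->vt->class_name; }
const char *logger_last_payload(const struct Object *o) { return ((const struct Logger *)o)->last_payload; }
void object_destroy(struct Object *o) { o->vt->destroy(o); }

/* Demo: two constructed events are posted and dispatched; the last payload is kept
 * in a static buffer because the object is freed before the function returns. */
static char demo_last[64];
const char *demo_last_payload(void) { return demo_last; }

int demo_run(void)
{
    struct EventQueue q = {0};
    struct Object *obj = logger_new();
    if (obj == NULL)
        return -1;
    queue_post(&q, 1, "startup");
    queue_post(&q, 2, "config-loaded");
    queue_dispatch(&q, obj);
    snprintf(demo_last, sizeof demo_last, "%s", logger_last_payload(obj));
    int seen = object_events_seen(obj);
    object_destroy(obj);
    return seen;
}

int main(void)
{
    int n = demo_run();
    printf("%d events handled, last = %s\n", n, demo_last_payload());
    return 0;
}
```

The point for a defender is recognisability rather than the code itself: without automatic memory management every object has explicit allocation and release paths, and the dispatch loop is a single indirect-call site that a disassembler shows calling through the vtable at a fixed offset. Those are the traits the Kaspersky analysis above relied on when it classified the Duqu payload as hand-written OO C.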



Google Hackers Who Unleashed Hydraq/Aurora Trojan Strikes Again

Computer security firm Symantec has revealed that the hacker group which unleashed the Hydraq or Aurora Trojan horse against Google and 34 other companies in 2009 has also been linked to attacks that have compromised systems at defense contractors, human rights organizations, and other large groups. According to Symantec’s official blog, they have been monitoring the activities of that hacker group for the last three years and found that these attackers have used a large number of zero-day exploits against not just the intended target organization, but also the supply chain manufacturers that service the company in their crosshairs. These attackers are systematic and re-use components of an infrastructure Symantec has termed the "Elderwood Platform". The term "Elderwood" comes from the exploit communication used in some of the attacks. This attack platform enables them to quickly deploy zero-day exploits. The attacking methodology has always used spear phishing emails, but Symantec is now seeing an increased adoption of "watering hole" attacks (compromising certain websites likely to be visited by the target organization). The overall campaign by this group has been dubbed the "Elderwood Project".
Serious zero-day vulnerabilities, which are exploited in the wild and affect a widely used piece of software, are relatively rare; there were approximately eight in 2011. The past few months, however, have seen four such zero-day vulnerabilities used by the Elderwood attackers. Although there are other attackers utilizing zero-day exploits (for example, the Sykipot, Nitro, or even Stuxnet attacks), Symantec has seen no other group use so many. The number of zero-day exploits used indicates access to a high level of technical capability. Here are just some of the most recent exploits that they have used:
  •  Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)
  •  Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875)
  •  Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)
  •  Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535) 
Symantec has published a research paper that details the links between the various exploits used by this group, their method of targeting organizations, and the Elderwood Platform. It puts into perspective the continuing evolution and sheer resilience of the entities behind targeted attacks.