Beyond Stuxnet

Looks like someone, and I’m guessing it’s not the Anonymous script kiddies, is getting ready to open a serious can of cyberwarfare whoop ass on someone.

W32.Duqu: The Precursor to the Next Stuxnet

On October 14, 2011, a research lab with strong international connections alerted us to a sample that appeared to be very similar to Stuxnet. They named the threat “Duqu” [dyü-kyü] because it creates files with the file name prefix “~DQ”. The research lab provided us with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet, which we were able to confirm. Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.

See also:
Son of Stuxnet Found in the Wild on Systems in Europe
Duqu May Have Targeted Certificate Authorities for Encryption Keys
Stuxnet Clone ‘Duqu’: The Hydrogen Bomb of Cyberwarfare?
“Son of Stuxnet” Virus Uncovered
New virus a cyber ‘attack in the making’
Cyberattack forecast after spy virus found
Stuxnet successor on the loose?
Brace for “son of Stuxnet” — Duqu spies on SCADA
Duqu: Son of Stuxnet?
Symantec, McAfee differ on Duqu threat
Who’s behind worm Duqu, ‘son of Stuxnet’?
Stuxnet-based cyber espionage virus targets European firms
Key European Nuclear Firms Attacked By Variation On Stuxnet Virus

A couple of conclusions come to mind. First, the fact that Duqu is based on Stuxnet and the Stuxnet source code has never been released makes it a sure bet that the authors are one in the same, namely Israel and/or the United States, Second, the fact that Duqu is clandestinely collecting information from European manufacturers of industrial control system software, specifically software that controls nuclear facilities, strongly suggests that the eventual primary target of the apparent pending cyberattack will, once again, be Iran’s nuclear program.

/in other words, Duqu is setting up a cyberassault that will hopefully finish, once and for all, the job that Stuxnet so effectively started, halting Iran’s quest for a nuclear weapon in its tracks without having to bomb the [expletive deleted] out of their nuclear facilities

Advertisements

Tuesday Is The Time At Microsoft When We Patch

It’s a relatively small one this time, but critical.

Microsoft Fixes 22 Bugs in July Patch Tuesday

Microsoft addressed 22 security vulnerabilities across four security bulletins in July’s Patch Tuesday update. Three of the patches fix issues in the Windows operating system.

The four bulletins patched issues in all versions of the Windows operating system and in Microsoft Visio 2003 Service Pack 3, Microsoft said in its Patch Tuesday advisory, released July 12. Of the patches, only one has been rated “critical.” The remaining three are rated “important,” according to Microsoft.

“Today’s Patch Tuesday, though light, should not be ignored, as these patches address vulnerabilities that allow attackers to remotely execute arbitrary code on systems and use privilege escalation exploits,” said Dave Marcus, director of security research and communications at McAfee Labs.

Security experts ranked Microsoft bulletin MS11-053, which addressed a critical vulnerability in the Windows Bluetooth stack on Windows Vista and Windows 7, as the highest priority. Attackers could exploit the vulnerability by crafting and sending specially crafted Bluetooth packets to the target system to remotely take control, Microsoft said in its bulletin advisory.

See also:
Microsoft Security Bulletin Summary for July 2011
Microsoft fixes 22 security holes
Microsoft issues critical patch for Windows 7, Vista users
Microsoft Releases 4 Updates for Windows and Office
Microsoft warns of critical security hole in Bluetooth stack
Security Experts Warn of Microsoft Bluetooth Vulnerability
Patch Tuesday Fixes Critical Bluetooth Flaw in Windows 7
‘Bluetooth sniper’ Windows vuln fix in light Patch Tuesday
Microsoft Squashes Bluetooth Bug
Microsoft patches ‘sexy’ Bluetooth bug in Vista, Windows 7
Microsoft Fixes 22 Bugs in July Patch Tuesday
Businesses should not ignore critical Microsoft Patch Tuesday update, say experts
Microsoft Patch Tuesday: four security bulletins
Microsoft Patch Tuesday – 12th July 2011
Windows Update

This isn’t the first time you’ve had to update Windows, you know what to do, so get busy.

/until next time, same patch time, same patch channel

Behold Muslims Doing What They Do Best

Another day, more Muslims rampaging and killing innocent people in the name of Islam.

Bombing of Nigerian Beer Garden Kills 25

Suspected Islamic militants threw a bomb into a beer garden in northeastern Nigeria Sunday, killing 25 people and wounding at least 12 others.

Police and witnesses say the attackers drove up to the open-air pub in Maiduguri on motorcycles and tossed a bomb into the crowd of drinkers. Some witnesses say the attackers also fired gunshots into the crowd.

Authorities are blaming Boko Haram, an Islamic fundamentalist group whose name in the Hausa language means “western education is sinful.”

Not to be outdone by the Nigerian Muslims . . .

Muslim Mobs in Egypt Attack Christian Homes, Threaten Priest

Enraged Muslims burned down several Christian-owned homes, surrounded a church and threatened to kill a priest last week in two unrelated incidents in Upper Egypt.

On Saturday (June 25) in Awlad Khalaf village, just outside Sohag, 240 miles (386 kilometers) south of Cairo, local Muslims attacked Coptic Christian Wahib Halim Atteyah, robbed him of 32,000 Saudi Riyals (US$8,530), and bulldozed his home along with the other structures on his property, according to local media. The group then raided six other Coptic-owned homes and burned them to the ground . . .

See also:
Nigeria Boko Haram Islamists ‘bomb Maiduguri drinkers’
Beer garden bomb attack kills 25 in Nigeria
Deadly blast kills 25 in Nigeria
25 killed in Nigerian attacks
Nigerian Islamists open fire on beer garden, kill four
Mob torches Christian homes in Egypt
Report: Egyptian Muslims Torch 8 Christian Homes on Rumor of Church Construction
Christians, Muslims clash over new church in Egypt
Egyptian Muslims torch 8 Christian homes on rumors of church construction
Egypt Christians and Muslims in Violent Clashes Over Church Construction

And this is only a tiny sliver of the worldwide mayhem perpetrated by Muslims, on a daily basis, in the name of Islam. Pick up any paper tomorrow and, like clockwork, there’ll be more.

/just remember, Islam is the Religion of Peace and Tolerance, you know, except for the peace and the tolerance

We’re Number One, We’re Number One!

This is why it’s important to keep your computer security up to date.

US Ranks First for Bot-Infected Computers and Spam Output

According to data gathered by Microsoft’s Malicious Software Removal Tool (MSRT), the United States had the highest number of computers infected with botnet malware, during the first half of 2010.

Botnet are armies of infected computers, which connect to remote command and control (C&C) servers and listen to instructions from attackers.

Botnets can serve a variety of criminal activities, but the largest ones are primarily used to send spam.

According to a recent report from Symantec, during the first half of the year, 90% of the daily spam traffic was generated by five to six million compromised computers.

In the latest edition of its Security Intelligence Report (SIR), Microsoft reveals that during Q2, MSRT has cleaned 2,148,169 bot infections from US computers.

That’s four times more than in the second country on the list, Brazil, with 511,002. Spain (485,603), Korea (422,663) and Mexico (364,554) complete the top five.

“Unsurprisingly, the list is dominated by populous locations with large numbers of computer users, led by the United States and Brazil,” says Microsoft.

However, there are at least two regions with large numbers of computers that do not dominate the list – China, which finished 8th, and Russia, 9th.

See also:
Featured Intelligence – Battling Botnets
USA Is Still #1 In Botnets
United States Ranked Number One for Relaying Spam, Sophos Reports
Report: United States is world’s top spammer
US Has Most Botnet-infected PC’s
Microsoft Report: 2 Million US PCs Part of Botnets
Microsoft: Over 2 million U.S. PCs caught in botnets
Millions Of US Computers Completely Pwned By Botnets
Microsoft: Your Computer Could be One of 2.2 Million Infected Botnet PCs
Microsoft: Botnets are the ‘launch pad of cybercrime’

If you’re not sure whether you have an infected computer, run Microsoft’s Malicious Software Removal Tool (MRT). Go to Start/Run and then type in “mrt”.

/if you’re not part of the solution, you’re part of the problem