Beyond Stuxnet

Looks like someone, and I’m guessing it’s not the Anonymous script kiddies, is getting ready to open a serious can of cyberwarfare whoop ass on someone.

W32.Duqu: The Precursor to the Next Stuxnet

On October 14, 2011, a research lab with strong international connections alerted us to a sample that appeared to be very similar to Stuxnet. They named the threat “Duqu” [dyü-kyü] because it creates files with the file name prefix “~DQ”. The research lab provided us with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet, which we were able to confirm. Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.

See also:
Son of Stuxnet Found in the Wild on Systems in Europe
Duqu May Have Targeted Certificate Authorities for Encryption Keys
Stuxnet Clone ‘Duqu’: The Hydrogen Bomb of Cyberwarfare?
“Son of Stuxnet” Virus Uncovered
New virus a cyber ‘attack in the making’
Cyberattack forecast after spy virus found
Stuxnet successor on the loose?
Brace for “son of Stuxnet” — Duqu spies on SCADA
Duqu: Son of Stuxnet?
Symantec, McAfee differ on Duqu threat
Who’s behind worm Duqu, ‘son of Stuxnet’?
Stuxnet-based cyber espionage virus targets European firms
Key European Nuclear Firms Attacked By Variation On Stuxnet Virus

A couple of conclusions come to mind. First, the fact that Duqu is based on Stuxnet and the Stuxnet source code has never been released makes it a sure bet that the authors are one in the same, namely Israel and/or the United States, Second, the fact that Duqu is clandestinely collecting information from European manufacturers of industrial control system software, specifically software that controls nuclear facilities, strongly suggests that the eventual primary target of the apparent pending cyberattack will, once again, be Iran’s nuclear program.

/in other words, Duqu is setting up a cyberassault that will hopefully finish, once and for all, the job that Stuxnet so effectively started, halting Iran’s quest for a nuclear weapon in its tracks without having to bomb the [expletive deleted] out of their nuclear facilities

When Chinese RATs Attack

Oh, hey, look what China did, again. Isn’t this supposed to be an act of war now?

Massive Global Cyberattack Targeting U.S., U.N. Discovered; Experts Blame China

The world’s most extensive case of cyber-espionage, including attacks on U.S. government and U.N. computers, was revealed Wednesday by online security firm McAfee, and analysts are speculating that China is behind the attacks.

The spying was dubbed “Operation Shady RAT,” or “remote access tool” by McAfee — and it led to a massive loss of information that poses a huge economic threat, wrote vice president of threat research Dmitri Alperovitch.

. . .

Analysts told The Washington Post that the finger of blame for the infiltration of the 72 networks — 49 of them in the U.S. — points firmly in the direction of China.

See also:
Revealed: Operation Shady RAT
McAfee’s Operation Shady RAT exposes national cybersecurity lapses
McAfee discovers massive series of cyber attacks
Hacking Campaign Targets U.S. Government, Signs Point to China
Operation Shady RAT: five-year hack attack hit 14 countries
China Suspected Of Shady RAT Attacks
Q+A: Massive cyber attack dubbed “Operation Shady RAT”
Operation Shady RAT: A frightening web of global cyber-espionage
Operation Shady RAT smells like Chinese hacking
All cursors point to China in global hack attack that threatens nations
China accused of biggest ever global cyber spying attacks
Hackers Based in China Attack UN, Olympic Networks, Security Firms Report
Operation Shady RAT and the cyberhacking
APT Attackers Used Chinese-Authored Hacker Tool To Hide Their Tracks

Why did it take a private security company to uncover the largest case of cyberspying in world history and why aren’t we doing something about it?

/does China have to steal every last piece of sensitive and secret computer data we possess before we start taking this threat seriously?

Can You Hack It?

Calling all hackers, do you pack what it takes?

NSA is looking for a few good hackers

The National Security Agency has a challenge for hackers who think they’re hot stuff: Prove it by working on the “hardest problems on Earth.”

Computer hacker skills are in great demand in the U.S. government to fight the cyberwars that pose a growing national security threat — and they are in short supply.

For that reason an alphabet soup of federal agencies — DOD, DHS, NASA, NSA — are descending on Las Vegas this week for Defcon, an annual hacker convention where the $150 entrance fee is cash only — no registration, no credit cards, no names taken. Attendance is expected to top 10,000.

The NSA is among the keen suitors. The spy agency plays offense and defense in the cyberwars. It conducts electronic eavesdropping on adversaries, and it protects U.S. computer networks that hold super-secret material — a prime target for America’s enemies.

See also:
NSA Wants to Hire Hackers at DefCon
US gov’t building hacker army for cyber war
U.S. government hankers for hackers
U.S. Federal Agencies Look to Hire Hackers at Defcon; Cyber Criminals Offer Services to the Public
US government agencies scouting for computer hackers: report
Federal Agencies to Recruit Hackers at Defcon
R u h4X0R? n33d @ jo8? NSA wants you (locked up in a cubicle, not a cell)
The NSA Wants More Hackers for Their ‘Collection of Geeks’
Welcome to the National Security Agency – NSA/CSS
National Security Agency
Defcon
DEF CON

Would you rather work for them or be hunted down by them? If you’re good enough, it probably pays pretty well and beats sitting in a prison cell.

/don’t forget to bring your white hat

Super Bot

This sure looks like a nasty piece of work.

Massive botnet ‘indestructible,’ say researchers

A new and improved botnet that has infected more than four million PCs is “practically indestructible,” security researchers say.

“TDL-4,” the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is “the most sophisticated threat today,” said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.

“[TDL-4] is practically indestructible,” Golovanov said.

. . .

TDL-4 infects the MBR, or master boot record, of the PC with a rootkit — malware that hides by subverting the operating system. The master boot record is the first sector — sector 0 — of the hard drive, where code is stored to bootstrap the operating system after the computer’s BIOS does its start-up checks.

Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and more, importantly, security software designed to sniff out malicious code.

But that’s not TDL-4’s secret weapon.

What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.

See also:
TDL4 – Top Bot
Sophisticated TDL-4 Botnet Has 4.5 Million Infected Zombies
‘Indestructible’ rootkit enslaves 4.5m PCs in 3 months
TDL-4 creates 4.5 million PC ‘indestructible’ botnet
Security Researchers Discover the Mother of All Botnets
TDL-4: The ‘indestructible’ botnet?
There’s a Botnet Called TDL-4 That’s Virtually Indestructable
‘Indestructible’ Botnet Enslaves 4.5 Million PCs
‘Indestructible’ Zombie PC Botnet Borrows Exploit From Israeli, U.S. Cyberweapon
Have cybercriminals created the perfect botnet — undetectable and indestructible?

If you ever needed a reason and reminder to keep your operating system, anti-virus, and anti-spywware software patched and up to date, this would be a good one.

/remember, if you’re not part of the solution, you’re potentially part of the problem

When Do We Attack China?

This is a pretty bold threat, seeing as how the United States’ government, infrastructure, corporations, and individuals are being seriously cyberattacked ever second of every day.

Cyber Combat: Act of War

The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.

The Pentagon’s first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country’s military.

In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” said a military official.

See also:
Pentagon warns that cyber-attacks will be seen as ‘acts of war’
US Pentagon to treat cyber-attacks as ‘acts of war’
‘Cyber attacks are an act of war’: Pentagon to announce new rules of engagement against state sponsored hackers
US could respond to cyber-attack with conventional weapons
U.S. Government Says Cyber Attacks May Be Acts of War
Pentagon: Computer hacking can constitute an act of war
U.S. will treat cyber-attacks as act of war
Get Your Cyber War On
Acts of War in the Computer Age
The cyber arms race
Matt Gurney: U.S. military says a cyber attack means war. But with who?
The Pentagon Is Confused About How to Fight a Cyber War

So, with all the thousands of state sponsored cyberattacks unfolding 24/7/365, who are we going to attack first, China, Russia? There’s plenty of the usual suspects probing the United States’ cyberdefenses constantly, it’s hard to choose just one culprit. And what if we get the source of a cyberattack wrong? The exact origin of most of these exploits is extremely difficult to pin down. What if we mistakenly launch a missile strike on China for hacking damage that was actually caused by the Russian Mafia, how cool would that be? Probably not very cool at all.

/and, of course, when we announce a brinkmanship policy like this, and then immediately fail to back up our words with deeds, it become much more than just a joke, it manifests a profound, telltale show of national weakness

A Paradigm Shift?

It looks like we’re going to get to see how a real world missile defense system performs under hostile fire.

Iron Dome to Become Operational

Following the recent escalation on the Gaza strip border, the IDF will deploy for the first time the Iron Dome missile defense system in strategic locations in the south of Israel as soon as Sunday, in order to shot down rockets and mortar shells fired at Israeli civilians.

The Iron Dome is a one of a kind portable anti missile system, designed to protect an area stretching over 10 square kilometers from short-range rockets and mortar shells. The system can calculate whether the rockets fired are a threat to civilian population or strategic sites based on their trajectory, thus intercepting only the ones which pose a threat and not handling the ones which will land in open areas.

The Israeli Defense Forces hope the system will perform as expected and intercept all incoming rockets. If it does do so, the IDF will mark another unprecedented historical achievement, which could mean a “game changer” in the Middle East.

See also:
Israel to deploy ‘Iron Dome’ anti-rocket system
Iron Dome Defense To Start Working Sunday in Southern Israel
Iron Dome heads south
Israel deploys air defense system ‘Iron Dome’ near Gaza
Israel to deploy Iron Dome anti-missile system across southern territories
Iron Dome to be deployed in South soon, IDF says
IDF Considers Deploying Iron Dome as of Sunday
What about the Iron Dome?
Vilnai: Israel has strategic reason not to use Iron Dome
Iron Dome

if Iron Dome works, what will the frustrated Hamas terrorists do, or the Hezbollah terrorists for that matter, with their vast Iranian supplied arsenal rendered useless?

/if I were a South Korean, living in Seoul, I’d be paying close attention

Pushing The Cyberwarfare Envelope

A computer worm so sophisticated that it attacks specific targets in specific countries, gee I wonder who would be capable of developing something that advanced?

Stuxnet Compromise at Iranian Nuclear Plant May Be By Design

Iran has confirmed that more than 30,000 PCs have been infected by the Stuxnet worm in that country, including some at the Bushehr nuclear power plant. The nature of the Stuxnet worm and the infiltration of Iranian nuclear facilities has led to speculation about whether the worm was developed by the United States or its allies expressly for that purpose.

The Pentagon response to the implication is the standard cagey reply given for just about anything related to national security or military engagements. Fox News reports that, “Pentagon Spokesman Col. David Lapan said Monday the Department of Defense can “neither confirm nor deny” reports that it launched this attack.”

McAfee AVERT Labs has a thorough analysis of the Stuxnet worm which explains the threat in detail. “Stuxnet is a highly complex virus targeting Siemens’ SCADA software. The threat exploits a previously unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time (CVE-2010-2568, CVE-2010-2729). It also utilizes a rootkit to conceal its presence, as well as 2 different stolen digital certificates.”

Another interesting tidbit from McAfee supporting the speculation that Iran may have been the intended target of Stuxnet is that the initial discovery seemed to be primarily focused in the Middle East.

Speaking on the subject of whether the threat may have been specifically crafted for Iran, Randy Abrams, director of technical education at ESET said, “It appears that it is possible that Stuxnet may have been responsible for problems in Iran’s nuclear program over the past year, however that is speculation and it is unlikely that the Iranian government is going to say if that was the case. It is even possible that it was the case and they don’t know it.”

Abrams added, “It is entirely possible that Stuxnet was created by the United States working alone or in conjunction with allies. The fact that it is possible does not indicate it is true however. There have been a number of recent defections in Iran. It is also possible that this was an internal attack. There is still a legitimate question as to whether or not Iran was actually the target.”

See also:
Stuxnet Update
Iranian power plant infected by Stuxnet, allegedly undamaged
Iran admits Stuxnet worm infected PCs at nuclear reactor
Pentagon Silent on Iranian Nuke Virus
Stuxnet Worm Affects 30,000 Computers in Iran
Stuxnet worm assault on Iranian nuclear facilities’ computers may be Western cyber attack: experts
Computer worm infects Iran’s nuclear station
Stuxnet: Future of warfare? Or just lax security?
Stuxnet – a new age in cyber warfare says Eugene Kaspersky
Has the West declared cyber war on Iran?
Web virus aimed at nuclear work, says Tehran
Report: Stuxnet Worm Attacks Iran, Who is Behind It?
US, Israel behind cyber-attack on Iran?

Well, diplomacy sure as hell isn’t working and no one really wants to launch airstrikes against the Iranian nuclear facilities, especially fraidy cat Obama. So, maybe this is a third option, use the Iranians’ own computers to remotely destroy their nuclear related equipment, perfect, if it actually works. I know I’ve got my fingers crossed. Go U.S. or go Israel or go whoever is responsible for this brilliant plan!

/all your nuclear related computers are belong to us!