A new variant of the Lethic botnet virus has been discovered
November 15, 2010
A new variant of the Lethic botnet virus has been discovered this morning, and it comes signed with a digital certificate from the same company whose identity was stolen by the infamous Stuxnet industrial control system virus, discovered in July in software from German power grid software company Siemens.
Lethic is an email spam-transmission botnet that ranks relatively low in terms of the number of compromised computers observed in the recent past. However, it bears a disproportionately high share of responsibility for the shady pharmaceutical and replica watch junk mail that many Internet users have been receiving since June of 2010.
So far, takedown efforts against the botnet's command and control systems back in January only provided temporary relief, and now it appears that the botnet's activity could be on the increase again.
Recent variants of the Lethic botnet come signed with digital certificates from Taiwanese IT hardware manufacturer Realtek Semiconductor Corp., just like variants of Stuxnet that recently infected power plants in Iran, India and elsewhere. Stuxnet is capable of reprogramming SCADA-based industrial control systems, and that is what makes these security risks so serious.
Authorities in Iran admitted that the virus did infect systems at its controversial Bushehr Nuclear Power Plant but denied categorically that this was the reason for subsequent delays in bringing the reactor online, blaming instead a mystery minor leak.
The digital Realtek certificate misused by the Stuxnet worm was verified by a certificate authority. Lethic's Realtek signature, by contrast, wasn't verified and is most likely some sort of forgery, according to Internet security experts.
Zscaler & Associates, the security company that first noticed the abuse of the Realtek certificate, says that this is clear evidence that the malware authors are targeting the same organization for convenience, rather than evidence of any collusion between the unknown Stuxnet and Lethic groups.
Mike Geide of Zscaler & Associates performed a detailed analysis of these security issues and concludes that even though the Realtek signature used in recent variants of Lethic was a counterfeit, the same methodology could have been applied by the same group of hackers to other variants of similar malware.
"While this isn't a digital signature per se, it still identifies some critical data that may be able to tie certain malware samples to the same author or group of authors," says Geide.
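As an added example (not from the article or from Zscaler's analysis), the script below locates the Authenticode signature block in a Windows PE file (the Security data directory) and hashes the raw signature blob, producing exactly the kind of data Geide describes: samples that carry the same pasted-in, unverifiable "Realtek" signature share one fingerprint regardless of their other bytes. The PE image it parses is a constructed minimal stub built inline, not a real binary, and the example assumes the forged signature blob is copied verbatim between samples; it does not verify the signature cryptographically.

```python
import hashlib
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData

def build_sample_pe(cert_blob, timestamp=0):
    """Constructed PE32 stub (not executable) with an optional WIN_CERTIFICATE
    appended at file offset 512 and referenced from data directory 4 (Security).
    cert_blob=None yields an unsigned stub."""
    cert_off = 512
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> PE header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, SymTab ptr,
    # NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    header = bytes(dos) + b"PE\0\0" + coff
    if cert_blob is None:
        return (header + bytes(opt)).ljust(cert_off, b"\0")
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(win_cert))
    return (header + bytes(opt)).ljust(cert_off, b"\0") + win_cert

def extract_authenticode(pe):
    """Return (certificate_type, raw_blob) from the Security directory, or
    None when the image carries no embedded signature."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                               # past "PE\0\0" + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ directory base
    # For the Security directory the "VirtualAddress" field is a raw file offset.
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if sec_off == 0 or sec_size == 0:
        return None
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    return cert_type, pe[sec_off + 8:sec_off + length]

def signature_fingerprint(pe):
    """SHA-256 of the embedded signature blob: a clustering key for samples
    that reuse the same (possibly forged) signature, or None if unsigned."""
    found = extract_authenticode(pe)
    return None if found is None else hashlib.sha256(found[1]).hexdigest()
```

Two stubs built with different timestamps but the same blob yield the same fingerprint, which is the grouping signal; a different blob or an unsigned image does not.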
On Nov. 3, the U.S. Computer Emergency Readiness Team (CERT) warned that Shodan, a lesser-known search engine that indexes specialized Internet devices, including the complex equipment used to control power grids, refineries and even nuclear power plants, is actually assisting potential hackers in discovering and accurately pinpointing critical industrial control systems that are extremely vulnerable to tampering.
In July, German power specialist Siemens said that it had discovered some critical Internet security issues in its power-grid management software and had provided its users with safety patches to clear the problem. Now some security experts are saying that the patches weren't enough, since the security vulnerabilities appear to still be there.
The year-old search engine known as Shodan makes it very easy to locate Internet-facing SCADA (Supervisory Control And Data Acquisition) systems, some of which were designed by Siemens. As white-hat hacker and Errata Security expert Robert Graham says, the Shodan search engine can also be used to identify systems with known security vulnerabilities, which is exactly what hackers are looking for.
“The identified systems range from stand-alone workstation applications to larger wide area network (WAN) configurations connecting remote facilities to central monitoring systems and application servers in more than one data center,” CERT wrote in an advisory published late yesterday.
“These critical control and management systems have been found to be readily accessible from the Internet and with specialized tools such as Shodan, and the resources required to identify them now have been greatly reduced.”
Besides opening up industrial control systems to attacks that target unpatched security vulnerabilities, the information provided by Shodan also makes some networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults, CERT warned.
CERT advised senior system administrators to tighten security by:
CERT's warning comes a few weeks after reports that a worm called Stuxnet burrowed into SCADA systems controlling nuclear power plants. The attack, which many researchers speculate was intended to disrupt Iran's nuclear aspirations, demonstrated the success that determined hackers have had in penetrating critical and (almost) national-security control systems in use today.
Short for Sentinel Hyper-Optimized Data Access Network, Shodan contains a wealth of information about network routers, switches, servers, load balancers and other specific hardware that is directly attached to the Internet.
Its database was built by indexing metadata contained in the headers the hardware sends to other devices. Searches can be filtered by port, hostname and country. In other words, not only can it identify a Solaris server, in many cases it can identify a Solaris server located in Pakistan that is still vulnerable to a known exploit.
Shodan can also easily determine whether a server is running Linux, Windows or another type or version of operating system, along with about 20 other important system parameters, such as how long the server has been running, whether there have been any recent IP address or network changes, and when those changes took place.
Source: Zscaler & Associates.