
Poison Ivy RAT tool used in sophisticated cyber attacks


August 27, 2013

According to several internet security experts, the so-called 'Poison Ivy' Remote Access Tool (RAT), often considered a tool for novice script kiddies, has transformed itself into a rather ubiquitous tool of cyber-espionage campaigns in the last few months.

A new study performed by malware protection firm FireEye has revealed that the RAT served as a linchpin of many sophisticated cyber attacks, including the compromise of RSA SecurID data in 2011, and various assaults against chemical makers, government offices, U.S. and European defense contractors and human-rights groups in the second half of 2012.

A webcam sextortionist of the 'peeping Tom' variety has been jailed for 6 years in the United States after targeting several young women in cyberattacks that relied on a modified version of Poison Ivy, an incident which shows that the tool has malign uses beyond cyber-espionage.

Poison Ivy still remains very popular and effective more than eight years after its original release. FireEye has compiled a list of nation state-type cyber attackers making use of the tool.

Those include a group called admin@338 which specialises in cyberattacks targeting the financial services industry. Then you have the th3bug group who have been hammering universities and healthcare facilities for the past four years, and menuPass, a group that has run several cyberespionage attacks against U.S. and European defense contractors since 2009.

Overall, Poison Ivy is the preferred RAT of several hacking groups located in China. Over recent months, other attackers elsewhere in the world have begun adopting the same methodology as well, and the RAT is increasing in popularity.

A hacking campaign by a Middle Eastern group called Molerats switched during June and July to using Poison Ivy to attack Israeli government targets. The latest malware was signed with a fake Microsoft certificate, similar to earlier attacks using the XtremeRAT trojan.

Additionally, FireEye has also intercepted Egyptian and Middle Eastern themed attacks using decoy content in Arabic whose targets still remain uncertain for now but may include targets in the Palestinian authority as well.

"The cyber attacks against Israeli and Palestinian targets that were first documented in 2012 are ongoing," said FireEye. "The attackers, which we have called 'Molerats', have also targeted government entities in Britain and in the U.S."

"In addition to using XtremeRAT, which is popular among Middle Eastern attackers, we have found that Molerats have adopted the use of Poison Ivy RAT, which is traditionally favoured by Chinese attackers," added FireEye.

"For now, we don't know if this is an intentional attempt by MoleRats to deflect attribution to China-based threat actors, or if they have simply added another publicly-available RAT to their arsenal. But this development should raise a warning flag for those who attribute all Poison Ivy attacks to threat actors based in China," said the security firm.

"The ubiquity of off-the-shelf RATs makes determining positive attribution an increasing challenge," it added.

The three FireEye researchers involved in this study are Nart Villeneuve, Ned Moran and Thoufique Haq. The study began in January 2013.

"You can easily download the default version of Poison Ivy," explained FireEye's Ned Moran. "But each of these groups are using a custom version of the tool. We don't believe that these specific custom versions are available for resale, however."

RATs such as Poison Ivy require little technical savvy while offering unfettered access to compromised machines, hence their use even by well-resourced professionals. The RAT is an easy-to-use front end, but the attacks it is part of can be quite sophisticated when viewed as a whole.

"RATs are often delivered as a key component of coordinated attacks that utilize previously unknown (zero-day) software holes and clever social engineering," explained Darien Kindlund, manager of threat intelligence at FireEye. "Attackers can point and click their way through the target’s network to steal data and intellectual property," using tools such as Poison Ivy, he added.

FireEye released a white paper on its research into the hacker tool along with Calamine, a set of free tools to help various organizations detect possible Poison Ivy infections of various types.

In other internet security news

Over the weekend, internet users in China were met with very slow response times or no response at all as the country's .cn domain extension came under severe DDoS (distributed denial of service) attacks from many parts of the world.

The attacks were the largest of their kind in the history of that country's internet communications, according to the China Internet Network Information Center, a state agency that manages the .cn country TLD (top level domain).

The double-barreled attacks took place at around 2 AM Sunday, and then again at 4 AM. The second attack was long-lasting and large-scale, according to state media, which said that internet service was slowly being restored in some parts of the country.

Official state media said the attacks targeted websites with the .cn country domain, as well as the popular microblogging site Sina Weibo.

Distributed Denial of Service (DDoS) attacks aren't technically hack attempts per se, since they can be done without breaking into any server systems.

Typically, DDoS attacks overwhelm a website's servers by flooding them with hundreds of thousands of requests per minute. That makes websites either unreachable, extremely slow or unresponsive.

To bring down larger sites, attackers will sometimes organize large numbers of infected computers to send requests all at once.

Chinese authorities closely regulate content and websites available to internet users in the country. The restrictions are extremely sophisticated, leading some to call it "The Great Firewall."

It's still unclear whether the attack is related to political events in China, which appears to be in the midst of carrying out a big crackdown on internet dissent.

The Chinese government is also wrapping up the trial of former political kingpin Bo Xilai, leading some Web users in China to note the timing of the attack.

".Cn domain names under attack?," one user said on Weibo. "Saw this news and laughed. On every 'festive occasion' doesn't China's internet become paralyzed?"

Another user lodged a more practical complaint, noting that the sluggish internet would probably leave many Chinese without sleep.

In other internet security news

Microsoft's new Windows 8 operating system is so vulnerable to the average hacker that Germany's businesses and government workers should not use it, the country's top authorities have warned in a series of leaked documents.

According to several files published in the German weekly 'Die Zeit', the European nation's officials fear Germans' data is not secure thanks to the OS' Trusted Computing technology, a set of specifications and protocols that relies on every computer having a unique cryptographic key built into the hardware that is used to dictate what software can be run.

Authorities at Germany's Federal Office for Information Security (BSI) later clarified that it was the Trusted Computing specs in Windows 8 in conjunction with the Trusted Platform Module (TPM) chip embedded in the hardware that creates the alleged security issues.

BSI released a statement that backtracked slightly, insisting that using Windows 8 in combination with a TPM may make a system safer, but noting that it is investigating "some critical aspects related to specific scenarios in which Windows 8 is operated in combination with a hardware that has a TPM 2.0".

Trusted Computing is a controversial large set of specifications developed by a group of companies including AMD, Cisco, Fujitsu, Hewlett-Packard, IBM, Intel, Microsoft and Wave Systems Corp.

The technology is designed to stop the use of software and files that do not carry the correct digital rights permissions (thus protecting the property of the vendors behind the protocols), including "unauthorised operating systems" (a specific function of the much-maligned Secure Boot).

Microsoft argues that Secure Boot protects users from rootkits and other malware attacks. The set of permissions is automatically updated online, outside of the control of the user.

A machine that contains a Trusted Platform Module and runs software adhering to the Trusted Computing specifications is, arguably, under the control of the vendor, in this case Microsoft.

It also identifies the machine to the vendor, meaning that users' identities can be linked to their machines as well as their online activities. As Microsoft is a U.S. company, opponents of the protocols argue, users' data is theoretically accessible to U.S. spooks in the National Security Agency via the Foreign Intelligence Surveillance Act, as Die Zeit points out.

A TPM 2.0 chip is being built into more and more computers running Windows 8. The newspaper obtained an internal document from Germany's Ministry of Economic Affairs written at the beginning of 2012. It warned of "the loss of full sovereignty over information technology" and that "the security objectives of 'confidentiality' and 'integrity' are no longer guaranteed".

It continued: "The use of Trusted Computing is unacceptable for the federal administration and the operators of critical infrastructure."

And Trusted Platform Module 2.0 is considerably more invasive than older versions. Once this is rolled out across all Windows PCs, the Germans fear, there will be "simply no way to tell what exactly Microsoft does to its system through remote updates".

"From the perspective of the BSI, the use of Windows 8 in combination with a TPM 2.0 is accompanied by a loss of control over the operating system and the hardware used. This results in new risks for the user, especially for the federal government and critical infrastructure."

We previously described Trusted Computing as the "widely derided idea of computing secured for, and against, its users".

The leaked documents advised that Windows 7 is still safe to use, at least until 2020. Windows 8, on the other hand, is so tied up with Trusted Computing protocols that it is already "unfit for use".

As can be expected, Microsoft has denied there was any backdoor. In a lengthy statement, a spokeswoman insisted that users cannot expect "privacy without good security". Redmond argued that users could purchase machines whose manufacturers had disabled the TPMs.

Presumably this will one day become a selling point, although Microsoft still argues that this will actually make the hardware less "secure".

She said: "TPM 2.0 is designed to be on by default with no user interaction required. Since most users accept OS defaults, requiring the user to enable the TPM will lead to IT users being less secure by default and increase the risk that their privacy will be violated. We believe that government policies promoting this result are ill-advised."

"It's also important to note that any user concerns about TPM 2.0 are addressable. The first concern, generally expressed as 'lack of user control,' isn't correct as most OEMs have the ability to turn off the TPM in x86 machines. Thus, purchasers can buy PCs with TPMs disabled (of course, they will also be unable to utilize the security features enabled by the technology).

"The second concern, generally expressed as 'lack of user control over choice of operating system,' is also incorrect. In fact, Windows has been designed so that users can clear/reset the TPM for ownership by another OS if they wish. Many TPM functions can also be used by multiple OSes (including Linux) concurrently."

Rumors about a backdoor in Windows are almost as old as Microsoft itself. In 2009, we reported on the NSA's admission that it had worked with developers on Windows 7's operating system security, forcing Microsoft to deny that there was a backdoor left open to hackers.

In other internet security news

Less than fifteen days after it was first made aware of the issue, Xerox is now rolling out a fix for a printer software glitch that caused numbers in documents scanned by certain of its WorkCentre multi-function printers (MFPs) to come up garbled and unformatted.

Xerox said late last night: "Our engineering team has been working around the clock to deliver the patch. We have conducted extensive testing both in our labs and in the field to ensure a quality result and an easy installation for your IT staff."

The printer glitch can cause certain digits to be replaced by other digits when documents are scanned in as PDFs. For example, the number "6" might become an "8", a potential nightmare for accountants and others who rely on copies of spreadsheets and similarly number-heavy documents.

Xerox says it has determined that the bug only crops up when scanning what it terms "stress documents", for example documents containing very small type, or with other characteristics that make them hard to read with the naked eye.

Initially, Xerox had believed that the copier issue could be fixed by changing certain settings. Upon further investigation, however, that turned out not to be the case, and the self-styled "Document Company" warned customers that producing a patch for the glitch could take several weeks.

It will take at least a few more days to patch all of the affected devices, but some lucky few Xerox customers could begin updating their printers today after the company issued its first round of patches late last night.

The first devices to get the fix include the Xerox ConnectKey, WorkCentre 75xx, WorkCentre 57xx and ColorQube 93xx series.

Xerox says it will release more patches for "the remainder of the affected products". The company said in early August that 14 models were affected in its next round of fixes, which it hopes to ship the week of August 26.

To further simplify the patch process, Xerox has created a one-stop website at where customers can download both the appropriate patches and support documents explaining how to apply them.

Xerox says that customers can either download and install the patches themselves or contact local service or support reps to take care of it.

In other internet security news

The Guardian’s photo of the computers it claims to have smashed in order to appease the British government over the Snowden affair has been called into question over both what it shows, and what it doesn’t.

Guardian editor Alan Rusbridger yesterday revealed that GCHQ operatives in July paid the newspaper a visit in order to vet the wrecking of one or more computers so that the encrypted contents of their hard drives could no longer be accessed and perhaps one day fall into the wrong hands.

A follow-up story featured a snap of the remains of a computer that held files leaked by Edward Snowden to the Guardian and destroyed at the request of the British government. The photo is the one you see at the left.

The photo certainly shows the remains of a MacBook. But Guardian photographer Roger Tooth's photo also contains what is clearly a second MacBook laptop, along with an old graphics card. You can see the three output connectors on the backplane, and another motherboard, possibly from a small desktop computer or maybe another device, given the large areas empty of circuitry.

The larger of the three motherboards seems too small to have played host to the graphics card, suggesting the Guardian picture shows the remains of at least four computers, and incomplete ones at that. The photo is actually too small to identify the graphics card and the three motherboards precisely.


Source: FireEye.
