
Iran: spy agencies are developing a new worm more powerful than Stuxnet


December 3, 2013


Iran claims that Saudi Arabian and Israeli spy agencies are now developing a new worm more powerful than Stuxnet in an effort to derail Iran’s nuclear program one more time, after country officials met in Vienna last week.

If this seems like a rather bold statement, stranger things have happened in Iran before. The claim comes from Iran’s FARS news agency, thought to have strong ties to the country’s Revolutionary Guard, so a healthy dose of scepticism is probably advised, although not everybody may agree.

Citing “an informed source close to the Saudi secret service”, the agency claims that the November 24 meeting was held to “increase the two sides' cooperation in intelligence and sabotage operations against Iran’s nuclear program”.

“One of the proposals raised in the meeting was the production of a malware worse than the Stuxnet to spy on and destroy the software structure of Iran’s nuclear program,” the source told FARS, adding that the $1 million plan was welcomed by the Saudis.

The two sides had apparently set off on this hardline course after being frustrated by a warming of relations between the United States and Iran, and after a deal was finally worked out between the Islamic Republic, the U.S., Britain, Russia, China, France and Germany.

The November 24 deal, branded a “historic mistake” by Israel, will see Iran agree to halt some of its nuclear activities in return for around £4 billion in sanctions relief.

The claim certainly plays to the paranoia so often present in coverage of the Middle East, but it’s unlikely that Israel would want to anger its allies in Washington by jeopardizing the recent warming up in relations with Iran.

Unless the idea is to have the malware all ready to go in case there’s a sudden breakdown in talks. A final thought: FARS lifted almost word-for-word an entire story last year claiming most rural U.S. voters would rather hang out with former Iranian president Mahmoud Ahmadinejad than Barack Obama.

The agency’s editorial judgement was called into question again this year after it posted a story claiming an Iranian scientist had invented a time machine.

In other internet security news

Overall, about 39 percent of all personal computers submitted to Qualys' browser security test were afflicted with critical security vulnerabilities, most of them related to browser plug-ins.

The findings are based on 1.4 million Browser Check computer scans, and they paint a picture of eCommerce buyers left wide open to potential attacks by cybercriminals just before the busiest online shopping period of the year.

Overall, browser security vulnerabilities are routinely used to push malware at victims from compromised (often otherwise legitimate) websites through drive-by download attacks.

For instance, close to 40 percent of Google Chrome instances were afflicted with a critical security vulnerability, and similar numbers apply to Firefox and especially Internet Explorer, with 35 percent and 41 percent of their instances respectively vulnerable to attacks.

Safari (at 29 percent) and Opera (at 34 percent) came in as the best of a bad bunch, according to the numbers from Qualys.

The overall net population might be somewhat more secure simply because Qualys is looking at a sample of users who have taken the trouble to check their browser security in the first place.

Qualys CTO Wolfgang Kandek says that browser plug-ins were a bigger part of the issue than core security software, and that the trend appears to be growing.

"The browsers themselves are only part of the issue. More and more, we see most of them quite up-to-date, with Chrome leading the pack with 90 percent, Firefox at 85 percent and Internet Explorer trailing with 75 percent," Kandek explained.

"The larger part of the puzzle is contributed by the plug-ins that we use to extend the capabilities of our browsers, led by Adobe Shockwave and followed by Oracle Java and Apple Quicktime," Kandek added.

The overall message is very simple: PC users should patch their computers, and particularly their browser plug-ins, if they don't want to run a higher risk of being victimized by banking trojans, spyware or similar annoyances.

There are various tools available. Kandek has published further commentary on his findings, alongside a chart depicting the distribution of security vulnerabilities between browsers on the Qualys website.

In other internet security news

Symantec said this morning that it has discovered a new worm that exploits various security vulnerabilities in PHP to infect Intel x86-powered Linux devices.

Symantec added that the malware threatens to compromise home broadband routers as well as other, similar equipment.

But home internet equipment with x86 chips is few and far between. Most network-connected embedded devices are powered by ARM or MIPS processors, so the threat, at least for now, seems limited.

However, the security company claims that ARM and MIPS flavors of the Linux worm may be available anyway, which could compromise broadband routers, TV set-top boxes and similar gadgets.

The software also attempts to log into home internet gear using username and password pairs commonly found on such devices, as part of compromising them.

Specifically, the software nasty, Linux.Darlloz, takes advantage of web servers running PHP that do not handle query strings safely, allowing an attacker to execute arbitrary commands.

Once a system is infected, the virus scans the network for other systems running a similar web server and PHP. It then tries to compromise those devices by exploiting PHP to download and run an ELF x86 binary, if necessary, logging in with trivial username-password pairs such as admin-admin, as found in poorly secured broadband routers and similar equipment.

Once running on the newly infiltrated gadget, the worm kills off access to any telnet services running on it. The malware does not appear to perform any malicious activity other than silently spreading itself and wiping a load of system files.

But again, this software is built for x86 processors, which are no longer widely used in embedded devices; ARM, PPC and MIPS versions, however, may be available for download and could be more effective at targeting vulnerable equipment found in millions of homes today.

"Overall, many users may not be aware that they are using vulnerable devices in their homes or offices, at least not now anyway," Symantec's Kaoru Hayashi wrote in a report about the malicious code.

"Another nasty issue we could face is that even if users notice vulnerable devices, no updates have been provided to some products by the vendor, because of outdated technology or hardware limitations, such as not having enough memory or a CPU that is too slow to support new versions of the software," he added.

To protect devices from potential attacks, Symantec recommends users and administrators place basic security protections in place, such as changing device passwords from default settings, updating the software and its firmware on their devices, and monitoring network connections and architecture to make sure that everything is safe.

In other internet security news

Internet hackers based in Russia have cooked up a set of very nasty Trojan viruses that communicate over peer-to-peer networks using an encrypted darknet protocol that's arguably even stealthier than TOR: I2P.

Dubbed the i2Ninja virus, the malware offers a similar set of capabilities to other major banking malware such as ZeuS and SpyEye, including an HTML injection and form-grabbing for all major browsers (Internet Explorer, Firefox and even Chrome), as well as an FTP grabber and a soon-to-be released VNC (Virtual Network Connection) module, which will allow remote control of compromised desktops.

Additionally, the Trojan worm also provides a PokerGrabber module targeting major online poker sites and an email grabber.

But what really sets the malware apart from the rest is its arcane communications technology, as a blog post by transaction security firm Trusteer explains.

The i2Ninja takes its name from the malware’s use of I2P, a networking layer that uses cryptography to allow secure communication between its peer-to-peer users. While that concept is somewhat similar to TOR services, I2P was designed to maintain a true Darknet, an Internet within an Internet where secure and anonymous messaging and the use of various services can be maintained.

The I2P network also offers HTTP proxies to allow anonymous internet browsing. Using the I2P network, i2Ninja can maintain secure communications between the infected devices and command and control servers. Everything from delivering configuration updates to receiving stolen data and sending commands is done via the encrypted I2P channels.

The i2Ninja malware also offers users a proxy for anonymous internet browsing, promising complete online anonymity. Trusteer, which was recently acquired by IBM, came across the i2Ninja malware through a posting on a Russian cybercrime forum.

Etay Maor, a fraud prevention manager at Trusteer, explains that around-the-clock support is on hand for potential customers of the cybercrime tool.

"Another feature of I2P with the i2Ninja virus is an integrated help desk via a ticketing system within the malware’s command and control," Maor explains. "A potential buyer can communicate with the authors/support team, open tickets and get answers – all while enjoying the security and anonymity provided by I2P’s encrypted messaging nature," he said.

"While some malware offerings have offered an interface with a support team in the past (Citadel and Neosploit to name two), i2Ninja’s 24/7 secure help desk channel is a first," added Maor.

The post advertising i2Ninja was actually copied from a different source and shared within the forum on a thread discussing P2P Trojans, Maor adds.

"The cybercriminal who originally made the offer commented on this thread and confirmed that indeed this malware is for sale at this time. As the thread progressed, that same cybercriminal also requested that the thread be shut down as he had received many requests for purchasing the i2Ninja malware," he adds.

Trusteer says the malware would most likely spread via the usual vectors: drive-by-download infections, fake ads, email attachments and so on. The purchase or rental price of the Trojan remains undetermined at this time.

In other internet security news

System admins who are given the task of managing JBoss application servers are advised to get busy hardening their systems, as a sudden increase in the number of attacks against the platform has been reported by internet security firm Imperva.

The JBoss attacks are based on an exploit that was published last month by Andrea Micalizzi. The exploit code gave remote attackers arbitrary code execution access to HP's PCM Plus and Application Lifecycle Management systems without authentication.

The attack also works against McAfee, Symantec and IBM systems using JBoss 4.x and 5.x. Imperva's advisory states that the company is now seeing an increasing amount of attack traffic using the exploit.

What's surprising, Imperva says, is that while the Micalizzi exploit code only hit the waiting world this year, the security vulnerability has been known since 2011.

The attack works by exploiting the HTTP invoker service in JBoss, used to provide access to Enterprise Java Beans. Imperva says the Micalizzi exploit “abuses invoker/EJBInvokerServlet to deploy a web shell code that enables the hacker to execute arbitrary Operating System commands on the victim server’s system.”

In the HP environment, this would provide access to the PCM Plus and ALM management consoles. There are currently about 23,000 servers exposing their JBoss management interfaces to the Internet, up from 7,000 in 2011, Imperva says, with several infections spotted in the wild.
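A defender's first question after reading the Imperva advisory is whether any of their own JBoss hosts answer requests to the invoker servlets from the Internet. The following is an added example, not code from Imperva or JBoss: it parses a few constructed access-log lines, flags requests to invoker/EJBInvokerServlet (named on this page) and its well-known sibling endpoints on JBoss 4.x/5.x, and singles out clients whose POST was actually accepted, which indicates exposure rather than a mere probe.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Dec/2013:10:14:01 +0000] "POST /invoker/EJBInvokerServlet HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [02/Dec/2013:10:15:09 +0000] "GET /jmx-console/ HTTP/1.1" 403 0 "-" "curl/7.22"
192.0.2.10 - - [02/Dec/2013:10:16:30 +0000] "GET /app/index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Dec/2013:10:17:45 +0000] "POST /Invoker/JMXInvokerServlet?x=1 HTTP/1.1" 500 0 "-" "Mozilla/4.0"
"""

# Only the fields the checks below need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# JBoss 4.x/5.x invoker and console endpoints that should never be reachable
# from the Internet. EJBInvokerServlet is the one named in Imperva's advisory;
# the others are its well-known siblings on the same servers. Stored lowercase
# because the comparison below is case-insensitive.
SENSITIVE_PREFIXES = (
    "/invoker/ejbinvokerservlet",
    "/invoker/jmxinvokerservlet",
    "/jmx-console",
    "/web-console",
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_sensitive(path):
    """True if the path, ignoring query string and case, hits an invoker/console."""
    clean = path.split("?", 1)[0].lower()
    return clean.startswith(SENSITIVE_PREFIXES)

def find_invoker_hits(log_text):
    """Map client IP -> [(method, path, status)] for every invoker/console request."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sensitive(rec["path"]):
            hits[rec["ip"]].append((rec["method"], rec["path"], int(rec["status"])))
    return dict(hits)

def successful_posts(hits):
    """Clients whose POST to an invoker got a 2xx: exposed, not merely probed."""
    return sorted(ip for ip, recs in hits.items()
                  if any(m == "POST" and 200 <= s < 300 for m, _, s in recs))

if __name__ == "__main__":
    found = find_invoker_hits(SAMPLE_LOG)
    print("invoker/console hits:", found)
    print("confirmed exposure from:", successful_posts(found))
```

A 4xx on these paths means the front-end filter is doing its job; a 2xx on a POST means the invoker is live and the host belongs on the hardening list regardless of whether the request was malicious.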

Last month, HP said that it updated its JBoss implementation, although we're still waiting for the details. We should have them soon, the company said.

In other internet security news

Internet security agency FireEye has identified specific links between 11 APT campaigns, including the utilization of the same malware tools, shared code, binaries with the same timestamps, and signed binaries with the same digital certificates.

To be sure, state-sponsored hackers are looking less like traditional hacking crews and more like well organized military units as they share infrastructure and adopt strict hierarchies, according to new data released late yesterday.

The 11 APT campaigns targeted a wide range of various industries and appeared unrelated at first, until cyber-sleuths uncovered digital evidence that clearly linked the attacks.
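The linking FireEye describes (shared tools, identical build timestamps, binaries signed with the same certificate) is essentially a connected-components problem over per-sample metadata. The following is an added example, not FireEye's code or data: it runs a union-find over constructed sample records and reports which campaigns cluster together and on what evidence, with tool family treated as an optional, weaker link since a widely sold RAT would connect unrelated buyers.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample metadata (not FireEye's data): one record per binary.
# "cert" stands in for a signing-certificate thumbprint, "ts" for a compile
# timestamp and "tool" for the RAT builder family; None means not observed.
SAMPLES = [
    {"campaign": "A", "tool": "9002",   "ts": 1370000000, "cert": "cert-1"},
    {"campaign": "B", "tool": "9002",   "ts": 1370000000, "cert": None},
    {"campaign": "C", "tool": "tool-x", "ts": 1369000000, "cert": "cert-1"},
    {"campaign": "D", "tool": "tool-y", "ts": 1368000000, "cert": "cert-2"},
    {"campaign": "E", "tool": "tool-y", "ts": 1368000500, "cert": None},
    {"campaign": "F", "tool": "tool-z", "ts": 1367000000, "cert": None},
]

# Attributes whose exact match counts as a link. "tool" is left out by default:
# a widely sold RAT family would link every buyer to every other buyer.
STRONG_KEYS = ("ts", "cert")

class UnionFind:
    """Minimal disjoint-set structure over campaign names."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def link_campaigns(samples, keys=STRONG_KEYS):
    """Return (clusters, evidence): clusters is a sorted list of sorted campaign
    groups; evidence maps (campaign1, campaign2) -> [(attribute, shared value)]."""
    uf = UnionFind()
    evidence = defaultdict(list)
    for s in samples:
        uf.find(s["campaign"])            # register campaigns that link to nothing
    for key in keys:
        by_value = defaultdict(set)
        for s in samples:
            if s.get(key) is not None:    # an absent attribute is not evidence
                by_value[s[key]].add(s["campaign"])
        for value, camps in by_value.items():
            for c1, c2 in combinations(sorted(camps), 2):
                uf.union(c1, c2)
                evidence[(c1, c2)].append((key, value))
    groups = defaultdict(list)
    for c in list(uf.parent):
        groups[uf.find(c)].append(c)
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, dict(evidence)
```

With the strong keys only, A, B and C fold into one cluster (A and B share a timestamp, A and C a certificate) while D and E stay apart; adding "tool" to the keys merges D and E through the shared builder, which is exactly the kind of weaker inference an analyst should be able to switch on and off.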

The shared development and logistics operation used to support several APT actors in distinct but overlapping campaigns points to the role of a digital quartermaster.

The role of this cyber organiser is different from that occupied by exploit brokers (firms and/or individuals who discover or re-sell security vulnerabilities and exploits), according to FireEye.

"The main difference between the quartermaster that we identified and exploit-brokers is that we have no evidence to show the quartermaster also develops exploits for known or unknown vulnerabilities," said Ned Moran, a senior malware researcher from FireEye.

"We know specifically that the quartermaster develops custom remote access tools but we don't know if they also develop and supply operators with exploits," Moran added.

The emergence of a common development and logistics centre means that attackers are adopting an industrialized approach to cyber-spying, and that defenders of trade secrets and other digital assets are facing more organized and capable adversaries.

The mission of the digital quartermaster is to supply and maintain malware tools and weapons to support cyber espionage. The digital quartermaster also might be a cyber arms dealer, a common supplier of tools used to conduct attacks and establish footholds in targeted systems.

But common features in the campaigns tied together by FireEye suggest it's more likely that we're dealing with someone who works exclusively with Chinese hacking groups, rather than the hi-tech equivalent of an arms dealer.

"Based on the Chinese language user interface of the 9002 Builder, the tool used to build the 9002 remote access Trojans, we believe the digital quartermaster spoke or read Chinese," Moran added.

"It's also possible that the operators of the eleven different campaigns also spoke or read Chinese," he said. FireEye's report revealing the emergence of a malware cyber arms dealer, entitled Supply Chain Analysis: From Quartermaster to Sunshop, can be found on their website.

In other internet security news

Adobe said earlier this morning that it has released a new series of scheduled security patches to better address critical issues in its Flash Player and ColdFusion software.

Adobe says the security updates are necessary, and the company will tackle a pair of additional security vulnerabilities in the two platforms which could be exploited remotely by attackers.

Adobe has had more than its share of security issues in 2013. For Flash Player, the update applies to Windows, Linux and OS X systems, and solves the issue of remote code execution flaws.

Adobe warns that if targeted, the security holes could allow a potential attacker to execute attack code on a targeted system without requiring any user notification or interaction.

To install the update, Adobe recommends that users update to the latest versions of Adobe Flash Player and, if necessary, Adobe AIR. The company noted that users running Google Chrome and Internet Explorer on Windows 8 and 8.1 will automatically receive the update when they update to the latest versions of their browser.


Source: The Islamic Republic.
