
Super-malware Stuxnet had an older sibling


November 21, 2013

Some internet security researchers are now saying that super-malware Stuxnet had an older sibling that was designed to wreck Iran's nuclear facilities, albeit in a different manner.

The elder strain of the virus, dubbed Stuxnet Mark I, dates from 2007, three years before Stuxnet Mark II was discovered and documented in 2010.

Writing in Foreign Policy magazine yesterday, top computer security researcher Ralph Langner claimed that the Mark I version of the weapons-grade malware would infect the computers controlling Iran's sensitive scientific equipment, and carefully ramp up the pressure within high-speed rotating centrifuges.

Those machines are vital in Iran's uranium enrichment process as they separate the uranium-235 isotope used in nuclear power plants to create atomic energy.

The malware operated by overriding gas valves attached to the equipment while hiding sensor readings of the abnormal activity from the plant's engineers and scientists.

The goal was to sabotage the cascade protection system that kept thousands of 1970s-era centrifuges operational. The 2010 version, by contrast, targeted the centrifuge drive systems: it quietly sped up and slowed down rotors connected to centrifuges until they reached a specific breaking point, triggering an increased rate of failures as a result.

Stuxnet Mark II famously hobbled high-speed centrifuges at Iran's uranium enrichment facility at Natanz in 2009 and 2010 after infecting computers connected to SCADA industrial control systems at the plant. This flavor of Stuxnet was allegedly developed as part of a wider US-Israeli cyber-warfare effort, codenamed Operation Olympic Games, that began under the presidency of George W. Bush back in 2005.

But prior to that, Stuxnet Mark I sabotaged the protection system the Iranians hacked together to keep their obsolete and unreliable IR-1 centrifuges safe, as Langner explained in detail in his report. Once installed on computers controlling the equipment, the subtle overpressure attack ultimately damaged the machinery beyond repair, forcing engineers to replace it.

The malware took great care to closely monitor its effects, allowing its masters to carefully avoid any activity that may result in immediate, catastrophic destruction – because that would have led to a postmortem examination that could have exposed the stealthy sabotage.

Samples of the Mark I malware were submitted to online malware clearing house VirusTotal in 2007, but it was only recognized as such five years later in 2012.

For now, the immediate results of the overpressure attack are unknown, but whatever they were, Stuxnet Mark I's handlers decided to try something different in 2009, deploying the Mark II variant that became famous after it accidentally escaped into the wild in 2010.

Langner reckons Stuxnet Mark II was "much simpler and much less stealthy than its predecessor"; a less complex yet more elegant Stuxnet could have proved more effective and reliable than the convoluted Mark I version.

The Mark I had to be installed on a computer connected to the industrial control system to carry out its sabotage, or otherwise infect a machine from a USB drive. It was probably installed by a human, either wittingly or unwittingly; we don't know for now.

Later, the Mark II spread over local-area networks, exploited zero-day Microsoft Windows vulnerabilities to silently install itself, and was equipped with stolen digital certificates so that its driver-level code appeared to be legitimately signed software. But this made Mark II easy to recognize as malign by antivirus experts once it was discovered.

Langner, well known for his earlier Stuxnet analysis, says that the Mark II escaped into the wild after it infected the Windows laptop of a sub-contractor who subsequently connected the PC to the wider internet, contrary to the myth that the malware spread itself across the web as the result of an internal software security flaw.

Having compromised several industrial control systems at Iran's nuclear centre, Stuxnet's masters "were in a position where they could have broken the victim's neck, but they chose continuous periodical choking instead", according to Langner.

In other internet security news

Internet hackers based in Russia have cooked up a set of very nasty Trojan viruses that communicate over peer-to-peer networks using an encrypted darknet protocol that's arguably even stealthier than TOR: I2P.

Dubbed the i2Ninja virus, the malware offers a similar set of capabilities to other major banking malware such as ZeuS and SpyEye, including HTML injection and form-grabbing for all major browsers (Internet Explorer, Firefox and even Chrome), as well as an FTP grabber and a soon-to-be released VNC (Virtual Network Connection) module, which will allow remote control of compromised desktops.

Additionally, the Trojan worm also provides a PokerGrabber module targeting major online poker sites and an email grabber.

But what really sets the malware apart from the rest is its arcane communications technology, as a blog post by transaction security firm Trusteer explains.

The i2Ninja takes its name from the malware's use of I2P, a networking layer that uses cryptography to allow secure communication between its peer-to-peer users. While that concept is somewhat similar to TOR services, I2P was designed to maintain a true Darknet, an Internet within an Internet where secure and anonymous messaging and the use of various services can be maintained.

The I2P network also offers HTTP proxies to allow anonymous internet browsing. Using the I2P network, i2Ninja can maintain secure communications between the infected devices and command and control servers. Everything from delivering configuration updates to receiving stolen data and sending commands is done via the encrypted I2P channels.

The i2Ninja malware also offers users a proxy for anonymous internet browsing, promising complete online anonymity. Trusteer, which was recently acquired by IBM, came across the i2Ninja malware through a posting on a Russian cybercrime forum.

Etay Maor, a fraud prevention manager at Trusteer, explains that around-the-clock support is on hand for potential customers of the cybercrime tool.

"Another feature of I2P with the i2Ninja virus is an integrated help desk via a ticketing system within the malware’s command and control," Maor explains. "A potential buyer can communicate with the authors/support team, open tickets and get answers – all while enjoying the security and anonymity provided by I2P’s encrypted messaging nature," he said.

"While some malware offerings have offered an interface with a support team in the past (Citadel and Neosploit to name two), i2Ninja’s 24/7 secure help desk channel is a first," added Maor.

The post advertising i2Ninja was actually copied from a different source and shared within the forum on a thread discussing P2P Trojans, Maor adds.

"The cybercriminal who originally made the offer commented on this thread and confirmed that indeed this malware is for sale at this time. As the thread progressed, that same cybercriminal also requested that the thread be shut down as he had received many requests for purchasing the i2Ninja malware," he adds.

Trusteer says the malware would most likely spread via the usual vectors: drive-by download infection, fake ads, email attachments, etc. The purchase or rental price of the Trojan remains undetermined at this time.

In other internet security news

System admins who are given the task of managing JBoss application servers are advised to get busy hardening their systems, since a sudden increase in the number of attacks against the system has been reported by internet security firm Imperva.

The JBoss attacks are based on an exploit that was published last month by Andrea Micalizzi. The exploit code gave remote attackers arbitrary code execution access to HP's PCM Plus and Application Lifecycle Management systems without authentication.

The attack also works against McAfee, Symantec and IBM systems using JBoss 4.x and 5.x. Imperva's advisory states that the company is now seeing an increasing amount of attack traffic using the exploit.

What's surprising, Imperva says, is that while the Micalizzi exploit code only hit the waiting world this year, the security vulnerability has been known since 2011.

The attack works by exploiting the HTTP invoker service in JBoss, used to provide access to Enterprise Java Beans. Imperva says the Micalizzi exploit "abuses invoker/EJBInvokerServlet to deploy a web shell code that enables the hacker to execute arbitrary Operating System commands on the victim server's system."

In the HP environment, this would provide access to the PCM Plus and ALM management consoles. There are currently about 23,000 servers exposing their JBoss management interfaces to the Internet, up from 7,000 in 2011, Imperva says, with several infections spotted in the wild.
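A first defensive check for the exposure described above is to look at who is actually reaching the JBoss invoker context. The following is an added example, not code from the article, Imperva or the JBoss project: it scans Combined Log Format access-log lines for requests under /invoker/, rates each one by whether it hits the EJBInvokerServlet named in the article and whether the client address is outside the site's internal ranges, and returns the findings so they can be fed to whatever alerting is in place. The log lines are constructed; /invoker/status is a made-up sibling path used only to exercise the prefix rule, and the internal address ranges are an assumption to adjust per site.

```python
"""Flag traffic to the JBoss HTTP invoker in a web access log.

Added example (not the article's, Imperva's or JBoss's code). The article says
the published exploit abuses invoker/EJBInvokerServlet and that thousands of
servers expose their JBoss management interface to the Internet, so the first
question for an admin is: is anyone outside talking to /invoker/ at all?
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Combined Log Format: host ident authuser [date] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

EJB_INVOKER = "/invoker/EJBInvokerServlet"   # servlet named in the article
INVOKER_PREFIX = "/invoker/"                 # JBoss HTTP invoker context

# Assumed internal ranges; replace with the site's own allocation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed log lines (documentation address ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2013:10:02:11 +0000] "POST /invoker/EJBInvokerServlet HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Nov/2013:10:03:00 +0000] "GET /invoker/EJBInvokerServlet HTTP/1.1" 200 87',
    '198.51.100.9 - - [21/Nov/2013:10:05:42 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 4096',
    '203.0.113.7 - - [21/Nov/2013:10:06:10 +0000] "POST /invoker/status?x=1 HTTP/1.1" 404 0',
    'garbage line that does not parse',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_external(ip: str) -> bool:
    """True when the client address is outside every INTERNAL_NETS range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Severity for one parsed request, or None if it is not invoker traffic."""
    path = rec["path"].split("?", 1)[0]   # drop the query string before matching
    external = is_external(rec["ip"])
    if path == EJB_INVOKER:
        # The endpoint the exploit abuses: an external caller should never
        # reach it; an internal caller must be matched to a known client.
        return "critical" if external else "medium"
    if path.startswith(INVOKER_PREFIX):
        # Anything else under the invoker context from outside means the
        # management interface is Internet-exposed, which is the real defect.
        return "high" if external else "low"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every line, keep the ones that touch /invoker/, tag each with a severity."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparseable lines rather than fail
        severity = classify(rec)
        if severity:
            findings.append({**rec, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:14} {f['method']} {f['path']} -> {f['status']}")
```

The useful output is the "high" class as much as the "critical" one: a request to any /invoker/ path from a non-internal address shows the interface is reachable from the Internet, and the fix is to stop exposing it rather than to chase individual requests.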

Last month, HP said that it updated its JBoss implementation, although we're still waiting for the details. We should have them soon, the company said.

In other internet security news

Internet security agency FireEye has identified specific links between 11 APT campaigns, including the utilization of the same malware tools, shared code, binaries with the same timestamps, and signed binaries with the same digital certificates.

To be sure, state-sponsored hackers are looking less like traditional hacking crews and more like well organized military units as they share infrastructure and adopt strict hierarchies, according to new data released late yesterday.

The 11 APT campaigns targeted a wide range of industries and appeared unrelated at first, until cyber-sleuths uncovered digital evidence that clearly linked the attacks.

The shared development and logistics operation used to support several APT actors in distinct but overlapping campaigns points to the role of a digital quartermaster.
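The linking described in the two paragraphs above is, mechanically, a pivot: collect the build artifacts of every sample (signing certificate, compile timestamp, shared code, tool family), and wherever two campaigns share one, join them. The following is an added example, not FireEye's code or data: it clusters a constructed sample set on those attributes with a union-find, treats certificate, timestamp and code overlap as strong links, and records tool-family overlap only as weak evidence, since a common RAT is reused by unrelated crews far more often than a signing key is. All campaign names, hashes, thumbprints and timestamps are made up; only the "9002" family name comes from the article.

```python
"""Pivot on shared build artifacts to link otherwise separate campaigns.

Added example, not FireEye's code or data. The article says the 11 campaigns
were tied together by shared tools, shared code, identical compile timestamps
and binaries signed with the same certificates; this shows that pivot on a
constructed sample set. Every value in SAMPLES is made up.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Artifacts that are strong enough on their own to merge two campaigns.
STRONG_PIVOTS = ("cert_thumbprint", "compile_ts", "code_hash")
# Artifacts that are only suggestive; recorded but never merged on alone.
WEAK_PIVOTS = ("rat_family",)

SAMPLES = [  # constructed
    {"sha256": "s1", "campaign": "campaign-A", "rat_family": "9002",
     "cert_thumbprint": "CERT-1", "compile_ts": "2013-02-01T08:15:22", "code_hash": "CODE-X"},
    {"sha256": "s2", "campaign": "campaign-B", "rat_family": "9002",
     "cert_thumbprint": "CERT-1", "compile_ts": "2013-03-09T11:40:03", "code_hash": "CODE-Y"},
    {"sha256": "s3", "campaign": "campaign-C", "rat_family": "other-rat",
     "cert_thumbprint": None, "compile_ts": "2013-03-09T11:40:03", "code_hash": "CODE-Z"},
    {"sha256": "s4", "campaign": "campaign-D", "rat_family": "9002",
     "cert_thumbprint": "CERT-2", "compile_ts": "2013-05-20T16:02:47", "code_hash": "CODE-X"},
    {"sha256": "s5", "campaign": "campaign-E", "rat_family": "9002",
     "cert_thumbprint": "CERT-3", "compile_ts": "2013-06-01T09:00:00", "code_hash": "CODE-Q"},
    {"sha256": "s6", "campaign": "campaign-E", "rat_family": "9002",
     "cert_thumbprint": "CERT-3", "compile_ts": "2013-06-02T09:00:00", "code_hash": "CODE-R"},
]

Pair = Tuple[str, str]


class DisjointSet:
    """Minimal union-find over campaign names."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_campaigns(samples: List[dict]) -> Tuple[List[FrozenSet[str]], Dict[Pair, Set[str]], Dict[Pair, Set[str]]]:
    """Return (clusters, strong_evidence, weak_evidence).

    strong_evidence / weak_evidence map a sorted campaign pair to the set of
    artifact fields the pair shares. Only strong fields merge clusters.
    """
    # field -> artifact value -> campaigns whose samples carry it
    index: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for s in samples:
        for field in STRONG_PIVOTS + WEAK_PIVOTS:
            value = s.get(field)
            if value:                          # unsigned binaries have no cert
                index[field][value].add(s["campaign"])

    ds = DisjointSet()
    for s in samples:
        ds.find(s["campaign"])                 # register singletons too
    strong: Dict[Pair, Set[str]] = defaultdict(set)
    weak: Dict[Pair, Set[str]] = defaultdict(set)

    for field, by_value in index.items():
        for campaigns in by_value.values():
            # A value seen only inside one campaign is not a cross-campaign link.
            for a, b in combinations(sorted(campaigns), 2):
                if field in STRONG_PIVOTS:
                    strong[(a, b)].add(field)
                    ds.union(a, b)
                else:
                    weak[(a, b)].add(field)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for campaign in list(ds.parent):
        groups[ds.find(campaign)].add(campaign)
    clusters = sorted((frozenset(g) for g in groups.values()), key=min)
    return clusters, dict(strong), dict(weak)


if __name__ == "__main__":
    clusters, strong, weak = link_campaigns(SAMPLES)
    for c in clusters:
        print("cluster:", ", ".join(sorted(c)))
    for pair, fields in sorted(strong.items()):
        print("strong link", pair, "via", sorted(fields))
    for pair, fields in sorted(weak.items()):
        print("weak link  ", pair, "via", sorted(fields))
```

On the constructed data, campaigns A, B, C and D collapse into one cluster through three different artifacts (A and B share a certificate, B and C a compile timestamp, A and D a code block), while E stays separate even though it uses the same RAT family, which is the distinction the article draws between a shared tool and a shared quartermaster.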

The role of this cyber organiser is different from that occupied by exploit brokers (firms and/or individuals who discover or re-sell security vulnerabilities and exploits), according to FireEye.

"The main difference between the quartermaster that we identified and exploit-brokers is that we have no evidence to show the quartermaster also develops exploits for known or unknown vulnerabilities," said Ned Moran, a senior malware researcher from FireEye.

"We know specifically that the quartermaster develops custom remote access tools but we don't know if they also develop and supply operators with exploits," Moran added.

The emergence of a common development and logistics centre means that attackers are adopting an industrialized approach to cyber-spying, so that defenders of trade secrets and other digital assets are facing more organized and capable adversaries.

The mission of the digital quartermaster is to supply and maintain malware tools and weapons to support cyber espionage. The digital quartermaster also might be a cyber arms dealer, a common supplier of tools used to conduct attacks and establish footholds in targeted systems.

But common features in the campaigns tied together by FireEye suggest it's more likely that we're dealing with someone who works exclusively with Chinese hacking groups, rather than the hi-tech equivalent of an arms dealer.

"Based on the Chinese language user interface of the 9002 Builder, the tool used to build the 9002 remote access Trojans, we believe the digital quartermaster spoke or read Chinese," Moran added.

"It's also possible that the operators of the eleven different campaigns also spoke or read Chinese," he said. FireEye's report revealing the emergence of a malware cyber arms dealer, entitled Supply Chain Analysis: From Quartermaster to Sunshop, can be found on their website.

In other internet security news

Adobe said earlier this morning that it has released a new series of scheduled security patches to better address critical issues in its Flash Player and ColdFusion software.

Adobe says the security updates are necessary, and the company will tackle a pair of additional security vulnerabilities in the two platforms which could be exploited remotely by attackers.

Adobe has had more than its share of security issues in 2013. For Flash Player, the update applies to Windows, Linux and OS X systems, and solves the issue of remote code execution flaws.

Adobe warns that if targeted, the security holes could allow a potential attacker to execute attack code on a targeted system without requiring any user notification or interaction.

To install the update, Adobe recommends that users update to the latest versions of Adobe Flash Player and, if necessary, Adobe AIR. The company noted that users running Google Chrome and Internet Explorer on Windows 8 and 8.1 will automatically receive the update when they update to the latest versions of their browser.

Additionally, Adobe has released an update to its ColdFusion application server. The security patch addresses a security hole in the platform which could potentially allow an attacker to remotely gain read access to a targeted system, as well as another vulnerability which could potentially allow an attacker to perform a cross-site scripting attack.

Adobe added that the security update needs to be installed on all systems running ColdFusion versions 10, 9.0.2 and 9.0.1 on Windows, Mac OS X and Linux.

ColdFusion was among the platforms affected in mid-October when a major security breach on Adobe's systems led to the mass loss of user account credentials.

An Adobe spokesperson noted that yesterday's update addresses an entirely different set of security risks which have yet to be targeted by attackers in the field.

In other internet security news

The IETF (Internet Engineering Task Force) has vowed that the U.S. NSA won't be allowed to get away with its questionable surveillance of the internet any more, as soon as about 1,100 engineers of its group can agree on a PRISM-proofing scenario.

The IETF met this week in Canada and the communiqué that it issued makes it very clear that the internet standards body is very angry about the way that the NSA carries out its online surveillance and won't allow it anymore.

“Several discussions over the past few months, including many in the more than 100 working group sessions this week, are carefully and systematically reviewing internet security and exploring several ways to improve privacy and other aspects of web security for different applications," IETF chair Jari Arkko said in the communiqué.

Stephen Farrell, an IETF security area director, added “There are many challenges isolating the specific areas of attack that IETF protocols can mitigate” but added that “all of the working groups that considered the topic have started planning to address the threat using IETF tools that can efficiently address several aspects of the issue."

Notes taken from the Vancouver meetings considered a few ways to harden the internet, including transport layer security (TLS) and “possibilities to get the TLS-secured versions more widely and consistently deployed.”

“Plans for upgrading the handling of mail, instant messaging and voice-over-IP protocols, in each case with a view to improving the resistance of the deployed base to pervasive monitoring,” also received some consideration, as did opportunistic encryption of multipath TCP/IP protocol.

So exactly what will emerge, and when, if ever, isn't known at this time. But the NSA can consider itself warned: the internet standards committee has decided to make its life very difficult for the next ten to fifteen years. The very popular (or unpopular, depending which side you're on) NSA leaker Edward Snowden must be happy.


Source: SICVN.
