Category Archive 'Malware'

19 Jan 2011

Stuxnet Was a Joint US-Israeli Project

, , , , , , , , , , , ,

Anonymous official sources have spilled enough to the New York Times to allow it to put the pieces together (and to give an opportunity to US and Israeli Intelligence to take a few public bows and indulge in a bit of gloating at Iran’s expense). And, what do you know! it was another of those George W. Bush policies that Barack Obama decided to continue, just like detentions at Guantanamo.

The Dimona complex in the Negev desert is famous as the heavily guarded heart of Israel’s never-acknowledged nuclear arms program, where neat rows of factories make atomic fuel for the arsenal.

Over the past two years, according to intelligence and military experts familiar with its operations, Dimona has taken on a new, equally secret role — as a critical testing ground in a joint American and Israeli effort to undermine Iran’s efforts to make a bomb of its own.

Behind Dimona’s barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran’s at Natanz, where Iranian scientists are struggling to enrich uranium. They say Dimona tested the effectiveness of the Stuxnet computer worm, a destructive program that appears to have wiped out roughly a fifth of Iran’s nuclear centrifuges and helped delay, though not destroy, Tehran’s ability to make its first nuclear arms.

“To check out the worm, you have to know the machines,” said an American expert on nuclear intelligence. “The reason the worm has been effective is that the Israelis tried it out.”

Though American and Israeli officials refuse to talk publicly about what goes on at Dimona, the operations there, as well as related efforts in the United States, are among the newest and strongest clues suggesting that the virus was designed as an American-Israeli project to sabotage the Iranian program. …

Many mysteries remain, chief among them, exactly who constructed a computer worm that appears to have several authors on several continents. But the digital trail is littered with intriguing bits of evidence.

In early 2008 the German company Siemens cooperated with one of the United States’ premier national laboratories, in Idaho, to identify the vulnerabilities of computer controllers that the company sells to operate industrial machinery around the world — and that American intelligence agencies have identified as key equipment in Iran’s enrichment facilities.

Siemens says that program was part of routine efforts to secure its products against cyberattacks. Nonetheless, it gave the Idaho National Laboratory — which is part of the Energy Department, responsible for America’s nuclear arms — the chance to identify well-hidden holes in the Siemens systems that were exploited the next year by Stuxnet.

The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

The attacks were not fully successful: Some parts of Iran’s operations ground to a halt, while others survived, according to the reports of international nuclear inspectors. Nor is it clear the attacks are over: Some experts who have examined the code believe it contains the seeds for yet more versions and assaults. …

Israeli officials grin widely when asked about its effects. Mr. Obama’s chief strategist for combating weapons of mass destruction, Gary Samore, sidestepped a Stuxnet question at a recent conference about Iran, but added with a smile: “I’m glad to hear they are having troubles with their centrifuge machines, and the U.S. and its allies are doing everything we can to make it more complicated.”

In recent days, American officials who spoke on the condition of anonymity have said in interviews that they believe Iran’s setbacks have been underreported. That may explain why Mrs. Clinton provided her public assessment while traveling in the Middle East last week.

By the accounts of a number of computer scientists, nuclear enrichment experts and former officials, the covert race to create Stuxnet was a joint project between the Americans and the Israelis, with some help, knowing or unknowing, from the Germans and the British.

The project’s political origins can be found in the last months of the Bush administration. In January 2009, The New York Times reported that Mr. Bush authorized a covert program to undermine the electrical and computer systems around Natanz, Iran’s major enrichment center. President Obama, first briefed on the program even before taking office, sped it up, according to officials familiar with the administration’s Iran strategy. So did the Israelis, other officials said.

You can hear the champagne corks popping at Langley all the way out here in Fauquier County.

Read the whole thing.

15 Dec 2010

“Stuxnet Virus Set Back Iranian Nuclear Program Two Years”

, , , , ,

The Jerusalem Post, via an interview with an IT professional, provides an expert assessment on who was responsible for creating the Stuxnet virus and a knowledgeable estimate of just how effective it was in shutting down Iran’s nuclear weapons program.

The Stuxnet virus, which has attacked Iran’s nuclear facilities and which Israel is suspected of creating, has set back the Islamic Republic’s nuclear program by two years, a top German computer consultant who was one of the first experts to analyze the program’s code told The Jerusalem Post on Tuesday.

“It will take two years for Iran to get back on track,” Langer said in a telephone interview from his office in Hamburg, Germany. “This was nearly as effective as a military strike, but even better since there are no fatalities and no full-blown war. From a military perspective, this was a huge success.”

Last month, the International Atomic Energy Agency (IAEA), the United Nation’s nuclear watchdog, said that Iran had suspended work at its nuclear-field production facilities, likely a result of the Stuxnet virus.

According to Langer, Iran’s best move would be to throw out all of the computers that have been infected by the worm, which he said was the most “advanced and aggressive malware in history.” But, he said, even once all of the computers were thrown out, Iran would have to ensure that computers used by outside contractors were also clean of Stuxnet.

“It is extremely difficult to clean up installations from Stuxnet, and we know that Iran is no good in IT [information technology] security, and they are just beginning to learn what this all means,” he said. “Just to get their systems running again they have to get rid of the virus, and this will take time, and then they need to replace the equipment, and they have to rebuild the centrifuges at Natanz and possibly buy a new turbine for Bushehr.”

Widespread speculation has named Israel’s Military Intelligence Unit 8200, known for its advanced Signal Intelligence (SIGINT) capabilities, as the possible creator of the software, as well as the United States.

Langer said that in his opinion at least two countries – possibly Israel and the United States – were behind Stuxnet.

Israel has traditionally declined comment on its suspected involvement in the Stuxnet virus, but senior IDF officers recently confirmed that Iran had encountered significant technological difficulties with its centrifuges at the Natanz enrichment facility.

“We can say that it must have taken several years to develop, and we arrived at this conclusion through code analysis, since the code on the control systems is 15,000 lines of code, and this is a huge amount,” Langer said.

“This piece of evidence led us to conclude that this is not by a hacker,” he continued. “It had to be a country, and we can also conclude that even one nation-state would not have been able to do this on its own.”

Eric Byres, a computer security expert who runs a website called Tofino Security, which provides solutions for industrial companies with Stuxnet-related problems, told the Post on Tuesday that the number of Iranians visiting his site had jumped tremendously in recent weeks – a likely indication that the virus is still causing great disarray at Iranian nuclear facilities.

“What caught our attention was that last year we maybe had one or two people from Iran trying to access the secure areas on our site,” Byres said. “Iran was never on the map for us, and all of a sudden we are now getting massive numbers of people going to our website, and people who we can identify as being from Iran.”

29 Mar 2009

China’s GhostNet

, , , , , , , , ,

The Telegraph reports that a Canadian study produced by researchers asked to investigate cyberattacks on the office of the Dalai Lama reveals large-scale world-wide cyberattacks, all originating from China.

A vast Chinese cyber-espionage network, codenamed GhostNet, has penetrated sensitive ministries and embassies across 103 countries and infects at least a dozen new computers every week. …

The discovery of GhostNet is the latest sign of China’s determination to win a future “information war”. A ten-month investigation by the Munk Centre for International Studies in Toronto has revealed that GhostNet not only searches computers for information and taps their emails, but also turns them into giant listening devices.

Once a computer has been infected, hackers can turn on its web camera and microphones and record any conversations within range.

The study revealed that almost a third of the targets infected by GhostNet are “considered high-value and include computers located at ministries of foreign affairs, embassies, international organisations, news media and NGOs”. This global web of espionage has been constructed in the last two years.

Another report from Cambridge University said the sophisticated computer attacks had been “devastatingly effective” and that “few organisations, outside the defence and intelligence sector, could withstand such an attack”.

The report stopped short of accusing the Beijing government of responsibility for the network, but said the vast majority of cyber attacks originated from inside China.

—————————————-

The New York Times also headlined the report in its Technology section.

The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.

Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London and New York.

The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.

Intelligence analysts say many governments, including those of China, Russia and the United States, and other parties use sophisticated computer programs to covertly gather information.

The newly reported spying operation is by far the largest to come to light in terms of countries affected.

This is also believed to be the first time researchers have been able to expose the workings of a computer system used in an intrusion of this magnitude.

Still going strong, the operation continues to invade and monitor more than a dozen new computers a week, the researchers said in their report, “Tracking ‘GhostNet’: Investigating a Cyber Espionage Network.” They said they had found no evidence that United States government offices had been infiltrated, although a NATO computer was monitored by the spies for half a day and computers of the Indian Embassy in Washington were infiltrated.

The malware is remarkable both for its sweep — in computer jargon, it has not been merely “phishing” for random consumers’ information, but “whaling” for particular important targets — and for its Big Brother-style capacities. It can, for example, turn on the camera and audio-recording functions of an infected computer, enabling monitors to see and hear what goes on in a room. The investigators say they do not know if this facet has been employed.

The researchers were able to monitor the commands given to infected computers and to see the names of documents retrieved by the spies, but in most cases the contents of the stolen files have not been determined. Working with the Tibetans, however, the researchers found that specific correspondence had been stolen and that the intruders had gained control of the electronic mail server computers of the Dalai Lama’s organization.

The electronic spy game has had at least some real-world impact, they said. For example, they said, after an e-mail invitation was sent by the Dalai Lama’s office to a foreign diplomat, the Chinese government made a call to the diplomat discouraging a visit. And a woman working for a group making Internet contacts between Tibetan exiles and Chinese citizens was stopped by Chinese intelligence officers on her way back to Tibet, shown transcripts of her online conversations and warned to stop her political activities.

The Toronto researchers said they had notified international law enforcement agencies of the spying operation, which in their view exposed basic shortcomings in the legal structure of cyberspace.

By some curious coincidence, the web-site offering the actual report as inaccessible today.

19 Mar 2009

Conficker C to Strike April 1st

, , , , , , , ,

The Conficker worm (also known as Downadup.AD) appeared last October targeting (surprise! surprise!) Microsoft Windows vulnerabilities common to 2000, XP, Vista, et al.

It has contaminated more than 9 million PCs worldwide, hitting 1.1 million on a single day last January. Conficker has shut down the operations of the French Air Force, 24 RAF air bases, and 75% of the Royal Navy, and infected hundreds of computers serving Germany’s Bundeswehr and Defense Ministry.

New York Times
:

The program grabbed global attention when it began spreading late last year and quickly infected millions of computers with software code that is intended to lash together the infected machines it controls into a powerful computer known as a botnet.

Since then, the program’s author has repeatedly updated its software in a cat-and-mouse game being fought with an informal international alliance of computer security firms and a network governance group known as the Internet Corporation for Assigned Names and Numbers. Members refer to the alliance as the Conficker Cabal. …

An examination of the program reveals that the zombie computers are programmed to try to contact a control system for instructions on April 1. There has been a range of speculation about the nature of the threat posed by the botnet, from a wake-up call to a devastating attack.

Researchers who have been painstakingly disassembling the Conficker code have not been able to determine where the author, or authors, is located, or whether the program is being maintained by one person or a group of hackers. The growing suspicion is that Conficker will ultimately be a computing-for-hire scheme. Researchers expect it will imitate the hottest fad in the computer industry, called cloud computing, in which companies like Amazon, Microsoft and Sun Microsystems sell computing as a service over the Internet. …

Several people who have analyzed various versions of the program said Conficker’s authors were obviously monitoring the efforts to restrict the malicious program and had repeatedly demonstrated that their skills were at the leading edge of computer technology.

For example, the Conficker worm already had been through several versions when the alliance of computer security experts seized control of 250 Internet domain names the system was planning to use to forward instructions to millions of infected computers.

Shortly thereafter, in the first week of March, the fourth known version of the program, Conficker C, expanded the number of the sites it could use to 50,000. That step made it virtually impossible to stop the Conficker authors from communicating with their botnet. …

A report scheduled to be released Thursday by SRI International, a nonprofit research institute in Menlo Park, Calif., says that Conficker C constitutes a major rewrite of the software. Not only does it make it far more difficult to block communication with the program, but it gives the program added powers to disable many commercial antivirus programs as well as Microsoft’s security update features.

“Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm,” said Phillip Porras, a research director at SRI International and one of the authors of the report. “Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft.”

“In the worst case,” Mr. Porras said, “Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself.”

The researchers, noting that the Conficker authors were using the most advanced computer security techniques, said the original version of the program contained a recent security feature developed by an M.I.T. computer scientist, Ron Rivest, that had been made public only weeks before. And when a revision was issued by Dr. Rivest’s group to correct a flaw, the Conficker authors revised their program to add the correction.

Although there have been clues that the Conficker authors may be located in Eastern Europe, evidence has not been conclusive.


Information Week
links this removal tool.

Alarmingly, TrendMicro’s virus encyclopedia entry is “temporarily unavailable.”

10 Apr 2007

Volokh Address Working Again

, , ,

Yesterday, I followed up a link from Glenn Reynolds and discovered that the conventional Volokh Conspiracy url: www.volokh.com was working just fine again.

Last month, it was impossible to access that eminent legal blog using that address from several East Coast computers. My theory was that someone with a grudge against that blog had distributed a Trojan which overwrote that address in the Hosts File. I was planning to edit my Registry one of these days to fix the problem, but then Glenn Reynolds mentioned hearing about the problem, and identified an alternative working URL: www.Volokh.Powerblogs.com, eliminating the need to go to all that trouble.

I’m glad the issue is gone, but I wish I knew what really happened.

19 Mar 2007

Volokh Conspiracy Access Problem

, , , , , ,

On March 14 I reported finding it impossible for several days, since around March 10 or 11, to access the Volokh Conspiracy Blog at its conventional address: www.volokh.com.

Clearly, my experience with this problem is not unique, since Glenn Reynolds blogged about this yesterday (March 18).

Professor Reynolds kindly supplies a solution which saves all of us affected the necessity of logging into our computers in Safe Mode and searching the Registry for a corrupted Host file.

All one needs to do is use Volokh.Powerblogs.Com instead.

Hat tip to Walter Olson.

14 Mar 2007

Volokh Conspiracy Hijacked by Trojan

, , , , , , ,

Last Saturday, I clicked on an Instapundit link to a Volokh posting, and got the traditional MS Explorer negative page-not-found response.

The page cannot be displayed

The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

Even important blogs have technical difficulties, so I simply shrugged and made a mental note to try again later.

But when the problem was still there on Monday, I concluded there was more to this than meets the eye.

About a year ago, my personal computer was infected by a Trojan, which exploited one of those only-too-numerous Microsoft vulnerabilities. It was the sort of thing which hijacks your computer to send out thousands of replications of itself covertly, degrading system performance significantly in the process.

I would never have known it was there, but for the fact that I could no longer log into Norton to update my antivirus software. The Trojan wrote to my Host file instructions directing all prominent antivirus website addresses to a dead address.

Wikipedia discusses this kind of hijacking technique in its Host file entry.

Further investigation established that my wife’s notebook was blocked from Volokh Conspiracy by the same malware. But a friend in California last night was not impacted by this problem.

I don’t recall exactly which file needs to be edited, but I can tell you that correcting this kind of problem is a lot of work. One has to turn off System Restore, reboot the computer in Safe mode, then edit the Registry to get rid of the illicit Host file entry. Entering Safe Mode is a bummer for me, because it will mess up all the icons on desk top, producing even more work sorting them all out again.

Would readers please check to see if they can link to Volokh Conspiracy, and tell me via email, or in Comments here, if they are also experiencing the same problem?


Your are browsing
the Archives of Never Yet Melted in the 'Malware' Category.

















Feeds
Entries (RSS)
Comments (RSS)
Feed Shark