The Cellar - Technology - Malware hits industrial equipment (http://cellar.org/showthread.php?t=23629)

Happy Monkey 10-05-2010 02:03 PM

Quote:

Originally Posted by classicman (Post 686697)
I thought they weren't connected to the internet. Wasn't that part of the issue? How are these USBs getting there?

It spreads to computers that are on the internet, in hopes of getting on CDs or USB drives that are transferred to the ones that aren't. Even computers that aren't on the internet generally need information transferred to or from them at some point, and there's always the vulnerability of some employee wanting to listen to their MP3s. Users are always the biggest potential vulnerability.

classicman 10-05-2010 02:08 PM

Gotcha. Thanks.

tw 10-05-2010 03:54 PM

Quote:

Originally Posted by Happy Monkey (Post 686722)
It spreads to computers that are on the internet, in hopes of getting on CDs or USB drives that are transferred to the ones that aren't. Even computers that aren't on the internet generally need information transferred to or from them at some point, and there's always the vulnerability of some employee wanting to listen to their MP3s.

That was the point of independent analysis. This code was designed to be spread even without network connections. Sneakernet is one potential path. Some of the likely suspects include Russian salesmen. Flash drives are only one infection path.

But again, see that Ethernet card, a 'USB to Ethernet', or even a keyboard. All could be 'carriers' of malware. According to analysis, this malware could be undetected until it suddenly infects a machine. And then morphs into something different so as to be undetectable again. One reason why analysts suggest this was done by more than just hackers.

These Siemens controllers are routinely sold in third party markets. Iran would be purchasing many. More places where hackers could infect machines before hardware was delivered to Iran. We do not even know what hardware is infecting controllers. Most of what is published is only informed speculation. We do not even know if the malware purpose is reconnaissance or hardware destruction due to (according to independent analysts) malware complexity.

Remember, other nations are at greater risk and more concerned about Iran's nuclear program - including Russia.

xoxoxoBruce 10-05-2010 11:41 PM

Agreed, much of what we know, is from articles that are mostly speculation.

classicman 10-11-2010 01:28 PM

Iran may have executed nuclear staffers over Stuxnet
Quote:

Intelligence sources report information reaching the West in the past week that Iran has put to death a number of atomic scientists and technicians suspected of helping plant the Stuxnet virus in its nuclear program. The admission by Ali Akbar Salehi, head of the Atomic Energy Organization, on Friday, Oct. 8 - the frankest yet by any Iranian official - that Western espionage had successfully penetrated its nuclear program is seen as bearing out those reports.

The Atomic Energy Organization has published booklets which Salehi said will "alert personnel to Western techniques for luring them into espionage." They "spell out precautionary measures to protect information and the life of scientists," he said.

This phrase was taken by the personnel receiving the booklet as a death threat for any who defy its directives.
From here

Dunno how valid this is, but it does offer another aspect to this.

Happy Monkey 11-16-2010 03:11 PM

Some interesting updates.

Apparently it was targeted at facilities with over a certain number of components manufactured by particular vendors, and set to particular configurations. Very targeted.

TheMercenary 01-16-2011 09:46 AM

Another update....

Very interesting. So now it is pretty obvious where it came from.

http://www.nytimes.com/2011/01/16/wo...16stuxnet.html

xoxoxoBruce 01-16-2011 10:43 AM

That's an interesting scenario, no proof, but a lot of circumstantial evidence.

TheMercenary 01-16-2011 01:11 PM

A number of "unnamed sources" most likely contributed to the article. I hope they stick it to the Iranians. And how about those targeted killings of the engineers, makes you wonder.

xoxoxoBruce 01-16-2011 01:13 PM

Mossad.

TheMercenary 01-16-2011 02:42 PM

My guess as well, if not them, their agents. More power to them. I hope we are giving them lots of intel support.

Lamplighter 05-28-2012 10:29 AM

SlashGear
Chris Davies
May 28th 2012

Flame cyber-espionage discovered in vast infection net
Quote:

A new and fast spreading malware tipped to already dwarf the notorious Stuxnet has been identified, codenamed Flame and believed to be state-run cyberespionage affecting PCs in Iran and nearby countries.

Spotted by Kaspersky Lab, “Worm.Win32.Flame” blends features from backdoor, trojan and worm malware, and once surreptitiously loaded onto a target machine can monitor network traffic, local use, grab screenshots and record audio, sending all that data back to its home servers. Believed to be active from at least March 2010, Flame is tipped to be 20x more prevalent than Stuxnet.

Iran is the most common place Kaspersky have discovered Flame, but it’s also been discovered in Israel, Palestine, the Sudan, Syria, Lebanon, Saudi Arabia and Egypt; there are “probably thousands of victims worldwide” the researchers estimate. Interestingly, there’s a broad spread of targeted computers, across academia, private companies, specific individuals and others; the operators appear to be cleaning up after themselves, too, only leaving Flame active on the most interesting machines, and deleting it from those with little worth.
<snip>

What has researchers particularly concerned is the scale of Flame’s monitoring abilities. Rather than merely recording VoIP calls, the malware can turn on the PC’s microphone and surreptitiously begin its own recordings, for instance, while screenshots are taken when “interesting” apps, such as instant messaging clients, are on-screen. Meanwhile, if the computer has Bluetooth, it can scan for nearby devices and then use the short-range wireless technology to create secret peer-to-peer connections while embedding details on Flame’s status in the “discoverable device” information.
<snip>

Lamplighter 05-31-2012 09:29 AM

NY Times
By NICOLE PERLROTH
Published: May 30, 2012

Researchers Find Clues in Malware

Quote:

SAN FRANCISCO — Security experts have only begun examining the thousands of lines of code that make up Flame, an extensive, data-mining computer virus that has been designed to steal information from computers across the Middle East, but already digital clues point to its creators and capabilities.
<snip>

Flame, these researchers say, shares several notable features with two other major programs that targeted Iran in recent years. The first virus, Duqu, was a reconnaissance tool that researchers say was used to copy blueprints of Iran’s nuclear program. The second, Stuxnet, was designed to attack industrial control systems and specifically calibrated to spin Iranian centrifuges out of control.

Because Stuxnet and Duqu were written on the same platform and share many of the same fingerprints in their source code, researchers believe both were developed by the same group of programmers. Those developers have never been identified, but researchers have cited intriguing bits of digital evidence that point to a joint American-Israeli effort to undermine Iran’s efforts to build a nuclear bomb.

For example, researchers at Kaspersky Lab tracked the working hours of Duqu’s operators and found they coincided with Jerusalem local time. They also noted that Duqu’s programmers were not active between sundown on Fridays and sundown on Saturdays, a time that coincides with the Sabbath when observant Jews typically refrain from secular work.
<snip>

Unlike Duqu and Stuxnet, security researchers say, Flame is remarkable in that it has been able to evade discovery for five years — which was impressive given its size. Most malware is a couple hundred kilobytes in size. Flame is 20 megabytes. “It was hiding in plain sight,” said Mr. Schouwenberg. “It was designed in such a way that it was nearly impossible to track down.”

Researchers noted that Flame spreads through more conservative means. Researchers say that while Stuxnet had the ability to replicate autonomously, Flame can spread from machine to machine only when prompted by the attacker.

Cyber Wolf 05-31-2012 02:55 PM

As much a pain as it can be, it's stuff like this that makes me glad I routinely unplug my webcam, mic and headset when I'm not actively using them.

Not that my computer has anything of interest on it... and anyone spying on me would get mostly me singing and good shots of my more lived-in T-shirts...

Lamplighter 08-10-2012 10:37 AM

And the beat goes on....

NY Times
NICOLE PERLROTH
8/19/12

Virus Seeking Bank Data Is Tied to Attack on Iran
Quote:

A security firm said Thursday that it had discovered what it believed was the fourth state-sponsored computer virus to surface in the Middle East in the last three years, apparently aimed at computers in Lebanon.

The firm, Kaspersky Lab, said that the virus appeared to have been written by the same programmers who created Flame, the data-mining computer virus that was found to be spying on computers in Iran in May, and that it might be linked to Stuxnet, the virus that disrupted uranium enrichment work in Iran in 2010.

The latest virus, nicknamed Gauss after a name found in its code, has been detected on 2,500 computers, most in Lebanon, the firm said. Its purpose appeared to be to acquire logins for e-mail and instant messaging accounts, social networks and, notably, accounts at certain banks — a function more typically found in malicious programs used by profit-seeking cybercriminals.
<snip>

Kaspersky researchers said Gauss contained a “warhead” that seeks a very specific computer system with no Internet connection and installs itself only if it finds one. “It’s done in such a clever way that security researchers cannot analyze it, because they don’t know the decryption key that unlocks the true purpose of that program,” Mr. Raiu said.

