<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; Malware</title>
	<atom:link href="http://www.infowar-monitor.net/tag/malware/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Thu, 01 Dec 2011 16:11:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Kernel.org Linux repository rooted in hack attack</title>
		<link>http://www.infowar-monitor.net/2011/08/kernel-org-linux-repository-rooted-in-hack-attack/</link>
		<comments>http://www.infowar-monitor.net/2011/08/kernel-org-linux-repository-rooted-in-hack-attack/#comments</comments>
		<pubDate>Wed, 31 Aug 2011 15:01:54 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8835</guid>
		<description><![CDATA[<blockquote>
Source: <a title="Kernel.org Linux repository rooted in hack attack" href="http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/">The Register</a>
<br /><br />
Multiple servers used to maintain and distribute the Linux operating system were infected with malware that gained root access, modified system software, and logged passwords and transactions of the people who used them, the official Linux Kernel Organization has confirmed.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a title="Kernel.org Linux repository rooted in hack attack" href="http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/">The Register</a></p>
<p>Multiple servers used to maintain and distribute the Linux operating system were infected with malware that gained root access, modified system software, and logged passwords and transactions of the people who used them, the official Linux Kernel Organization has confirmed.</p>
<p>The infection occurred no later than August 12 and wasn&#8217;t detected for another 17 days, according to an email John &#8220;Warthog9&#8221; Hawley, the chief administrator of kernel.org, sent to developers on Monday. It said a trojan was found on the personal machine of kernel developer H Peter Anvin and later on the kernel.org servers known as Hera and Odin1. A secure shell client used to remotely access servers was modified, and passwords and user interactions were logged during the compromise.</p>
<p>For the full article, see <a title="Kernel.org Linux repository rooted in hack attack" href="http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/kernel-org-linux-repository-rooted-in-hack-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Researchers discover Twitter-controlled bitcoin bot</title>
		<link>http://www.infowar-monitor.net/2011/08/researchers-discover-twitter-controlled-bitcoin-bot/</link>
		<comments>http://www.infowar-monitor.net/2011/08/researchers-discover-twitter-controlled-bitcoin-bot/#comments</comments>
		<pubDate>Mon, 29 Aug 2011 17:27:08 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8796</guid>
		<description><![CDATA[<blockquote>
Source: <a title="Researchers discover Twitter-controlled bitcoin bot" href="http://www.pcmag.com/article2/0,2817,2390290,00.asp">PCMag</a>
<br /><br />
Security firm F-Secure has discovered a bot that compromises Twitter accounts to help in the generation of Bitcoins. Bitcoin is a decentralized virtual currency that was formed by programmers in 2009, and is generated by programming computers to calculate highly complex math problems.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a title="Researchers discover Twitter-controlled bitcoin bot" href="http://www.pcmag.com/article2/0,2817,2390290,00.asp">PCMag</a></p>
<p>Security firm F-Secure has discovered a bot that compromises Twitter accounts to help in the generation of Bitcoins.</p>
<p>Bitcoin is a decentralized virtual currency that was formed by programmers in 2009, and is generated by programming computers to calculate highly complex math problems. The more computing power you have, the faster you can create Bitcoins; this is why Bitcoin rigs often look like massive sculptures of connected servers.</p>
<p>According to an F-Secure blog post, the Twitter-based command generates a bot that can control the Twitter user&#8217;s computer and add it to a bitcoin mining rig. </p>
<p>For the full article, see <a href="http://www.pcmag.com/article2/0,2817,2390290,00.asp" title="Researchers discover Twitter-controlled bitcoin bot">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/researchers-discover-twitter-controlled-bitcoin-bot/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Shady RAT: The biggest ever cyber-attack?</title>
		<link>http://www.infowar-monitor.net/2011/08/shady-rat-the-biggest-ever-cyber-attack/</link>
		<comments>http://www.infowar-monitor.net/2011/08/shady-rat-the-biggest-ever-cyber-attack/#comments</comments>
		<pubDate>Mon, 29 Aug 2011 17:18:00 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8791</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://nakedsecurity.sophos.com/2011/08/03/shady-rat-biggest-cyber-attack/" title="Shady RAT: The biggest ever cyber-attack?">Sophos</a>
<br /><br />
The media are in a frenzy today, excitedly reporting the "biggest ever cyber-attack". The reason? A report published today by McAfee called "Revealed: Operation Shady RAT", explains that the security firm stumbled across logs on a server used by hackers, and ascertained that organisations and governments around the world had been targeted by malware that could have stolen information from their systems.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://nakedsecurity.sophos.com/2011/08/03/shady-rat-biggest-cyber-attack/" title="Shady RAT: The biggest ever cyber-attack?">Sophos</a></p>
<p>The media are in a frenzy today, excitedly reporting the &#8220;biggest ever cyber-attack&#8221;.</p>
<p>The reason? A report published today by McAfee called &#8220;Revealed: Operation Shady RAT&#8221;, explains that the security firm stumbled across logs on a server used by hackers, and ascertained that organisations and governments around the world had been targeted by malware that could have stolen information from their systems.</p>
<p>The report names the governments of the United States, Taiwan, India, South Korea, Vietnam and Canada, the United Nations, the International Olympic Committee (IOC), and assorted companies amongst the victims.</p>
<p>To be honest, there&#8217;s nothing particularly surprising in McAfee&#8217;s report to those of us who have an interest in computer security.</p>
<p>For the full article, see <a href="http://nakedsecurity.sophos.com/2011/08/03/shady-rat-biggest-cyber-attack/" title="Shady RAT: The biggest ever cyber-attack?">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/shady-rat-the-biggest-ever-cyber-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Targeting the source: FAKEAV affiliate networks</title>
		<link>http://www.infowar-monitor.net/2011/08/targeting-the-source-fakeav-affiliate-networks/</link>
		<comments>http://www.infowar-monitor.net/2011/08/targeting-the-source-fakeav-affiliate-networks/#comments</comments>
		<pubDate>Fri, 26 Aug 2011 13:28:48 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8710</guid>
		<description><![CDATA[<blockquote>
Source: <a title="Targeting the Source: FAKEAV Affiliate Networks" href="http://blog.trendmicro.com/targeting-the-source-fakeav-affiliate-networks/">Targeting the Source: FAKEAV Affiliate Networks</a>
<br /><br />
The operators of malicious networks are continuously monetizing their activities by propagating rogue security software that uses scare tactics to trick unsuspecting users into installing and purchasing fake antivirus software, aka FAKEAV. Although there has been a decline in the FAKEAV volume as a result of the increasing pressure on payment processors that handle credit card transactions for FAKEAV providers, FAKEAV distribution is likely to increase once new connections are made to cooperative payment processors.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a title="Targeting the Source: FAKEAV Affiliate Networks" href="http://blog.trendmicro.com/targeting-the-source-fakeav-affiliate-networks/">Targeting the Source: FAKEAV Affiliate Networks</a></p>
<p>The operators of malicious networks are continuously monetizing their activities by propagating rogue security software that uses scare tactics to trick unsuspecting users into installing and purchasing fake antivirus software, aka FAKEAV.</p>
<p>Although there has been a decline in the FAKEAV volume as a result of the increasing pressure on payment processors that handle credit card transactions for FAKEAV providers, FAKEAV distribution is likely to increase once new connections are made to cooperative payment processors. The money generated through this malicious activity is enormous and those behind the distribution of FAKEAV are continually trying to stay one step ahead of law enforcers and of the security community.</p>
<p>Today, Trend Micro released a research paper that focuses on how FAKEAV affiliate networks operate, what propagation strategies they use, and how much they earn from their malicious activities.</p>
<p>For the full article, see <a title="Targeting the Source: FAKEAV Affiliate Networks" href="http://blog.trendmicro.com/targeting-the-source-fakeav-affiliate-networks/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/targeting-the-source-fakeav-affiliate-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>cHook &#8211; The new CuckooBox Hooking Engine</title>
		<link>http://www.infowar-monitor.net/2011/08/chook-the-new-cuckoobox-hooking-engine/</link>
		<comments>http://www.infowar-monitor.net/2011/08/chook-the-new-cuckoobox-hooking-engine/#comments</comments>
		<pubDate>Wed, 10 Aug 2011 14:38:38 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8742</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://www.honeynet.org/node/755?utm_source=twitterfeed&#038;utm_medium=twitter&#038;utm_campaign=Feed%3A+HoneynetProjectAggregated+%28Blog+postings+from+honeynet.org%29&#038;utm_content=Twitter" title="cHook - The new CuckooBox Hooking Engine">HoneyNet</a>
<br /><br />
Cuckoo Sandbox is a malware analysis system capable of outlining the behavior of a malware sample during its execution. In order to generate such results, Cuckoo hooks a number of selected Windows functions, intercepts their calls and, after storing the relevant information and eventually performing additional actions, returns execution to the original code.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.honeynet.org/node/755?utm_source=twitterfeed&#038;utm_medium=twitter&#038;utm_campaign=Feed%3A+HoneynetProjectAggregated+%28Blog+postings+from+honeynet.org%29&#038;utm_content=Twitter" title="cHook - The new CuckooBox Hooking Engine">HoneyNet</a></p>
<p>Cuckoo Sandbox is a malware analysis system capable of outlining the behavior of a malware sample during its execution. In order to generate such results, Cuckoo hooks a number of selected Windows functions, intercepts their calls and, after storing the relevant information and eventually performing additional actions, returns execution to the original code.</p>
<p>Until now it made use of the latest Microsoft Detours Express. Part of the work of this Google Summer of Code was to implement a custom hooking engine to completely replace the old one.</p>
<p>For the full article, see <a href="http://www.honeynet.org/node/755?utm_source=twitterfeed&#038;utm_medium=twitter&#038;utm_campaign=Feed%3A+HoneynetProjectAggregated+%28Blog+postings+from+honeynet.org%29&#038;utm_content=Twitter" title="cHook - The new CuckooBox Hooking Engine">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/chook-the-new-cuckoobox-hooking-engine/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>APT attackers used Chinese-authored hacker tool to hide their tracks</title>
		<link>http://www.infowar-monitor.net/2011/08/apt-attackers-used-chinese-authored-hacker-tool-to-hide-their-tracks/</link>
		<comments>http://www.infowar-monitor.net/2011/08/apt-attackers-used-chinese-authored-hacker-tool-to-hide-their-tracks/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 17:12:33 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8789</guid>
		<description><![CDATA[<blockquote>
Source: <a title="APT Attackers Used Chinese-Authored Hacker Tool To Hide Their Tracks" href="http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231300171/apt-attackers-used-chinese-authored-hacker-tool-to-hide-their-tracks.html">Dark Reading</a>
<br /><br />
The advanced persistent threat (APT) attackers behind the newly revealed Operation Shady RAT also deployed a tool called HTran that helps disguise their location. Joe Stewart, director of malware research for Dell SecureWorks' counter threat unit research team, has been studying some 60 different families of malware used by APT attackers in their cyberespionage attacks.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a title="APT Attackers Used Chinese-Authored Hacker Tool To Hide Their Tracks" href="http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231300171/apt-attackers-used-chinese-authored-hacker-tool-to-hide-their-tracks.html">Dark Reading</a></p>
<p>The advanced persistent threat (APT) attackers behind the newly revealed Operation Shady RAT also deployed a tool called HTran that helps disguise their location.</p>
<p>Joe Stewart, director of malware research for Dell SecureWorks&#8217; counter threat unit research team, has been studying some 60 different families of malware used by APT attackers in their cyberespionage attacks. He recently discovered a pattern in which many of these attackers use HTran, written 10 years ago by a Chinese hacker, to hide their whereabouts. Stewart, who published research on the tool&#8217;s use today in APT malware, says the Operation Shady RAT attackers are among those who use the tool for camouflaging purposes.</p>
<p>McAfee today unmasked an APT-type attack campaign that has been ongoing worldwide for five years; the attack has stolen intellectual property from 70 government agencies, international corporations, nonprofits, and others in 14 countries.</p>
<p>For the full article, see <a title="APT Attackers Used Chinese-Authored Hacker Tool To Hide Their Tracks" href="http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231300171/apt-attackers-used-chinese-authored-hacker-tool-to-hide-their-tracks.html">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/apt-attackers-used-chinese-authored-hacker-tool-to-hide-their-tracks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Targeted Tracking</title>
		<link>http://www.infowar-monitor.net/2011/07/targeted-tracking/</link>
		<comments>http://www.infowar-monitor.net/2011/07/targeted-tracking/#comments</comments>
		<pubDate>Wed, 27 Jul 2011 19:08:21 +0000</pubDate>
		<dc:creator>shardy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7729</guid>
		<description><![CDATA[Targeted malware attacks as a result of advanced persistent threats (APTs) are not new, especially for human rights organizations. One aspect of targeted malware that is becoming much more common is a greater level of research by attackers about their intended targets. While this research, in general, requires more human interaction, there are ways of [...]]]></description>
			<content:encoded><![CDATA[<div>
<p>Targeted malware attacks as a result of <a href="http://en.wikipedia.org/wiki/Advanced_Persistent_Threat">advanced persistent threats</a> (APTs) are not new, especially for human rights organizations. One aspect of targeted malware that is becoming much more common is a greater level of research by attackers about their intended targets. While this research, in general, requires more human interaction, there are ways of automating some steps in the process of information gathering, sometimes by using the same techniques as the targeted malware itself.</p>
<p>A Tibetan human rights organization recently received an email claiming to be from a person working for the International Campaign for Tibet, sharing a link about the Dalai Lama’s recent visit to the United States. As the message was unsolicited and had a few suspicious features, the organization forwarded the email to us for analysis.</p>
</div>
<div>
<img class="aligncenter" src="https://lh3.googleusercontent.com/92G_6SVI0bwJmIxUiqiSlQPKdUptIMzgJnAjjiMfBBqhvNlT85HDPYMMHurY34qCwym7TFFdHFreCKTQcKKFhZaPLGRidFUf6ROEG03EPuuEYosqOvI" alt="" width="583" height="202" /> </div>
<div class="entry-content">
<p>
A couple of characteristics immediately stand out in the message. The first is that the email address is suspicious: the sender’s name is misspelled, and the message comes from a Yahoo webmail address. The second is that the link address points to a dynamic DNS hostname, which then redirects to the actual page (on tibet.net). Dynamic DNS providers are frequently used to host malware command and control (C2) servers, so that if the IP has to change, the malware will still be able to phone home. An article on a legitimate website should not need to go through a dynamic DNS redirector with a custom ID field. Something is definitely wrong with this email. Checking the headers of the email shows that it originated from the same IP address that the dynamic DNS name points to, and did in fact go through the Yahoo email servers:</p>
</div>
<div><img class="aligncenter" src="https://lh4.googleusercontent.com/Al29XZyBvbSBqmpyB_wY3tGZ7nMyfxsDlpw3IAuRtiYrgu18Za08aUk9tSfgMht9-J3f98Y9w174WpAcrtkgCcExpnA5yPVeV7LnSkLFvPYkRE-GXYk" alt="" width="598" height="81" /><br />
The page in the link is a redirect to the legitimate site:</div>
<div>
<p><img class="aligncenter" src="https://lh6.googleusercontent.com/yphzei9He-4Smg4BM6YfWW6aRgHJ5tEYE5WV6NuIvFvR99Mbwb0q1KnjRlCc_OyrjZ1JcNzW5o_RWbPb1e5lrooINOloafMArTTPD7hapC8QNLIeVpE" alt="" width="620" height="79" /></p>
<p>Note that the ‘id’ field from the original link and the field from the actual article URL are not the same. The value in the original field is not used here, so maybe it is there for another reason? Also note the similarity between the value in the link ‘id’ field and the ‘t’ field in the DKIM-Signature header. The ‘t’ field is a timestamp, so it is a safe assumption that the ‘id’ field value was also generated by a time function.</p>
<p>In addition to the redirect, the page has a little extra something for the user who visits it. Zero-size IFrames are never a good sign:</p>
</div>
<div>
<p><img class="aligncenter" src="https://lh3.googleusercontent.com/D_q_EyQCbO9-Yog5azNZQ4N0IZzLRpvOmWlRwfUDLH3Ftw_5qRyHiPs0AVvCMdQpgoHSVO209DzDQn95Vs7PiMJhQsgK7PxnbSkPK1IbxoAXelLJzf0" alt="" width="500" height="79" /></p>
<p>The content of getinfo.php is JavaScript that profiles the user’s system, specifically looking for versions of programs frequently used in targeted Trojan attacks. In addition to gathering information about Flash, Adobe Acrobat or PDF Plugin, MS Office, and JustSystems Ichitaro, the JavaScript also collects information about the browser, browser plugins, and computer:</p>
</div>
<div style="text-align: left"><img class="aligncenter" src="https://lh4.googleusercontent.com/42QQ5xzHZeY-VPV6YKl-BF4M7IJ7iRVF_O6peDDRbOifAcMMhrW_Wk2f48Od5MJiiTOCXGnaefTiyjaRFPC21ckfMuVhhgJZHeOWafWGOONaL0qXvnU" alt="" width="548" height="386" /><br />

<p>Once the script has collected all of this information, it sends it via another PHP script:</p>
</div>
<div><img class="aligncenter" src="https://lh6.googleusercontent.com/fTLQiMcJZGTla_8wtjC5Uk_SzBNCpVogg256LRDkkhvOTl7dR1tn3th66wviXQE2IYd9F2hoPBGzsAKdmWBx4T9Elk6UPbMkvX9LWqd6zgYcOQuiMTE" alt="" width="694" height="59" /><br />

<p>
This information can be used in developing and personalizing targeted attacks. By profiling the versions of document readers and the browser version, an attacker would be able to craft a targeted attack that is almost guaranteed to succeed on the first try. The ‘id’ field in the original link can be used to connect the information back to the email address to which the link was sent. As it is very likely that the emails were generated and sent with a script, the attacker could now have a large database of targets and their vulnerabilities. It is interesting to see this sort of information gathering without any exploits; it is a sign that the attacker is more interested in stealth and long-term benefit than immediate compromise.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/targeted-tracking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Flash Malware Leads to Poison Ivy RAT on Human Rights Site</title>
		<link>http://www.infowar-monitor.net/2011/07/flash-malware-leads-to-poison-ivy-rat-on-human-rights-site/</link>
		<comments>http://www.infowar-monitor.net/2011/07/flash-malware-leads-to-poison-ivy-rat-on-human-rights-site/#comments</comments>
		<pubDate>Wed, 13 Jul 2011 18:26:01 +0000</pubDate>
		<dc:creator>shardy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Civil Society and NGOs]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[human rights]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7713</guid>
		<description><![CDATA[<blockquote>
In this post we document an instance of a human rights related website being compromised and used to disseminate malware. </blockquote>]]></description>
			<content:encoded><![CDATA[<div>
<p>Human rights and civil society organizations face a growing spectrum of online threats, including Internet filtering, website defacements, denial of service attacks, and targeted malware (malicious software) attacks. Such organizations can be particularly vulnerable to these threats due to limited resources and lack of computer network security support.</p>
<p>Malware attacks in particular are becoming an increasing problem for human rights and civil society groups. Past Information Warfare Monitor research has documented targeted email-based malware attacks on human rights groups and the use of compromised organizational websites to deliver malware to site visitors (see <a href="http://www.infowar-monitor.net/2010/08/human-rights-and-malware-attacks/">Human Rights and Malware Attacks</a>, <a href="http://www.infowar-monitor.net/2009/09/targeted-malware-attack-on-foreign-correspondents-based-in-china/">Targeted Malware Attack on Foreign Correspondents based in China</a>, <a href="http://www.infowar-monitor.net/2010/11/nobel-peace-prize-amnesty-hk-and-malware/">Nobel Peace Prize, Amnesty International HK and Malware</a>). In this blog post we document another instance of a human rights related website being compromised and used to disseminate malware.</p>
<p>While conducting analysis of <a href="http://opennet.net/">OpenNet Initiative</a><sup>1</sup> Internet filtering test results, we found one site<sup>2</sup> covering Chinese human rights issues that triggered an anti-virus alert. The AV program identified a file from the website as Trojan.Swifi. Looking into this issue, we were able to determine that the site had been compromised and was being used to distribute malware to its visitors.</p>
<p>Tracing our browsing history, we first found that one of the site’s pages had an embedded IFrame that looks out of place:<br />
<img src="https://lh6.googleusercontent.com/UQBXjhwUCvB3ipBJSc7jIj1Jgb0XOoc6kRS2v2rDE642tITAqO2p676EqtxsJP4Tk_amRL6mF5WwDZz9_oDOCppeNm_56Jbswk_VH68f_2W_hVBNF1U" alt="" width="800" height="117" /></p>
<p>The frame points to an HTML file on another site, which loads a Flash file (SWF):<br />
<img src="https://lh6.googleusercontent.com/xd8fgI-tFSZz1wbwA_u2n_HuY-F2oHIVUkRCkGsLiVVx8MSy2cpDqGKixXuS1lxXMS9faAs0oOkoFa-oTVEwJV3auT7AYwL5SWQ8EBMuJgimQ2QTRgs" alt="" width="581" height="455" /></p>
<p>The Flash file uses <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2110">CVE-2011-2110</a> (also described in <a href="http://www.adobe.com/support/security/bulletins/apsb11-18.html">APSB11-18</a>) to download and run another program hosted on the same website, without the knowledge or consent of the user. Trojan.Swifi is the name that Symantec gives to this threat. Shadowserver has a good <a href="http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617">writeup</a> on the first appearance of these Flash files being used in the wild, and gives some examples of sites they have found hosting this malware.</p>
<p>The URL of the file to download and run is encoded in the parameter passed to the SWF file in the link:<br />
<img src="https://lh6.googleusercontent.com/aj0l_T2woIeIOl6U4uc47xm7kGPzyy2AENTyGHaCXqGua3ewK5mCV97FIPr7l5k1t4aVMPn5z33q8COHp053DwZDkAoiKHt3igdZun-mFy_wUWUs3YA" alt="" width="800" height="49" /></p>
<p>The file itself is compressed using zlib and XOR encrypted with a one byte key. (The key is easy to determine: look for the zlib two byte header.)</p>
<p>The day after we discovered this issue, the link in the IFrame had been changed. The core of the attack, the Flash file, was still the same. However, the Flash file was hosted on a different server and loaded a slightly different executable program: same functionality, different filename and metadata. The first site was one of the examples listed in the Shadowserver report, which may be the reason why the frame was changed to point to a new location with a new payload.</p>
<p>In both cases, the downloaded program installs <a href="http://www.poisonivy-rat.com/">Poison Ivy</a>, a remote administration tool (RAT).</p>
<p>The Flash file is the same in both cases, as the two payloads have the same encryption and compression format. The URL of the payload is passed as a parameter outside of the Flash program. The MD5 hashes of the two programs and the Flash file are:</p>
<pre>b0b33a68bc9b410b8e58979b0409d466   Flash file</pre>
<pre>First sample:
 c9c58cab8441c07816727a7d9bb77cda  Encrypted + compressed payload
 8ea8b81afa8928da7a12610dfebc57b2  Payload</pre>
<pre>Second sample:
 c99129da6460dc27b0c92f84c8e0c3ed  Encrypted + compressed payload
 baff5ea74cb2b55ea124a20dc6037f19  Payload</pre>
<p>The two downloaded files are slightly different, and have different icons and program information.</p>
<p>Each program contacts a command and control (C2) server using a different dynamic DNS hostname provided by changeip.org (the first using epac.to, the second jetos.com). Both DNS names stopped working within a day, resolving to 0.0.0.0, while the server continues to operate on an ISP in Singapore. The way both were shut down so quickly suggests that this malware has been sent out by more sites than just the Chinese news site on which we discovered it.</p>
<p>Metadata in the first program identifies it as “s1.exe”, while the second is “s3.exe”. Both use “aaaa” as the company name, and “Chinese (PRC)” as the language. The first uses an information bubble as an icon, the second uses a printer icon. s3 also calls itself “flash2” internally, and uses that reference as the dynamic DNS hostname.</p>
<p>It is likely that this C2 server will continue to operate using different dynamic DNS hostnames until it is taken offline by the ISP (assuming the ISP is able and willing to shut it down; so far, the ISP has not responded to the IWM’s abuse reports beyond automated replies from its support ticketing system). Searching records of previously reported malware activity does not show anything specific to the IP that these programs are connecting to, although it does show many connections to IPs in the same netblock. From our initial examination, the network that is hosting this C2 server seems to be ripe for abuse.</p>
<p>Although this is a legitimate news site, any visitor who had not applied the recent Flash APSB11-18 update would have been infected with the Poison Ivy remote administration tool, giving an attacker full access to the victim’s computer. Due to the location of the hosting provider and the dynamic DNS services, it is likely that the command and control server will remain active and this specific threat will persist. Only one line of the legitimate web page needed to be changed in order to compromise every single visitor to the site.</p>
<p>Just as former IWM researcher Nart Villeneuve <a href="http://www.infowar-monitor.net/2010/11/nobel-peace-prize-amnesty-hk-and-malware/">mentioned last November</a>, we can expect attacks to continue against the visitors of human rights websites via the legitimate but compromised websites themselves. In this case, the attack was patched very quickly and was not a 0day when discovered. However, the time it takes in general for vulnerabilities such as CVE-2011-2110 to be patched versus the rate of these exploits becoming weaponized and actively deployed is troublesome. This threat is especially a problem for smaller organizations that do not have dedicated IT staff with an extensive security budget.</p>
</div>
<hr />
<div><sup>1</sup> The OpenNet Initiative (ONI) is a sister project to the Information Warfare Monitor. It is a collaborative partnership of three institutions: the Citizen Lab at the Munk School of Global Affairs, University of Toronto; the Berkman Center for Internet &amp; Society at Harvard University; and the SecDev Group (Ottawa). The objective of the ONI is to investigate, expose and analyze Internet filtering and surveillance practices in a credible and non-partisan fashion.</div>
<div><sup>2</sup> We are choosing not to identify the website, by request of the website owner, due to ongoing attacks.</div>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/flash-malware-leads-to-poison-ivy-rat-on-human-rights-site/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>India Turns To China To Fight Cyberspies</title>
		<link>http://www.infowar-monitor.net/2011/06/india-turns-to-china-to-fight-cyberspies/</link>
		<comments>http://www.infowar-monitor.net/2011/06/india-turns-to-china-to-fight-cyberspies/#comments</comments>
		<pubDate>Tue, 28 Jun 2011 17:11:10 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7680</guid>
<description><![CDATA[<blockquote>Source: <a href="http://www.fastcompany.com/1763715/india-turns-to-china-to-fight-cyberspies?partner=rss" target="_blank">Fast Company</a>

The Indian government is teaming up with Chinese tech giant Huawei to search imported smartphones and communications devices for signs of malware and spyware. However, some Indians are nervous because of Huawei's close ties to the People's Liberation Army and fear that the firm could be complicit in cyberattacks.

Huawei recently opened a research lab at Bangalore's Indian Institute of Science that will be expanded shortly. But opening a joint Indian-Chinese cybersecurity lab also presents problems for Huawei. The mobile-phone provider, which was named one of Fast Company's Most Innovative Companies of 2010, will be operating in an environment where it will be easy for Indians to observe Huawei's techniques and corporate goings-on.

The lab was reportedly opened by request of Indian intelligence services, who fear that foreign governments and corporations could use mobile-phone technology for espionage purposes. The lab's tender requires it to test all imported mobile phones and handsets and equipment for built-in spyware and malware. It is not clear if the laboratory will also be involved in the testing of smartphone applications and for-purchase software for conventional mobile phones.

For full original article, see <a href="http://www.fastcompany.com/1763715/india-turns-to-china-to-fight-cyberspies?partner=rss" target="_blank">here</a></blockquote>
]]></description>
<content:encoded><![CDATA[<p>Source: <a href="http://www.fastcompany.com/1763715/india-turns-to-china-to-fight-cyberspies?partner=rss" target="_blank">Fast Company</a></p>
<p>The Indian government is teaming up with Chinese tech giant Huawei to search imported smartphones and communications devices for signs of malware and spyware. However, some Indians are nervous because of Huawei&#8217;s close ties to the People&#8217;s Liberation Army and fear that the firm could be complicit in cyberattacks.</p>
<p>One journalist, Joji Thomas Philip of India&#8217;s Economic Times, calls it “rather like letting the fox in to guard the henhouse.”</p>
<p>Huawei recently opened a research lab at Bangalore&#8217;s Indian Institute of Science that will be expanded shortly. But opening a joint Indian-Chinese cybersecurity lab also presents problems for Huawei. The mobile-phone provider, which was named one of Fast Company&#8217;s Most Innovative Companies of 2010, will be operating in an environment where it will be easy for Indians to observe Huawei&#8217;s techniques and corporate goings-on.</p>
<p>The lab was reportedly opened by request of Indian intelligence services, who fear that foreign governments and corporations could use mobile-phone technology for espionage purposes. The lab&#8217;s tender requires it to test all imported mobile phones and handsets and equipment for built-in spyware and malware. It is not clear if the laboratory will also be involved in the testing of smartphone applications and for-purchase software for conventional mobile phones.</p>
<p>&#8230;</p>
<p>For full original article, see <a href="http://www.fastcompany.com/1763715/india-turns-to-china-to-fight-cyberspies?partner=rss" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/06/india-turns-to-china-to-fight-cyberspies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Oak Ridge National Lab shuts down Internet, email after cyberattack</title>
		<link>http://www.infowar-monitor.net/2011/04/oak-ridge-national-lab-shuts-down-internet-email-after-cyberattack/</link>
		<comments>http://www.infowar-monitor.net/2011/04/oak-ridge-national-lab-shuts-down-internet-email-after-cyberattack/#comments</comments>
		<pubDate>Thu, 21 Apr 2011 12:51:09 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7171</guid>
<description><![CDATA[Source: <a href="http://www.computerworld.com/s/article/9215962/Oak_Ridge_National_Lab_shuts_down_Internet_email_after_cyberattack" target="_blank">Jaikumar Vijayan</a>, Computer World
<blockquote>

The Oak Ridge National Laboratory, home to one of the world's most powerful supercomputers, has been forced to shut down its email systems and all Internet access for employees since late last Friday, following a sophisticated cyberattack.

The restrictions on Internet access will remain in place until those investigating the attack know for sure that it has been completely contained, said Barbara Penland, ORNL's director of communications.</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.computerworld.com/s/article/9215962/Oak_Ridge_National_Lab_shuts_down_Internet_email_after_cyberattack" target="_blank">Jaikumar Vijayan</a>, Computer World</p>
<p>The Oak Ridge National Laboratory, home to one of the world&#8217;s most powerful supercomputers, has been forced to shut down its email systems and all Internet access for employees since late last Friday, following a sophisticated cyberattack.</p>
<p>The restrictions on Internet access will remain in place until those investigating the attack know for sure that it has been completely contained, said Barbara Penland, ORNL&#8217;s director of communications.</p>
<p>The lab is expected to restore external email service sometime on Wednesday, however no attachments will be allowed for the time being.</p>
<p>Penland said several other national laboratories and government organizations were targeted in the same attacks, which appear to have been launched earlier this month.</p>
<p>The measures at Oak Ridge were implemented late on Friday night after initial investigations showed that those behind the attacks were attempting to steal technical data from lab&#8217;s systems and send it to an external system, Penland said.</p>
<p>So far, though, it appears that no significant amount of data has been stolen. Penland said investigators believe that whoever was behind the attacks managed to steal less than 1GB of data.</p>
<p>Penland said that there is nothing to show yet where the attacks originated from, or who might have been behind them.</p>
<p>The attacks were launched through phishing emails that were sent to about 573 lab employees. The emails were disguised to appear as if they came from the lab&#8217;s HR department and purported to inform employees of some benefits-related changes.</p>
<p>The emails contained a link that employees were asked to click on for further information.</p>
<p>Some employees appear to have clicked on the link resulting in an information-stealing malware program being downloaded on their systems.</p>
<p>Penland did not offer any more details on the malware itself. But a story in Knoxnews.com quoted ORNL director Thom Mason as saying the malware program exploited a zero-day vulnerability in Internet Explorer.</p>
<p>The story quoted Mason as describing the attack as a sophisticated Advanced Persistent Threat (APT), designed to gain a foothold on the lab&#8217;s networks and then to quietly look for and steal specific types of information.</p>
<p>&#8220;If you look at this APT, it is much more sophisticated than what was being used a few years ago,&#8221; Mason told Knoxnews.com. &#8220;Certainly what we&#8217;ve seen is very consistent with the RSA attack,&#8221; he said referring to an attack on RSA a few weeks ago that resulted in data relating to the company&#8217;s SecurID two-factor authentication technology being stolen.</p>
<p>Almost all of the lab&#8217;s 200 IT staff are currently engaged in either investigating the attacks or ensuring that other systems remain available, Penland said. Staff from other national laboratories are also helping in the investigations, she said. At the moment, the attacks are the subject of an IT investigation only and not a criminal one.</p>
<p>Penland said that the attacks appear to have been directed at Oak Ridge&#8217;s business systems. The lab&#8217;s supercomputers, including the world&#8217;s most powerful system, the 1.75-petaflop Jaguar, have been unaffected by the attacks and continue to operate normally.</p>
<p>As of this afternoon, the attacks appear to have been contained, she added. &#8220;Keeping the Internet down is a precaution to make sure that nothing gets out as we investigate further.&#8221;</p>
<p>The email and Internet shutdown has forced employees to rely on fax machines and phone calls to communicate with the outside world since last Friday, she said.</p>
<p>APTs of the sort described by Mason are highly targeted, low intensity attacks designed to conduct espionage and to steal information from high-value targets. The attacks, many of which are believed to originate in China, were initially targeted at U.S. Air Force and government networks.</p>
<p>Over the last 18 months or so, a growing number of private companies have reported being victims of APTs as well. The most notable was Google, which last year accused China of launching APT attacks against it to steal its IP.</p>
<p>The security vendor RSA claimed recently that it was the victim of an APT attack after intruders broke into its networks and stole data on its SecurID technology.</p>
<p>Oak Ridge National Laboratory&#8217;s status as a Department of Energy-funded lab, and the work it is doing especially in the area of supercomputers, makes it a prime target for an APT attack, said Rich Mogull, an analyst with Securosis.</p>
<p>The breach described by Oak Ridge certainly appears to fit into the classic mold of an APT attack in which attackers first try to compromise systems using highly targeted phishing mails and then drop zero-day malware to snoop on and steal data, Mogull said.</p>
<p>But until more details are released it is hard to know for sure, other analysts said.</p>
<p>&#8220;The term &#8216;Advanced Persistent Threat&#8217; is definitely being overhyped and used as an excuse way too often, as in &#8216;Well, it wasn&#8217;t really our fault it was an Advanced Persistent Threat&#8217;,&#8221; said John Pescatore an analyst at Gartner. &#8220;Advanced simply means it got past your defenses and persistent means it took you too long to detect it once it got in.&#8221;</p>
<p>Pete Lindstrom, an analyst with Spire Security, said the term APT is often used these days as a face-saving measure. &#8220;The definition of APT is so sufficiently muddled that anyone can claim APT and be right in some sense and wrong in another,&#8221; he said. &#8220;The proof is in the defenses that could have prevented it &#8212; if they are fundamental security measures then the notion of APT has no meaning.&#8221;</p>
<p>This is the second time that Oak Ridge has fallen victim to a phishing attack. In 2007, hackers gained access to a non-classified database after infecting internal systems via phishing emails.</p>
<p>That compromise resulted in the personal data, including Social Security numbers of visitors to the laboratory, being compromised.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/04/oak-ridge-national-lab-shuts-down-internet-email-after-cyberattack/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

