Posts Tagged ‘cybersecurity’
Is The New TDL-4 Botnet Really ‘Indestructible?’
An elusive malware program has quietly co-opted more than four million PCs, and no one seems to know how to stop it.

There’s no question that Golovanov and Soumenkov know their stuff, and their analysis of the emerging TDL-4 threat is thorough. But can a malicious program really be indestructible?
What is TDL-4?
TDL-4 is the fourth generation of the TDL malware (Kaspersky also identifies the family as TDSS), and Golovanov and Soumenkov call it “the most sophisticated threat today.” In that, we can likely agree with them. TDL-4 packs all kinds of neat/scary tricks to conceal itself deep within hard drives, evading most virus scanning software as well as more proactive detection methods. It communicates in encrypted code, and contains a serious rootkit component--a rootkit being a program that allows an operator access to a computer even while hiding itself from the user, network administrators and automated security measures.
TDL-4 isn't a botnet itself, but it's malicious because it facilitates the creation of a botnet--a network of infected computers that can be used in concert to carry out tasks like distributed denial-of-service attacks (which have been used to take down many major servers, including The Pirate Bay, Twitter, Facebook, and MasterCard.com), the installation of adware and spyware, or spamming. It currently has 4.5 million machines under its control and counting. The infecting file is usually found lurking around adult sites, pirated media hubs, and video and media storage sites.
What Makes It “Indestructible?”
Golovanov and Soumenkov summarize this nicely: "The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and antivirus companies."
First things first: location, location, location. Once inside, TDL-4 takes up residence in the master boot record (MBR), which means it can run before the computer is actually booted up. The MBR is also rarely combed over by a standard anti-virus scanner, giving TDL added invisibility.
Then, TDL-4 does something else quite clever: it runs its own anti-virus program. The software contains code to remove around 20 of the most common malicious programs, wiping an infected machine clean of everyday malware that might draw a user’s attention or cause an administrator to take a closer look. It can then download whatever malicious software it wants to in the place of the deleted programs. This version of TDL-4 also has added modules, like one that “fraudulently manipulates advertising systems and search engines” and another that establishes proxy servers on infected machines, which can be used to facilitate and hide other malicious cyber actions.
But critical to TDL-4’s indestructibility is the way it communicates between bots. There are a few things at play here. First, and perhaps most central, is a clever algorithm that encrypts the communication protocol between bots and the botnet command. This makes it virtually pointless to monitor traffic between the command server and infected machines.
But couldn’t you trace those commands, encrypted though they may be, back to the source to catch the bad guys? TDL-4 has a trick up its sleeve here as well, this time in the form of a public peer-to-peer file sharing network called Kad. TDL-4’s creators can issue several commands to their bot machines over this P2P network. This is key, because it means that if TDL-4’s command servers get shut down, the program’s creators can still access all the infected machines out there. In essence, command servers aren’t really necessary at all. Destroying TDL-4 at the source is more or less impossible, because the source is distributed across the botnet network. There really is no single source.
But Is It Really “Indestructible?”
Writing for Infoworld today, Roger Grimes says: “As a 24-year veteran of the malware wars, I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to. It may take months or years to kill off something, but eventually the good guys get it right.”
Grimes’ approach is the level-headed one. At one point Conficker was going to destroy the entire Internet as we knew it, but here we are today getting our daily dose of carefree lulz on the Web. TDL-4 will continue to confound and frustrate security experts for years most likely. But this too shall pass.
But that doesn’t mean Golovanov and Soumenkov are necessarily wrong to call TDL-4 “indestructible.” Perhaps the most noteworthy part of its title is the “4.” It’s just one bad seed in a malicious multigenerational family.
“We have reason to believe that TDSS will continue to evolve,” the researchers write. “The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware running prior to operating system start launches, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more — place TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware.”
That is, until TDL-5.
New Botnet, Now 4.5 Million Machines Strong, is ‘Practically Indestructible’

For the unfamiliar: botnets are networks of computers that have been infiltrated by a malicious program that allows the machines to be manipulated remotely by the program’s owner, often in concert to carry out cyber attacks or to do large-scale spamming. Security firms around the world have been cracking down on botnets lately, and their success has been fairly remarkable.
But in eradicating a lot of simpler botnets, security experts may have tipped their hands. TDL-4 hides in places other botnets generally don’t, deep within systems where most virus scanning software doesn’t look. And it communicates in ways that are new to most cyber-cops, talking in what appears to be a novel encryption scheme conjured by TDL’s overseers.
Cyber security firms can’t crack it, and so monitoring traffic between the handlers and their network of infected machines doesn’t help much. Further, the botnet communicates over a public peer-to-peer network, so there’s no centralized server doling out commands that investigators can trace.
To quote Kaspersky Labs security researchers Sergey Golovanov and Igor Soumenkov at the conclusion of their analysis of TDL-4, “the decentralized, server-less botnet is practically indestructible.”
After Hack, Oak Ridge National Lab Finds Data Breach, Pulls Its Internet Plug
The attack was sophisticated, ORNL’s deputy director said, akin to the attacks that hit Google last year and security firm RSA just last month. The malware got inside through a pretty standard spear-phishing scheme in which an email posing as a note from human resources linked users to a malicious Web page that installed malware to their terminals.
Of 530 emails sent (out of about 5,000 total workers) only 57 users clicked through. From those, only two machines were actually compromised. But that was enough. On April 11 admins noticed a server was breached when data began flowing outward, but they were able to quickly head that attack off and disinfect the server. But apparently another set of code was laying dormant elsewhere in the system, and on Friday evening it began exfiltrating data from a number of servers.
That’s when ORNL security pulled the plug on the Internet. As of yesterday, limited email has been restored for ORNL workers, but the investigation is ongoing. Given that cybersecurity is one of ORNL’s research foci, the attack could be construed as ironic. Or it could be construed as a security success, given that very little data actually made it off the ORNL servers before the breach was detected and the plug pulled.
Still, someone--and investigators, at least publicly, say they have no idea who--got inside. Considering ORNL also researches nuclear technology and dabbles in other classified areas alongside its better-known unclassified work, that’s more than a little worrisome.
Stuxnet Worm is a “Game Changer” for Global Cybersecurity, Top U.S. Official Tells Senate

We already knew Stuxnet was unprecedented, but it’s what is unknown about it that makes it so unsettling. The code can enter systems undetected, steal information or alter processes, and basically live there causing a mess of things while the system appears to security software to be working properly. But authorities don’t know where the Stuxnet worm came from, or what it was specifically designed to attack, McGurk told Senators.
That last part is debatable. While there is still a degree of uncertainty about Stuxnet’s aims, cybersecurity firm Symantec released a report Friday saying that all evidence points to Iran as the target of the worm. “Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant,” the report reads. “The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries.”
Symantec researchers were able to deduce this from the fact that Stuxnet requires specific industrial control systems from very specific vendors (one in Finland, the other in Tehran) to work, and more than 60 percent of infections have been reported in Iran (there have been approximately 44,000 unique infections reported; just 1,600 are in the United States). That has led to speculation that Stuxnet was designed to sabotage Tehran’s controversial uranium enrichment program.
Still, global security experts appear no closer to pinpointing a source of the attack, which is a serious threat to systems that control infrastructure like power grids and pipelines around the globe. That’s more than a little unsettling in a wired world. According to one cybersecurity expert, “we’re not only susceptible, but we’re not very well prepared.”
Chinese Telecom Company Hijacked 15 Percent of Internet
NASA, DOD, Senate traffic re-routed through Chinese servers last spring, study finds

We don’t yet know what this means — the U.S.-China Economic and Security Review Commission, which released a report on the incident today, says it is unclear whether it was intentional or just an accident — but at the very least, it’s one more piece of disturbing evidence showing the U.S. is vulnerable to cyberattack.
The hijacking was reported when it first happened, but this is the first acknowledgement that American government sites were affected. Along with the military and organizations like NASA and NOAA, the redirect affected commercial websites like Dell, Yahoo, Microsoft and IBM, according to ABC News, which broke the story this morning.
It’s not clear what happened to the data once it was rerouted through China Telecom, which is denying any hijack of Internet traffic. It could have been a pure technical error that “advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers,” as the report puts it.
Whether or not this was an innocent mistake, it’s clear the capability to reroute huge streams of data could enable malicious activities. Given Chinese entities’ Internet history, this is not good news. Remember last January’s attack, intended to get human rights activists’ e-mail addresses?
From the report: “This level of access could enable surveillance of specific users or sites. It could disrupt a data transaction and prevent a user from establishing a connection with a site. It could even allow a diversion of data to somewhere that the user did not intend.”
Government officials are claiming their traffic was encrypted, so they have nothing to fear. But when members of Congress are warning that the U.S. will suffer a cyberattack, incidents like this should sound the alarm.
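The report describes the incident as “erroneous network traffic routes” being advertised, which is what BGP origin validation is meant to catch. The following is an added example, not code from the article or the Commission’s report: it applies a simplified RFC 6811-style origin check to a few constructed BGP updates, using a hypothetical authorized-origin table (the prefixes and AS numbers are documentation ranges, not real networks).

```python
import ipaddress

# Constructed ROA-style table (hypothetical, not real registry data):
# prefix -> (authorized origin AS, maximum prefix length allowed)
AUTHORIZED = {
    "192.0.2.0/24": (64500, 24),
    "198.51.100.0/22": (64501, 24),
}

def validate(prefix, origin_as):
    """Classify one announcement as 'valid', 'invalid' or 'not-found',
    following the RFC 6811 origin-validation states (simplified)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, (asn, maxlen) in AUTHORIZED.items():
        roa = ipaddress.ip_network(roa_prefix)
        if net.version != roa.version or not net.subnet_of(roa):
            continue
        covered = True  # some authorization covers this address space
        if asn == origin_as and net.prefixlen <= maxlen:
            return "valid"
    # Covered by a ROA but from the wrong origin or too specific: invalid.
    # No covering ROA at all: unknown, so not treated as a hijack here.
    return "invalid" if covered else "not-found"

# Constructed BGP updates as they might appear in a route-collector feed:
# (prefix, AS_PATH as a list); the origin AS is the last element of the path
UPDATES = [
    ("192.0.2.0/24", [64496, 64497, 64500]),   # legitimate origin
    ("192.0.2.0/25", [64496, 64499]),          # more-specific, wrong origin
    ("198.51.100.0/22", [64496, 64501]),       # legitimate origin
    ("203.0.113.0/24", [64496, 64502]),        # no ROA covers it
]

def find_hijacks(updates):
    """Return [(prefix, origin_as)] for every update judged 'invalid'."""
    hits = []
    for prefix, as_path in updates:
        origin = as_path[-1]
        if validate(prefix, origin) == "invalid":
            hits.append((prefix, origin))
    return hits

if __name__ == "__main__":
    for prefix, path in UPDATES:
        print(prefix, path[-1], validate(prefix, path[-1]))
    print("suspect announcements:", find_hijacks(UPDATES))
```

A real deployment would feed this from an RPKI validator cache rather than a hard-coded table, and would alert rather than simply list the invalid routes.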
Advanced Computer Worm Was Specifically Designed to Attack Iranian Nuclear Reactor, Experts Say
And the culprit is likely a nation-state

Researchers studying the worm say it was built by an advanced attacker with plentiful resources — possibly a nation-state. Initially, experts thought it was designed for industrial espionage, but upon examining its code, they now think it was built for sabotage.
Ralph Langner, an expert on industrial systems security, has been studying Stuxnet since it was first discovered at a Belarus-based security firm in June. In an analysis, he said the worm was most likely assembled by a team of experts with heavy insider knowledge: “This is not some hacker sitting in the basement of his parents’ house. To me, it seems that the resources needed to stage this attack point to a nation state,” he wrote.
He speculates that the target is Iran’s Bushehr reactor, currently under construction. To reach this conclusion, he partly relied upon an image of the reactor’s operations plant, showing Siemens PLC software.
Stuxnet has targeted Siemens-operated industrial facilities like power plants and chemical factories. It has spread by copying itself to new networks protected by weak passwords, according to a news release from a network security firm.
As has been reported, once Stuxnet identifies a target, it changes a specific piece of Siemens code that monitors critical operations — “things that need a response within 100 milliseconds.” By changing this crucial piece of code, Stuxnet could cause equipment to malfunction, sabotaging a refinery or factory.
So far, no one has ventured to guess which nation might have built Stuxnet. But PCWorld recalled speculation from last summer that Israeli officials were contemplating a strike.
Langner wrote that whoever built the worm is going to get caught, because cyber-forensics will eventually smoke them out. They must not care about going to jail, he wrote.
If they represent a nation-state, there might be much bigger things to worry about — could Stuxnet represent an opening salvo in a cyber war?
DARPA’s Cyber Insider Threat Program Is the Agency’s Great Hope for Ending Leaks

To quote DARPA’s request for industry solicitations: “The goal of CINDER will be to greatly increase the accuracy, rate and speed with which insider threats are detected and impede the ability of adversaries to operate undetected within government and military interest networks.”
The philosophy driving CINDER is the idea that singular actions by an insider with malicious intent aren’t noticeable as malicious – say, the downloading of a sensitive document from a DoD server or the searching for information on a particular topic. But the larger adversary mission should be noticeable when compared to normal mission activities. By monitoring strings of actions rather than isolated events, CINDER is expected to pinpoint system users who may be up to something malicious.
CINDER assumes that insiders are operating within the Pentagon’s most sensitive networks, so rather than focus on keeping outside threats out, it will be designed to weed out those already inside. As others have pointed out, it seems like a recipe for false positives, but DARPA seems to think a properly-designed CINDER will be able to distinguish between normal and malicious mission contexts.
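The idea that a single download is unremarkable but an ordered chain of actions is not can be shown in a few lines of detection logic. This is an added example, not DARPA’s or any CINDER contractor’s code: it runs a sequence detector over constructed audit events, where the stage names, the window and the events themselves are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed audit events (not real logs): (timestamp, user, action, target)
EVENTS = [
    ("2010-10-01 09:02", "alice", "search",         "topic:project-x"),
    ("2010-10-01 09:10", "alice", "download",       "doc:project-x-plan"),
    ("2010-10-01 09:15", "alice", "copy_removable", "doc:project-x-plan"),
    ("2010-10-01 10:00", "bob",   "download",       "doc:project-x-plan"),
    ("2010-10-01 14:00", "carol", "search",         "topic:project-x"),
    ("2010-10-02 16:30", "carol", "copy_removable", "doc:other"),
]

# Hypothetical ordered stages that, taken together, look like a collection
# mission. Any one of them on its own is routine and never fires an alert.
STAGES = ["search", "download", "copy_removable"]
WINDOW = timedelta(hours=1)

def parse(events):
    """Turn the string timestamps into datetimes, sorted by time."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), user, action, target)
                  for ts, user, action, target in events)

def detect_missions(events, stages=STAGES, window=WINDOW):
    """Return {user: (first_stage_time, last_stage_time)} for each user whose
    event stream contains every stage, in order, inside `window`."""
    by_user = {}
    for ts, user, action, _target in parse(events):
        by_user.setdefault(user, []).append((ts, action))
    flagged = {}
    for user, evs in by_user.items():
        for i, (t0, a0) in enumerate(evs):
            if a0 != stages[0]:
                continue          # a chain must start with the first stage
            stage = 1
            for t, a in evs[i + 1:]:
                if t - t0 > window:
                    break         # too slow: treated as unrelated activity
                if a == stages[stage]:
                    stage += 1
                    if stage == len(stages):
                        flagged[user] = (t0, t)
                        break
            if user in flagged:
                break
    return flagged

if __name__ == "__main__":
    print(detect_missions(EVENTS))   # only alice completes the chain
```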
We’ll see. In the meantime, while DARPA works CINDER into serviceable shape, the DoD is expected to roll out a new cyber strategy by year’s end to hopefully curtail the kinds of massive leaks and cyber breaches that have been the embarrassment of the Pentagon lately.