Tuesday, February 11, 2014

Cyber Weapon : Duqu

I have been analyzing a malware threat identified as the Duqu trojan. This Trojan horse has received a great deal of attention because it is similar to the infamous Stuxnet worm of 2010. I had put countermeasures in place to detect Duqu C2 traffic, and they continue to monitor for new Duqu samples and update protections as needed.
What is Duqu?
The Duqu trojan is composed of several malicious files that work together for a malicious purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLL files implement the main payload of Duqu, which is a remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised computer and to download and run additional programs.
In addition to the RAT, another piece of malware was recovered with Duqu in one instance. This malware is an information stealer designed to log user keystrokes and other information about the infected system. This piece of malware is believed to be related due to programming similarities with the main Duqu executables.
What is the relationship to Stuxnet?
There has been much speculation that Duqu is a new version of Stuxnet or that it was written by the same authors. There are several factors that could influence these speculations:
  • Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Link Library) files. The kernel drivers serve as an "injection" engine to load these DLLs into a specific process. This technique is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats.
  • Encrypted DLL files are stored using the .PNF extension. This is normally the extension Microsoft Windows uses for precompiled setup information files. The commonality exists due to the kernel driver implementation being similar.
  • The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files. Again, these techniques are not unique to either Duqu or Stuxnet and have been observed in other unrelated threats.
  • Both Stuxnet and Duqu have variants where the kernel driver file is digitally signed using a software signing certificate. One variant of the Duqu kernel driver was signed by a certificate from C-Media Electronics Incorporation. An unsigned Duqu kernel driver claimed to be a driver from the JMicron Technology Company, which was the same company whose software signing certificate was used to sign one of the Stuxnet kernel driver files. The commonality of a software signing certificate is insufficient evidence to conclude the samples are related because compromised signing certificates can be obtained from a number of sources. One would have to prove the sources are common to draw a definitive conclusion.
| Attribute | Duqu | Stuxnet |
|---|---|---|
| Infection Methods | Unknown | USB (Universal Serial Bus); PDF (Portable Document Format) |
| Dropper Characteristics | Installs signed kernel drivers to decrypt and load DLL files | Installs signed kernel drivers to decrypt and load DLL files |
| Zero-days used | None yet identified | Four |
| Command and Control | HTTP, HTTPS, Custom | HTTP |
| Self propagation | None yet identified | P2P (Peer to Peer) using RPCs (Remote Procedure Call); Network Shares; WinCC Databases (Siemens) |
| Data exfiltration | Add-on, keystroke logger for user and system info stealing | Built-in, used for versioning and updates of the malware |
| Date triggers to infect or exit | Uninstalls self after 36 days | Hard coded, must be in the following range: 19790509 => 20120624 |
| Interaction with control systems | None | Highly sophisticated interaction with Siemens SCADA control systems |
Table 1. Comparison of Duqu and Stuxnet.
Both Duqu and Stuxnet are highly complex programs with multiple components. All of the similarities from a software point of view are in the "injection" component implemented by the kernel driver. The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated. One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship. The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level.
Does Duqu target industrial control systems?
Unlike Stuxnet, Duqu does not contain specific code that pertains to supervisory control and data acquisition (SCADA) components such as programmable logic controllers (PLCs). Duqu's primary purpose is to provide an attacker with remote access to a compromised computer, including the ability to run arbitrary programs. It can theoretically be used to target any organization.
Is there any evidence in the code indicating specific targets?
Duqu facilitates an adversary's ability to gather intelligence from an infected computer and the network. I have not identified any specific market segments, technologies, organizations or countries that are targeted by the Duqu malware.
What are indicators of a Duqu infection?
The Duqu trojan attempts to use the network to communicate with a remote command and control (C2) server to receive instructions and to exfiltrate data. Analysis of Duqu revealed that it uses the 206.183.111.97 IP address as its C2 server. This IP address is located in India and has been shut down by the hosting provider. Also, Duqu may attempt to resolve the kasperskychk.dyndns.org domain name. The resulting IP address is not used for communications, so this lookup may serve as a simple Internet connectivity check. Administrators should monitor their network for systems attempting to resolve this domain or connect to the C2 IP address for possible infection.
Duqu uses multiple protocols to communicate with its C2 server, including standard HTTP on TCP port 80 and a custom protocol on TCP port 443. Some of Duqu's communications that use TCP port 443 do not use the HTTPS protocol. Organizations may be able to monitor egress traffic through proxy servers or web gateways and investigate network traffic that does not conform to the SSL (Secure Sockets Layer) specification. Non-SSL traffic on port 443 is commonly observed with other threats, and this behavior is not exclusive to Duqu.
I am aware of the following files that may be installed by the Duqu trojan. The byproducts in Table 2 have been collected from multiple Duqu variants and would not be present on a single infected computer.
| Name | File Size | MD5 |
|---|---|---|
| jminet7.sys | 24,960 bytes | 0eecd17c6c215b358b7b872b74bfd800 |
| netp191.pnf | 232,448 bytes | b4ac366e24204d821376653279cbad86 |
| netp192.pnf | 6,750 bytes | 94c4ef91dfcd0c53a96fdc387f9f9c35 |
| cmi4432.sys | 29,568 bytes | 4541e850a228eb69fd0f0e924624b245 |
| cmi4432.pnf | 192,512 bytes | 0a566b1616c8afeef214372b1a0580c7 |
| cmi4464.pnf | 6,750 bytes | e8d6b4dadb96ddb58775e6c85b10b6cc |
| <unknown> (sometimes referred to as keylogger.exe) | 85,504 bytes | 9749d38ae9b9ddd81b50aad679ee87ec |
| nfred965.sys | 24,960 bytes | c9a31ea148232b201fe7cb7db5c75f5e |
| nred961.sys | unknown | f60968908f03372d586e71d87fe795cd |
| adpu321.sys | 24,960 bytes | 3d83b077d32c422d6c7016b5083b9fc2 |
| iaStor451.sys | 24,960 bytes | bdb562994724a35a1ec5b9e85b8e054f |
Table 2. Byproducts of Duqu.
The name "Duqu" was assigned to this malware because the keylogger program creates temporary files that begin with the prefix "~DQ". A computer infected with Duqu may have files beginning with "~DQ" in Windows temporary directories.
How do Duqu infections occur?
The mechanism by which Duqu infections occur is unknown. Current analysis of Duqu has not revealed any ability to infect additional systems like the Stuxnet worm could. In addition, all of the Duqu files I have analyzed would likely have been installed by an initial installer or "dropper" malware. None of the original installers have been recovered. The recovery of one of these installers may help provide clues to how Duqu infections occurred.
Is Duqu an advanced persistent threat (APT)?
I don’t identify individual tools as APT. APT is a threat actor or actors targeting an organization for assets of interest. An APT involves planning by the adversary, teams with specialized roles, multiple tools, patience and persistence. While Duqu does provide capabilities used by other tools observed in APT-related intrusions, an assessment of the particular threat requires knowledge of the adversary, targeted organization and assets and the scope of attacks.
Is antivirus and antimalware protection sufficient for detecting Duqu?
Since its discovery, security vendors have worked to improve their ability to detect Duqu. However, the author may simply release newer variants that are no longer detected by antivirus and antimalware products.
What can I do to protect my organization from Duqu?
  • Administrators should use host-based protection measures, including antivirus and antimalware, as part of a holistic security process that includes network-based monitoring and controls, network segmentation and policies, user access, and controls to help mitigate the threat of malware like Duqu.
  • A computer infected with Duqu may have files beginning with "~DQ" in Windows temporary directories.
  • Organizations may want to monitor egress traffic through proxy servers or web gateways and investigate network traffic that does not conform to the SSL (Secure Sockets Layer) specification. Non-SSL traffic on port 443 is commonly observed with other threats, and this behavior is not exclusive to Duqu.
  • Administrators should monitor their network for systems attempting to resolve Duqu-related domains or connect to Duqu C2 IP addresses for possible infection.
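The indicators described under "What are indicators of a Duqu infection?" and in the list above can be combined into one triage pass over normalized telemetry. The following is an added example, not code from the original post: the event schema, host names and sample events are constructed for illustration, and only the C2 IP address, the domain name and the "~DQ" prefix come from the article.

```python
import ntpath

# Indicators quoted in the article; everything else below is constructed.
C2_IPS = {"206.183.111.97"}
LOOKUP_DOMAINS = {"kasperskychk.dyndns.org"}


def looks_like_tls(first_bytes):
    """Return True if a client's first payload bytes resemble an SSL/TLS hello."""
    if len(first_bytes) < 3:
        return False
    # SSLv3/TLS record header: type 0x16 (handshake), version 3.0 through 3.4.
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04:
        return True
    # SSLv2-style hello: high bit set in the length, message type 1.
    return bool(first_bytes[0] & 0x80) and first_bytes[2] == 0x01


def is_dq_temp_file(path):
    """Return True for a file named ~DQ* that sits under a Temp directory."""
    directory, name = ntpath.split(path)
    in_temp = "temp" in directory.lower().split("\\")
    return in_temp and name.lower().startswith("~dq")


def triage(events):
    """Map normalized events to a sorted list of (host, indicator) findings."""
    findings = set()
    for ev in events:
        host = ev["host"]
        if ev["type"] == "dns":
            if ev["query"].rstrip(".").lower() in LOOKUP_DOMAINS:
                findings.add((host, "dns_lookup"))
        elif ev["type"] == "conn":
            if ev["dst_ip"] in C2_IPS:
                findings.add((host, "c2_ip"))
            payload = bytes.fromhex(ev.get("first_bytes", ""))
            # Not exclusive to Duqu: treat as a lead to investigate.
            if ev["dst_port"] == 443 and payload and not looks_like_tls(payload):
                findings.add((host, "non_tls_443"))
        elif ev["type"] == "file":
            if is_dq_temp_file(ev["path"]):
                findings.add((host, "dq_temp_file"))
    return sorted(findings)


# Constructed sample events (hypothetical schema and hosts).
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws-01", "query": "kasperskychk.dyndns.org."},
    {"type": "dns", "host": "ws-02", "query": "www.example.com"},
    {"type": "conn", "host": "ws-01", "dst_ip": "206.183.111.97", "dst_port": 80},
    {"type": "conn", "host": "ws-03", "dst_ip": "198.51.100.20", "dst_port": 443,
     "first_bytes": "16030100c8010000c4"},   # TLS handshake record
    {"type": "conn", "host": "ws-04", "dst_ip": "198.51.100.21", "dst_port": 443,
     "first_bytes": "00112233"},             # constructed non-TLS bytes
    {"type": "file", "host": "ws-01", "path": r"C:\Windows\Temp\~DQ_constructed.tmp"},
    {"type": "file", "host": "ws-02", "path": r"C:\Users\alice\Documents\~DQnotes.txt"},
]

if __name__ == "__main__":
    for host, indicator in triage(SAMPLE_EVENTS):
        print(host, indicator)
```

A connection with no captured payload is skipped by the port 443 check, so an empty capture is not reported as non-SSL traffic.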


Cyber Security Strategy with focus on DDoS & APT’s


Evaluate Your Cyber Security Strategy with focus on DDoS & APT’s
The Cyber Law Consulting Team (CLC) has observed cyber threats becoming more advanced as hackers seek new ways to breach information security or disrupt operations. Distributed Denial of Service (DDoS) attacks and Advanced Persistent Threats (APTs) are a big concern. Organizations must evaluate and develop their IT security controls to protect themselves from these sophisticated and unpredictable cyber-attacks.
DDoS Attacks and DoS Attacks
In a Denial of Service attack, hackers try to disrupt a website, network or machine. The goal may be solely to prevent people from connecting to the website that is being attacked, but a Distributed Denial of Service (DDoS) attack is often used to distract a business so attackers can conduct other attacks behind the scenes while the business is focused on getting its website back up. Many times, hackers conduct a DDoS test-run on an organization to see whether it is susceptible to DDoS attacks. If the hackers discover they can take down the targeted website, the hackers then return to launch a full-scale DDoS attack that could take a site down for days or weeks. Often DDoS attacks coincide with other malicious activity. For example, in the banking industry attackers may send a DDoS attack to a bank. Once the website is down and the IT team is working to get it back up and running, the cyber attackers are making unauthorized wire transfers from banking customer accounts into the attackers’ accounts overseas.
The CLC team has seen many DDoS attacks using DNS amplification techniques. This occurs when a botnet is not large enough to launch an effective cyber-attack, so botnets send out a relatively small amount of traffic to other computers that in turn send more traffic toward the actual target. For the victim, such attacks can saturate networks very easily and cripple Web servers so they can’t function. In order to combat DDoS attacks, an organization must understand how exposed it is to an attack and how well it can respond to thwart an attack. A CLC Denial-of-Service Preparedness Assessment will pinpoint how prepared an organization is to mitigate a DDoS attack.
Advanced Persistent Threats (APTs)
APT: Advanced, Persistent, Threat. An Advanced Persistent Threat refers to a group that persistently attacks a target in order to obtain an objective, which could be to obtain information or to hinder the target’s activity. Organizations should discover how well protected they are from a persistent and dedicated attacker, or cyber threat actor, who wants something from it. Consider what attackers might want such as intellectual property, commercial information, personal data and customer data. Consider the IT security controls you need to protect such data. APTs are a big threat to an organization’s intellectual property, financial assets and reputation.
CLC constantly monitors cyber threats and sees millions of information security events worldwide every day. Although malware attackers have become more sophisticated, there are several steps organizations can take to defend themselves, detect attacks and respond fully. Tactics for preparing a security strategy include the following:
  • Complete thorough staff training: educate the end user
  • Regularly assess preparedness for cyber-attacks
  • Look at what is “usual” security activity so it’s easier to spot “unusual” activity
  • Create an incident response plan just in case the worst situation happens
It’s important to frequently reassess information security strategies in light of DDoS attacks and Advanced Persistent Threats (APTs) to build expertise and implement robust defense strategies. Contact a Cyber Law Consulting Consultant

WordPress Blogging Site Vulnerabilities

WordPress Vulnerabilities
WordPress is an open-source blogging platform and content management system (CMS). Since its inception in 2003, WordPress has become widely used and is very active. It is made up of more than 200,000 lines of code (written mostly in the PHP scripting language) and is used by more than 64 million websites on the Internet. Although WordPress is considered a mature platform, regular updates address serious security vulnerabilities that may be used by an attacker targeting a WordPress site.
WordPress vulnerabilities are even more of a threat when combined with recent large-scale brute-force attacks targeting WordPress websites. These threats are important considerations if you host a website on wordpress.com or use the platform on a different host. If you use WordPress, have you taken steps to secure your installation? Basic security precautions, a strong password policy, and a regular update schedule can have multiple benefits:
  • Helps ensure your system isn’t compromised.
  • Minimizes damage if a compromise does occur.
  • Prevents your server from becoming part of a botnet used to launch further scans or attacks.
Vulnerabilities may be in WordPress core and plugins
Attackers commonly abuse third-party WordPress plugins containing vulnerabilities, as they may introduce additional security flaws into a WordPress installation. During the last weeks of April 2013, vulnerabilities affecting the WP Super Cache and W3TC WordPress plugins (related to caching and website optimization) gained attention. Successful exploitation of these critical flaws may allow an attacker to execute arbitrary PHP code on a vulnerable system. Updated versions of both plugins have been released and should be applied as soon as possible. Users should vet WordPress plugins carefully, and completely remove unwanted or unnecessary plugins.
Several exploits targeting WordPress are also included in the Metasploit exploitation framework. The existence of these exploit modules makes it easier for an unskilled attacker to launch attacks and underscores the importance of keeping WordPress up to date. Even without the use of plugins, the WordPress core has suffered from serious vulnerabilities. The following security vulnerabilities have been addressed by recent WordPress updates:
WordPress 3.5.1:
  • Server-side request forgery (SSRF) and remote port scanning via pingbacks.
  • Cross-site scripting (XSS) via shortcodes and post content.
  • Cross-site scripting (XSS) in the external library Plupload.
WordPress 3.4.2:
  • Fix unfiltered HTML capabilities in multisite.
  • Fix possible privilege escalation in the Atom Publishing Protocol endpoint.
  • Allow operations on network plugins only through the network admin.
  • Hardening: Simplify error messages when uploads fail.
  • Hardening: Validate a parameter passed to wp_get_object_terms().
WordPress 3.4.1:
  • Privilege Escalation/XSS. Critical. Administrators and editors in multisite were accidentally allowed to use unfiltered_html for 3.4.0.
  • CSRF. Additional CSRF protection in the customizer.
  • Information Disclosure: Disclosure of post contents to authors and contributors (such as private or draft posts).
  • Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information.
  • Hardening: Require a child theme to be activated with its intended parent only.
WordPress 3.3.3:
  • Cross-Site Scripting: Fix persistent XSS via editable slug fields. (Also fixed in 3.4.0.)
  • Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information. (Also fixed in 3.4.1.)
  • Hardening: Require a child theme to be activated with its intended parent only. (Also fixed in 3.4.1.)
  • Information Disclosure: Restrict some post IDs when dealing with media uploading, which could leak some info (or attach media to a post the user doesn’t have privileges to). (Also fixed in 3.4.0.)
  • Information Disclosure: Hide post excerpts when the user cannot read the whole post (e.g., a contributor can’t read someone else’s draft beyond the title). (Also fixed in 3.4.0.)
  • XSS Hardening: Escape the output of get_pagenum_link(). Note that this function was previously considered to have returned unescaped data, so this was not a vulnerability, but an enhancement. (Also fixed in 3.4.0.)
  • CSRF Hardening: Prevent unfiltered HTML in comments when there is potential for clickjacking (i.e., when the front-end of the site is loaded in a frame). (Also fixed in 3.4.0.)
WordPress 3.3.2:
  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
  • Cross-site scripting vulnerability when making URLs clickable.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.
WordPress 3.3.1:
  • Cross-site scripting (XSS).
To limit exposure to attacks, updated versions of WordPress should be tested and deployed as soon as possible. Without additional security controls, unpatched flaws may affect any WordPress site, regardless of which plugins may be installed.
Updating is important
A major WordPress version update is usually available every six months. Third-party plugins may be updated at any time. WordPress has the option to update itself automatically, but this functionality may not always work. It may fail for a variety of reasons, such as plugin or database issues. Many organizations opt out of automatic updates and manually deploy updated versions to perform additional testing. This patch and update schedule is virtually continuous and difficult to maintain, but it is necessary to maintain an acceptable level of security.
Brute-force attacks
In April 2013, a large brute-force campaign targeting WordPress websites was observed. It is reported that a botnet consisting of more than 90,000 servers is being used to scan the Internet for WordPress websites and is attempting to log in to the Administrator’s account using a list of commonly used passwords. Servers using simple passwords such as “123456” or “qwerty” would quickly fall victim to this attack. If an attacker successfully logs in, a backdoor is installed for future use. Compromised websites may then be used for other activities, such as scanning for more WordPress sites and participating in distributed denial of service (DDoS) attacks.
To protect against brute force attacks, use long passwords that include a combination of uppercase and lowercase characters as well as symbols (#$%^&@), and rename the Administrator’s account to something other than “admin”. By default, WordPress does not limit incorrect logins, which allows an attacker to make a large number of attempts in rapid succession. This ability increases the odds that an attacker will correctly guess the password. Several WordPress plugins limit the number of login attempts, but plugins themselves generally increase the attack surface an attacker has at his or her disposal, and may inadvertently allow access via other means.
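Because the campaign described above comes from a large botnet, a per-address threshold alone can miss it, so a log check should also count distinct sources failing against the login page. The following is an added example, not part of the original post: it assumes a combined-format web server access log and WordPress's default behaviour of answering a failed login POST with status 200 and a successful one with a 302 redirect, and the sample log lines, thresholds and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_login_posts(lines):
    """Yield (timestamp, ip, status) for POST requests to wp-login.php."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["ip"], int(m["status"])


def analyze(lines, window=timedelta(minutes=5), per_ip_limit=5, distinct_ip_limit=4):
    """Summarize brute-force signals in wp-login.php traffic."""
    events = sorted(parse_login_posts(lines))
    # Assumption: status 200 on a login POST means the login form was
    # shown again (failed attempt); 302 means a successful login redirect.
    failures = [(ts, ip) for ts, ip, status in events if status == 200]

    noisy, peak_sources, start = set(), 0, 0
    for end, (ts, ip) in enumerate(failures):
        while failures[start][0] < ts - window:
            start += 1
        in_window = [src for _, src in failures[start:end + 1]]
        if in_window.count(ip) >= per_ip_limit:
            noisy.add(ip)                       # one address hammering the form
        peak_sources = max(peak_sources, len(set(in_window)))

    failed_before, success_after_failure = set(), set()
    for _, ip, status in events:
        if status == 200:
            failed_before.add(ip)
        elif status == 302 and ip in failed_before:
            success_after_failure.add(ip)       # guessed password: review account

    return {
        "noisy_ips": sorted(noisy),
        "peak_distinct_sources": peak_sources,
        "distributed": peak_sources >= distinct_ip_limit,
        "success_after_failure": sorted(success_after_failure),
    }


def sample_line(ip, clock, method, path, status):
    """Build one constructed combined-log-format line."""
    return (f'{ip} - - [11/Apr/2013:{clock} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "constructed-agent"')


# Constructed sample log: one noisy source, five low-rate sources, one normal login.
SAMPLE_LOG = (
    [sample_line("203.0.113.10", f"10:00:{s:02d}", "POST", "/wp-login.php", 200)
     for s in range(0, 60, 10)]
    + [sample_line("203.0.113.10", "10:01:00", "POST", "/wp-login.php", 302)]
    + [sample_line(f"198.51.100.{n}", f"10:02:{n * 10:02d}", "POST", "/wp-login.php", 200)
       for n in range(1, 6)]
    + [sample_line("192.0.2.7", "11:00:00", "GET", "/wp-login.php", 200),
       sample_line("192.0.2.7", "11:00:05", "POST", "/wp-login.php", 302),
       sample_line("192.0.2.8", "11:00:09", "POST", "/index.php", 200)]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In the sample, the five addresses that each fail once stay under the per-address limit and only show up through the distinct-source count.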
WordPress users should follow the steps outlined in the Hardening WordPress guide for additional protections. Securing access to /wp-admin/ (Administrator’s login area), using alternate database prefixes, securing wp-config.php and disabling file editing are recommended to mitigate effects of a potential attack.

Many hosting providers may supply customers with pre-installed versions of WordPress or similar software, which can quickly become outdated. Given the potential for harm in using outdated software, look for WordPress exploits to become more of an issue in the future, especially for shared hosting providers.

Saturday, February 1, 2014

CYBER CRIME STATISTICS FOR 2013 & 2020

Every second at least 12 internet users in the world fall victim to cyber criminals, and the number keeps increasing every year, it has been revealed. A surge in viruses targeting mobile apps is a new disturbing trend in cyber-attacks.
A significant number of attacks – 19 percent – target financial assets, while the number of cybercrimes organized with the purpose of mere mischief-making is now extremely low.

According to one of the recent surveys by computer security firm Kaspersky Labs and B2B International, 62 percent of respondents had at least one incident of cybercriminals attempting to steal financial information. 
The convenience of online shopping and banking services is among the major risk factors for end users.

According to experts at RSA security, cybercrime continues to improve its techniques and the way it organizes and targets victims. The RSA Anti-Fraud Command Center (AFCC) has developed the following list of the top cybercrime trends it expects to see evolve:

  • As the world goes mobile, cybercrime will follow
  • The privatization of banking, trojans and other malware
  • Hacktivism and the ever-targeted enterprise
  • Account takeover and increased use of manually-assisted cyber attacks
  • Cybercriminals will leverage Big Data principles to increase the effectiveness of attacks
Cybercrime activities are globally diffused, financially-driven acts. Such computer-related fraud is prevalent, and makes up around one third of acts around the world.
Another conspicuous portion of cybercrime acts are represented by computer content, including child pornography, content related to terrorism offenses, and piracy. Another significant portion of crime relates to acts against confidentiality, integrity and accessibility of computer systems. That includes illegal access to a computer system, which accounts for another one third of all acts.
The McAfee security firm estimated that cybercrime and cyber espionage are costing the US economy $100 billion per year, and the global impact is nearly $300 billion annually. Considering that the World Bank estimated that global GDP was about $70,000 billion in 2011, the overall impact of cybercrime is 0.04 percent of global income, an amazing figure.
Cyber criminals are improving ways to be non-traceable and to be more resistant in their malicious structures to take down operations by law enforcement. Hackers are improving their infrastructure, for example adopting peer-to-peer protocols, or hiding command and control infrastructures in anonymizing environments, such as the Tor Network.
What’s the end user impact of cybercrime? What’s the perception of the risks related to principal cyber threats?
The Symantec security firm has just released the 2013 Norton Report, the annual research study which examines the consumers’ online behaviors, the dangers and financial cost of cyber crime.
Also, their data confirms the concerning results of other analysis. Cyber criminal activities and related profit are in constant growth, the cost per cybercrime victim is up 50 percent, and the global price tag of consumer cyber crime is $113 billion annually. That’s a result of the concerns security analysts consider. It also affects the actual global economic scenario and the difficulties faced by enterprises.
This data was reported in the Norton Report, a document considered one of the world’s “largest consumer cyber crime studies, based on self-reported experiences of more than 13,000 adults across 24 countries, aimed at understanding how cybercrime affects consumers, and how the adoption and evolution of new technologies impacts consumers’ security.”

CYBER CRIME SCENARIO BY 2020

What will the cybercrime landscape look like in 2020? It’s difficult to predict the evolution of such a complex ecosystem. Technologies evolve at impressive speed, and with them, opportunities for cyber crime.
The European Cybercrime Centre (EC3) at Europol, and the International Cyber Security Protection Alliance (ICSPA) presented in a study titled Project 2020: Scenarios for the Future of Cybercrime – White Paper for Decision Makers, an overall predictable scenario of cyber crime in 2020. They evaluated a scenario under three different perspectives, from an individual, company and government point of view.
The document proposed worst-case scenarios, highlighting:
  • Increased abuse of cloud infrastructures. Cyber criminals will increase the use of cloud technology to launch DDoS attacks, or host botnets. Underground market offerings will mature to support cyber gangs in the organization of sophisticated cyber attacks.
  • It will be very difficult to distinguish between legal and illegal activity.
  • Data protection is already a challenge in relation to the internet. The future reality of large scale Radio Frequency Identification (RFID) deployment, global sensor proliferation, aggregation of data and highly personalized, augmented services will require the legal frameworks for privacy and security to further adapt.
  • Increased need for identity protection due to the enlargement of individuals’ online experiences.
  • Regarding privacy, as governments establish more privacy laws, the risk of incompatibility between countries increases, creating more roadblocks for responding to cyber crime.
  • The heterogeneous legal framework will allow criminals to choose optimal target countries for illegal activities, and the best sources to engage attacks.
  • A lack of unity in internet governance means a lack of unity in cyber security. Regardless of the precise number of governance authorities operating in 2020, there’ll need to be broad consensus on standards, to ensure interoperability of emerging internet mediated technologies, including augmented reality and “the Internet of Things.”
  • A consolidation of user encryption management to avoid surveillance activities operated by governments could give cyber criminals an advantage.
  • Threats will continue to blur the distinction between cyber and physical attacks (such as human implants, SCADA systems, etc.) Virtual reality technologies may lead to psychological attacks.
  • Conventional thinking of protected and absolute control of intellectual property may lead to conditional control, as some governments may become dovish in responding to the increasingly prevalent (legal and illegal) access to IP. (However unlikely governments are to shift traditional thinking, they may enact policies that move with the punches of an increasing risk of IP theft, rather than put up a fight.)
  • Data protection tools and laws will have to meet the increasing accessibility and proliferation of data.
The principal threats related to cyber crime activities could be grouped into the following categories:
  • Intrusion for monetary or other benefits
  • Interception for espionage
  • Manipulation of information or networks
  • Data destruction
  • Misuse of processing power
  • Counterfeit items
  • Evasion tools and techniques
In the next year, almost all these cyber menaces will continue to concern authorities. The principal losses will be attributable to cyber espionage and sabotage activities. SMBs will be most impacted by cyber crime. That’s why it’s necessary that cyber strategies of governments include a series of mitigation countermeasures for principal cyber threats. Critical infrastructure and defense systems will represent privileged targets for cyber criminals and state sponsored hackers. The two categories of attackers will be difficult to distinguish in chaotic cyberspace.
“Evolved threats to critical infrastructure and human implants will increasingly blur the distinction between cyber and physical attack, resulting in offline destruction and physical injury.”
I predict that attacks on satellites in space, or infecting them, and worms infecting devices used in the human body, and a new breed of doctors fixing infections in devices fitted in the human body, called "Cyber Doctors", would evolve.

FIR : All you want to know about in a criminal case

FIR - What is?  The first information report is a report giving information of the commission of a cognizable crime,  which may be made by t...