Tag Archives: malware

Flame and the DEB93D trail

In the last few weeks there has been a lot of noise about what looks like the latest state-sponsored malware, Flame. You can find a lot of information about it from Kaspersky and also from the CrySyS lab, which seems to have done a parallel investigation and calls it by a different name (sKyWIper).

This malware is quite interesting for several reasons:
1) It seems to focus on stealing information rather than being directly disruptive.
2) It has been active for 5+ years and has remained undetected until now.
3) It has an option to delete itself, but in doing so leaves one file behind: ~DEB93D.tmp.
4) It is modular and has been used to intercept Windows Update calls using fake certificates. (Microsoft released more information here)

There are many more interesting aspects of this malware, such as its use of the Lua programming language, its looking like a state-sponsored cyberweapon, etc., but I find the 4 mentioned above the most interesting right now.

First, its aim appears to be stealing information. Data collected so far indicates that it spread mostly in Middle Eastern countries and was acting as a sophisticated discovery tool. In fact, what I read made me think of certain discovery modules you can find in commercial Data Leakage Prevention (DLP) software, where you want to discover certain types of information in a very high volume of data using keywords, patterns, formulas, etc. I wonder if the companies that are analysing this malware will look at how similar (or not!) the algorithms it uses are to those of DLP solutions. Also, what I learnt from those discovery tools is that you get a lot of false positives, and it takes a lot of manpower and time to get through them before getting any value out of it.
I therefore suspect there is a team of “data analysts” also working alongside whoever is coding, supporting, providing network expertise, etc.

This brings me to the second point of interest related to this malware, its longevity, and especially how long it lived undetected. 5+ years is a very long time for a piece of software that scans your computer and sends some data back “home”. With technology such as IDS, HIPS and port scanners, you should be able to detect it.
So, understanding why it was not detected sooner would be of great value in protecting against similar malware in the future. My guess is that it was not detected because it was targeted malware, mainly installing itself on some computers of interest (either by location or maybe based on some other intelligence). If it had tried to install itself on every computer on the planet it would have been detected much earlier. It also does not appear to try to install other common backdoors, which could have given the malware away during a standard vulnerability scan. There is still the question of the network traffic; I am amazed this was not spotted, but then again it may be tunnelling its network data as well as using some kind of threshold limiter to hide itself.

Another odd behaviour is the delete or kill module, which appears to remove every sign of the malware's presence apart from one file, ~DEB93D.tmp. Why would it do that? Why would a piece of malware that appears so sophisticated implement a delete function that leaves a file behind, making it easier to find out whether a computer had been infected in the past? Could it be a bug, or the result of some other complex deletion process that requires a file to be left at the end (I don’t know of any)? In any case, it looks to me like an odd type of signature worth investigating.
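As an added defender-side example (not code from the original post), here is a small scan for the ~DEB93D.tmp artifact discussed above, so a host can be checked for signs of a past infection; the directory list and the sample tree it builds are constructed assumptions, not the paths the malware actually uses.

```python
# Added example, not from the original post: hunt for the ~DEB93D.tmp file that
# Flame's self-delete routine is reported to leave behind. The roots passed in
# and the sample tree built by make_sample_tree() are constructed assumptions.
import os
import tempfile
from datetime import datetime, timezone

ARTIFACT_NAME = "~deb93d.tmp"  # Windows file names are case-insensitive, so compare lowercased


def find_flame_artifacts(roots):
    """Walk each root directory; return [(path, size_bytes, mtime_utc_iso)] for every match.

    The modification time is reported because it is the only clue the leftover
    file gives about when the cleanup routine ran.
    """
    hits = []
    for root in roots:
        if not os.path.isdir(root):
            continue  # skip roots that do not exist on this host
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != ARTIFACT_NAME:
                    continue
                full = os.path.join(dirpath, name)
                st = os.stat(full)
                mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                hits.append((full, st.st_size, mtime.isoformat()))
    return hits


def make_sample_tree():
    """Build a constructed temp tree: one artifact plus a decoy with a similar name."""
    base = tempfile.mkdtemp(prefix="deb93d_demo_")
    os.makedirs(os.path.join(base, "Temp"))
    with open(os.path.join(base, "Temp", "~DEB93D.tmp"), "wb") as f:
        f.write(b"\x00" * 16)  # constructed content; the real file's content is not known here
    with open(os.path.join(base, "Temp", "~DEB93D.txt"), "wb") as f:
        f.write(b"decoy")  # must NOT be reported: different extension
    return base


if __name__ == "__main__":
    # On a real Windows host you would pass the system and per-user temp directories instead.
    for path, size, mtime in find_flame_artifacts([make_sample_tree()]):
        print(f"possible past Flame infection: {path} ({size} bytes, modified {mtime})")
```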

The final point of interest I mentioned concerns recently discovered functionality in the malware modules. The fact that it was able to mount a man-in-the-middle attack against Windows Update indicates it could have been used for more than just discovery of information: to keep a targeted computer either exposed to unpatched security vulnerabilities or loaded with further backdoors/payloads.
It also shows we haven’t heard the end of what this malware was capable of.

After many years of speculation that cyberwarfare could be more than just a subject for books and movies, these recent events make it very real and indicate that it in fact started quite some time ago. It begs a question though: in every war there is collateral damage, and in this war the population is everyone and everything connected to the Internet: your computer, mine, hospitals, TVs, cars, etc.
How long before we see one of these sophisticated pieces of malware miss its targets/countries/enemies and create havoc!? Would that also be labelled “friendly fire”?

Turning point for Apple product security

There has recently been an increase in blackhat attention to Apple products.
It would seem that what has been predicted for some time is about to be tested:
that one of the main reasons Mac/OSX has been more secure than Windows is that it did not get the same attention from hackers.

This had to happen, and I believe that the time is right.
Indeed, Apple products are gaining more and more market share, and their hippy/cool image is being eroded by both their very strict view of the world and exponential user-base growth.
(On a non-security-related note, one could wonder how long Apple can be seen as different/cool if everyone has their products!)

This gives hackers every reason to turn their attention to Mac OSX and iOS.
Recently a fake anti-virus software for Mac was discussed on the excellent Intego blog and many other sites.

And a few days ago it was discovered (as expected) that the defences Apple brought in to fight back are not really working; furthermore, it has also started to change its name, as its latest iteration is now called Mac Shield.

Another sign of increased hacking activity is the availability, for the first time, of a hacking framework being sold on closed underground forums, the Weyland-Yutani BOT.
It allows users to inject payloads through Firefox exploits on Mac, but there is already a plan to extend the scope of that framework to target iOS devices and Chrome/Safari as well.

This is certainly not good news for Apple customers, but it will be interesting to see how this develops from now on and whether Apple’s claim that their OS is more secure than the competition is proven true… or not!

My prediction? It isn’t true, and we should be seeing many more damaging security breach/issue stories related to Apple products this year.

The inevitable rise of malware on mobile devices

Although it has been announced for quite some time that malware is growing on the mobile market, it is still not very visible.

That does not mean it isn’t already here or will be.

Below is an interesting article about a mobile developer who was contacted by a company that wanted to pay him some money as long as he included some of their “code” in his popular game.
It was in fact malware: it could directly call premium numbers without user intervention, or even eavesdrop on the microphone.
It has a happy ending, as the developer decided against using that code and instead warned others. But for one good deed, how many have fallen or will fall for the money?

Websense Article on the White Hat Developer

Now the question is: would this be possible on the iPhone with the App Store?

DarkReading was already warning about the increase in the smartphone malware threat in June 2010, here.
And recently McAfee apparently saw a 46% rise in malware in 2010 compared to 2009, as Reuters stated in their article here.