Microsoft’s Terry Zink sums up his “20 minutes of research” on Duqu:
On page 18 of that report, they list similarities between Stuxnet and Duqu. But how many generic pieces of malware have those same similarities as Stuxnet? Is this just an example of the Barnum effect (like that one South Park episode where Stan Marsh talked to the dead and John Edward won the BDIU award)? For all I know, half the malware out there can be classified as similar to Stuxnet.
…
Are Stuxnet and Duqu related? I don’t know.
Symantec calls the malware “The precursor to the next Stuxnet”. Good malware analysis marketing.
Duqu’s purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.
Chaos Computer Club published an analysis and the binaries of the German lawful interception malware intended to intercept computer-based phone calls.
They discovered some unlawful feature bloat, potentially turning the legal eavesdropping malware into an extra-legal full-blown surveillance tool:
The government malware can, unchecked by a judge, load extensions by remote control, to use the trojan for other functions, including but not limited to eavesdropping. (…) [I]t is possible to watch screenshots of the web browser on the infected PC – including private notices, emails or texts in web based cloud services.
As so often with malware out there, communication between the malware and the command layer is poorly designed and leaves opportunities for third parties to take over the malware.
The analysis also revealed serious security holes that the trojan is tearing into infected systems. The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected.
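The quoted finding, unencrypted and unauthenticated commands, is exactly what lets a third party on the path take over an implant. The following is an added illustration, not the analysed trojan’s protocol or the CCC’s code: a constructed command channel in its weak form (any well-formed message is obeyed) beside a hardened form that authenticates each message with HMAC-SHA256 over a monotonic sequence number, so forged, tampered and replayed commands are rejected. The message format, the JSON commands, the per-implant key and the `Endpoint` class are assumptions made for the example; confidentiality (encryption) is a separate concern that this block does not address.

```python
import hashlib
import hmac
import json
import struct

# --- Weak design (what the quote describes): plaintext, no authentication ----
def weak_parse_command(raw: bytes) -> dict:
    """Implant side of an unauthenticated channel: anyone who can write to the
    socket can issue commands; nothing ties a message to the real controller."""
    return json.loads(raw.decode())

# --- Hardened design: keyed MAC plus monotonic sequence number ---------------
TAG_LEN = 32  # HMAC-SHA256 digest length
SEQ_LEN = 8   # big-endian uint64 sequence number

class Endpoint:
    """One side of a command channel (controller or implant). Both sides hold
    the same per-implant secret, assumed to be provisioned out of band."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_send = 0    # sequence number for our next outgoing message
        self.last_recv = -1   # highest sequence number accepted so far

    def pack(self, message: dict) -> bytes:
        body = struct.pack(">Q", self.next_send) + json.dumps(message, sort_keys=True).encode()
        self.next_send += 1
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag

    def unpack(self, raw: bytes) -> dict:
        if len(raw) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated message")
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")  # forged or tampered
        seq = struct.unpack(">Q", body[:SEQ_LEN])[0]
        if seq <= self.last_recv:
            raise ValueError("replayed message")
        self.last_recv = seq
        return json.loads(body[SEQ_LEN:].decode())

def _rejected(ep: Endpoint, raw: bytes) -> bool:
    """True if the endpoint refuses the message."""
    try:
        ep.unpack(raw)
        return False
    except ValueError:
        return True

def run_demo() -> dict:
    """Constructed scenario: a legitimate controller, the implant, and a third
    party on the path who can inject, alter and replay traffic."""
    key = bytes(range(32))  # constructed demo key, not a real secret
    controller, implant = Endpoint(key), Endpoint(key)
    results = {}

    # 1. Weak channel: the third party's injected command is simply obeyed.
    injected = b'{"cmd": "load_extension", "url": "http://third-party.invalid/x"}'
    results["weak_accepts_injection"] = weak_parse_command(injected)["cmd"] == "load_extension"

    # 2. Hardened channel: a legitimate command is accepted once ...
    msg = controller.pack({"cmd": "screenshot"})
    results["legit_accepted"] = implant.unpack(msg) == {"cmd": "screenshot"}
    # ... and a captured copy replayed later is refused.
    results["replay_rejected"] = _rejected(implant, msg)

    # 3. A message forged under a guessed key fails the MAC check.
    forged = Endpoint(b"\x00" * 32).pack({"cmd": "load_extension"})
    results["forgery_rejected"] = _rejected(implant, forged)

    # 4. A genuine message with its command text altered in transit fails too.
    good = controller.pack({"cmd": "sleep"})
    tampered = good.replace(b"sleep", b"shell")
    results["tamper_rejected"] = _rejected(implant, tampered)
    return results

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The MAC is checked before the sequence number so that an attacker cannot probe the replay window without the key, and `hmac.compare_digest` avoids a timing side channel on the tag comparison. A real design would also encrypt the payload (an AEAD such as AES-GCM gives both properties at once) and use a fresh key per implant, so that compromising one infected host does not let anyone command the others.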
CCC’s 20-page analysis concludes (translated, orig. German):
“We are highly delighted that no apt expert could be won over for this morally questionable operation…”
Merkel might want to ask Putin next time.
—
FAZ, “Der deutsche Staatstrojaner wurde geknackt”
CCC, “Analyse einer Regierungs-Malware”
Frank Rieger, FAZ, “Anatomie eines digitalen Ungeziefers“
Microsoft’s Trustworthy Computing product manager, Tim Rains, observed that a number of countries had been doing particularly well in Microsoft’s annual Security Intelligence Report. So they asked their local teams for potential reasons behind the stats.
Answer from Austria by Leon Aaron Kaplan, CERT.at:
“We believe the low piracy rate, combined with a generally strict IT security enforcement of ISPs and the fact that updates are quickly installed due to fast Internet lines (broadband, cable connection) forms a basis for the generally low infection score in Austria.”
Answer from Finland by Erka Koivunen, CERT.fi: skills and tools, admin culture, regulatory environment. On regulation:
There are clear and pragmatic provisions in Finnish legislation granting network admins the right (and at times an obligation) to defend their networks and interconnected IT systems against breaches of technical information security…. The rules start with administrative engagement: appointing responsible network security admins and the so-called abuse helpdesks to handle complaints is mandatory. The more technical stuff includes provisions such as exercising what we call “address hygiene” in core networks (e.g., filtering spoofed and source-routed packets) and restricting broadband subscribers’ ability to send spam or participate in denial-of-service attacks. There is also a requirement for ISPs to inform their subscribers about the possible dangers of the Internet and ways to mitigate them. As a side effect, this has greatly boosted the purchase of security software by private consumers.
Microsoft’s local Chief Security Advisor in Finland adds: a community of peers in the public and private sectors, and educated users.
Lessons from Germany and Japan.
Summing up:
1. There exist strong public-private partnerships that enable proactive and response capabilities
2. CERTs, ISPs and others actively monitoring for threats in the region enable rapid response to emerging threats
3. An IT culture where system administrators respond rapidly to reports of system infections or abuse is helpful
4. Enforcement policies and active remediation of threats via quarantining infected systems on networks in the region are effective
5. Regional education campaigns and media attention that help improve the public’s awareness of security issues can pay dividends
6. Low software piracy rates and widespread usage of Windows Update/Microsoft Update has helped keep infection rates relatively low
Cleaning my RSS feed inboxes, I found this little gem called “The Reign of Zeus”, written back in May, ages ago on the internet security time scale, by Anup Ghosh:
Zeus is a game changer virus for the financial services industry, and perhaps its most pernicious computer-related threat. It specifically targets banking information by users and will defeat strong multi-factor authentication (MFA) methods used by banks including hardware tokens with one-time random passwords. A recent breakthrough in spreading Zeus via PDF files threatens to further the spread of Zeus.
Zeus is an example of the sophisticated crimeware now available to crime syndicates that are focused on illicit financial gains by capturing banking credentials. The toolkit is available for sale in underground markets and the Zeus author has even implemented sophisticated hardware licensing schemes to prevent piracy.
Not sure whether the “DRM is bad for the customer” mantra applies here.
Threat Level has an update on spear-phishing, based on data issued in Symantec’s MessageLabs Intelligence reports.