Threat Weekly – A Situational Awareness Report from our
Technical Security Team
Volume 2, Issue 12 – 22 March 2012
ThreatCon 2: Heightened
Proof of Concept code and a Metasploit
module have been released for the Remote Desktop vulnerability
identified by Microsoft earlier this month. A patch was
TOP OF THE NEWS
Symantec warns of 64-bit Windows Trojans
Symantec has warned of a new Windows
7 Trojan that can elevate the privileges of any restricted process
to administrator level, without the user's permission or knowledge.
The latest fully patched versions of Windows 7 are vulnerable to
backdoor.Conpee Trojan, warned Mircea Ciubotariu, a security
response engineer at Symantec, on a company blog.
The new Trojan targets both 32-bit
and 64-bit versions of Windows 7, adding to the growing weight of
evidence that malware writers are redesigning their software to
bypass security features in 64-bit Windows, said Ciubotariu. The
64-bit version of Windows 7 and Vista included Kernel Mode Code
Signing and Kernel Patch Protection, that were intended to make
them less vulnerable to malware.
But backdoor.Conpee and the
recently-discovered Backdoor.Hackersdoor Trojan have both been
shown to infect 64-bit operating systems, said Ciubotariu. “What
was just a theory not so long ago is now being used in-the-wild by
[these] threats,” he warned.
The Hackersdoor Trojan is able to
bypass the driver signing system used in 64-bit Windows using
stolen certificates. Symantec first detected this type of infection
in December 2011, and while the number of infections seen in the
wild since then have been modest, it appears the malware writers
have been using it as a test case, added Ciubotariu.
“It proves, once again, the length
malware creators will go to achieve their goals,” he said.
Credit Card Info Stolen From Stratfor Site Used in US
$700,000 of Fraudulent Charges
When the Antisec branch of Anonymous hacked into
security think tank Strategic Forecasting, or Stratfor, at the end
of December, one of its claims was the theft 200GB worth of data,
including e-mails and clients' credit card information. Days after
the hack, the group published 860,000 e-mail addresses and 75,000
unencrypted credit card numbers on the Web.
Now, the FBI's Milan Patel says that between
December 6, 2011, and February 2012, "at least $700,000 worth of
unauthorized charges were made to credit card accounts that were
among those stolen during the Stratfor Hack," according to Internet
security news site Security Week. Stratfor's list of clients whose
information was allegedly compromised in the hack includes the U.S.
Army, U.S. Air Force, Department of Defense, Lockheed Martin, and
Bank of America.
Patel said that the $700,000 figure "does not
reflect any of the charges that may have been incurred on cards
associated with the Stratfor Hack for which records have not yet
This information was made available during this
week's court case for Jeremy Hammond--one of the alleged hackers
arrested last week by the FBI for the Stratfor attack. According to
Security Week, Hammond is being charged with one count of computer
hacking conspiracy, one count of computer hacking, and one count of
conspiracy to commit access device fraud. Each of these counts
carries a maximum sentence of 10 years in prison.
Along with the money lost from stolen credit
cards, Security Week reports that Stratfor is claiming another $2
million in losses that it had to pay for recovery, lost business
claims, and monitoring to protect its clients who had their credit
card details exposed.
Pentagon is Fast Tracking Cyber Weaponry
The Pentagon is accelerating efforts to develop
a new generation of cyberweapons capable of disrupting enemy
military networks even when those networks are not connected to the
Internet, according to current and former U.S. officials. The
possibility of a confrontation with Iran or Syria has highlighted
for American military planners the value of cyberweapons that can
be used against an enemy whose most important targets, such as air
defence systems, do not rely on Internet-based networks. But
adapting such cyberweapons can take months or even years of arduous
When U.S. military planners were looking for
ways to disable Libya’s air defence system before NATO’s aerial
attacks last year, they discussed using cybertechnology. But the
idea was quickly dismissed because no effective option was
available, said current and former U.S. officials. They estimated
that crafting a cyberweapon would have taken about a year,
including the time needed to assess the target system for
“We weren’t ready to do that in Libya,” said a
former U.S. official, who spoke on the condition of anonymity
because of the sensitivity of the discussions. “We’re not ready to
do that now, either.”
Last year, to speed up the development of
cyberweapons, as well as defensive technology, then-Deputy Defense
Secretary William J. Lynn III and Marine Corps Gen. James
Cartwright, then vice chairman of the Joint Chiefs of Staff, placed
$500 million over five years into the budget of the Defense
Advanced Research Projects Agency, one of the Defense Department’s
premier research organizations. The agency also has launched new
cyber-development initiatives, including a “fast-track”
“We need cyber options that can be executed at
the speed, scale and pace” of other military weapons, Kaigham J.
Gabriel, DARPA deputy director, said in testimony last month to
More on this story at:
UK Man Charged for Allegedly Launching Cyber Attacks on CIA
An alleged member of hacker group LulzSec
appeared in a London court on Friday charged with conspiracy over
cyber-attacks against websites maintained by the CIA and the UK's
Serious Organised Crime Agency. Ryan Ackroyd, 25, of Oak Road,
Mexborough, Doncaster, is also charged with breaking into systems
maintained by the NHS and Sun newspaper publisher News
International, the BBC reports.
At a hearing at Westminster Magistrates' Court,
district judge Howard Riddle granted Ackroyd, who spoke only to
confirm his name and address and did not enter a plea, bail pending
a case management hearing before Southwark Crown Court on 11 May.
Unemployed Ackroyd is accused of conspiring with Jake Davis, 18,
Ryan Cleary, 19, and a 17-year-old lad to launch a string of
denial-of-service attacks against websites between 1 February and
30 September 2011.
Bail conditions imposed on Ackroyd ban him from
accessing the internet, The Guardian reports. Ackroyd, who is
accused of using the hacker label Kayla, also faces allegations in
the US that he participated in hacks against the Fox Broadcasting
Company, Sony Pictures Entertainment, and the Public Broadcasting
Anonymous revives LulzSec for new campaign of hacks and
With the arrest of its members and the
revelation that its leader was an FBI informant, one might have
thought that LulzSec would fade into history. Apparently not. A
YouTube video posted at the weekend has announced that LulzSec will
return. On April 1st the group will be back, and attack
corporations and governments, promising "epic operations and
The LulzSec video downplays the arrests and
insists that LulzSec remains a going concern. "Several days ago we
decided to swiftly bring back our humble hacking group and set sail
towards the Interwebz once again, much to the dismay of corrupt
governments and corporations across the planet," proclaims the
video's computer-generated voice. "It's ridiculous to believe that
by arresting the six prime members of LulzSec that you've stopped
us. You haven't stopped us, you have merely disrupted the active
The new LulzSec targets are as broad and
varied as the old LulzSec targets: "Lulzsec will start targeting
governments, corporations, agencies, and quite possibly the people
watching this video." The motivation is similarly nonspecific: "We
are here for the lulz, the fame, the anarchy, and the people."
An Anonymous Web site linked LulzSec's return
to "Project Mayhem," a new operation with a long and rambling
manifesto that seeks to use hacks and artwork to subvert or
undermine governments and corporations and create social change. On
December 21st of this year, Project Mayhem will, apparently,
provoke a global financial meltdown through a series of bank runs.
Critical infrastructure will also be attacked. A Web site related
to the project cites George Orwell and implies that the Proles will
rise up on this date.
More on this story at:
Cybercops traced Toulouse massacre suspect through IP
The IP address of a computer used to view a
motorbike sales ad posted by an early victim of the Toulouse gunman
played a vital role in narrowing down Mohamed Merah as the main
suspect in a series of attacks that have horrified France, it has
French soldier Imad Ibn-Ziaten posted a video
of the motorbike he wanted to sell online. The paratrooper was
killed on 11 March after he invited someone who posed as a
prospective buyer to his house.
Le Monde reports that the ad was viewed by
about 500 people. Cyber police narrowed down the list of likely
suspects to those who lived in and around Toulouse in south-west
France. This search was intensified after Ibn-Ziaten's
assassination was linked to the slaughter of three children and a
rabbi at a Jewish school in Toulouse on Monday, 19 March.
In addition, Le Monde added, a motorcycle
dealer had reported a suspicious conversation with someone who
wanted to know whether it was possible to remove an anti-theft
tracking device from a Yamaha scooter just days before the vehicle
was stolen on 6 March and before the first attacks against French
soldiers. The twin strands of evidence allowed police to compile a
shortlist of suspects.
Merah was already under surveillance by
French authorities and the use of an IP address, which was linked
to his brother's house, to view Ibn-Ziaten's motorcycle video made
him a prime suspect in the case.
In the early hours of Wednesday a French
anti-terrorist unit surrounded a block of flats where the
reportedly heavily armed Mohamed Merah lived, leading to a siege
that ended after police stormed his flat on Thursday morning. Merah
jumped out of a window while firing back at cops and was
subsequently found dead on the ground. It is as yet unclear whether
the fall or police snipers killed him.
During the firefight, Merah reportedly
proclaimed allegiance to al Qaida and admitted responsibility for
shooting dead of three French soldiers in two ambushes last week as
well as the attack on the Jewish school.
THE REST OF THE WEEK’S NEWS
New Attack Dupes Carriers To Defeat Out-Of-Band
Authentication Of Bank Customers
Among the most recent, reported by Trusteer,
a Boston-based provider of secure web access services, are two
online banking fraud schemes designed to defeat the
one-time-password (OTP) authorization systems used by many banks.
According to Trusteer, these new threats go a step beyond earlier
attacks in which criminals would change a victim's phone number to
redirect OTPs to them.
DuQu Framework Language Identified as Object Oriented
"In these new scams, the criminals are
stealing the actual mobile device SIM (subscriber identity module)
card," the company said. The first kind of attack uses the Gozi
Trojan to steal IMEI (international mobile equipment identity)
numbers from online bank account holders when they log in.
"Once they have the IMEI number, the
criminals contact the victim's wireless service provider, report
the mobile device as lost or stolen, and request a new SIM card.
With this new SIM card, all OTPs intended for the victim's phone
are sent to the fraudster-controlled device," Trusteer said.
Oren Kedem, director of product marketing for
Trusteer, said the Gozi attacks are mainly in the U.S. and that,
"the level of infection is quite significant," even though the
damage is not yet extensive. "What's happening right now is that
fraudsters are sitting on pile of information but not using it yet.
Now we have to go through the process. I'm sure they are looking
for the high-value customers first, so we expect to see a long tale
of woe," he said.
The second type of attack, which Kedem said
appears to be focused more in Europe, starts with a Man in the
Browser (MitB) or phishing attack to obtain the victim's bank
account details, including credentials, name, phone number, etc.
Trusteer says the criminal then goes to the local police station
and uses that stolen personal information to get a police report
that lists the mobile device as lost or stolen. He then calls the
victim to and says his mobile phone service will be interrupted for
the next 12 hours.
The criminal then presents the police report
at one of the wireless service provider's retail outlets. The SIM
card reported as lost or stolen is deactivated by the mobile
network operator, and the criminal gets a new SIM card that
receives all incoming calls and OTPs sent to the victim's phone
Trusteer says accounts protected by OTP
systems typically have higher transfer limits and are less
scrutinized. They are therefore more lucrative. Kedem says the best
way to defeat either threat is to be protected and be aware.
"The best practice requires three steps," he
says. "First is to have security software from the bank itself that
is designed to fight financial fraud. Second, don't play along with
any change you see in the bank's web site that is asking for
information it hasn't asked you for previously. Call the bank and
ask about it." Finally, he says, is the warning that is standard
for online transactions of any kind: Be suspicious of any
unsolicited call asking for personal information.
Kedem said it is not clear where the attacks
are originating, but said it appears to be from the U.S. or Europe.
Trusteer discovered the MitB attack on an underground forum. "The
blog was written in English -- and not even broken English," he
A group of researchers who recently asked the
public for help in figuring out a mysterious language used in the
DuQu virus have solved the puzzle, thanks to crowdsourcing help
from programmers who wrote in to offer suggestions and clues. The
language, which DuQu used to communicate with command-and-control
servers, turns out to be a special type of C code compiled with the
Microsoft Visual Studio Compiler 2008.
Researchers at Kaspersky Lab, who put out the
call for help two weeks ago after failing to figure out the
language on their own, said they received more than 200 comments to
a blog post they wrote seeking help, and more than 60 direct emails
from programmers and others who made suggestions.
DuQu, an espionage tool that followed in the
wake of the infamous Stuxnet code, had been analysed extensively
since its discovery last year. But one part of the code remained a
mystery – an essential component of the malware that communicates
with command-and-control servers and has the ability to download
additional payload modules and execute them on infected machines.
Kaspersky researchers were unable to determine the language in
which the communication module was written and published a blog
post asking programmers for help. Identification of the language
would help them build a profile of DuQu’s authors.
While other parts of DuQu were written in the
C++ programming language and were compiled with Microsoft’s Visual
C++ 2008, this part was not. Kaspersky also ruled out Objective C,
Java, Python, Ada, Lua or many other languages they knew.
Most commenters who wrote in response to
Kaspersky’s plea thought the code was a variant of LISP, but the
reader who led them in the right direction was a commenter who
identified himself as Igor Skochinsky and wrote in a thread posted
to Reddit.com that he was certain the code was generated with the
Microsoft Visual Studio Compiler and offered some cogent reasons
why he believed this. Two other people who sent Kaspersky direct
emails made crucial contributions when they suggested that the code
appeared to be generated from a custom object-oriented C dialect —
referred to as OO C — using special extensions.
This led the researchers to test various
combinations of compiler and source codes over a few days until
they found the right combination that produced binary that matched
the style in DuQu. The magic combination was C code compiled with
Microsoft Visual Studio Compiler 2008 using options 01 and Ob1 in
the compiler to keep the code small.
“Visual C can optimize for speed and it can
optimize for size, or it can do some kind of balance between the
two,” says Costin Raiu, director of Kaspersky’s Global Research and
Analysis Team. “But they wanted obviously the smallest possible
size of code” to get it onto victim machines via an exploit.
More on this story at:
Now CHINA complains of surge in cyber-attacks
China is claiming attacks on public and
private organisations from outside of its borders have rocketed in
the past year - from five million computers affected in 2010 to
8.9m in 2011. State-run newspaper China Daily reported the figures
from (deep breath) the government’s National Computer Network
Emergency Response Technical Team and Coordination Centre. They
revealed that machines behind 11,851 IP addresses from overseas
took control of 10,593 Chinese websites during 2011. Other attacks
involved the destruction of servers and stealing of personal data
from web users in the People’s Republic.
Some 1,116 sites were defaced by overseas
attackers, and just under half of those government sites, Wang
Minghua, deputy director at the centre, told a news conference on
Monday. “This shows that Chinese websites still face a serious
problem from being maliciously attacked by foreign hackers or IP
addresses," he is quoted as saying.
Surprisingly, Japan is alleged to be the
source of most attacks on China, supposedly landing 22.8 per cent,
followed by the US with 20.4 per cent and then the Republic of
Korea with 7.1 per cent. The attacks were both financially
motivated and targeted at stealing sensitive information from
government departments, according to the report, although tellingly
there is no breakdown for each.
China has swung from being a country
frequently accused of launching cyber-attacks on Western nations to
one finding itself on the business end of hackers' keyboards.
Although it has been frustratingly difficult for investigators and
politicians to prove, everyone from Hillary Clinton to William
Hague and Google’s Eric Schmidt has pointed accusing fingers at the
Asian nation as a source of malicious net traffic.
More on this story at: http://www.theregister.co.uk/2012/03/20/china_complains_hack/
Data theft: Hacktivists 'steal more than
Hacktivists stole more data from large
corporations than cybercriminals in 2011, according to a study of
significant security incidents. The annual analysis of data
breaches by Verizon uncovered a huge rise in politically motivated
attacks. Verizon found that 58% of all the data stolen during
breaches in 2011 was purloined by these groups. Hacktivists were
hard to defend against, it said, as their attack strategies were
much harder to predict.
The Verizon report catalogued 855 incidents
around the world in which 174 million records were stolen.
"Hacktivism has been around for a some time but it's mainly been
website defacements," said Wade Baker, director of research and
intelligence at Verizon. "In 2011 it was more about going to steal
a bunch of information from a company." The hacktivist attacks were
spearheaded by the Anonymous hacker group and its tech-savvy
offshoots Antisec and Lulzsec. These activists scored a significant
number of successes by knocking out websites and stealing large
amounts of data from private companies and government agencies.
"Data theft became a mechanism for political
protest," said Mr Baker. He added that it was hard to develop
specific defences against these attacks because they used tactics
and techniques crafted for each occasion. He said the attacks by
hacktivists were not very common but often netted huge amounts of
data when they did penetrate defences. In contrast to that stolen
by hacktivists, about 35% of data pilfered from large companies was
taken by organised criminal groups which wanted to sell it or use
it to commit another crime.
Mr Baker said cybercriminals continued to be
a huge threat to large companies, and constantly battered their
internet defences looking for weaknesses. These attacks, he said,
tended to be opportunistic and capitalised on any loopholes and
vulnerabilities they found. While few firms were going out of
business or suffering lasting damage because of a data breach, he
said, companies still had work to do to ensure they knew they were
safe. "The ability to detect a breach is quite poor across the
board," said Mr Baker.