CERT-MU E-Security Newsletter
CERT-MU Quarterly | July 2012
CERT-MU e-Security Newsletter
Addressing the Need of Information Security for Intelligent Mauritius
Volume 2 | Issue 2 | July 2012

In this issue:
- A New Era of Cyber Warfare with Flame
- Transition of IPv4 to IPv6 Raises New Security Challenges
- Cyber Security Events 2012
- News Focus
- CERT-MU Events
- Guidelines
- Information Security Tips

CERT-MU has been affiliated to the Forum of Incident Response and Security Teams (FIRST) since the beginning of May 2012. FIRST is the premier organization and recognized global leader in information security incident response, and brings together more than 200 computer security incident response teams from government, commercial and educational organizations in Europe, Africa, America and other countries. This affiliation will enable CERT-MU to respond more effectively to security incidents.

Dear Readers,

Today's enterprise and global critical infrastructure is more vulnerable than ever due to the changing threat landscape. The typical cybercriminal is no longer defacing a website from a personal computer for fun and notoriety; there is far more to steal. Organisations have become a rich target as more valuable information is stored on network-accessible devices and services every day. Historically, enterprises have focused on securing sensitive customer data such as consumer credit card information, but now other information, such as details of critical infrastructure and other records, is targeted as well. This has been confirmed by the discovery of sophisticated cyber-attacks such as Flame, Stuxnet and Duqu. In these circumstances, our duty is to protect our critical infrastructure and valuable information from being attacked. One way of doing so is by educating people and making them aware of the latest threats.

The third edition of the CERT-MU e-Security Newsletter will not only help you to understand the specifics of information security and its trends but also keep you up to date with the latest information security issues, statistics, tips and events. We trust that you will find the articles interesting and enjoy reading them.

The e-Security Newsletter Team

A New Era of Cyber Warfare with Flame

The virus known as ‘Flame’ is the third major cyber weapon uncovered after the Stuxnet virus that attacked Iran’s nuclear program in 2010 and Duqu in 2011. Flame came to light following an investigation prompted by the UN’s International Telecommunication Union (ITU) into a malware that was deleting sensitive information across the Middle East. While searching for that code, nicknamed “Wiper”, Kaspersky Lab discovered the malware Worm Win.32.Flame. Flame is a sophisticated attack toolkit: it is a backdoor, a Trojan, and has worm-like features. This allows it to replicate in a local network and on removable media. The malware targets Windows computers and, once the system is infected, it begins a complex set of operations. These include sniffing the network traffic, taking screenshots, recording audio conversations and intercepting the keyboard, amongst others. The captured data is then made available to the operators through the link to Flame’s command-and-control servers. Later, the operators can choose to upload further modules, which expand Flame’s functionality. About 20 modules have been detected in Flame.

Flame also has the ability to replicate through local networks. It exploits a printer vulnerability (Vulnerability in Print Spooler Service Could Allow Remote Code Execution, MS10-061). This vulnerability was also exploited by Stuxnet, firstly by using a special Microsoft Operations Framework (MOF) file executed on the attacked system through Windows Management Instrumentation, and secondly via remote job tasks.

Flame appears to have two modules designed for infecting USB sticks, called “Autorun Infector” and “Euphoria”. However, security experts have not detected them in action yet. This is because they appear to be disabled in the configuration data; nevertheless, the ability to infect USB sticks is present in the code. The two methods are as follows:

1. Autorun Infector: the “Autorun.inf” method from early Stuxnet, using the “shell32.dll” “trick”. This method was only used in Stuxnet and was not detected in any other malware.
2. Euphoria: spreads on media using a “junction point” directory that contains malware modules and an LNK file that triggers the infection when this directory is opened.

When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.

The Complexity of Flame

The virus contains about 20 times as much code as Stuxnet, which attacked an Iranian uranium enrichment facility, causing centrifuges to fail. It has about 100 times as much code as a typical virus designed to steal financial information, as per Kaspersky Labs. Due to this complexity, it is very difficult to analyse Flame. The malware is very big because it consists of several libraries such as ‘zlib’, ‘libbz2’ and ‘ppmd’ for compression, sqlite3 for database manipulation, and a Lua virtual machine. Lua is a scripting (programming) language which can very easily be extended and interfaced with C code. Many parts of Flame have high-order logic written in Lua, with effective attack subroutines and libraries compiled from C++. In addition, there are internally used local databases with nested SQL queries, multiple methods of encryption, various compression algorithms, usage of Windows Management Instrumentation scripting, batch scripting and more.

According to cryptographic experts, Flame is the first malicious program to use an obscure cryptographic technique known as a “prefix collision attack”. This allowed the virus to fake digital credentials that helped it to spread. The exact method of carrying out such an attack was only demonstrated in 2008, and the creators of Flame came up with their own variant. Security experts have added that the design of this new variant required world-class cryptanalysis. Moreover, running and debugging the malware is also not trivial, as it is not a conventional executable application but several DLL files that are loaded on system boot.

The Purpose of Flame

The discovery of complex cyber-attacks is not new. In 2010, there was Stuxnet, a software virus that disrupted the operation of centrifuges at nuclear facilities in Iran. In 2011, Duqu was discovered, a computer worm that was built on much of the same code as Stuxnet, but which concentrated on espionage rather than sabotage, extracting data out of computers that it infected. Flame has been compared to Duqu since both appeared to target similar geograph- [...] -mation on the operations of certain nation states in the Middle East, including Iran, Lebanon, Syria, Israel and others.

The Self-Destruction of Flame

Several weeks after the detection of Flame, the malware was ordered to self-destruct. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame's creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control, according to Symantec’s security response team. According to security firm Symantec, the command-and-control (C&C) servers had sent an updated directive to the virus, which it terms “Flamer”, designed to remove it from compromised computers. The commands leave no traces of the Flame infection behind. Therefore, any client receiving this file would have had all traces of Flame removed.

How to Remove Flame from Infected Computers

The International Telecommunications Union (ITU), the International Multilateral Partnership Against Cyber Threat (IMPACT) and Kaspersky Labs have developed a special edition tool to eradicate all espionage-related malware from affected systems. The tool is the Kaspersky Virus Removal Tool Special ITU Edition, a customised tool that removes detrimental malware such as Flame, Stuxnet, Duqu and all other known malicious programs. The tool can be downloaded from the Security Tools section of the CERT-MU website: www.cert-mu.gov.mu. The Virus Removal Tool is aimed at curing infected computers (running Microsoft Windows) of malicious programs, including the Flame virus.

The application does not require installation, and the steps below can be performed to scan a computer for viruses:

1. Start the application from any device, for example a removable drive.
2. When the application starts, a window with the License Agreement is displayed.
3. You must agree with the License Agreement and then click on the Start button to open the main application.
4. In the left part of the window, select the Automatic Scan tab and click the Start Scanning button.
5. If the tool detects a threat that is currently active in the system (for example, a malicious process in RAM or in startup objects), a notification pops up to carry out the disinfection procedure.

Attacks on Mobile Devices

According to new statistics from Symantec, the number of malicious cyber attacks increased to 81% in 2011. Mobile vulnerabilities increased by 93% in 2011, and there has been a rise in threats that targeted Android devices.
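The check a defender can draw from the prefix collision point in the Flame article above, as an added example and not code from the newsletter: Flame's forged credential depended on a chosen-prefix collision against MD5, so a certificate whose signature algorithm is still MD5-based should be rejected before it is trusted for code signing. The DER walker and the two skeleton certificates below are constructed for illustration and are not real certificates.

```python
# Added example (not from the newsletter): a minimal DER walker that reads the
# outer signatureAlgorithm of an X.509 certificate and flags MD5 signatures, the
# hash whose chosen-prefix collision let Flame forge a code-signing credential.
# Certificate bytes below are CONSTRUCTED skeletons, not real certificates.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}  # RFC 3279 OID

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Dotted form of an OBJECT IDENTIFIER's content octets (first arc 0 or 1 assumed)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # high bit clear: last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm.algorithm (the outer field)."""
    tag, body, _ = der_tlv(cert_der)
    _, _, pos = der_tlv(body)           # skip tbsCertificate
    tag2, alg_id, _ = der_tlv(body, pos)  # AlgorithmIdentifier SEQUENCE
    tag3, oid_raw, _ = der_tlv(alg_id)  # its first element is the algorithm OID
    assert (tag, tag2, tag3) == (0x30, 0x30, 0x06), "unexpected DER structure"
    return decode_oid(oid_raw)

def is_weak_signature(cert_der):
    """True when the certificate is signed with a collision-prone hash (MD5)."""
    return signature_algorithm(cert_der) in WEAK_SIG_OIDS

def _seq(*children):                    # build a short-form DER SEQUENCE (< 128 bytes)
    body = b"".join(children)
    return b"\x30" + bytes([len(body)]) + body

# Constructed samples: AlgorithmIdentifier = SEQUENCE { OID, NULL }.
MD5_ALG = _seq(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04", b"\x05\x00")
SHA256_ALG = _seq(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b", b"\x05\x00")
STUB_TBS = _seq(b"\x02\x01\x01")        # stand-in tbsCertificate: just a serial number
DUMMY_SIG = b"\x03\x02\x00\xff"         # BIT STRING, 0 unused bits, one byte
MD5_SIGNED_CERT = _seq(STUB_TBS, MD5_ALG, DUMMY_SIG)
SHA256_SIGNED_CERT = _seq(STUB_TBS, SHA256_ALG, DUMMY_SIG)
```

On a real DER certificate (for example the output of `openssl x509 -outform DER`), `signature_algorithm` reads the same outer field, so the same check applies unchanged.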