Monthly Archives - October of 2010
 

Saturday, October 30, 2010

 
What phone was connected to the Yemen bombs? Posted by Mikko @ 10:25 GMT

Two PETN bombs were found last night. One was hidden inside a laser printer toner cartridge. The bombs were reportedly sent from Yemen to the USA on board regular freight planes.

CNN

The bombs were equipped with a detonator connected to a mainboard and a battery taken from a regular mobile phone. Apparently the bombs would have been detonated by calling the phone, triggering the ring vibrating motor, which would detonate the PETN inside the cartridge. Alternatively, a calendar alert set in the phone would trigger the vibrator as well.

So, which phone was it?

Based on the picture of the board, it's most likely a Nokia 6120 Classic.

Compare the image of the PCB connected to the bomb (top) to an image of a spare part 6120c mainboard (bottom):

Nokia 6120c

Nokia 6120 Classic is a smartphone, running Symbian OS 9.2 as the operating system.

Nokia 6120c, image from Wikipedia

IED bombs connected to different kinds of phones are regularly found in Iraq and other crisis zones in the world.

Image credits: Wikipedia, New York Times and IPMart.

Thanks to Pena Sarajärvi.

 
 

 
 
Tuesday, October 26, 2010

 
Bredolab Botnet Shut Down Posted by Mikko @ 06:06 GMT

2010 is turning out to be a good year for shutting down big botnets.

Latest case: Bredolab.

Example of an e-mail distributing a Bredolab variant

The Dutch National Crime Squad has announced a major take-down. The people behind the botnet have not been caught, but the servers (hosted in LeaseWeb IP space) have been taken over, effectively shutting down the botnet.

Bredolab is a large family of complicated, polymorphic trojans. They have been distributed via drive-by-downloads and e-mail. Bredolab is known to be connected to e-mail spam campaigns and rogue security products. And the size of the botnet was massive: over 30 million infected computers and close to 150 command & control servers.

Interestingly, the crime squad has announced that they will be sending a warning to infected PCs: "Users of computers with viruses from this network will receive a notice of at the time of next login with information on the degree of infection."

So they will probably use the existing botnet infrastructure to send a program to all infected machines, showing them a warning.

This is rarely done because running code on somebody else's computer might be seen as "unauthorized use", possibly making it illegal — although the intentions are obviously good.

Here's a video with more information (Severe warning! It is in Dutch).

Updated to add: The Dutch police are redirecting Bredolab-infected computers to this help page.

Updated to add: A 27-year old man has been arrested in Armenia. He is under investigation for being one of the operators behind Bredolab.

 
 

 
 
Monday, October 25, 2010

 
Firesheep: Making the Complicated Trivial Posted by Mikko @ 14:12 GMT

Surfing the web with an unencrypted HTTP connection is not safe, especially if you're doing it over an unencrypted Wi-Fi connection: anybody else at the same hotspot can use special tools to monitor your traffic.

Surfing the web with an encrypted HTTPS connection is much better. Using Wi-Fi with strong encryption is also safe. However, these options are usually not up to the end user to decide. Most open hotspots have no encryption at all, and many popular sites only use HTTPS for the login procedure, if at all.

And even if the login session is encrypted, many popular sites (such as Facebook, Twitter, Amazon) will simply give your browser a cookie which is used for all subsequent requests. If somebody can steal the cookie, they can steal your session in the service.

People have been living under the impression that capturing a session by stealing a cookie can only be done by skilled hackers with special tools.

Firesheep

This has now changed.

A paper called Hey Web 2.0: Start protecting user privacy instead of pretending to was presented in Toorcon last weekend by Ian Gallagher and Eric Butler. Their slides are available here.

They also released a tool called Firesheep.

Firesheep is a Firefox browser extension designed to demonstrate this problem.

Firesheep will scan local Wi-Fi networks. It will locate users who are logged into Facebook, Twitter, Google, Amazon, Dropbox, Evernote, Wordpress, Flickr, bit.ly and other services. It will show you their icon, and it will allow you to become them. You can continue their open session, post things, delete stuff. You can do anything they could do themselves.

This is pretty serious stuff. Suddenly something that has been hard to do is trivial to do.

Do note that using Firesheep under Windows still requires some skill — namely, to install WinPcap packet capture software.

Will Firesheep be misused? Absolutely.

Will it cause some of the above sites to go fully SSL? We hope so. Gmail did it earlier this year.

What can users do right now? Force SSL on if you can. Don't use Wi-Fis without encryption. Or, use a VPN.

Most corporate laptops come with a corporate VPN installed on them. But many of the users only turn it on when they need it. This is a bad idea. If you have a VPN, always turn it on when you are on a hotspot, even if you're not "working" but just surfing Facebook. All good VPN products will encrypt all of the traffic, even to Facebook.

Obviously home users don't have a corporate VPN on their laptops. Which VPN Service should they use then? We actually are not sure as we haven't really investigated this market. We're interested to hear your opinions. Leave us feedback via comments.

Updated to add: TechCrunch's take on Firefox extension Force-TLS; How To Protect Your Login Information From Firesheep.
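The weakness Firesheep demonstrates is visible in the server's own response headers: a session cookie set without the Secure attribute is replayed by the browser over plain HTTP, and without HSTS nothing forces users onto HTTPS. The following checker is an added example (not code from the original post or from the Firesheep authors); the two responses it inspects are constructed samples, and the list of "session-like" cookie names is an assumption to tune per application.

```python
"""Audit one HTTP response for the weakness Firesheep demonstrates.

Added example; not code from the original post or from the Firesheep authors.
A site that logs you in over HTTPS but then hands out a session cookie without
the Secure attribute lets the browser repeat that cookie over plain HTTP,
where anyone on the same open hotspot can copy it and take over the session.
The function below flags exactly that, plus a missing HSTS header (the
"force SSL" fix).  The two responses at the bottom are constructed samples.
"""

# Substrings that suggest a cookie carries a login session (assumption; tune
# for the application you are checking).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, attributes-dict, flag-set)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs, flags = {}, set()
    for attr in parts[1:]:
        if "=" in attr:
            k, v = attr.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        else:
            flags.add(attr.lower())  # bare attributes: Secure, HttpOnly
    return name, attrs, flags


def looks_like_session(name):
    lname = name.lower()
    return any(hint in lname for hint in SESSION_NAME_HINTS)


def audit_response(headers):
    """headers: list of (header-name, value) pairs as received from the server.

    Returns a list of human-readable findings; an empty list means the
    response sets no session cookie that a sniffer on an open Wi-Fi could reuse.
    """
    findings = []
    has_hsts = False
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            name, _attrs, flags = parse_set_cookie(hvalue)
            if not looks_like_session(name):
                continue  # e.g. a language preference; harmless if sniffed
            if "secure" not in flags:
                findings.append(f"{name}: no Secure attribute, browser will send it over plain HTTP")
            if "httponly" not in flags:
                findings.append(f"{name}: no HttpOnly attribute, page scripts can read it")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header, users are not forced onto HTTPS")
    return findings


# Constructed sample: HTTPS login that hands back an unprotected session cookie.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.com"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Constructed sample: the same site after forcing SSL and flagging the cookie.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.com; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "OK")
```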

 
 

 
 
Friday, October 22, 2010

 
Mr. Anderson Pleads Guilty Posted by Mikko @ 19:16 GMT

m00p

"Warpigs" from group "m00p" pleaded guilty today at the Southwark Crown Court in London.

We here at F-Secure are happy to get some closure on this long case, on which we've been working for a number of years.

This malware group produced several different malware families over several years. They were created for financial gain.

Our best regards to Scotland Yard, Police of Pori, and Central Criminal Police Finland.

Full statement from The Metropolitan Police follows.





An international operation into a network of computer virus writers has led to a Scottish man pleading guilty today (Friday 22 October).

A complex e-crime investigation by Metropolitan Police and the Finnish authorities was launched in 2006 into a highly organised group who were writing new computer viruses in order to avoid detection by anti-virus products.

They had been primarily targeting hundreds of UK businesses since 2005, and during this time tens of thousands of computers were infected across the globe.

The international conspiracy by members of the online m00p group (M - zero - zero - P) was to infect computers using viruses attached to unsolicited commercial e-mail (spam). Matthew Anderson was a key player in this, distributing millions of spam messages.

An operation was mounted by the MPS Police Central e-Crime Unit together with the Finnish National Bureau of Investigation (NBI Finland) and the Finnish Pori Police Department resulting in the arrest of three men on the 27 June 2006 in Suffolk, Scotland and Finland.

One of these men was Matthew Anderson, 33 years (DOB 17.10.77), a franchise manager, from Drummuir, Aberdeenshire. His role in the conspiracy was to manage the operation by composing the emails and distributing them with virus attachments.

A number of computers were seized at residential addresses in both countries in addition to the suspects' servers as part of the investigation.

The computer viruses were found to run in the background on an infected computer without the knowledge of the computer's owner, but allowed Anderson to access private and commercial data stored on the computers.

DC Bob Burls, from the Police Central e-Crime Unit, said:

"This organised online criminal network infected huge numbers of computers around the world, especially targeting UK businesses and individuals. Matthew Anderson methodically exploited computer users not only for his own financial gain but also violating their privacy. They used sophisticated computer code to commit their crimes.

"The internet means criminals have increased opportunities to commit crime internationally, however I'd like to reassure the public that the international law enforcement and anti-virus companies response is increasingly sophisticated. As this case shows, criminals can't hide online and are being held to account for their actions. A complex investigation like this demonstrates what international cooperation can achieve."

Anderson was able to use the control he had on his victims' computers to activate their webcams, effectively spying on them in their home environment, normally without their knowledge. Police established this during the investigation when they found screen grabs on Anderson's computers taken from other people's webcams as well as copies of private documents such as wills, medical reports, CVs, password lists and private photographs.

Online Anderson used the profile names of aobuluz and warpigs. He operated his illegal enterprise behind the front of an online business offering computer security software called Optom Security.

Anderson pleaded guilty at Southwark Crown Court to:

Causing unauthorised modification to the content of computers, contrary to section 3 of the Computer Misuse Act 1990.

Specifically that:

Matthew ANDERSON between the 1st day of September 2005 and the 27th day of June 2006, together with Artturi Alm and other persons, caused unauthorised modifications to the contents of computers, with intent to cause such modifications, and by so doing to impair their operation and/or to impair the operation of any computer programs or the reliability of computer data.

Counts of acquiring criminal property and money laundering were left to lie on file.

He will be sentenced on 22 November.

Two other men were previously arrested as part of the investigation. One was released with no further action. The other, Artturi Alm, pleaded guilty in Finland in 2008 and received a custodial sentence (18 days) and a community service order.








 
 

 
 
Microsoft Security Essentials is Fake Posted by Mikko @ 07:32 GMT

Actually, Microsoft Security Essentials is not fake. It's a real antivirus product from Microsoft.

However, there's a rogue security product out there that claims to be "Microsoft Security Essentials". It has nothing to do with Microsoft.

This malware is distributed via drive-by-download attacks as hotfix.exe or mstsc.exe (md5: 0a2582f71b1aab672ada496074f9ce46).

Here's what it looks like:



And not only does this fake tool steal Microsoft's brand, it also features a bizarre matrix display of 32 antivirus products, offering to locate for you a tool that would be capable of fixing your machine, as "Microsoft Security Essentials" can't clean the malware it found. In reality, this is all fake, and the tool has not found an infection in the file it claims.



Surprisingly, the only products that seem to be capable of handling the infection are AntiSpySafeguard, Major Defense Kit, Peak Protection, Pest Detector and Red Cross. Never heard of these? No wonder. They are all fake products.

"Microsoft Security Essentials" will try to scare you into purchasing a product you don't need. Don't fall for it.

Hopefully Microsoft's lawyers will find the clown behind this one. They would have a field day with him.

We detect this one as Trojan.Generic.KDV.47643.

 
 

 
 
Thursday, October 21, 2010

 
Are You Smarter Than John? Posted by Sean @ 12:55 GMT

How not to manage your passwords…



John, and his unique approach to security, is part of an F-Secure Internet Security 2011 campaign.

You can find more at besmarterthanjohn.com.

 
 

 
 
Wednesday, October 20, 2010

 
Reported Attack Site! - Security Tool's Latest Trick Posted by Response @ 06:38 GMT

Riding on Firefox's ability to block attack sites, Security Tool, a rogue antivirus application, is attempting a new trick. It wasn't too long ago when it utilized the Firefox Update Flash feature to push its wares.

This time, when an unsuspecting user visits the page, it gets a very authentic-looking Firefox block page.

Reported Attack Page

But, this is no ordinary block page. It is special in the sense that it offers a download that you can install to update your browser!

Reported Attack Page

Brilliant right? So yeah, an unsuspecting user may end up downloading the ff_secure_upd.exe file and installing the rogue AV.

Actually… If scripts are enabled in your browser, you don't even need to click on the "Download Updates!" button. It will just offer the Rogue to you:

Reported Attack Page

And will refuse to let you go if you click "Cancel".

Reported Attack Page

After all you should update your Firefox, right? And it is forgiving in giving you a second chance to download again.

The ironic thing is, the page contains the clause "Some attack pages intentionally distribute harmful software". It might as well have added… "Which you can get by clicking on the button below".

Neat new trick and pretty sneaky. It also might just work. So do be careful when you see a "Firefox" block page; the clean one doesn't ask you to download anything. Here is a reminder of what a clean Firefox block page looks like:

Reported Attack Page

It kinda reminds one of an Alanis Morissette song…

Updated to add: Aiming for maximum distribution, the website apparently also has a block page for Google Chrome:

Malware Detected!

This time, it uses the filename chrome_secure_upd.exe for the rogue AV file.

Finally, there is an iframe within the page that loads a Phoenix exploit kit from a different site.

(Credit goes to Patrik Runald of Websense for this additional information. Thanks Patrik! :) )

Response post by — Christine & Mina







 
 

 
 
Hack In The Box 2010 Malaysia Panel Discussion Posted by Alia @ 02:45 GMT

Mikko was one of the participants in the special keynote panel discussion on "The Future of Mobile Malware & Cloud Computing" at last week's Hack In The Box 2010 Malaysia conference:

Mikko at HitB2011

Some of the points discussed included: the potential effect of having so many phone operating systems; quite a bit about Apple's App Store and how well the filtering is functioning (and also how it's unlikely anyone but Apple could pull it off); the possibility of filtering by the telecommunications providers; and a bit about problems involved in effectively blocking mobile malware.

Oh, and a bit about how Stuxnet is getting more media coverage than its actual threat potential warrants.

A live stream of the discussion was available at the HitB website during the event, but unfortunately it's no longer available. Hopefully, a recording of the discussion might be available later on.

 
 

 
 
Tuesday, October 19, 2010

 
iPhone Spy Tool Available For Sale in Cydia Store Posted by Mikko @ 18:16 GMT

Cydia Store is similar to Apple's App Store, except it's for jailbroken iPhones.

There's a wide variety of free apps on Cydia and dozens of commercial applications on Cydia Store.

By browsing the available applications in Cydia, you'll find gems like these:

OwnSpy

OwnSpy? Remote iPhone Spy?

Let's take a closer look.

iPhone OwnSpy 01

iPhone OwnSpy 02

The website of the vendor behind Ownspy:

OwnSpy

The site describes the features of the Spy tool in detail, complete with demos.

OwnSpy Demo

FAQ entry:

OwnSpy FAQ

Price chart:

OwnSpy Pricing

This is not the first Spy tool for jailbroken iPhones we've seen. But it is weird to see these for sale on Cydia.

 
 

 
 
Monday, October 18, 2010

 
Vote in the Computer Weekly IT Blog Awards 2010 Posted by Sean @ 16:04 GMT

The winners of Computer Weekly's Blog Awards 2010 will be announced on the 18th of November.

That means you have one month (plenty of time) to head on over to Computer Weekly and vote.

F-Secure Labs is eligible in two categories.

News from the Lab is in the IT security category:

Computer Weekly Blog Awards 2010, IT security

And Mikko is in the Twitter category:

Computer Weekly Blog Awards 2010, Twitter

Thanks for your consideration!

 
 

 
 
Friday, October 15, 2010

 
Espionage Suite: Phone Creeper v0.95 Posted by Sean @ 11:27 GMT

XDA-Developers member Chet Striker recently tweeted about his mobile espionage suite called Phone Creeper.

Version 0.95 was released today.

Phone Creeper is a Windows Mobile application (also being developed for Android).

Phone Creeper v0.95

"This is a phone espionage suite. It can be silently installed by just inserting an [SD] card with the files below on it. The program does not show up under installed programs or running programs and allows for a useful array or features. Phones running this software can be remotely [controlled] by [SMS] text messages."

Silent installation, doesn't show up under installed programs, and allows for remote control.

Here are some of the commands:

  •  View sent call logs (even deleted)
  •  View received SMS logs (even deleted)
  •  Get contacts
  •  Get appointments
  •  Get tasks
  •  Get GPS location and Google Maps link

Sounds like a fully featured spy-tool, right?

So why does Striker develop Phone Creeper? After all, he doesn't sell it, and there's no money involved.

From his Ethical Statement:

"[The] main reason i've created this is just because I could and because it seemed challenging and different and fun. I don't actually have anybody to spy on, nor would I want to."

"I don't condone mal-intented use of my program, as I said before it's because I can and it's fun."

Okay, so, he's a guy that wants to develop some cool James Bond-like software. And Phone Creeper does boast an impressive set of features. But still, this could be used to do real harm in the wrong hands. Striker even acknowledges this in his ethical statement. His most recent post also includes his RemoveCreeper.zip.

We've added detection for Phone Creeper as a backdoor and our Mobile Security will block its installation.

Striker doesn't seem like a bad guy in our book, but a silently installing espionage suite should be detected by a security suite; the author's motives aren't as important as what the tool actually does.

But decide for yourself, read his statement and then leave us a comment.

 
 

 
 
Tuesday, October 12, 2010

 
Mobile Security Review Posted by Sean @ 12:47 GMT

Mikko recently filmed a mobile security summary, from May to September.

The video is on our FSecureNews YouTube channel and can be viewed here:

http://www.youtube.com/watch?v=fJMLr8BDQq8

You can find January to May's summary here.

 
 

 
 
Monday, October 11, 2010

 
PayPal 2.7 for iOS: Catch Me If You Can Posted by Sean @ 13:25 GMT

More and more banking services are being outsourced to mobile devices. Example: PayPal version 2.7 for iOS now includes a check capture feature that lets you snap a photo of a check for deposit in your PayPal account.

iTunes, PayPal 2.7

For our European readers, yes, many Americans still use checks. Hopefully there isn't a 21st century version of Frank Abagnale just waiting to take advantage of this new feature.

You can read more about PayPal's mobile (iPhone/Android/BlackBerry) applications here.

 
 

 
 
Thursday, October 7, 2010

 
Facebook: Giving You More Control? Posted by Sean @ 13:43 GMT

Facebook CEO, Mark Zuckerberg, has announced on their blog that the site will soon be offering new features and controls. The features include New Facebook Groups, a Dashboard for Applications, and the ability to Download Your Information.

#1 — Why the "new" Groups? According to Zuckerberg, people frequently tell them:

"I'd share this thing, but I don't want to bother 250 people. Or my grandmother. Or my boss."

Now we thought that's what Friends Lists are for… but then, even Zuckerberg has admitted that Friends Lists are too difficult for most people to effectively manage. So this "completely overhauled, brand new version of Groups" is really mostly the same old Groups that we've been using since early 2009, with some PR spin.

While we kind of like the idea of simplified Groups, we don't expect they'll be any easier to manage.

#2 — Dashboard for Applications. This looks promising. We look forward to testing it out. The application settings have been needing a dashboard for quite some time.

#3 — Download Your Information. Privacy advocates have been asking for this feature for a long time. They want Facebook users to have the power to migrate if they choose to do so.

But there is one significant concern in our minds… the verification process.

Step 1 is to request the download from your Account Settings:

Download Your Information

You'll get an e-mail when the information has been collected:

Download Your Information

There will be a verification link in the e-mail notification:

Download Your Information

And the verification link opens a page that prompts for your Facebook password

Download Your Information

So, what's our concern?

PHISHING

Far too many people reuse passwords on multiple sites. If their e-mail accounts are phished, the attacker might just as well try logging onto Facebook with the same credentials.

Facebook isn't to blame. People want this feature. In fact, many, such as the EFF, have been demanding data portability for quite some time.

Before anybody goes all Chicken Little and starts crying about identity theft… stop. The real problem here is much closer to home. This feature is most likely to be abused by your spouse! (And you know why. She wants to use it against you in court.)

So it seems to us that Facebook should provide the option for SMS notification each time a Download Your Information request is made. And log details. If Facebook is providing a Dashboard for Applications, shouldn't they provide one for their own applications?

We think so.

Updated to add on October 13th: We've now tested the Download Your Information feature.

The e-mail is only notification of availability and adds nothing to the verification process. Returning to the download request page after waiting a sufficient amount of time also results in a password prompt. The zip file can be downloaded multiple times.

Only the Facebook account password is required and there's no additional e-mail notification generated for subsequent downloads.

Facebook's Help Center provides no details on the zip file's length of availability or how often the file is recompiled.

 
 

 
 
Wednesday, October 6, 2010

 
Nobody Does It Better Posted by Sean @ 14:42 GMT

Mikko Hypponen, our Chief Research Officer, was given an award last week at the Virus Bulletin 2010 conference in Vancouver.

There were six different Virus Bulletin awards given out. They are presented every ten years.

Mikko won the award for the Best educator in the industry.

Congratulations to Mikko!

VB2010
Helen Martin, Andrew Lee and Mikko Hypponen

VB2010
Images by John Hawes of Virus Bulletin







 
 

 
 
Can you spot what's odd in this image? Posted by Response @ 07:02 GMT

Phishing

Congratulations, you noticed the mismatch between the page contents — clearly for a bank — and its dubious URL! Another extra point if you suspected something is off in Step 1. That is because on the actual login page, users are reminded to verify that they are at the correct URL address. Other than these two differences, both pages look identical.

It all started with an e-mail apparently from the Indian Income Tax Department, notifying you that you are eligible for a tax refund. The "From" address was spoofed to make it more believable.

Income Tax Department e-mail

Then, you know how the story goes — you click on a link, are tricked into entering credentials, and the bad guys suddenly have the access to your bank account.

Always keep in mind that no authority would ask you to perform a confidential action or reveal sensitive data via e-mail. In this case, all the needed information has already been collected when you do the tax filing. On its website, the Indian Income Tax Department warns users of this phishing attempt and advises people to ignore such e-mails.

To our Indian readers, don't forget to file your income tax (if you haven't done so already).

Thanks to Kandru and Venu for the tips.

—————

Updated to add: post edited to highlight the phishing elements.

 
 

 
 
Monday, October 4, 2010

 
Voi Paska, Facebook Spam Localized in Finnish Posted by Sean @ 17:57 GMT

Say you're a social media spammer that drives traffic towards CPAlead.com surveys…

What do you do when English speakers are increasingly desensitized towards Facebook spam?

Language localization!

We're currently seeing a run of Facebook spam that uses the following subject:

"Voi paska, katso miten kävi kun isä näki tyttärensä webcam-esityksen"

Facebook Search: Voi paska

It's a Finnish translation of the popular English spam subject:

"OMG, dad catches daughter on webcam"

The spam links to this Page:

Varoitus ("Warning")

After clicking on the confirm button, the user will be asked to click a series of numbered buttons:

Seuraa allaolevia ohjeita jatkaaksesi ("Follow the instructions below to continue")

This is a form of clickjacking that will result in the link automatically being liked and shared to the user's profile, thus spreading to friends via the News Feed.

Firefox Add-on NoScript provides protection against this type of threat:

NoScript, ClearClick Warning

Here you can see NoScript's ClearClick Warning that the "1" button is actually a hidden "share" button.

NoScript, ClearClick Warning

If the user clicks the submit button, he'll be directed to a website which prompts him to sign up for a promotion in order to prove that he's human (as an antispam measure).

This is the promotion, hosted in the Netherlands:

Voita ("Win")

Here's the fine print:

Voi_paska_19Euroa

It's a 19€ SMS based subscription. Ouch.

And finally, what do you get if you provide your phone number and continue?

Nothing more than a video that you can easily search for on YouTube on your own.

Voi_paska_YouTube

We've reported the Page as spam.

Facebook_Report_Page_Spam

At 17:00 there were 76,000 Page likes. At 20:45 there are 94,000.

Non-native English speakers often feel a sense of security from spam and scams because language localization is rather rare via e-mail. (Especially for an obscure little language such as Finnish.) But it isn't as difficult to localize social media content.

Don't feel a false sense of security. 19€ per lead provides spammers a lot of motivation.

Updated to add: 107,000 people clicked on this spam link before Facebook disabled the Page. That is equal to 2 percent of Finland's population! E-mail spam gets nowhere close to this type of conversion rate.

We've edited the post and have added an image. See this post's comments for additional information.

 
 

 
 
Friday, October 1, 2010

 
Stuxnet Questions and Answers Posted by Mikko @ 02:55 GMT

Updated to add on November 23rd: Additional Questions & Answers: Stuxnet Redux

Stuxnet continues to be a hot topic. Here are answers to some of the questions we've received.

Q: What is Stuxnet?
A: It's a Windows worm, spreading via USB sticks. Once inside an organization, it can also spread by copying itself to network shares if they have weak passwords.

Q: Can it spread via other USB devices?
A: Sure, it can spread via anything that you can mount as a drive. Like a USB hard drive, mobile phone, picture frame and so on.

Q: What does it do then?
A: It infects the system, hides itself with a rootkit and sees if the infected computer is connected to a Siemens Simatic (Step7) factory system.

Q: What does it do with Simatic?
A: It modifies commands sent from the Windows computer to the PLC. Once running on the PLC, it looks for a specific factory environment. If this is not found, it does nothing.

Simatic

Q: Which factory is it looking for?
A: We don't know.

Q: Has it found the factory it's looking for?
A: We don't know.

Q: What would it do if it finds it?
A: It makes complex modifications to the system. The results of those modifications cannot be determined without seeing the actual environment. So we don't know.

Q: Ok, in theory: what could it do?
A: It could adjust motors, conveyor belts, pumps. It could stop a factory. With the right modifications, it could cause things to explode.

Q: Why is Stuxnet considered to be so complex?
A: It uses multiple vulnerabilities and drops its own driver to the system.

Q: How can it install its own driver? Shouldn't drivers be signed for them to work in Windows?
A: The Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp.

Q: Has the stolen certificate been revoked?
A: Yes. Verisign revoked it on 16th of July. A modified variant signed with a certificate stolen from JMicron Technology Corporation was found on 17th of July.

Q: What's the relation between Realtek and JMicron?
A: Nothing. But these companies have their HQs in the same office park in Taiwan. Which is weird.

Q: What vulnerabilities does Stuxnet exploit?
A: Overall, Stuxnet exploits five different vulnerabilities, four of which were 0-days:

  •  LNK (MS10-046)
  •  Print Spooler (MS10-061)
  •  Server Service (MS08-067)
  •  Privilege escalation via Keyboard layout file
  •  Privilege escalation via Task Scheduler

Q: And these have been patched by Microsoft?
A: The two Privilege escalations have not yet been patched.

Q: Why was it so slow to analyze Stuxnet in detail?
A: It's unusually complex and unusually big. Stuxnet is over 1.5MB in size.

Q: When did Stuxnet start spreading?
A: In June 2009, or maybe even earlier. One of the components has a compile date in January 2009.

Q: When was it discovered?
A: A year later, in June 2010.

Q: How is that possible?
A: Good question.

Q: Was Stuxnet written by a government?
A: That's what it would look like, yes.

Q: How could governments get something so complex right?
A: Trick question. Nice. Next question.

Q: Was it Israel?
A: We don't know.

Q: Was it Egypt? Saudi Arabia? USA?
A: We don't know.

Q: Was the target Iran?
A: We don't know.

Q: Is it true that there are biblical references inside Stuxnet?
A: There is a reference to "Myrtus" (which is a myrtle plant). However, this is not "hidden" in the code. It's an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code in his system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project "Myrtus", but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.

Q: So how exactly is "Myrtus" a biblical reference?
A: Uhh… we don't know, really.

Q: Could it mean something else?
A: Yeah: it could mean "My RTUs", not "Myrtus". RTU is an abbreviation for Remote Terminal Units, used in factory systems.
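The "Myrtus" and "Aurora" paths above are CodeView debug records that the compiler leaves in a PE binary: a 4-byte "RSDS" signature, a 16-byte GUID, a 4-byte age, then the NUL-terminated path of the .pdb file on the build machine. The following extractor is an added example (not code from the original post or from F-Secure); the byte buffer it scans is constructed here with the two paths quoted above and a dummy GUID, not taken from any real sample.

```python
"""Pull PDB (debug symbol) paths out of a PE image.

Added example, not F-Secure's code.  Compilers that emit debug info leave a
CodeView "RSDS" record in the binary: the 4-byte signature, a 16-byte GUID,
a 4-byte age, then the NUL-terminated path of the .pdb file as it was on the
build machine.  That path is the artifact the Q&A above refers to.  The
buffer below is constructed here; it is not a real Stuxnet or Aurora sample.
"""
import re
import struct
import uuid

RSDS = b"RSDS"


def extract_pdb_paths(data: bytes):
    """Return a list of {offset, guid, age, path} for every RSDS record found."""
    results = []
    start = 0
    while True:
        pos = data.find(RSDS, start)
        if pos < 0:
            break
        start = pos + 4
        rec = data[pos + 4: pos + 24]  # GUID (16 bytes) + age (4 bytes)
        if len(rec) < 20:
            break
        guid = uuid.UUID(bytes_le=rec[:16])
        (age,) = struct.unpack("<I", rec[16:20])
        end = data.find(b"\x00", pos + 24)
        if end < 0:
            continue
        raw = data[pos + 24:end]
        # A genuine record carries a printable path ending in .pdb; anything
        # else is just the string "RSDS" occurring somewhere in the file.
        if not raw or not raw.lower().endswith(b".pdb") or not all(32 <= b < 127 for b in raw):
            continue
        results.append({"offset": pos, "guid": str(guid), "age": age, "path": raw.decode("ascii")})
    return results


def project_name(path: str) -> str:
    """First directory element of the path, i.e. what the developers called the project."""
    parts = [p for p in re.split(r"[\\/]", path) if p]
    return parts[0] if parts else ""


def make_rsds(path: str, age: int = 1, guid: uuid.UUID = None) -> bytes:
    """Build a CodeView record; used only to construct the sample buffer below."""
    g = guid or uuid.UUID("12345678-1234-5678-1234-567812345678")  # dummy GUID
    return RSDS + g.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed sample: a stub header, a decoy "RSDS" string that is not a
# record, and two real records using the paths quoted in the Q&A.
SAMPLE = (
    b"MZ" + b"\x00" * 60
    + b"RSDSnot a record"
    + make_rsds(r"\myrtus\src\objfre_w2k_x86\i386\guava.pdb", age=3)
    + b"\xff" * 16
    + make_rsds(r"\Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb")
)

if __name__ == "__main__":
    for r in extract_pdb_paths(SAMPLE):
        print(f"offset {r['offset']:#x} age {r['age']} project {project_name(r['path'])!r}: {r['path']}")
```

On a real binary, read the file into `data` and call `extract_pdb_paths` on it; the decoy in the sample shows why the path-sanity check is needed on arbitrary files.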

Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value "19790509" as an infection marker.

Q: What's the significance of "19790509"?
A: It's a date. 9th of May, 1979.

Q: What happened on 9th of May, 1979?
A: Maybe it's the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused of spying for Israel.

Q: Oh.
A: Yeah.

Q: Is there a link between Stuxnet and Conficker?
A: It's possible. Conficker variants were found between November 2008 and April 2009. First variants of Stuxnet were found shortly after that. Both exploit the MS08-067 vulnerability. Both use USB sticks to spread. Both use weak network passwords to spread. And, of course, both are unusually complex.

Q: Is there a link to any other malware?
A: Some Zlob variants were the first to use the LNK vulnerability.

Q: Disabling AutoRun in Windows will stop USB worms, right?
A: Wrong. There are several other spreading mechanisms USB worms use. The LNK vulnerability used by Stuxnet would infect you even if AutoRun and AutoPlay were disabled.

Q: Will Stuxnet spread forever?
A: The current versions have a "kill date" of June 24, 2012. It will stop spreading on this date.

Q: How many computers did it infect?
A: Hundreds of thousands.

Q: But Siemens has announced that only 15 factories have been infected.
A: They are talking about factories. Most of the infected machines are collateral infections, i.e. normal home and office computers that are not connected to SCADA systems.

Q: How could the attackers get a trojan like this into a secure facility?
A: For example, by breaking into the home of an employee, finding his USB sticks and infecting them. Then wait for the employee to take the sticks to work and infect his work computer. The infection will spread further inside the secure facility via USB sticks, eventually hitting the target. As a side effect, it will continue to spread elsewhere as well. This is why Stuxnet has spread worldwide.

Q: Anything else it could do, in theory?
A: Siemens announced last year that Simatic can now also control alarm systems, access controls and doors. In theory, this could be used to gain access to top secret locations. Think Tom Cruise and Mission Impossible.

Image Copyright (c) Paramount Pictures

Q: Did Stuxnet sink Deepwater Horizon and cause the Mexican oil spill?
A: No, we do not think so. Although it does seem Deepwater Horizon indeed did have some Siemens PLC systems on it.

Q: Does F-Secure detect Stuxnet?
A: Yes.

Note: We have learned many of the details mentioned in this Q&A in discussions with researchers from Microsoft, Kaspersky, Symantec and other vendors.


Video from Virus Bulletin 2010 where Symantec researcher Liam O'Murchu demonstrates a proof of concept Stuxnet-like SCADA modification that changes the operation of an air pump.