watching you watching us . .

Malware

Skype for iPhone and iPod Touch: iOS vulnerability allows compromising the device address book on receiving a text message, just add JavaScript

An exploit in Skype on an iPhone or iPod touch allows compromise of your device’s address book simply by the attacker sending you a chat message. When the exploit code in the message is run, the victim’s iPhone automatically makes a new connection to a server, grabs a larger payload and executes it, uploading the iPhone’s entire address book file to the server.

“.. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you’ll have a fully-searchable copy of the victim’s address book.

.. failure by Skype to sanitize potentially dangerous JavaScript commands from the text that gets sent in chat messages ..

It’s already been 48 hours since this vulnerability was first documented, and the vulnerable app is still available in the iTunes Store. It will be interesting to see how long it takes Apple and Skype to close the gaping hole ..”

“Skype for iPhone makes stealing address books a snap”
Dan Goodin, Malware, The Register UK, 20 September 2011
http://www.theregister.co.uk/2011/09/20/skype_for_iphone_contact_theft/ – last access 21 September 2011 – ( Full Article )

/cobramark3
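
The quoted article attributes the flaw to the sender's user name and chat text reaching the message view without sanitization. As an added example (not from the article and not Skype's code), the sketch below contrasts a renderer that concatenates those fields into HTML with one that encodes them first; the function names, the template and the sample messages are assumptions constructed for illustration.

```javascript
// Added example: a chat view that builds HTML for an embedded web view.
// All names (renderUnsafe, renderSafe, escapeHtml) and the template are hypothetical.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// BEFORE: sender name and body are concatenated into markup unmodified,
// so markup in either field is interpreted by the web view.
function renderUnsafe(msg) {
  return `<div class="msg"><span class="from" title="${msg.from}">${msg.from}</span>` +
         `<p>${msg.body}</p></div>`;
}

// AFTER: both remote-controlled fields are encoded for element content and
// for the quoted attribute value before they reach the template.
function renderSafe(msg) {
  const from = escapeHtml(msg.from);
  return `<div class="msg"><span class="from" title="${from}">${from}</span>` +
         `<p>${escapeHtml(msg.body)}</p></div>`;
}

// Comparison helper: remove the fixed template tags, then report whether any
// angle bracket (markup that did not come from the template) is left over.
function containsInjectedMarkup(html) {
  const templateTag =
    /<\/?(div|span|p)( class="(msg|from)")?( title="[^"<>]*")?>/g;
  return /[<>]/.test(html.replace(templateTag, ""));
}

// Constructed sample messages (not captured traffic).
const SAMPLES = [
  { from: "alice", body: "see you at 1pm" },
  { from: "<script>alert(1)</script>", body: "hi" },   // markup in element content
  { from: 'x" onmouseover="alert(1)', body: "hi" },    // breaks out of the attribute
];

function compare() {
  return SAMPLES.map((m) => ({
    unsafe: containsInjectedMarkup(renderUnsafe(m)),
    safe: containsInjectedMarkup(renderSafe(m)),
  }));
}

console.log(compare());
```

The third sample shows why quote characters must be encoded as well as angle brackets whenever a remote-controlled value is placed inside an attribute.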


Forging memory, a new development in Malware Rootkits

Apart from modifying and hiding files, registry entries and processes from detection software, rootkits often modify memory. Anti-rootkit tools inspect memory areas in an attempt to identify and flag such modifications.

A particular rootkit also modifies a memory location to prevent actual disk access by detection software. This technique is not new; however, it is the first found in the wild and being adopted by malware authors.

“.. a new rootkit appeared that at first glance seemed more similar to initial variants of TDL3 than to the updated TDL4 variants we have seen this year. Like TDL3, it also parasitically infected a driver by inserting code in the resource directory of the PE file. In this case the name of the file it infected was hard-coded to volsnap.sys. Also similar to the early variants of TDL3, this rootkit also hooked some pointers in the dispatch table (IRP hook) of the driver below disk on the device stack of the hard disk.

But it was very interesting to see some of the anti-rootkit tools not showing the dispatch table hooks that are usually pretty straightforward to identify. Also this malware would not allow an external debugger (WinDbg) to break.

The reason for hooks not being reported was that the memory being read by the tools was not the actual memory ..”

“Memory Forging Attempt by a Rootkit”
Rachit Mathur, McAfee Blog Center, 21 April 2011
http://blogs.mcafee.com/mcafee-labs/memory-forging-attempt-by-a-rootkit – last access 8 June 2011 – ( Full Article )

/cobramark3


Stuxnet worm’s true origins ?

Interesting article on the possible origins of Stuxnet… ?

“.. The worm, Stuxnet, is a Trojan horse said to have disabled Iran’s nuclear weapons program. The New York Times said late last year, “Meanwhile, the search for other clues in the Stuxnet program continues — and so do the theories about its origins.” The Times updated their take on January 15, 2011 calling Stuxnet, “the most sophisticated cyberweapon ever deployed…experts who have picked apart the computer worm describe it as far more complex — and ingenious — than anything they had imagined when it began circulating around the world, unexplained, in mid-2009 ..

– snip –

No one is looking back to a time in the mid-70s, when an obscure program called Promis first reared its head. Promis, according to sources, is at the root of Stuxnet. Promis was a computer program that promised to help US prosecutors track criminals and legal maneuverings through the system, “Prosecutor’s Management Information System.” The people-tracking software was later marketed by a firm named Inslaw, under the auspices of William Hamilton, a former NSA officer who still markets a version of the product today.

– snip –

By the late 1980s, Promis programs had been sold to Britain, Australia, South Korea and Canada. Allies harmless enough, right? But then up next was the KGB. There are multiple claims as to who sold Promis to the Russians. Several, including a source of mine, said it was newspaper mogul Robert Maxwell in assistance to Israel. Another acquaintance, former double agent David Dastych (Polish intell working for the CIA during the Cold War) said that an American intelligence officer admitted to him, “Yes, we gave Promis to the Russians and Chinese to back door their intell. Worked like a charm.” Both claims may overlap. In fact, the KGB is said to have used Promis for over 15 years. At first, there was nothing to suspect since malicious malware had not really been coined. Few back then understood the power of the computer, and so the Trojan horse entered the realms of international espionage, the microscopic spy ..”

Stuxnet worm’s true origins are exposed
PJ Wilcox, worldsecuritynetwork.com / greatreporter.com, 22 February 2011
http://greatreporter.com/mambo/content/view/2014/1/ – last access 3 March 2011 – ( Full Article )

~

Further to this article:

“.. So we start with a Windows dropper. The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed — mission accomplished. That’s easy, huh? I want to tell you how we found that out. When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was. The only thing that was known is very, very complex on the Windows part, the dropper part, used multiple zero-day vulnerabilities. And it seemed to want to do something with these gray boxes, these real-time control systems ..

this is a directed attack. It’s completely directed. The dropper is prowling actively on the gray box if a specific configuration is found, and even if the actual program that it’s trying to infect is actually running on that target. And if not, Stuxnet does nothing ..

And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science. It’s way above everything that we have ever seen before. Here you see a sample of this actual attack code. We are talking about — round about 15,000 lines of code. Looks pretty much like old-style assembly language ..

The big digital warhead — we had a shot at this by looking very closely at data and data structures. So for example, the number 164 really stands out in that code; you can’t overlook it. I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense, it was a match ..

And it even got better. These centrifuges in Iran are subdivided into 15, what is called, stages. And guess what we found in the attack code? An almost identical structure ..

This attack is generic. It doesn’t have anything to do, in specifics, with centrifuges, with uranium enrichment. So it would work as well, for example, in a power plant or in an automobile factory. It is generic. And you don’t have — as an attacker — you don’t have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet. You could also use conventional worm technology for spreading. Just spread it as wide as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That’s the consequence that we have to face. So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They’re in the United States and Europe and in Japan. So all of the green areas, these are your target-rich environments ..

My opinion is that the Mossad is involved, but that the leading force is not Israel. So the leading force behind that is the cyber superpower. There is only one, and that’s the United States — fortunately, fortunately. Because otherwise, our problems would even be bigger ..”

Cracking Stuxnet, a 21st-century cyber weapon
Ralph Langner, TED2011, March 2011
http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html – Full Talk

\cobramark3