watching you watching us . .

Posts tagged “Malware

Securing Freedom, What Tactics Should and Currently are Being Used to Combat Criminal Exploitation of the Internet, and is it Legal or Proportionate ?

A few recent broadcasts not too be missed..

Stephen Grey investigates the use of computer hacking by the police and security agencies to combat criminal exploitation of the internet and asks if it is legal.

“.. RIPA .. range of surveillance powers.. unspecified hardware/software, keyloggers..

software installed on suspect computers could be considered breaking section 3 of Computer Misuse Act, by altering data..

lack of clarity from authorities, Article 8 Human Rights Act, scope of states power must be disclosed and made clear what authorities will or won’t use ..

William Hague, who speaks for the government on computer security issues, said: “Any export of goods that could be used for internal repression is something we would want to stop” .. He also admitted the law governing software exports was a grey area ..”

UK firm denies ‘cyber-spy’ deal with Egypt
Stephen Grey, File on 4, BBC Radio 4, 20 September 2011
http://www.bbc.co.uk/news/technology-14981672 – (Full Broadcast) – last access 23 September 2011

~

Excellently delivered by Eliza, offering public insight into reasons behind securing freedom and perceived hypocrisy.

Her second Reith lecture of 2011, the former director-general of the British Security Service (MI5), Eliza Manningham-Buller, discusses policy priorities since 9/11. She reflects on the Arab Spring, and argues that the West’s support of authoritarian regimes did, to some extent, fuel the growth of al-Qaeda.

The Reith Lectures – Securing Freedom: 2011 : Freedom
Eliza Manningham-Buller, BBC Radio 4, 20 September 2011
http://www.bbc.co.uk/iplayer/episode/p00k4053/The_Reith_Lectures_Eliza_ManninghamBuller_Lecture_3_Freedom/ – (Full Broadcast) – last access 23 September 2011

Her first and the previous Reith Lecture:

The Reith Lectures – Securing Freedom: 2011 : Security
Eliza Manningham-Buller, BBC Radio 4, 13 September 2011
http://www.bbc.co.uk/iplayer/episode/b014fcyw/The_Reith_Lectures_Securing_Freedom_2011_Eliza_ManninghamBuller_Security/ – (Full Broadcast) – last access 23 September 2011

/cobramark3

Advertisements

Some Current Law addressing the Distribution and Creation of Malware and Viruses

“.. In the UK, the introduction of malware is covered by section 3 of the Computer Misuse Act [2]. The Act states that a crime is committed if a person “does any act which causes an unauthorized modification of the contents of any computer” and the perpetrator intends to “cause a modification of the contents of any computer” which may “impair the operation of any computer”, “prevent or hinder access to any program or data held in any computer” or “impair the operation of any such program or the reliability of any such data” ..

Malware is generally distributed unintentionally subsequent to its initial creation. Thus an ICP or an ISP would not be found criminally liable under either the Computer Fraud and Abuse Act or the Computer Misuse Act for most cases of dissemination ..”

What the Law Says about Distributing a Virus or Malware
Craig S Wright, InfoSec Island, 20 September 2011
https://www.infosecisland.com/blogview/16567-What-the-Law-Says-about-Distributing-a-Virus-or-Malware.html – last access 22 September 2011 – (Full article)

~

“.. The Japanese parliament has quietly passed legislation to make the creation or distribution of a virus or similar malware a criminal offense ..

the distribution of a virus created, for example, in the US, in Japan by a Japanese citizen, would come within the scope of the criminal law ..

what happens if the malware distribution takes place without the knowledge of the user of the computer, such as when a botnet is involved..

Legislators in Japan are less concerned about the semantics, however, as they say this is the country’s response to support the International Convention on Cybercrime, a treaty ratified by more than 30 countries and which mandates international co-operation in investigating crimes in cyberspace ..”

Creating or distributing malware in Japan is now a crime
InfoSecurity Magazine, 20 June 2011
http://www.infosecurity-magazine.com/view/18782/creating-or-distributing-malware-in-japan-is-now-a-crime/ – last access 22 September 2011 – (Full article)

/cobramark3


Skype for iPhone and iPod Touch: iOS Vulnerability allows comprimising the device address on reciveing a text message, just add JavaScript

Exploit in Skype on an iPhone or iPod touch, allows comprimise of your device’s address book simply by the attacker sending you a chat message. When the exploit code in the message is run, the victim’s iPhone will automatically make a new connection to a server, grabbing a larger payload, to execute and upload the iPhones entire address book file to the server.

“.. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you’ll have a fully-searchable copy of the victim’s address book.

.. failure by Skype to sanitize potentially dangerous JavaScript commands from the text that gets sent in chat messages ..

It’s already been 48 hours since this vulnerability was first documented, and the vulnerable app is still available in the iTunes Store. It will be interesting to see how long it takes Apple and Skype to close the gaping hole ..”

“Skype for iPhone makes stealing address books a snap”
Dan Goodin, Malware, The Register UK, 20 September 2011
http://www.theregister.co.uk/2011/09/20/skype_for_iphone_contact_theft/ – last access 21 September 2011 – ( Full Article )

/cobramark3


Forging memory, a new development in Malware Rootkits

Apart from Rootkits modifying and hiding; files, registries, processes.. from detection software, some often typically modify memory. Anti-rootkit tools inspect memory areas in attempts to identify modifications and flag.

A particular rootkit also modifies a memory location to prevent actual disk access by detection software. This technique is not new, however it is the first found in the Wild and being adopted by Malware authors.

“.. a new rootkit appeared that at first glance seemed more similar to initial variants of TDL3 than to the updated TDL4 variants we have seen this year. Like TDL3, it also parasitically infected a driver by inserting code in the resource directory of the PE file. In this case the name of the file it infected was hard-coded to volsnap.sys. Also similar to the early variants of TDL3, this rootkit also hooked some pointers in the dispatch table (IRP hook) of the driver below disk on the device stack of the hard disk.

But it was very interesting to see some of the anti-rootkit tools not showing the dispatch table hooks that are usually pretty straightforward to identify. Also this malware would not allow an external debugger (WinDbg) to break.

The reason for hooks not being reported was that the memory being read by the tools was not the actual memory ..”

“Memory Forging Attempt by a Rootkit”
Rachit Mathur, McAfee Blog Center, 21 April 2011
http://blogs.mcafee.com/mcafee-labs/memory-forging-attempt-by-a-rootkit – last access 8 June 2011 – ( Full Article )

/cobramark3


Stuxnet worm’s true origins ?

Interesting article on the possibile origins of Stuxnet… ?

“.. The worm, Stuxnet, is a Trojan horse said to have disabled Iran’s nuclear weapons program. The New York Times said late last year, “Meanwhile, the search for other clues in the Stuxnet program continues — and so do the theories about its origins.” The Times updated their take on January 15, 2011 calling Stuxnet, “the most sophisticated cyberweapon ever deployed…experts who have picked apart the computer worm describe it as far more complex — and ingenious — than anything they had imagined when it began circulating around the world, unexplained, in mid-2009 ..

– snip –

No one is looking back to a time in the mid-70s, when an obscure program called Promis first reared its head. Promis, according to sources, is at the root of Stuxnet. Promis was a computer program that promised to help US prosecutors track criminals and legal maneuverings through the system, “Prosecutor’s Management Information System.” The people-tracking software was later marketed by a firm named Inslaw, under the auspices of William Hamilton, a former NSA officer who still markets a version of the product today.

– snip –

By the late 1980s, Promis programs had been sold to Britain, Australia, South Korea and Canada. Allies harmless enough, right? But then up next was the KGB. There are multiple claims as to who sold Promis to the Russians. Several, including a source of mine, said it was newspaper mogul Robert Maxwell in assistance to Israel. Another acquaintance, former double agent David Dastych (Polish intell working for the CIA during the Cold War) said that an American intelligence officer admitted to him, “Yes, we gave Promis to the Russians and Chinese to back door their intell. Worked like a charm.” Both claims may overlap. In fact, the KGB is said to have used Promis for over 15 years. At first, there was nothing to suspect since malicious malware had not really been coined. Few back then understood the power of the computer, and so the Trojan horse entered the realms of international espionage, the microscopic spy ..”

Stuxnet worm’s true origins are exposed
PJ Wilcox, worldsecuritynetwork.com / greatreporter.com, 22 February 2011
http://greatreporter.com/mambo/content/view/2014/1/ – last access 3 March 2011 – ( Full Article )

~

Further to this article:

“.. So we start with a Windows dropper. The payload goes onto the gray box, damages the centrifuge, and the Iranian nuclear program is delayed — mission accomplished. That’s easy, huh? I want to tell you how we found that out. When we started our research on Stuxnet six months ago, it was completely unknown what the purpose of this thing was. The only thing that was known is very, very complex on the Windows part, the dropper part, used multiple zero-day vulnerabilities. And it seemed to want to do something with these gray boxes, these real-time control systems ..

this is a directed attack. It’s completely directed. The dropper is prowling actively on the gray box if a specific configuration is found, and even if the actual program that it’s trying to infect is actually running on that target. And if not, Stuxnet does nothing ..

And if you have heard that the dropper of Stuxnet is complex and high-tech, let me tell you this: the payload is rocket science. It’s way above everything that we have ever seen before. Here you see a sample of this actual attack code. We are talking about — round about 15,000 lines of code. Looks pretty much like old-style assembly language ..

The big digital warhead — we had a shot at this by looking very closely at data and data structures. So for example, the number 164 really stands out in that code; you can’t overlook it. I started to research scientific literature on how these centrifuges are actually built in Natanz and found they are structured in what is called a cascade, and each cascade holds 164 centrifuges. So that made sense, it was a match ..

And it even got better. These centrifuges in Iran are subdivided into 15, what is called, stages. And guess what we found in the attack code? An almost identical structure ..

This attack is generic. It doesn’t have anything to do, in specifics, with centrifuges, with uranium enrichment. So it would work as well, for example, in a power plant or in an automobile factory. It is generic. And you don’t have — as an attacker — you don’t have to deliver this payload by a USB stick, as we saw it in the case of Stuxnet. You could also use conventional worm technology for spreading. Just spread it as wide as possible. And if you do that, what you end up with is a cyber weapon of mass destruction. That’s the consequence that we have to face. So unfortunately, the biggest number of targets for such attacks are not in the Middle East. They’re in the United States and Europe and in Japan. So all of the green areas, these are your target-rich environments ..

My opinion is that the Mossad is involved, but that the leading force is not Israel. So the leading force behind that is the cyber superpower. There is only one, and that’s the United States — fortunately, fortunately. Because otherwise, our problems would even be bigger ..”

Cracking Stuxnet, a 21st-century cyber weapon
Ralph Langner, TED2011, March 2011
http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html – Full Talk

\cobramark3