Malware

SPOTLIGHT ON SECURITY

Stuxnet Is Dead, Long Live Stuxnet

Those who follow the exploits of Stuxnet will remember June 24, 2012, as Big Sleep day for the infamous malware. On that day, it stopped replicating.

“It’s more like neutered, rather than dead,” Eric Byres, CTO and vice president for engineering at Tofino Security Products, told TechNewsWorld. “The June 24 date stops it from replicating, but if it has infected your uranium centrifuge, it will still be doing its destructive work in the PLCs and the drive controllers.

“Stuxnet was pretty much dead as a spreading worm a month after it was discovered,” he added. “Every antivirus company worth its salt had Stuxnet detection signatures out quickly. It was a worm designed to never be found in the first place. Once it was uncovered, it was defenseless.”

On the 24th, which happens to be the seventh anniversary of Mahmoud Ahmadinejad’s election as president of Iran, Iranian officials declared that Stuxnet was a failure, an assessment not shared by everyone.

“Stuxnet wasn’t a failure,” John Bumgarner, CTO of the U.S. Cyber Consequences Unit, told TechNewsWorld. “Stuxnet was able to continuously penetrate a supposedly impenetrable network and sabotage highly critical equipment used by the Iranians to enrich uranium, which could be used to build a nuclear weapon.”

The Stuxnet story doesn’t end in Iran, added Dan Brown, a senior researcher with Bit9. “There is collateral damage and unintended consequences,” he told TechNewsWorld. “Cyberweapons that come to light are inevitably repurposed in ways not anticipated by their creators.”

And while the malware may not be replicating, its code is destined to live on. “It will live on as a zombie since it provides a blueprint for highly sophisticated attacks that can now be copied reliably,” Ralph Langner of Langner Communications, who is credited with discovering Stuxnet, told TechNewsWorld.

“It would be foolish to assume that the usual suspects — anywhere from China to North Korea — would let such an opportunity to dissect and reuse components of the superweapon pass,” he added.

Turn Off the Lights, DNSChanger Is Over

More than 300,000 computers may lose their Internet connections Monday as the FBI turns off the command and control proxy servers it’s been running for the DNSChanger botnet since November.

The malware planted on the zombie computers in the botnet redirects their DNS searches. DNS is used to convert a Web address like Google.com into an IP address like 64.233.167.10. The malware intercepts your request to go to Google, sends you briefly someplace else, then sends you where you wanted to go in the first place.

Why the diversion? Typically it’s to perpetrate “click fraud”– collecting money for sending traffic to a website. It was quite a lucrative business for DNSChanger’s authors. It’s estimated that they cleared some US$15.4 million before law enforcement cracked down on them.

Once the FBI seized the botnet’s main server, though, they didn’t want to shut it down because that would mean thousands of computers wouldn’t be able to find their way on the Internet. However, all good things must come to an end, so on Monday the FBI is cutting the cord, even though 12 percent of the companies on the Fortune 500 and 4 percent of major government agencies still have the botnet malware on some of their computers.

Android Botnet

Is it a botnet or some clever spoofing?

That was the question botnet fighters tried to answer after Microsoft security hotshot Terry Zink claimed to have found evidence of a spam-spewing botnet made up of Android phones and using Yahoo mail as a conduit for their electronic junk.

“We’ve all heard the rumors, but this is the first time I have seen it — a spammer has control of a botnet that lives on Android devices,” he wrote in his security blog. “These devices login to the user’s Yahoo Mail account and send spam.”

However, the custodian of Android, Google, cast doubt on Zink’s findings. It issued a statement asserting that the spam mails analyzed by Zink were actually created by desktop malware and their headers spoofed to appear to have originated from a mobile device in order to slip by an email system’s anti-spam defenses.

While acknowledging that nothing definitive about the botnet can be determined until the malware creating it can be captured, Chester Wisniewski of Sophos discounted Google’s spoofing theory. “While it is true in traditional email transactions that headers can be forged, I am not aware of any method to do this using Yahoo’s API or Web interfaces,” he wrote in the company’s Naked Security blog.

Breach Diary

  • June 28: Strategic Forecasting (Stratfor) settled a class action lawsuit resulting from a cyberattack on the company by Anonymous that exposed on the Internet hundreds of thousands of email addresses and thousands of credit card numbers, including information on high-profile figures such as former U.S. Vice President Dan Quayle, former Secretary of State Henry Kissinger and former CIA Director James Woolsey. The settlement, plus attorneys and court fees, will cost the firm more than $2.1 million.
  • July 5: UK regulators fined Welcome Financial Services $232,620 for a data breach last November in which half a million customer records were lost and never recovered from two backup tapes. The fine was one of just a handful levied against private companies for information law violations.
  • July 5: A Freedom of Information Request revealed that Stephen McCartney, now Google’s privacy policy manager in the United Kingdom, held a senior position with the country’s data privacy watchdog agency, the Information Commissioner’s Office (ICO), while that agency was investigating Google Street View for breaching the privacy of UK citizens. The ICO said McCartney played no part in the Google probe. Documents in the request also revealed that McCartney corresponded with ICO officials about the investigation after assuming his position at Google.
  • July 5: Vancouver, BC-based BCIT issued a warning to students that a server containing personal information of more than 12,680 students was hacked. It appears that the intruder used the server to upload and download movies and not to compromise any of the information on the server, the school said.
  • July 5: Geoff Huston, chief scientist of the Asia-Pacific Network Information Center and a former employee of telecommunications company Telstra, accused Telstra of violating Australian law by sending URLs of sites visited by its smartphone users to a third party through a new Web filtering product.
  • July 6: Canada-based BC Hydro warned customers who paid their utility bills online by credit card in June to watch their credit card statements for fraudulent charges. It said that security breach involving improperly encrypted credit card numbers occurred in June, although it has not discovered any breach of customer information to date.

Calendar

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Malware

Technewsworld Channels