
Wednesday, February 16, 2011

Ghostnet, Stuxnet, What next ??

I recently attended the 18th NDSS conference in San Diego from Feb 6-9, 2011, which was keynoted by Liam O'Murchu, a Stuxnet expert from Symantec. Though the technical details about Stuxnet have been available for a long time, I found the talk exciting for the larger lessons that were shared from the whole episode. Below is a mix of notes from the talk and my ramblings. Warning: experts on this topic may find it boring!

By Symantec's own admission, Stuxnet is probably the most complex targeted threat seen to date. It contains seven methods to propagate:

  1. Using USB drives, which contained a rootkit exploiting a vulnerability in Windows Explorer's handling of .LNK files.
  2. By exploiting a print spooler vulnerability.
  3. By exploiting MS08-067, which allowed remote code execution on a vulnerable Windows 2000, XP or 2003 server by sending a specially crafted RPC request.
  4. Spreading via network shares.
  5. Using P2P sharing for updating itself and for communication between different infected machines on a network.
  6. By exploiting hard-coded passwords in WinCC (Siemens software for SCADA process visualization).
  7. Spreading via Step 7 projects (Step 7 being the IDE used for programming PLCs).

In essence, Stuxnet used 4 zero-day exploits, 1 known exploit, 3 rootkits, and 2 compromised certificates (from JMicron and Realtek semiconductors) to sign the rootkits. 


Stuxnet is not a 'yet-another-worm' that randomly goes about accumulating vulnerable machines for spam/DDoS gains or brownie points for its perpetrators. Its highly targeted nature - targeting specific uranium enrichment facilities in Iran - suggests a focused military-style operation involving (a) extensive and careful intelligence gathering and planning, (b) a structured software design and development cycle and (c) an extensive test cycle involving various hardware and software. In addition, Stuxnet's highly configurable architecture (~430 different settings) gives its controllers incredible control and precision over its lethality and spread. Apart from its technical sophistication, Stuxnet convincingly demonstrates the oft-quoted "threat from targeted attacks" and acts as the quintessential bellwether of times ahead. While its predecessors, like the Chinese cyber-espionage network Ghostnet, brought to light the new face of remote-controlled espionage in the 21st century, Stuxnet ups the ante many notches by demonstrating the lethal potential of targeted cyber-power.

Stuxnet is the first known malware to target control systems hardware (PLCs). PLCs (Programmable Logic Controllers) are critical elements in industrial automation and are traditionally programmed from a Windows control PC which is air-gapped, i.e. disconnected from any network, for security. In my opinion, Stuxnet's big achievement was in bridging the air-gap.

The key to Stuxnet's success lay in the detailed understanding of its target gathered during the intelligence-gathering phase. Stuxnet had a clear understanding of (a) the PLCs being used (Siemens S7-300, S7-400), (b) the detailed configuration within the PLCs controlling the uranium enrichment, and (c) the software development environment (Step 7 from Siemens) and the methodology used for developing and deploying code.

It is believed that Stuxnet was delivered initially via USB to a small number of industrial process control companies connected to the uranium enrichment plant. Contractors from such companies write the actual PLC programs (as Step 7 projects) on workstations connected to the corporate LAN. Stuxnet thus spread, using zero-day network exploits, to as many LAN workstations as possible. Workstations containing Step 7 were then infected by hiding a DLL (containing the PLC rootkit) in a Step 7 project such that the DLL got loaded as soon as the project was opened. Stuxnet then relied on the Step 7 project zip file being transferred across the air-gap to a Windows control PC via removable media like USB. Once on the control PC, Stuxnet modified the PLC as necessary, making sure to hide its modifications.

There were 100k infections reported worldwide, with more than 60% coming from Iran. It is believed that infections outside Iran were not intentional and probably spread due to infected Step 7 projects shared between contractors in various countries. Additionally, the zero-day .LNK vulnerability proved widely successful. It is believed that Stuxnet managed to finally infect the Natanz and Bushehr plants in Iran and there was a reported shutdown of Natanz. An IAEA report states that 1000 centrifuges in Natanz were offline in Nov 2009, which is close to the type of PLC configuration that Stuxnet was targeting.

Stuxnet raises the bar for security professionals and system architects by derailing the commonly held belief that air-gapping critical systems provides extraordinary security. My personal opinion is that Stuxnet, in some way, only reinforces what Albert Einstein famously quipped: "Every day, man is making bigger and better fool-proof things, and every day, nature is making bigger and better fools. So far, I think nature is winning". The lesson for security professionals is thus simple: air-gaps don't exist! There will be a human (read: fool) bridging the gap.

With the world racing towards making things 'smart', from smart washing-machines to smart power grids, one really wonders whether all this 'smartness' will end up making us look dumber than ever. The landscape seems to be shifting faster than we can grasp it.


The last decade has already witnessed the rise of politically motivated cyber attacks like Titan Rain (2003-2005), the DDoS attacks on Estonia (May 2007), the DDoS attacks on Georgia (August 2008), the Chinese cyber-espionage network Ghostnet (May 2009), Operation Aurora (Dec 2009-Jan 2010), Stuxnet (July 2010) and Operation Payback (Dec 2010). The question is: what next?

Saturday, August 23, 2008

When will people learn ?

Airtel (one of India's leading cell phone providers) has recently tied up with Apple to offer the iPhone 3G in the Indian market. Everything is good, but is the following sort of sales pitch necessary to sell iPhones? Airtel is quoted here as saying:

"even the most deadly hackers on the planet won't be able to crack the
codes that support the iPhone's Airtel applications with rival company
SIMs."

My question is: WHY? Even if you really have provided tamper-proof security, throwing an open challenge to the highly skilled and distributed hacker workforce on the internet is nothing short of the proverbial "hitting the axe on your own leg". Such stunts may be good for testing your products before entering the market, but not once the products are already out there. Such stupidity has surely attracted the bees and it's just a matter of time before the bees sting.

Thursday, August 21, 2008

Return gifts from an internet cafe

Today, I was at an internet cafe to get a printout, as my old printer had died its natural death. As usual, the cafe was running Windows XP machines in administrator mode. I never like the look of a Windows machine running in administrator mode in a public place and I was quite sure that it was already pwned. Nevertheless, I plugged in my USB drive, which contained just the file I wanted to print. After a few seconds, my drive was detected and I could print the file I wanted. All was well and good.

Then I took the drive home and plugged it back into my laptop, which fortunately runs Ubuntu. Lo and behold, my drive now had three return gifts from the internet cafe. A quick antivirus scan of the files revealed the following:

neoblitz@n30:/tmp$ clamscan /media/PKBACK#\ 001/*
/media/PKBACK# 001/1.jpg: OK
/media/PKBACK# 001/2.jpg: OK
/media/PKBACK# 001/autorun.inf: OK
/media/PKBACK# 001/New Folder .exe: Trojan.Autoit.gen FOUND
/media/PKBACK# 001/regsvr.exe: Trojan.Autoit.gen FOUND

----------- SCAN SUMMARY -----------
Known viruses: 396428
Engine version: 0.92.1
Scanned directories: 0
Scanned files: 6
Infected files: 2
Data scanned: 1.57 MB
Time: 6.231 sec (0 m 6 s)

As you can see, I had 2 trojan binaries and an autorun.inf which pointed to those binaries. For people who didn't realize, this is a worm which uses an unsuspecting user to physically propagate it from machine to machine.
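To make the mechanism concrete, here is an added example (my own code, not part of the original post) that does what a careful user would do before double-clicking anything on a stick that came back from a public PC: it parses autorun.inf, lists the programs it would launch, checks whether those programs are actually sitting on the drive, and flags executables whose names imitate folders or documents. The autorun.inf contents are constructed for the example; the file names are the ones from the clamscan listing above.

```python
import configparser
import os

# Constructed sample autorun.inf, shaped like the kind of file the scan above
# reports (not the real file from the drive). The shell\<verb>\command keys are
# what Windows ran when the user opened or explored the drive; open= is what
# AutoPlay offered to run on insertion.
SAMPLE_AUTORUN = """[autorun]
open=regsvr.exe
shell\\open\\Command=regsvr.exe
shell\\explore\\Command=regsvr.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Files on the sample drive, copied from the clamscan listing in the post.
SAMPLE_FILES = ["1.jpg", "2.jpg", "autorun.inf", "New Folder .exe", "regsvr.exe"]

EXEC_KEYS = ("open", "shellexecute")
EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Return the (key, value) pairs of the [autorun] section, keys lower-cased."""
    # interpolation=None keeps %SystemRoot% literal; strict=False tolerates
    # duplicate keys, which hand-written autorun files often have.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("autorun"):
        return []
    return list(parser.items("autorun"))


def launch_targets(pairs):
    """Programs autorun would execute: open=, shellexecute=, shell\\<verb>\\command=."""
    targets = []
    for key, value in pairs:
        if key in EXEC_KEYS or key.endswith("\\command"):
            parts = value.strip().split()
            if parts:                       # first token is the program; args dropped
                targets.append(parts[0].strip('"'))
    return targets


def autorun_findings(autorun_text, files_on_drive):
    """Launch targets that resolve to an executable actually present on the media."""
    present = {f.lower() for f in files_on_drive}
    hits = {t.lower() for t in launch_targets(parse_autorun(autorun_text))
            if t.lower().endswith(EXECUTABLE_EXTS) and t.lower() in present}
    return sorted(hits)


def disguised_executables(files_on_drive):
    """Executables named to look like folders or documents ('New Folder .exe',
    'photo.jpg.exe'): the lure that gets a user to double-click the payload."""
    found = []
    for name in files_on_drive:
        lower = name.lower()
        if lower.endswith(EXECUTABLE_EXTS):
            stem = lower.rsplit(".", 1)[0]
            if stem != stem.rstrip() or "." in stem:
                found.append(name)
    return sorted(found)


def inspect_drive(root):
    """Run both checks against a mounted drive root (for use on a real stick)."""
    files = os.listdir(root)
    inf = os.path.join(root, "autorun.inf")
    text = ""
    if os.path.exists(inf):
        with open(inf, encoding="latin-1", errors="replace") as fh:
            text = fh.read()
    return {"autorun": autorun_findings(text, files),
            "lures": disguised_executables(files)}


if __name__ == "__main__":
    print(autorun_findings(SAMPLE_AUTORUN, SAMPLE_FILES))   # ['regsvr.exe']
    print(disguised_executables(SAMPLE_FILES))              # ['New Folder .exe']
```

The two checks cover the two ways this worm gets executed: AutoPlay or the drive's context menu running the autorun target, and a user clicking a file that looks like a folder. Run `inspect_drive("/media/<mount>")` from a Linux box, as in the post, where nothing on the stick executes on its own.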

It makes me wonder how many unsuspecting folks have been infected by this. Also, the public machine itself is probably part of some botnet and has all types of exotic malware already installed, sniffing passwords and recording the transactions of unsuspecting users. Phew!

So the moral of the story is two-fold:
  • Do NOT trust public machines. Avoid using them for electronic transactions with your credit card, logging in to your email accounts with your username/password, and so on and so forth.
  • If you run as administrator, then very likely you are not the only administrator :)
I will publish results of analysis of the binaries in the next post soon.

Sunday, July 27, 2008

Sound bites could now play the devil's tune!

The next time you want to download your favorite song (illegally, of course :)) from a P2P network or some illegal site, think twice. The latest in malware infection has just been found. According to this report from Kaspersky Lab, there is now a worm that infects your .mp3 files.

From the report, the workings of this worm are as follows:

The worm, which was named Worm.Win32.GetCodec.a, converts mp3 files to the Windows Media Audio (WMA) format (without changing the .mp3 extension) and adds a marker with a link to an infected web page to the converted files. The marker is activated automatically during file playback. It opens an infected page in Internet Explorer where the user is asked to download and install a file which, according to the website, is a codec. If the user agrees to install the file, a Trojan known as Trojan-Proxy.Win32.Agent.arp is downloaded to the computer, giving cybercriminals control of the victim PC.

You can get infected directly by the worm or via an already-infected mp3 file downloaded from some malicious site or P2P share. The simple precautions to take against this type of infection are the age-old and time-tested ones:

  1. Never run as administrator on your computer. I repeatedly keep hearing that it's insane not to be administrator on your own machine. Please note that if you run as administrator of your own machine, then there is probably another administrator of your machine :). This simple precaution can help mitigate tons of security issues and make attacking your system that much more difficult.

  2. Do not install stuff from websites that you do not know or trust, i.e. do not randomly click install buttons unless you are absolutely sure.

  3. If you are really crazy about P2P downloading, as if your life depends on it, then try using a VMware virtual machine to download stuff. This way, in the event of a compromise, at least your critical data residing on your real system is protected.
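The report above describes the trick precisely: the file keeps its .mp3 name but is really a Windows Media (ASF) container, and the "marker" is an ASF script command carrying a URL. A file extension is not a file format, so the check that actually catches this is to look at the bytes. Here is an added example (my own code, not from the post or from Kaspersky) that identifies a file's real container from its leading bytes and flags .mp3 files that are actually ASF, separately noting whether a script command object is present. The GUID byte values are taken from my reading of the ASF specification; the sample files are constructed and contain no real malware.

```python
import os

# On-disk (little-endian) bytes of the ASF header object GUID
# 75B22630-668E-11CF-A6D9-00AA0062CE6C: the first 16 bytes of every WMA/WMV file.
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")
# ASF script command object GUID 1EFB1A30-0B62-11D0-A39B-00A0C90348F6: the object
# that can carry a URL the player acts on during playback (value as I read it
# from the ASF spec; verify against the spec before relying on it).
ASF_SCRIPT_COMMAND_GUID = bytes.fromhex("301AFB1E620BD011A39B00A0C90348F6")


def classify_audio(data):
    """Container type from the leading bytes: 'asf', 'mp3' or 'unknown'."""
    if data[:16] == ASF_HEADER_GUID:
        return "asf"
    if data[:3] == b"ID3":
        return "mp3"                      # ID3v2 tag preceding the MPEG frames
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"                      # raw MPEG audio frame sync: 11 set bits
    return "unknown"


def has_script_command(data):
    """True if an ASF script command object GUID appears in the scanned bytes."""
    return ASF_SCRIPT_COMMAND_GUID in data


def mislabelled_mp3(name, data):
    """Finding for a file named .mp3 whose contents are an ASF container,
    or None when the name and the bytes agree."""
    ext = os.path.splitext(name)[1].lower()
    if ext != ".mp3" or classify_audio(data) != "asf":
        return None
    return "asf-with-script-command" if has_script_command(data) else "asf"


def scan(files):
    """files: {name: leading bytes}. Returns {name: finding} for mislabelled files."""
    findings = {}
    for name, data in files.items():
        finding = mislabelled_mp3(name, data)
        if finding:
            findings[name] = finding
    return findings


def scan_directory(root, head=64 * 1024):
    """The same check over real files, reading only the first `head` bytes of each."""
    files = {}
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                files[name] = fh.read(head)
    return scan(files)


# Constructed samples: a genuine ID3-tagged MP3, an ASF file wearing an .mp3
# name, one that additionally contains a script command object, and an honest
# .wma. None of this is real content; only the headers matter for the check.
SAMPLES = {
    "song.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 32,
    "hit.mp3": ASF_HEADER_GUID + b"\x00" * 32,
    "free.mp3": ASF_HEADER_GUID + b"\x00" * 16 + ASF_SCRIPT_COMMAND_GUID + b"\x00" * 16,
    "clip.wma": ASF_HEADER_GUID + b"\x00" * 32,
}

if __name__ == "__main__":
    print(scan(SAMPLES))   # {'hit.mp3': 'asf', 'free.mp3': 'asf-with-script-command'}
```

Point `scan_directory` at a download folder to get the list of files whose name lies about their format. The script command check only reads the first 64 KB, which is enough for the header section where these objects live; a player that honours script commands will follow the URL regardless of the file's extension, so the "codec" prompt the report describes comes from the container, not from the name.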

Thursday, July 24, 2008

Testing your DNS servers for CERT VU#800113 (or Dan Kaminsky's bug)

Here are 2 pointers to diagnostic tools for testing your DNS server against Dan Kaminsky's vulnerability (CERT VU#800113). Please note that these tools use a very simple test and may not be enough to provide a foolproof assessment of the strength of your DNS server.

[Update] There is also a simple command-line test from the same folks at DNS-OARC. Just fire the following command from a command line (of course you need to have dig installed):
dig +short porttest.dns-oarc.net TXT
The first tool gives really cool output. Sample shown below. If you see GREAT in the output, it means you are OK against the bug (as far as the tool is concerned).


"Kaminsky's DNS bug" drama

If you are reading this article and are interested in computer security, then you may already know about the blockbuster DNS bug and the whole drama around it. To cut a long story short, a major bug in the DNS protocol was discovered around 6 months ago by Dan Kaminsky. Described simply, the bug makes DNS cache-poisoning attacks a walk in the park (details here). Kaminsky, being a white-hat researcher, responsibly informed all DNS vendors about the bug and wanted to make sure that all the DNS server implementations were patched before he disclosed the bug to the world at Blackhat '08. But Kaminsky chose to address a press conference a month before the disclosure and hinted at the existence of the bug without giving all the details. This caused a furore in the community about Kaminsky's claims, but he managed to convince people (Thomas Ptacek of Matasano Chargen in particular) off-line about the importance of the bug by confiding the details to them, and encouraged ISPs to patch the bug as fast as they could before Blackhat. Thomas Ptacek, realizing his mistake, immediately changed his pitch and started encouraging people to patch as soon as they could.

All was supposedly well until Halvar Flake made an almost-right guess at the bug. This somehow caused panic at Matasano Chargen and they released the full details of the bug before hurriedly pulling back the post. Of course, with feed readers around the world caching the blog, pulling back the post did not do any real good and, in their own words, "the cat was out of the bag" for sure now. Dan Kaminsky diplomatically handled the disclosures and is now encouraging people to patch the bug as fast as they can. Unfortunately, the disclosure of the details has already resulted in sample exploits for Metasploit coming out by the end of the day. Thomas Ptacek, of course, has now posted an apology on his blog!

Now, one can blame Halvar Flake and Thomas Ptacek for disclosing the bug. One can also blame Thomas Ptacek for breaking Dan Kaminsky's trust. But if you are a security researcher, you know very well that you may not be the first one to discover a bug. Blackhats, aka evil hackers, don't care about disclosing the bugs they find. They just use them! So I believe that these disclosures may at least force lazy ISPs to patch their systems sooner. Whether that will really happen remains to be seen. My guess is that in spite of all this drama, there will be DNS servers which will never get patched and will be sitting ducks ready to be exploited. It will be interesting to see if hackers are able to capitalize on this bug and use it for real damage.

If you want to test your DNS server's resilience to this attack, you can use the small "Check my DNS" widget on Dan Kaminsky's site (www.doxpara.com). It may be interesting to note that djbdns is not affected by this bug because of its sound design. Read Bruce Schneier's article for his praise of its design and of the importance of thinking about security during development and not as an add-on.
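Both the porttest TXT record mentioned in the post above and the "Check my DNS" widget rate the same thing: whether the resolver's outgoing UDP source port is random or predictable, since that is what decides how many bits an attacker has to guess beyond the 16-bit transaction ID (the reason djbdns was never affected). The following is an added example, my own code and not DNS-OARC's or Kaminsky's, that applies such a rating to a list of observed source ports (which you could collect with a packet capture of your resolver's outbound queries) and turns the guess space into a blind-spoofing success probability. The POOR/FAIR/GREAT thresholds are my own assumptions, chosen for illustration; the observation sets are constructed, not captured.

```python
import math
import statistics

TXID_BITS = 16   # the transaction ID is the only entropy a fixed-port resolver has


def port_entropy_bits(ports):
    """Rough lower bound on source-port entropy: log2 of the distinct ports seen.
    Bounded by the sample size, so 20 observations can show at most ~4.3 bits."""
    return math.log2(len(set(ports)))


def spoof_success_probability(attempts, port_bits):
    """Chance that `attempts` blind forged replies match both TXID and port before
    the genuine answer arrives, treating both as uniformly random (an upper bound
    on what the guess space alone buys the defender)."""
    return min(1.0, attempts / 2 ** (TXID_BITS + port_bits))


def assess_source_ports(ports):
    """Heuristic rating of a resolver's source-port randomisation from observed
    UDP source ports, in the spirit of the porttest verdicts. Thresholds are this
    example's own, not DNS-OARC's."""
    if len(ports) < 10:
        raise ValueError("need at least 10 observations")
    if len(set(ports)) == 1:
        return "POOR"          # fixed port: only the 16-bit TXID stands in the way
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:
        return "POOR"          # constant increment: the next port is predictable
    if statistics.pstdev(ports) < 1000 or len(set(ports)) < 0.8 * len(ports):
        return "FAIR"          # randomised but over a narrow range, or repeating
    return "GREAT"


# Constructed observation sets (no live resolver was queried): a fixed port, a
# sequentially allocated port, and a widely spread pseudo-random sequence.
FIXED_PORTS = [53] * 20
SEQUENTIAL_PORTS = list(range(40000, 40020))
RANDOM_PORTS = [1025 + (i * 40503) % 64511 for i in range(20)]

if __name__ == "__main__":
    for label, sample in (("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                          ("random", RANDOM_PORTS)):
        print(label, assess_source_ports(sample), round(port_entropy_bits(sample), 2))
    # 65536 forged replies against a fixed port are a certainty; against 16 bits of
    # port randomisation the same burst has a 1-in-65536 chance.
    print(spoof_success_probability(65536, 0), spoof_success_probability(65536, 16))
```

The entropy estimate is deliberately conservative: it only counts what the sample proves, so treat a small sample's figure as a floor. What matters for the patch discussion in the post is the shape of the rating function, not the thresholds: a fixed or counting source port collapses the attacker's search to the TXID alone, which is why the fix everyone was told to deploy was port randomisation rather than a change to the protocol.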

Thursday, June 19, 2008

Surfing in a hostile world!

To get a hostile view of the world we surf in, here are a few statistics about all the present-day malware forms coexisting with us.

A few highlights (as of today):
  1. There are around 3000 botnet command and control servers active at any time in the day.
  2. There are around 100K bot machines (using a 30-day age value for each bot).
  3. The US has around 4500 bot C&Cs (the largest in the world). Interesting to see that China is way down the list with only 115.
  4. There were around 3.5 million unique malware binaries seen in October 2007, with the number of unique binaries being at least 1 million every month ever since.
  5. The 0-day detection stats for antivirus vendors are very interesting. Out of the 68000 samples of new malware that were tested against well-known vendors in the last 24 hours, the really well-known ones like Kaspersky, McAfee etc. were able to detect only 70% of them, while AntiVir detected around 98% of them. Curiously, Symantec is not on the list.

These statistics are from Shadowserver. Shadowserver's statistics are generally considered very reliable in the security community. It is not clear to me what percentage of the address range they monitor, but the stats are nevertheless very revealing.

Saturday, May 24, 2008

Security is all about breaking assumptions!


Anyone with a slight understanding of security would appreciate the fact that security is all about breaking assumptions. Any system is always built with certain assumptions because otherwise the system requirements will tend to be infinite. Hackers always target the assumptions to break the system. It thus becomes very important for system and process designers to be very careful about the assumptions they make for their system. I believe that systems which stand the test of time are the ones that have their assumptions clearly laid out and which provide their users a clear understanding of the strengths and weaknesses of the system.

While one may say that the above is clearly very logical and there is nothing surprising about it, reality indicates that not many get this simple axiom right. But there seems to be a paradoxical situation here. I said that a system cannot be built without assumptions and also that security is all about breaking assumptions. That would imply that there is no such thing as 100% secure! And as it turns out, that is precisely the point.
Vendors who claim that their products provide 100% security or are 100% secure are essentially trying to fool the customers, or maybe even themselves.

A case in point: there was a very recent incident in the US involving the company LifeLock (read this). LifeLock is a company which guarantees protection against identity theft. In fact, its CEO advertises his own Social Security Number on the website and claims that their service guarantees complete protection against identity theft. They do this by setting fraud alerts at the three major credit bureaus, namely Experian, TransUnion and Equifax. They thought that by doing this, anyone who tries to use an SSN not belonging to himself will get caught. But they made a very, very big assumption here: that outfits like credit card companies, banks etc. will always run a credit check before activating services for an individual. Guess what! They were proved wrong in a really stupid way. Someone stole the CEO's own identity from his website and took a $500 loan in the CEO's name. The reason the fraud alerts did not get tripped was that the loan company did not bother to run a credit check at all!

The take-home message from this post is thus two-fold:
  1. If you are a customer, carefully evaluate the security assumptions yourself without getting sold on the vendor's advertising.
  2. If you are a vendor, make sure that all your assumptions are clearly stated and avoid hidden ones.

Saturday, May 3, 2008

30th Anniversary of SPAM

As per this BBC news article, 3rd May 2008 is the 30th anniversary of email spam. The first spam message was sent to 400 users on the ARPANET by a DEC employee on 3rd May 1978. But this was not yet the beginning of the commercial spam era. It was only in April 1994 that a group of immigration lawyers sent the first commercial spam message to more than 6000 USENET discussion groups, thus spawning a new rogue business model using the internet.

Saturday, February 23, 2008

Google Scanner from cDc

The Cult of the Dead Cow (cDc) has released Goolag, a Google scanner for searching for website vulnerabilities and other juicy information using Google. The scanner is based on the Google hacking techniques developed by Johnny Long. The tool comes with its own dork database and helps in scanning fast.

As defined by Johnny Long in his hacking database, googledorks are "inept or foolish people as revealed by Google".

Technically, dorks are search patterns that reveal sites with potential vulnerabilities. Check the hacking database for the extensive list of dorks. These search patterns are not specific to Google; it's just that they are more effective with Google because of its vast index.

An example dork from the hacking database is "intitle:admin intitle:login", which gives admin login pages. Now, the existence of this page does not necessarily mean a server is vulnerable, but it sure is handy to let Google do the discovering for you, no? Let's face it, if you're trying to hack into a web server, this is one of the more obvious places to poke.

Thursday, January 31, 2008

MS08-001 Proof-Of-Concept Exploit


Check out this cool proof-of-concept exploit developed by immunitysec for the IGMPv3 vulnerability (MS08-001).

http://immunityinc.com/documentation/ms08_001.html


The tool being used is their flagship Canvas product.

Saturday, December 29, 2007

Microsoft's New Security Vulnerability Research and Defense blog

This is good news from Microsoft! M$ has a new blog for disclosing otherwise confidential technical information about their vulnerabilities.

From their website at http://blogs.technet.com/swi/default.aspx:
"We are excited to have this outlet to share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities. ... We expect to post every “patch Tuesday” with technical information about the vulnerabilities being fixed. During our vulnerability research, we discover a lot of interesting technical information. We’re going to share as much of that information as possible here because we believe that helping you understand vulnerabilities, workarounds, and mitigations will help you more effectively secure your organization."

We'll have to wait and watch what this yields!


