Archive for November, 2010

Symantec has finally understood Stuxnet

Posted in IT Security on November 21, 2010 by cobra

Security firm Symantec says it has discovered that the Stuxnet worm targeted specific motors used, for instance, in uranium enrichment processes. With the support of a Dutch Profibus expert, Symantec says, in a blog posting, that it has now managed to fully interpret the purpose of the Stuxnet code. Apparently, Stuxnet is designed to manipulate frequency converters which determine motor speed.

Symantec’s findings indicate that Stuxnet targeted industrial plants with a specific combination of components and characteristics: the target computer must have an S7-300 type CPU and be configured to control up to six CP-342-5 type Profibus communications modules, each of which can connect to up to 31 frequency converters. Symantec said Stuxnet only attacks converter drives made by two specific vendors, one in Finland and the other in the Iranian capital, Tehran. The malware reportedly requires the frequency converter drives to be operating between 807 Hz and 1210 Hz. By changing the output frequency, and with it the working speed, of the motors for short intervals over a period of months, Stuxnet reportedly sabotages the industrial control process the motors are used for.
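As an added defender-side example (not from the article or from Symantec’s analysis), the following Python sketch checks whether a drive’s setpoint falls in the 807–1210 Hz band the findings describe and scans frequency telemetry for the kind of brief departures from the normal setpoint that the article says Stuxnet induced. The telemetry samples, the 20 Hz tolerance and the 600 s duration threshold are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from statistics import median

# Operating band named in the Symantec findings quoted above.
TARGET_BAND_HZ = (807.0, 1210.0)

@dataclass(frozen=True)
class Sample:
    t: int      # seconds since the start of the log
    hz: float   # output frequency reported for the drive

def in_target_band(hz: float) -> bool:
    """True if a drive's setpoint falls in the band the payload looked for."""
    lo, hi = TARGET_BAND_HZ
    return lo <= hz <= hi

def find_excursions(samples, tolerance_hz=20.0, max_duration_s=600):
    """Return (start_t, end_t, peak_hz) for each run of samples that departs
    from the median setpoint by more than tolerance_hz and lasts no longer
    than max_duration_s. Longer runs are treated as deliberate setpoint
    changes, not excursions."""
    if not samples:
        return []
    baseline = median(s.hz for s in samples)
    excursions, run = [], []
    for s in list(samples) + [None]:          # trailing None flushes the last run
        if s is not None and abs(s.hz - baseline) > tolerance_hz:
            run.append(s)
            continue
        if run:
            start, end = run[0].t, run[-1].t
            if end - start <= max_duration_s:
                peak = max(run, key=lambda x: abs(x.hz - baseline)).hz
                excursions.append((start, end, peak))
            run = []
    return excursions

# Constructed telemetry (not real plant data): a drive steady near 1064 Hz,
# with two brief departures that a monitor should surface for review.
TELEMETRY = [Sample(t, hz) for t, hz in zip(range(0, 600, 50), [
    1064, 1065, 1064, 1300, 1310, 1064, 1063, 1064, 300, 1064, 1065, 1064])]

if __name__ == "__main__":
    base = median(s.hz for s in TELEMETRY)
    print(f"baseline {base:.0f} Hz, in target band: {in_target_band(base)}")
    for start, end, peak in find_excursions(TELEMETRY):
        print(f"excursion t={start}..{end}s peak {peak:.0f} Hz")
```

Because the baseline is the median of the whole log, a few short excursions do not shift it; a monitor that reads the frequency independently of the controller is what gives this check its value.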

(Please click here to read the full article on Stuxnet)


Carberp: Quietly replacing Zeus as financial malware of choice

Posted in IT Security on November 5, 2010 by cobra

What is financial malware?
Automated Clearing House (ACH) transactions and Electronic Fund Transfers (EFT) are the main focus of financial malware. The malcode tries to steal login and accounting information, allowing it to transfer the victim’s money to bank accounts of the attacker’s choice through the use of EFT.

Security experts focused on financial malware explain there are two types of attacks.

[Please read about the two types of financial malware attacks below before reading the full report on the making of Carberp (new financial malware). It will give you a better understanding of what financial malware is all about.]

General attacks: This class of malware is designed to steal user-login information for any SSL session, not just banking sites. For example, attackers also gather credentials for Web-based email and social-network sites like Facebook, using the following steps:

The user browses to the Web site’s login page.
The user next inserts the appropriate login information and hits enter.
The financial malware intercepts the login POST request, obtaining the login username and password before it’s encrypted.
The malware sends the stolen information back to the attacker’s command and control server, usually over HTTP.
The user, none the wiser, is then logged into the account.
The attacker then can gain access to the account and transfer money at will.
General attacks are used against financial institutions that do not use multi-factor authentication.

Targeted attack: This type of attack made Zeus famous. The attacker builds configuration files for specific online financial institutions. These files are used to carry out what is called a Man-in-the-Browser (MitB) attack, a method in which the configuration file delivers a fake Web page to the Web browser. Here are the steps:

The victim enters the URL for the bank’s Web site.
The browser requests the login Web page from the bank’s Web server.
At the same time, the malcode is checking its configuration files for a matching URL. If it’s found, the attacker’s replica Web page is injected.
The victim then enters the appropriate login credentials, which are sent to the attacker’s command and control server.
If sophisticated enough, the targeted attack could also manipulate the victim’s transactions, sending money to one of the attacker’s bank accounts.

Please read the report on Carberp for your own knowledge and safety.