Tag Archives: Computer worm

Southeast Asia’s Viral Infection

Southeast Asia is fast developing a reputation as the most dangerous place on the Internet. It’s not a reputation the region can afford to have.

By one count Thailand has risen to be the country with the most number of malware infections, by one account, and by another to be the second, all in the past few months.

PandaLabs’ report on the second quarter of 2011 [PDF] lists Thailand as having the second highest rate of malware infection (after China) with nearly 57% of computers scanned by their antivirus software as being infected. The global average is about 40%. Thailand was second in the previous quarter too, but with an even higher infection rate, of 65%. Most of these infections seem to come from worms.

Indeed, this trend seems to have started last year. The AntiPhishing Working Group’s report for the second half of 2010 lists as top in terms of infected countries–nearly 67%, higher than China’s 63%. (I should point out that the chief analyst for the APWG is Luis Corrons, who is technical director of PandaLabs, so the source of this data may actually be one place.)

Indonesia, meanwhile, now equals the United States as the highest single source of Distributed Denial of Service attacks, according to data from Kaspersky (Expect More DDoS Attacks Tomorrow, published on Monday):

The US and Indonesia topped the rating with each country accounting for 5% of all DDoS traffic. The US’s leading position is down to the large number of computers in the country – a highly attractive feature for botmasters. Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. According to data from Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, in Q2 2011 almost every second machine (48%) in Indonesia was subjected to a local malware infection attempt.

A couple of points here:

  • Indonesia has a lot fewer computers connected to the Internet compared to the U.S.: about 40 million vs 245 million. This means that Indonesia is generating 5 times as much DDOS traffic per computer as the U.S.
  • The discrepancies in the infection rates between Kaspersky and Panda are artifacts of the way these companies measure these things. Basically, as far as I understand, they gather data from users, so a lot depends on just how popular that particular piece of antivirus software is in the country, and on factors such as the likelihood of people actually using antivirus software.

The Kaspersky report shows that Southeast Asia features heavily in the proportion of DDOS traffic:

  • Indonesia 5%
  • Philippines 4%
  • Vietnam 4%
  • Thailand 4%
  • Singapore 4%
  • Malaysia 3%

Internet traffic optimizer Akamai, meanwhile, reported that [PDF, may have to answer a short survey before reading] Burma (Myanmar) accounted for 13% of the world’s attack traffic (i.e. DDOS traffic). This was the first time that Burma appeared on the list. I’ve spoken to Akamai and they’re not clear why this is the case, but they did point to the fact that their data covers the first quarter of 2011, a few months after a massive DDOS attack on Burma which happened to coincide with the country’s elections.

The suspicion at the time that this was self-inflicted: basically pro-government hackers preventing Burmese from using the Internet to get alternative sources of election information. Makes sense. Akamai’s theory is that this traffic that they saw in the first quarter of this year was residual traffic from those massive attacks. But the truth is that no one knows.

More generally, it’s not good that Southeast Asia is now becoming this malware and DDOS capital. There are lots of reasons for it, which I’ll be exploring as part of a project in the months to come.

Full version of the Kaspersky report: DDoS attacks in Q2 2011 – Securelist

Stuck on Stuxnet

By Jeremy Wagstaff (this is my weekly Loose Wire Service column for newspaper syndication)

We’ve reached one of those moments that I like: When we’ll look back at the time before and wonder how we were so naive about everything. In this case, we’ll think about when we thought computer viruses were just things that messed up, well, computers.

Henceforward, with every mechanical screw-up, every piston that fails, every pump that gives out, any sign of smoke, we’ll be asking ourselves: was that a virus?

I’m talking, of course, about the Stuxnet worm. It’s a piece of computer code–about the size of half an average MP3 file–which many believe is designed to take out Iran’s nuclear program. Some think it may already have done so.

What’s got everyone in a tizzy is that this sort of thing was considered a bit too James Bond to actually be possible. Sure, there are stories. Like the one about how the U.S. infected some software which a Siberian pipeline so it exploded in 1982 and brought down the whole Soviet Union. No-one’s actually sure that this happened–after all, who’s going to hear a pipeline blow up in the middle of Siberia in the early 1980s?–but that hasn’t stopped it becoming one of those stories you know are too good not to be true.

And then there’s the story about how the Saddam Hussein’s phone network was disabled by US commandos in January 1991 armed with a software virus, some night vision goggles and a French dot matrix printer. It’s not necessarily that these things didn’t happen–it’s just that we heard about them so long after the fact that we’re perhaps a little suspicious about why we’re being told them now.

But Stuxnet is happening now. And it seems, if all the security boffins are to be believed, to open up a scary vista of a future when one piece of software can become a laser-guided missile pointed right at the heart of a very, very specific target. Which needn’t be a computer at all, but a piece of heavy machinery. Like, say, a uranium enrichment plant.

Stuxnet is at its heart just like any other computer virus. It runs on Windows. You can infect a computer by one of those USB flash drive thingies, or through a network if it finds a weak password.

But it does a lot more than that. It’s on the look out for machinery to infect—specifically, a Siemens Simatic Step 7 factory system. This system runs a version of Microsoft Windows, and is where the code that runs the programmable logic controllers (PLCs) are put together. Once they’re compiled, these PLCs are uploaded to the computer that controls the machinery. Stuxnet, from what people can figure out, fiddles around with this code within the Siemens computer, tweaking it as it goes to and comes back from the PLC itself.

This is the thing: No one has seen this kind of thing before. Of course, we’ve heard stories. Only last month it was reported that the 2008 crash of a Spanish passenger jet, killing 154 people, may have been caused by a virus.

But this Stuxnet thing seems to be on a whole new level. It seems to be very deliberately targeted at one factory, and would make complex modifications to the system. It uses at least four different weaknesses in Windows to burrow its way inside, and installs its own software drivers—something that shouldn’t happen because drivers are supposed to be certified.

And it’s happening in real time. Computers are infected in Indonesia, India, Iran and now China. Boffins are studying it and may well be studying it for years to come. And it may have already done what it’s supposed to have done; we may never know. One of the key vulnerabilities the Trojan used was first publicized in April 2009 in an obscure Polish hacker’s magazine. The number of operating centrifuges in Iran’s main nuclear enrichment program at Natanz was reduced significantly a few months later; the head of Iran’s Atomic Energy Organization resigned in late June 2009.

All this is guesswork and very smoke and mirrors: Israel, perhaps inevitably, has been blamed by some. After all, it has its own cyber warfare division called Unit 8200, and is known to have been interested, like the U.S., in stopping Iran from developing any nuclear capability. And researchers have found supposed connections inside the code: the word myrtle, for example, which may or may not refer to the Book of Esther, which tells of a Persian plot against the Jews, and the string 19790509, which may or may not be a nod to Habib Elghanian, a Jewish-Iranian businessman who was accused of spying for Israel and was executed in Iran on May 9, 1979.

Frankly, who knows?

The point with all this is that we’re entering unchartered territory. It may all be a storm in a teacup, but it probably isn’t. Behind all this is a team of hackers who not only really know what they’re doing, but know what they want to do. And that is to move computer viruses out of our computers and into machinery. As Sam Curry from security company RSA puts it:

This is, in effect, an IT exploit targeted at a vital system that is not an IT system.

That, if nothing else, is reason enough to look nostalgically back on the days when we didn’t wonder whether the machinery we entrusted ourselves to was infected.

KL’s Airport Gets Infected

image

If there’s one place you hope you won’t get infected by a computer virus, it’s an airport.

It’s not just that the virus may fiddle with your departure times; it’s the wider possibility that the virus may have infected more sensitive parts of the airport: ticketing, say, or—heaven forbid—flight control.

Kuala Lumpur International Airport—Malaysia’s main international airport—was on Friday infected by the W32.Downadup worm, which exploits a vulnerability in Windows Microsoft patched back in October. The worm, according to Symantec, does a number of things, creating an http server on the compromised computer, deletes restore points, downloads other file and then starts spreading itself to other computers.

image

Enlargement of the photo above. The notification says Symantec Antivirus has found the worm, but has not been able to clean or quarantine the file.

KL airport clearly isn’t keeping a tight rein on its security. The virus alert pictured above is at least 12 hours old and the vulnerability it exploits had been patched up a month before. Says Graham Cluley of UK-based security software company Sophos: “What’s disturbing to me is that over a month later, the airport hasn’t applied what was declared to be an extremely critical patch, and one which is being exploited by malware in the wild.”

What’s more worrying is that this isn’t the first time. It’s the first time I’ve noticed an infection on their departures/arrivals board, but one traveller spotted something similar a year and a half ago, with a Symantec Antivirus message popping up on one of the monitors. I saw a Symantec Antivirus message on one monitor that said it had “encountered a problem and needs to close”, suggesting that the worm had succeeded in disabling the airport’s own antivirus defences:

image

So how serious is all this? Cluely says: “Well, it’s obviously a nuisance to many people, and maybe could cause some disruption.. but I think this is just the most “visible” sign of what may be a more widespread infection inside the airport.  I would be more concerned if ticketing and other computer systems were affected by the same attack.”

He points to computer viruses affecting other airports in recent years: In 2003, Continental Airlines checkin desks were knocked out by the Slammer worm. A year later, Sasser was blamed for leaving 300,000 Australian commuters stranded, and BA flights were also delayed.

For me, the bottom line about airports and air travel is confidence. As a traveler I need to feel confident that the people deciding which planes I fly and when are on top of basic security issues. And that doesn’t mean just frisking me at the gate. It also means keeping the computer systems that run the airport safe. This is probably just sloppy computer habits but what if it wasn’t? What if it was a worm preparing for a much more targeted threat, aimed specifically at air traffic?

(I’ve asked KL International Airport and Symantec for comment.)

Do Viruses Really Cost This Much?

Mi2g, the British-based security consultancy that seems to court controversy and a fair amount of ridicule, has issued a press release (it doesn’t seem to be up yet) that is likely to prompt similar reactions: “USD 166 billion malware damage in 2004”, the headline reads:

The total economic damage from malware – viruses, worms and trojans – in 2004 is estimated to lie between USD 169 billion and USD 204 billion, making 2004 the worst year on record by a wide margin according to the mi2g Intelligence Unit, the world leader in digital risk. 2003 did not log even half of the malware economic damage figures attributable to 2004. With an installed base of around 600 million Windows based computers worldwide, this works out roughly as average damage per installed machine of between USD 281 and USD 340.

Certainly viruses and worms are damaging computers, business and nerves but I’m not sure it stretches to $300 billion. That is the same as(from a quick search of recent news articles):

So I guess it’s not impossible. But it seems to be a bit over the top. Mi2g says it calculates damages “on the basis of helpdesk support costs, overtime payments, contingency outsourcing, loss of business, bandwidth clogging, productivity erosion, management time reallocation, cost of recovery and software upgrades. When available, Intellectual Property Rights (IPR) violations as well as customer and supplier liability costs have also been included in the estimates.” You could pretty much throw any old figures in there.

I would agree with them, however, when they point to the recent “proliferation of Bagle malware variants worldwide” as a sign that, like last year, “there could be a choppy cyber-sea ahead, made all the more complex by new and more dangerous malware families that are yet to emerge.” It may not be costing quite the equivalent of a major war, eradicating global poverty or how much Americans spend on sneakers and baseball games, but a virus sure can muck up your day.

More On The New Bagle

Here’s some more stuff from The Inquirer about the new Bagle worm (AV firm warns of fresh Bagle variant), which quotes F-Secure as saying it has issued a level two alert for a variant of Bagle which it said is propagating like crazy across the world. Some details:

The firm said Bagle.AT is a polymorphic worm arriving in emails and with a number of different headers. It’s similar to the other Bagles around, and attaches itself to emails as a .EXE file with .com, .exe, .scr and .cpl extensions. Typical text strings include “delivery service mail”, “delivery by mail”, “registration is accepted”, “is delivered mail” and “you are made active”. Bagle.AT also open a back door to PCs that listens on port 81, and is password encrypted. That allows the author of the worm to connect to PCs and let him or her execute programs. The infected machines are reported to the worm’s author.

Always hard to know at the time how much of this is hype, but I guess it’s worth knowing about it in case it isn’t.

MyDoom Anniversary: Another Big Attack In The Offing?

Today’s the first anniversary of the MyDoom.A worm. According to an email I received earlier today from MessageLabs, ‘the world’s leading provider of email security services to business’, it was a day that “changed the virus landscape forever”:

27 January 2005 – At 13.26pm on 26 January 2004, MessageLabs,  intercepted its first copy of W32/MyDoom.A. Within the first twenty-four hours, the company had stopped over 1.2 million copies. MyDoom.A, which achieved a peak infection rate of 1 in 12 emails, has proved to represent a landmark in the history of computer viruses, and the legacy lives on..

I’m not sure whether this is just a coincidence, but I’m told by folks at Network Box of a fresh attack by Bagle: “Depending on the next few hours, this could be a large attack,” says Network Box’s Quentin Heron:

Network Box Security Response is tracking several new variants of the Bagle Internet worm… We are seeing thousands of blocks on these variants, from dozens of sites in Hong Kong. We are checking worldwide infection rates at the moment, but this looks extensive.

For those of you who follow these things, the worm matches signatures from Kaspersky Labs of Email-Worm.Win32.Bagle.ax and Email-Worm.Win32.Bagle.ay.

I’ll keep you posted.

Russia Gets Serious About Its Virus Writers?

Is Russia finally getting serious about its virus writers?

Kaspersky Labs and F-Secure, two anti-virus manufacturers, report that Evgenii Suchkov (or Eugene Suchkov, sometimes known as Whale or Cityhawk) has been found guilty of writing two viruses, Stepar and Gastropod. Suchkov was sentenced in the Russian republic of Udmurtia, and while he was only fined 3,000 rubles ($100) — a sentence which has attracted some derision — Kaspersky’s analyst reckons now “Russian virus writers know that they are not always going to be able to hide from the law. And the world knows that Russia is doing something about virus writing”.

Suchkov, it appears, is no small fish. He’s believed to be a member of 29A, a notorious virus writing group, according to Kaspersky, which also believes he’s a member of the HangUp Team, a group I’ve tried to look more carefully at for their alleged role in phishing. Interestingly, a Czech member of 29A was recently recruited by a Czech software company, a move which has ignited some controversy, not least because it would appear to make virus writing a good way to prepare a CV for more legitimate work.

I tend to agree that hiring these guys might not be the best idea. Beyond the moral hazard issue — why should virus writers care about getting caught if they know it will lead to a job anyway? — there’s the issue of where this guy’s loyalties may lie. Is he going to try to stop his old buddies from doing their thing? Or tracking them down? And even if he did want to do good work for his new employer, he’s going to be a marked man for his former buddies who it’s believed, have active links to the Russian mafia.

The point to remember is that virus writing is now an industry, or sub-industry, of the criminal underworld. So no longer could one argue that these guys are just lonely geeks trying to get some attention. They do what they do for money, which means a virus, worm or trojan is a piece of code designed to do something specific. It’s probably done to order. If one of these virus writers is now working for the other side, I would hope his new employers take a good hard look at his motives: If he’s a good virus writer he could probably command significant amounts of money. Is he going to say goodbye to all that?

Finally, Mikko Hypponen of F-Secure suggests that there may also be traffic the other way. “F-Secure also has evidence which suggest that spammers have succesfully recruited anti-spam software developers to their side,” Hypponen says in a recent email. He points out that “spammers make money from their efforts; that’s why they can actually afford to invest in making their attacks better.” Anti-spammers going to the dark side? There must still be good money in it somewhere. I’ll try to find out more.

This week’s column – Beat the bugs

This week’s Loose Wire column is about cleaning viruses:

IF YOUR COMPUTER is infected by a virus, Trojan, worm or some other nasty slice of code, never fear: Worst comes to worst, you can call on a 60-year-old retired Australian lab technician who goes by the on-line nickname of Pancake.

Though he wouldn’t put it this way himself, Ed Figg (his real name) is living proof of the failure of anti-virus companies, firewall manufacturers and Microsoft to keep us safe from viruses. Given that we each spend about $100 a year for software to protect our computers, you’d think that would leave us safe. But no. Ed the Pancake, and dozens like him, spend up to eight hours a day on-line as unpaid experts helping other users with problems–most of them viruses that have slipped past their computer’s defences. So what should you do if you think it’s happened to you?

Full text at the Far Eastern Economic Review (subscription required, trial available) or at WSJ.com (subscription also required). Old columns at feer.com here.

A Directory of Virus Removal Tools

Some sites offering free tools for removing viruses, trojans and worms. Any additions/changes welcome.

Beware Evaman

The Sydney Morning Herald is warning of a new Doomsday with ”a new internet virus is expected to clog mail servers, cause severe slowdown and wreak financial damage as it spreads rapidly around the world when businesses return to work today”.

It is a mass-mailer worm called Evaman, and Symantec is likening it to MyDoom, using a false email address to generate messages with an attachment that carries the virus. By opening the attachment, recipients “unleash the virus onto their computer, where it automatically starts sending out dozens of new messages”.

As with an increasing number of these viruses, the worry is that the infection rate will be worsened because of the weekend factor: Tim Hartman, senior technical director at the security firm Symantec, “estimated the virus would spread at an uncontrollable rate as people returned to work”. He’s quoted as saying: “There’s so many unprotected machines out there that the likelihood that this will spread significantly is quite high. We have to wait until everyone gets back to work from their weekend around the world.”

What’s not quite clear to me is how exactly this works, and for what purpose. Symantec says the worm “generates random queries to email.people.yahoo.com (an email search engine), and collects email addresses from the search results”. It then sends copies of itself to the addresses that it finds with a spoofed From address”. But why?

I can only assume it is trying to verify email addresses in bulk. If so, it’s proof, if it were needed, that spamming and virus writing is all pretty much the same business these days.