Tag Archives: conficker

Fighting the Flames

The most sophisticated malware, since last time.

I work closely with the Marketing and PR folks here at Trend Micro and I know that whenever we have a significant or noteworthy piece of research to break, their first question will be, “Can we say is the first, biggest, worst, etc?“. In almost every case, the answer is “No“, in fact I can only think of one exception in recent years.
I’m sure the situation is similar at the other global security vendors, but it appears that some are less stoic in their resistance of the headline lure. Eugene Kaspersky, who appeared to relish being called a “glorious global megatroll” last week, is certainly renowned for courting controversy.
Last weekend, the news began to break about a complex piece of malware known variously as Flame/Flamer/SkyWiper which was immediately being touted as the most sophisticated malware ever. The ITU at the UN released what they describe asthe most serious warning we have ever put out”, (although not apparently serious enough to feature on their web site). This claim was supported by statements that Flame is “20 times more complicated [than Stuxnet]. It will take us 10 years to fully understand everything“, a top-of-the-head metric that seems a little shaky to me. Symantec have even likened it to “an atomic weapon.
I was called by a journalist yesterday whose first question to me was “So what makes this threat so unique?“, and honestly it was tough to find an answer with which I was comfortable. That, combined with the global hyperbole-fest meant that I woke up this morning compelled to write this post.
The functionalities and characteristics that are reported about Flame are things such as its precise geographical targeting, the modular nature of the code (different functional modules can be “plugged in” to an infected device as required), its ability to use local hardware such as microphones, log keystrokes and record on screen activity. The fact that it is targeted in the Middle East and that it uses a specific autorun vulnerability are apparently enough to justify making links between Flame and Stuxnet!
Espionage attacks aimed at specific geographies or industries are nothing new; look at LuckyCat, IXESHE or any of the hundreds of others recently. Modular architecture for malware has been around for many years, with developers offering custom written modules to customer specification for tools such as ZeuS or SpyEye, Carberp is another great example of modular information stealing Trojan. In fact a recent variant of SpyEye was found to use local hardware such as camera and microphones to record the victim, just like Flamer and just like the DarkComet RAT. Malicious distribution infrastructures such as the Smoke Malware Loader promise sequential loading of executables and geo-targeting (among many other things). Key logging is of course nothing new and neither is performing capture of network traffic or exfiltrating stolen information. Complexity of code is also nothing new, have a look at TDL4, consider Conficker’s rapid adoption of MD6 or its domain generation tactics.
So what are we left with? A big (up to 20MB) chunk of code, that’s unique in malware terms certainly, but not impressive in and of itself. The malware uses Lua, that’s unique in malware terms I guess but not something that elevates the inherent risk. Flame does have Bluetooth functionality though… Oh and in the interest of semantics, it’s not a weapon, it’s a tool.
Interestingly, just before the news about Flame hit the wires, the ITU at the UN had a press release that they have teamed up with a security vendor for their Telecom World 2012 event, incredible timing huh?

Conficker, Duqu, Stuxnet, Aliens, Confuxnet!

I have just read a Reuters news story where respected “cyber warfare expert” John Bumgarner is reported to claim that Conficker was devised and released to act as a global smokescreen for the surgical attack, using Stuxnet on nuclear facilities in Iran.
Bumgarner claims that initial reconnaissance work was carried out using Duqu in 2007 to identify targets relevant to a later attack by Stuxnet. In November 2008 Conficker was released globally to infect as many machines as possible. When a Conficker infection phoned home, if the victim machine was found to be in a apposite location (Iran) it was flagged as a later target for Stuxnet. He further states that Conficker did no damage to machines outside Iran and that on the infamous April 1st “activation date” (of the third variant from March 2009) it was used to pull down Stuxnet to those machines located in interesting locations in Iran.
Here is the evidence, all of it unsubstantiated as far as I can ascertain, that Bumgarner presents to support his claim:
1- Both Stuxnet and Conficker show evidence of “unprecedented sophistication” leading him to believe that they are related.
2- Both Stuxnet and Conficker use the same vulnerability to infect machines (MS08-67)
3 – Unspecified “key dates” in timestamps of unspecified “different versions” of Conficker and Stuxnet overlap and also “helped him to identify April 1 2009 as the launch date for the attack“.
4 – April 1st 2009 was the 30th anniversary of the declaration of an Islamic Republic in Iran. Other unspecified dates also corresponded with days when “Iranian President Mahmoud Ahmadinejad said his nation would pursue its nuclear program despite international objections, and another with the day that he made a highly controversial appearance at Columbia University in New York“.
As regards the end-game, the eventual infection of machines physically located in the right place inside nuclear facilities, Bumgarner concedes that at this point the malware wasn’t yet “in the target“. So to make that final crucial leap, Stuxnet was designed to infect USB drives, in the hope that someone would later take the same USB drive from a Conficker/Stuxnet infected machine and plug it into a machine located in an air-gapped network in nuclear facility. At that point, Bumgarner states, “it was checkmate“.
Phew, what a ride! You’ll forgive me I hope if I say that this account stretches my credulity to breaking point. Let me list a few reasons why.
1 – If targets outside of Iran were surplus to requirements, why did the first iteration of Conficker only exclude computers based in the Ukraine? Why was that restriction later removed? Why not only infect machines in Iran in the first place? It is also not true to say that machines infected with Conficker were all unharmed, Conficker was used to deliver Fake AV and had a functional relationship with Waledac botnet C&C
2 – The levels of sophistication in Conficker and Stuxnet are in different leagues. The original version of Conficker used a single already patched Windows vulnerability to spread, the second variant added the capability to spread via removable drives and by brute forcing passwords against a list of common password variants, neither method sophisticated. There was a level of sophistication in the scale of pseudo-random domains that were generated by the malware as potential C&C locations, but nothing that wasn’t quickly reverse engineered and understood. In the third variant of Conficker the propagation methods were actually removed, only to reappear again in the fourth significant variant. Stuxnet was a far more sophisticated animal, taking advantage of zero-day vulnerabilities and requiring specialist knowledge of SCADA systems and nuclear facilities.
3 – I would theorise that the creators of Stuxnet chose to also use the MS08-67 vulnerability because its effectiveness is demonstrated by the fact that Conficker is still one of the most prevalent infections in enterprise networks, three years after its initial appearance. Why would you make two pieces of malware that propagate using the same vulnerability and yet rely on one to download the other?
4 – The “activation date” of April 1 was coded into the third variant of Conficker. You don’t need unspecified time-stamps on unspecified files to tell you that.
5 – April 1st is also April Fool’s day in many countries around the world, it’s also the anniversary of the founding of Apple Inc., the founding of the Serious Organised Crime Agency (SOCA) in the UK, the birth of the Republic of Ireland and the land blockade of West Berlin by the East German military. Get my point? As regards President Mahmoud Ahmadinejad saying that his country would continue to pursue it’s nuclear program, well surely, pick a day, pick any day…
Then of course there’s the difficult conclusion, relying on persons unknown to plug a USB device into a Confuxnet infected machine, then unknowingly taking that same USB drive and plugging it into a PLC in a nuclear facility. Given the “unprecedented sophistication” of everything that has gone before, it’s this one just a tiny bit of a shot in the dark? A little bit “hit and hope”?
Sorry Mr. Bumgarner, it could be true, of course it could, and it could be that you have been misreported, but on the evidence you present so far, I just don’t buy it.
If I were a government with this kind of resource at my disposal, wouldn’t it make sense for one of my operatives in the target facility to simply take the USB containing Stuxnet right there for me?
I know, there weren’t any aliens.

Look Out, Licat!

UPDATE: Further research has confirmed that LICAT appears to be very strongly linked to ZeuS possibly in an effort to rebuild or strengthen botnets after recent law enforcement activities

Researchers at TrendLabs have blogged this morning about a new file infector virus known as Licat.a which appears to be be geographically and numerically widespread. Research into the malicious code is ongoing.

Licat Distribution

A file infector is malware which could be considered the most “classic” form of virus, one that seeks out other file types and injects its own code into these victim files. Whenever one of the infected files is opened this causes the malicious code to execute.
Licat seeks out .EXE files on infected system and modifies those files, adding its malicious routines.
When an infected file is opened, Licat will generate a series of 800 internet addresses in the format below. The pseudorandom alpha characters are generated using a randomizing function, which is computed from the current UTC system date and time.
http://{pseudorandom alpha characters}.biz/forum/

http://{pseudorandom alpha characters}.org/forum/

http://{pseudorandom alpha characters}.info/forum/

http://{pseudorandom alpha characters}.net/forum/

http://{pseudorandom alpha characters}.com/forum/.
It will then attempt to connect to each of these destinations to download and execute further components or other payloads. The last time similar behaviour to this was seen was in the infamous Conficker botnet
Analysis of the mother infector file is ongoing and further details will be posted on the TrendLabs blog.