Duqu 2.0 - The newest cyber espionage threat proving governments are interested

hoodlum
MuscleHead
Jan 3, 2012
Duqu 2.0 (originally written by Schneier)
Kaspersky Labs has discovered and publicized details of a new nation-state surveillance malware system, called Duqu 2.0. It's being attributed to Israel.
There's a lot of details, and I recommend reading them. There was probably a Kerberos zero-day vulnerability involved, allowing the attackers to send updates to Kaspersky's clients. There's code specifically targeting anti-virus software, both Kaspersky and others. The system includes anti-sniffer defense, and packet-injection code. It's designed to reside in RAM so that it better avoids detection. This is all very sophisticated.
Eugene Kaspersky wrote an op-ed condemning the attack -- and making his company look good -- and almost, but not quite, comparing attacking his company to attacking the Red Cross:
Historically companies like mine have always played an important role in the development of IT. When the number of Internet users exploded, cybercrime skyrocketed and became a serious threat to the security of billions of Internet users and connected devices. Law enforcement agencies were not prepared for the advent of the digital era, and private security companies were alone in providing protection against cybercrime, both to individuals and to businesses. The security community has been something like a group of doctors for the Internet; we even share some vocabulary with the medical profession: we talk about 'viruses', 'disinfection', etc. And obviously we're helping law enforcement develop its skills to fight cybercrime more effectively.
One thing that struck me from a very good Wired article on Duqu 2.0:

Raiu says each of the infections began within three weeks before the P5+1 meetings occurred at that particular location. "It cannot be coincidental," he says. "Obviously the intention was to spy on these meetings." Initially Kaspersky was unsure all of these infections were related, because one of the victims appeared not to be part of the nuclear negotiations. But three weeks after discovering the infection, Raiu says, news outlets began reporting that negotiations were already taking place at the site. "Somehow the attackers knew in advance that this was one of the [negotiation] locations," Raiu says.
Exactly how the attackers spied on the negotiations is unclear, but the malware contained modules for sniffing WiFi networks and hijacking email communications. But Raiu believes the attackers were more sophisticated than this. "I don't think their style is to infect people connecting to the WiFi. I think they were after some kind of room surveillance -- to hijack the audio through the teleconference or hotel phone systems."
Those meetings are talks about Iran's nuclear program, which we previously believed Israel spied on. Look at the details of the attack, though: hack the hotel's Internet, get into the phone system, and turn the hotel phones into room bugs. Very clever.

Schneier - https://www.schneier.com/
 
hoodlum
MuscleHead
Jan 3, 2012
Details from Symantec - http://www.symantec.com/connect/blogs/duqu-20-reemergence-aggressive-cyberespionage-threat

Duqu 2.0, the cyberespionage tool that was used to compromise security firm Kaspersky Lab, has also been used in a number of other attack campaigns against a range of targets, including several telecoms firms. Analysis by Symantec concurs with Kaspersky’s assessment today that Duqu 2.0 (detected by Symantec as W32.Duqu.B) is an evolution of the older Duqu worm, which was used in a number of intelligence-gathering attacks against a range of industrial targets before it was exposed in 2011. Although their functionalities were different, the original Duqu worm had many similarities with the Stuxnet worm used to sabotage the Iranian nuclear development program.
New attacks
Symantec has found evidence that Duqu has been used in a number of different attack campaigns against a small number of selected targets. Among the organizations targeted were a European telecoms operator, a North African telecoms operator, and a South East Asian electronic equipment manufacturer. Infections were also found on computers located in the US, UK, Sweden, India, and Hong Kong.
In addition to the attack against itself, Kaspersky believes Duqu was used to target countries involved in international negotiations surrounding Iran’s nuclear program. Given the diversity of targets, Symantec believes that the Duqu attackers have been involved in multiple cyberespionage campaigns. Some organizations may not be the ultimate targets of the group’s operations, but rather stepping stones towards the final target. The group’s interest in telecoms operators could be related to attempts to monitor communications by individuals using their networks.
Symantec has found no evidence to suggest that it has been affected by attacks using this malware.
Duqu 2.0 in operation
This new version of Duqu is stealthy and resides solely in the computer’s memory, with no files written to disk. It comes in two variants. The first is a basic back door that appears to be used to gain a persistent foothold inside the targeted entity by infecting multiple computers.
The second variant is more complex. It has the same structure as the first, but contains several modules that provide a range of functionality to the malware, such as gathering information on the infected computer, stealing data, network discovery, network infection, and communication with command-and-control (C&C) servers. This variant appears to be deployed to computers deemed to be targets of interest by the attackers.
Common code and code flow
Duqu and Duqu 2.0 share large amounts of code, in addition to similarities in how that code is organized. The shared code includes a number of helper functions. For example, as shown in Figure 1, there is a “gen_random” function (as labelled by an engineer) that is shared between Duqu and Duqu 2.0.
Not only is that gen_random code shared, but the code that calls that function is also organized almost identically. Such similarities in how code is called are repeated in several other locations throughout Duqu 2.0, including in how C&C IP addresses are formatted, how network messages are generated, and how files are encrypted and decrypted.

Figure 1. Duqu vs Duqu 2.0 code flow

When a program needs to store data, the program author will design structures to store that data in a logical and easily accessible manner. Duqu and Duqu 2.0 share a number of these data structures.
Network communications
Another shared feature between the two variants, as shown in Figure 1, is the use of a cookie header with a hardcoded string and a random string when sending messages to a C&C server. For example:

  • Duqu: Cookie: PHPSESSID=<random_str_0x1A_size>
  • Duqu 2.0: Cookie: COUNTRY=<random_str_0x1A_size>
A second shared feature in the network communications code is to connect to a number of Microsoft URLs to retrieve a proxy address, as shown in Figure 2.

Figure 2. Duqu vs Duqu 2.0 network code
The list of Microsoft URLs connected to, by both variants, is identical.
Finally, for network communications, when Duqu uses HTTP, it will use image names in the “Content-Disposition” header. For Duqu, the value “DSC00001.jpg” was used, whereas for Duqu 2.0, the value “%05d.gif” is used.
Conclusion
Based on our analysis, Symantec believes that Duqu 2.0 is an evolution of the original threat, created by the same group of attackers. Duqu 2.0 is a fully featured information-stealing tool that is designed to maintain a long term, low profile presence on the target’s network. Its creators have likely used it as one of their main tools in multiple intelligence gathering campaigns.
Given that activity surrounding the original version of Duqu dropped off following its discovery, it is likely that the group may now retreat before re-emerging with new malware.
Protection
Symantec and Norton products detect this threat as:

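Added example (not part of the Symantec write-up or of this post): a small Python scanner that applies the two network indicators quoted above, the 26-character (0x1A) random cookie value behind PHPSESSID= (Duqu) or COUNTRY= (Duqu 2.0) and the Content-Disposition filenames DSC00001.jpg / %05d.gif, to proxy-logged HTTP header lines. The cookie character set and the sample log lines are my own assumptions; the write-up does not specify them.

```python
import re

# Indicators as quoted in the Symantec write-up above (0x1A == 26, so the random cookie
# value is exactly 26 characters; its character set is not given, so we ASSUME anything
# that is not ';' or whitespace):
#   Duqu     -> Cookie: PHPSESSID=<26 chars>; Content-Disposition filename DSC00001.jpg
#   Duqu 2.0 -> Cookie: COUNTRY=<26 chars>;   Content-Disposition filename %05d.gif
COOKIE_RE = re.compile(r"(?:^|[;\s])(?P<name>PHPSESSID|COUNTRY)=(?P<val>[^;\s]{26})(?=[;\s]|$)", re.I)
DISPOSITION_RE = re.compile(r'filename="?(?P<file>DSC00001\.jpg|\d{5}\.gif)"?', re.I)

def classify_header(line):
    """Return (family, indicator, value) if one HTTP header line matches, else None."""
    name, _, value = line.partition(":")
    name = name.strip().lower()
    if name == "cookie":
        m = COOKIE_RE.search(value)
        if m:
            family = "Duqu" if m.group("name").upper() == "PHPSESSID" else "Duqu 2.0"
            return (family, "cookie", m.group("val"))
    elif name == "content-disposition":
        m = DISPOSITION_RE.search(value)
        if m:
            family = "Duqu" if m.group("file").upper() == "DSC00001.JPG" else "Duqu 2.0"
            return (family, "content-disposition", m.group("file"))
    return None

def scan_http_lines(lines):
    """Return (hits, verdict, families_with_both_indicators); hits are (line_no, family, indicator, value).

    A 26-char PHPSESSID is also a length stock PHP can emit (MD5 id, 5 bits per character),
    so a cookie hit alone is weak; 'strong' needs cookie AND Content-Disposition of one family.
    """
    hits = [(n, *r) for n, l in enumerate(lines, 1) if (r := classify_header(l))]
    per_family = {}
    for _, family, indicator, _ in hits:
        per_family.setdefault(family, set()).add(indicator)
    strong = sorted(f for f, seen in per_family.items() if len(seen) == 2)
    return hits, ("strong" if strong else "weak" if hits else "none"), strong

# Constructed sample of proxy-logged HTTP header lines (not real captures).
SAMPLE_LINES = [
    "GET /index.php HTTP/1.1",
    "Cookie: PHPSESSID=abcdefghij0123456789abcdef; theme=dark",
    "Cookie: COUNTRY=Zk3mQ9xLp2Rt7Vb1Nc5Hj8Wd4F",
    'Content-Disposition: form-data; name="file"; filename="00017.gif"',
    'Content-Disposition: attachment; filename="report.pdf"',
    "Cookie: PHPSESSID=tooshort",
]
```

Running scan_http_lines(SAMPLE_LINES) flags lines 2, 3 and 4 and returns a "strong" verdict for Duqu 2.0 only, since Duqu shows the cookie indicator alone.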
 
monsoon
Senior Bacon VIP
Nov 1, 2010
Aha! Now my business in pre 90's computers will finally take off.
 
Titan
VIP Member
Dec 28, 2010
Buy an iMac and don't worry about all the problems with a Windows OS.
 
FlyingDragon
VIP Member
Nov 4, 2010
U can keep your iMac, my Commodore 128 works just fine for me....Thanks monsoon for taking the time to restore my Commodore to the original factory settings...
 
pumpingiron22
Senior Member
Mar 2, 2014
great article.
also
Microsoft's Software is Malware

Other examples of proprietary malware

Malware means software designed to function in ways that mistreat or harm the user. (This does not include accidental errors.) This page explains how Microsoft software is malware.

Malware and nonfree software are two different issues. The difference between free software and nonfree software is in whether the users have control of the program or vice versa. It's not directly a question of what the program does when it runs. However, in practice nonfree software is often malware, because the developer's awareness that the users would be powerless to fix any malicious functionalities tempts the developer to impose some.

Type of malware
Back doors
Sabotage
Surveillance
Digital restrictions management or “DRM” means functionalities designed to restrict what users can do with the data in their computers.
Jails—systems that impose censorship on application programs.
Tyrants—systems that reject any operating system not “authorized” by the manufacturer.
Microsoft Back Doors

Microsoft Windows has a universal back door through which any change whatsoever can be imposed on the users.

More information on when this was used.

In Windows 10, the universal back door is no longer hidden; all “upgrades” will be forcibly and immediately imposed.

Windows 8 also has a back door for remotely deleting apps.

You might well decide to let a security service that you trust remotely deactivate programs that it considers malicious. But there is no excuse for deleting the programs, and you should have the right to decide who (if anyone) to trust in this way.

Windows 8's back doors are so gaping that the German government has decided it can't be trusted.

Microsoft Sabotage

The wrongs in this section are not precisely malware, since they do not involve making the program that runs in a way that hurts the user. But they are a lot like malware, since they are technical Microsoft actions that harm the users of specific Microsoft software.

Microsoft is repeatedly nagging many users to install Windows 10.

Microsoft informs the NSA of bugs in Windows before fixing them.

Microsoft cut off security fixes for Windows XP, except to some big users that pay exorbitantly.

Microsoft is going to cut off support for some Internet Explorer versions in the same way.

A person or company has the right to cease to work on a particular program; the wrong here is Microsoft does this after having made the users dependent on Microsoft, because they are not free to ask anyone else to work on the program for them.

Microsoft Surveillance

Windows 10 ships with default settings that show no regard for the privacy of its users, giving Microsoft the “right” to snoop on the users' files, text input, voice input, location info, contacts, calendar records and web browsing history, as well as automatically connecting the machines to open hotspots and showing targeted ads.

Windows 10 sends identifiable information to Microsoft, even if a user turns off its Bing search and Cortana features, and activates the privacy-protection settings.

Microsoft uses Windows 10's “privacy policy” to overtly impose a “right” to look at users' files at any time. Windows 10 full disk encryption gives Microsoft a key.

Thus, Windows is overt malware in regard to surveillance, as in other issues.

We can suppose Microsoft looks at users' files for the US government on demand, though the “privacy policy” does not explicitly say so. Will it look at users' files for the Chinese government on demand?

The unique “advertising ID” for each user enables other companies to track the browsing of each specific user.

It's as if Microsoft has deliberately chosen to make Windows 10 maximally evil on every dimension; to make a grab for total power over anyone that doesn't drop Windows now.

Windows 10 requires users to give permission for total snooping, including their files, their commands, their text input, and their voice input.

Spyware in Windows: Windows Update snoops on the user. Windows 8.1 snoops on local searches. And there's a secret NSA key in Windows, whose functions we don't know.
Microsoft SkyDrive allows the NSA to directly examine users' data.

Microsoft DRM

DRM (digital restrictions mechanisms) in Windows, introduced to cater to Bluray disks. (The article also talks about how the same malware would later be introduced in MacOS.)

Microsoft Jails

Windows 8 on “mobile devices” is a jail: it censors the user's choice of application programs.

Microsoft Tyrants

Mobile devices that come with Windows 8 are tyrants: they block users from installing other or modified operating systems.

As this page shows, if you do want to clean your computer of malware, the first software to delete is Windows.
 
TBJ
New Member
Dec 26, 2015
FlyingDragon said:
U can keep your iMac, my Commodore 128 works just fine for me....Thanks monsoon for taking the time to restore my Commodore to the original factory settings...

You think buying an iMac all of the sudden solves this problem? ;)

Awesome read. I'm going to have to check out all of these external links
 