About these ads

Archive

Posts Tagged ‘Source code’

Fake Leaked Memos And Closed BackDoors

January 15, 2012 Leave a comment

From an Information Security perspective this 2012 has begun with (too) many meaningful events, among which the most resounding so far, has been the alleged leak of portions of the source code belonging to several consumer and enterprise product by Symantec, a leading security vendor.

@YamaTough, a member of a hacking collective called “The Lords of Dharmaraja” (Dharmaraja is the Lord of Death and Justice in Hinduism) claimed paternity for an attack that, immediately after its execution, has unleashed a complicated story of Cyber Espionage full of twists and mysteries which has raised (and keeps on rising) many (un)resolved questions.

The Indian Mystery

Date

Event

Jan 5

@YamaTough, a member of an hacking group called, the Lords of Dharmaraja, leaks the source code of Symantec Endpoint Protection Enterprise Suite (SAVCE 10.2 and SEP11), approximately 5 years old. The source code was allegedly obtained from The hacking of Indian Military Servers.Symantec has admitted that “a segment of its source code used in two of our older enterprise products has been accessed”.

During the same operation the same hackers also leaked some other documents according to which:

  1. The Indian government has source code for Symantec’s AV software, albeit of 2006 vintage.
  2. The Indian government is strong arming cell phone manufacturers to provide back doors into their handsets (defined RINOA: RIM, Nokia and Apple).
  3. The Indian government is in possession of confidential internal communications from the US-China Economic and Security Review Commission (USCC).
  4. The Indian government is actively engaged in espionage efforts targeting not only the USCC, but potentially thousands of US government networks, ranging from those of federal agencies to systems used by state and municipal entities.

Jan 12

In any case, although the leaked source code is real, it looks like the Lords of Dharmaraja faked the government memo (in order to attract more attention) since some emails there contained (and purportedly obtained by the RINOA backdoors) were allegedly stolen from the Indian Embassy on Paris and appear to have already been leaked on pastebin in December by the same hacker @YamaTough. There are also several doubts on the fact that activities of the USCC could be of any interest to Indian intelligence.

Jan 13

As an announced trail of the controversial Cyber Espionage affair, @YamaTough releases the source code of Norton Utilities. The author claims the leak is in support of the lawsuit between Symantec and Jame Gross, a US resident who is taking the company to court for spreading scareware. The full Source Code of Norton Antivirus is announced for Tuesday, Jan the 17th.

Not only, according to the hackers, the source code has been found on a server belonging to India Military Intelligence, but also, together with the links to the Source Code, the hackers posted an Internal Memo of India Military Intelligence entitled “Tactical Network For Cellular Surveillance”, containing potentially explosive information. According to this controversial memo “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices. Moreover it looks like the a CYCADA Team used the backdoors for espionage actions against the  U.S.-China Economic and Security Review Commission (USCC) and potentially against thousands of US government networks, ranging from those of federal agencies to systems used by state and municipal entities.

Although the implicated manufacturers firmly denied any connection, at first glance the hypothesis of a backdoor on our mobile companions seemed possible, also because it came immediately after another controversial event concerning mobile privacy, the infamous Carrier IQ rootkit found on many mobile devices.

A giant case of Cyber Espionage? Not actually! It looks like the whole story is showing an unpredictable conclusion (?). In the last days evidences are emerging that the Lords Of Dharmaraja faked the memo, maybe in order to obtain a greater attention on their operations. Although, as previously stated, Symantec has recognized parts of the source code on the leaked data, there are too many inconsistencies and incorrect information inside the memo, and also several of the emails allegedly obtained by mean of the RINOA backdoor had already been posted on December after the original attack made by the collective at the Indian Embassy in Paris (where the memo was leaked). Moreover, the letterhead on the memo comes from a military intelligence unit not involved in surveillance.

The mistery deepens, but in the meantime the Lords Of Dharmaraja keep on posting Symantec Code: Saturday Jan 14 the alleged Source Code of the Norton Utilities was released, the next Tuesday Jan 17, will be the turn of the full Norton Antivirus Source Code.

About these ads

Back to The Future of Stuxnet

October 19, 2011 4 comments

While the U.S. and U.K. are debating whether to use Cyberwarfare, someone, somewhere, has decided not to waste further time and has anticipated them, developing what appears to be a precursor of Stuxnet 2.0. In a blog post, Symantec explains how it came across the first samples of the malware thanks to a research lab with strong international connections, which, on October 14 2011, alerted the security firm to a sample that appeared to be very similar to Stuxnet.

The brand new threat has been dubbed “Duqu” [dyü-kyü] because it creates files with the file name prefix “~DQ”, and has been discovered in some computer systems located in the Old Continent. After receiving and analyzing the samples, Symantec has been able to confirm that parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.

Unlike its infamous predecessor Duqu does not target ICS but rather appears to be a RAT developed from the Stuxnet Source Code, whose main features may be summarized as follows (a detailed report is available here):

  • The executables […] appear to have been developed since the last Stuxnet file was recovered.
  • The executables are designed to capture information such as keystrokes and system information.
  • Current analysis shows no code related to industrial control systems, exploits, or self-replication.
  • The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
  • The exfiltrated data may be used to enable a future Stuxnet-like attack.
  • Two variants were recovered […], the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.

Of course this event rises inevitably many security questions: although cyberwar is actually little more than a concept, cyber weapons are a consolidated reality, besides it is not clear if Duqu has been developed by the same authors of Stuxnet, or worst by someone else with access to the source code of the cyber biblical plague (and who knows how many other fingers in this moment will be coding new threats from the same source code).

Anyway one particular is really intriguing: only yesterday the DHS issued a Bulletin warning about Anonymous Threat to Industrial Control Systems (ICS), not event 24 hours after the statement a new (potential) threat for ICS appears in the wild… Only a coincidence?

Follow

Get every new post delivered to your Inbox.

Join 3,200 other followers