From an Information Security perspective this 2012 has begun with (too) many meaningful events, among which the most resounding so far, has been the alleged leak of portions of the source code belonging to several consumer and enterprise product by Symantec, a leading security vendor.
@YamaTough, a member of a hacking collective called “The Lords of Dharmaraja” (Dharmaraja is the Lord of Death and Justice in Hinduism) claimed paternity for an attack that, immediately after its execution, has unleashed a complicated story of Cyber Espionage full of twists and mysteries which has raised (and keeps on rising) many (un)resolved questions.
The Indian Mystery
@YamaTough, a member of an hacking group called, the Lords of Dharmaraja, leaks the source code of Symantec Endpoint Protection Enterprise Suite (SAVCE 10.2 and SEP11), approximately 5 years old. The source code was allegedly obtained from The hacking of Indian Military Servers.Symantec has admitted that “a segment of its source code used in two of our older enterprise products has been accessed”.
During the same operation the same hackers also leaked some other documents according to which:
In any case, although the leaked source code is real, it looks like the Lords of Dharmaraja faked the government memo (in order to attract more attention) since some emails there contained (and purportedly obtained by the RINOA backdoors) were allegedly stolen from the Indian Embassy on Paris and appear to have already been leaked on pastebin in December by the same hacker @YamaTough. There are also several doubts on the fact that activities of the USCC could be of any interest to Indian intelligence.
As an announced trail of the controversial Cyber Espionage affair, @YamaTough releases the source code of Norton Utilities. The author claims the leak is in support of the lawsuit between Symantec and Jame Gross, a US resident who is taking the company to court for spreading scareware. The full Source Code of Norton Antivirus is announced for Tuesday, Jan the 17th.
Not only, according to the hackers, the source code has been found on a server belonging to India Military Intelligence, but also, together with the links to the Source Code, the hackers posted an Internal Memo of India Military Intelligence entitled “Tactical Network For Cellular Surveillance”, containing potentially explosive information. According to this controversial memo “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices. Moreover it looks like the a CYCADA Team used the backdoors for espionage actions against the U.S.-China Economic and Security Review Commission (USCC) and potentially against thousands of US government networks, ranging from those of federal agencies to systems used by state and municipal entities.
Although the implicated manufacturers firmly denied any connection, at first glance the hypothesis of a backdoor on our mobile companions seemed possible, also because it came immediately after another controversial event concerning mobile privacy, the infamous Carrier IQ rootkit found on many mobile devices.
A giant case of Cyber Espionage? Not actually! It looks like the whole story is showing an unpredictable conclusion (?). In the last days evidences are emerging that the Lords Of Dharmaraja faked the memo, maybe in order to obtain a greater attention on their operations. Although, as previously stated, Symantec has recognized parts of the source code on the leaked data, there are too many inconsistencies and incorrect information inside the memo, and also several of the emails allegedly obtained by mean of the RINOA backdoor had already been posted on December after the original attack made by the collective at the Indian Embassy in Paris (where the memo was leaked). Moreover, the letterhead on the memo comes from a military intelligence unit not involved in surveillance.
The mistery deepens, but in the meantime the Lords Of Dharmaraja keep on posting Symantec Code: Saturday Jan 14 the alleged Source Code of the Norton Utilities was released, the next Tuesday Jan 17, will be the turn of the full Norton Antivirus Source Code.
Christmas has just gone and here it is my personal way to wish you a Happy New Year: the second part of my personal chart (first part here) of Main 2011 Cyber Attacks covering the time window from August to November 2011 (December is not yet finished, and featuring remarkable events, so expect an update very soon). This memorable year is nearly over and is time, if you feel nostalgic, to scroll down the second part of the list to review the main Cyber Events that contributed, in my opinion, to change the landscape and the rules of the (information security) game. Many events in this period among whom, IMHO, the most noticeable is the one carried on against Diginotar. Since then our trust in conventional authentication models is not (and will not be) the same anymore.
Of course this is my personal selection. Suggestions are well accepted and if you need more details about the cyber events in 2011, feel free to consult my 2011 Cyber Attacks Master Index. As usual after the page break you find all the references…
In few circumstances I happen to deal with my old (and short) career of Astrophysical. Except when I enjoy to tell my friends the history of the Hubble Constant, and my delusion when I discovered that its value is greater than 50 (most precise determination is 72 ± 8 km/s/Mpc implying a forever expanding Universe which will likely die of Entropy), the chances in which my current activity, information security, and my “would-have-been” career of Astrophysics overlap are really rare.
You may imagine how surprised I have been, when I came across this post by F-Secure concerning the Duqu malware and the images hidden inside the traffic generated by the malware and directed to the C&C Server.
Typically keyloggers try to hide the malicious traffic by resembling legitimate traffic, and of course the infamous Stuxnet-based keylogger is not an exception to this schema, by making the transfer look innocent in case somebody is watching network traffic.
Duqu connects to a server (18.104.22.168 a.k.a. canoyragomez.rapidns.com – which used to be in India) and sends an http request. The server will respond with a blank JPG image. After which Duqu sends back a 56kB JPG file called dsc00001.jpg and appends the stolen information (encrypted with AES) to the end of the image file.
Even if somebody is watching outbound traffic, this wouldn’t look too weird.
Nothing new except the fact that Duqu components contain different JPG files. One of them is an image of the Hubble Space Telescope: NGC 6745 also dubbed Bird’s Head (have a deep look to the image and you will discover why).
NGC 6745 (also known as UGC 11391) is an irregular galaxy about 206 million light-years (63.5 mega-parsecs) away in the constellation Lyra. It is actually a triplet of galaxies in the process of colliding.
Why did they decide to insert an astronomical image? And why just an Image representing three galaxies colliding? A possible metaphorical reference to a cyber war between three nations? The curiosity has stimulated a funny contest by F-Secure even if no interpretation, so far, seems convincing (I also tried to brainstorm but unfortunately my residual notions of Astronomy are not enough, so at first Glance I was not able to find any correspondence.
From an information security perspective, I could not help but notice that this is not the only overlapping between Stuxnet and Astronomy. As a matter of fact the original version of Stuxnet is programmed to automatically switch off on June, 24th 2012: even if a remind to the alleged End of the World according to the Mayan Calendar is unavoidable, this date is also linked to the so-called Grand Cross, corresponding to the date that Pluto in Capricorn squares off against Uranus in Aries.
But there is also another funny aspect and coincidence: do you remember the alleged Stuxnet-like worm that Iran claimed to have detected on April 25 2011? Curiously it was called Stars, and although no evidences of the malware (and not even samples as far as I know) were collected, so that many Information Security experts stated Iran was crying wolf, again the malware was dubbed with a term recalling astronomy. At this point I inevitably (and joyfully) wonder if Stars derived its name from hidden stellar images as in case of Duqu.
- Back to The Future of Stuxnet (paulsparrows.wordpress.com)
While the U.S. and U.K. are debating whether to use Cyberwarfare, someone, somewhere, has decided not to waste further time and has anticipated them, developing what appears to be a precursor of Stuxnet 2.0. In a blog post, Symantec explains how it came across the first samples of the malware thanks to a research lab with strong international connections, which, on October 14 2011, alerted the security firm to a sample that appeared to be very similar to Stuxnet.
The brand new threat has been dubbed “Duqu” [dyü-kyü] because it creates files with the file name prefix “~DQ”, and has been discovered in some computer systems located in the Old Continent. After receiving and analyzing the samples, Symantec has been able to confirm that parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.
Unlike its infamous predecessor Duqu does not target ICS but rather appears to be a RAT developed from the Stuxnet Source Code, whose main features may be summarized as follows (a detailed report is available here):
- The executables [...] appear to have been developed since the last Stuxnet file was recovered.
- The executables are designed to capture information such as keystrokes and system information.
- Current analysis shows no code related to industrial control systems, exploits, or self-replication.
- The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
- The exfiltrated data may be used to enable a future Stuxnet-like attack.
- Two variants were recovered [...], the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.
Of course this event rises inevitably many security questions: although cyberwar is actually little more than a concept, cyber weapons are a consolidated reality, besides it is not clear if Duqu has been developed by the same authors of Stuxnet, or worst by someone else with access to the source code of the cyber biblical plague (and who knows how many other fingers in this moment will be coding new threats from the same source code).
Anyway one particular is really intriguing: only yesterday the DHS issued a Bulletin warning about Anonymous Threat to Industrial Control Systems (ICS), not event 24 hours after the statement a new (potential) threat for ICS appears in the wild… Only a coincidence?