Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon

Cross-posted from WIRED.


As Iran met in Kazakhstan this week with members of the UN Security Council to discuss its nuclear program, researchers announced that a new variant of the sophisticated cyberweapon known as Stuxnet had been found, which predates other known versions of the malicious code that were reportedly unleashed by the U.S. and Israel several years ago in an attempt to sabotage Iran’s nuclear program.

The new variant was designed for a different kind of attack against centrifuges used in Iran’s uranium enrichment program than later versions that were released, according to Symantec, the U.S.-based computer security firm that reverse-engineered Stuxnet in 2010 and also found the latest variant.

The new variant appears to have been released in 2007, two years earlier than other variants of the code were released, indicating that Stuxnet was active much earlier than previously known. A command-and-control server used with the malware was registered even earlier than this, on Nov. 3, 2005.

Like three later versions of Stuxnet that were released in the wild in 2009 and 2010, this one was designed to attack Siemens PLCs used in Iran’s uranium enrichment program in Natanz.

But instead of changing the speed of spinning centrifuges controlled by the PLCs, as those later versions did, this one focused on sabotaging the operation of valves controlling the flow of uranium hexafluoride gas into the centrifuges and cascades — the structure that connects multiple centrifuges together so that the gas can pass between them during the enrichment process. The malware’s goal was to manipulate the movement of gas in such a way that pressure inside the centrifuges and cascade increased five times the normal operating pressure.

“That would have very dire consequences in a facility,” says Liam O’Murchu, manager of security response operations for Symantec. “Because if pressure goes up, there’s a good chance the gas will turn into a solid state, and that will cause all sorts of damage and imbalances to the centrifuges.”

The new finding, described in a paper released by Symantec on Tuesday (.pdf), resolves a number of longstanding mysteries around a part of the attack code that appeared in the 2009 and 2010 variants of Stuxnet but was incomplete in those variants and had been disabled by the attackers.

The 2009 and 2010 versions of Stuxnet contained two attack sequences that each targeted different models of PLCs made by Siemens being used in Iran’s uranium enrichment plant — the Siemens S7-315 and S7-417 models of PLC.

In these later variants of Stuxnet, however, only the 315 attack code worked. The 417 attack code had been deliberately disabled by the attackers and was also missing important blocks of code that prevented researchers from determining definitively what it was designed to do. As a result, researchers have long guessed that it was used to sabotage valves, but couldn’t say for certain how it affected them. There were also mysteries around why the attack code was disabled — was it disabled because the attackers had failed to finish the code or had they disabled it for some other reason?

The 2007 variant resolves that mystery by making it clear that the 417 attack code had at one time been fully complete and enabled before the attackers disabled it in later versions of the weapon. And because the 2007 variant only contained the 417 attack code — with no code attacking the Siemens 315 PLC — it appears that the attackers disabled the 417 code in later versions because they wanted to change their tactics, dropping their focus on sabotaging the valves in order to focus instead on sabotaging the spinning centrifuges.

Symantec discovered the 2007 variant a few months ago during a routine search of its malware database while looking for files that matched patterns of known malware.

Though the variant was only recently found, it had been in the wild at least as early as Nov. 15, 2007, when someone uploaded it to VirusTotal for analysis. VirusTotal is a free online virus scanner that aggregates more than three-dozen brands of antivirus scanners and is used by researchers and others to determine if a file discovered on a system contains signatures of known malware. It’s not known who submitted the sample to VirusTotal or in what country they were based, but Symantec believes the 2007 version was very limited in its reach and likely only affected machines in Iran.

Until now, the first known variant of Stuxnet uncovered was released in June 2009, followed by a second variant in March 2010 and a third in April 2010. Researchers always suspected that other variants of Stuxnet existed, based on the version numbers the attackers gave their code, as well as other clues.

The June 2009 variant, for example, was labeled version 1.001. The March 2010 variant was 1.100, and the April 2010 variant was 1.101. The gaps in version numbers suggested that other versions of Stuxnet were developed, even if they were not released into the wild. That theory bore out when the researchers discovered the 2007 variant, which turned out to be version 0.5.

Though Stuxnet 0.5 was in the wild as early as 2007, it was still active when the June 2009 version was released. Stuxnet 0.5 had a stop date of July 4, 2009 coded into it, which meant that after this date it would no longer infect new computers, though it would still continue to sabotage machines it had already infected, unless it got replaced with a new version of Stuxnet. The 2007 version was also programmed to stop communicating with command-and-control servers on Jan. 11, 2009, five months before the next version of Stuxnet was released. It’s possible that when the June 2009 version was released, which had the ability to update older versions of Stuxnet via peer-to-peer communication, it replaced the older 2007 version on infected machines.

Stuxnet 0.5 was much less aggressive than later versions in that it used fewer spreading mechanisms. The researchers found no zero-day exploits in the malware to help it spread, which is probably one reason it never got caught.

By contrast, the 2010 variants of Stuxnet used four zero-day exploits as well as other methods that caused it to spread wildly out of control to more than 100,000 machines in and outside of Iran.

Stuxnet 0.5 was very surgical and spread only by infecting Siemens Step 7 project files — the files that are used to program Siemens’ S7 line of PLCs. The files are often shared among programmers, so this would have allowed Stuxnet to infect core machines used to program the 417 PLCs at Natanz.

If it found itself on a system that was connected to the internet, the malware communicated with four command-and-control servers hosted in the U.S., Canada, France and Thailand.

The domains for the servers were:,,, and All of the domains are now down or registered to new parties, but during the time the attackers used them, they had the same home page design, which made them appear to belong to an internet advertising firm called Media Suffix. A tag line on the homepage read, “Deliver What the Mind Can Dream.”

Like later versions of Stuxnet, this one had the ability to deliver updates of itself to machines that were not connected to the internet, using peer-to-peer communication. Though later versions used RPC for the peer-to-peer communication, this one used Windows mailslots. All the attackers had to do was use the command-and-control server to update the code on one infected machine that was connected to the internet, and others on the local internal network would receive the update from that machine.


Once Stuxnet 0.5 found itself on a 417 PLC, and determined that it had found the right system, the attack proceeded in eight stages, sabotaging 6 out of 18 centrifuge cascades.

In the first part, Stuxnet simply sat on the PLC watching normal operations in the cascades for about 30 days and waiting for the systems to reach a certain state of operation before the attack progressed.

In the next part, Stuxnet recorded various data points while the cascades and centrifuges operated normally, in order to replay this data to operators once the sabotage began and prevent them from detecting changes in the valves or gas pressure.

Each cascade in Natanz is organized in 15 stages or rows, with a different number of centrifuges installed in each stage. Uranium hexafluoride is pumped into cascades at stage 10, where it spins at high speed for months. The centrifugal force causes slightly lighter U-235 isotopes in the gas (the desired isotope for enrichment) to separate from heavier U-238 isotopes.

The gas containing the concentration of U-235 is then siphoned out of the centrifuges and passed to stage 9 of the cascade to be further enriched, while the depleted gas containing the concentration of U-238 isotopes is diverted to cascades in stage 11. The process repeats for a number of stages, with the enriched uranium becoming more concentrated with U-235 isotopes at each stage until the desired level of enrichment is achieved.

There are three valves on a cascade that work in unison to control the flow of gas into and out of centrifuges, as well as auxiliary valves that control the flow of gas into and out of each stage in a cascade and into and out of the cascade itself.

When the sabotage kicked in, Stuxnet closed and opened various centrifuge and auxiliary valves to increase the gas pressure, thereby sabotaging the enrichment process. Stuxnet closed valves on six out of 18 cascades and modified other valves on randomly chosen individual centrifuges to prevent operators from detecting a pattern of problems. In the final step of the attack, the sequence was reset to begin the attack over again at the first stage.

It’s long been suspected by some experts that Stuxnet was already sabotaging cascades at Natanz sometime between late 2008 and mid-2009. The new finding from Symantec supports that theory.

Stuxnet 0.5 was looking for a system in which cascade modules were labeled A21 through A28. Natanz has two cascade halls — Hall A and Hall B. Only Hall A was operating in 2008 and 2009 when Stuxnet would have been active on infected machines.

Hall A is divided into cascade rooms that are labeled Unit A21, Unit A22, etc up to Unit A28. Iran began its installation of centrifuges in two rooms in Hall A in 2006 and 2007 — Unit A24 and Unit A26 — and later expanded to other rooms. In February 2007, Iran announced that it had begun to enrich uranium at Natanz.

According to reports released by the UN’s International Atomic Energy Agency, which monitors Iran’s nuclear program, by May 2007, Iran had installed 10 cascades, consisting of a total of 1,064 centrifuges, in Hall A. By May of 2008, Iran had 2,952 centrifuges installed, and Iranian President Mahmoud Ahmadinejad announced plans to increase the number of centrifuges to 6,000. The numbers did increase throughout 2008 and early 2009, with gas being fed into them shortly after they were installed. But the number of cascades that were being fed gas and the amount of gas being fed began to drop sometime between January and August 2009 when Iran appeared to be having problems with some of its cascades. In late 2009, IAEA inspectors noticed that technicians at Natanz were actually removing centrifuges from cascades and replacing them with new ones. All of this would seem to coincide with the timing of Stuxnet.

One final interesting detail about the new variant: during the installation process of Stuxnet 0.5, the malware created a driver file that caused a forced reboot of a machine 20 days after the malware infected it. It did this by generating a BSoD (Blue Screen of Death), the infamous blue screen that appears on Windows machines when they crash.

Stuxnet was first discovered in June 2010 because some machines in Iran on which it was installed kept crashing and rebooting. Researchers were never able to determine why those machines crashed and rebooted, because other machines infected by Stuxnet did not respond in this way.

Though the version of Stuxnet found on those machines was not Stuxnet 0.5, it raises the possibility that multiple versions of Stuxnet might have infected those machines even though only one was recovered when they were examined. O’Murchu thinks it’s unlikely, however, that VirusBlokAda — the antivirus firm that first discovered Stuxnet — would have missed another variant on the machines.

Ladies with few clothes tend to cause a lot of trouble on PCs – and now on Android devices too

Cross-posted from Surelist

The appearance of a new Android malware family is not that surprising at all today, especially when we talk about SMS Trojans, which are one of the most popular and oldest types of threat created for extracting money from users. A new family of SMS Trojans named Vidro appeared a few days ago, but we have already collected a lot of APK files with very similar functionality. At the moment all the samples we have found target users only in Poland.


Trojan-SMS.AndroidOS.Vidro is spread via porn sites. The mechanism is very similar to the way the very first Android malware (Trojan-SMS.AndroidOS.FakePlayer) spread. If the user visits a porn site with a desktop browser he will see something similar to this:


But if the potential victim somehow visits the same website using an Android device, a porn web site will be ‘optimized’ for the smartphone:


After clicking on the link ‘Watch Now’, the user will be redirected to the web site called ‘Vid4Droid’ ( which suggests to the victim that they download ‘The new Sexvideo App’:


A click on the ‘Install’ button will redirect the victim to a page that starts the download automatically and contains instructions on ‘how-to-install-our-super-porno-app’, with a reminder to allow the installation of applications from unknown sources:


Vidro description

After the installation of Vidro the following icon can be found in the main menu:


If the victim launches the malware, the first thing he is going to see is a dialog box which invites him to agree to the terms and conditions.


But the ‘funny’ fact is that there is no EULA and/or terms and conditions in the app. In other words, even if those conditions exist, there is no way to read them. After clicking ‘Yes’, an SMS message will be sent to a premium rate number. The premium rate number is 72908 (Polish) and the SMS text is PAY {unique sequence of ciphers and letters}. Each message costs 2 zl (0.5 Euro). We will discuss the SMS text later. Messages will be sent every 24 hours. All the data required for sending the expensive SMS is stored in the configuration file ‘setting.json’.

Vidro is also able to hide incoming SMS messages from specific numbers. We have already seen such functionality in Trojans like Foncy and Mania.

Besides sending expensive messages Vidro is able to:

  • Update the configuration file (which might contain a new premium rate number and SMS text) and update itself. For connecting to the remote server the malware uses its own User-Agent string: “Mozilla/5.0 (Linux; U; {app_id}; {android_version}; de-ch; Vid4Droid) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30”.
  • Upload information about itself and the infected device to a remote server.
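As an added example (not from the original post or from the Vidro analysis it describes), a small detector that sweeps web-proxy logs for the User-Agent shape quoted above and pulls out the per-device fields; the log line format and the sample lines are constructed, and the value in the {app_id} slot is a made-up placeholder.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Shape of the User-Agent quoted in the analysis. Only the {app_id} and
# {android_version} slots vary per device; everything else is fixed text.
VIDRO_UA_RE = re.compile(
    r"Mozilla/5\.0 \(Linux; U; (?P<app_id>[^;]+); (?P<android_version>[^;]+); "
    r"de-ch; Vid4Droid\) AppleWebKit/534\.30 \(KHTML, like Gecko\) "
    r"Version/4\.0 Mobile Safari/534\.30"
)

# Constructed proxy log format (an assumption): <timestamp> <client_ip> <url> "<user-agent>"
LOG_LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


@dataclass
class Hit:
    ts: str
    client_ip: str
    url: str
    app_id: str
    android_version: str


def match_line(line: str) -> Optional[Hit]:
    """Return a Hit when the line carries the Vidro User-Agent, else None.

    Malformed lines are skipped rather than raising, so one bad record does
    not abort a sweep over a large log.
    """
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    ua = VIDRO_UA_RE.fullmatch(m.group("ua"))
    if not ua:
        return None
    return Hit(m.group("ts"), m.group("ip"), m.group("url"),
               ua.group("app_id"), ua.group("android_version"))


def scan(lines: Iterable[str]) -> List[Hit]:
    return [hit for hit in (match_line(line) for line in lines) if hit]


def clients_seen(hits: List[Hit]) -> List[str]:
    """Distinct client addresses that produced the User-Agent, for follow-up."""
    return sorted({h.client_ip for h in hits})


# Constructed sample log: two Vidro beacons from one device a day apart (the
# post says the Trojan acts on a 24-hour cycle), one ordinary Gingerbread
# browser line, and one garbage line.
SAMPLE_LOG = """\
2012-08-14T10:01:02Z 10.0.0.12 http://c2.example.invalid/setting.json "Mozilla/5.0 (Linux; U; app-id-placeholder; 2.3.6; de-ch; Vid4Droid) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
2012-08-14T10:01:05Z 10.0.0.13 http://news.example.invalid/ "Mozilla/5.0 (Linux; U; Android 2.3.6; de-ch; GT-I9100 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
2012-08-15T10:01:02Z 10.0.0.12 http://c2.example.invalid/setting.json "Mozilla/5.0 (Linux; U; app-id-placeholder; 2.3.6; de-ch; Vid4Droid) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
this line is not in the expected format
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```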

Content provider and affiliate network

If you google ‘72908’ (the premium rate number from Vidro) you can find a Polish forum which contains some complaints about this number.


Rough translation:

“How to remove ‘carmunity’ from 72908 number? Help me.”

“It’s probably some kind of virus, this SMS goes out from the phone, it’s better to disable it with your GSM provider, both outgoing and incoming.”

“I want to disable.”

Let’s take a deeper look at the malicious domain. According to Robtex this domain is controlled by two name servers at; and the mail server is handled at


There are a number of hosts (like ‘’, ‘’, ‘’ and similar) which share both name servers and mail servers with this domain. And if you visit one of these hosts you will be redirected to the web site


Carmunity is a German content and service provider company, whose “portfolio offers an array of creative and technical solutions, enabling businesses to generate and apply their own portals in the mobile internet”. This quote was copied from the English version of their web site (


Main page of Carmunity web site

Contact information contains the physical address of this company. According to this, Carmunity is located in Bremen, Mary-Astell-Str. 2. If you google this address you can find that another German company called Displayboy has the same physical address. What do we know about this organization? Well, here are some quotes from their web site (no German version, only English):

“Welcome to DisplayBoy – the leading provider for adult affiliate marketing in the mobile Internet.”

“Right now, between 5%-10% adult website users are surfing sites with mobile phones. With Displayboy you can convert your existing mobile traffic in a snap. It’s easy, simple and reliable.”


Do Carmunity and Displayboy have something in common? I think, yes 🙂 At least both companies are specialized in monetization of mobile traffic.


As was mentioned above, some host names use the domain name and mail servers. And if you try to visit one of them you’ll be redirected to Here is a part of the main page of this web site:


Yes, it’s an affiliate network created for monetizing mobile adult traffic. And there are some curious things inside. Let’s see what’s going on there.

Many mobile affiliate networks (Russian ones at least) provide full access to various so-called ‘promotional tools’ to all participants. The SexGoesMobile affiliate network also offers various ‘promotional tools’. For example, you can create a mobile pay site using one of the existing templates:


Each template has its own domain name. And each affiliate who participates in SexGoesMobile has an ID. After choosing the template this affiliate is able to choose the target audience (‘mobile’ or ‘desktop’):


And finally an affiliate is able to generate a unique URL with his ID:


If the potential victim clicks on this unique link he will be redirected to a web site that contains fake video thumbnails. By clicking on one of these thumbnails the user will be redirected to the web site where he will be invited to download the vid4droid.apk file (Trojan-SMS.AndroidOS.Vidro). Do you remember the format of the SMS text in this malware? PAY {unique sequence of ciphers and letters}. This unique sequence of ciphers and letters is generated on a remote malicious server based on the referrer (a unique URL with the ID of the affiliate). In other words, each affiliate ‘has’ his own SMS Trojan with a unique SMS text.


The mobile malware industry and mobile malware services continue to evolve. A couple of years ago mobile affiliate networks were mostly Russian. Now we see these affiliate networks appearing in other countries. Unfortunately, such networks have already become pretty effective and are an easy way to spread mobile malware and earn money illegally. And the ‘migration’ of affiliate networks will lead to new infections and huge money losses not only in Russia but in other countries as well.

Trojan “made in Germany” spies in Bahrain

h-Online: Citizenlab has released a detailed analysis of the activities of a trojan in which the experts conclude that the malware is most likely closely related to FinFisher, a commercial spyware tool developed by a company called Gamma International. The trojan targeted political activists in Bahrain and included sender names such as that of an Al Jazeera correspondent and subject lines like “Torture reports on Rabil Najaab”.

The attached .exe file, disguised as an image, disabled anti-virus software and installed a complete set of spyware programs on the recipient’s PC. The spyware proceeded to monitor, among other things, the victim’s Skype communications including conversations and file transfers. An analysis of the infected systems’ working memory repeatedly produced the “finspy” character string. This name is used by Gamma to advertise FinFisher modules.

The trojan even displayed images while launching its background activities

The researchers say that the malware used a very special .exe packer whose signature was also recognised in another malware sample that is thought to be a demo version of the trojan. The malware communicated with servers such as, whose domain is registered with Gamma International GmbH in Germany. Although the producers of FinFisher, Gamma International Ltd, officially operate from the UK, there is significant evidence that the software is being developed in Germany. The FinFisher surveillance tool has repeatedly attracted attention in connection with the monitoring of political activists by government agencies. Gamma International recently received a Big Brother Award for its activities.

Why Google or Facebook Is Buying Your Favorite Startup

Time Techland wrote:


When I learned this morning, via Twitter, that the small company behind Mac/iOS e-mail app Sparrow was being bought by Google, I almost didn’t need to read the startup’s announcement to know the upshot.

Google and Facebook buy itty-bitty web companies all the time. And the acquired businesses typically convey what’s happening in an eerily consistent five-step ritual:

  1. Announcement of thrilling acquisition
  2. Reiteration of startup’s wildly ambitious founding notion
  3. Explanation that either Google or Facebook is the best place to change the world
  4. Acknowledgement (or sometimes non-acknowledgement) that the startup’s product is being discontinued or is going into limbo
  5. Expression of heartfelt gratitude to various supporters, usually including the consumers who are losing something they liked

So it seems to be going with Sparrow: Its five-person team will be working on Gmail henceforth; the existing Sparrow apps aren’t being discontinued, but they apparently won’t get any updates, either.


Why does this keep happening? There are several related factors at work:

Google and Facebook are already pursuing ginormous dreams of their own and don’t need new ones. They’ve got the resources they need to turn them into reality, and hundreds of millions of users who are already on board. Which is why they’re rarely all that interested in the actual products produced by the companies they snap up, especially if they cater to relatively specific needs and small user bases, such as Sparrow’s signature creation, its Gmail app for OS X.

Tiny startups are full of smart, ambitious people. To keep growing, Google and Facebook need to hire armies of smart, ambitious people–and the most efficient way to do so is often to buy small companies and thereby acquire their teams.

Large, well-established companies are envious of small, young companies. Both Google and Facebook remain more intrepid and innovative than your average great big company. But when you’re huge, you obsess over the possibility of becoming bloated, lethargic and bureaucratic. You also get paranoid that some little-known upstart will create the next big thing. Buying startups is a way to address all these fears–or at least seems like one.

Getting bought by Google or Facebook is a viable business model. Many startups with cool products don’t have a clear idea of how they’re going to make money with them. Cashing a check for a few million dollars is an expedient way to do it.

Working for a powerful web giant probably does sound appealing. I don’t think the startup founders are fibbing when they say that joining a huge company will help them fulfill their founding missions. Still, the scrappy renegades who found startups and invent new things rarely seem to be content at bigger companies forever. One example that springs to mind involves Twitter rather than Google or Facebook: Loren Brichter, creator of the amazing app Tweetie, left Twitter only 19 months after he joined it.

Continue Reading:

Madi Malware: Another Trojan Targets Organizations from the Middle East [Updated]

This article is copied from Softpedia:

Researchers from Symantec, Kaspersky and Seculert have all come across Madi (Madhi), a relatively new piece of malware that mainly targets organizations from the Middle East.

Before we take a look at Madi and compare it to other infamous Trojans such as Stuxnet, Duqu, or Flame, let’s take a quick look at its name.

According to Wikipedia, Mahdi is considered to be the redeemer of Islam who will rid the world of tyranny, injustice and wrongdoings.

So, will this malware be able to rule for seven, nine or nineteen years before the Day of Judgment as some prophecies say? Let’s see what the experts believe.

First observed in December 2011, Madi has mainly targeted computer systems in Iran, Israel, Saudi Arabia and Afghanistan, but also in other parts of the globe such as the United States, New Zealand and Greece.

The organizations attacked with the aid of the Trojan include government agencies, financial houses, critical infrastructure engineering firms, oil companies, and think tanks.

After it’s installed on a device, Madi is able to take screenshots, record audio, retrieve disk structures, delete data, and update the backdoor. As expected, it also has keylogging functionality that allows it to collect all sorts of sensitive data.

While the locations of the targets indicate that this may be a state-sponsored campaign, other evidence found by Symantec leads researchers to believe that the attacks may actually be conducted by a “Farsi-speaking hacker with a broad agenda.”

However, there is something far more interesting about this virus. Unlike Flame, Duqu or Stuxnet – which leveraged zero-day exploits and other advanced techniques – Madi mainly relies on social engineering to infect machines.

The attacks start with enticing content such as news articles, religious images, controversial videos, and PowerPoint presentations that unleash the nasty Trojan.

So far, experts have identified some 800 victims, communicating with four command and control servers.

Update 1: Iran: If the Madi cyber-strike was us it would’ve been another Stuxnet

Iran replied: “If this was a product of Iran it would be professional and at least as advanced as Stuxnet and Flame,” an English language editorial carried by the semi-official FARS news agency said.

LinkedIn spam, exploits and Zeus: a deadly combination?

Is this the perfect recipe for a cybercriminal?

  1. Hacking LinkedIn’s password (and possibly user-) database.
  2. Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible.
  3. A user unwittingly clicking on the link.
  4. An exploit gets loaded. Malware gets dropped. Malware gets executed.
  5. User’s computer is now a zombie (part of a botnet).

I would definitely say YES.
A reader of my blog contacted me today; he had received an email from LinkedIn which was looking phishy. We can verify that Step 1 is accomplished by the simple fact that in the “To” and/or “CC” field of the email below there are about 100 email addresses. A quick look-up of a few of them on LinkedIn reveals the inconvenient truth…
Here’s the email in question:


Subjects of this email might be:
“Relationship LinkedIn Mail”, “Communication LinkedIn Mail”, “Link LinkedIn Mail” or “Urgent LinkedIn Mail”. No doubt the subjects of this email will vary, and are not limited to these four.
Step 1 and step 2 of the cybercrook’s scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links. Which brings us to point 3.
Suppose someone clicks on the link. What will happen exactly? This depends on the versions of these programs that may be installed on your computer:

  • Adobe Reader
  • Java

In some cases, your browser will crash. In other cases, the page will just appear to sit there and nothing happens. In unfortunate cases, the exploit will begin doing its work. As said before, a mixed flavor of Adobe and Java exploits is used.
In this case, we will review the specific Adobe exploit. We will check with Process Explorer what exactly is happening:


Continue Reading here:

Password leaks bigger than first thought

The published password hashes do not contain any email addresses or usernames

The H-Online: There have still been no official statements on the causes and extent of the recent password leaks at LinkedIn, eHarmony and. A credible source is now reporting that the published 2.5 million MD5 hashes, for example, are just the tip of a 17 million hash iceberg. That iceberg has reportedly been circulating since summer 2011. 16.4 million of these – 95 per cent – have, the source claims, already been cracked, a claim which, for unsalted hashes, is entirely credible.

Since the lists do not contain any duplicates, it is likely that the number of affected users is in fact much larger than originally thought. Similarly, at LinkedIn, whose official statement persists in using the seemingly harmless phrase “some passwords”, several factors suggest that the list of 6.5 million SHA1 hashes posted online may exclude simple passwords that have already been cracked. A blog post entitled LinkedIn vs password cracking gives an excellent overview of the contemporary tools and techniques used to crack passwords.

The concrete effects of this particular password leak are not yet clear. The publicly distributed lists do not include user names or email addresses. It would, however, seem reasonable to assume that whoever stole the passwords also has, and is using, this information. Last month admitted to having received several reports of spamming involving user data. Since identical spam is sometimes sent to email addresses from the LinkedIn and leaks, it is more than likely that both databases have fallen into the same hands.

There is also a first indication as to why failed to implement rudimentary security measures to protect its users’ passwords. According to someone claiming to be a former system architect at the company, design weaknesses in the music service’s mobile API architecture were responsible for the, by today’s standards, weak encryption. The technique employed uses the password and client-side user name to calculate an access key. For the server to check this, it needs to store the password, which is secured only with MD5 hashes. The API was developed 9 years ago, and appears not to have been updated since. It’s going to be interesting to see what comes to light regarding the reasons for the sloppiness at these companies.

And one amusing detail – although eHarmony implores its users to use strong passwords including both upper and lower case letters, it saves the passwords in all upper case, thereby weakening its already weak security further. The hypocritical concern expressed by these companies has been covered in an editorial from The H Security: “Comment: LinkedIn and its password problems”.
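As an added example (not from The H article or from any of the companies named), the three properties of the leaks described above demonstrated on constructed data: why a de-duplicated list of unsalted hashes covers more accounts than it has entries, why a client-derived access key of the form H(username || H(password)) (the exact derivation is an assumption; the article only says the key is computed from username and password) forces the server to keep a password-equivalent, and what upper-casing before hashing does to the keyspace. The hardened counterpart uses PBKDF2 with a per-account salt.

```python
import hashlib
import os
import secrets
from typing import Iterable, Optional, Tuple

# Constructed accounts; four of them share the same password.
SAMPLE_ACCOUNTS = [
    ("alice", "Sunshine1"), ("bob", "Sunshine1"), ("carol", "Sunshine1"),
    ("dave", "Sunshine1"), ("erin", "Tr0ub4dor&3"), ("frank", "correct horse"),
]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# 1. Unsalted vs salted: the published lists contain no duplicates, and with
#    unsalted hashes every account using the same password maps to one entry.
def unsalted_hashes(accounts) -> set:
    return {md5_hex(pw.encode()) for _, pw in accounts}


def salted_hashes(accounts) -> set:
    """Per-account random salt: equal passwords no longer share a hash."""
    return {md5_hex(os.urandom(16) + pw.encode()) for _, pw in accounts}


# 2. Assumed weak API design: the client computes key = H(username || H(password)).
#    To verify it, the server must store H(password) itself.
def weak_server_record(password: str) -> str:
    return md5_hex(password.encode())


def weak_access_key(username: str, password_hash: str) -> str:
    """Only H(password) enters the computation, never the password."""
    return md5_hex((username + password_hash).encode())


def weak_server_check(username: str, stored_hash: str, presented_key: str) -> bool:
    return secrets.compare_digest(weak_access_key(username, stored_hash), presented_key)


def stored_hash_is_password_equivalent(username: str, password: str) -> bool:
    """True when the stored value alone yields an accepted key, i.e. a leak of
    the hash table is as damaging as a leak of the plaintext passwords."""
    stored = weak_server_record(password)
    return weak_server_check(username, stored, weak_access_key(username, stored))


# Hardened counterpart: the client sends the password over TLS and the server
# stores a salted, iterated hash that cannot itself be replayed as a credential.
PBKDF2_ROUNDS = 100_000


def strong_server_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def strong_server_check(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate, stored)


# 3. Upper-casing before hashing (the eHarmony detail): distinct passwords
#    collapse together and the search space shrinks by 2**n for letters.
def distinct_hashes_after_upper(passwords: Iterable[str]) -> int:
    return len({md5_hex(pw.upper().encode()) for pw in passwords})


def case_fold_shrink_factor(length: int) -> int:
    """52**n mixed-case letter passwords become 26**n once case is folded."""
    return (52 ** length) // (26 ** length)


if __name__ == "__main__":
    print("unsalted entries:", len(unsalted_hashes(SAMPLE_ACCOUNTS)))
    print("salted entries:", len(salted_hashes(SAMPLE_ACCOUNTS)))
    print("stored hash usable as credential:",
          stored_hash_is_password_equivalent("alice", "Sunshine1"))
```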

FAQ: Flame, the “super spy”

Copied from H-Online: Source

The spyware worm Flame is being billed as a “deadly cyber weapon”, but a calmer analysis reveals it to be a tool by professionals for professionals that doesn’t actually have that many new features compared to, say, the widespread online-banking trojan Zeus.

What is Flame?

Flame is the code name for a spyware program that is built to be very modular and which is also known as Flamer and sKyWIper. Flame was just recently discovered, and it will be some time before all of its components are analyzed. Anti-virus software companies estimate that Flame has infected about 1,000 computers, mostly in the Middle East.

What does Flame do?

The spyware specializes in getting hold of many different types of information. Not only can it steal files and emails from infected computers, but it can also turn them into bugging and surveillance devices using connected microphones and webcams. It is also able to record screenshots, keystrokes, and network traffic.

But all of that is already standard for a lot of malware. Does it have anything new?

One unusual feature is that Flame is able to connect with Bluetooth devices in the area. It’s not clear yet what exactly happens in this case, but it’s possible that headsets could be used for spying or that photos could be stolen from smartphones. Machines infected with Flame seem to also be able to broadcast as Bluetooth devices that offer services. More analysis is necessary to uncover further details.

Another unusual feature is the included Lua interpreter, which can be used to easily extend the functionality of the spyware with scripts.

A modular concept, sophisticated spying features – we’ve already seen that with Zeus and SpyEye. How is Flame different from those online-banking trojan kits?

Unlike with banking trojans, the individuals behind this program are not interested in spreading it as far and fast as possible – quite the opposite, in fact. As far as we know at this time, the worm didn’t try to spread itself at all at first, and if an initial analysis did not come up with anything useful on a system, Flame would even be deleted. Only when it received orders to do so – if the information it found looked promising – did Flame try to infect other systems using local networks, USB sticks, or other methods. And this would typically only infect up to a dozen computers. The final total of about 1,000 infected systems over the course of several years is minimal compared to Zeus and SpyEye, which each worked their way into millions of machines.

And how did Flame get onto the infected computers in the first place?

We do not know that yet, but we assume that the typical method for targeted attacks was used. In these cases, the perpetrators identify a group of people who have access to interesting information or can at least provide such access. These targets are then infected with the spyware, via specially crafted emails or USB sticks that someone has purposefully “lost” – or even by breaking into the victim’s apartment, where the software is manually installed on the targeted computer.

Who’s responsible for Flame? Israeli intelligence?

We don’t know – and we doubt we ever will. We do know that the software was developed by professionals, most likely by a whole team. In addition, it seems to have been repeatedly used in certain situations, mostly in the Middle East, with a particular focus on Iran. Conclusions could be drawn about the responsible parties, but it is important to keep in mind that we often only see what we are supposed to see in these situations.

Flame is often mentioned in the same breath as Stuxnet. Is there a connection there?

Both programs were used in a way that tends to suggest intelligence involvement, but technically they have very little in common. Stuxnet was a sabotage program that was very targeted and minimal, despite its wide range of functions; Flame, on the other hand, is a spyware program that is very powerful, universal and, at 20MB, somewhat bloated. The virus experts who analyzed the spyware could not find any significant similarities in the code, and there are many potential explanations for why the two programs were spread in part using similar vulnerabilities.

Is Flame a prototype for a modern “cyber weapon”?

Flame’s assignment has more to do with spying than with destruction. The spyware should therefore be labeled a “cyber wiretap” rather than a weapon.

What is actually special about Flame?

The spyware program seems to have been used for many years without being discovered, and until that happened, not a single anti-virus program recognized the malware. This situation shows once again how unsuitable anti-virus software is for protecting systems against targeted attacks. Anti-virus software focuses on defending machines against widespread, indiscriminate malware and is, for the most part, powerless against specialized software like Flame.

Painting a Picture of W32.Flamer

Symantec Connect: The number of different components in W32.Flamer is difficult to grasp. The threat is a well-designed platform including, among other things, a Web server, a database server, and secure shell communications. It includes a scripting interpreter which allows the attackers to easily deploy updated functionality through various scripts. These scripts are split up into ‘apps’ and the attackers even appear to have something equivalent to an ‘app store’ from which they can retrieve new apps containing malicious functionality.

To get an idea of how all these components fit together, the best place to start is a file called mssecmgr.ocx. This is W32.Flamer’s main file and it is the first element of the threat executed by an infected computer. The file mssecmgr.ocx contains a large number of sub-components. A breakdown of the various components and how they are stored in this file is shown in Figure 1 below:


Continue Reading at Symantec Connect Blog:

Fake BBC Website Serves Exploits and Work From Home Offers

GFI Wrote: In September, our friends at Sophos wrote about a fake BBC website offering up the “chance” to work from home for predictably large sums of money. No more than a day later, we were covering fake BBC video posts targeting Facebook users.

Today we’re looking at a fake BBC URL which drops the end-user onto a “work from home and earn $10,000+ a month” fake news site, but not before it’s attempted to load up the PC with malware via a rather nasty collection of exploits. The URL in question is bbcmoneynews(dot)com:


How does this website hate thee? Let me count the ways.

The site contains:

1) An encrypted Blackhole exploit kit, which we detect as

2) A malicious Java applet, which we detect as Trojan.Java.Generic

The Blackhole exploit kit checks which installed applications may be vulnerable to the exploits it carries (in this case, Flash and Adobe Acrobat) and uses those known vulnerabilities to download and execute malicious files.

This sample exploits the following vulnerabilities:

1) CVE-2006-0003 – IE6 COM CreateObject Code Execution is used to download and execute the following:

i. a Zbot trojan, which we detect as Trojan.Win32.Zbot.bxh
ii. Sirefef, which we detect as Trojan.Win32.Generic.pak!cobra
iii. The Fareit Trojan, which we detect as Trojan.Win32.Zbot.bxh

2) It deploys an SWF file which exploits the following vulnerability:

CVE-2011-0611 – Adobe Flash Player Memory Corruption, which we detect as Trojan.SWF.Generic

3) Depending on the version of Adobe Acrobat installed in the system, it deploys the following PDF files:

i. For versions 7 and below, 91973.pdf – CVE-2008-2992 – Adobe Reader util.printf – currently detected as Exploit.PDF-JS.Gen (v)
ii. For versions 8 and 9, bc2e7.pdf – CVE-2009-0927 – Adobe Reader Collab GetIcon, which we detect as Trojan.PDF.Generic

Ouch. And after all of that, you still have the redirect to the spam site to deal with.


There are a number of different work-from-home URLs you can expect to be sent to, and they all have comments closed (right after everybody said the work-from-home pack worked, which is of course handy for the site owner) while claiming that the “offer ends tomorrow”. This is a rather nasty pack of malware, and it’s quite possible we may see more of these work-from-home sites dabbling in exploits – not a comforting thought when you can open up any random forum or website and have a halfway decent chance of seeing a “work from home, earn big money” advert.

Stay patched, stay safe, and if you really want to work from home, then your accountant is a safer bet than the websites listed above.