Tag Archive: malware

Targeted Trojans

A very particular problem that we face is around customised malware, aka targeted Trojans. These malicious programs are written specifically to avoid detection by our current anti-virus systems and are sent to carefully selected people within the institution. The purpose of these programs can only be inferred from the choice of recipients.

LSE uses MessageLabs to protect our inbound email, primarily to reduce the flood of spam to as small a trickle as possible. One of the systems that MessageLabs use is something called Skeptic, which tries to identify previously unseen malicious software and block it.

We think that this has been quite successful, although it is impossible to know how many attacks have managed to get through. Using the information we get from this system, we can discuss the implications of being on the list with the people being targeted.

The uncomfortable facts are that:

  1. LSE is a major target
  2. academia is being systemically attacked by a number of groups
  3. the threat is growing all of the time

There is no foolproof way of blocking every attack, but the intelligence gained from knowing the areas of interest of the attackers allows us to focus our efforts on the people at highest risk.

If you want more information on this or are at LSE and want specific advice, please contact me.

UPDATE: Martin Lee and I are proposing doing a talk about this at the RSA Conference 2012 in San Francisco. See the teaser trailer here.

This week, LSE received a couple of calls from “Microsoft”, stating that they had detected a virus on the PC that the user was using and could they install an update. Luckily, the person they called is in our support team and she managed to string them along for a bit. We have managed to get the originating telephone number, apparently a Croatian number, and have passed it on to the Police.

It’s worth following up on these calls, which are blatant social engineering attempts, and informing staff. We have had reports that Skype users are also being targeted.

It’s a sad fact that many people exploit human nature for their own ends. The BBC reports that there is a text message circulating in Asia suggesting that radiation has “leaked” [sic] across Asia from the Fukushima power plant in Japan. Sophos’ Graham Cluley has blogged about malware spreading across the globe in the guise of videos supposedly coming from Japan with subject lines like: “VIDEO: The village that escaped the tsunami”, “VIDEO: Struggle for normal life in Japan”, “VIDEO: Woman talks about tsunami escape”, and “Japan tsunami touches New Zealand”.

Other examples include the fake Japanese Tsunami charity appeals, fake CNN footage of the tidal wave, and a Facebook “clickjacking” scam that entices people with the bizarre claim of showing viewers a whale stuck in a building after the Tsunami.

This goes to show that everyone needs to be extra careful when tragedies such as the one in Japan happen, as people will try to hijack the event, appealing to people’s curiosity or good nature for their own purposes. Even viewing a video or clicking on a site may reveal more than you want.

If you want to donate to the relief effort, go directly to a reputable charity.

An interesting story on Slashdot this morning is about a Brazilian report [and here in the original Portuguese] into the effectiveness of free anti-virus software against non-English threats. Admittedly, they only tested six products, all of which were free, but the results were pretty disappointing, especially compared to a set of independent statistics (taken from “Virus Bulletin”):

| Name | % detected (in the report) | % detected (independent stats¹) |
|---|---|---|
| Avira | 78% | 99.7% |
| AVG | 75% | 93% |
| Panda Cloud | 70.6% | NDA |
| Avast! | 69.8% | 98.2% |
| PC Tools | 64.7% | NDA |
| Microsoft Security Essentials | 13.4% | 87.1% |

¹ These results are from 2009, but give an indication.

So, there are a number of things to draw from this, aside from the fact that no paid-for software was tested. Even if there is a large margin of error, the discrepancy in the results is quite stark and might make large organisations, particularly multi-nationals, reconsider their AV protection. What works in one part of the world may not be quite so effective in another.

It’s also worth mentioning that most anti-virus products use a variety of techniques to detect malicious software, from signatures to heuristics, and these results will almost certainly not reflect real-world detection rates when everything is turned on and additional software, like firewalls and anti-spyware products, is used.

STUXNET: Updated

Just a short post to report that Iran has admitted that some malicious software did, in fact, interfere with its uranium enrichment programme, which I would assume implies STUXNET. If it hadn’t spread so widely, it’s debatable whether it would have been noticed.

I have more about this in my previous post.

A news item that keeps bubbling up in the information security world is about STUXNET, a malicious piece of software that was originally said to target nuclear reactors in Iran. This might seem a bit odd, as most malicious software is pretty random, infecting anything it comes across. This malware seems to have had a very particular purpose.

It has been well known since its discovery that STUXNET targeted SCADA (Supervisory Control and Data Acquisition) systems, which are used in industrial process control environments, essentially providing electro-mechanical control over a logical network, be that the Internet or a dial-up modem. SCADA systems are used all over the place, controlling sluice gates, traffic lights and nuclear reactors. In general, these systems are kept as far away from public networks as possible, to prevent the infection of the networks they reside on, as the results can often be catastrophic.

However, an article in The Register, referencing a Symantec blog, detailed that this malware was even more specifically targeted. In summary, the article explains how STUXNET was aimed at frequency converter drives made by Fararo Paya of Iran and Vacon of Finland, both, presumably, used in the Iranian nuclear programme. Not only that, but only those drives that operate at very high speeds, between 807 Hz and 1210 Hz. It also had the capability to spread via USB sticks, thereby not being dependent on an accessible process control network.

The code reveals that the malware would change the output of the drives, intermittently, over a period of months, thereby disrupting whatever they were controlling, albeit subtly. Interestingly, this type of equipment has export restrictions placed on it by the US as they can be used in the centrifuges that enrich uranium.
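Subtle, intermittent changes of the kind described above are easy to miss when the only view of the drive comes through the same control system that is being manipulated. The following is an added illustration, not code from the original post or from any STUXNET analysis: it assumes an operator has a second, independent measurement of drive output (for example a separately wired tachometer, or a historian fed by another path) and compares it against the setpoint the control system reports, grouping deviations into excursions so that short intermittent ones are reported individually rather than averaged away. The 807–1210 Hz band is the one cited in the post; the tolerance, the sample readings and the function names are constructed for the example.

```python
"""Compare independently measured drive frequency against the reported setpoint.

Added illustration (not the blog post's code): assumes an operator has a
second source of truth for drive output that does not pass through the
control system itself. The sample readings below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Operating band the post describes as the one the malware singled out.
TARGETED_BAND_HZ = (807.0, 1210.0)


@dataclass(frozen=True)
class Reading:
    t: int              # seconds since start of the window (constructed)
    setpoint_hz: float  # frequency the control system reports commanding
    measured_hz: float  # frequency from the independent measurement


def in_targeted_band(hz: float) -> bool:
    """True if a setpoint falls in the high-speed band mentioned in the post."""
    lo, hi = TARGETED_BAND_HZ
    return lo <= hz <= hi


def find_excursions(readings: Sequence[Reading],
                    tolerance_hz: float = 5.0) -> List[Tuple[int, int, float]]:
    """Group consecutive readings whose |measured - setpoint| exceeds the tolerance.

    Returns (start_t, end_t, max_deviation_hz) per excursion, so brief
    intermittent deviations stay visible instead of vanishing into an average.
    """
    excursions: List[Tuple[int, int, float]] = []
    current: List = []  # [start_t, end_t, max_dev] while inside an excursion
    for r in readings:
        dev = abs(r.measured_hz - r.setpoint_hz)
        if dev > tolerance_hz:
            if not current:
                current = [r.t, r.t, dev]
            else:
                current[1] = r.t
                current[2] = max(current[2], dev)
        elif current:
            excursions.append((current[0], current[1], current[2]))
            current = []
    if current:
        excursions.append((current[0], current[1], current[2]))
    return excursions


def assess(readings: Sequence[Reading], tolerance_hz: float = 5.0) -> Dict:
    """Summarise a window of readings for an operator's review."""
    excursions = find_excursions(readings, tolerance_hz)
    return {
        "excursion_count": len(excursions),
        "excursions": excursions,
        "setpoint_in_targeted_band": any(in_targeted_band(r.setpoint_hz) for r in readings),
    }


# Constructed sample: a constant 1064 Hz setpoint, normal jitter, and two short
# unexplained deviations that a daily average would hide.
SAMPLE_READINGS = [
    Reading(0,   1064.0, 1064.2),
    Reading(60,  1064.0, 1063.9),
    Reading(120, 1064.0, 1064.1),
    Reading(180, 1064.0, 1100.0),  # excursion starts
    Reading(240, 1064.0, 1100.0),  # excursion continues
    Reading(300, 1064.0, 1064.0),
    Reading(360, 1064.0, 1064.3),
    Reading(420, 1064.0, 1063.8),
    Reading(480, 1064.0, 1064.1),
    Reading(540, 1064.0, 900.0),   # second, isolated excursion
    Reading(600, 1064.0, 1064.0),
    Reading(660, 1064.0, 1064.2),
]

if __name__ == "__main__":
    report = assess(SAMPLE_READINGS)
    print(f"excursions: {report['excursion_count']}")
    for start, end, dev in report["excursions"]:
        print(f"  t={start}s..{end}s, max deviation {dev:.1f} Hz")
    if report["setpoint_in_targeted_band"]:
        print("setpoint lies in the band the post describes as targeted")
```

The point of the design is the independence of the second measurement: if both values come from the same PLC, malware that lies about the setpoint can lie about the feedback too, and the comparison shows nothing.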

One has to assume that the purpose of the malware was to sabotage the Iranian uranium enrichment programme in such a way as to not be discovered.

The reason it got discovered was that it was too successful. Tens of thousands of systems across the world have been infected by STUXNET, notably in Indonesia.

Given the level of targeting and pre-requisite knowledge of uranium enrichment, was this written by the regular clan of virus writers, whose main aim is quick profit? Unlikely.

Mobile phone applications are huge business. There are millions of apps available for every conceivable purpose; some are useful, some are seriously irritating (the electronic vuvuzela, anyone?!). But people sometimes forget that apps are just like programs for computers: they don’t always do what you expect them to.

Apple vs. Android

I’m not a big fan of the way that Apple manage their app store, but it does have one advantage over many others – by checking every application submitted, Apple are undoubtedly preventing applications that may compromise the platform or user account data from getting anywhere near iPhones, iPods and iPads. The advantage of doing this has been highlighted today by a blog post from Lookout, a mobile phone security company. They analysed an Android wallpaper application and found that, despite its benign appearance, it was sending user data, including phone numbers, subscriber data and other details, back to the developers.

While the author of the blog post is keen to stress that there is no evidence of deliberately malicious activity, it is a concern that some apps may be doing things you aren’t expecting.

Hoax Malware

If you’ve had an email account for any length of time, you will have received an email that probably starts along the lines of:

This information arrived this morning, from Microsoft and Norton. Please send it to everybody you know who accesses the Internet.

You may receive an apparently harmless email with a PowerPoint presentation called “Life is beautiful.pps.”

If you receive it DO NOT OPEN THE FILE UNDER ANY CIRCUMSTANCES, and delete it immediately.

If you open this file, a message will appear on your screen saying: “It is too late now, your life is no longer beautiful”, subsequently you will LOSE EVERYTHING IN YOUR PC and the person who sent it to you will gain access to your name, email and password.

There are lots of these hoaxes floating around on the Internet; you just need to search for “hoax” at Symantec’s Security Center to see that there are hundreds. What people don’t appreciate is that the hoaxes do also cause damage. People can panic when not fully aware of facts and Chinese whispers can distort a fairly benign situation into something seemingly far worse.

An example of this is today’s announcement by Facebook Security that rumours have started about a virus that was affecting user profiles called the “knob face virus” (full article is here). The full text states:

Virus spreading like wildfire on FaceBook!! It is a trojan worm called “knob face”. It will steal your info, invade your system and shut it down! Do NOT open the link “Barack Obama Clinton Scandal”! If “SmartGirl15” adds you, don’t accept it; it is a virus. If somebody on your list adds her, ……then……. you get the …………virus too!! Copy and paste to your wall

So, the advice? Don’t forward or post anything like this without checking it out. All it does is create fear and clog up inboxes.