Archive for August, 2012

New virus linked to makers of Flame detected across Mideast

Kaspersky internet security firm says new virus, named Gauss, based on Flame platform; infected computers found in Israel, Lebanon, PA, among other states.

The Kaspersky internet security firm announced on Thursday that it has detected a new kind of computer virus that has been targeting computers in Lebanon, Israel, and the Palestinian Authority.

According to the firm, the new virus, called Gauss, was designed as a spy tool and was built on the platform of another computer virus, Flame, which was exposed earlier this year.

In the past, Kaspersky officials have determined that there was a clear link between Flame, Stuxnet – the computer worm reportedly used to target Iran’s nuclear facilities – and another virus by the name of Duqu.

What this means is that Gauss could be another in a chain of cyber assault tools developed by a single country, or by several countries.

According to the security firm, Gauss injects code into different internet browsers in order to track the users’ activities and steal passwords, “cookie” files, and browser history. In addition, it collects information on the computer’s network connections and attached devices, which it sends to the virus’ control servers.

Kaspersky indicated that Gauss was developed in 2011-2012, and was actively distributed throughout the Middle East in the last ten months. Most of the infected computers were in Lebanon (1,660), with Israel a distant second, housing 483 computers with the virus.

In addition, 261 infected computers were also found in the Palestinian Authority, along with a handful of computers in Egypt, Qatar, Syria, Jordan, and Saudi Arabia, as well as 43 in the United States and five in Germany.

The virus reportedly infected Microsoft operating systems from Windows XP through Windows 7.

Last month, the Iranian Students’ News Agency quoted an unnamed cyber security official as saying that the United States will face a “teeth-breaking” response if it continues to carry out cyber attacks against Iran. Iran has previously accused the United States and its allies of trying to sabotage its disputed nuclear program by using computer worms like Stuxnet, which caused centrifuges at the country’s main enrichment facility to fail in 2010.

In June, Iran said it had detected plans by the United States, Israel and Britain to launch what it said was a massive cyber strike, after diplomatic efforts to curb Tehran’s nuclear program broke down.

Western powers believe Iran wants to produce atomic bombs, a charge Tehran denies. It says it only wants the technology to generate medical isotopes to treat cancer patients.

Source: Haaretz


Chinese Espionage Campaign ‘Luckycat’ Targets Android

Luckycat, a gang of Chinese cybercriminals targeting executives in the aerospace, energy, and engineering industries, has been evolving its attacks since initial reports emerged in June 2011.

First they targeted Windows (easy). Then earlier this year, we saw Luckycat exploit a Java flaw to spy on Mac OS systems, with SabPub.

This summer, Trend Micro reports evidence that Luckycat is now targeting Android devices.

The company discovered two unfinished, undelivered Android apps during a recent investigation of a Luckycat command and control center (Trend also discovered ongoing deliveries of SabPub via a Java exploit). Both apps were called “testService”; the only difference was that one of them had an invisible icon. Clearly, the attackers were working on making this as stealthy as possible.

The apps exhibited behaviors similar to a Remote Access Trojan (RAT), such as locating sensitive data and uploading it to a remote server. However, the “remote shell” command was incomplete, meaning the attackers could not yet take real-time control of the devices.

Tom Kellermann, director of cyber security at Trend Micro, illustrated the potential danger of being able to remotely control devices in real time.

“For example if I the attacker see in your [phone’s] calendar that you have a meeting in ten minutes, I could just pop the mic,” he said.

Lookout Mobile confirmed seeing the same malware samples, all clearly in debug (testing) mode, since the output consisted entirely of debug messages.

The key question now is how the attackers intend to deliver this malware to their targets. The attackers have several options, Trend Micro notes. One is an SMS or email containing a download URL disguised as something legitimate (spearphishing). SabPub, for instance, was delivered through poorly spelled emails appealing to Tibetan sympathizers.

Should You Worry?
You may not be a key target of Luckycat, but one day the same malware could be used to target your Android device. Some simple countermeasures we normal folk can take are, well, the same as always:

  1. Stick to the official Google Play and Amazon Android app stores.
  2. Don’t click on strange links within emails.
  3. Use a mobile security app—free versions of Lookout, Trend Micro, avast!, and McAfee provide strong lines of defense.