STE WILLIAMS

That MYSTERY Duqu Trojan language: Plain old C

An appeal for help from the programming community has allowed antivirus analysts to classify the unknown language used to develop key components of the Duqu Trojan.

Duqu creates a backdoor on compromised SCADA-based industrial control systems. The malware is closely related to the nuke plant centrifuge-busting Stuxnet worm and was probably developed by the same group. Security researchers at Kaspersky Lab found that Duqu uses the mystery code to communicate with its command-and-control (C&C) servers from infected machines. Unlike the rest of Duqu, the so-called Duqu Framework is not written in C++ and it’s not compiled with Microsoft’s Visual C++ 2008.

The code was not written using Delphi or .Net, other virus-writing favourites, either. Hardcore VXers use assembler to write malicious code but it wasn’t that either.

After going some way in unraveling the mystery language used by the Duqu Framework, Kaspersky Lab researchers appealed for help from the programming community.

During a webcast on Monday, Kaspersky Lab chief malware expert Vitaly Kamluk said that a variety of programming languages had been suggested in response to this appeal for help, including Lisp and Ada.

However, the suggestion that the Duqu Framework might have been developed using old-school Object Oriented C (OO C) hit the bullseye. Code compiled using C and Microsoft Visual Studio 2008 was a close match for the code in the Duqu Framework, allowing Kaspersky researchers to conclude that the framework had been written using a custom object-oriented extension to C, or plain C with a changed dialect, as Kamluk described it.

“It’s old school C. These are techniques used by professional software developers but not malware writers,” Kamluk explained.

Kamluk said that whoever created the framework had reapplied an approach most often encountered in professional Mac OS application development to create Windows malware.

Using the approach offered several advantages compared to using conventional malware writing techniques, Kamluk explained. He said that the approach created code that was “more efficient, smaller, faster, more flexible and re-useable”.

Knowing the techniques used to develop the malware allows Kaspersky’s researchers to make better guesses about who might be behind the code. The security researchers said that the Duqu framework was probably created by old school professional developers who were well used to making software using Object Oriented C.

“The developers of the framework prefer to extend an ‘old-school’ language with contemporary techniques,” the Kaspersky boffins conclude. “The framework could have been reused from an existing software project. [The approach is] common for professional software developers, but unique for malware writers.”

“The code was written by a team of experienced ‘old-school’ developers who wanted to create a customised framework to support a highly flexible and adaptable attack platform. The code could have been reused from previous cyber-operations and customised to integrate into the Duqu Trojan,” said Igor Soumenkov, Kaspersky Lab malware expert. “However, one thing is certain: these techniques are normally seen by elite software developers and almost never in today’s general malware.”

Creating Duqu was a major project, so it’s possible that an entirely different team was responsible for creating the Duqu Framework, while others worked on creating drivers and system infection exploits. In this scenario it’s even possible that those who created the Duqu framework were ignorant of the real purpose of their work.

Compiling source code is a one-way transformation. Virus analysts are skilled at going from machine code to assembler but are unable to go any further. From experience the researchers can tell which language and compiler were likely used to write an item of malware, but the techniques used in the Duqu Framework were not out of the regular VXer cookbook, hence the appeal for help from the wider programming community.

Researchers at Kaspersky were the first to find the “smoking code” linking Stuxnet and Duqu. A detailed analysis of the Duqu code by Kaspersky researchers can be found here.

More on how the language behind the Duqu Framework was deduced can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/19/duqu_trojan_mystery/

Kim Dotcom seizures ‘null and void’

In an astonishing blunder, New Zealand’s Crown Law Office and its police commissioner have admitted to a ‘procedural error’ when they seized cash, cars and other property from Megaupload chief Kim Dotcom.

According to the New Zealand Herald, Justice Judith Potter of the High Court has declared the first restraining order under which the seizures were made to be “null and void” and having “no legal effect”.

The slip-up happened when the police applied for the seizure of Megaupload assets during January, and was discovered within the week, with police making a revised application on January 30. However, the approach taken by NZ Police and the Crown Law Office had denied Dotcom a chance to mount a defense, the judge said.

The blog Talkleft has noted that the mistake was made despite NZ Police boasting that a team of five from the OFCANZ (New Zealand’s organized crime agency) had worked on the case, up to and including the seizures, hand-in-hand with the FBI.

Radio New Zealand reports that during the next week, Justice Potter will hold another hearing to decide whether or not the assets should be returned. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/18/nz_police_blunder_over_dotcom/

‘Fileless’ malware installs into RAM

Researchers at Kaspersky Labs have found malware which, unusually, does not install any files on its victims’ PCs.

The researchers aren’t quite sure how unusual it is, describing it as both “unique” and “very rare”, but no matter how scarce this type of malware is it does sound rather nasty as it “… uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process.” That mode of operation means Windows and MacOS are both affected by the exploit, which is hard for many antivirus programs to spot given it runs within a trusted process.

Once under your machine’s guard, the malware tries to attack Windows User Account Control so it can install the Lurk Trojan and connect to an associated botnet. That installation attempt is the malware’s key task, as living in RAM means fileless malware won’t survive a system reboot.

That the malware is able to do so is down to a known Java vulnerability, CVE-2011-3544 to be precise. Snoracle has long since patched that hole. Another mitigating factor that will hopefully make this a short-lived attack is the fact Kaspersky picked it up in ads served only on Russian web sites. The security company has informed the ad-serving company and the offending code has been withdrawn.

But researcher Sergey Golavanov also warns that “we cannot rule out that the same exploit and the same fileless bot will be used against people in other parts of the world: they can be distributed via similar banner or teaser networks in other countries. It is likely that other malware, not just Trojan-Spy.Win32.Lurk will be used in the process.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/18/fileless_malware_found/

Met plod will use 1980s software to police Olympics

The Metropolitan Police Service will use software from the 1980s to coordinate the command and communications of its policing operations during the London Olympic Games.

The software, known as MetOps, is installed in the force’s special operations room (SOR), the central control room providing communications support during more than 500 major incidents and events each year, according to a report (PDF) by the Met into the riots of August 2011.

MetOps, a messaging and recording system, was not designed for dynamic incident management, and means commanders have no simple way to view the latest situation during an evolving incident, the report says.

The age of the MetOps system means that it is not linked directly to the software used in the force’s central communications centre, known as the computer aided dispatch (CAD) system. “This can result in the central communications centre being unaware of what is being dealt with within SOR, and conversely SOR being unaware of what is being dealt with through the CAD system,” says the report.

The system’s limitations contributed to a number of issues during the August 2011 riots, the report found, including the inability to monitor key incidents; slow communication with commanders on the ground; the lack of capability to hand over command to the oncoming team; and the inability to log key decisions and rationales for future review.

“These significant limitations coupled with the sheer scale of task around the flow of information, communication and coordination of resources posed an immense challenge for those within SOR, particularly on Monday 8th August,” the document says.

The process of replacing MetOps is under way and the force has also proposed some temporary solutions, including a new GIS system which is being trialled to assist with the coordination of resources. The Met is also considering adopting software currently used with live crime investigations for SOR.

The Met’s report also highlights the use of CCTV during disturbances. While the document says CCTV proved critical to the investigation of offences committed during the riots, it also says that there were significant challenges because of the sheer volume of footage, an estimated 200,000 hours, that had to be examined.

The police’s response to social media is also examined in the report, which notes that a digital communications steering group has been set up by the Met in response to its struggle to monitor social media in real time during the riots. The group wants to use social media to help the police understand what is going on in the community.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/19/met_police_will_use_1980s_software_during_2012_olympics/

Brit LulzSec suspect charged over NHS, plod web attacks

An alleged member of hacker group LulzSec appeared in a London court on Friday charged with conspiracy over cyber-attacks against websites maintained by the CIA and the UK’s Serious Organised Crime Agency.

Ryan Ackroyd, 25, of Oak Road, Mexborough, Doncaster, is also charged with breaking into systems maintained by the NHS and Sun newspaper publisher News International, the BBC reports.

At a hearing at Westminster Magistrates’ Court, district judge Howard Riddle granted Ackroyd, who spoke only to confirm his name and address and did not enter a plea, bail pending a case management hearing before Southwark Crown Court on 11 May.

Unemployed Ackroyd is accused of conspiring with Jake Davis, 18, Ryan Cleary, 19, and a 17-year-old lad to launch a string of denial-of-service attacks against websites between 1 February and 30 September 2011.

Bail conditions imposed on Ackroyd ban him from accessing the internet, The Guardian reports.

Ackroyd, who is accused of using the hacker label Kayla, also faces allegations in the US that he participated in hacks against the Fox Broadcasting Company, Sony Pictures Entertainment, and the Public Broadcasting Service. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/19/lulzsec_suspect_court_date/

China’s police ignore real name rules … so far

Users of China’s hugely popular social media platforms must now register with their real names if they want to be granted posting rights after a strict new government ruling came into force on Friday night, although reports suggest that the rules have yet to be enforced across the board.

The new system has been rolled out nationally on sites such as Sina Weibo, Sohu and Tencent ostensibly to eradicate zombie follower accounts and prevent “harmful” rumours from spreading across the web, although critics fear it will usher in an era of even stricter censorship online.

An ID card or a mobile phone number are the two primary ways users are being allowed to register for such sites, the latter acceptable because in China users need to submit their ID card details in order to activate a new mobile SIM.

However, when The Reg checked on Friday afternoon on the Sina Weibo home page, only around 19 million users had registered with their real name details, well short of the site’s estimated 300m users.

With the deadline for registrations coming at midnight on the same day, it’s unlikely that even half of the users on the site are abiding by the new rules, something which chief executive Charles Chao has already warned could silence a massive number of Sina Weibo users.

Reports have emerged that users are able to post on the sites despite not having registered with their ID details, although it could be that enforcement of the rules has yet to kick in.

Mark Natkin, managing director of Beijing-based IT consultancy Marbridge Consulting, told The Reg that at the moment there aren’t any real incentives for users to move forward with the real-name registration process.

“For those accounts that belong to real people, we expect broad real-name registration compliance only once the platform operators begin enforcing the requirement and closing loopholes for circumnavigating it,” he added.

“So far users who registered Sina Weibo accounts prior to the transition period are still able to post and forward without registering their real-name details and an account I registered using only a pre-paid mobile number in mid-February can also still post and forward.”

Critics have argued that the new rules are another nail in the coffin for free speech in China, just when social media sites were emerging as a genuine platform for web users in the People’s Republic to air their views.

The authorities have already introduced strict new rules governing what journalists can report in what was widely seen as an effort to discourage them from sourcing stories from social media. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/19/china_weibo_real_name/

New steganography technique relies on letter shapes

A trio of Indian researchers have proposed a method of steganography which hides messages by using a non-random distribution of letters with or without straight lines.

Steganography is a group of techniques for hiding messages in plain sight. Microdots, tiny text written inside a full stop and only legible when magnified, are one steganography technique. Steganography is hard to detect and decrypt, so much so that this paper from the US National Science and Technology Council (PDF) wrings its hands about its potential use by terrorists.

The new method for steganography has been outlined by Shraddha Dulera and Devesh Jinwala, both from the Department of Computer Engineering at the S V National Institute of Technology in Surat, India, and Aroop Dasgupta of Gandhinagar’s Bhaskaracharya Institute for Space Applications and Geo-Informatics. The trio’s paper, Experimenting with the Novel Approaches in Text Steganography, suggests that the low signal-to-noise ratio required by many current steganography techniques makes for slow decipherment.

The trio’s alternative is a system based on the characteristics of letters in the Hindu-Arabic alphabet, which they group into those possessing straight lines and those possessing curved lines. Each group is assigned a value of either zero or one as the basis for a binary code.

One method for using this scheme is to “ … generate a random string that contains the single letters (from alphabet) as the cover text. Subsequently, whenever we want to hide a ‘0’ bit in the input text file, we use the letters from the group A amongst the letters generated; whereas whenever we wish to hide a ‘1’ bit, we use the letters from the group B amongst the letters generated.”

A second scheme sees curved or straight letters capitalised at the start of sentences, so that the sentence “All birds can fly. Ostrich is a bird. Ostrich can also fly” yields a binary value of 100.

The trio’s third scheme proposes to further divide the alphabet into letters with:

  • Curves;
  • A straight horizontal middle line;
  • One vertical straight line;
  • A diagonal line.

By doing so, it becomes possible to create a code in which capital letters can have a binary value of 0, 1, 10 or 11.
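The first two schemes above, worked through as an added example (this is not code from the paper or from The Register): letters are split into an assumed straight-stroke group and an assumed curved group, scheme 1 hides each bit as a random letter from the matching group, and scheme 2 hides each bit in the capital that opens a sentence, so the page’s cover text “All birds can fly. Ostrich is a bird. Ostrich can also fly” decodes to 100. The letter partition and the sentence bank are constructed assumptions; the paper’s exact grouping is not reproduced on the page.

```python
import random
import re

# Assumed partition of the alphabet (the paper's exact grouping is not on the page):
# letters drawn only with straight strokes hide a '1', letters containing a curve hide a '0'.
STRAIGHT = set("AEFHIKLMNTVWXYZ")
CURVED = set("BCDGJOPQRSU")


def letter_bit(ch):
    """Return the bit a letter carries, or None if it is not a classifiable letter."""
    ch = ch.upper()
    if ch in STRAIGHT:
        return "1"
    if ch in CURVED:
        return "0"
    return None


# Scheme 1: the cover text is a string of random single letters; each letter is
# drawn from the group that matches the bit to be hidden at that position.
def encode_letters(bits, rng=random):
    return "".join(rng.choice(sorted(STRAIGHT if b == "1" else CURVED)) for b in bits)


def decode_letters(cover):
    return "".join(b for b in (letter_bit(c) for c in cover) if b is not None)


# Scheme 2: only the capital letter that opens each sentence carries a bit.
# Constructed sentence bank, keyed by the bit its first letter encodes.
SENTENCES = {
    "1": ["All birds can fly", "Every bird has wings", "Ice melts in the sun"],
    "0": ["Ostrich is a bird", "Ostrich can also fly", "Cats like warm places"],
}


def encode_sentences(bits, rng=random):
    """Build a cover text by picking, per bit, a sentence whose initial letter encodes it."""
    return ". ".join(rng.choice(SENTENCES[b]) for b in bits)


def decode_sentences(cover):
    """Recover the hidden bits from the first letter of every sentence."""
    bits = []
    for sentence in re.split(r"[.!?]\s*", cover):
        sentence = sentence.strip()
        if sentence:
            b = letter_bit(sentence[0])
            if b is not None:
                bits.append(b)
    return "".join(bits)


if __name__ == "__main__":
    # The page's own example: A (straight) -> 1, O (curved) -> 0, O (curved) -> 0
    print(decode_sentences("All birds can fly. Ostrich is a bird. Ostrich can also fly"))
    cover = encode_sentences("1101")
    print(cover, "->", decode_sentences(cover))
```

Because the bits live only in sentence-initial capitals, retyping or reformatting the cover text leaves the payload intact, which is the robustness the authors claim; a reader who knows the scheme reads it off as easily as the decoder does.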

The trio assert that “Our analysis reveals that our approaches impart increased randomness and because of randomness, these approaches are noticeable but it cannot be decoded until a user is not aware about these approaches. In addition, the proposed approaches are also immune to retyping and reformatting of text.”

But they also warn that “… one of the weaknesses of the proposed approaches is that once their applicability is known, they can easily be attacked. Hence, it is essential to keep the application of a particular approach to a particular data set secret, while using them.”

Do you promise not to tell? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/19/new_steganography_plan/


Assange bids for Senate seat

WikiLeaks has taken the natural next step in its evolution as a force of continuous disclosure by announcing it wants to challenge for a seat in the Australian Senate.

The organisation announced on Saturday that founder and chief Leaker Julian Assange will run for a seat in the Australian Senate, although the details of which state that will be in have yet to be revealed. Wikileaks also announced that it is looking for a candidate to take on Prime Minister Julia Gillard in her Victorian seat.

WikiLeaks (@wikileaks): “We will also be fielding a candidate to run against Julia Gillard in her home seat of Lalor (Vic)… The name of the Lalor candidate and the state Julian will run for will be announced at the appropriate time.”

Assange currently remains in the UK on bail awaiting news of the British Supreme Court decision on his appeal against possible extradition to Sweden, where he is wanted for questioning over alleged sexual assaults in 2010.

Incarceration concerns aside, WikiLeaks claims that, despite his legal predicament, Assange is eligible to run for the Upper House while detained.

In every way the move into the political arena was an inevitable one for Assange, the only surprise being the choice of such a small stage, given how he describes his organisation in his unauthorised biography: “we are a people’s bureau of checks and balances, working internationally and knowing that the things that governments and diplomats do behind closed doors is entirely our business.”

Meanwhile Assange’s mother Christine has called for Australia’s new Foreign Affairs Minister Bob Carr to “stand up now” for his plight. She told a forum in Brisbane on Friday that “any day now, the [British] Supreme Court will announce its decision. If the answer is his appeal is upheld, Julian can, in theory, come home or stay in the UK. If it is not, he will be taken to Sweden within 10 days.”

She urged Australians to “stand up now and tell the politicians how you feel,” and called for the day after the Supreme Court decision to be “a day for Julian”, replete with protests outside government offices, to raise awareness of the case.

Meanwhile, a WikiLeaks support and discussion site, WLCentral, which is not affiliated with the WikiLeaks organisation, has accused mainstream media of “gross misrepresentations” in coverage of Assange’s candidacy. The site draws attention to a number of News Ltd reports which quote WLCentral and independent legal opinion posted on the site on January 2nd, and draw the conclusion that the site is a mouthpiece for WikiLeaks.

“The writer and WLC simply request that the main stream media cease and desist from those gross misrepresentations,” the WLCentral site said.

Crikey blogger William Bowe – The Poll Bludger – believes any Senate success for Assange would be a big ask, pointing out that a Wikileaks party would “face a formidable challenge in assembling the requisite 14.3 per cent quota for election in any given state”. There’s also the small matter of a federal election not being due for around eighteen months.

However, it has at least demonstrated Assange’s ability to generate a media buzz. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/18/asange_in_bid_for_senate/