05/10/12

Russia’s Million Dollar Hackers

“Few nationalities are as good at making money from hacking as the Russians. Their share of the global cyber crime market, an estimated $12.5 billion black market, doubled last year to $4.5 billion, according to Moscow-based Group-IB, a cyber security services firm working mainly with the Russian government and banks to help reduce online fraud (See infographics here*). The Russians are hacking into your computer and your cell phone and they’re making millions as a result… Not all hacking is intolerable, or illegal. But a lot of it is, and the Russian computer geniuses walk the red carpet within the international hacker community. On the A-list of Russia’s multi-million dollar spammers and online fraudsters are the talents of Koobface members Stanislav Avdeyko (aka leDed); Alexander Koltyshev (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc), Svyatoslav Polichuck (PsycoMan). That’s just the now defunct Koobface posse. There’s also Vladislav Khorokhorin (aka BadB), the 30 year old Russian who lived in Israel and ran the online stores Dumps.name and BadB.biz specializing in the sale of compromised data of bank card users. He’s been at it for more than 8 years on the front lines of credit card fraud… Traditional crime syndicates are beginning to organize the previously disorganized Russian cybercrime market. In addition, these crime syndicates are beginning to work more closely together, sharing compromised data, botnets, and cashing schemes… In 2011, the largest type of Russian cybercrime was online fraud valued at $942 million; followed by spam at $830 million; cybercrime to cybercrime, or C2C (including services for anonymization and sale of traffic, exploits, malware, and loaders) at $230 million; and Denial of Service attacks, or DDoS, valued at $130 million.”

http://www.forbes.co…dollar-hackers/

04/6/12

Supply Chain Cyber Attack

gATO rEaDiNg - 2012 Mandiant “An Evolving Threat” and Trend Micro LuckyCat Redux reports. Great reading for any security geek, but most important, it’s about the business side of the hack. Take the old smash and grab of financial information and split town, process the financial windfall and party like it’s 2999. Now it’s more beneficial for the criminals to stay inside the victim’s servers and collect intelligence and espionage. Ok, let the gAtO break it down for you, not as a criminal (that’s easy) but as a state actor: I would go after AeroSpace, Energy, Shipping, Military Research, Engineering, India and Tibetan Activists… Wait a minute, India, a Tibetan Activist group, oh yeah you know it’s China, but this is to be expected from China. Now the new spin is why would they go into banks and use advanced persistent threat (APT) hacks? Well, as gAtO understands it, the Chinese have a shit load of MONEY – “follow the money” is not only an American thing, it’s for every player in the world.

We have to look at the data through three different sets of eyes (magnifying glass with gAtO’s old EyE’s), but it’s still the same – Your data (ALL of it, your little company secrets) needs protection.

Here is the Score-Card: your Business – versus – Competition, Government, Criminals, Hacktivists, Economic Espionage, Nuisance Hackers. On top of all this, 94% of victims were notified by an external entity that they were hacked. If that doesn’t send chills down every board member in every company in the world, nothing does.

Here you are doing your business and, let’s be frank, some businesses walk a thin line sometimes, like dumping medical and radioactive waste on a beach in New Jersey (I know Snooki lives there). Is your company maybe polluting the ground water within a 100-mile radius of the plant? This is not the information that they want hackers, or the press, to get a hold of. “Remember Rupert Murdoch’s news hacking empire – hey, hack anyone for a buck.”

Protect Customer Data – yeah, companies and governments want to protect it, but it’s their little illegal/legal stuff, like hiding the report on the offshore oil well that just blew up and spilled all kinds of stuff all over the Gulf coast. These are the real things that keep business people up at night worrying about hackers. It’s plain and simple: cover your ass, let’s get that no-bid government contract after we pay off the senator, and we better encrypt that information…..

Hackers come in all flavors, but if you look at the LuckyCat crews these are very unique. Not only real computer scientists, but marketing campaigns and project management. They use dual-tier C&C (Command and Control), and they use the victim’s supply chain to move laterally across trusted networks in order to be more invisible. Invisible takes on a new trend here: these hackers hide their code in plain sight, they sometimes use older malware as insertion points, and of course social engineering to gain access.

Bottom line, these new hackers – they are business-men, they are governments, they are commercial criminals, they are hacktivists, or they are a lone wolf hacker. Companies are finally getting the message. Protect your data, not just your customer’s data, but all your little secrets, because if you’re online – someone is watching you, and this can be a 15 year old kid or someone with a dual Master’s degree in computer technology who is unemployed or works for a government. Trust but verify takes on a new meaning now -gAtO oUt

lab notes - The report, which is based on hundreds of advanced threat investigations conducted over the past year, includes analysis, statistics and case studies that highlight how advanced and motivated attackers are stealing sensitive intellectual property and financial assets.

Malware Only Tells Half of the Story

Organizations’ investments in malware detection and antivirus capabilities, while effective in detecting characteristics associated with common worms, botnets, and drive-by downloads, do little to help defend against targeted intrusions.

The use of these publicly available tools has added some complexity to identifying threat actors because when organizations identify a piece of publicly available malware they often cleanse the file and — in the process — obscure what could be a larger incident.

It’s unclear why banks wouldn’t already be looking for unusual settlement activity and conducting daily monitoring, but there it is. At any rate, “high-risk” merchants generally handle the dicey and vicey types of online commerce, such as Internet gaming, adult Web sites, rogue anti-virus software sales and online pharmacies. Might be a good idea to keep an extra close eye out for these types of unauthorized charges over the next few days.

12/16/11

Stuxnet / Duqu Cyber Weapons Diagram

Notes for Diagram W32.Duqu threat

These files must be installed by another executable (the installer) which has not yet been recovered.

1. The installer gets in, installs all the files, and registers them to gather enumeration information and encrypt it.


Highly Targeted towards a limited number of organizations for their specific assets.

Enumerating the Network – Recording Keystrokes – Gathering System Information

uses HTTP and HTTPS to communicate with a command-and-control server

general remote access capabilities

gather intelligence from a private entity to aid future attacks on a third party

• The DLL offers nine main routines:
    • 65h: List of running processes, account details, and domain information
    • 66h: Drive names and information, including those of shared drives
    • 68h: Take a screenshot
    • 69h: Network information (interfaces, routing tables, shares list, etc.)
    • 67h: Keylogger
    • 6Ah: Window enumeration
    • 6Bh: Share enumeration
    • 6Dh: File exploration on all drives, including removable drives
    • 6Eh: Enumerate computers on the domain through NetServerEnum
• The log file contains records with the following fields:
    • Type
    • Size
    • Flags
    • Timestamp
    • Data

Key points:

• Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
• The executables are designed to capture information such as keystrokes and system information.
• Current analysis shows no code related to industrial control systems, exploits, or self-replication.
• The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
• The exfiltrated data may be used to enable a future Stuxnet-like attack.

The threat uses a custom C&C protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received. Finally, the threat is configured to run for 36 days. After 36 days, the threat will automatically remove itself from the system.


Text of Diagram:

Stuxnet / Duqu

Architecture

Installation

Injection Procedure

USB Drives

Infection Routine Flow

Windows Computers

Stuxnet Updates Itself

Command and Control Server Communication

Internet Connection

Internal Networks

Remote Control

C&C Server ↔ Compromised Computer (Client):

• Client → C&C: GET index.php?data=[DATA]
  DATA = OS Version, Machine Name, Workgroup Name

• C&C → Client, Response Type 1: 200 OK – execute RPC routine (Exec RPC code)

• C&C → Client, Response Type 2: 200 OK – encrypted binary code; the client decrypts & executes the code

C&C Control:

• Check Internet Connection
• Send system information to C&C
• C&C response to execute encrypted binary code
• C&C response to execute RPC routine

Security Issues – Mitigation Techniques

Security Information and Event Management (SIEM)

Intrusion monitoring system integrated with SIEM

Implement Extrusion Detection

Implement passive vulnerability scanners (PVS)
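The C&C exchange in the diagram (a GET to index.php?data=[DATA] carrying OS version, machine name and workgroup, answered with what looks like a JPG) and the “Implement Extrusion Detection” item above are the kind of thing a proxy-log rule can catch. The Python below is an added example, not code from the original post or from Symantec’s analysis: it scans proxy log lines for PHP requests whose data parameter is a long encoded blob and whose response is image/jpeg, then totals the JPG-wrapped bytes per client. The log line format, the 32-character threshold and the base64-like alphabet check are assumptions; the sample lines are constructed, not captured traffic.

```python
"""
Flag proxy log lines matching the Duqu-style C&C pattern described in the
diagram: GET index.php?data=[encoded system info] answered with a JPG body.
Added example; thresholds and log format are assumptions, not from the page.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed (hypothetical) log format, one request per line:
#   <timestamp> <client_ip> <method> <url> <status> <content_type> <bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<ctype>\S+)\s+(?P<bytes>\d+)$"
)
# Base64-like alphabet. The real Duqu encoding is not on the page; this is an
# assumption used only to separate opaque blobs from ordinary query values.
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")
MIN_DATA_LEN = 32  # constructed threshold; tune to the environment

# Constructed sample lines, not real traffic. 203.0.113.7 is documentation space.
SAMPLE_LOG = """\
2011-10-17T17:10:01 10.0.0.12 GET http://203.0.113.7/index.php?data=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVm 200 image/jpeg 1038
2011-10-17T17:10:05 10.0.0.12 GET http://203.0.113.7/index.php?data=V2luZG93cyBYUCBTUDMgV09SS1NUQVRJT04tMDEgV09SS0dST1VQ 200 image/jpeg 54012
2011-10-17T17:11:00 10.0.0.33 GET http://example.org/news/index.php?page=2 200 text/html 8123
2011-10-17T17:12:00 10.0.0.33 GET http://example.org/images/logo.jpg 200 image/jpeg 4021
2011-10-17T17:13:00 10.0.0.33 GET http://example.org/index.php?data=short 200 text/html 900
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(rec):
    """Return the list of indicator names that apply to one parsed record."""
    reasons = []
    parts = urlsplit(rec["url"])
    data = parse_qs(parts.query).get("data", [""])[0]
    if rec["method"] == "GET" and parts.path.endswith("index.php") and data:
        # Indicator 1: the 'data' parameter is a long opaque blob (system info
        # beacon), not a short human-readable value.
        if len(data) >= MIN_DATA_LEN and ENCODED_RE.match(data):
            reasons.append("long_encoded_data_param")
        # Indicator 2: a PHP script answers a data beacon with a JPG body, the
        # dummy-image carrier the diagram describes.
        if rec["ctype"].startswith("image/jpeg"):
            reasons.append("jpeg_response_to_php_data_request")
    return reasons


def analyze(log_text):
    """Findings for every line that hits at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"client": rec["client"], "url": rec["url"],
                             "bytes": rec["bytes"], "reasons": reasons})
    return findings


def bytes_per_client(findings):
    """Total JPG-wrapped bytes per client: the extrusion-detection view."""
    totals = defaultdict(int)
    for f in findings:
        if "jpeg_response_to_php_data_request" in f["reasons"]:
            totals[f["client"]] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f["client"], ",".join(f["reasons"]), f["url"])
    print(bytes_per_client(found))
```

Only the two 10.0.0.12 lines are flagged; the ordinary index.php?page=2 request, the real logo.jpg and the short data=short value all pass. The per-client byte total is the figure an extrusion-detection rule would alert on when it grows day over day.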

Control System


Secure Facility No Internet

Installation

Injection Procedure

USB Drives

Infection Routine Flow

Windows Computers

NO – Stuxnet Updates Itself

PLC Controllers

Industrial Motors

Command and Control Server Communication

Internet Connection

Internal Networks

Remote Control

PLC Controllers

Industrial Motors

PLC- Programmable logic controller

Duqu

Duqu – this capability to gather intelligence from a private entity to aid future attacks

Duqu – creators of Duqu had access to the source code of Stuxnet

Duqu – payload has been replaced with general remote access capabilities

Duqu – automatically removes itself from the system

Duqu – threat is configured to run for 36 days

Duqu – C&C – primarily downloading or uploading what appear to be JPG files

Duqu – information is logged to a lightly encrypted and compressed local file

Duqu – gathering system information

Duqu – enumerating the network

Duqu – download additional executables

Duqu – HTTP and HTTPS to communicate

Duqu – signed with a valid digital certificate

Duqu – record keystrokes

DATA:

Lists of running processes, account details, and domain information

Drive names and other information, including those of shared drives

Screenshots

Network information (interfaces, routing tables, shares list, etc.)

Key Presses – Key Logger

Open Windows Names

File Exploration on all Drives, including removable Drives

Enumeration of computers in the Domain through NetServerEnum

SCADA

Process automation protocols:

• DF-1
• FOUNDATION fieldbus – H1 & HSE
• Profibus – by PROFIBUS International
• PROFINET IO
• CC-Link Industrial Networks – Supported by the CLPA
• CIP (Common Industrial Protocol) – Can be treated as application layer common to DeviceNet, CompoNet, ControlNet and EtherNet/IP
• Controller Area Network – utilised in many network implementations, including CANopen and DeviceNet
• ControlNet – an implementation of CIP, originally by Allen-Bradley
• DeviceNet – an implementation of CIP, originally by Allen-Bradley
• DirectNet – Koyo / Automation Direct proprietary, yet documented PLC interface
• EtherNet/IP – IP stands for “Industrial Protocol”. An implementation of CIP, originally created by Rockwell Automation
• Ethernet Powerlink – an open protocol managed by the Ethernet POWERLINK Standardization Group (EPSG)
• EtherCAT
• Interbus – Phoenix Contact’s protocol for communication over serial links, now part of PROFINET IO
• HART Protocol
• Modbus RTU or ASCII or TCP
• Modbus Plus
• Modbus PEMEX
• Ethernet Global Data (EGD) – GE Fanuc PLCs (see also SRTP)
• FINS – Omron’s protocol for communication over several networks, including ethernet
• HostLink Protocol – Omron’s protocol for communication over serial links
• MECHATROLINK – open protocol originally developed by Yaskawa
• MelsecNet – supported by Mitsubishi Electric
• Optomux – Serial (RS-422/485) network protocol originally developed by Opto 22 in 1982. The protocol was openly documented and over time used for industrial automation applications
• Honeywell SDS – Smart Distributed System – Originally developed by Honeywell. Currently supported by Holjeron
• SERCOS interface – Open Protocol for hard real-time control of motion and I/O
• SERCOS III – Ethernet-based version of SERCOS real-time interface standard
• GE SRTP – GE Fanuc PLCs
• Sinec H1 – Siemens
• SynqNet – Danaher
• TTEthernet – TTTech
• PieP – An Open Fieldbus Protocol
• BSAP – Bristol Standard Asynchronous Protocol, developed by Bristol Babcock Inc.
• RAPIEnet – Real-time Automation Protocols for Industrial Ethernet

Company Management

Internet

Local Control Offshore Platform


PLC-DCS – Distributed Control System

PLC-RTU – Remote Terminal Unit

Valve Station

Stress Breach Station

Terminals

Internet

PLC Programmable Logic Controller

Stuxnet Seeks Specific Models S7-300 S7-400

Read Input of Device

Execute Program

Diagnostics & Communications

Update Output

PLC Scans

Communication Media

Satellite

TelCom

Internet

SONET / SDH

Cellular Networks

SCADA Master

Internet

HMI

MTU

Web Server

Internet

Duqu – Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Duqu -Geographics

France, Netherlands, Switzerland, Ukraine

India

Iran

Sudan

Vietnam

Duqu – Compile Time / Purpose:

• Wed Jun 01 03:25:18 2011 – Stealing information
• Mon Oct 17 17:07:47 2011 – Reconnaissance module
• Mon Oct 17 16:26:09 2011 – Lifespan extender
• Tue Aug 09 21:37:39 2011 – Stealing information

10/11/11

Our Predator Drones Hacked Again?

The shadow cyber war has actualized. – gAtO first wrote this about Oct. 11, 2011, but now it comes back to haunt us again. This time they took down the CIA RQ-170.

On May 31, 2011 Washington moved to classify an attack on essential infrastructure via cyberspace as potentially as damaging as any kinetic attack on US soil. Pentagon officials disclosed to the Wall Street Journal that any hacker threatening US security by attacking its nuclear reactors, pipelines or public networks such as mass transport systems. “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” an official said. But then the attackers go ahead and hack a top secret CIA/AF drone flight center. These “drones” are some of our most essential tools in our modern offensive cyber or conventional arsenal.

Do we have retaliatory virus attacks on U.S. Predator drones?

Predator drones hacked in Iraq operations

Are we in a cyber war? Consider: someone infects my top secret complex and installs an unstoppable key logger in the systems that control my main offensive warfare capabilities, the ones used to perform CIA and U.S. military unmanned drone aircraft operations in Afghanistan, Somalia, Pakistan and other conflict zones. “We keep wiping it off, and it keeps coming back,” said one U.S. military source. “We think it’s benign. But we just don’t know.” Another military spokesman said to Wired, “We generally do not discuss specific vulnerabilities, threats, or responses to our computer networks.”

The virus was first detected two weeks ago and is thought to be logging every keystroke made as US-based drone pilots remotely fly overseas missions. The drones have not been grounded as military officials claim that confidential information has not been compromised.
As you might expect military officials are attempting to downplay the significance of the computer virus attacks. They state that they do not yet know whether the virus was placed in the drone’s software by a targeted attack or if it is a piece of malware that somehow entered the network by accident. Military officials do admit that they do not know how far the virus has spread throughout the drone network.


IT security field is full of clueless people… A perfect example of a lemon market (Gutmann). Part of the problem is high demand for IT security, and over-reliance on certifications. Demand is even higher for personnel with secret or higher clearance… and it seems that in some cases if a candidate for a position has the clearance, then knowledge, expertise and other such “nonsense” are deemed optional. A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions… They think it’s “benign”! I bet Stuxnet also seemed pretty “benign” for a while.

And they are running GCS on Windows… Yeah, yeah, I am aware of the common criteria EAL for Windows. I have seen a warship’s main computer running on Windows :) How crazy is that? Of course a $26 software causes the problem…

The interesting aspect of this is that the operators are doing what I’ve always predicted American soldiers would do – fighting through the problem. Sure, they’re bringing systems down and rebuilding them, but they’re still operating. This can be both good and bad – good if you need to accomplish the mission but bad because it’s hard to bring down all of the systems at once to prevent cross-infection (I do wonder why they don’t patch the Windows vulnerability – could it be that the SPO didn’t plan for patching?)

The Creech folks are facing the same problem an oil refinery had when nimda hit them. The refinery would have had to shut down at the cost of millions of dollars if they had lost “view” of the process. However, the operator consoles (HMI) were the last source of re-infection. Eventually, they isolated all but one HMI, fixed the isolated systems, and then swapped those for the one that was probably still infected. Since that’s the logical path, I’m sure the Creech folks are trying it – but they apparently have not yet succeeded.

Long ago, in the DARPA IA program, an epidemiologist pointed out the strange anomaly between real-world infections and cyber-world infections. In the real world there is a rapid rise in the number of infections until the infection vector is saturated, then either treatment or immunity develops and the number of infections slowly trails off with time to near zero. Cyber-world infections follow a similar pattern until the trail-off stage, when the curve maintains a significant value above zero in the tail end. Anyone who monitors firewalls and IDS knows that there are still machines out there somewhere trying to infect others with blaster and nimda and every other major malware.

Once again, we see that key loggers are notoriously difficult to identify and eradicate. By far the most effective way of neutralising the effects of key loggers is techniques that ensure they receive either no data or false data. Unless you track 100% of system changes after each and every session.

We are constantly being attacked from everywhere, by everyone; what one attack vector won’t find, another attack vector will. It becomes a numbers game.
This was a directed campaign to get the key-logger installed in a secure facility. That’s good Social Engineering. That opens up another can of worms. You gonna tell me it was “Lady Gaga” on a thumb drive again?
Windows :D Let’s let the defense boys use a PS3 (more secure) to fly these drones, better than a Windows box without a mirror of the OS as a fallback plan. Disaster Recovery, boys and girls. It’s becoming an SNL comedy skit, but it ain’t funny D: The last year it’s been all China, that is the question.

I’ll back away from the soapbox now.
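The thread above keeps returning to one point: a key logger that “keeps coming back” after every wipe can only be pinned down if you track exactly what changed between sessions. As an added example, not part of the post or the comments quoted in it, the Python below snapshots a directory tree by SHA-256, stores that as a baseline, and after the next session reports which files were added, removed or modified. The directory layout, file names and “patched” contents in the demo are constructed for the demonstration; nothing here is derived from the drone ground stations the post discusses.

```python
"""
Per-session file-integrity check: take a SHA-256 baseline of a tree, then
diff a later snapshot against it to list added / removed / changed files.
Added example; the demo tree and file names are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def diff_snapshots(before, after):
    """Compare two snapshots; every list is sorted so the report is stable."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(snap, path):
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: a session drops a new DLL and alters an existing binary."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "tree")          # the monitored tree
        baseline_path = os.path.join(work, "baseline.json")  # kept outside the tree
        os.makedirs(os.path.join(root, "app"))
        with open(os.path.join(root, "app", "config.ini"), "w") as fh:
            fh.write("mode=flight\n")
        with open(os.path.join(root, "app", "main.exe"), "wb") as fh:
            fh.write(b"\x4d\x5a original")

        save_baseline(snapshot(root), baseline_path)  # before the session

        # The "session": an unexpected DLL appears and main.exe is modified.
        with open(os.path.join(root, "app", "hook.dll"), "wb") as fh:
            fh.write(b"\x4d\x5a injected")
        with open(os.path.join(root, "app", "main.exe"), "wb") as fh:
            fh.write(b"\x4d\x5a patched")

        return diff_snapshots(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline lives outside the monitored tree so it does not show up as a change of its own. In practice the baseline should be taken from a known-clean rebuild and kept on media the monitored host cannot write to; a hash-only comparison will not catch in-memory-only persistence, which is why the comments above still prefer starving the key logger of data.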
