Walking into the office Monday morning after a long,
three-day weekend the network administrator of ABC Ltd, an
online company, Mr Fernando, is immediately bombarded with
complaints that one of the Windows server is performing
slowly. After a quick analysis of the servers, he is
perplexed as to why the server�s performance is failing. On
performing a detailed analysis, Mr Fernando comes across a
set of files , in the operating system, that were not
initially on the server, when he left the office last week.
This begins to give Mr Fernando a sinking feeling as he
realizes that the company�s main Web server has been
compromised by some sort of unknown malicious software.
With
the dawn of the Internet, threats such as cyber battle and
cyber espionage has brought about a new level of danger for
government and organizations alike. This has been more
prevalent in the recent past with the release of many
malevolent scripts.
So
what exactly are these three malicious scripts? The term
coined for these types of malicious software is malware:
Malware, short for malicious software, is software to help
hackers disrupt user�s computer operation, gather sensitive
information, or gain unauthorized access to a computer
system. While it is often software, it can also appear in
the form of script or code. 'Malware' is a general term used
by computer professionals to mean a variety of forms of
hostile, intrusive, or annoying software or code.
According to Computer Economics 2007 Malware Report, when
conducting a survey of IT security professionals and
managers on the frequency and economic impact of malware
attacks on their organizations, stated that in 2006 malware
infections cost $13.3 Billion dollars.
The
gravity of what these new type of threats could do was
revealed in June 2010. A drone-like self-replicating
computer virus was sent to an Iranian�s nuclear power
program, at Natanz. The malware was coined Stuxnet. Stuxnet
affected window based system and the Siemens S7
programmable-logic controllers (PLC) which regulated the
machinery in this power plant. It had the ability to adjust
the speed of certain drives of the plan so that these
drivers ran at very high and low frequencies thereby
resulting in the destruction of the centrifuges in this
nuclear power plant. However the employees of Natanz were
not aware of this as this malware was informing them,
through the industrial control system software, that
everything was normal.
Although controllers are ubiquitous, knowledge of them is so
rare that many top government officials did not even know
they existed until that week in July. Several major Western
powers initially feared the worm might represent a
generalized attack on all controllers. If the factories shut
down, if the power plants went dark, how long could social
order be maintained? Who would write a program that could
potentially do such things? And why?
On
dissecting this worm the brilliance of such an invention is
seen. Unlike most malware, Stuxnet does little harm to
computers and networks that do not meet specific
configuration requirements; "The attackers took great care
to make sure that only their designated targets were
hit...It was a marksman�s job."
What
makes this even more intriguing is that Stuxnet, unlike most
computer virus, did not carry the usual forged security
clearances, which helps virus to borrow into systems; it
actual had a real clearance stolen from the most reputed
security company in the world.
Stuxnet attacked Windows systems using an unprecedented
four zero-day attacks. It is initially spread using infected
removable drives such as USB flash drives and then uses
other exploits and techniques such as peer-to-peer RPC to
infect and update other computers inside private networks
that are not directly connected to the Internet.
Once
Stuxnet got into a system it does not automatically
activate, it remained dormant. Because buried deep in the
code was a specific target, which was the centrifuges that
spin nuclear material at this Iran�s enrichment facilities.
Stuxnet was a weapon, the first to be made out of code.
But
the most important question now is not who had the malign
brilliance to design this virus but who would redesign it?
The answer is Duqu.
Discovered in September 2011, Duqu was a malware which was
said to have been based on the Stuxnet�s source code.
However unlike Stuxnet, Duqu was designed as
a cyber-espionage malware created "to act as a backdoor into
the system and facilitate the theft of private information,"
said Kaspersky Lab security researcher.
However this malware was nothing compared to the next stage
in the evolution of the use of Stuxnet as a foundation. That
is the recent Flame malware.
Discovered on 28 May 2012 by MAHER Centre of Iranian
National Computer Emergency Response Team (CERT), Kaspersky
Lab and CrySyS Lab of the Budapest University of
Technology and Economics. �Flame� cyber espionage worm came
to the attention of the experts, at Kaspersky Lab, after the
UN�s International Telecommunication Union came to Kaspersky
lab for help in finding an unknown piece of malware which
was deleting sensitive information across the Middle East.
This
is currently coined as "the most sophisticated cyber-weapon
yet unleashed" by Kaspersky Lab researchers.
The
internal code has few similarities with other malware, but
exploits two of the same security vulnerabilities used
previously by Stuxnet to infect systems.
This
malware had the ability to steal data just like Duqu, but
has the capacity to also eavesdrop on conversations, and
take screen captures of instant message exchanges, making it
dangerous for any victim.
Flame
is a sophisticated attack toolkit. It is a backdoor, a
Trojan, and it has worm-like features, allowing it to
replicate in a local network and on removable media if it is
commanded so by its master.
Flame
is an uncharacteristically large program
for malware at
20 megabytes. It is written partly in the Lua scripting
language (where usage of lua in malware is uncommon) with
compiled C++ code
linked in, and allows other attack modules to be loaded
after initial infection. Therefore the use these really
compact programming languages, make it easy to hide.
The malware uses five different
encryption methods and a SQLite database to store structured
information.
http://en.wikipedia.org/wiki/Flame_(malware) -
cite_note-cry-0 A
possible link to malware found on computers in Iran's oil
sector has experts hinting that these malwares are the work
of a nation-state. In the wake of recent finding, some
experts now claim that there are logical conclusions that
this nation-state is none other than the US government. The
icing on the cake of these allegations is that now the US
intelligence agency are said to have planted moles inside
Microsoft which had helped them exploit this famous
operating system.
As
these threats seemed to have been commissioned by
nation-state, for different purposes with an idea of
inflicting damage, one cannot but take note that, warfare is
now being gradually waged using pieces of code against some
intangible objects, using the most dangerous media around,
i.e. cyberspace. As such war is gradually taking on a
completely new dimension and complexity.
In
this way the aggressor states, not needing to expose its own
troops to the dangers of conventional war, use cyber weapons
as a formidable tool that could be deployed anonymously from
a distance, giving the aggressor the luxury of not risking
political fallout let alone absorbing a retaliatory attack.
Nevertheless in the distant future, a pensive stance should
be taken on tools of this nature, as the catastrophes caused
by such cyber warfare could escalate to cataclysmic
proportions, which would end with the ability to affect
human life as well. |