The strange story of the Stuxnet worm

A worm attacking the Iranian nuclear program could affect your business

The tale of the worm infecting Iran’s nuclear program is one of the more fascinating stories of the computer world.

Whoever wrote the Stuxnet worm did a spectacular job of bringing together a number of security problems and then using two weak links — unpatched Windows computers and poorly designed programmable logic controller software — to create a mighty mess in the target organisation.

The scary thing with a rootkit like Stuxnet is that once it has got into the system, you can never be sure whether you’ve properly got rid of it.

What’s worse, this program writes to the programmable logic controllers (PLCs) the infected computers supervise, so plant operators can never know exactly what changes might have been carried out on the devices essential to a plant’s operations and safety.

Damaging Iranian nuclear plants

A report on the Make The World A Better Place website over the weekend indicates the Stuxnet worm may have damaged the Iranian nuclear reactor program.

The story behind the Stuxnet worm is remarkable. It appears this little beast is a sophisticated act of sabotage using a number of weaknesses in computer systems, as detailed by Computer World in its “Stuxnet Worm hits Industrial Systems” and “Is Stuxnet the best Malware Ever” articles.

The risk of unpatched systems

One of the things that leaps out is how unpatched Windows machines are an important part of the infection process. Stuxnet partly relies on a security hole (MS08-067) that Microsoft patched two years ago, so some of the Iranian machines were evidently running unpatched, older Windows installations. To be fair, the worm also exploits holes that had no patch at all when it was discovered, so patching alone would not have kept it out; it would, however, have closed one of the doors it walks through.

This is fairly common in the automation industries. I’ve personally seen outdated, unpatched Windows servers running CCTV, security, home automation and dispatch systems. They are in that state because the equipment vendors have supplied the equipment and then failed to maintain them.

These companies deserve real criticism for using off-the-shelf commercial software to run mission critical systems, a job it was never designed for.

Commercial programs like the various Windows, Mac and other mass market operating systems are designed for general use; they come with a whole range of services and features that industrial control systems don’t need. In fact, the Stuxnet worm uses one of those services, the print spooler, to copy itself onto other machines on the network.

Securing industrial systems

These industrial systems require far more basic, more secure control programs; a cheap option would be a customised Linux build with all the unnecessary features stripped out. In the case of Siemens, the providers of the PLCs supplied to the Iranian government, it’s disappointing such a big organisation couldn’t build its own software to control these systems.

Business owners, and anyone who has computer controlled equipment on the premises, need to ask their suppliers some hard questions about how secure the supplied computer equipment is in this age of networked services and Internet worms.

Protecting yourself from the Conficker worm

Nearly a year after it was identified, the Conficker computer worm continues to plague Windows users, infecting systems controlling everything from fighter planes to bus lane fines. We look at how to protect your computers from this threat.

The problem has become so great that a consortium of vendors has set up the Conficker Working Group to deal with the malware’s spread, and Microsoft are offering a $250,000 reward for the identity of the writer.

It’s not a problem that should be underestimated – the worm’s main use appears to be as a controller of botnets, networks of remote controlled computers used to launch attacks on other systems or to hide the tracks of scammers and password thieves.

Update your systems

Given the risks and embarrassment of being infected, avoiding this worm and others like it should be a priority for your business. First of all, your Windows computers should have the latest updates, as Conficker relies on an old security bug (MS08-067) that Microsoft patched last October.
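As an added example (not code from the original post), here is a PowerShell check for the point made here and in the Stuxnet piece above: it looks for the MS08-067 fix, KB958644, that Conficker exploits and that Stuxnet also uses to spread, and reports whether the Print Spooler service Stuxnet abuses is running. It assumes PowerShell 2.0 or later on Windows XP/Server 2003 or newer; the KB number is the real one for MS08-067, and nothing else is assumed.

```powershell
# Added example, not the original post's code. Checks the local machine for the
# MS08-067 fix (KB958644) that Conficker, and one of Stuxnet's spreading routes,
# rely on, and reports whether the Print Spooler service is running.
# Assumes PowerShell 2.0+ on Windows XP/Server 2003 or later.

$requiredFixes = @{
    'KB958644' = 'MS08-067, Server service RPC hole used by Conficker and Stuxnet'
}

function Test-HotfixInstalled {
    param([string]$KbId)
    # Get-HotFix reads Win32_QuickFixEngineering; compare case-insensitively
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -ieq $KbId }
    return [bool]$installed
}

$missing = 0
foreach ($kb in $requiredFixes.Keys) {
    if (Test-HotfixInstalled -KbId $kb) {
        Write-Output ("OK       {0}  {1}" -f $kb, $requiredFixes[$kb])
    } else {
        $missing++
        Write-Output ("MISSING  {0}  {1}" -f $kb, $requiredFixes[$kb])
    }
}

# A service pack released after a fix may roll it in without listing the KB
# separately, so show the OS version and service pack before trusting MISSING.
$os = Get-WmiObject Win32_OperatingSystem
Write-Output ("Windows {0}  service pack {1}" -f $os.Version, $os.ServicePackMajorVersion)

# Stuxnet also used the Print Spooler to copy itself onto other machines.
# A PC that never prints does not need the service at all.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') {
    Write-Output "Print Spooler is running. If this machine never prints, disable it:"
    Write-Output "    Stop-Service Spooler; Set-Service Spooler -StartupType Disabled"
}

if ($missing -gt 0) {
    Write-Output "Run Windows Update (or install the listed KBs by hand) before putting this machine on the network."
}
```

Run it in an elevated PowerShell prompt on each machine; a MISSING line on a box that is supposedly kept current is the kind of hard question to put to whoever maintains it. The hashtable can be extended with any other KB numbers your vendor tells you matter for their equipment.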

Run an anti-virus

Naturally, you should be running an up to date anti-virus. Most widely used AV programs will do the job, including Open Source detectors like Clam AV and freeware programs.

Note though that the licences for freeware programs like AVG and Avast! are specifically for home use only. If you are running those on your office system, respect the developer’s right to make a living and buy a commercial licence; they are actually cheaper and more reliable than many of the better known brand names.

Restrict your users

Finally, make sure your users log on in Limited User mode. A big reason Windows computers are more prone to viruses than their Mac and Linux cousins is that most users run their Microsoft systems in the powerful Administrator mode, which is the equivalent of leaving your car doors unlocked all night.

I’ve some instructions on setting up Limited User Profiles for Windows XP systems on the PC Rescue website. If you have an office with a Windows Server 2003 or 2008 server, your IT department or consultant will be able to do this through the network, which is a much more secure way of doing things.

Be warned that some programs won’t work unless they run in Administrator mode. If you find this is a problem then you should consider replacing that software as the vendor has shown they are either incompetent or are prepared to put their customers at risk to save a few dollars.

Either way, you don’t need suppliers that have no respect for their customers.

Your computers are too important to your business and shouldn’t be exposed to these sorts of embarrassing and expensive risks. Get your IT people to make sure the office systems are locked down properly.
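As an added example, not code from the original post, here is a PowerShell script that shows who is in the local Administrators group and moves a named account to the Users group, which is what a “Limited” account is on Windows XP. It uses the ADSI WinNT provider, which works on XP through Server 2008; the account name ‘jsmith’ is made up for illustration.

```powershell
# Added example, not the original post's code. Audits the local Administrators
# group and demotes a day-to-day account to the Users group (an XP "Limited" account).
# Assumes PowerShell 2.0+ and the ADSI WinNT provider (XP through Server 2008).
# 'jsmith' below is a made-up account name.

$computer = $env:COMPUTERNAME

function Get-LocalGroupMembers {
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$computer/$GroupName,group"
    # Members come back as COM objects; pull Name and Class (User or Group) out of each
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        New-Object PSObject -Property @{
            Name  = $m.GetType().InvokeMember('Name',  'GetProperty', $null, $m, $null)
            Class = $m.GetType().InvokeMember('Class', 'GetProperty', $null, $m, $null)
        }
    }
}

function Set-LimitedUser {
    param([string]$User)
    # Add to Users first so the account is never left in no group at all,
    # then pull it out of Administrators. The change applies at the next logon.
    $users  = [ADSI]"WinNT://$computer/Users,group"
    $admins = [ADSI]"WinNT://$computer/Administrators,group"
    $path   = "WinNT://$computer/$User,user"
    try   { $users.psbase.Invoke('Add', $path) }
    catch { <# already a member of Users, which is fine #> }
    $admins.psbase.Invoke('Remove', $path)
}

# Accounts expected to keep admin rights on a workstation; anything else is suspect
$expected = @('Administrator', 'Domain Admins')

$members = Get-LocalGroupMembers -GroupName 'Administrators'
Write-Output "Members of $computer\Administrators:"
$members | ForEach-Object { Write-Output ("  {0} ({1})" -f $_.Name, $_.Class) }

$extra = $members | Where-Object { $expected -notcontains $_.Name -and $_.Class -eq 'User' }
if ($extra) {
    Write-Output "User accounts that should probably be Limited users:"
    $extra | ForEach-Object { Write-Output "  $($_.Name)" }
}

# Demote one account once you have confirmed it is a day-to-day user, e.g.:
# Set-LimitedUser -User 'jsmith'
```

Keep one separate account with admin rights for installing software, and have the user log off and back on after the change. In an office with a domain, the same thing is done centrally through Group Policy rather than machine by machine, which is why the server route is the better one.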

A ship of fools

To accompany the launch of their new protect yourself website eBay Australia have released a survey claiming an amazing 93% of Australian Internet users don’t understand what phishing is and 72% engage in behaviour that increases their risk of falling victim to an online scam.

This is truly mind boggling given the amount of publicity that is given to these scams.

More depressingly, the press release claims that one in three Internet users believes that only dumb people fall for phishing attempts.

You can see why the smart scammers do so well with attitudes like this. We look at one of the good scams at our PC Rescue and Cranky Tech sites.

We’ll probably make this the main story for the next ABC Nightlife spot. It looks like we have a long way to go in educating people on Internet security.

Anatomy of an Internet scam

We talk a lot about Internet scams, here’s a first hand account of how they work.

A clever little scam fell into our laps tonight. It’s the typical sort of trick that can fool anyone with an Internet connection; in this case it used Skype, but it could have been an email, a pop-up ad or pretty well anything a computer encounters while on the net. So we decided to follow this one to see how it works.

This was done on a fully patched Windows XP computer running in Limited User Mode with Mozilla Firefox as the web browser. This is our preferred configuration for safe surfing.

Even so, the computer was fully backed up and we ran spyware and virus scans between each step. We strongly recommend never clicking on any link, email or advert you think might be suspicious.

The trap

You’re sitting at your computer when you notice a strange icon in the corner of your screen. It’s Skype, the Internet phone program, telling you there’s a Skype Chat message for you. The message comes from Security Center ® (Offline) Skype™ Chat and it warns WINDOWS REQUIRES IMMEDIATE ATTENTION.

We should pause here to point out if you have Skype Chat enabled you will be getting messages popping up like this on a regular basis. We’ve discussed this problem on our July ABC Nightlife spot and we’ve added the solution to our IT Queries website. You should set Skype to only accept messages from your friends.

It’s also important to note here that this message looks official. Many people think that they are too clever to be caught by these scams. What they overlook is that while many scammers are dopes, some are very clever and this one will fool a lot of intelligent people.

Following the link

At the bottom of the message is a link directing you to “a patch” that will fix the problem. Click this and you are taken to a website called “Online Alert”.

This website is allegedly owned by a Sergei Machorin of Moscow. We can safely bet that Sergei, if he exists, has no idea he’s the owner of this site.

Rather than offering a patch, Online Alert starts a fake malware scan of the computer’s hard drive. After several minutes it reports that your computer is infected with the following files.

  • Backdoor:Win32/NT Root
  • Backdoor: Win32/Sivuxa
  • Trojan.Caijing

All of these are fake. In fact, if you run the scan on an Apple Mac you’ll get exactly the same result. It’ll even claim the C: drive is infected.

Of course, they aren’t telling you this for nothing, at the bottom of the page there is a button to “fix this problem”, so we clicked it.

The fix takes us to a page offering to download and install a cleaner program called Scan and Repair 2007 for a mere 19.95 USD. And here you are stuck.

If you choose just to close the screen you’ll find yourself locked in a loop where you can’t get out of the purchase screen until you kill the process or shut down Windows.

Naturally we didn’t pay the 19.95 and we just killed Firefox instead. Many people though would be worried about shutting down their computer with this thing still open.

The Result

This is a pretty garden variety scam and it could be a lot worse. This site could easily have tried to install something malicious. We also tested this in Internet Explorer and Firefox under a Limited User profile and found no evidence of the scam trying to load spyware.

Overall it’s a fairly primitive little scam. The “online scan” is fairly simple. But to give credit to the scammers, the Skype warning, the web pages and the online scan are all quite convincing-looking mock-ups of the real thing.

Who falls for this?

Lots of people. The fact the warnings and websites look so convincing means that even experienced users can be fooled into clicking on links or thinking their computer is infected. There’s an idea that only stupid people fall for these tricks. This is not the case and even if it were, the numbers still make it attractive for the scammers.

Why do they do this?

The scammers receive a commission on every copy of Scan and Repair 2007 they sell. Given they’ve sent this warning out to millions of people they only need a tiny proportion to buy the product to make a tidy sum. It’s easy money for someone with the right skills.

F-Secure’s Mikko Hypponen believes malware is the fastest growing sector of the IT industry. We agree, and while this isn’t an example of true malware like a Trojan or virus, it still shows the profits that can be made with just a modest bit of effort.

We’ve found over the years that most people that fall for these scams are not stupid. The crooks who try this stuff are no fools and anyone who thinks they are smarter than the crooks is probably going to be caught out. All of us need to take care on the net.