Archive for December, 2011

The Mystery of Duqu

Duqu is a sophisticated malware that was discovered on September 1st, 2011. Some experts claim that Duqu could only have been created by the creators of Stuxnet, because nobody else would have had the source code needed to build such sophisticated malware that is identical to Stuxnet yet serves an entirely different purpose. Three major similarities between Stuxnet and Duqu have come to attention: first, the components are signed with stolen certificates; second, like Stuxnet, Duqu uses a zero-day vulnerability to attack Windows systems; and lastly, the way Duqu is targeted requires advanced intelligence to operate it, again similar to Stuxnet.

Highlighted a few weeks ago by Symantec, researchers have discovered how Duqu infects the targeted computers. The malware hides in a Word file (.doc) sent to the victims by email. Once the file is opened, it exploits a 0-day vulnerability in the Windows kernel to execute code and infects the system through services.exe. The infected computers can then be remotely controlled by the attackers, who can spread the malware across the network and retrieve data in the process. Symantec issued a diagram summarizing how the intrusion unfolds.

With this new discovery, security researchers are now confident that Duqu is designed to target specific high-profile critical infrastructures via Word documents crafted to look legitimate. Symantec has identified six organizations contaminated in 8 countries: Iran, Sudan, Vietnam, India, France, the Netherlands, Switzerland and Ukraine. To this is added a list of identifications made by other experts in Austria, Hungary, Indonesia and the United Kingdom.

If Duqu starts attacking Pakistani networks, Pakistan would face a huge threat, quite apart from the existing, ongoing cyber war between Pakistan and India. Duqu, by contrast, is a much more powerful malware: if targeted at Pakistani networks, it could collect intelligence data and assets from high-profile entities for the purpose of conducting a future attack against additional third parties without much effort.

It remains to be seen whether future changes made by Microsoft will be sufficient to stem the problem. At present, the source of Duqu has not yet been identified. Many measures may be taken to prevent this situation from reaching a system. It is important to have a backup of all existing data, but even more importantly, since Duqu is a powerful malware, the best way to prevent any potential attacks from it is by protecting and securing critical infrastructure networks against such threats. Microsoft has finally patched the flaw being exploited by Duqu.

Moreover, a recent discovery states that the Duqu operators have shut down all operations and cleaned up after themselves, leaving security experts almost no evidence for further research. According to Kaspersky Lab, Duqu has been active since 2007 and was only discovered in October 2011, which proves that several systems might have been infected with Duqu for years and possibly remain undetected.

A further discovery was made that Duqu's operators undertook a global clean-up on October 20th, which erased all of their activity since the year 2009 and left almost no trace of their existence throughout these years. This goes to prove that the aim of the attackers behind Duqu was to keep it secret, and as soon as word got out it was withdrawn. Even now the command and control (C&C) servers behind Duqu remain undiscovered, which only goes to show the capability and power of the attackers behind this malware.

Experts were able to point out that the servers were hacked by brute-forcing the root password, rather than through the zero-day that had been assumed, and that as soon as the attackers gained control over the servers they upgraded OpenSSH 4.3 to version 5.8, which suggests that the newer version of the software must have held some importance for them.
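As an added example (not from the original post, Symantec or Kaspersky Lab), this is the kind of check a defender would run over sshd authentication logs to catch the root-password brute force described above: a sliding window of failed root password logins per source address, followed by a successful root login from the same address. The hostname, addresses and timestamps in the sample log are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (syslog style, year omitted as in real sshd logs).
SAMPLE_LOG = """\
Oct 18 02:14:01 cc1 sshd[4012]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 18 02:14:03 cc1 sshd[4014]: Failed password for root from 203.0.113.7 port 51023 ssh2
Oct 18 02:14:04 cc1 sshd[4016]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct 18 02:14:06 cc1 sshd[4018]: Failed password for root from 203.0.113.7 port 51025 ssh2
Oct 18 02:14:07 cc1 sshd[4020]: Failed password for root from 203.0.113.7 port 51026 ssh2
Oct 18 02:14:09 cc1 sshd[4022]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Oct 18 09:30:12 cc1 sshd[5100]: Failed password for admin from 198.51.100.9 port 40000 ssh2
Oct 18 09:45:55 cc1 sshd[5222]: Accepted publickey for admin from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2011):
    """Yield (timestamp, result, method, user, ip) for every sshd auth line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["ip"]

def detect_root_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return one alert per source IP whose failed root password logins reach
    `threshold` within `window_seconds`. The alert records whether a root login
    from that IP later succeeded, i.e. the brute force apparently worked."""
    failures = defaultdict(list)   # ip -> timestamps of recent failed root password logins
    alerts = {}
    for ts, result, method, user, ip in parse(log_text):
        if user != "root":
            continue
        if result == "Failed" and method == "password":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = {"first_alert": ts, "failures": len(recent), "login_after_burst": False}
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["login_after_burst"] = True   # success after a burst: treat as compromise
    return alerts
```

Logging alone does not stop the attack; the same check is only useful alongside disabling password logins for root in sshd_config and rate-limiting failed attempts.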


Pakistani Websites under Attack

Recently, many Pakistani websites have come under attack from various international blackhat groups, which continues to be a huge concern for Pakistani cyberspace. The main reason remains the lack of secure hosting infrastructure, along with badly coded web applications. Such websites can be extremely vulnerable and may easily be compromised by attackers.

Telenor Pakistan Hacked

Pakistani websites of every kind may be vulnerable to such attacks, including blogs, forums, and government, telecommunication and banking websites. Only recently, the high-profile websites that were defaced included LG Electronics Pakistan, WorldCall Telecom Limited, DunyaTV, the Supreme Court of Pakistan, Telenor Pakistan, National University, and a few more.

Moreover, a newer form of malware has been discovered attacking Pakistani websites; it attacks not only the target website but also mobile devices. Hundreds of Pakistani government sites, including the Ministry of Information and Broadcasting – Government of Pakistan (infopak.gov.pk), PESCO – Peshawar Electric Supply Company (pesco.gov.pk) and the Pakistan Navy (paknavy.gov.pk), are under attack by this malware, which is known to be controlled by an Indian blackhat. Most of these websites' owners fail to understand the importance of a secure web application and consequently lack the information security knowledge needed to secure their online information.

Malware Alert on the Infected Pakistani Websites

That is where we usually get involved and learn about such incidents. Our team protects customers' infrastructure from such attacks and performs constant monitoring. Rewterz already has a reputation for securing information for a number of high-profile organizations. By providing services such as penetration testing, incident handling, application code review, forensic analysis, and security outsourcing, we ensure complete security for an affected website.

Today hacking is a career backed by strong institutions, estimated at about $2 billion annually. The cyber war between the Pakistani and Indian blackhat communities has been going on for years, and this is not the first time we have seen a rise in such attacks. The best way to protect the information available online on websites is to have a secure hosting infrastructure that mitigates the vulnerabilities attackers look for in order to carry out an attack. Taking such measures is becoming critically important in the cyber world, and must be understood by the personnel who make critical information available online before it is too late.


Copyright © Rewterz. All rights reserved.