


   ISSUE 13

15 August 2012

Article of the Month

Cyber Warfare

Walking into the office on Monday morning after a long three-day weekend, Mr Fernando, the network administrator of ABC Ltd, an online company, is immediately bombarded with complaints that one of the Windows servers is performing slowly. After a quick look at the servers he is perplexed as to why the server's performance has degraded. On performing a detailed analysis, Mr Fernando comes across a set of files in the operating system that were not on the server when he left the office the previous week. He gets a sinking feeling as he realises that the company's main web server has been compromised by some sort of unknown malicious software.

With the dawn of the Internet, threats such as cyber warfare and cyber espionage have brought a new level of danger for governments and organisations alike. This has become more prevalent in the recent past with the release of several malevolent programs.

So what exactly are malicious programs of this kind? The term coined for software of this type is malware:

Malware, short for malicious software, is software used to disrupt a computer's operation, gather sensitive information, or gain unauthorised access to a computer system. While it is often a compiled program, it can also appear in the form of a script or other code. 'Malware' is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or code.

According to the Computer Economics 2007 Malware Report, a survey of IT security professionals and managers on the frequency and economic impact of malware attacks on their organisations, malware infections cost organisations $13.3 billion in 2006.

The gravity of what these new threats could do was revealed in June 2010. A self-replicating computer worm was found to have been introduced into Iran's uranium enrichment facility at Natanz. The malware was named Stuxnet. Stuxnet infected Windows-based systems and, through them, reprogrammed the Siemens S7 programmable logic controllers (PLCs) that regulated the enrichment machinery. It could alter the speed of the frequency-converter drives that spin the centrifuges, running them at abnormally high and then abnormally low frequencies and thereby damaging the centrifuges. The operators at Natanz were not aware of this, because the malware fed normal-looking readings back to the industrial control system software, so that everything appeared to be running as usual.

Although such controllers are ubiquitous, knowledge of them is so rare that many top government officials did not even know they existed until the week in July 2010 when Stuxnet became public. Several major Western powers initially feared the worm might represent a generalised attack on all controllers. If the factories shut down, if the power plants went dark, how long could social order be maintained? Who would write a program that could potentially do such things? And why?

Dissecting the worm reveals the brilliance of its design. Unlike most malware, Stuxnet does little harm to computers and networks that do not meet its specific configuration requirements; as one analyst put it, "The attackers took great care to make sure that only their designated targets were hit... It was a marksman's job."

What makes this even more intriguing is that Stuxnet, unlike most malware, did not rely on forged digital signatures, which help malicious drivers to burrow into a system; its driver components carried genuine signatures, made with code-signing certificates stolen from two legitimate Taiwanese hardware manufacturers, Realtek and JMicron.

Stuxnet attacked Windows systems using an unprecedented four zero-day exploits. It initially spread on infected removable drives such as USB flash drives, and then used other exploits and techniques, such as peer-to-peer updating over RPC, to infect and update other computers inside private networks that are not directly connected to the Internet.

Once Stuxnet got onto a system it did not automatically activate; it remained dormant unless it found its target, because buried deep in the code was a fingerprint of that specific target: the centrifuges that enrich uranium at Iran's enrichment facility. Stuxnet was a weapon, the first to be made out of code.

But the more important question now is not who had the malign brilliance to design this worm, but who would build on it. The first answer was Duqu.

Discovered in September 2011, Duqu was malware that researchers judged to have been built from the same code base as Stuxnet.

Unlike Stuxnet, however, Duqu was designed as cyber-espionage malware, created "to act as a backdoor into the system and facilitate the theft of private information," said a Kaspersky Lab security researcher.

Duqu, however, was modest compared with the next stage in the evolution of malware built on the Stuxnet foundation: the recent Flame malware.

Flame was discovered on 28 May 2012 by the MAHER Centre of the Iranian National Computer Emergency Response Team (CERT), Kaspersky Lab and the CrySyS Lab of the Budapest University of Technology and Economics. The 'Flame' cyber espionage worm came to the attention of the experts at Kaspersky Lab after the UN's International Telecommunication Union asked Kaspersky Lab for help in finding an unknown piece of malware that was deleting sensitive information across the Middle East.

Kaspersky Lab researchers currently describe it as "the most sophisticated cyber-weapon yet unleashed".

Internally its code has few similarities with other malware, but it exploits two of the same security vulnerabilities that Stuxnet used to infect systems: the Windows shortcut (LNK) flaw, MS10-046, and the print spooler flaw, MS10-061.

Like Duqu, this malware could steal data, but it could also switch on a machine's microphone to eavesdrop on conversations and take screen captures of instant-message exchanges, making it dangerous for any victim.

Flame is a sophisticated attack toolkit. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.

Flame is uncharacteristically large for malware, at about 20 megabytes when fully deployed. It is written partly in the Lua scripting language (the use of Lua in malware is uncommon) with compiled C++ code linked in, and it allows other attack modules to be loaded after the initial infection, so a sample recovered from one machine cannot be assumed to be the whole toolkit.

The malware uses five different encryption methods and a SQLite database to store structured information.  

A possible link to malware found on computers in Iran's oil sector has experts suggesting that these programs are the work of a nation-state. In the wake of recent findings, some commentators claim that the logical conclusion is that this nation-state is none other than the US government. Topping off these allegations is the claim that US intelligence agencies planted moles inside Microsoft to help them exploit that company's widely used operating system.

As these threats appear to have been commissioned by nation-states for different purposes, each with the intention of inflicting damage, one cannot but take note that warfare is now gradually being waged with pieces of code against intangible targets, through the most dangerous medium around, namely cyberspace. War is thus taking on a completely new dimension and complexity.

In this way an aggressor state, without needing to expose its own troops to the dangers of conventional war, has in cyber weapons a formidable tool that can be deployed anonymously from a distance, giving it the luxury of risking neither political fallout nor a retaliatory attack.

Nevertheless, a careful stance should be taken on tools of this nature, as the damage caused by cyber warfare could escalate to catastrophic proportions and ultimately affect human life as well.

Kumar Manthri

Kumar is on the Board of Directors of the ISACA Sri Lanka Chapter, serving as its Marketing Director. Kumar works as an Information Systems Auditor at SJMS Associates, an esteemed firm of Chartered Accountants backed by Deloitte Touche Tohmatsu.



Around the World

AntiLeaks Group Claims Responsibility For WikiLeaks Attacks

By Iain Thomson | 11th August 2012 | 00:03 GMT

The WikiLeaks website has been under a major DDoS attack over the last few days and a group calling itself AntiLeaks has claimed responsibility. According to the WikiLeaks Twitter feed, the website, and those of its associates and mirrors, have been hit by a massive DDoS attack reaching 10 Gbit/s and using a more complex system than a standard bulk UDP or ICMP packet flood. The range of IP addresses is huge, indicating either thousands of machines taking part or some really good simulation.

The AntiLeaks group hasn't been heard of before and its Twitter feed only started this month. While it's possible they are simply claiming the attacks rather than carrying them out, it's clear the attacks are being taken by WikiLeaks as an attempt to shut down information. The attack comes as WikiLeaks is trying to distribute more emails from the hacking of private security group Stratfor Global Intelligence. This latest batch, released in the last few days, concerns the existence of a US-based monitoring system called Trapwire.

Researchers Release Detection Tool For Gauss Malware’s Palida Narrow Font

By Alex Fitzpatri | July 12, 2012


One of the many mysteries around the discovery of the Gauss malware is why the tool installs a new font called Palida Narrow on infected machines. Researchers have been unable to figure out yet what the purpose of the font is, but as its presence on a PC is a good indicator of a Gauss infection, CrySyS Lab and Kaspersky Lab today released a tool to detect it. The detection tool can be found on the Securelist site and also on the CrySyS Lab site.

The two main questions surrounding Gauss are why Palida Narrow is installed and what's inside the encrypted payload that Gauss installs on infected machines. While it may be some time before the contents of the payload are known, researchers have a number of theories about why the font is installed on newly infected machines. Perhaps the most intriguing of these theories is that Palida Narrow is being used as a kind of brand to mark infected PCs for the command-and-control servers.

"A third, and more probable idea is that Palida installation can in fact be detected remotely by web servers, thus the Palida installation is a marker to identify infected computers that visit some specially crafted web pages. We tell you how. If you open a web page, it can contain a CSS style sheet link, that actually tells your browser how the text blocks should look on the web page. This style sheet can in fact include references to font faces to be used. The font face definition can refer to a local font and a URL also (with some limitations) in order to get the necessary font face if it is not installed on your system," CrySyS Lab said in a blog post.
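As an added example, the remote check the CrySyS quote describes, written out for the Palida Narrow font. This is not code from the newsletter, from CrySyS Lab or from Kaspersky Lab, and it is not their detection tool; the probe page path, the beacon URL and the log layout are assumptions made for illustration. A browser tries the entries of a `@font-face` `src` list in order, so when `local('Palida Narrow')` resolves the `url()` beacon is never fetched; the server can therefore infer the font from the absence of a beacon request.

```javascript
// Added example, not code from the newsletter, CrySyS Lab or Kaspersky Lab.
// It implements the CSS font-face check for the Palida Narrow font that
// Gauss installs. PROBE_PAGE, BEACON_PATH and the log layout are assumed.

const PROBE_FONT = "Palida Narrow";
const PROBE_PAGE = "/probe.html";               // assumed page serving the CSS
const BEACON_PATH = "/fonts/palida-probe.ttf";  // assumed beacon URL on our server

// (1) Stylesheet served by the probe page. Browsers try the src list in
// order: when local() resolves to an installed font, the url() is never
// fetched. So a client that loads the page (and renders the .probe text)
// but never requests BEACON_PATH has the font installed.
function buildProbeCss(fontName = PROBE_FONT, beaconPath = BEACON_PATH) {
  return [
    "@font-face {",
    "  font-family: 'probe-font';",
    `  src: local('${fontName}'), url('${beaconPath}');`,
    "}",
    // The font must actually be used on the page, or no browser resolves it.
    ".probe { font-family: 'probe-font', serif; }",
  ].join("\n");
}

// (2) Server-side inference over constructed access-log lines (not real
// data): "client-id<TAB>request-path", one request per line.
const SAMPLE_LOG = [
  "10.0.0.5\t/probe.html",
  "10.0.0.5\t/fonts/palida-probe.ttf",
  "10.0.0.9\t/probe.html",
  "10.0.0.12\t/probe.html",
  "10.0.0.12\t/fonts/palida-probe.ttf",
  "10.0.0.20\t/index.html",
].join("\n");

// Group the requested paths by client.
function parseLog(text) {
  const byClient = new Map();
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const [client, path] = line.split("\t");
    if (!byClient.has(client)) byClient.set(client, new Set());
    byClient.get(client).add(path);
  }
  return byClient;
}

// Clients that fetched the probe page but never the beacon: the font was
// resolved locally, which for Palida Narrow is an indicator of Gauss.
// Caveats: a cached beacon, a browser with CSS or web fonts disabled, or a
// client that left before rendering also produce no beacon request, so
// serve the beacon with Cache-Control: no-store and treat a hit as a lead
// to verify on the host, not as proof of infection.
function clientsWithFontInstalled(logText, pagePath = PROBE_PAGE, beaconPath = BEACON_PATH) {
  const hits = [];
  for (const [client, paths] of parseLog(logText)) {
    if (paths.has(pagePath) && !paths.has(beaconPath)) hits.push(client);
  }
  return hits.sort();
}

// (3) Client-side variant: a script on the same page can confirm the result
// by measuring text width with and without the candidate font; if the
// candidate is installed the width differs from the monospace fallback.
// Returns null when no DOM is available (for example under Node).
function fontInstalledLocally(fontName = PROBE_FONT) {
  if (typeof document === "undefined") return null;
  const ctx = document.createElement("canvas").getContext("2d");
  const sample = "mmmmmmmmmmlli";
  ctx.font = "72px monospace";
  const fallbackWidth = ctx.measureText(sample).width;
  ctx.font = `72px '${fontName}', monospace`;
  return ctx.measureText(sample).width !== fallbackWidth;
}

console.log(buildProbeCss());
console.log("candidates:", clientsWithFontInstalled(SAMPLE_LOG)); // ["10.0.0.9"]
```

Embed the generated CSS in the probe page together with some visible text of class `probe`, serve the beacon file with `Cache-Control: no-store` so a revisit cannot hide behind the cache, and feed the web server's access log to `clientsWithFontInstalled`. Because the same CSS trick lets any web server fingerprint fonts on a visitor's machine, the result is a lead for host-side verification (for example with the CrySyS or Kaspersky tool), not proof of infection.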

Hackers strike again, hit Nvidia's developer zone
By Roger Cheng | July 13, 2012 4:53 AM PDT

"Nvidia is the latest company to get hit by hackers: The chipmaker was forced to take down its developer support Web site yesterday because user passwords may have been compromised...."

Month in Brief

Facebook Incidents Reported to Sri Lanka CERT|CC in July 2012

(Chart: Facebook incidents reported in July 2012 by category, including "Fake + Harassment")

Statistics - Sri Lanka CERT|CC

(Chart: incident statistics for the month)



Microsoft Cyber-Crime Department Phishing Scam

An email purporting to be from the "Microsoft Cyber-Crime Department" claims that all email users around the world are required to validate their account by clicking a link in the message, or risk having their email address deleted from the "world email server". No such department or server exists; the message is a phishing scam and the link should not be clicked.

Third-party Android markets host bulk of mobile malware, says F-Secure

By Robert Westervelt | 7 Aug 2012

The new malware strains are trending upward, designed to continue SMS-based attacks and other attack techniques used with previous versions of the malware, F-Secure said. The company's researchers found FakeInst and OpFake, two closely related malware families, are tied to the bulk of the mobile malware being detected.

  Notice Board
Training and Awareness Programmes - August 2012

- 13 and 14 August: Workshop on "Isuru Linux". Venue: ICT Laboratory of the ICT Branch, Ministry of Education
- 13 to 15 August: Workshop on Learning Content Management System. Venue: Provincial ICT Center, Pannipitiya
- 21 August: "Safe Use of Internet" awareness programme conducted by the Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT|CC). Venue: Auditorium, Ministry of Education
