Showing posts with label Flame. Show all posts

Friday, October 5, 2012

Stuxnet, Duqu, Flame, and Gauss.

Stuxnet, Duqu, Flame, and now Gauss. These four malware families are some of the most dangerous out there. They are all coded fairly similarly, which raises the question: were they coded by the same person? We can't really know for sure, but I believe that the answer is yes and no.


As you may be aware, some time ago HBGary Federal was experimenting with Stuxnet decompiles and was suspected of planning to use it for their own purposes. The hacker group Anonymous intercepted multiple emails and compromised one of their servers, finding that they had most of the Stuxnet source code. Anonymous then released this source to the public. A while after this, we see Duqu appear. While Duqu is very similar to Stuxnet, it is still quite different. This leads us to believe that while it was based on the source of Stuxnet, the version released by Anonymous, it was coded, or modified, by someone else.

After that, we encounter Flame. This malware is very different, although many of its features are quite similar. Many thought Flame was an attack by a government, possibly the US. There is little to no evidence to support this, although it is entirely possible. This malware was also derived from the Stuxnet source, although it was modified a great deal more than Duqu was. So, once again, this is most likely from another coder entirely.

Now a newer malware has been detected and named "Gauss". While much of this malware is still unknown, as its main payload is fairly heavily encrypted, it seems to fall in with Stuxnet, Duqu, Flame, etc. There are also some who think this is another governmental espionage virus. While I do not know much about this malware, it does seem likely that governments are relying heavily on things like malware for infosec and things of that nature. Things like Flame could even be used to shut down power grids, take over full control of a network, etc., which could be extremely useful.

As soon as I learn more about Gauss, or the relationship between all these trojans/malware I will let you know.

More on Gauss: http://www.crysys.hu/, Eset

Stuxnet source: github

Credits: Eset, Crowdleaks


Monday, June 4, 2012

Some more on Flame

Flame, a virus I gave an overview of in my previous blog post, has become common knowledge, and possibly even old news for some. It is for this reason that Microsoft states that it is not worried about it anymore. They have, however, released a patch fixing an exploit it used to digitally sign itself with official Microsoft certificates. Microsoft says it is worried other viruses might also try to exploit this loophole. If you have not done so, make sure to apply the latest updates to secure your computer. This update is "KB2718704" and should be applied automatically if you have automatic updates enabled.

Credits: The Hacker News, krebsonsecurity
As always, tell me what to post about next in the comments below.

Friday, June 1, 2012

A quick overview of Skywiper/Flame

I have read numerous reports and analyses of this (relatively) new virus discovered in the wild, including, but not limited to, those of The Hacker News, McAfee, TrendLabs, Eset, and Damballa. Here is what I have found so far.

Flame is an incredibly large and sophisticated piece of malware. It seems to be targeting the Middle East, and has been around since 2010 (first detection). The file itself is about 20 MB and contains everything it needs to run (libraries, etc.). There is speculation about who made it, a private entity or a nation state. I personally am leaning towards a government (possibly US) as it seems to be targeting political and military victims (this may just be the conspiracy theorist inside me). It is capable of monitoring keystrokes, capturing webcam data, taking screenshots, and listening through microphones connected to the infected machine. It spreads through any connected removable storage, through printer sharing, and through domain controllers. It is very careful not to leave any tracks and removes all traces of itself and other viruses when uninstalled. The main class itself is estimated to have 750,000 lines of C code (650,000 have been reversed by McAfee).

(Figure: initial detection map, McAfee)
It is larger than Stuxnet, and some believe it to be created or used by the same group, while others think they may just be "recycling" some of Stuxnet's code (more likely). Flame is the most sophisticated virus known to date, and contains a vast amount of obfuscation and anti-decompiler code. According to McAfee, it is capable of at least the following:
- Scanning network resources
- Stealing information as specified
- Communicating to control servers over SSH and HTTPS protocols
- Detecting the presence of over 100 security products (AV, antispyware, FW, etc)
- Using both kernel- and user-mode logic
- Employing complex internal functionality using Windows APC calls and thread start manipulation, and code injections to key processes
- Loading as part of Winlogon.exe and then injecting itself into Internet Explorer and services
- Concealing its presence in ~-prefixed temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB flash memory and local network (spreading slowly)
- Creating screen captures
- Recording voice conversations
- Running on Windows XP, Windows Vista, and Windows 7 systems
- Containing known exploits, such as the print spooler and LNK exploits found in Stuxnet
- Using a SQLite database to store collected information
- Using a custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
- Often located on nearby systems: a local network for both control and target infection cases
- Using PE-encrypted resources
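Two items in that list (the ~-prefixed temp files and the SQLite store for collected data) give a defender something concrete to hunt for on a suspect host. The script below is an added example, not code from the original post or from McAfee: it walks the given directories, picks out files whose name starts with "~", and classifies them by their first bytes as a SQLite 3 database or a PE image. The file names and contents in `demo()` are constructed for the demonstration, not real Flame artifacts.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Byte signatures checked at the start of each candidate file.
# SQLite 3 files begin with this 16-byte header (public SQLite format spec);
# PE executables begin with the "MZ" DOS stub signature.
SQLITE_MAGIC = b"SQLite format 3\x00"
PE_MAGIC = b"MZ"


def classify(path: Path) -> Optional[str]:
    """Return 'sqlite', 'pe' or None based on the first bytes of the file."""
    try:
        with path.open("rb") as fh:
            head = fh.read(16)
    except OSError:  # unreadable or vanished file: skip rather than abort the hunt
        return None
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if head.startswith(PE_MAGIC):
        return "pe"
    return None


def hunt_tilde_files(roots) -> List[Tuple[str, str]]:
    """Walk the given directories and report files whose name starts with '~'
    and whose content looks like a SQLite database or a PE image.
    Returns a sorted list of (path, kind) tuples."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.startswith("~"):
                    continue
                full = Path(dirpath) / name
                kind = classify(full)
                if kind:
                    hits.append((str(full), kind))
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed sample directory and return the kinds the hunt finds."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "~SAMPLE1.tmp").write_bytes(SQLITE_MAGIC + b"\x00" * 84)  # fake db
    (tmp / "~SAMPLE2.bin").write_bytes(PE_MAGIC + b"\x90" * 62)      # fake PE
    (tmp / "~SAMPLE3.txt").write_bytes(b"plain text, not interesting")
    (tmp / "report.db").write_bytes(SQLITE_MAGIC)  # SQLite but no tilde: ignored
    return [kind for _path, kind in hunt_tilde_files([tmp])]


if __name__ == "__main__":
    for path, kind in hunt_tilde_files([tempfile.gettempdir()]):
        print(f"{kind:6} {path}")
```

A hit only means a tilde-named file with that header; plenty of legitimate software writes ~-prefixed temp files, so treat the output as triage input, not a verdict.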

I'll keep you all posted and give more info once I get it.

Let me know what I should post about next!