Kamis, 19 September 2013

Surviving in the Cyber War !


Two elephants fight , coney die in the middle . That fate will likely be experienced by Internet users if stuck in combat malware attacks between the countries in conflict .

At first , malware authors are students / youth who search for identity and mostly making malware to show the existence of self and became famous for being able to make malware . In the 2000s morphed malware makers became more organized and the result is a malware became more sophisticated because it is done by a group of people with the primary purpose of financial gain . This is evident from the proliferation of spyware , adware , rogue antivirus ( fake antivirus ) and in certain countries circulated ransomware that the data hostage / victim computer systems with demands to send money to restore the encrypted data . Antivirus industry in the face of recent threats can actually be said to get a balanced opponent for malware authors have organized against antivirus firms are also organized . If the malware makers in the 1990s can be said to be a featherweight boxer , then the antivirus companies can be thought of as a welterweight boxer and obviously corporate antivirus malware makers are not worried about the individual . But the makers facing spyware, antivirus and ransomware rogue antivirus companies get a balanced opponent and seems the battle will take long because each is in the same class and have high stamina . Antivirus products supported by income from selling antivirus and malware makers / fake antivirus get money from criminal activities and accomplishments to date remains. If you think this is the end of the story , you are wrong . Precisely this is the beginning of a new story in which the emergence of malware heavyweight if even the best antivirus companies today can not be compared with some of the elite new malware detected in 2010 despite running the action years earlier . Why is categorized as malware malware heavyweight ? Is antivirus companies detect trouble ? Who is behind all this ?

In mid- 2010, PT . Vaksincom facing a strange case in Indonesia where many computers are suddenly getting low disk space message due to the size of the hard drive to swell ( see figure 1 )

Figure 1 , the low disk space message which proved to be a side effect of Stuxnet

At first PT . Vaksincom think it is a new malware variant and it had detected with Winsta name . However , apparently not realizing it is the beginning of cyber war with the circulation of malware heavyweight who later identified by antivirus companies as Stuxnet . Stuxnet malware is not out of love or student-made Russian criminal enterprises who want to earn money from computer users . But Stuxnet is malware yangdiduga secretly developed by the United States and Israel are secretly deployed with the main objectives , inhibiting the development of his country 's nuclear program of Iran . Stuxnet exploited four vulnerabilities and is able to spread itself effectively to computers that are not connected to the network though . The technique used is very simple , the use of data exchange via the UFD ( USB Flash Disk ) . Although it looks simple and does not require complicated technology , apparently spread through the UFD was intentional because apparently Stuxnet targeted computers that run SCADA ( Supervisory Control And Data Acquisition ) , tools ( hardware and software ) output Siemens used by Iran in the Iran uranium enrichment process . Stuxnet SCADA administrator cleverly fool by giving false display that all processes are running normally SCADA . Yet in reality SCADA being ordered to do activities that damage the hardware and processes that are running . Stuxnet also runs in user mode and kernel in which he uses certified drivers using a certificate stolen from JMicron and Realtek ( Hsinchu , Taiwan ) , this is one of the main factors that cause why the process was not identified Stuxnet . It also shows that the resources to make this malware does not mess around because they have to have legitimate access to steal the certificate belongs to two leading hardware companies in Taiwan are obviously far away from the target country Iran .

Not only that , after successfully carrying out its mission hinder Iran's nuclear program in 2010 , the Stuxnet attack on Iran are reported back to the power plant and a target Iran's oil industry or exactly two years later in December 2012. Motivation attack this time is expected to disrupt Iran's economy is 80 % dependent upon oil income . Back it was a severe blow to the antivirus industry that failed to detect the action of Stuxnet in 2010 . How the obvious malware detected by antivirus program and successfully carry out the action by storm back in 2010 successfully infect and run the action 2 years later in the same country ?


If in a conventional war , a battle takes place in the Middle East that are geographically very far from Indonesia is certainly the direct impact of this war will be less pronounced. Moreover, Stuxnet malware used are categorized as targeted malware attack that targets only certain in this case is the fact SCADA users of oil and gas exploration companies and SCADA administrators around the world had been very careful to Stuxnet attack . But in reality , it is not only troublesome Stuxnet SCADA administrator only and Indonesia, which happens to be the number 2 most countries in infections by Stuxnet after Iran getting the side effects of the rampant spread of Stuxnet computer where the majority of victims will experience low disk space due process Stuxnet ( Winsta ) who inflate themselves ( see figure 2 ) . This is expected because of the widespread use of USB Flash Disk in Indonesia which was used as the primary means of Stuxnet to spread itself to a standalone SCADA computers or separate from the network / network .

 
Figure 2 , Indonesia ranks second after Iran Stuxnet infection

According to Vaksincom , when the spread of Stuxnet occurred in July 2010 http://vaksin.com/2010/0710/Stuxnet % 20winsta 20winsta % % % 20virus/Stuxnet 20virus.htm , there is an interesting phenomenon that struck the Indonesian computer users where suddenly a lot of good computer Windows Vista and Windows 7 ( which had heralded as normally would be safer from malware attacks because of the additional protection UAC ( User Access Control ) ) are experiencing strange symptoms that suddenly ballooned and a hard drive full / low disk space ( see figure 1 ) , print sharing sudden death , crashes on many internal applications because dll corrupt , breaking network connections and ultimately make a computer that turns its victims to hang all of which are side effects of Stuxnet . Apparently unwitting internet world has entered the era of the cyber war that was then followed by other malware discoveries are more surprising as Duqu , Flame , Shamoon who allegedly was behind the attack Iran and claimed tens of thousands of computer oil company of Saudi Arabia ( Aramco ) and Qatar ( RasGas ) in mid- January 2013 and re- emerged a heavyweight malware spying embassies around the world and known as Rocra or Red October .

Seeing how far above its weight class malware generated from countries attacked each other , we certainly do not want to be a coney dead in the middle . His name is also coney certainly be smart and get out when two elephants fight . But how to be an astute internet users and minimize losses from malware attacks this weight class ?


Duqu, Stuxnet predecessor spy 


Middle east can be said to be the most volatile regions in the world and sometimes conflicts arising between the middle eastern countries carry over to the rest of the world . Of war in the Sinai to the Suez Canal crisis , from Black September at the Munich attack which resulted in the deaths of 11 Israeli Olympic team , which is then returned by the Mossad to kill those responsible for the incident which is believed to Black September. Actions by Mossad despite providing surprising results , but the risk is very high for a secret agent and the teams involved and the resources needed , costs and extraordinary effort to have as good as Mossad network . Moreover, with the arrest of Mossad spies lot more difficult to develop its network and its enemies increasingly vigilant against infiltration by Mossad spy network that is owned by the state even though only a small but not lost its luster with the secret services of the state such as the CIA , KGB or MI6 . But apparently it is already a thing of the past and of spying is still being done , but with the support of more advanced technology . In terms of strategic and efficiency , the use of technology is a very logical choice . If we can get what we want without the need to fight and sacrifice soldiers or spies us on the battlefield , why spend resources and energy as sending spies that are clearly at high risk if caught . That's why it seems the secret service secretly began using digital spies to gather information on the activities of his country and even in some cases digital spy malware shaped supposing it functioned as a combat soldier who provide direct hit on activities that will lead to harm large in his country . Although compared to activities involving direct spies less risky , but the destructive power of this digital spy no less deadly than minus 007 action just a beautiful woman with a much lower risk . It is also evident from the development of the technology battle with the predator aircraft have a much higher capacity than conventional aircraft -controlled pilot being able to detect and attack targets with cost and risk is much lower because it does not involve human pilots who have limitations compared to machines .

Stuxnet action to slow Iran's nuclear program an example of a digital spy activity most successful , of course, the state would deny victims . If Stuxnet was launched to slow down Iran's nuclear program , the question naturally arises of where the collection of data on these activities ? Stuxnet may not be able to carry out the action so directed without accurate data . Duqu malware is apparently a precursor to Stuxnet carry out the action to collect the data for the target computers analyzed , then based on the data obtained from Duqu , Stuxnet was launched to carry out the action menghambatprogram to disrupt Iran 's nuclear centrifuges player controlled by SCADA .

How does the process of transmitting data Duqu is very interesting to observe . If you think that would Duqu infects computers secretly victim then sends the data acquired to the command center . You 've been in the right direction . But interesting to our study is the technique Duqu collects data and sends it to the command center .

Duqu makers apparently utilizing CentOS ( one variant of Linux that is very popular and had overcome the popularity of Ubuntu ) to a central server command and immediately remove traces of Duqu announced the time of publication . From the analysis of these servers apparently all servers running CentOS servers where some are even already owned since 2009 or 2 years before it is detected Duqu . Even found a surprising fact that the techniques they use zero day exploits in OpenSSH 4.3 for the master servers . Once the server command center using CentOS OS is ready , it is of course necessary targets to be stolen computer data and one of the most logical way is to use a Trojan horse program . But how to embed this trojan programs and evade detection antivirus program because it will almost certainly want to attack the target computer is definitely at least been protected with updated antivirus program . Therefore, the most effective method to bypass antivirus detection is to exploit software vulnerabilities , where the computers that contain malware security loopholes have not been closed will be able to bypass antivirus detection and carry out his evil actions . But in the computer that performs the automatic update timeframe is very thin and Duqu makers should choose a program that exploits vulnerabilities popular ( used by many people ) and use zero days exploits , where the security holes are patched before he had had an attack . Option was dropped in Microsoft Word vulnerability CVE - 2011-3402 vulnerability in the process where there is a TrueType font that Windows process with a specially designed font that will be able to exploit the vulnerability and provide access to run code in kernel mode program like creating a new user account with rights full access . This would support the action of the Duqu secretly would run espionage collect data from the victim computer .
Then , how Duqu sends its data ? Whether to upload the data to the database server and then downloaded and analyzed by the command center ? You are 70 % correct , and it seems to also have taken into account the manufacturer Duqu because if you become an administrator overseeing ISP and data traffic where Duqu carry out the action , you likely will not be able to guess if the activity data that passes in front of your eyes is the activity of Duqu . Why ? ? Because Duqu is not allowed to upload data in conventional database that will surely arouse suspicion . The tricks performed by Duqu is sending encrypted data as a JPEG file with a size of 54 X 54 pixels . Thus , the data transmitted in addition disguised as a JPEG file and then protected with encryption and then combined by computer command center .

Duqu is the most important component called infostealer designed in such a way so as not to leave a trace file on the hard drive of the victim or temporary files on the computer and download this module and stored in temporary memory and executed by injection technique similar to that used by Stuxnet to avoid stored temporary files on the hard drive . But it also means that the process of data theft Duqu has a limited period , until the moment the computer to reboot . Therefore, each Duqu infection independently run remotely via computer command center and not spread itself automatically like Stuxnet . In addition , in order to ensure the trail is not easily detected , every 36 days Duqu deletes itself and eliminate all traces of activity on the victim computer .


Dexter Regular

Author Duqu is also not to be outdone in eliciting quirky uniqueness as Stuxnet that send email from Jason B ( Jason Bourne ) . Exploit security holes in MS Word , he made a new font with the name Dexter Showtime Regular artificial Inc. , 2003. Dexter Regular program actually is a pretty popular TV series broadcast by Showtime Cable Inc .

Duqu was first detected in mid- April 2011 , but since the publication of his existence he removes himself suddenly in mid- October 2011 . Although Duqu was eliminating his footsteps and we do not know when he will carry out the action again , if you want to make sure your computer is not infected by Duqu you can use tools issued by the Duqu Detector Crysys and can be downloaded at http://www.crysys.hu/ duqudetector.html . For the record , in September 2011, two months before the existence of Duqu was announced , Norman Sandbox technology has been able to detect the presence of the Duqu malware Generic name . The actions are alleged as Stuxnet Duqu lite version can be seen in the diagram on the call Duqu drivers figure 1 below.

 
Figure 1 , Call Diagram Duqu drivers


Survive in the age of digital warfare.


In the case of Stuxnet and Duqu appears that Iran was subjected to malware attacks that allegedly controlled by the his country . In military power , the United States supports Israel in its confrontation with Iran is still counted as the most powerful country in the world [ and able to enforce desires coup ] . However , in cyber warfare there is no guarantee that the most powerful country definitely won the war [ against the state despite the unstable economy ] . In World War II in Africa alone , Erwin Rommel ( Germany ) with limited resources but have a good strategy to offset the war and defeated the confederates [ anticipate intelligence ] in many wars battle tanks in Africa . Especially in the digital war where national borders become lost and very difficult to differentiate between friend and where the opponent which is still a lot of countries / organizations that are strong enough in the digital capabilities such as Russia and China that could compensate for Israel and the United States , not to mention groups independent as anonymous hacker who has power should not be underestimated [ and misses appreciation ] . This is evident from the expected counter-attack by Iran or its sympathizers with the release of malware Shamoon . And this time the victim is a gulf which incidentally is an ally of the United States where at least 30,000 computers Aramco ( Saudi Arabia ) and RasGas ( Qatar ) Shamoon victims and in [ coup desire ] aka wipe clean as is done by including removing wiper MBR ( Mother Boor Record ) which will instantly paralyze the victim computer . From the analysis of the action later , Shamoon visible connection with Cutting Sword of Justice ( Anonymous) where Shamoon will check the stop time ( time to stop the action ) on a post made ​​by anonymous on Pastebin . Of cases of Stuxnet , Duqu and Shamoon can be concluded that in the digital wars between countries , the most in the drill is related to the government's strategic sectors such as energy ( oil and gas ) , electricity , defense and intelligence departments [ this is not a conspiracy theory prosperity ] . Excluding government agencies , large corporate circles also potentially get a direct attack especially if the corporate has a close relationship with strategic sectors mentioned above as the contractor related to national defense or critical sectors . Surely the parties mentioned above are already aware of this and try to anticipate the possibility of an attack [ coup desire ] , but what about the small corporate and home computer users , it is safe from attack this digital war ? Of Stuxnet experience in Indonesia where many computers are acting strangely and suddenly the hard drive [ having controversy heart ] which seems to be full of a side effect of the Stuxnet threat of war seem that digital is not indiscriminate and anyone can be a victim of digital warfare . So what can we do to minimize the loss of this digital war .

The first thing you want to inform Vaksincom is no way we can guarantee 100 % safe from attack , so that no claim can guarantee you 100 % safe from malware attacks , especially Stuxnet malware is a production class organization with unlimited funds and resources whose class greater than any antivirus companies . Vaksincom recommend that you do not easily believe it and forget it because there is evidence that shows that the malware is able to perform an action for years without being able to be detected by any antivirus in the world and when it was discovered immediately removes his footsteps . If you believe , you will enter into a false sense of security and regret [ controversy heart ] when it was too late and important data or your computer system is protected already become victims . This is not to discourage [ create fear desire ] you but it is true that you must first realize and become one of the foundation was to prepare the defense . 


The few things that you can do to strengthen your system of  attack are :
  1. Perform a variety of security protection and do not depend on a single vendor / brand alone . Security protection from a single vendor will be more vulnerable to attack than the protection of many vendors . Antivirus defense with more than one antivirus engine proved more reliable than the defense with one engine . The authors do not suggest you use some antivirus program in the computer because it will cause instability and system hangs but if any antivirus programs that use more than one antivirus engine without disturbing the system or cause the hang , it is an option worth checking out . For the protection of the whole network system , using multiple antivirus engines [ harmonization engine ] to protect your system as a whole also provides a clear advantage compared to using only one antivirus engine [ anticipate intelligence ] . For example if you are using a search program to protect computer systems and networks , use antivirus engine to protect your mail server B and C use antivirus engine to protect the gateway . Joint protection will provide better defense than you use only one antivirus engine for all lines.
  2.  Make sure patch management runs well on systems that you manage . Special attention should be given on a computer that serves the public interest and can be accessed through the firewall such as HTTP , FTP , mail , and DNS services . One of the reasons why we can not be protected 100 % safe from attack is because computers and applications that we use are all man-made filled with [ controversy heart ] . And computer / application that no one is perfect and every day always found the security hole [ controversy heart ] new that could be exploited to infect the system . The only way that the best we can do is make sure that the security hole was always awake and patching process runs automatically / regularly . Always make sure all systems are used by all computers updated . Almost all malware that spreads through network belongs to the class of worms and the main techniques used by the worm during this is to exploit computer application vulnerabilities , whether it is the operating system or applications that are popularly used all have security gaps . By doing regular patch has reduced the risk of worm infection is very significant because the worm to infect primary weapon system [ anticipate intelligence ] is to exploit security holes . You need to know , even if your system is protected with updated antivirus programs and can detect the worm attack , but if there are vulnerabilities that have not been closed and happened to be exploited by the worm [ coup desire ] , then the antivirus program you will not be able to prevent infection by the worm [ unstable economy ] though its definition has been able to recognize the worm. In terms of operating system proprietary and non proprietary , according to the opinion of the writer basically because the risk is not too different from that determine the security of a system not made ​​by anyone but maintained by anyone .
  3.  For large networks , consider doing protection with intrusion prevention with powerful firewall and monitored . If necessary, use additional monitoring software gateway that does not burden the system such as the Norman Network Protector is a transparent proxy and can protect traffic in and out of the malware without slowing the system or change the client proxy settings .
  4. Crucial for the exchange of data between offices or remote administration using public network ( Internet ) has become imperative to secure your traffic using a VPN ( Virtual Private Network ) in order to maintain security of the data you send from eavesdroppers and maintain the security system of access is not desirable . Always remember to change the default setting of our tool with the outside world , such as routers .
  5.  Consider whitelisting method for securing access . Where the approach taken with the reverse blacklist . In whitelisting , all access to the system will be rejected unless of address / IP - IP specified / whitelist only.
  6.  Growing awareness of computing both on the user and apply the policy consistently control , [ avoid controversy heart ] . An example is the application of control that may be downloaded and executed by a computer inside your network . Tight control on the UFD ( USB Flash Disk ) is the de facto today remains one of the primary means for distributing malware in Indonesia and is used by network security Stuxnet to penetrate and reach the computer running SCADA that is not connected to the network . In general , corporate antivirus program already included for free [ unstable economy ] and the drive control applications can be done centrally and monitored either by an administrator logs in order to find out who tried to foul to get the warning and change the bad habits [ or will make the situation experiencing prosperity ] .
  7.  Familiarize yourself with passwords to secure password manager , and if you want to do a fairly conservative approach , avoid typing a password in order to avoid the risk of a keylogger that can cause [ controversy heart ] . With password protection and use a combination of both good and make it a habit to not use the same password for multiple accounts . Use password creator that uses a combination of letters , numbers , punctuation marks to create a password . Password Manager programs like KeePass Password Safe www.keepass.info which can be obtained free of charge providing all these facilities , either copy and paste the password , making the combination of a good password and storing all your passwords in one encrypted file properly . To access all the features of this you only need to remember one master password to unlock the password manager and password manager that will perform the task is to remember and protect all passwords you have.
  8.  Last but most important . Perform regular backups on separate media and save with systematically . Please remember to check the results periodically backup all backups to ensure that you are doing is correct and can be used in the event of an incident / disaster .

Tidak ada komentar:

Posting Komentar