Showing posts with label Flame virus.

Saturday, August 11, 2012

New virus can spy on online banking transactions


The latest cyber threat to target users in the Middle East could steal browser passwords and online banking account credentials, according to security firm Kaspersky Lab.

The Moscow-based firm announced on Thursday that it has discovered the cyber surveillance virus, which it calls “Gauss,” in personal computers in Lebanon.

Kaspersky Lab said Gauss is capable of stealing data from the clients of several Lebanese banks and it has also targeted Citibank and PayPal users.

It’s estimated that the virus was deployed around September 2011.

Researchers discovered Gauss due to its strong resemblance to Flame, a cyber virus that infiltrated computers in Iran and was believed to have targeted the country’s nuclear program.

Kaspersky Lab described Gauss as a “complex cyber-espionage toolkit,” which was created by the same individuals behind Flame.

“Gauss bears striking resemblances to Flame, such as its design and code base, which enabled us to discover the malicious program,” said Kaspersky Lab chief security expert Alexander Gostev.

Kaspersky Lab was helping the United Nations' International Telecommunication Union search for destructive malware when it came across Flame.

However, Gostev said that Gauss’ purpose was different than Flame’s.

“Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information.”

Flame, on the other hand, targeted specific software vulnerabilities and was selective in the computers it attacked.

In a posting on its website, Kaspersky Lab said the detailed data from the infected computers is sent to the attackers.

“Since late May 2012, more than 2,500 infections were recorded by Kaspersky Lab’s cloud-based security system,” said the company, estimating the total number of victims of Gauss to be in the tens of thousands.

Gauss has since been blocked and remediated by Kaspersky Lab.

Wednesday, June 20, 2012

U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say



By Ellen Nakashima, Greg Miller and Julie Tate

The United States and Israel jointly developed a sophisticated computer virus nicknamed Flame that collected intelligence in preparation for cyber-sabotage aimed at slowing Iran’s ability to develop a nuclear weapon, according to Western officials with knowledge of the effort.

The massive piece of malware secretly mapped and monitored Iran’s computer networks, sending back a steady stream of intelligence to prepare for a cyberwarfare campaign, according to the officials.

The effort, involving the National Security Agency, the CIA and Israel’s military, has included the use of destructive software such as the Stuxnet virus to cause malfunctions in Iran’s nuclear-enrichment equipment.

The emerging details about Flame provide new clues to what is thought to be the first sustained campaign of cyber-sabotage against an adversary of the United States.

“This is about preparing the battlefield for another type of covert action,” said one former high-ranking U.S. intelligence official, who added that Flame and Stuxnet were elements of a broader assault that continues today. “Cyber-collection against the Iranian program is way further down the road than this.”

Flame came to light last month after Iran detected a series of cyberattacks on its oil industry. The disruption was directed by Israel in a unilateral operation that apparently caught its American partners off guard, according to several U.S. and Western officials who spoke on the condition of anonymity.

There has been speculation that Washington had a role in developing Flame, but the collaboration on the virus between the United States and Israel has not been previously confirmed. Commercial security researchers reported last week that Flame contained some of the same code as Stuxnet. Experts described the overlap as DNA-like evidence that the two sets of malware were parallel projects run by the same entity.

Spokesmen for the CIA, the NSA and the Office of the Director of National Intelligence, as well as the Israeli Embassy in Washington, declined to comment.

The virus is among the most sophisticated and subversive pieces of malware to be exposed to date. Experts said the program was designed to replicate across even highly secure networks, then control everyday computer functions to send secrets back to its creators. The code could activate computer microphones and cameras, log keyboard strokes, take screen shots, extract geolocation data from images, and send and receive commands and data through Bluetooth wireless technology.

Flame was designed to do all this while masquerading as a routine Microsoft software update; it evaded detection for several years, in part by carrying a forged Microsoft code-signing certificate, produced through a collision attack on the MD5 hash used by one of Microsoft’s certificate authorities.

“This is not something that most security researchers have the skills or resources to do,” said Tom Parker, chief technology officer for FusionX, a security firm that specializes in simulating state-sponsored cyberattacks. He said he does not know who was behind the virus. “You’d expect that of only the most advanced cryptomathematicians, such as those working at NSA.”

Conventional plus cyber

Flame was developed at least five years ago as part of a classified effort code-named Olympic Games, according to officials familiar with U.S. cyber-operations and experts who have scrutinized its code. The U.S.-Israeli collaboration was intended to slow Iran’s nuclear program, reduce the pressure for a conventional military attack and extend the timetable for diplomacy and sanctions.

The cyberattacks augmented conventional sabotage efforts by both countries, including inserting flawed centrifuge parts and other components into Iran’s nuclear supply chain.

The best-known cyberweapon let loose on Iran was Stuxnet, a name coined by researchers in the antivirus industry who discovered it two years ago. It infected a specific type of industrial controller at Iran’s uranium-enrichment plant in Natanz, causing almost 1,000 centrifuges to spin out of control. The damage occurred gradually, over months, and Iranian officials initially thought it was the result of incompetence.

The scale of the espionage and sabotage effort “is proportionate to the problem that’s trying to be resolved,” the former intelligence official said, referring to the Iranian nuclear program. Although Stuxnet and Flame infections can be countered, “it doesn’t mean that other tools aren’t in play or performing effectively,” he said.

To develop these tools, the United States relies on two of its elite spy agencies. The NSA, known mainly for its electronic eavesdropping and code-breaking capabilities, has extensive expertise in developing malicious code that can be aimed at U.S. adversaries, including Iran. The CIA lacks the NSA’s sophistication in building malware but is deeply involved in the cyber-campaign.

The CIA’s Information Operations Center is second only to the agency’s Counterterrorism Center in size. The IOC, as it is known, performs an array of espionage functions, including extracting data from laptops seized in counterterrorism raids. But the center specializes in computer penetrations that require closer contact with the target, such as using spies or unwitting contractors to spread a contagion via a thumb drive.

Both agencies analyze the intelligence obtained through malware such as Flame and have continued to develop new weapons even as recent attacks have been exposed.

Flame’s discovery shows the importance of mapping networks and collecting intelligence on targets as the prelude to an attack, especially in closed computer networks. Officials say gaining and keeping access to a network is 99 percent of the challenge.

“It is far more difficult to penetrate a network, learn about it, reside on it forever and extract information from it without being detected than it is to go in and stomp around inside the network causing damage,” said Michael V. Hayden, a former NSA director and CIA director who left office in 2009. He declined to discuss any operations he was involved with during his time in government.

Years in the making

The effort to delay Iran’s nuclear program using cyber-techniques began in the mid-2000s, during President George W. Bush’s second term. At that point it consisted mainly of gathering intelligence to identify potential targets and create tools to disrupt them. In 2008, the program went operational and shifted from military to CIA control, former officials said.

Despite their collaboration on developing the malicious code, the United States and Israel have not always coordinated their attacks. Israel’s April assaults on Iran’s Oil Ministry and oil-export facilities caused only minor disruptions. The episode led Iran to investigate and ultimately discover Flame.

“The virus penetrated some fields — one of them was the oil sector,” Gholam Reza Jalali, an Iranian military cyber official, told Iranian state radio in May. “Fortunately, we detected and controlled this single incident.”

Some U.S. intelligence officials were dismayed that Israel’s unilateral incursion led to the discovery of the virus, prompting countermeasures.

The disruptions led Iran to ask a Russian security firm and a Hungarian cyber-lab for help, according to U.S. and international officials familiar with the incident.

Last week, researchers with Kaspersky Lab, the Russian security firm, reported their conclusion that Flame — a name they came up with — was created by the same group or groups that built Stuxnet. Kaspersky declined to comment on whether it was approached by Iran.

“We are now 100 percent sure that the Stuxnet and Flame groups worked together,” said Roel Schouwenberg, a Boston-based senior researcher with Kaspersky Lab.

The firm also determined that the Flame malware predates Stuxnet. “It looks like the Flame platform was used as a kickstarter of sorts to get the Stuxnet project going,” Schouwenberg said.

Friday, June 8, 2012

Latest viruses could mean ‘end of world as we know it,’ says man who discovered Flame


Eugene Kaspersky: We’re at the mercy of cyberterrorists, armed with weapons more serious than any previous IT security threat

By David Shamah

The Flame virus, whose existence was announced several weeks ago by Eugene Kaspersky, is not just any old virus. It’s so sophisticated that it represents a new level of cyber threat, one that could be “the beginning of the end of the [interconnected] world as we know it,” Kaspersky said at a press conference Wednesday. “I have nightmares about it.”

Information security expert Kaspersky, whose team of researchers uncovered Flame’s existence, was a featured speaker at Wednesday’s second annual cyber-security conference sponsored by the Tel Aviv University’s Yuval Ne’eman Workshop for Science, Technology and Security. The conference comes at a time when interest in cybersecurity is at a peak, as a result of speculation about who was behind the Flame attack and the earlier Stuxnet virus attack that is thought to have damaged, or at least delayed, progress by Iran on its nuclear program.

Also speaking at the conference were a host of top security and government officials, including Defense Minister Ehud Barak, Israel Space Agency chairman Yitzhak Ben-Yisrael, former Shin Bet director Yuval Diskin, and others.

While many companies — including Kaspersky’s — advertise sundry solutions for computer viruses and Trojans, they won’t help when it comes to Flame and other still undiscovered viruses of similar or even greater strength that are likely out there, he said. “Right now we have no way to defend against these global attacks.”

The term “cyber-war” is used by many to describe the situation, but that term — which implies that there are two equal, known enemies duking it out — is outmoded, he said. “With today’s attacks, you are clueless about who did it or when they will strike again. It’s not cyber-war, but cyberterrorism.”

Flame, which has stealthily stolen large chunks of data during the months or perhaps years it has been on the loose, is especially scary because of its many sophisticated tools, said Kaspersky. Besides being able to quickly replicate itself on networks and break up data into very small segments, making it almost impossible to trace as it is sent onwards, the virus has many unique features. “It can of course be spread very quickly via a disk-on-key, when one is plugged into a network,” but in addition, it can use bluetooth, wifi, and other communications protocols to propagate, he said.

The Russian-born Kaspersky, 46, whose company is the world’s largest privately held vendor of software security products, described the process by which his team discovered Flame, saying that he got interested in the matter when he heard that Iran had actually accused his company of designing the attack tool. “We thought that maybe our internal system was compromised, so we conducted a thorough investigation.”

It was this investigation, which entailed contacts with IT personnel in Iran itself, that yielded the data on Flame. “Dealing with what we discovered was too big a job for a company,” so Kaspersky took what he knew to the UN’s International Telecommunication Union, which was just as shocked as he was. “We worked out an arrangement where we would gather the data, and they would take care of the other issues.”

Data-gathering is a technical issue, not a political one, Kaspersky said, so he could not speculate on who invented Flame, or why. But anyone and everyone is a suspect. “There are many countries with hackers and experts who are sophisticated enough to pull something like this off.”

The US, Israel, China, and Russia are on that list, but so is Romania, “which has many talented hackers.”

But even countries without a staff of their own could kidnap the scientists they need or hire “hacktivists” to do their dirty work, and there is no shortage of willing and capable people, Kaspersky said.

Still, any country thinking of stockpiling cyber-weapons of these magnitudes should think twice, Kaspersky said, as they have a way of getting out of control.

“It’s like biological weapons; when you set one off in one place, it affects many others.” Cyber-weapons of the magnitude of Flame are just as destructive. “The world is just so interconnected today, and the viruses that attack one power plant puts them all at risk,” Kaspersky said.

Governments must work together on everything from ordering a complete rewrite of the software for essential systems to protect them against attacks — “there are still many systems out there using MS-DOS,” Kaspersky said — to agreeing to pool information and act jointly when an attack occurs.

The alternative, Kaspersky said, is a world in which cyberterrorists have a free hand – something like the world in the movie Die Hard 4 (also known as Live Free or Die Hard). That movie’s plot involves hackers causing blackouts, blowing up government buildings, and trying to shut down America’s computer system.

“We at Kaspersky Labs have been aware for a long time that such a scenario was possible, but until that movie came out in 2007, we forbade anyone inside the organization from using the term ‘cyber-terrorist.’ Now that the cat is out of the bag, we routinely use that word to describe what is going on.”

He, and other researchers like him, are hard at work coming up with the solutions as the problems arise. What’s at stake, he said, is nothing less “than life as we know it today. Let’s hope and pray we can keep the cyber world safe for our kids and grandkids.”

Thursday, June 7, 2012

Urgent Windows Update To Kill Off Spy Virus



Microsoft has carried out an emergency update of Windows after discovering that the makers of a spy virus had exploited a software bug.

The Flame espionage tool infected PCs across the Middle East by tricking computer security systems into accepting it as a genuine Windows product.

Mike Reavey, a senior director with Microsoft's security team, said the attacks were targeted and "highly sophisticated".

As a result of the fix, any malware that bears the forged Microsoft signature is likely to stop working.

Microsoft declined to comment on whether other viruses had exploited the same flaw in Windows, or whether the company was looking for similar bugs in the operating system.
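The update works by distrusting the certificates behind the forged Microsoft signature rather than by patching anything specific to Flame, so a defender can check its effect directly. The PowerShell below is an added example, not code from the article or from Microsoft. It assumes a Windows host with the standard certificate provider, that the distrusted certificates are placed in the machine-wide Untrusted Certificates (Disallowed) store, and uses C:\Windows\Temp only as a placeholder directory to scan. The article says only that an algorithm was "cracked"; the MD5 check reflects the later-published finding that the forged certificate relied on an MD5 collision.

```powershell
# Added example: verify the effect of the emergency certificate update on a Windows host.
# Assumptions (not stated in the article): the distrusted CA certificates land in the
# machine-wide Disallowed store, and $ScanPath is a placeholder for wherever suspect
# binaries are kept.
$ScanPath = 'C:\Windows\Temp'

# 1. List every Microsoft-named certificate that Windows now explicitly distrusts.
Write-Host "Distrusted certificates with 'Microsoft' in the subject:"
Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -like '*Microsoft*' } |
    Select-Object Subject, Issuer, Thumbprint, NotAfter |
    Format-Table -AutoSize

# 2. Walk the Authenticode chain of each binary under $ScanPath and flag two things:
#    a signature Windows no longer accepts as valid, and any chain element signed
#    with MD5 (the hash whose weakness made the forged certificate feasible).
function Test-SuspectSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Md5InChain = $false
    }
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Stay offline: rely on the local stores only, no CRL/OCSP fetch.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $null = $chain.Build($sig.SignerCertificate)
        foreach ($element in $chain.ChainElements) {
            $alg = $element.Certificate.SignatureAlgorithm.FriendlyName
            if ($alg -match 'md5') { $result.Md5InChain = $true }
        }
    }
    [pscustomobject]$result
}

Get-ChildItem -Path $ScanPath -Include *.exe, *.dll, *.sys -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspectSignature -Path $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Md5InChain } |
    Format-Table -AutoSize
```

A binary signed with the forged certificate shows up in the second listing with a non-Valid status once the update has been applied; before the update it would have validated cleanly, which is why the first listing (is the offending CA actually in the Disallowed store?) is the more reliable indicator that the fix is in place.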

Experts said the method had probably been used to deliver other viruses that have not yet been identified.

"It would be logical to assume that (the virus creators) would have used it somewhere else at the same time," said Mikko Hypponen, chief research officer for security software maker F-Secure.

Flame has been in circulation since 2010 but, because of its complexity, was only discovered last week.

It was aimed primarily at Iran, but also affected Israeli and Palestinian territories, Sudan, Syria and Lebanon.

Researchers say that technical evidence suggests it was built on behalf of the same nation that commissioned the Stuxnet worm that attacked Iran's nuclear program in 2010.

Information about the virus is still being gathered by computer analysts.

Thursday, May 31, 2012

Flame virus most powerful espionage tool ever, UN warns


The Flame virus is the most powerful espionage tool ever to target countries, a United Nations agency responsible for regulating the internet has warned.

By Damien McElroy

"This is the most serious warning we have ever put out," said Marco Obiso, cyber security coordinator for the UN's Geneva-based International Telecommunication Union.

The formal warning will tell member nations that the Flame virus is a dangerous espionage tool that could potentially be used to attack critical infrastructure, he said. "They should be on alert."

Orla Cox, a security analyst at the security firm Symantec, said that Flame was targeting specific individuals, apparently Iranian related. "The way it has been developed is unlike anything we've seen before," she said. "It's huge. It's like using an atomic weapon to crack a nut."

Figures released by the Kaspersky Lab show that infections by the programme were spread across the Middle East with 189 attacks in Iran, 98 incidents in the West Bank, 32 in Sudan and 30 in Syria.

Other countries where the virus was detected include Lebanon, Saudi Arabia and Egypt.

Evidence suggests that the virus, dubbed Flame, may have been built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran's nuclear program in 2010, according to Kaspersky Lab, the Russian cyber security software maker that took credit for discovering the infections.

"I think it is a much more serious threat than Stuxnet," Mr Obiso said.

Unlike the Stuxnet virus that was previously used to disrupt Iranian systems, Flame does not disrupt or terminate systems.

Iran, whose nuclear facilities and oil ministry have previously been the target of virus attacks, accuses the US and Israel of trying to sabotage its programme. It denies the allegation that its programme is weapons related.

A leading Israeli politician hinted at the country's involvement in the virus. Israel rejects Tehran's claims that its nuclear programme is designed to produce energy, not bombs. It considers Iran to be the greatest threat to its survival.

"Whoever sees the Iranian threat as a significant threat is likely to take various steps, including these, to hobble it," Vice Premier Moshe Yaalon told Army Radio. "Israel is blessed with high technology, and we boast tools that open all sorts of opportunities for us."