This is what I was thinking. It's not like something like this would be completely unheard of anyway.
Confusion reigns as Bundestag malware clean-up staggers on
A malware infestation at the Bundestag is proving harder to clean up than first predicted, with several unconfirmed local reports going as far as suggesting that techies might have to rebuild the entire network from scratch. As previously reported, a state-sponsored attack is suspected for the widespread infection of systems …
COMMENTS
Friday 12th June 2015 11:37 GMT Mayhem
Presumably they tried bringing up a clean segment of the network in isolation, and upon migrating the necessary data across the segment got reinfected. It sounds like they might be unable to locate the vector that the infection is spreading from.
Which must be a complete bastard of a thing to deal with, especially since a government lives and breathes on paperwork.
Flattening and rebuilding the network and applications is straightforward. Doing that while retaining the data is trickier, particularly if you don't know when the infection first arrived, so historical backups are likely to be contaminated.
Friday 12th June 2015 21:34 GMT Anonymous Coward
This is a fixed problem: Do several hashes. This is me "emerging" an app on Gentoo:
* k3b-2.0.3a.tar.xz SHA256 SHA512 WHIRLPOOL size ;-) ...
The chance of creating a new version of that compressed tar file that does something different to the original and that has three identical hash collisions with the original is vanishingly small.
On the other hand there is always the possibility that the file does not contain what I think it does ...
Monday 15th June 2015 10:07 GMT LucreLout
Yes, a clever malware could make sure that a modified file retains the same SHA-256 checksum, but then how does the malware know which algorithm I used?
No idea. But then I have no idea how Mitnick worked out which algorithms had been used when he was modifying checksums, but it worked extremely well for him.
Friday 12th June 2015 23:24 GMT Anonymous Coward
Unlikely
"I vaguely recall Mitnick used to fiddle around with these when installing backdoors to circumvent exactly the checks you describe."
The checksums he would be able to circumvent are not these (md5sum is pretty old and this is with just four bits or a nybble):
$ echo "1001" | md5sum
6fa741c46485b9c618f14b79edf50e88 -
$ echo "0110" | md5sum
909fd71830d03d89fb1f74ea683829d0 -
md5sum et al are "one way hashes". Even if you could find another string that will generate the same hash as a given program, it's bloody unlikely that it will do anything at all let alone backdoor a system.
I suspect he worked around simple parity bits - things were simpler back then: /etc/passwd was plaintext and /etc/shadow hadn't been thought of, ROT13 was a cypher, spam was just a pseudo meat product and the sun always shone in summer etc etc. Still, no mean feat though and proper nerdy.
Sunday 14th June 2015 06:12 GMT Nick Stallman
Re: Unlikely
They've done it with md5 SSL certificates.
The trick is you make your back door then add a bunch of random data in a field that isn't parsed like a comment field. Brute force the random data with some tricky mathematics such that back-door + random data matches the original md5.
Friday 12th June 2015 17:21 GMT tom dial
Re: Do you know how much this costs
Or might that not be secure off-site compromised backups? How would you know they don't contain the attack, all ready for reactivation at first boot?
The nearest thing to secure probably is a really old system with no peripheral equipment later than IDE, no HDD containing software (not clear how that can be enforced, though) and certainly no FDD or USB capability. Overall, not a particularly satisfactory solution.
Friday 12th June 2015 14:57 GMT Doctor Syntax
"Nobody does spot checks on checksums for data that shouldn't be changing?"
That doesn't help with data that should be changing. Nor does it help with whatever the original vector was - that won't have changed and will still be a potential danger.
I'm not saying you're wrong to say flatten & rebuild as that's my view as well. But transferring the data cleanly to a new build isn't going to be easy as it will all need to be vetted.
And whilst this is happening business needs to continue. A long time ago someone described a particular migration as like transferring passengers from one aircraft to another in mid flight without waking them up. This sounds like another of those.
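The multi-hash idea from the Gentoo comment above and the "spot checks on checksums for data that shouldn't be changing" question come down to the same tool: a manifest of several digests plus file size, built when the tree is known-good and re-checked later. The following is an added example, not code from the original thread or from Portage; it uses SHA-256, SHA-512 and BLAKE2b (an assumption standing in for WHIRLPOOL, which Python's hashlib does not guarantee), and the two files it baselines are constructed placeholders, not the real k3b tarball. The demo deliberately tampers with a file without changing its length, so a size-only check would miss it while every digest catches it.

```python
import hashlib
import os
import tempfile

# Assumption: blake2b stands in for WHIRLPOOL, which is not always available in hashlib.
ALGORITHMS = ("sha256", "sha512", "blake2b")


def digest_file(path, algorithms=ALGORITHMS):
    """Hash one file with every algorithm in a single pass and record its size."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    record = {name: h.hexdigest() for name, h in hashers.items()}
    record["size"] = size
    return record


def build_manifest(root, algorithms=ALGORITHMS):
    """Walk a tree and return {relative_path: digest_record} for every regular file."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            manifest[os.path.relpath(full, root)] = digest_file(full, algorithms)
    return manifest


def verify_manifest(root, manifest, algorithms=ALGORITHMS):
    """Compare the tree against a trusted manifest.

    Returns {relative_path: [fields that differ]}; a file that vanished is
    reported as ["missing"] and a file the manifest never saw as ["unexpected"].
    An empty dict means every file matched on every digest and on size.
    """
    findings = {}
    current = build_manifest(root, algorithms)
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            findings[rel] = ["missing"]
            continue
        diffs = [field for field in expected if expected[field] != actual.get(field)]
        if diffs:
            findings[rel] = diffs
    for rel in current:
        if rel not in manifest:
            findings[rel] = ["unexpected"]
    return findings


def demo():
    """Constructed scenario: baseline two files, then overwrite one with a same-length payload."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed placeholder bytes with an xz magic prefix; not the real k3b tarball.
        with open(os.path.join(root, "k3b-2.0.3a.tar.xz"), "wb") as fh:
            fh.write(b"\xfd7zXZ\x00" + b"A" * 1024)
        with open(os.path.join(root, "README"), "wb") as fh:
            fh.write(b"original text\n")

        baseline = build_manifest(root)          # taken while the tree is trusted
        clean = verify_manifest(root, baseline)  # expected: {}

        # Tamper: same byte length as the original, so "size" alone would not notice.
        with open(os.path.join(root, "README"), "wb") as fh:
            fh.write(b"backdoor text\n")
        tampered = verify_manifest(root, baseline)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean tree findings:", before)
    print("after tampering:", after)
```

Two caveats that the thread itself raises apply here. The manifest is only as trustworthy as wherever it is stored: if it sits on the same host, malware that owns the host can regenerate it, so keep the baseline on read-only or offline media and run the check from a boot image you trust. And, as the comment above says, this only covers files that should never change; documents and databases that legitimately change every day need a different answer (transactional logs, content scanning, or rebuilding from vetted sources).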
Friday 12th June 2015 15:58 GMT Voland's right hand
I'm sick and tired of hearing this excuse!
So am I sick and tired of listening to people shouting know it all rubbish.
An attack in this class (non-script-k1dd10t) can be:
1. Undetected for years. The biggest problem is that the entrance date and attack vector are unknown
2. Designed to aggressively seek back up systems and compromise them.
Your first port of call is figuring out a clean cut-off line. However without knowing and understanding the APT in full you do not know where to draw that cut-off line. Drawing it at e.g. 5 years back is not really an option. Drawing it at a year back may actually get you back to square one with the infection rampant in the network.
Monday 15th June 2015 17:16 GMT Mike 137
Re: I'm sick and tired of hearing this excuse!
And that excuse too. "An attack in this class..." - what class? We don't seem to have any details yet, but as a security professional I'm regularly less than amazed when the latest "sophisticated attack" eventually turns out to have been a total push-over that circumvents deficient or degraded controls. Our biggest problem is that the "defenders" only defend reactively, but the attackers are proactive. If we managed our systems (and our business processes) robustly, a lot of these attacks would bounce off without doing much (or any) harm. But we just skirmish defensively in a guerrilla war in the enemy's territory, so we keep losing.
Friday 12th June 2015 13:48 GMT Paul Crawford
Re: Let me guesss...
"Don't believe only the luser blindly clicking on an exe is the culprit, sometimes the real luser is the sysadmin"
For most corporate networks they should have all user-writeable space set to no-execute via Windows ACLs. Apart from software developers or sysadmins, who need to execute software that is not already installed in the proper (read-only) system locations?
Friday 12th June 2015 14:23 GMT Paul Crawford
Re: Let me guesss...
"Idiot sysadmins...greater risk to security than an unpatched Linux or Windows machine"
Often the unpatched machines are the result of said idiots.
Sure you may find machines that can't be patched for various odd reasons (not supported and/or run special software that can't work on newer OS, etc) but for $DEITY's sake you don't have them Internet-facing or in use for email/web browsing...
Friday 12th June 2015 12:47 GMT John Sanders
Re: No Backup Plan - Shoot The Admin
Any sensible organization will not have anything sensible where ignorant personnel can cause this level of trouble.
And they will not be running Windows connected to any form of www.
Or if they have to run Windows, run it with so many GPOs as to make the system useless.
Or even better, HIRE BETTER IT GUYS rather than outsourcing.
Friday 12th June 2015 13:19 GMT Anonymous Coward
"any sensible organization..."
This isn't just a large organization, nor just a government organization: that alone would get you a Westminster-grade mess. It's also the Federal govt, so the familiar mess of political and departmental fiefdoms gets to interconnect with the equivalent of the state governments too - imagine the UK once Cornwall, Shropshire, etc have devolved... Naturally the usual practices of weather-cocking policies and back-scratching of big contractors occur too, and as with any govt spending money on defensive measures takes a back seat to crowd-pleasing.
Frankly the fact that we haven't heard of the UK state systems being ransacked like this suggests (a) they haven't noticed (b) they have but are better at covering up (c) not such a high-priority target (this time)
Friday 12th June 2015 13:45 GMT Anonymous Coward
Which version of Windows?
I wonder if this is an excuse to finally get rid of unsupported machines and software (XP, Server 2003, etc)?
Of course if it was Jeremy Clarkson writing the sub-heading it would be something like "German BOFH in XP Final Solution" but I'm not that culturally insensitive...
Friday 12th June 2015 15:03 GMT Detective Emil
Not my idea of fun
Kaspersky hints at the "nuke from orbit" procedure needed to get rid of its recent infection by an in-memory Duqu 2.0 APT on page 33 of this exhaustive report. Basically
1) Identify Internet gateway and install hosts used by infection.
2) Simulate power outage — cut power to everything simultaneously.
3) Isolate gateways and install hosts from Internet and internal network.
4) Bring up gateways and install hosts, disinfect and harden them.
5) Give gateways and install hosts access to each other and Internet and observe beadily.
6) When safe, bring everything else back up. Well, before doing that you might want take steps to harden everything else too, but, without the gateways to act as first-level installers, this particular infection can't reestablish itself. Until the authors start to use a different day-zero to get in.
Glad I'm not in this particular game.
Friday 12th June 2015 16:30 GMT Mayhem
Re: Not my idea of fun
Jesus christ. From that article
The Duqu 2.0 malware platform was designed in a way that survives almost exclusively in memory of the infected systems, without need for persistence. To achieve this, the attackers infect servers with high uptime and then re-infect any machines in the domain that get disinfected by reboots. Surviving exclusively in memory while running kernel level code through exploits is a testimony to the technical prowess of the group. In essence, the attackers were confident enough they can survive within an entire network of compromised computers without relying on any persistence mechanism at all.
The reason why there is no persistence with Duqu 2.0 is probably because the attackers wanted to stay under the radar as much as possible. Most modern anti-APT technologies can pinpoint anomalies on the disk, such as rare drivers, unsigned programs or maliciously-acting programs. Additionally, a system where the malware survives reboot can be imaged and then analyzed thoroughly at a later time. With Duqu 2.0, forensic analysis of infected systems is extremely difficult – one needs to grab memory snapshots of infected machines and then identify the infection in memory.
Yep, it pretty much can do anything to anything. I expect there are plugins for non-windows systems which can back infect everything - I can imagine infecting a switch and it will reinfect anything that connects. You literally need to shut down *everything* to get rid of it, and they know your credentials so can get back in and reinfect as soon as one of your machines touches the internet.
That is one scary piece of malware - the difference between angry script kiddies and State Espionage is profound.
Friday 12th June 2015 16:03 GMT Anonymous Coward
Kaspersky Pro - EMP Edition
With that new Duqu 2.0 that can only be eradicated by simulating a power failure and bringing the entire infrastructure down for cold-boot, the new Kaspersky Pro install CD comes with a 450 lb EMP warhead to be installed in your datacenter.
Upon detecting Duqu 2, the EMP countdown will be announced on all customer equipment, giving personnel 15 minutes to evacuate to the EMP safe zone outside the blast radius.
Saturday 13th June 2015 12:14 GMT Anonymous Coward
I'm a lift engineer on this site from time to time
I look after the lift control system which has some rather special programming which the site owners say needs to be kept securely on site. So to do that, I plug my lift programming gadget into the lift system (which is on its own isolated LAN for security reasons), I extract (or update) the required data, and having done that, I plug the programming gadget into the office LAN so the IT guys can take a secure backup of the data I just read from the lift system.
See any problem with that?
See any way it bypasses the standard "nuke it from orbit and rebuild" process, if the gadget that reads the lift data is running a standard IT OS but isn't subject to standard IT security precautions?
I'm not a lift engineer actually. Not even a building management system technician, or a representative of the outsourced "printing services" supplier. But I could be.
I am actually a software and electronics person and in that sector, a variant on this theme is the Windows-based electronic test equipment (oscilloscopes, logic analysers, etc) which was popular for a while till manufacturers moved on to something cheaper and more sensible than Windows in that set of applications. But the same issue applies to things like building management systems, and to networked printer/photocopiers, and probably to other things I haven't thought about yet.
This non-IT stuff as transmission vector is nothing new, it's been well documented since Stuxnet. Stuff that's not permanently or even routinely connected, stuff that's not necessarily even permanently onsite, but stuff that's a perfectly capable infection vector, yet it appears to be outwith the vision of most IT people.
Think about it.
Oh, and have a lot of fun.