Wiper – The AK47 of cyberwar

Hi folks,

Unless you have been living under a rock recently, you know that Sony was hacked, d0xed, and whacked. (The meaning of “Hacked” is obvious. D0xed means that a whole lot of documents were stolen. Whacked is Australian for, well, whacked. As in over the head with a 2×4.)

Most people are quite reasonably focused on the implications of the leakage of movies, and salacious emails, but this has drawn attention away from the fact that the Las Vegas Sands suffered a similar attack at roughly the same time, with roughly similar results. A whole lot of information was stolen, and a whole lot of computers were wiped out.

No one knows exactly who is doing it, but the m.o. is remarkably similar to the Shamoon attack, from 2012, and the 2013 attacks on South Korean banks, so it doesn’t require a huge leap of imagination to suggest that it is all the work of the same group. If you’re interested, I made a video of the 2012 Shamoon attack, which you can view here, which will give you a pretty fair idea what the attack looks like, when they actually start the machine wipe.

In fact, the m.o. can be summarized as three steps…
(1) Penetrate the network,
(2) Surveil the heck out of it, until you understand it completely, and have stolen all the data you can, and
(3) Wipe out all the devices that you can, at the same time.

Compared with things like Stuxnet and Flame, the Wiper component is relatively unsophisticated, and Shamoon was even a bit buggy, but that tends not to matter if it hits you, because it hurts. If you get 30,000 PCs and servers wiped out overnight, that’s going to leave a mark on anyone. That’s why I call it the AK47 of cyberwar. Compared to a Stealth fighter, an AK47 is as crude as a club, but if it shoots you, well, dead is dead.

The first question is, “Can traditional antivirus protect us against this?”

The answer is, “Yes, and no.” Friends of mine, who still work “at the coal face” in antivirus, tell me that they see about one million new and unique bits of malware every day. Most of this is crimeware, and most of it is Zoo, in that it is just produced programmatically, to overload the signature scanners, and by and large, the av companies catch most of it between them. But the type of attacker that we are talking about today only needs to get one bit of malware past everyone, and they are “in”.

This is classic, asymmetric warfare.

Defenders have to try to block everything. Attackers only have to find one way in.

We have to find new ways to defend. We can’t give up on antivirus, because someone has to handle the million new malware each day, and you need to make sure that your product of choice is keeping up. Try turning your av off, and see how that works for you.

This all matters because it’s going to happen again.

That’s a given.

What we don’t know is _where_ it’s going to happen next.

If it’s a business, well, that’s bad for that business, but if it’s critical infrastructure, like power grids, that’ll hurt everyone.

We may be confident that this group is trying to get into that critical infrastructure right now. Hopefully, they are still just trying.

This is a difficult, but critical, problem.

This blog will keep looking for solutions.

RogerT

Quick introduction, and a Chinese (or is it Irish) curse.

Hi folks,

Please allow me to introduce myself. I’m Roger Thompson, and I wrote the first antivirus program in Australia, waaaay back in 1987, and I’m one of the few first generation anti virus guys still active in the industry. This probably means that the other guys who started at the same time as I did, guys like Alan Solomon, and John McAfee, were better marketers than I am, because they sold their businesses, and retired, or did other stuff.

That’s ok, because I really enjoy what I do, and like to think I can make the world a little safer, from time to time, through my work. Even if I don’t, it’s still fun.

The world of malicious software keeps changing. Every few years, there is what I call a measurable extinction level event, or ELE, that wipes out the malware of the day, but the Bad Guys don’t give up. They evolve, and find a new way to do Bad Things, and the Good Guys need to come up with a defense, and we’re off again.

We can, and will, talk more about these Ages, and ELEs, in future blogs, but first, let’s talk about the afore-mentioned Chinese (or Irish) curse, which is, “May you live in interesting times.”

We live in _very_ interesting times, and by “very interesting”, I really mean “unprecedentedly dangerous”. As well as dealing with something of the order of a million unique pieces of malware every _day_, we now have to find ways of defending against enterprise or nation-state developed malware, that is being used for espionage, and even worse, sabotage.

Personally, I am fond of electricity, and I prefer it “on”, but more about that later.

This is all unveiling against a background of Bring Your Own Device (BYOD), also known as Bring Your Own Destruction, to work, and in a World Wide Web that is racing pell-mell to make every human being’s personal life visible, and available to the highest bidder. This is also known as “Advertising”, but more about that later, as well.

The reason I joined West Coast Labs is that, from here, I think I can help educate a largely unsuspecting world, and also maybe help figure out which products, both new and old, might help defend us, our personal lives, and our finances. Oh, and help keep the electricity on.

Please stay tuned.

West Coast Labs llc

Welcome to the new WCL blog.

Recently, WCL has moved its headquarters to the US and announced the hiring of two industry veterans. Roger Thompson has joined as our CTO, and Larry Bridwell is the V.P. of Strategic Alliances.

Check back for technical posts from Roger and the latest news from the testing industry from Larry.

Fujitsu and the Japanese Government announce a “good virus”

Happy New Year.

Traditionally, in early January, there are a raft of predictions from the security industry about what is likely to happen over the next 12 months in terms of emerging threats, consumer and corporate focus in terms of what people will be doing with their technology, and a general amount of crystal ball gazing.

Rather than make predictions that are doubtless going to come back in 12 months’ time and bite us somewhere unpleasant because they haven’t come true, it is perhaps better to focus on a story that has come out early in the year from Japan and is detailed here: http://www.yomiuri.co.jp/dy/national/T120102002799.htm – the headline being that the Japanese Government has entered into a relationship with Fujitsu to create a “good virus”.

Leaving aside the fact that, although this has been widely reported through several channels, there only appears to be one main source for this – the above site – and journalists are normally shy of putting out stories without corroboration from an independent source, this raises a number of questions.

There is, of course, a long standing debate going back many years as to whether there is such a thing as a good virus, and if so how it is defined, for example here: http://www.people.frisk-software.com/~bontchev/papers/goodvir.html. We’ll not get into that here, but looking at the story it seems to be rather light on technical details. Perhaps this is understandable, given that the parties involved would not want the financial investment to go to waste, but there are a few things that can be implied – note that this is supposition on our parts and should not be taken as any insider knowledge!

Firstly, the story reports that the code (let’s call it code, as calling it a weapon gives it some sort of legitimacy, an issue that we’ll get onto momentarily) is capable of identifying both the sources of the attacks and the intermediary hosts used, and indeed states later in the article that this is used for looking at DDoS attacks. Once a host is identified, it would seem as if the code then copies itself to the infected host before running operations to disable the host from being part of the attack – whether this is by disabling a particular executable or by terminating the host’s internet connection isn’t specified.

The important part of this is that the code copies itself to the hosts. This means exploiting a vulnerability, presumably the same one that the original code exploited to get itself onto the box in the first place, or the command and control channel that is used by the malware itself. One of the things that both operating system patches and anti-malware vendors try to deal with is ensuring that the vulnerabilities are not exploitable, so that means that (in the case where people have good patching procedures, and let’s be honest don’t we all? Erm…) the vulnerability could no longer exist, and where anti-malware signature updates are applied, and scans are run regularly, the vulnerability may have been flagged already or the malware may have been already removed.

This leads to a situation where the code could be trying to get onto a machine that is already cleaned up or, at the very least, has had the vulnerability patched, and doesn’t even touch on whether there are any self-protection mechanisms written into the malware itself.

Then there arises the question as to whether the methods used by the code will themselves be determined as malicious and stopped by anti-malware vendors – the general gut feeling around WCL is that it probably will be – after all, it is a “virus”.

The testing has taken place in a “closed environment”. No details here are given, but let’s assume that it is mostly Windows based. The first questions that should be being asked about this are: Was the environment used homogeneous (i.e. all the same type of operating system) or heterogeneous (different variants of Windows, different patch levels on each)? In order to simulate a large scale DDoS, how large was the environment (number of hosts)? Were they real hosts or virtual hosts? How many of the botnet variants were used? How adaptable is the code to new types of code used in these attacks? How adaptable is the code to non-botnet malware?

In order to get a seriously large replication of a DDoS attack, obviously none of the major industry tools for traffic creation can be used, as they don’t have “real hosts” (including virtual) for the code to go back to and “clean up”. This implies that it works on a small scale and, for something as specific as the operation of this code and the type of malware that it appears to be targeting, there really is no substitute for seeing how it works in the real world.

Once we get past the technical issues, there are other more holistic issues to consider – will AV companies be subjected to pressure by the Japanese government to exclude detection for this code? That has, when tried previously, normally failed, and authorities using “viruses” was recently in the news in Germany in October last year when Federal police admitted to using code to monitor Skype (http://www.theregister.co.uk/2011/10/12/bundestrojaner/).

What are the legal implications for this? After all, the intention seems to be to put a piece of code onto a user’s machine in the same way as malware, without asking the user first, and given that there is no legal jurisdiction over the internet as it is a global network, there are potentially issues if this code gets onto machines in, for example, the US, Russia, China, any of the EU countries, and so on. Fujitsu and the Japanese government could find themselves at the center of a lot of legislation very quickly. Surely, when this project was mooted in 2008, somebody in either Fujitsu or the government should have considered that there might be legal implications and started preparing for it then, rather than trying to sort it out after the code is written and ready to be released – any delays here (from a purely technical point of view) mean that the code will be outdated and potentially useless by the time that it actually gets released.

This will be an interesting time as the lawmakers try to sort out whether they can use the code and then, if they can, what subsequently happens with the AV industry and whether the code itself can make any inroads at all into reducing the number of DDoS attacks. Perhaps the one prediction we should make is that we’ll be watching this story with interest.

Future that sort of is

Here’s a gem from a book written in 1981, which predicts that the only crime in the future would be computer crime.

(via PaleoFuture)

Obviously crime is additive, not subtractive.

Reading this, I started out thinking of it as the usual sort of “hey, where’s my flying car!” future-gazing.  But by the end, their description of the current state of malware was not too far off the mark.

Except that “cassette” bit.  That made me giggle.

Because clearly storage media wasn’t going to advance past (very easily destroyed) 1970s technology.