Kaspersky reveals October’s top threats

Duqu captured the world’s attention, German states admitted cyber-spying, Android on the hit list

Tags: Cyber crimeDuqu Kaspersky Lab
  • E-Mail
Kaspersky reveals October’s top threats The Duqu trojan has captured the attention of the globe with its similarities to the Stuxnet worm, according to Kaspersky Lab.
By  Georgina Enzer Published  November 16, 2011

The Duqu Trojan captured the attention of the world this month because of its similarities to the first major cyber weapon, the Stuxnet worm, according to Kaspersky Lab. The similarities between the two malicious programs suggest they were both written by the same group of people or the Stuxnet source code was used.

However, instead of directly affecting the uranium enrichment process like Stuxnet, Duqu is more of an industrial espionage tool. Duqu files include an additional Trojan-Spy module capable of intercepting data entered via the keyboard, capturing screenshots and gathering information about the system.  New Duqu victims were discovered by Kaspersky, primarily in Iran.

"We also found new and previously unknown Duqu files. This confirms our suspicions that the people behind Duqu are continuing their activity, and their attacks, unlike the mass infections by Stuxnet, target carefully selected victims," said Alexander Gostev, chief security expert at Kaspersky Lab. "A unique set of files is used for every targeted attack. It is also possible that other modules are used, and not just a Trojan-Spy but modules with a range of other functions."

In Germany, police forces in five federal states admitted that they had used the Backdoor.Win32.R2D2 Trojan during criminal investigations. German hacker group, Chaos Computer Club, investigated the Trojan with help from experts from Kaspersky Lab's German office. The Chaos Club revealed that apart from Skype traffic, which can be legally intercepted under German law, the Trojan also intercepted messages in all the most popular browsers, various instant messenger services and VoIP programs: ICQ, MSN Messenger, Low-Rate Voip, paltalk, SimpPro, sipgate X-Lite, VoipBuster and Yahoo! Messenger. It was also found that the backdoor was capable of working on 64-bit versions of Windows. The authorities claimed that use of the Trojan was within the law, but would review use of the technology.

Android was top of the hit list for operating system attacks in October, Kaspersky Lab data showed that the total number of malicious programs for Android outstripped that for Java 2 Micro Edition for the first time.

"The fact that the growth in malware for Android has increased so dramatically indicates that for the time being the virus writers will most probably be concentrating on this operating system," warns Denis Maslennikov, senior Malware Analyst at Kaspersky Lab.

October also saw the emergence of Trojan-Downloader.OSX.Flashfake.d, a new version of the Flashfake Trojan for Mac OS X, which masquerades as an Adobe Flash Player installation file.

The Trojan's main function is to download files, but new functionality has also been added that disables Mac's built-in protection system XProtect, a simple signature scanner that is updated on a daily basis. Once disabled the protection system cannot receive updates from Apple, rendering it useless.

October also saw a lot  of corporate and state cyber-attacks. With organizations in Japan and the US most frequently attacked.

An attack was detected against members of Japan's lower house of parliament and Kaspersky said that it is highly likely that the hackers gained access to internal documents and the emails of affected parliamentarians. Malware was also detected on computers in several Japanese embassies around the world.

An investigation by Tokyo police into August's attack on Mitsubishi Heavy Industries revealed that about 50 different malicious programs were found on 83 computers targeted in the attack. The infected system was accessed over 300,000 times by the hackers, and the source of the attack was an infected computer that belonged to the Society of Japanese Aerospace Companies (SJAC). Hackers used this computer to send malicious emails to Mitsubishi Heavy and Kawasaki Heavy and covered their tracks by accessing the machine at SJAC from an anonymous proxy server in the US.

Kaspersky Lab said that the story of a virus found on the ground control systems of pilotless planes at a US air base highlights the unacceptably lax levels of security at important installations. According to an anonymous source at the US Department of Defence, the Trojan was designed to steal user data for a number of online games. It most probably ended up on the air base's system by accident and was not part of an attack.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code