Duqu Installer Contained Microsoft Word Zero-Day Exploit

Earlier this week Symantec released an update on Duqu. Apparently an installer was found for Duqu (dubbed Stuxnet II) that used a Microsoft Zero-day:

“The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they’re working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries.”

So far Duqu infections have been confirmed in six organizations in eight countries. The locations include France, India, Iran and Sudan.

In a short release on Tuesday, Microsoft stated that it knows of the threat and is working on a patch: “We are working diligently to address this issue and will release a security update for customers.”


Memory Forensics: How to Capture Memory for Analysis

There are several ways to capture memory from a Windows machine for analysis, but want an easy one? I mean a really easy one? Then look no further than MoonSols’ “DumpIt”.

MoonSols, the creator of the ever popular “win32dd” and “win64dd” memory dump programs, has combined both into a single executable that, when run, writes a copy of physical memory into the current directory. Just throw DumpIt onto a USB drive or save it on your hard drive, double click it, select yes twice, and before you know it you have a complete copy of your machine’s memory sitting on disk.

The only thing you need to make sure of, especially if using a USB drive, is that it is large enough to hold the file that is created. The memory dump will be a little larger than the size of your installed RAM. So, for instance, a machine with 4 GB RAM will produce about a 5 GB file.

Malware analysts use memory dumps to analyze malicious software. Once you have the memory dump, you can perform some very interesting analysis on it, such as viewing which processes and programs were running on the machine and what network connections the system had.

You can even pull passwords from them, which we will look at next time.
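The capture steps above, wrapped in a pre-flight check and an acquisition record, as an added PowerShell example that is not from the post or from MoonSols. It assumes DumpIt.exe sits in the current directory (for example the root of the USB drive) and, as the post says, writes the dump into that same directory; the dump’s file name is not assumed, the script simply picks up the file that appeared after DumpIt ran.

```powershell
# Added example (not from the post or MoonSols): check that the target
# drive can hold the dump, run DumpIt, then hash the image and write an
# acquisition record next to it. Assumes DumpIt.exe is in the current
# directory and writes its output there.
$ErrorActionPreference = 'Stop'
$work   = (Get-Location).Path
$dumpIt = Join-Path $work 'DumpIt.exe'
if (-not (Test-Path $dumpIt)) { throw "DumpIt.exe not found in $work" }

# 1. Installed RAM vs. free space on the drive we are writing to. The post
#    warns the dump is a little larger than RAM, so require RAM plus 25%.
$ramBytes  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$driveName = (Split-Path -Qualifier $work).TrimEnd(':')
$freeBytes = (Get-PSDrive -Name $driveName).Free
$needed    = [math]::Ceiling($ramBytes * 1.25)
"{0:N0} MB RAM installed, {1:N0} MB free on {2}:" -f ($ramBytes/1MB), ($freeBytes/1MB), $driveName
if ($freeBytes -lt $needed) {
    throw ("Not enough space: need about {0:N0} MB, have {1:N0} MB" -f ($needed/1MB), ($freeBytes/1MB))
}

# 2. Run DumpIt in this console (it asks for its own confirmation) and wait.
$started = Get-Date
Start-Process -FilePath $dumpIt -Wait -NoNewWindow

# 3. Locate the file DumpIt just created: a file that appeared after we
#    started, other than DumpIt.exe itself; take the largest if several.
$dump = Get-ChildItem -Path $work -File |
    Where-Object { $_.CreationTime -ge $started -and $_.Name -ne 'DumpIt.exe' } |
    Sort-Object Length -Descending | Select-Object -First 1
if (-not $dump) { throw 'No new dump file found after DumpIt finished' }

# 4. Hash the image and record host, time, size and hash beside it, so the
#    analyst can confirm the dump is unchanged when it reaches them.
$hash   = (Get-FileHash -Path $dump.FullName -Algorithm SHA256).Hash
$record = [ordered]@{
    Host      = $env:COMPUTERNAME
    Acquired  = $started.ToString('o')
    RamBytes  = $ramBytes
    DumpFile  = $dump.Name
    DumpBytes = $dump.Length
    SHA256    = $hash
}
$record.GetEnumerator() | ForEach-Object { "{0}: {1}" -f $_.Key, $_.Value } |
    Out-File -FilePath (Join-Path $work ($dump.BaseName + '.acquisition.txt'))
"Dump {0} ({1:N0} MB), SHA256 {2}" -f $dump.Name, ($dump.Length/1MB), $hash
```

Run it from an elevated PowerShell prompt whose current directory is the drive DumpIt lives on; the record file is what travels with the dump to the analysis machine.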

Part 2: Memory Forensics: How to Pull Passwords from a Memory Dump

Drone Wars – When Cyber War becomes Real

The race to create unmanned military equipment is in full fury. No ground robots were used during the Iraq War in 2003, but by 2008 there were about 12,000 in use there. Congress has required that one-third of all military ground vehicles be unmanned by 2015. Unmanned drones flown by pilots in the US are used daily in the hunt for terrorists in remote parts of Afghanistan and Pakistan.

Aerial drone technology is advancing rapidly. The US is testing the X-47B prototype, which will not only land on aircraft carriers but will also be refueled while still in the air. A stealth drone (the RQ-170 Sentinel) not only exists but has been in service for several years now. At least one of these units provided live video and monitored Pakistani military communications during the raid on Osama bin Laden’s hideout.

But the US is not the only country with this technology. China, Russia, Pakistan, Iran and about 45 other countries are either developing drones or buying them. Hezbollah has even joined the fray, reportedly using an Iranian-designed system.

Much hype has been heard in the media about “Cyber Wars”, but most of the instances cited so far point more to espionage or, in the most extreme cases, sabotage. The comparison to “war” really hasn’t been justified. But what if these automated machines could be compromised? What if a drone-based virus could change friend-or-foe designations?

One would first have to look at whether there are any situations where military robots have acted erratically or have been acted upon by external sources. P.W. Singer’s “Wired for War” covers several of these instances.

According to his book, there are numerous accounts of electronic interference affecting these units. Several types of robots in service have been noted to spin or act erratically (called a “Crazy Ivan”) when near radio frequency interference. Humorous at best, but when the robots are armed it really isn’t that funny:

“The Marine Corps’ Gladiator combat robot prototype (the one the size of a golf cart) also had a Crazy Ivan experience during its testing, driving about in a circle that left the marines at the exercise not knowing whether to laugh or run away.”

Electronic jammers used on US vehicles to prevent IED attacks have also wreaked havoc with military drones. According to Singer, the jammers can cause some drones to crash when they fly overhead, prompting one army EOD team to call their Talon drone “Rainman the Robot.”

Also according to Singer, military robot manufacturers are using off-the-shelf components in some equipment and are being pressured to cut corners in testing to get the units out into the field:

One engineer described “pressure to try to pass safety tests only with the paper version [of the robot’s design]; that is, no field tests.”

Militants have intercepted live video feeds from Predator drones in the past, using $26 worth of off-the-shelf equipment. And recently a virus was found on military systems near computers used in piloting drones.

With many of our systems, military and civilian, under constant attack by foreign entities (even our satellites!), one would have to assume that automated military systems will eventually be targeted by our adversaries too.

Though no instances have yet been recorded of automated systems being infected or attacked, if code could be injected into these systems that allowed enemies to remotely control them or change friend-or-foe designations, we may truly be on the verge of a real cyber war.