virus - ReadWriteWeb
http://www.readwriteweb.com/feeds/tag/virus
Copyright 2012 Richard MacManus (readwriteweb@gmail.com)
Tue, 14 Feb 2012 05:30:00 -0800

Evidence Stuxnet May Be an American-Israeli Collaboration

A three-month investigation published Saturday by The New York Times indicates that the Stuxnet virus that damaged Iran's nuclear program may well have been a joint project of the American and Israeli governments.

The "Dimona complex" located in the southern Negev desert in Israel, where that country is said to have centered its nuclear weapons program, may for two years have been the proving ground for Stuxnet as well.

Stuxnet, a virus that attacked a particular piece of machinery used in Iranian uranium enrichment efforts, and which hit Iran more than any other country, has been widely acknowledged to be too complex to be a hacker artifact and is a likely government undertaking.

Recently, both the U.S. Secretary of State and the head of Israel's Mossad spy agency have stated that Stuxnet has pushed Iran's full nuclear capability start date back several years. The clean-up of the virus, the replacement of damaged parts on the centrifuges and other machinery, and the hardening of the system against future viral attacks will delay the program by as many as three years.

At Dimona, says the Times, "Israel has spun nuclear centrifuges virtually identical to Iran's at Natanz, where Iranian scientists are struggling to enrich uranium." It's a lot easier to target a virus at a piece of machinery if you've got the machinery to hand, goes the argument.

Among additional evidence that this was a U.S.-Israel attack:

  • Idaho National Laboratory conducted tests of weaknesses in Siemens equipment for the U.S. Department of Energy, which oversees the U.S. nuclear program (the machinery Stuxnet targeted was manufactured in part by Siemens)
  • In January of 2009, then-President Bush "authorized a covert program to undermine the electrical and computer systems around Natanz, Iran's major enrichment center"
  • The U.S. succeeded in stopping an April 2009 delivery of Siemens controllers to Iran, according to several Wikileaks-released cables

The Times' investigation hardly proves conclusively that Stuxnet was a U.S.-Israel collaboration, but it does strongly suggest it. It will be interesting to find out if future diplomatic cable releases shed any further light on it.

Dimona cliff photo by Hanan Cohen | Natanz photo from OpenDemocracy

http://www.readwriteweb.com/archives/evidence_stuxnet_may_be_an_american-israeli_collab.php | Real World | Tue, 18 Jan 2011 15:00:00 -0800 | Curt Hopkins
Virus Targets Industrial OS, Reaches Iran's Nuclear Plant

Several weeks ago, when the Stuxnet virus first struck, the thing that stuck out was how it targeted the computer systems found in factories, called supervisory control and data acquisition systems, or SCADA. My first thought was a hacker had picked a unique target in order to show off his or her chops.

My second thought was how this type of attack could herald a type of economic warfare we don't think that much about any more in an era of electronic communications. To preserve our societies, we need to be able to continue to make things. This virus would attack a country at that level. But now, some experts have suggested the virus shows "signs of nation-state involvement" as it apparently goes after the control systems in an Iranian nuclear facility.

In fact, this was not the first SCADA attack. Last year, hackers got into the SCADA that controls U.S. power systems. It was possible that foreign powers, probably Russian- or Chinese-directed hackers, were behind the infiltration. Given the relative weakness of anti-virus technology in SCADA, versus traditional business systems and consumer electronics, it was just a matter of time until someone figured it out.

Most attacks on computer systems, Threat Post reminds us, are predicated on sweet, sweet money. The Stuxnet virus has no immediately visible paths to cash dollars. It is also not just a clever virus, but a very sophisticated one. These elements together have convinced security specialists that it has a national backer.

"The attack exploits a zero-day vulnerability in the way that all currently supported versions of Windows handle LNK files and is spread initially through USB sticks. Once an infected USB drive is attached to a PC, the attack on the machine is essentially automatic and there is little indication to the user that anything bad has happened. But that's just one piece of the puzzle. Stuxnet also exploits a vulnerability in Siemens' WinCC SCADA control software, which runs on industrial control systems in utilities, power plants, manufacturing facilities and other key environments. Once on the machines, the malware attempts to contact a remote server and join a botnet."

Another element that hints at national origin is its alleged attack on the Bushehr nuclear plant in Iran only weeks before it is supposed to go online. A journalist friend of mine in the Middle East did remind me, though, that information out of Iran is rarely accurate. If it is true, it could point to the involvement of Israel, which has been vocal in its opposition to Iran achieving nuclear capability. The regime has threatened to destroy Israel and is within striking distance. Other suspects include the U.S., Saudi Arabia, Pakistan, the U.A.E., well, really, anyone in the area. And many outside of it.

Stuxnet has attacked 45,000 systems so far and probably took a team of about 10 hackers to create.

U.S. military computer systems are probed thousands of times a day, so viral warfare is an established element of international relations. You have to wonder when the first Chernobyl-sized hash will get served.

Atom bomb photo via Richard John Jones | SCADA diagram and Iranian nuclear logo from Wikimedia Commons

http://www.readwriteweb.com/archives/stuxnet_virus_targets_industrial_os.php | Business | Mon, 27 Sep 2010 12:00:00 -0800 | Curt Hopkins
"Here You Have" Email Virus Spreading Fast and Wreaking Havoc

Recently, we have talked a lot about how hackers can use social networks to get users to download malicious software to their computers. The most effective way for viruses to spread, however, is still email, and the "Here you have" email worm that is currently making the rounds makes it abundantly clear that most users are still not able to spot and protect themselves from these threats. The email, which has already affected the networks of major organizations like Comcast, NASA and Wells Fargo, comes with the subject line "Here you have" or "Just For you" and appears to include a link to a PDF file.

This file, however, is not a PDF document but a malicious .SCR executable file. Windows uses the .SCR extension for screensavers and this file can only be run by Windows machines. Mac users are - as is so often the case - safe from this threat.

Here is the text that appears in these emails:

Hello:
This is The Document I told you about, you can find it Here. <link to .SCR file>
Please check it and reply as soon as possible.
Cheers,
<name>


As is so often the case, the text is socially engineered to ensure that users - especially in a corporate environment - will be drawn to opening the file immediately. As the worm seems to come from a trusted source and points to what at first glance appears to be a legitimate document (and most users don't associate PDF files with security threats), a lot of users are prone to opening it without thinking twice.
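One way a mail gateway or a security team's triage script can catch this particular trick is to look at what the link actually points to rather than what the message says it is: a URL whose final path component ends in a Windows-executable extension such as .SCR, surrounded by text that calls it a "document" or "PDF", is exactly the mismatch the worm relies on. The following is an added illustration, not code from the original article or from Symantec; the sample messages, the hostnames and the helper names (final_extension, suspicious_links, assess_message) are constructed for this example.

```python
"""Flag e-mail links that present a Windows executable as a document.

Added example for the "Here you have" worm described above; not code from
the original article. All sample messages and hosts below are constructed.
"""
import re
from urllib.parse import urlparse

# File types Windows will run directly when opened; .SCR (screensaver)
# is the one the "Here you have" worm used.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Words in the text around a link, or in its filename, that suggest the
# sender is presenting it as a harmless document.
DOCUMENT_HINTS = ("pdf", "document", "report", "invoice", "attachment")
# Subject lines the article reports for this worm.
KNOWN_SUBJECTS = {"here you have", "just for you"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def final_extension(url: str) -> str:
    """Lower-cased extension of the last path segment, ignoring the query
    string, so 'x/report.pdf.SCR?id=7' yields '.scr' (the real type)."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def suspicious_links(body: str, context_chars: int = 60) -> list:
    """Return every link to an executable, noting whether the surrounding
    text or the filename itself dresses it up as a document."""
    findings = []
    for m in URL_RE.finditer(body):
        url = m.group(0).rstrip(".,;:)")
        ext = final_extension(url)
        if ext not in EXECUTABLE_EXTENSIONS:
            continue
        before = body[max(0, m.start() - context_chars):m.start()].lower()
        filename = urlparse(url).path.lower()
        disguised = any(h in before for h in DOCUMENT_HINTS) or ".pdf" in filename
        findings.append({"url": url, "extension": ext, "disguised_as_document": disguised})
    return findings


def assess_message(subject: str, body: str) -> dict:
    """Combine the link check with the known lure subjects into a verdict:
    'block' for any executable link, 'review' for a lure subject with no
    link (a variant may use a different delivery), else 'allow'."""
    links = suspicious_links(body)
    reasons = []
    if subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject matches known worm lure")
    for f in links:
        label = "executable disguised as document: " if f["disguised_as_document"] else "link to executable: "
        reasons.append(label + f["url"])
    verdict = "block" if links else ("review" if reasons else "allow")
    return {"verdict": verdict, "reasons": reasons, "links": links}


# Constructed sample modelled on the lure text quoted above; the host is a
# placeholder, not the worm's real link.
SAMPLE_WORM_MAIL = (
    "Here you have",
    "Hello:\nThis is The Document I told you about, you can find it Here. "
    "http://files.example.invalid/share/document.pdf.SCR\n"
    "Please check it and reply as soon as possible.\nCheers,\nA. Colleague\n",
)
# Constructed benign message: a genuine PDF link should pass.
SAMPLE_BENIGN_MAIL = (
    "Q3 numbers",
    "Hi, the slides are at https://intranet.example.invalid/q3/summary.pdf - thanks.",
)

if __name__ == "__main__":
    for subject, body in (SAMPLE_WORM_MAIL, SAMPLE_BENIGN_MAIL):
        result = assess_message(subject, body)
        print(f"{subject!r}: {result['verdict']} {result['reasons']}")
```

The check deliberately takes the extension from the last path segment only, after stripping the query string, so a name such as `document.pdf.scr` or a trailing `?id=` cannot hide the real type; matching on the subject alone is kept as a weaker "review" signal because variants of the worm are already changing the wording.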

What Does "Here You Have" Do?

According to Brian Ewell of security firm Symantec, here is what the worm does:

  • Spreads through mapped drives via autorun
  • Spreads through email by taking contacts from the address book
  • Spreads through instant messenger
  • Disables various security-related programs

As it manages to disable the antivirus products of numerous vendors, the virus can then propagate with relative ease. Besides email, the virus also uses open drive shares on a home or office network to spread itself even further. According to Symantec, just opening a folder that contains this file will launch the threat.

The link inside the original emails has now been taken offline, but a number of variants are already taking its place.

Image credit: Flickr user eviltomthai.

http://www.readwriteweb.com/archives/here_you_have_email_virus_spreading_fast.php | News | Fri, 10 Sep 2010 09:20:08 -0800 | Frederic Lardinois
TweetDeck Warns Of Fake Update, Trojan

As we mentioned earlier today, some third-party Twitter applications may stop working because Twitter has made some big changes this morning regarding how other applications and websites gain access to your Twitter account. Unfortunately, some unfriendly types out there have tried to take advantage of the situation with a fake TweetDeck update that is actually a trojan horse virus.

TweetDeck posted a warning on its blog yesterday about the fake update, but today will be the real test, as many of us go searching for the real update.

[Image: broken-tweetdeck.JPG]

If you're seeing what I'm seeing this morning (see above), the only place to go is the official TweetDeck website. According to TweetDeck, there are a number of tweets getting passed around urging users to update to the latest version of TweetDeck. While many do need to update, the only place users should go to download this update is http://www.tweetdeck.com/desktop/. The tweets about the fake update link to a file named "tweetdeck-08302010-update.exe" and often come from the URL http://alturl.com. The TweetDeck blog warns that many of the suspect tweets include the following:

TweetDeck will work until tomorrow, udate now!
1. Download TweetDeck udate ASAP!
2. Update TweetDeck!
3. Hurry up for tweetdeck update!
4. Sorry for offtopic, but it is a critical TweetDeck update. It won't work tomorrow!

Trend Micro researcher Paul Ferguson told Network World that the file is "a generic Trojan horse program that is not detected by most antivirus products", so installing the fake update could be harmful and go completely unnoticed.

http://www.readwriteweb.com/archives/tweetdeck_warns_of_fake_update_trojan.php | Security | Tue, 31 Aug 2010 09:30:00 -0800 | Mike Melanson
Does Facebook Need Its Own Anti-Malware Service?

Does Facebook need to run its own anti-virus and anti-malware security system? That's a question that may need to be addressed in the near future, as the now almost 500 million users on the social networking service are facing regular attacks from rogue applications, phishing attempts and other sorts of hacks, not to mention the onslaught of viral, but often completely inaccurate, reposted status messages that spread around the network like modern-day chain letters. These messages warn users about some supposed threat occurring on the site, but are often either misguided or out-and-out lies.

Is it time for Facebook to step in and do more to protect its network and its users from threats like these?

Rogue Facebook Apps Top Rogue Anti-Spyware During Busy Weekend

The latest threat to make the rounds on Facebook is a rogue application dubbed "Distracting Beach Babes." The app compromised the security of thousands of users' accounts by way of status messages that appear to be from friends. But when the users click through on the tantalizing link, they're asked to give an application permission to run. The app then tells users they must update their "FLV player" before they can see the video. Those that attempt to do so are sent off-site to another page where malware is installed on their computer.

This is hardly the first rogue application to take advantage of Facebook's automated app approval systems. In fact, only days ago, a similar attack was underway. This one was a link to what was purportedly the "sexiest video ever!" (Those hackers sure know how to entice, don't they?)

This particular application led to a very busy weekend for anti-virus firms, indicating a major push by rogue Facebook apps, says AVG's chief research officer, Roger Thompson. Via the AVG website, Thompson reported that from midnight to 9 a.m. on May 15, AVG's anti-malware software blocked more than 30,000 rogue Facebook applications, more than three times the rate of rogue anti-spyware.

In other words, the new anti-malware wave won't be coming from email, IM or other random websites users are tricked into visiting. It will come from your Facebook friends... or so it will seem.

Thompson acknowledged that Facebook's security team was "very responsive" in identifying and removing these sorts of rogue applications, but Facebook's by-default viral nature allowed them to spread rapidly and affect large numbers of users before the apps could be removed. "This attack was actually stunning in terms of scale," he said.

Rogue Apps, Phishing, Scams and More

Other recent Facebook-related malware attacks have included fake Facebook password reset emails, the seemingly never-ending spread of the Koobface worm, the "stalk my profile" scam (a rogue app with 25 variations, claiming it could tell you who visited your profile), the rogue "like" app (which borrows the infamous like icon), and many others. Other unpatched attack vectors pop up every day, like this security hole which researcher Joey Tyson (a.k.a. theharmonyguy) describes as a "dream situation for phishing." This vulnerability is especially troubling as it enables a hacker to present a convincing Facebook login page that actually contains the term "facebook.com" within its URL. (See it in action here. Can you tell that's not the real Facebook.com?)

The situation has gotten so bad that users, in an attempt to be helpful, end up spreading around messages about various threats. Unfortunately, the threats they report are often false or are simply harmless bugs that Facebook is fixing, adding to the confusion. Case in point is the warning that anyone who received "tons of friend suggestions" was infected with a virus. The reality, ironically, involved a widespread misunderstanding of the actual Facebook friend suggestion feature. The situation is so out of control that people are now spreading jokes poking fun at the trend itself.

Facebook's Security Efforts to Date

For what it's worth, earlier this year, Facebook implemented virus-scanning for the PCs of compromised users after they had fallen victim to an attack. The company also runs its own Security Page, which serves as a warning system of sorts. The page now has over 1.8 million fans (or in the new lingo, "people who like this"). But on a network of nearly 500 million, this is the equivalent of a drop in the bucket. And it may not be enough to combat this ever-growing threat.

Sophos security researcher Graham Cluley recently pondered this same question, asking, "Isn't it time that Facebook set up an early warning system on their network, through which they can alert their... users about breaking threats as they happen?" The impact of such a feature could be dramatic, he explains. "Imagine just how many people could have been protected if a simple message had appeared on all users' screens warning them of the outbreak."

Whether an early warning system is actually needed is debatable. Another option would be for Facebook to more closely monitor the applications submitted to its platform. As the New York Times recently reported, "Facebook's automated system for application developers leaves a door open to the creation and distribution of abusive applications," even if the apps' ability to spread is short-lived.

But apps that only live for a few hours can still have thousands of victims. Maybe it's time for Facebook to make sure they never get to live at all?

Image credits in original article: Facebook; Sophos

http://www.readwriteweb.com/archives/does_facebook_need_its_own_anti-malware_service.php | Facebook | Tue, 25 May 2010 08:53:34 -0800 | Sarah Perez
New iPhone Worm: How Worried Should We Be?

Numerous reports have surfaced over the weekend regarding the first iPhone worm spotted in the wild. The worm, known as iKee, only affects modified handsets, also known as "jailbroken" devices. These devices have been hacked by their owners to allow for the installation of unapproved, third-party programs that aren't allowed in the iTunes App Store.

Currently, the worm doesn't appear to be all that malicious - it simply changes the phone's background image to a photo of singer Rick Astley, the man whose song "Never Gonna Give You Up" has become a well-known internet meme called "rickrolling," a joke where users are tricked into clicking links that redirect them to Astley's YouTube video.

Despite the relatively innocuous nature of this particular attack, it may be the precursor to future attacks of a more malicious nature. But how dangerous will these attacks be to the iPhone-owning population as a whole? Is there really a need for concern?

About the iKee Worm

According to the hacker, 21-year-old Ashley Towns, a student living in New South Wales, Australia, iKee was created to highlight the iPhone's poor security. Apparently unrepentant about his creation, Towns has made no attempt to hide his identity, posting on internet forums and on his Twitter page about his hack. He even cheekily tweeted a response to a post on security firm Sophos' blog where the writer had sought out the hacker's identity via Google searches: "You know man if you wanted my number you could have asked." And he wasn't kidding - Towns has been happily responding to media requests via his Twitter account. For example, he told ABC News that he had personally infected 100 iPhones with the worm. From those phones, he explained, the worm will then try to spread to other devices.

Perhaps the reason for his transparency has to do with the relatively harmless nature of the attack. The worm just changes the iPhone wallpaper on the affected devices. However, as the Sophos post points out, "accessing someone else's computing device and changing their data without permission is an offence in many countries."

While that may be true, it's clear that Towns feels as if he's almost doing a public service by exposing a security vulnerability that many jailbroken iPhones face.

More Hacks Expected?

While this particular worm appears to be localized to Australia, it could have spread to other countries and eventually, worldwide. It also comes directly on the heels of another similar attack on jailbroken devices. Only last week, a Dutch hacker broke into jailbroken iPhones and then displayed a message on the compromised devices demanding a ransom of 5 Euros. This attack was also made possible through the same vulnerability that the iKee worm uses.

Graham Cluley of Sophos predicts that other hackers will be tempted to write their own code now that they've seen what's possible. In addition, some hackers may be more malicious with their creations than what we've seen so far.

But Who is Really Being Affected?

However, even if the attacks escalate, the fact of the matter is that the potential victims are a minor subset of Apple iPhone users. To begin with, they're relatively tech-savvy, having managed to jailbreak their phones - a process which involves using downloadable software tools that unlock Apple's control mechanisms on the device. While not overly complex, most mainstream iPhone users won't bother to take this action, content with the iTunes App Store and its 100,000 or so available applications.

And then there is the fact that the attacks don't even affect all jailbroken iPhone owners - they only affect those who have also installed a program called SSH on their devices. The program allows users to access the iPhone's filesystem with the username of "root" and password of "alpine." Since few of those users had bothered to change this default root password, their phones were left open to attack.

Still, how many people are we talking about here? And what sort of iPhone user are they? Although exact numbers of jailbreakers are unknown, mobile analytics firm Pinch Media recently revealed data showing there are at least 4 million of these jailbroken devices in the iPhone ecosystem. It's not known how many of these users have also installed SSH.

For the most part, it's likely that those who have done so are knowledgeable enough to prevent future attacks on their devices even if they had become a victim of one of these recent hacks. At the very least, they're now aware of the issue and can follow the straightforward instructions available on the web that explain how to change the root password so it's no longer the default.

More Dangerous than the iPhone Worm: Dishonest Developers

Despite all the media hoopla over this "first iPhone worm," it's not something that most iPhone owners will have to worry about. What's more concerning are the claims that a supposedly legitimate iPhone development firm has been collecting personally identifiable information from the users of its App Store-approved iPhone games which have been installed over 20 million times. According to a suit filed in the U.S. District Court in Northern California, the firm, Storm8, has been using a backdoor method which allowed them to collect the phone numbers of anyone who had installed their applications. This wouldn't be the first time that an iPhone developer has done this, either. Apple actually provides an easy way for developers to tap into this information, if they so desire.

If anything, this is the real threat that the media should be focused on, not the iPhone worm.

http://www.readwriteweb.com/archives/new_iphone_worm_how_worried_should_we_be.php | Apple | Mon, 09 Nov 2009 06:24:32 -0800 | Sarah Perez
Latest Facebook Scare: The Cure May Be Worse Than The Disease

It seems like every virus produces a list of capitalistic charlatans. During the Bubonic plague, thousands spent their hard-earned savings on worthless talismans in the hopes of avoiding the Black Death. The song "Ring Around the Rosy" even documents the myth that a "pocket full of posies" could ward off the disease. Today's modern-day talisman comes in the form of fake anti-virus software. According to John Leyden's recent Register article, fake software is being peddled to users who believe their systems are infected with the Facebook Fan Check Virus.

It's unclear whether or not the Facebook Fan Check Virus actually exists. It's entirely possible that concerned forum members are simply laying the bait for malware scams. Only one thing is certain: sites claiming to protect against the virus are being used to trick users into offering up their credit card information.

Says Sophos' Senior Technology Consultant Graham Cluley in a blog post, "The bogus warnings look near identical to previous fake anti-virus software attacks that we have seen in the past - with a scrolling green progress bar and a list of alleged threats found on your computer displayed in a dramatic red colour scrolling up."

Phishers are designing site pop-ups that mimic system anti-virus warnings in order to lure users into giving up personal information and, in some cases, downloading malware. According to the Anti-Phishing Working Group, more than 9,000 scareware packages have been in circulation since late 2008.

For a list of some of these potential issues, check out ReadWriteWeb's Top Online Security Threats for 2009 or visit the US Computer Emergency Readiness Team site for industry updates.

http://www.readwriteweb.com/archives/facebook_virus_rumors_lead_to_bogus_scareware.php | Facebook | Mon, 07 Sep 2009 20:49:57 -0800 | Dana Oshiro
SlideShare Used to Spread Malware

When it comes to spreading malware on the web, virus writers are nothing if not creative. We've seen malware infiltrate everything from Facebook to Twitter to email to IM. Now it seems you can add another site to that list: SlideShare, the community for sharing your slideshow presentations on the web. Over the weekend, security firm ESET discovered that this popular social media resource was being used to spread malware in the form of fake slide decks. Although these initial attacks were relatively simple to detect, future variations could easily become more deceiving.

That's Not a Slideshow, It's a Virus!

According to ESET's report, the attackers created slide decks which contained a link to a malware-laden website and then lured unsuspecting victims to SlideShare using traditional social engineering tactics. The presentations themselves should have raised a red flag for careful users, we think, but we have no way of knowing how successful they were at this time.

One of the presentations found included just one slide with a single link. The slideshow was purportedly offering a cracked download of ESET's own NOD32 scanner, an antivirus software program. To lend credibility to the download, the attackers added in the SourceForge logo (as if the open-source application directory SourceForge was a place to find cracked warez!) Of course, when the user clicked the link, they wouldn't end up on SourceForge, but on a spoofed site that looked very similar. A window would then pop up prompting the user to download a .EXE file. Since the user already thought they were accessing a link for a software installation program, they would click the link and let their computer be infected with the malware.

Of course you may scoff at these victims since they were trying to get "something for nothing" - in this case, a free anti-virus program when really they were being given a free virus instead. However, while you may not have fallen for this particular scam, it's only one example of how the SlideShare platform could be used for nefarious purposes such as this. It's not far-fetched to imagine that in the future attackers could create even harder-to-detect malware-infused slideshows. We foresee them copying a legitimate slideshow from the site and then including an extra page with their malicious link. News like this is all the more reason to run a good anti-virus program on your PC.

SlideShare Responds Quickly

In SlideShare's defense, they took action quickly against this threat. As soon as it was brought to their attention by way of the ESET blog post, SlideShare co-founder Amit Ranjan responded in the comments saying:

"I just wanted to let readers know that the offending user account has been removed. Thanks a ton for bringing this to our notice. Spam slideshows are a problem for us. And as this example shows, they can be turned malicious as well. In case anyone comes across any other user account from where this is happening, please email us, and we shall take immediate action. As a company we are committed to stop all such malpractices."

However, the rogue account which had been used to spread the malware had joined the SlideShare community in June 2009 and had uploaded as many as 2473 presentations before they were banned this week.

Social Sites Need to Think About Security

The more popular the site becomes, the more likely it will be used to spread malware, so perhaps SlideShare should be somewhat flattered that they've reached this level of notoriety. They've now joined the ranks of many other social networking sites who have seen regular malware threats invade their platforms. Facebook, for instance, has come under attack multiple times in the past, the most memorable of which was the Koobface trojan which leaped outside of Facebook to spread to other social networking sites. It continues to evolve, even infecting Twitter as recently as last month. But Facebook isn't the only example by any means of social sites under attack. Unfortunately, any website or social community where users are allowed to post content could become victim to threats such as this.

What's odd, though, is how many sites seem to think of security as an afterthought. Case in point, it was only on Monday of this week that we saw Twitter start filtering malicious links from being posted. These are the sort of features that really should have been included from the get-go. In SlideShare's case, they may eventually have to go the same route as Twitter and partner with a malware-scanning service like Google's Safe Browsing API to make sure their hosted content isn't dangerous to their users. In fact, they may want to start looking into that right now.

http://www.readwriteweb.com/archives/slideshare_used_to_spread_malware.php | Social Networks | Wed, 05 Aug 2009 06:30:11 -0800 | Sarah Perez
StalkDaily: A New Twitter Virus on the Loose?

Network World is reporting a new Twitter virus has been making the rounds today. At best the virus will auto-tweet this message: "Hey everyone, join StalkDaily.com. It's a site like Twitter but with pictures, videos and so much more." At worst, it may lock you out of your Twitter account, as noted by Sheamus Bennett at Twittercism.

"Whatever you do," suggests Bennett, "don't visit StalkDaily.com. Even without registering or logging on to the site it somehow infects your Twitter profile." Curt Monash over on Network World, however, suggests you can get infected without visiting the site; clicking on the GangsterBoy Twitter account could be enough to cause the infection.

While no one has been able to verify what is going on and we have had no official word from Twitter [update below], Bennett recommends the following steps to remove StalkDaily from your Twitter profile if you think you've been infected.

  1. In your browser, clear your cache and empty all of your cookies. (This can be found in your settings.)
  2. Log out of TweetDeck or any external applications you are using.
  3. On Twitter.com, change your password.
  4. Log back in. It should be okay. If so, log back into TweetDeck et al.
  5. Go back and delete any tweets sent by you recommending StalkDaily. This is important.

Monash, who has been furiously sending messages to the @spam team to remove the seemingly malicious GangsterBoy account, offers a suggestion from @pilot: disable scripts via NoScript in Firefox.

According to Bennett's latest tweet, there have not been any new instances of it in quite a while.

Update:

Twitter's Spam account has issued an update stating that it is aware of StalkDaily, is working to shut it down and recommends doing a password reset if you're locked out of your account as it may have reset your password for safety reasons.

http://www.readwriteweb.com/archives/stalkdaily_a_new_twitter_virus_on_the_loose.php | News | Sat, 11 Apr 2009 16:41:12 -0800 | Lidija Davis
It's Alive! Conficker Wakes Up - And Now It Has a Business Model

Conficker, the Internet worm that caused a mild panic reminiscent of Y2K late last month, but which failed to do anything spectacular that would have warranted the breathless coverage on 60 Minutes ("The Internet is Infected"), has finally woken up. This morning the worm started to update itself via a peer-to-peer network between infected machines after downloading its payload from a server in South Korea.

It is not clear how many machines were infected with this worm, but estimates range from 9 million to 15 million.

While earlier variants of the Conficker worm prevented infected machines from accessing the servers of most antivirus companies, this new variant also blocks access to sites that offer tools for removing the worm, such as BitDefender's bdtools.net.

Oddly, the Conficker worm now also includes an instruction that tells the worm to remove itself on May 3 (the hackers clearly like deadlines), though after that, it will keep a port open on these machines that will allow the hackers to get back into these computers at any time.

The Big Picture: Spyware, Spambots, Pop-Ups

According to both Trend Micro and Symantec, Conficker, after downloading its update, also downloads a variant of the well-known Waledac malware. Waledac is one of the world's most active spambots.

Security researchers are still trying to understand the connection between Waledac and Conficker's new E variant (only a small number of antivirus products can currently detect this version of Waledac, by the way). Some, however, speculate that this connection could mean that Conficker was created by the same group of hackers that created Waledac and its predecessor, the infamous Storm botnet.

Business Model?

According to Kaspersky Lab's Alex Gostev, Waledac will download a rogue antivirus application onto infected machines, as well as an email worm that can steal data and send spam. The fake antivirus software will ask users to pay $49.95 for "Spyware Protect 2009," which, of course, is anything but an antispyware product.

Protect Yourself (and others)

Of course, if your Windows machine is up to date and you have kept your antivirus software up to date, then chances are very good that you are well protected against Conficker.

If you want to learn more about Conficker and how to protect yourself, have a look at this list of resources we put together last month. If you want to see if you are infected, head over to this site from the University of Bonn.

http://www.readwriteweb.com/archives/its_alive_conficker_wakes_up_and_now_it_has_a_business_model.php News Thu, 09 Apr 2009 09:38:39 -0800 Frederic Lardinois
First Came Geo-Awareness, Then Came Geo-Aware Malware

An Internet worm that uses social engineering to direct you to a malicious web page is nothing new - that's just everyday malware. But there is something different about the latest variant of the Waledac worm: it uses geolocation services to target its intended victims. Initially, the Waledac worm sends a spam email message claiming there has been a dirty bomb explosion in "your city." If the victim clicks through on the provided link, the worm then uses a geo-IP lookup service to customize the story appearing on the malicious site, which is designed to look like that of news agency Reuters.

The rest of the attack is somewhat predictable. Users view the fake news story that now includes their own city's name in the headline and body of the article, which begins, "powerful explosion burst in [your city name here] this morning." Then users are encouraged to view the video, but if they click on the video itself or the link below, they're prompted to download the latest version of Flash Player. Of course, that download isn't Flash, but the worm itself.

What's interesting about this new attack vector is that the worm is making its message more relevant by using geo-awareness... and this isn't the first time the worm has done so. Although an IP lookup isn't going to yield pinpoint accuracy, it will usually get the city name correct, and for now that may be good enough. But if we know malware writers, then we know it's only a matter of time before they attempt to exploit the new geo-aware services, too, in order to deliver even more precisely targeted messages.

Are Mobile-Based Geo-Aware Exploits Next?

For truly accurate geo-aware targeting, attacks would have to come across the mobile front where people carry pocket-sized GPS units integrated into their handhelds. Mobile computing is on the rise and where the people go, so go the hackers.

In a relatively short period of time, we've seen the rise of mobile social networks like Brightkite, Loopt and others; Google's new location-based tracking service Latitude made its debut; and more recently, Yahoo's Fire Eagle technology arrived on Facebook and in Firefox. With any one of these services, a user's exact location could be plotted. Armed with that info, what could a malware author do? Send you news stories about the restaurant where you're dining? Text you drink specials when you're at a bar? Who knows! But combine that level of accuracy with mobile-ready malware-laden web sites and we could have a real threat on our hands.

Mobile Malware is Still Quiet... for Now

However, this is all just speculation at this point. Today's mobile malware incidents are few and far between. Still, the treasure troves of personal information stored on our smartphones make them appealing targets to malware writers. No matter how tight the security of these modern devices is, eventually, hackers can find their way in.

According to Andrew Storms, director of information technology at nCircle Network Security, bigger phone-based threats are just around the corner. "No one should be surprised if we see the first major threat of the migration of botnets from traditional computing devices to mobile platforms," Storms says. "Some smartphones already have more memory and higher processing power than laptops from just a few years ago. A constantly moving and adapting mobile botnet presents a compelling business proposition for hackers and an interesting real-world case study in chaos theory."

Patrik Runald, Chief Security Advisor at F-Secure, agrees. "At some point, the criminals now developing PC malware will start focusing on mobile devices," Runald said. "It's not a question of if, but when and how. I'm keeping a close eye on the iPhone -- it may be the tipping point that sets the mobile malware field afire."

Frankly, we're surprised it isn't here already. Are modern smartphones really that much more secure or do they still not yet exist in large enough numbers to make them worth attacking?

Image credit: kmevans

http://www.readwriteweb.com/archives/first_came_geo-awareness_then_came_geo-aware_malware.php Trends Tue, 17 Mar 2009 06:27:22 -0800 Sarah Perez
The Facebook Virus Spreads: No Social Network is Safe

"Koobface" is the name of the Trojan worm that's been making its way through the social networking site Facebook lately, but to the site's users, it's been simply known as "the Facebook virus." That name will soon become a misnomer, though, because the worm is now spreading outside of Facebook's walls to attack other social networks like Bebo, MySpace, Friendster, MyYearbook, and Blackplanet.

About Koobface

Once a computer has become infected with the Koobface worm, it spams the friends of the computer's owner by leaving comments on their profiles. Those comments appear to come from the infected user, saying things like "Are you sure this is your first acting experience?", "is it u there?", "impressive. i'm sure it's you on this video", "How can anyone get so busted by a spy camera?" and "You're the whole show! i'm admired with you." Save for that last one, whose bad English will likely raise a flag that all is not what it seems, the comments appeal to people's vanity. Recipients wonder whether that really is a video of them, and then click through on the link provided.

The link actually takes them to an off-site page which pretends to offer a video download from "YuoTube," but then stalls, saying that you'll need a new version of Adobe's Flash Player installed in order to continue. Of course, if you click the button to proceed with the install, you're infected. Infected users are then directed to even more contaminated web sites when they try to use search engines, which puts them at risk of identity theft, among other things. "Search terms are directed to find-www.net," said McAfee's Craig Schmugar, and that "enables ad hijacking and click fraud."

Social Networks Will Be the New Breeding Ground for Viruses

Koobface may not be the first bit of malware to hit the social networks, but it has become so widespread that it now accounts for one percent of ScanSafe's blocked malware, said ScanSafe senior security researcher Mary Landesman. (Facebook will not disclose how many members are infected.)

What's frightening about the spread of this Trojan is not the worm itself - it's really nothing new in terms of malware - but the way it's being spread. Over the years people have learned to be suspicious of unknown links and attachments in their emails, so the virus writers turned to hit us where we're more vulnerable: on our social networks. Here, many people still have a feeling of comfort and security. They don't always have their guard up.

According to Graham Cluley, senior technology consultant at Sophos, "a key factor which helps social-networking spam and malware succeed is that people are more prepared to click on a link or message if they believe it is from someone they know. The average person is used to receiving unsolicited e-mails in their regular inbox, but believes messages have more credence when they arrive via Facebook. The message is clear -- people need to beware."

Cluley also warns that the situation is going to get worse next year. There will be more attacks and they will become more sophisticated. "It will probably take a long time before the general public begins to learn that hackers and scammers are using the system for their own ends."

How To Protect Yourself From Koobface

Besides doing the obvious - running up-to-date antivirus software, security patches, and firewalls - you should be on the lookout for the following:

[Screenshot: a sample Koobface spam message]

[Screenshot: the malicious Koobface site]

[Screenshot: the Koobface warning message]

You should also keep an eye on Facebook's security page (http://www.facebook.com/security) which warns of the latest threats.

Image credits: virus, courtesy of akajos; Facebook screenshots, courtesy of McAfee Avert Labs

http://www.readwriteweb.com/archives/the_facebook_virus_spreads_no_social_network_is_safe.php Trends Thu, 11 Dec 2008 06:27:56 -0800 Sarah Perez