Computer Science Student Michael Heerklot

DLL Side Loading – a malicious DLL in a specific Windows directory is loaded instead of the legitimate one due to a vulnerable feature

Which tool and application were used to exploit the identified vulnerability on the targeted Microsoft® Windows 2003 XP server?

Ralph Langner’s article on the Stuxnet worm discusses the hardware, distribution and targets of the attack. He also goes into detail regarding the outlook of future attacks and what we can do to prevent them.

The two vulnerabilities that will be discussed in this report are Flame and ZeroAccess Botnet. Flame is a malicious program that was discovered in May 2012 by Kaspersky Lab experts. It is a program that can have several dangerous effects to an infected system. It also has the potential of stealing valuable information. It is known to be the largest cyber weapon discovered to date.

As such, he introduces a technique of identifying a spectrum of potential vulnerabilities and suggests procedures to deal with them. Systems Specification and High Order Language Implementation are categorized as items of high risk to attacks. Security Policy and Machine Language Implementation are classified as items of moderate risk of being vulnerable to attacks. Circuits Electronics and Device Physics are of low and very low risks respectively. He also discusses potential threats such as deceiving operating systems to grant access to file or data to unauthorized users through direct (overt) and indirect (convert) channels. Walker also says that lack of precise definition of trusted operating systems and the higher cost of building them are the significant drawbacks faced by the vendors. Vendors are concerned that if they build trusted operating systems, they might not be accepted by their customers. The only solution suggested by the author was to have someone or a company builds it, shares the technology used, and convinces the general public on the significance of it. Once it becomes accepted, then there will be a widespread use of trusted computer operating systems.

Teneable Nessus has been rated by its users to be the best in preventative defense in addition to being low cost solution with free online training. Though the application suite requires profile configurations to start, it provides the necessary functions to support the requirements of software and system configuration vulnerability assessments and easily scales to accommodate future growth. Plugins are updated regularly and new plugins are added to account for new Common Vulnerabilities and Exposures (CVEs) as they arise. Security Center Continuous View simplifies the administrator’s role by integrating with other tools like Mobile Device Management (MDM) and a head to toe vulnerability detection and mitigation solution for any platform [3].

System/application attacks fall within three categories: denial or destruction, alteration, and disclosure. This paper will cover some common system/application domain vulnerabilities: unauthorized physical and logical access to resources, weaknesses in server operating system and application software, and data loss.

Monitor all network traffic and alert personnel to suspected compromises using network intrusion-detection systems, host-based intrusion detection systems, and intrusion-prevention systems.

Another occurrence of cyberwarfare and its power lies within the Stuxnet worm, unleashed primarily to attack Iranian industrial programmable logic controllers (PLCs) in the nation’s Nuclear facilities. The Stuxnet worm is typically introduced to its target environment via an infected USB flash drive, and upon being loaded onto a computer running the Microsoft Windows operating system the worm would then seek out Siemens Step7 software. This software will then allow for Stuxnet to control Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart. Stuxnet’s complexity is evident in its three prong approach to infection: It unloads a worm that executes all routines related to the main attack, it executes a link file that automatically activates other copies of the worm on the same network, and it activates its rootkit, which allows it to hide its processes and activity on the local computer as well as the entire computer network. Kaspersky Lab, an international software security group operating in almost 200 countries and territories worldwide, concluded that the attack “is a one-of-a-kind, sophisticated malware attack backed by a well-funded, highly skilled attack team” and that the “attack could only be conducted with nation-state support and backing”. In May 2011, the PBS program Need To Know cited a statement by Gary Samore, White House Coordinator for Arms Control and Weapons of Mass Destruction, in which

Ping sweeps and port scans are two techniques that a malicious computer user such as a hacker can utilize to compromise an Enterprise networks security and gain access to their proprietary data. For example, private email messages can be forwarded to a rogue destination email address: Done by installing a virus program into a user’s email client through a discovered active computers open TCP/IP IMAP port (port number 143) that is not being currently used by that user (Clarke, 2008). The virus then could take advantage of security vulnerabilities in that users email client program and forward emails from that users inbox over to another destination email address without them knowing about

A zero day event is defined by Wikipedia as an undisclosed computer application vulnerability that could be exploited to adversely affect the computer programs, data, additional computers, control machinery in this case, or to a network. It is known as a zero-day because once the flaw becomes known, the application’s

Computer viruses are minute program which is “embedded inside an application or within a data file which can copy itself into another program“(Adams et al, 2008 ) for the sole determination of meddling with normal computer operations. The consequences may range from corruption and deletion of data; propagation of virus on to network and deployment through attachments through emails in order to further creating havoc to all associated computing devices.

One attribute of APT refers to the continuous attacks from threat actors to penetrate SPE infrastructure. Although the attack on Sony Corporation in 2011 to its network might not have been related to this incident in 2014, it has been proven “the hackers behind the SPE attack exploited a previously undisclosed or unknown [Zero-Day] vulnerability in its computer systems that gave them unlimited access to the entirety of SPE’s network.” (Bechor,

Using Windows operating system the Stuxnet worm attacks computer systems by using four separate zero-day attacks via Windows. Stuxnet uses vulnerability in the way Windows handles shortcut files to spread to new systems. The worm was designed from the bottom up to attack Supervisory Control and Data Acquisition (SCADA) systems, or those used to manage complex industrial networks, such as systems at power plants and chemical manufacturing facilities (Broad, W., Markoff, J., & Sanger, D., 2011).

In today’s world, we see many systems getting infected with malware and threats that are just feeding off the user’s actions. However, we must focus on preparing ourselves for these malicious threat agents that are hidden and very hard to see in the open. Moreover, we should be ready for the next gigantic attack on our systems which brings me to this article where the creator of it explains that he has developed an open source tool named rapid_env. This analysis tool stands for rapid environment that allows for the template based provisioning of a Windows environment. This tool sees files, registry keys, processes and mutex which can change the way modern threats behave in our systems. Also, in the article you can see the analysis tool in