Kaspersky's February malware scorecard

Kaspersky: keeping score of malware trends each month

At the beginning of December 2011 the Duqu developers wiped their C&C servers. So far this year Kaspersky has seen no new Duqu incidents, allowing its researchers to spend more time analyzing the malware. This time they looked at the target organizations and the type of data sought, and concluded that Duqu is specifically targeted at Iran, “seeking information about production management systems in different industrial sectors in Iran, as well as information about the trade relations of several Iranian organizations.”

Given that Duqu’s code uses both a standardized platform (dubbed ‘Tilded’) and a separate unknown programming language, Kaspersky believes that this current lull in activity will be short-lived. “One can assume,” it writes, “that the developers of Tilded will most likely continue their work and we will have to deal with their program in the future (possibly very soon).”

Kaspersky also discusses the two vulnerabilities found in Google’s Android Wallet during February. The first, discovered by Joshua Rubin, requires root access to the phone. The second is simpler: deleting all the app properties via the app menu simply causes Google Wallet to prompt for a new PIN when next launched.

In early February Kaspersky saw fake Google Analytics embedded into compromised web pages. The fake code looks very much like standard Google Analytics, but uses a false ID code and directs visitors not to google-analytics.com but to google--analytics.com (now harmless). Visitors sent to the latter would be served the Blackhole exploit kit.
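The injection described above leaves two signals a site owner can check for: a script source whose host merely resembles google-analytics.com, and a tracking ID that is not the site’s own. The following is an added illustration, not Kaspersky’s code or anything from the report; the HTML it scans is constructed, the UA- IDs in it are made up, and it generalizes the double-hyphen case to any host within a small edit distance of the legitimate one.

```python
"""Defensive scan of a web page for the injected fake-Analytics pattern the
report describes: a <script> whose src points at a look-alike of
google-analytics.com, and a _setAccount tracking ID that is not the site's
own. Added illustration; not Kaspersky's code. The HTML below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_GA_HOST = "google-analytics.com"
GA_ID_RE = re.compile(r"UA-\d+-\d+")


class ScriptCollector(HTMLParser):
    """Collects every <script src=...> URL and the text of every inline script."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def host_of(src):
    """Hostname of a script URL; GA snippets often use protocol-relative //host/path."""
    if src.startswith("//"):
        src = "http:" + src
    return (urlparse(src).hostname or "").lower()


def normalize(host):
    """Strip a leading www. and collapse runs of separators, so that
    google--analytics.com and google-analytics.com compare equal."""
    if host.startswith("www."):
        host = host[4:]
    return re.sub(r"[-_.]+", "-", host)


def edit_distance(a, b):
    """Plain Levenshtein distance (inputs are short hostnames)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, max_distance=2):
    """True for hosts that resemble the real GA host without being it or a subdomain of it."""
    if host == LEGIT_GA_HOST or host.endswith("." + LEGIT_GA_HOST):
        return False
    return edit_distance(normalize(host), normalize(LEGIT_GA_HOST)) <= max_distance


def scan(html, known_ids):
    """Return look-alike script hosts and tracking IDs not in the site's allowlist."""
    parser = ScriptCollector()
    parser.feed(html)
    lookalikes = sorted({host_of(s) for s in parser.srcs if is_lookalike(host_of(s))})
    ids = set()
    for body in parser.inline:
        ids.update(GA_ID_RE.findall(body))
    unknown = sorted(ids - set(known_ids))
    return {"lookalike_hosts": lookalikes, "unknown_ids": unknown}


# Constructed page: the site's real snippet followed by an injected fake one.
SAMPLE_HTML = """
<html><head>
<script src="//www.google-analytics.com/ga.js"></script>
<script>
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-00000-1']);
</script>
<script src="http://google--analytics.com/ga.js"></script>
<script>
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-99999-9']);
</script>
<script src="https://cdn.example.org/site.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    # Expected: {'lookalike_hosts': ['google--analytics.com'], 'unknown_ids': ['UA-99999-9']}
    print(scan(SAMPLE_HTML, known_ids={"UA-00000-1"}))
```

The host check deliberately treats subdomains of the real host (www., ssl.) as legitimate and only flags hosts that are close to it after collapsing separators, so a plain typosquat or a doubled hyphen is caught while unrelated third-party scripts are not. The ID allowlist is the second, independent signal: a page that loads the real ga.js but pushes someone else’s tracking ID is still worth a look.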

Kaspersky also notes the evolution of mobile botnets, and concludes “that the gap is narrowing between the number of mobile and ‘conventional’ botnets.” It discusses the Chinese RootSmart botnet, which has already infected hundreds of thousands of smartphones. While PC botnets tend to be used to deliver spam and DDoS attacks, mobile botnets (including RootSmart) are directed to use fee-based messaging. The bot-masters are able to control the frequency and length of the text messages to avoid detection, and, says Kaspersky, “Unlike SMS Trojans, this approach allows cybercriminals to generate a stable, substantial cash flow over a long period of time.”

The report finally discusses the extent of hacktivist attacks during February. Political attacks by Anonymous were aimed at CIS, Sur-Tec, the FTC and the US Department of Justice, Universal Music and the RIAA and MPAA – and a revenge attack for Anonymous arrests against Interpol. A separate group within Anonymous (LONGwave99) launched attacks against US financial institutions such as NASDAQ, BATS and the Miami Stock Exchange.

But Kaspersky also notes the sophisticated use of botnets for political purposes in Russia ahead of the Russian presidential election. “The websites of media outlets, opposition groups, and government agencies were all subjected to politically motivated attacks.” In an apparently new development, the botnets used were commercial botnets where “their owners are merely ‘hired help’ – willing to launch an attack against anyone for the right price.” This may become an increasingly important part of well-funded political campaigning in the future.
