Confusion reigns as Bundestag malware clean-up staggers on

A malware infestation at the Bundestag is proving harder to clean up than first predicted, with several unconfirmed local reports going as far as suggesting that techies might have to rebuild the entire network from scratch. As previously reported, a state-sponsored attack is suspected for the widespread infection of systems …

  1. This post has been deleted by its author

    1. imanidiot Silver badge

      This is what I was thinking. It's not like something like this would be completely unheard of anyway.

    2. Mayhem

      Presumably they tried bringing up a clean segment of the network in isolation, and upon migrating the necessary data across the segment got reinfected. It sounds like they might be unable to locate the vector that the infection is spreading from.

      Which must be a complete bastard of a thing to deal with, especially since a government lives and breathes on paperwork.

      Flattening and rebuilding the network and applications is straightforward. Doing that while retaining the data is trickier, particularly if you don't know when the infection first arrived, so historical backups are likely to be contaminated.

      1. This post has been deleted by its author

        1. LucreLout

          Nobody does spot checks on checksums for data that shouldn't be changing

          I'm a dev, not an admin, but I'm pretty sure checksums aren't actually infallible. I vaguely recall Mitnick used to fiddle around with these when installing backdoors to circumvent exactly the checks you describe.

          1. This post has been deleted by its author

            1. Anonymous Coward
              Anonymous Coward

              This is a fixed problem: Do several hashes. This is me "emerging" an app on Gentoo:

              * k3b-2.0.3a.tar.xz SHA256 SHA512 WHIRLPOOL size ;-) ...

              The chance of creating a new version of that compressed tar file that does something different to the original and that has three identical hash collisions to the original are vanishingly small.

              On the other hand there is always the possibility that the file does not contain what I think it does ...
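As an added illustration of the multi-digest check described above (this is not the commenter's code or Gentoo's own tooling): a small Python manifest builder that records SHA-256, SHA-512 and size for every file in a tree and reports anything that later differs, so a tampered file would have to collide every digest and keep its size to slip past a spot check. The file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Two independent digests plus size, as in the Gentoo Manifest line quoted above
# (WHIRLPOOL is left out: hashlib does not guarantee it on every platform).
ALGORITHMS = ("sha256", "sha512")


def digests(path, algorithms=ALGORITHMS, chunk=65536):
    """Return {algorithm: hexdigest, 'size': byte count} for one file, streamed."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            for h in hashers.values():
                h.update(block)
    record = {name: h.hexdigest() for name, h in hashers.items()}
    record["size"] = size
    return record


def build_manifest(root):
    """Baseline every regular file under root; take this while the tree is known clean."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = digests(full)
    return manifest


def verify(root, manifest):
    """Spot check: a file is 'modified' if any digest or its size differs,
    so fooling the check means colliding every algorithm at once."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: baseline two files, then alter one and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in (("config.ini", "[lift]\nmode=normal\n"), ("notes.txt", "unchanged\n")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        baseline = build_manifest(root)
        with open(os.path.join(root, "config.ini"), "a") as fh:
            fh.write("mode=tampered\n")
        return verify(root, baseline)
```

In practice the baseline manifest is stored off the host being checked, since a manifest kept beside the files it describes can be rewritten along with them.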

            2. LucreLout

              Yes, a clever malware could make sure that a modified file retains the same SHA-256 checksum, but then how does the malware know which algorithm I used?

              No idea. But then I have no idea how Mitnick worked out which algorithms had been used when he was modifying checksums, but it worked extremely well for him.

          2. Anonymous Coward
            Anonymous Coward

            Unlikely

            "I vaguely recall Mitnick used to fiddle around with these when installing backdoors to circumvent exactly the checks you describe."

            The checksums he would be able to circumvent are not these (md5sum is pretty old and this is with just four bits or a nybble):

            $ echo "1001" | md5sum

            6fa741c46485b9c618f14b79edf50e88 -

            $ echo "0110" | md5sum

            909fd71830d03d89fb1f74ea683829d0 -

            md5sum et al are "one way hashes". Even if you could find another string that will generate the same hash as a given program, it's bloody unlikely that it will do anything at all let alone backdoor a system.

            I suspect he worked around simple parity bits - things were simpler back then: /etc/passwd was plaintext and /etc/shadow hadn't been thought of, ROT13 was a cypher, spam was just a pseudo meat product and the sun always shone in summer etc etc. Still, no mean feat though and proper nerdy.

            1. Nick Stallman

              Re: Unlikely

              They've done it with md5 SSL certificates.

              The trick is you make your back door then add a bunch of random data in a field that isn't parsed like a comment field. Brute force the random data with some tricky mathematics such that back-door + random data matches the original md5.

        2. John G Imrie

          Do you know how much this costs

          And how the bean counters are going to react to all this money being spent on such an unlikely event.

          You'll be outsourced faster than it takes the organisation to pay for adequate backup storage these days.

          1. This post has been deleted by its author

            1. John G Imrie

              Re: Do you know how much this costs

              What money? Keeping old backup tapes instead of recycling them? They have a limited lifespan anyway, so you're talking pennies here.

              I was thinking more about secure off site backups.

              1. tom dial Silver badge

                Re: Do you know how much this costs

                Or might that not be secure off site compromised backups? How would you know they don't contain the attack, all ready for reactivation at first boot?

                The nearest thing to secure probably is a really old system with no peripheral equipment later than IDE, no HDD containing software (not clear how that can be enforced, though) and certainly no FDD or USB capability. Overall, not a particularly satisfactory solution.

        3. Doctor Syntax Silver badge

          "Nobody does spot checks on checksums for data that shouldn't be changing?"

          That doesn't help with data that should be changing. Nor does it help with whatever the original vector was - that won't have changed and will still be a potential danger.

          I'm not saying you're wrong to say flatten & rebuild as that's my view as well. But transferring the data cleanly to a new build isn't going to be easy as it will all need to be vetted.

          And whilst this is happening business needs to continue. A long time ago someone described a particular migration as like transferring passengers from one aircraft to another in mid flight without waking them up. This sounds like another of those.

        4. Voland's right hand Silver badge

          I'm sick and tired of hearing this excuse!

          So am I sick and tired of listening to people shouting know it all rubbish.

          An attack in this class (non-script-k1dd10t) can be:

          1. Undetected for years. The biggest problem is that the entrance date and attack vector are unknown.

          2. Designed to aggressively seek back up systems and compromise them.

          Your first point of call is figuring out a clean cut off line. However without knowing and understanding the APT in full you do not know where to draw that cut-off line. Drawing it at f.e. 5 years back is not really an option. Drawing it at a year back may actually get you back to square one with the infection rampant in the network.

          1. Mike 137 Silver badge

            Re: I'm sick and tired of hearing this excuse!

            And that excuse too. "An attack in this class..." - what class? We don't seem to have any details yet, but as a security professional I'm regularly less than amazed when the latest "sophisticated attack" eventually turns out to have been a total push-over that circumvents deficient or degraded controls. Our biggest problem is that the "defenders" only defend reactively, but the attackers are proactive. If we managed our systems (and our business processes) robustly, a lot of these attacks would bounce off without doing much (or any) harm. But we just skirmish defensively in a guerrilla war in the enemy's territory, so we keep losing.

    3. MacroRodent
      Black Helicopters

      Purging the plaque

      But in this case it might be they do not dare to use anything from the old installation, except possibly the cables! Backups? Could be infected (e.g. if most of the documents are DOC files, as they probably are). Servers? Disks? The worm might be in the firmware.

    4. Voland's right hand Silver badge

      Most parliaments do not

      I am not aware of a parliament (+ its archive, library and several other key digital assets) having a proper recovery plan after a state actor cyber attack. Care to enlighten us about a country which has it?

  2. CAPS LOCK

    Let me guesss...

    ... a Windows network?

    1. Chris Miller

      Re: Let me guesss...

      Must be, because (as any fule kno) only Microsoft systems ever suffer from malware. </sarcasm>

    2. Anonymous Coward
      Anonymous Coward

      Re: Let me guesss...

      I've seen once a Windows network which was badly compromised - from an unpatched Linux FTP server on the perimeter that allowed the attackers in.

      1. John Sanders
        Trollface

        Re: Let me guesss...

        Give more details.

        Was it a .exe on a share via Samba?

        1. Anonymous Coward
          Anonymous Coward

          Re: Let me guesss...

          No. They got the admin users and passwords, which were of course the same used to administer other systems...

          Don't believe only the luser blindly clicking on an exe is the culprit, sometimes the real luser is the sysadmin...

          1. Paul Crawford Silver badge

            Re: Let me guesss...

            "Don't believe only the luser blindly clicking on an exe is the culprit, sometimes the real luser is the sysadmin"

            For most corporate networks they should have all user-writeable space set to no-execute via Windows ACLs. Apart from software developers or sysadmins, who need to execute software that is not already installed in the proper (read-only) system locations?

            1. This post has been deleted by its author

          2. This post has been deleted by its author

            1. Paul Crawford Silver badge

              Re: Let me guesss...

              "Idiot sysadmins...greater risk to security than an unpatched Linux or Windows machine"

              Often the unpatched machines are the result of said idiots.

              Sure you may find machines that can't be patched for various odd reasons (not supported and/or run special software that can't work on newer OS, etc) but for $DIETY's sake you don't have them Internet-facing or in use for email/web browsing...

              1. ulf molin

                Re: Let me guesss...

                "for $DIETY's sake"

                That would be the god of weight reduction, right?

    3. CAPS LOCK

      Oh MS shills...

      So predictable. Why bother, no-one is fooled.

  3. Wolfclaw
    Mushroom

    No Backup Plan - Shoot The Admin

    Any sensible organisation will have a WAR plan to continue to function if they lose their primary data systems, but not the Bundestag !

    1. Anonymous Coward
      Joke

      Re: No Backup Plan - Shoot The Admin

      Sure, just switch on the backup switches, routers, servers, clients...

    2. John Sanders
      Holmes

      Re: No Backup Plan - Shoot The Admin

      Any sensible organization will not have anything sensible where ignorant personnel can cause this level of trouble.

      And they will not be running Windows connected to any form of www.

      Or if they have to run Windows, run it with so many GPOs as to make the system useless.

      Or even better, HIRE BETTER IT GUYS rather than outsourcing.

    3. Anonymous Coward
      Anonymous Coward

      "any sensible organization..."

      This isn't just a large organization, nor just a government organization: that alone would get you a Westminster-grade mess. It's also the Federal govt, so the familiar mess of political and departmental fiefdoms gets to interconnect with the equivalent of the state governments too - imagine the UK once Cornwall, Shropshire, etc have devolved... Naturally the usual practices of weather-cocking policies and back-scratching of big contractors occur too, and as with any govt spending money on defensive measures takes a back seat to crowd-pleasing.

      Frankly the fact that we haven't heard of the UK state systems being ransacked like this suggests (a) they haven't noticed (b) they have but are better at covering up (c) not such a high-priority target (this time)

  4. K
    Coat

    throw away whole IT system and start again

    My hats off to the German BoFH.

    Used this particular trick myself to get some new infrastructure, but they have set the bar very high indeed.

  5. Anonymous Coward
    Anonymous Coward

    I know a company that did it...

    ... just to see its new systems infected again very soon.

  6. Proud Father
    Joke

    Norbert Lammert

    Is that the German version of Norman Lamont?

  7. Anonymous Coward
    Anonymous Coward

    Which version of Windows?

    I wonder if this is an excuse to finally get rid of unsupported machines and software (XP, Server 2003, etc)?

    Of course if it was Jeremy Clarkson writing the sub-heading it would be something like "German BOFH in XP Final Solution" but I'm not that culturally insensitive...

  8. Detective Emil
    Mushroom

    Not my idea of fun

    Kaspersky hints at the "nuke from orbit" procedure needed to get rid of its recent infection by an in-memory Duqu 2.0 APT on page 33 of this exhaustive report. Basically

    1) Identify Internet gateway and install hosts used by infection.

    2) Simulate power outage — cut power to everything simultaneously.

    3) Isolate gateways and install hosts from Internet and internal network.

    4) Bring up gateways and install hosts, disinfect and harden them.

    5) Give gateways and install hosts access to each other and Internet and observe beadily.

    6) When safe, bring everything else back up. Well, before doing that you might want to take steps to harden everything else too, but, without the gateways to act as first-level installers, this particular infection can't reestablish itself. Until the authors start to use a different day-zero to get in.

    Glad I'm not in this particular game.

    1. Mayhem

      Re: Not my idea of fun

      Jesus Christ. From that article:

      The Duqu 2.0 malware platform was designed in a way that survives almost exclusively in memory of the infected systems, without need for persistence. To achieve this, the attackers infect servers with high uptime and then re-infect any machines in the domain that get disinfected by reboots. Surviving exclusively in memory while running kernel level code through exploits is a testimony to the technical prowess of the group. In essence, the attackers were confident enough they can survive within an entire network of compromised computers without relying on any persistence mechanism at all.

      The reason why there is no persistence with Duqu 2.0 is probably because the attackers wanted to stay under the radar as much as possible. Most modern anti-APT technologies can pinpoint anomalies on the disk, such as rare drivers, unsigned programs or maliciously-acting programs. Additionally, a system where the malware survives reboot can be imaged and then analyzed thoroughly at a later time. With Duqu 2.0, forensic analysis of infected systems is extremely difficult – one needs to grab memory snapshots of infected machines and then identify the infection in memory

      Yep, it pretty much can do anything to anything. I expect there are plugins for non-Windows systems which can back infect everything - I can imagine infecting a switch and it will reinfect anything that connects. You literally need to shut down *everything* to get rid of it, and they know your credentials so can get back in and reinfect as soon as one of your machines touches the internet.

      That is one scary piece of malware - the difference between angry script kiddies and State Espionage is profound.

  9. Anonymous Coward
    Anonymous Coward

    Kaspersky Pro - EMP Edition

    With that new Dubuqu 2.0 that can only be eradicated by simulating a power failure and bringing the entire infrastructure down for cold-boot, the new Kaspersky Pro install CD comes with a 450 lb EMP warhead to be installed in your datacenter.

    Upon detecting Dubuqu 2, the EMP countdown will be announced on all customer equipment, giving personnel 15 minutes to evacuate to the EMP safe zone outside the blast radius.

  10. Anonymous Coward
    Anonymous Coward

    Once infected a rebuild from scratch is the only option

    You can scrub malware off an o/s as much as you like - the damage is already done.

  11. Destroy All Monsters Silver badge
    Holmes

    Der Overtake ist jetzt complete!

    Watchdog fears it would be easier to throw away whole IT system and start again

    What we have here is an electronic brownfield generator.

  12. Anonymous Coward
    Anonymous Coward

    I'm a lift engineer on this site from time to time

    I look after the lift control system which has some rather special programming which the site owners say needs to be kept securely on site. So to do that, I plug my lift programming gadget into the lift system (which is on its own isolated LAN for security reasons), I extract (or update) the required data, and having done that, I plug the programming gadget into the office LAN so the IT guys can take a secure backup of the data I just read from the lift system.

    See any problem with that?

    See any way it bypasses the standard "nuke it from orbit and rebuild" process, if the gadget that reads the lift data is running a standard IT OS but isn't subject to standard IT security precautions?

    I'm not a lift engineer actually. Not even a building management system technician, or a representative of the outsourced "printing services" supplier. But I could be.

    I am actually a software and electronics person and in that sector, a variant on this theme is the Windows- based electronic test equipment (oscilloscopes, logic analysers, etc) which was popular for a while till manufacturers moved on to something cheaper and more sensible than Windows in that set of applications. But the same issue applies to things like building management systems, and to networked printer/photocopiers, and probably to other things I haven't thought about yet.

    This non-IT stuff as transmission vector is nothing new, it's been well documented since Stuxnet. Stuff that's not permanently or even routinely connected, stuff that's not necessarily even permanently onsite, but stuff that's a perfectly capable infection vector, yet it appears to be outwith the vision of most IT people.

    Think about it.

    Oh, and have a lot of fun.
