back to article Duqu 2.0: 'Terminator' malware that pwned Kaspersky could have come from Israel

Eugene Kaspersky reckons hacking into his firm's corporate network was a "silly" move by cyberspies, but independent experts are far from convinced. All seem agreed that the rare attack by a state against an leading information security firm is bad news for corporate security more generally, as it shows attacks are getting …

  1. Anonymous Coward
    Anonymous Coward

    Not a game changer, this was never a game

    I find it quaint that Kaspersky appears to be surprised that this happened - Kamluk appears to believe in some unwritten rule keeping companies like his above the fray - how can you possibly believe that organizations like NSA are bound by ANY rules, written or unwritten?

    This is a war, people, get off your asses and take this seriously.

    1. Voland's right hand Silver badge

      Re: Not a game changer, this was never a game

      Nobody in this game is bound to any rules.

      In fact, the normal rules of engagement regarding collateral damage, etc do not apply. After all, after you let a worm loose there is bugger all control exactly where it will get into.

    2. Dan Paul

      Re: Not a game changer, this was never a game (Exactly AC)

      I find it rather naïve that any anti-virus vendor wouldn't think they were already targeted by various hackers.

      If Duqu 2.0 was that hard to find that a company, whose very business is to protect their customers from these viruses; didn't detect it for a long time then it must be very well written. By whom is the real question.

      OR it could have been written with the ASSISTANCE of a virus software manufacturer and all this angst is a smokescreen to make it appear the Israelis are behind it when there are any number of "Bad Actors" that are closer to Kaspersky's operation who could have done it.

      1. Matt Bryant Silver badge
        Big Brother

        Re: Dan Paul Re: Not a game changer, this was never a game (Exactly AC)

        "..... it appear the Israelis are behind it when there are any number of "Bad Actors" that are closer to Kaspersky's operation who could have done it." Or, alternatively, the cost of doing business in Russia is doing favours for the FSB and Putin, which would certainly be of interest to the NSA, GCHQ, BND, etc., etc.,etc. So that gives motive to just about every intel agency outside of Russia, plus some bods in Russia not keen on Putin.

        But it also strange that the Duqu2 worm is being found (or claimed to have been found) so far afield. Indeed, the main backup to the claim the Israelis did it is that it was thought to have infected three hotels used for nuke conferences with the Iranians, yet it seems to have also hit a lot of places that are nothing to do with the Iranians at all. That randomness makes it look like more of the typical cybercrime gang work.

  2. CAPS LOCK Silver badge

    A Windows network and no backup for the entry point system?

    Amateurs. (There's a more detailed account over on Arse T.)

    1. gerdesj Silver badge

      Re: A Windows network and no backup for the entry point system?

      It would seem sensible for an AV n security outfit not to use MS's or Apple's products for general day to day infra for obvious reasons.

      Perhaps a roll out of *BSD n Linux desktops all around and anything Win and i related kept on another subnet. While they are at it, multiple firewalls and a lot of VLANs wouldn't go amiss. Don't simply make the firewalls "outbound? any:any" either. Also, have people wearing tin foil hats fulltime watching logs and stuff.

      Once bitten, don't just change the locks: throw the sodding door away (to mix a metaphor)

  3. JeffyPoooh Silver badge
    Pint

    I find it funny, at Kaspersky's expense...

    It's a LOL moment.

    Look at the bright side; they're hated less than Symantec.

  4. Phuq Witt
    WTF?

    WTF?

    "...CrySySLab's analysis of Duqu 2.0 discloses that it received samples (more specifically two DLL files) of what was later identified as Duqu 2.0 from Kaspersky Lab in May 2015...

    Wait a minute... a firm whose bread & butter is security was running some of their internet facing infrastructure on Windows?

    Wow!... Just Wow!

  5. Terry 6 Silver badge

    What would you expect?

    A good, really good, security breaking product needs to be tested. Just like any other.

    At some point ( particularity if V3 is, as suggested, already sitting in the wings) it has to aim high and try it out on the opposition.

    How else can they know what its weak points are?

    Purely logically - if there is indeed a v3 then finding out when and how v2 was detected is like gold dust.

    V3 will presumably hide itself even better.

    1. Robert Helpmann?? Silver badge
      Childcatcher

      Re: What would you expect?

      So what were the owners of this particular nasty after? Were they simply gathering intel on Kaspesky's products or were they interested in setting up for a future attack? An alternative to this being a state-sponsored attack is industrial espionage. Other companies might want to either steal company secrets or undermine confidence in Kaspersky.

  6. streaky

    Kaspersky Talks Shit About Viruses..

    ... v4.1.

    Somebody found 3 zero-days all at once, must be a state actor.

    A friend of mine who works in infosec has about 40 lined up to report at basically any given time. It's not difficult, it doesn't take state actors (or even teams of people) and it isn't (that) impressive. What it takes is ignorance, naivety or just plain bad luck on the part of the people who wrote the code in the first place.

    Also blaming Israel is fairly convenient. It's either the USA or Israel. It's never Russia or China, even though Russia and China have the largest budgets of any nation state actors for this stuff.

    BTW - I'm not saying it wasn't Israel by any stretch, it's just saying calling states out without any evidence is absurd - it doesn't actually achieve anything either.

    1. Anonymous Coward
      Anonymous Coward

      Re: Kaspersky Talks Shit About Viruses..

      "ignorance, naivety or just plain bad luck on the part of the people who wrote the code in the first place."

      Speaking of 'talking shit':

      howzabout a "top down root and branch" OS code security review that was more of a marketing exercise than a real code review, judging by its apparent effectiveness in eliminating long-standing vulnerabilities.

      1. streaky

        Re: Kaspersky Talks Shit About Viruses..

        Are you talking about Kaspersky or Gemalto now? :)

  7. Pascal Monett Silver badge

    "hacking into his firm's corporate network was a "silly" move "

    Only if you think that demonstrating your level of insecurity to the world is silly.

    Personally, I think it was brilliant. They got in, lounged around for weeks, if not months, and then finally got detected. They're probably analyzing activity logs now to find out why they ended up begin caught, so as to "survive" even longer next time.

    This is pure gold for everyone. For the hackers, who have taken a magnificent opportunity to see their baby operate in what is supposed to be a very secure environment. For Kaspersky, who had the guts to go public on this and now has reams and reams of data to analyze and further lock down their processes and network. For the public, who once more has proof that nobody is "secure". What they'll do with that knowledge is another matter.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020