

3 March 2011. Add Avast AV check of the file.

1 March 2011. Add list of high-risk files found by Norton AV in the HBG-Stuxnet-Raw file.

28 February 2011

Add two messages and Cryptome note of appreciation for HBGary emails as a source of valuable technical information.


HBGary Suspected Trickery

The AV warning below appeared six days after the HBGary Stuxnet Raw Data file was offered and has been added to the Zipped file.

http://cryptome.org/0003/hbg/HBG-Stuxnet-Raw.zip (7.5MB)

Twelve Norton AV quick scans during the period failed to spot the intruder; a full scan on 28 February 2011 found it inside an HBGary Zipped file which was inside a Cryptome Zipped file. None of the other 33 HBGary files posted to Cryptome have been reported by Norton AV as a risk -- so far. Some intruders are designed to remain out of sight until a particular time or circumstance, or never to be revealed, quietly doing their job like Stuxnet and its kin in malware, copyright policing, cyberspying and cyberwar, all areas in which HBGary and its kin specialize in trickery.

While the warning may be due to the illicit characteristics of Stuxnet, there has been speculation that HBGary salted its files with hidden bait and markers for tracking thieves and invaders. The "Stuxnet" in this file may be bait for a trap or a phony virus-warning generator to scare off transgressors. HBGary researched, designed and deployed bait to test security risks as well as covertly installed security breachers using common deception techniques such as giving files popular names. HBGary emails describe measures taken when examining illicit programs on isolated machines with tools designed to avoid contamination, knowing that invaders themselves often set bait for outsmarting and entrapping researchers.

Still unanswered is what countermeasures the targets of Stuxnet have designed to turn the program to counterattack, such as unleashing a modified Stuxnet version with hidden features. This appears to be one of the purposes of HBGary's research into the program for McAfee and others. HBGary lying low at the moment may be attributed to its harvesting the results of the all-too-easy email hack -- or, if it did not facilitate the hack by lowering the security bar for Anonymous social engineering, to its taking advantage of the credulity and unwariness of its email consumers toward well-known security deceptions, such as social engineering and facilitated hacks for covert release of bait, tracers and markers.

Bear in mind that there has been speculation that files submitted to Wikileaks, TOR and others have been used for this purpose. Heeding security wizards such as HBGary, Cryptome regularly warns of its being used for this common ruse. The best security wizards never tell the whole truth, stating there is no such thing, there is only trickery -- that is no doubt adept social engineering of marketing. Good buddy of HBGary, Palantir, is reported today as intending to replace Google as the premier Internet spying trickster.



A sends:

When I read your post above, I went to run a quick scan on the zip file only to find that the AV program could not be started. The error message went something like 'try re-installing'. I then noticed there was no AVG icon bottom right. I immediately checked the Windows CP security centre which reported the AV program installed and running OK - but it wasn't.

I ran the repair utility on the AV prog and restarted. All then appeared - and appears OK. Running a scan on the HBG-Stuxnet-Raw.zip file then produced 26 infections in the file - per attached screenshot.

I've moved the file to a virgin thumb drive. A full scan on the original machine says it's clean but I get more paranoid by the month these days.


A2 sends:

Please, tell me you didn't see that coming. Welcome to asymmetrical warfare: and you just thought you were in the middle. I was really scratching my head when I saw the file. Now you really have something to write about. 


Appreciating HBGary Emails

Cryptome: After reading several hundred HBGary emails and attachments, many of them not in the news due to the excessive coverage of Aaron Barr and HBGary Federal, the material offers impressive information about the dark side of the cyberworld and the technological battles going on worldwide. The emails of Greg Hoglund and his correspondents are chock full of useful information about contending with ever-growing malware and designing defenses against it. Research, details, tests, failures and successes are bountiful. Emails about trying to market products based on years of diligent work to customers less technically capable are highly instructive. The foolishness of Barr and cohorts should not be a reason to avoid learning from and appreciating the skills of the parent firm disclosed in its emails.


High-risk files found by Cryptome's Norton AV in the HBG-Stuxnet-Raw file:


A3 sends:

3 March 2011

Just got around to having a look and my anti-virus, Avast, flagged the binaries in the Stuxnet directory of the zip file. I'm not privy to Avast's naming but I took a cursory look at it and the alarms identified it as Stuxnet, parts or variants C and B, specifically a dropper, rootkit stuff and infected binaries that replace or circumvent parts of the kernel and Windows firewall, which are generically named as common malware, I think.