Stefan Tanase
Senior Security Researcher
Global Research & Analysis Team
PAGE 2 |
Malware evolution
Let’s take a look at it!
MALWARE IS HUGE
1994
One new virus every hour
MALWARE IS HUGE
2006
One new virus every minute
MALWARE IS HUGE
2012
One new virus every second
Or 100,000 samples/day
What about 2014?
What about 2012?
Kaspersky Lab
is currently processing
300,000+ unique malware samples
EVERY DAY
Cyber warfare
Espionage and sabotage have now moved online
Cybercriminals are driven by money.
Nation states are driven by something else: espionage, sabotage, cyberwar.
2009 – Operation Aurora
Attacked: Google, Adobe, Juniper, Yahoo,
Morgan Stanley, Dow Chemical, etc…
What we are used to protecting
What we have to protect nowadays
Stuxnet - 2010
First known cyber-weapon
• Created: 2003-2005 (?)
• Discovered: Jun 2010
• Target: Natanz FEP, Iran
• Affected: Siemens PLCs
• Victims: 150k+
• Author: unknown (nation state(s)?)
• Investment: $10-$100 mil
The cyber-weapon concept
2011 – Duqu
Sophisticated. Stealthy. Elusive.
Nation state sponsored cyber-espionage.
| 20 October 2014
The Wiper attack
The attacks peaked in April 2012
2012 – Flame
Flame modules
• Beetlejuice – Bluetooth: enumerates devices around the infected machine. May turn itself into a “beacon”: announces the computer as a discoverable device and encodes the status of the malware in device information using base64.
• Microbe – Records audio from existing hardware sources. Lists all multimedia devices, stores complete device configuration, tries to select a suitable recording device.
• Infectmedia – Selects one of the methods for infecting media, i.e. USB disks. Available methods: Autorun_infector, Euphoria.
• Autorun_infector – Creates an “autorun.inf” that contains the malware and starts it with a custom “open” command. The same method was used by Stuxnet before it employed the LNK exploit.
• Euphoria – Creates a “junction point” directory with “desktop.ini” and “target.lnk” from the LINK1 and LINK2 entries of resource 146 (not present in the resource file). The directory acts as a shortcut for launching Flame.
• Limbo – Creates backdoor accounts with the login “HelpAssistant” on the machines within the network domain if appropriate rights are available.
• Frog – Infects machines using pre-defined user accounts. The only user account specified in the configuration resource is “HelpAssistant”, which is created by the “Limbo” attack.
• Munch – HTTP server that responds to “/view.php” and “/wpad.dat” requests.
• Snack – Listens on network interfaces, receives and saves NBNS packets in a log file. Has an option to start only when “Munch” is started.
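The Autorun_infector entry above describes a removable-media dropper whose autorun.inf both launches the malware through a custom “open” command and carries the malware body appended to the same file. The triage routine below is an added example for this deck, not Flame’s or Kaspersky Lab’s code: it separates the printable INI part of an autorun.inf from any appended payload, pulls out the action keys Windows may execute, and flags the combination of a script/DLL-host launcher and an embedded PE image. Both sample files are constructed, with a short fake “MZ” blob standing in for the payload.

```python
"""Triage an autorun.inf of the kind Flame's Autorun_infector (and early Stuxnet,
before the LNK exploit) dropped on USB media: an [autorun] section whose custom
"open" command launches the malware, with the malware body appended to the file.
Added example, not Flame's code. Sample files below are constructed."""
from __future__ import annotations
import re

# Keys whose value Windows may run on media insertion / double-click.
ACTION_KEYS = ("open", "shellexecute")
# Launchers that should not appear in an autorun action on a vendor disk.
LAUNCHER_RE = re.compile(r"(rundll32|regsvr32|cmd\.exe|wscript|cscript|\.dll\b)", re.I)

def is_ini_line(line: bytes) -> bool:
    """A printable-ASCII section header, key=value, comment or blank line."""
    if any(b > 0x7E or (b < 0x20 and b != 0x09) for b in line):
        return False
    s = line.strip()
    return s == b"" or s.startswith(b";") or (s.startswith(b"[") and s.endswith(b"]")) or b"=" in s

def split_ini_and_payload(data: bytes) -> tuple[list[bytes], bytes]:
    """Return (INI lines, trailing bytes). Parsing stops at the first line that is
    not a printable INI line; everything from there on is an appended payload."""
    offset, lines = 0, []
    for raw in data.splitlines(keepends=True):
        line = raw.rstrip(b"\r\n")
        if not is_ini_line(line):
            break
        lines.append(line)
        offset += len(raw)
    return lines, data[offset:]

def parse_autorun(data: bytes) -> dict:
    """Parse the [autorun] section and report launch actions plus embedded payload."""
    lines, payload = split_ini_and_payload(data)
    entries: dict[str, str] = {}
    section = None
    for line in lines:
        s = line.strip().decode("ascii")
        if not s or s.startswith(";"):
            continue
        if s.startswith("["):
            section = s[1:-1].lower()
            continue
        key, _, value = s.partition("=")
        if section == "autorun":
            entries[key.strip().lower()] = value.strip()
    # shell\<verb>\command keys are also executed, so treat them as actions too.
    actions = {k: v for k, v in entries.items() if k in ACTION_KEYS or k.startswith("shell\\")}
    findings = [f"{k}= invokes a script/DLL host: {v}" for k, v in actions.items() if LAUNCHER_RE.search(v)]
    embedded_pe = payload.startswith(b"MZ")
    if embedded_pe:
        findings.append(f"{len(payload)} trailing bytes begin with an MZ header (embedded PE)")
    elif payload:
        findings.append(f"{len(payload)} non-INI trailing bytes after the [autorun] section")
    return {"entries": entries, "actions": actions, "payload_size": len(payload),
            "embedded_pe": embedded_pe, "findings": findings,
            "suspicious": bool(actions) and bool(findings)}

# Constructed samples: a vendor-style disk and a Flame-style infector.
BENIGN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Tools\r\nopen=setup.exe\r\n"
MALICIOUS = (b"[autorun]\r\nopen=rundll32.exe .\\~Update.tmp,Start\r\n"
             b"action=Open folder to view files\r\n"
             b"shell\\open\\command=rundll32.exe .\\~Update.tmp,Start\r\n"
             b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        r = parse_autorun(blob)
        print(label, "suspicious" if r["suspicious"] else "clean", r["findings"])
```

The parser deliberately does not use `configparser`, which would raise on the binary tail; the point is to keep the tail and treat it as evidence.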
Flame re-cap
• Highly modular cyber-espionage toolkit
• Complex, big
• Man-in-the-Middle attack against Windows Update
• Many different modules
• The name “Flame”
• Discovered independently by Kaspersky Lab and CrySyS Lab in May 2012
Flame represents the high-end of nation state sponsored cyber-espionage
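The Munch and Snack modules listed earlier and the man-in-the-middle against Windows Update in the re-cap fit together: a Windows client that has no proxy configured broadcasts an NBNS query for the name “WPAD” and then fetches http://wpad/wpad.dat from whoever answers, so logging NBNS (Snack) and serving /wpad.dat (Munch) is exactly what puts an attacker in the path of that client’s HTTP traffic. The decoder below is an added example for this deck, not Flame’s or Kaspersky Lab’s code: it parses raw NBNS name queries, reverses the NetBIOS “half-ASCII” name encoding, and flags WPAD lookups, which is the network-side signal a defender would want to alert on. All packets are constructed in the block.

```python
"""NBNS (NetBIOS Name Service, UDP/137) query decoder with a WPAD-lookup detector.
Added example, not Flame code. Packets are constructed with build_nbns_query()."""
from __future__ import annotations
import struct

def encode_nbns_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name: pad to 15 bytes, append the suffix
    byte, then emit each nibble as 'A' + nibble (32 ASCII bytes)."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)

def decode_nbns_name(encoded: bytes) -> tuple[str, int]:
    """Reverse of encode_nbns_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - ord("A"), encoded[i + 1] - ord("A")
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid half-ASCII nibble")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_nbns_query(name: str, txid: int, suffix: int = 0x00) -> bytes:
    """Standard NB (type 0x20) name query: flags 0x0110 = query, recursion
    desired, broadcast; one question, no answers."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = bytes([32]) + encode_nbns_name(name, suffix) + b"\x00"
    question += struct.pack(">HH", 0x0020, 0x0001)  # QTYPE NB, QCLASS IN
    return header + question

def parse_nbns_query(pkt: bytes) -> dict:
    """Parse the 12-byte header and the first question of an NBNS packet."""
    if len(pkt) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("packet too short for an NBNS question")
    txid, flags, qdcount, _ancount, _nscount, _arcount = struct.unpack(">HHHHHH", pkt[:12])
    if pkt[12] != 32:
        raise ValueError("unexpected label length")
    name, suffix = decode_nbns_name(pkt[13:45])
    if pkt[45] != 0:
        raise ValueError("name not terminated")
    qtype, _qclass = struct.unpack(">HH", pkt[46:50])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "qdcount": qdcount,
            "name": name, "suffix": suffix, "qtype": qtype}

def find_wpad_queries(payloads: list[bytes]) -> list[dict]:
    """Return parsed name queries (opcode 0, not a response) asking for WPAD."""
    hits = []
    for p in payloads:
        try:
            q = parse_nbns_query(p)
        except ValueError:
            continue  # not an NBNS question; skip it
        if not q["is_response"] and q["opcode"] == 0 and q["name"] == "WPAD":
            hits.append(q)
    return hits

if __name__ == "__main__":
    capture = [build_nbns_query("WPAD", 0x1234), build_nbns_query("FILESRV01", 2, 0x20)]
    for q in find_wpad_queries(capture):
        print(f"WPAD lookup, txid=0x{q['txid']:04x} suffix=0x{q['suffix']:02x}")
```

A client that already has a WPAD entry in DNS never falls back to NBNS, so populating that record (or disabling proxy auto-detection by policy) removes the opening the Munch/Snack pair relied on.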
Where was Flame?
2012 – Gauss
Gauss geographical distribution
Purpose (payload): Unknown.
Lebanon: 1660
Israel: 483
Palestine: 261
[Diagram: loader and communication module]
Targets of Gauss
SDFG relationship (Stuxnet, Duqu, Flame, Gauss)
2013 – Red October
File names used in attack
Source: KL customer in an EU country, October 2012
• Katyn_-_opinia_Rosjan.xls
• WORK PLAN (APRIL-JUNE 2011).xls
• EEAS-Staff New contact list (05-25-2011).xls
• tactlist_05-05-2011_.8634.xls
• EEAS New contact list (05-05-2011).xls
• Agenda Telefoane institutii si ministere 2011.xls
• FIEO contacts update.xls
• spisok sotrudnikov.xls
• List of shahids.xls
• Spravochnik.xls
• EEAS New contact list (05-05-2011) (2).xls
Red October’s modules: 34 types, 9 groups, 1000+ files (maybe not all…)
USB Stealer – Acid Cryptofiller
sa=/pubring.*/
sa=/secring.*/
sa=/\.acidcsa$/
sa=/\.acidsca$/
sa=/\.aciddsk$/
sa=/\.acidpvr$/
sa=/\.acidppr$/
sa=/\.acidssa$/
sa=/\\ACIDInstallv.*\.exe$/
sa=/\\ACIDdirInstallv.*\.exe$/
sa=/\\Acid Technologies\\/
The other crypto software
sa=/\.xia$/
sa=/\.xiu$/
sa=/\.xis$/
sa=/\.xio$/
sa=/\.xig$/
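The `sa=/…/` lines above are file selectors: each one is a regular expression the USB stealer ran over the paths on an inserted drive, so PGP keyrings (pubring/secring) and the Acid Cryptofiller key, disk and installer files were copied off without the payload itself ever containing a list of file names. The block below is an added example for this deck, not the malware’s or Kaspersky Lab’s code: it parses the selector lines exactly as quoted, compiles them, and runs them over a constructed USB file listing so it is visible which files would be taken. Case-insensitive matching is an assumption made here because Windows paths are case-insensitive; the slides do not say how the original compared.

```python
"""Reconstruct Red October's USB-stealer file selection from its `sa=/regex/`
configuration entries and run it over constructed file paths.
Added example, not the malware's code. The selector lines are the ones quoted
in the deck; the drive listing is invented for the demo."""
from __future__ import annotations
import re

# Selector lines as quoted in the deck (Acid Cryptofiller, then the other crypto software).
SELECTOR_LINES = r"""
sa=/pubring.*/
sa=/secring.*/
sa=/\.acidcsa$/
sa=/\.acidsca$/
sa=/\.aciddsk$/
sa=/\.acidpvr$/
sa=/\.acidppr$/
sa=/\.acidssa$/
sa=/\\ACIDInstallv.*\.exe$/
sa=/\\ACIDdirInstallv.*\.exe$/
sa=/\\Acid Technologies\\/
sa=/\.xia$/
sa=/\.xiu$/
sa=/\.xis$/
sa=/\.xio$/
sa=/\.xig$/
"""

SELECTOR_LINE = re.compile(r"^sa=/(.*)/$")

def load_selectors(text: str) -> list[tuple[str, re.Pattern[str]]]:
    """Parse `sa=/.../` lines into (source, compiled regex) pairs; other lines are ignored.
    IGNORECASE is an assumption (Windows paths are case-insensitive)."""
    selectors = []
    for line in text.splitlines():
        m = SELECTOR_LINE.match(line.strip())
        if m:
            body = m.group(1)
            selectors.append((body, re.compile(body, re.IGNORECASE)))
    return selectors

# Constructed listing of a USB stick (not from the deck).
SAMPLE_PATHS = [
    r"E:\Documents\pubring.gpg",
    r"E:\Documents\secring.gpg",
    r"E:\Documents\notes.txt",
    r"E:\keys\message.acidcsa",
    r"E:\keys\disk.ACIDDSK",
    r"E:\Acid Technologies\settings.ini",
    r"E:\setup\ACIDInstallv3.exe",
    r"E:\setup\ACIDInstallv3.exe.bak",
    r"E:\reports\budget.xia",
    r"E:\photos\holiday.jpg",
]

def select_files(paths: list[str], selectors: list[tuple[str, re.Pattern[str]]]) -> dict[str, str]:
    """Map each path to the first selector that matches it. re.search is used because
    the patterns are unanchored at the front and several end with `$`; paths that
    match nothing are left out (they would not be exfiltrated)."""
    picked: dict[str, str] = {}
    for path in paths:
        for source, rx in selectors:
            if rx.search(path):
                picked[path] = source
                break
    return picked

if __name__ == "__main__":
    for path, why in select_files(SAMPLE_PATHS, load_selectors(SELECTOR_LINES)).items():
        print(f"{path:40s} <- {why}")
```

Note the two selectors that key on a backslash (`\\ACIDInstallv…`, `\\Acid Technologies\\`): they match a path component, not a bare file name, so `ACIDInstallv3.exe.bak` escapes the `\.exe$` anchor while the same name with a `.exe` ending is taken.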
Red October “Zakladka” module
2013 – NetTraveler
NetTraveler summary
• Created: 2004 (?)
• Announced: Jun 2013
• Targets: Wide
• Affected: Windows PCs
• Victims: 500-1000
• Author: unknown
• Crew size: 50 persons
• Investment: less than ~$500k
Interests of the NetTraveler group
• Nanotechnology
• Lasers
• Nuclear power cells
• Aerospace
• Drilling
• Manufacturing in extreme conditions
• Radio wave weapons
Icefog
• The emergence of small groups of cyber-mercenaries available for hire to perform surgical “hit-and-run” operations.
• Main targets located in: South Korea, Japan
• Targeted sectors: military, shipbuilding and maritime, research, telecom, satellite, mass media and television.
Icefog - summary
• Created: 2010 (?)
• Announced: Sep 2013
• Target: Supply chain
• Affected: Windows PCs, Macs
• Victims: ~100
• Crew size: 5-10
• Investment: less than ~$10k
Targets of Icefog
The Mask - summary
• One of the most advanced threats at the moment
• Since 2007
• 380 victims in 31 countries
• Linux, OS X, Windows
• Multiple interests
• Gov, Energy, Activists, Financial
• Nation state backed
The trend: growing number of high-end cyber-espionage operations
2010: Stuxnet
2011: Duqu
2012: Flame, Gauss, miniFlame
2013: MiniDuke, RedOctober, Icefog, NetTraveler, Winnti
APT trends
Global cyber-arms race
• Cost of entry decreasing
• More APT groups
• Emergence of cyber-mercenaries
• Supply chain attacks
• Larger operations & surgical strikes
• Critical infrastructure attacks
• “Wipers”, cyber-sabotage
• Nobody is safe
The 3 dangers of cyberwar
1. Ideas and techniques from cyberweapons can be re-purposed and copied.
2. Companies become collateral victims in the cyberwar between superpowers.
3. Cybercriminals start using weaponized exploits developed by or for governments.
Collateral damage
• Saudi Aramco: 30,000 machines wiped by Shamoon
• South Korea attacks: banks’ and TV networks’ HDDs wiped
• Primary example: Stuxnet incidents: 150k (KL stats)
Our critical infrastructure is fragile
Cyberweapons are tampered with and used against innocent victims
Commercialization of exploits
What is CVE-2011-3402?
Answer: the ‘Duqu’ exploit: the Windows TrueType font parsing vulnerability in win32k.sys (patched by MS11-087) that Duqu’s dropper used, later picked up by criminal exploit kits.
13 Dec
14 Dec
IT staff’s biggest nightmares
They all have something in common: exploits.
The truth? Threats are everywhere.
Against military-grade weapons, you want the best available defense strategy.
Patch.
Defense?
Whitelist. Default Deny. Exploit prevention. 0-day defense.
Realtime monitoring. Cloud technologies.
Perimeter. Education. Raise awareness.
Local and International cooperation.
CONCLUSIONS AND PREDICTIONS
Malware will continue to grow exponentially YoY
As long as there’s a way to make money out of it, cybercriminals will always create malware
Malware now moving towards emerging platforms
Google’s Android and Apple’s OS X have never been more targeted by attackers
Cyber-espionage and cyber-sabotage, a common thing
Nation states are currently building defensive (and offensive!) cyber capabilities
Thank you!
Questions?
Stefan Tanase, Senior Security Researcher, Kaspersky Lab
Riga, Latvia – 16 October 2014