Stefan Tanase, Senior Security Researcher, Kaspersky Lab – Riga, Latvia – 16 October 2014 (page dated 2017. 3. 22.)

  • Stefan Tanase

    Senior Security Researcher

    Global Research & Analysis Team

  • PAGE 2 |

Malware evolution

    Let’s take a look at it!

  • PAGE 3 |

    MALWARE IS HUGE

    1994

    One new virus every hour

  • PAGE 4 |

    MALWARE IS HUGE

    2006

    One new virus every minute

  • PAGE 5 |

    MALWARE IS HUGE

    2012

    One new virus every second

    Or 100.000 samples/day

  • PAGE 6 |

    What about

    2014

    ?

  • PAGE 7 |

    What about

    2012

    ?

    Kaspersky Lab

    is currently processing

    300.000+unique malware samples

    EVERY DAY

  • PAGE 8 |

Cyber warfare

    Espionage and sabotage have now moved online

Cybercriminals: Money

    Nation states are driven by something else.

    Espionage. Sabotage. Cyberwar.

  • 2009 – The Aurora Operation

    Attacked: Google, Adobe, Juniper, Yahoo,

    Morgan Stanley, Dow Chemical, etc…

What we are used to protecting

  • What we have to protect nowadays

    Stuxnet - First known Cyber-weapon

• Created: 2003-2005 (?)

    • Discovered: Jun 2010

    • Target: Natanz FEP, Iran

    • Affected: Siemens PLCs

    • Victims: +150k

    • Author: unknown (nation state(s)?)

    • Investment: $10-$100 mil

    First known cyberweapon

    Stuxnet - 2010

  • The cyber-weapon concept

  • 2011 – Duqu

    Sophisticated. Stealthy. Elusive.

    Nation state sponsored cyber-espionage.

20 October 2014

    The attacks peaked in April 2012

    The Wiper attack

  • 2012 – Flame

Beetlejuice: Bluetooth. Enumerates devices around the infected machine. May turn itself into a “beacon”: announces the computer as a discoverable device and encodes the status of the malware in device information using base64.

    Microbe: Records audio from existing hardware sources. Lists all multimedia devices, stores the complete device configuration, tries to select a suitable recording device.

    Infectmedia: Selects one of the methods for infecting media, i.e. USB disks. Available methods: Autorun_infector, Euphoria.

    Autorun_infector: Creates an “autorun.inf” that contains the malware and starts it with a custom “open” command. The same method was used by Stuxnet before it employed the LNK exploit.

    Euphoria: Creates a “junction point” directory with “desktop.ini” and “target.lnk” from the LINK1 and LINK2 entries of resource 146 (not present in the resource file). The directory acts as a shortcut for launching Flame.

    Limbo: Creates backdoor accounts with the login “HelpAssistant” on the machines within the network domain if appropriate rights are available.

    Frog: Infects machines using pre-defined user accounts. The only user account specified in the configuration resource is “HelpAssistant”, which is created by the “Limbo” attack.

    Munch: HTTP server that responds to “/view.php” and “/wpad.dat” requests.

    Snack: Listens on network interfaces, receives and saves NBNS packets in a log file. Has an option to start only when “Munch” is started.

    Flame modules
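The Autorun_infector description above (an autorun.inf whose custom “open” command launches the malware) is the kind of artefact a removable-media check can flag. The following is an added example, not code from the deck or from Kaspersky Lab: it parses the [autorun] section of an autorun.inf and reports every entry that would trigger execution (open, shellexecute, shell\…\command), distinguishing entries that point at an executable from other commands. Both sample files are constructed for the example; the key names and extension list are the standard Windows autorun keys, not taken from the slides.

```python
import re

# Constructed sample autorun.inf contents (not from the deck). The first is
# benign (icon and label only); the second launches an executable through a
# custom "open" command, the behaviour the slides describe for Autorun_infector.
BENIGN_AUTORUN = """[autorun]
icon=setup.ico
label=Vendor Tools
"""

SUSPICIOUS_AUTORUN = """[AutoRun]
open=RECYCLER\\desktop.exe
shell\\open\\Command=RECYCLER\\desktop.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Keys in an [autorun] section that cause code to run when the medium is
# inserted or opened; icon/label/action are cosmetic and not reported.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... adds a context-menu verb that runs a command.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)
# Extensions treated as directly executable content for the report.
EXECUTABLE_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|dll)\b", re.IGNORECASE)


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased.

    Sections are matched case-insensitively; comment lines (';') and lines
    outside [autorun] are ignored.
    """
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text):
    """List (key, value, kind) for every execution-triggering autorun entry.

    kind is "executable" when the value names a file with an executable
    extension, otherwise "command".
    """
    findings = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS or SHELL_COMMAND_RE.match(key):
            kind = "executable" if EXECUTABLE_RE.search(value) else "command"
            findings.append((key, value, kind))
    return findings


if __name__ == "__main__":
    for name, content in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        hits = autorun_findings(content)
        print(f"{name}: {len(hits)} execution entries")
        for key, value, kind in hits:
            print(f"  {key} = {value}  [{kind}]")
```

The check is deliberately conservative: it reports what the file would execute rather than trying to decide whether the target is malicious, since that judgement belongs to whatever scans the referenced file.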

  • • Highly modular cyber-espionage toolkit

    • Complex, big

• Man-in-the-Middle attack against Windows Update

    • Many different modules

    • The name “Flame” ->

• Discovered independently by Kaspersky Lab and CrySyS Lab in May 2012

    Flame represents the high-end of nation state sponsored cyberespionage

    Flame re-cap

  • Where was Flame?

  • 2012 – Gauss

    Purpose (payload): Unknown.

  • Lebanon

    1660

    Israel

    483

    Palestine

    261

    Gauss geographical distribution

[Diagram: “Loader and communication module” and its target components; only the repeated module label is recoverable]

    Targets of Gauss

  • SDFG Relationship

  • 2013 – Red October

  • Source: KL customer in an EU country

    October 2012

  • • Katyn_-_opinia_Rosjan.xls

    • WORK PLAN (APRIL-JUNE 2011).xls

    • EEAS-Staff New contact list (05-25-2011).xls

    • tactlist_05-05-2011_.8634.xls

    • EEAS New contact list (05-05-2011).xls

    • Agenda Telefoane institutii si ministere 2011.xls

    • FIEO contacts update.xls

    • spisok sotrudnikov.xls

    • List of shahids.xls

    • Spravochnik.xls

    • EEAS New contact list (05-05-2011) (2).xls

    File names used in attack

Red October’s modules:

    34 types

    9 groups

    1000+ files

    maybe not all…

  • sa=/pubring.*/

    sa=/secring.*/

    sa=/\.acidcsa$/

    sa=/\.acidsca$/

    sa=/\.aciddsk$/

    sa=/\.acidpvr$/

    sa=/\.acidppr$/

    sa=/\.acidssa$/

    sa=/\\ACIDInstallv.*\.exe$/

    sa=/\\ACIDdirInstallv.*\.exe$/

    sa=/\\Acid Technologies\\/

    USB Stealer – Acid Cryptofiller

  • sa=/\.xia$/

    sa=/\.xiu$/

    sa=/\.xis$/

    sa=/\.xio$/

    sa=/\.xig$/

    The other crypto software
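The two slides above list, in the deck’s own “sa=/regex/” notation, the file-name patterns Red October’s USB stealer was configured to look for (Acid Cryptofiller material and the “.xi*” files of the other crypto software). Knowing those patterns lets a defender check whether a removable drive or file share holds anything in the stealer’s scope. The following is an added example, not code from the deck or from Kaspersky Lab: it parses the sa= lines exactly as printed, compiles them as case-insensitive regexes (case-insensitivity is an assumption, since Windows paths are case-insensitive), and produces an exposure report over a constructed list of Windows-style paths.

```python
import re

# Patterns exactly as listed on the slides, in the deck's "sa=/regex/" notation.
ACID_CRYPTOFILLER_RULES = r"""
sa=/pubring.*/
sa=/secring.*/
sa=/\.acidcsa$/
sa=/\.acidsca$/
sa=/\.aciddsk$/
sa=/\.acidpvr$/
sa=/\.acidppr$/
sa=/\.acidssa$/
sa=/\\ACIDInstallv.*\.exe$/
sa=/\\ACIDdirInstallv.*\.exe$/
sa=/\\Acid Technologies\\/
"""

OTHER_CRYPTO_RULES = r"""
sa=/\.xia$/
sa=/\.xiu$/
sa=/\.xis$/
sa=/\.xio$/
sa=/\.xig$/
"""

# Constructed sample paths for the report (not from the deck).
SAMPLE_PATHS = [
    r"E:\gnupg\pubring.gpg",
    r"E:\gnupg\secring.gpg",
    r"E:\Acid Technologies\keys\user.acidcsa",
    r"E:\Setup\ACIDInstallv2.exe",
    r"E:\data\report.xia",
    r"E:\photos\holiday.jpg",
]

# One rule per line: "sa=/" + regex body + "/".
RULE_RE = re.compile(r"^sa=/(.*)/$")


def parse_rules(text):
    """Compile each 'sa=/regex/' line into a case-insensitive regex.

    The regex body is taken verbatim; the backslashes in the slides already
    form valid regex escapes (\\ for a path separator, \. for a literal dot).
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"not an sa= rule: {line!r}")
        rules.append(re.compile(m.group(1), re.IGNORECASE))
    return rules


def matching_rules(path, rules):
    """Return the pattern strings from `rules` that match `path` (searched, not anchored)."""
    return [r.pattern for r in rules if r.search(path)]


def exposure_report(paths, rule_sets):
    """Map each path to the names of the rule sets with at least one matching pattern.

    Paths matched by no rule set are left out of the report.
    """
    report = {}
    for path in paths:
        hits = [name for name, rules in rule_sets.items() if matching_rules(path, rules)]
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    sets = {
        "Acid Cryptofiller": parse_rules(ACID_CRYPTOFILLER_RULES),
        "other crypto software": parse_rules(OTHER_CRYPTO_RULES),
    }
    for path, names in exposure_report(SAMPLE_PATHS, sets).items():
        print(f"{path}: in scope of {', '.join(names)}")
```

Running the block shows which of the sample files fall inside the stealer’s configured scope; the same report over a real directory listing tells you which key rings and encrypted containers would have been collected had such a module reached the drive.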

  • Red October “Zakladka” module

  • 2013 – NetTraveler

  • NetTraveler summary

    • Created: 2004 (?)

    • Announced: Jun 2013

    • Targets: Wide

    • Affected: Windows PCs

    • Victims: 500-1000

    • Author: unknown

    • Crew size: 50 persons

    • Investment: less ~$500k

  • Interests of the NetTraveler group

    • Nanotechnology

    • Lasers

    • Nuclear power cells

    • Aerospace

    • Drilling

    • Manufacturing in extreme conditions

    • Radio wave weapons

  • Icefog

• The emergence of small groups of cyber-mercenaries available for hire to perform surgical “hit-and-run” operations.

    • Main targets located in: South Korea, Japan

    • Targeted sectors: military, shipbuilding and maritime, research, telecom, satellite, mass media and television.

  • Icefog - summary

    • Created: 2010 (?)

    • Announced: Sep 2013

    • Target: Supply chain

    • Affected: Windows PCs, Macs

    • Victims: ~100

    • Crew size: 5-10

    • Investment: less ~$10k

  • Targets of Icefog

  • The Mask - summary

• One of the most advanced threats at the moment

    • Since 2007

    • 380 victims in 31 countries

    • Linux, OSX, Windows

    • Multiple interests

• Gov, Energy, Activists, Financial

    • Nation state backed

  • The trend: growing number of high-end cyber-espionage operations

[Timeline 2010–2013: Stuxnet, Duqu, Flame, Gauss, MiniDuke, RedOctober, Icefog, NetTraveler, Winnti, miniFlame]

  • Global cyber-arms race

• Cost of entry decreasing

    • More APT groups

    • Emergence of cyber-mercenaries

    • Supply chain attacks

    • Larger operations & surgical strikes

    • Critical infrastructure attacks

    • “Wipers”, cyber-sabotage

    • Nobody is safe

    APT trends

  • The 3 dangers of Cyberwar

    Ideas and techniques from cyberweapons can be re-purposed and copied.

    Companies become collateral victims in the cyberwar between superpowers.

Cybercriminals start using weaponized exploits developed by or for governments.

  • 30,000 machines wiped by Shamoon

    Saudi Aramco

  • Banks and TV networks HDDs wiped

South Korea Attacks

  • Collateral Damage

Stuxnet incidents: 150k (KL stats)

    Primary Example

  • Our critical infrastructure is fragile

Cyberweapons are tampered with and used against innocent victims

  • What is CVE-2011-3402?

    Answer: the ‘Duqu’ exploit

    13 Dec

    14 Dec

    Commercialization of Exploits

  • IT Staff Biggest Nightmares

    They all have something in common:

    exploits

  • The truth?

    Threats are everywhere

Against military grade weapons, you want the best available defense strategy.

    Patch.

    Defense?

    Whitelist. Default Deny. Exploit prevention. 0-day defense.

    Realtime monitoring. Cloud technologies.

    Perimeter. Education. Raise awareness.

    Local and International cooperation.

  • PAGE 55 |

    CONCLUSIONS AND PREDICTIONS

Malware will continue to grow exponentially YoY

    As long as there’s a way to make money out of it, cybercriminals will always create malware

    Malware now moving towards emerging platforms

    Google’s Android and Apple’s OS X have never been more targeted by attackers

    Cyber-espionage and cyber-sabotage, a common thing

    Nation states are currently building defensive

    (and offensive!) cyber capabilities

• PAGE 56 |

    Thank you!

    Questions?

    Stefan Tanase, Senior Security Researcher, Kaspersky Lab

    Riga, Latvia – 16 October 2014