Secure List feed for B2B

Syndicate content
Online headquarters of Kaspersky Lab security experts.
Updated: 20 hours 7 min ago

Equation: The Death Star of Malware Galaxy

Mon, 02/16/2015 - 14:55

Download "Equation group: questions and answers" PDF

"Houston, we have a problem"

One sunny day in 2009, Grzegorz Brzęczyszczykiewicz1 embarked on a flight to the burgeoning city of Houston to attend a prestigious international scientific conference. As a leading scientist in his field, such trips were common for Grzegorz. Over the next couple of days, Mr Brzęczyszczykiewicz exchanged business cards with other researchers and talked about  the kind of important issues such high level scientists would discuss (which is another way of saying "who knows?").  But, all good things must come to an end; the conference finished and Grzegorz Brzęczyszczykiewicz flew back home, carrying with him many highlights from a memorable event. Sometime later, as is customary for such events, the organizers sent all the participants a CDROM carrying many beautiful pictures from the conference. As Grzegorz put the CDROM in his computer and the slideshow opened, he little suspected he had just became the victim of an almost omnipotent cyberespionage organization that had just infected his computer through the use of three exploits, two of them being zero-days.

A rendezvous with the "God" of cyberespionage

It is not known when the Equation2 group began their ascent. Some of the earliest malware samples we have seen were compiled in 2002; however, their C&C was registered in August 2001. Other C&Cs used by the Equation group appear to have been registered as early as 1996, which could indicate this group has been active for almost two decades. For many years they have interacted with other powerful groups, such as the Stuxnet and Flame groups; always from a position of superiority, as they had access to exploits earlier than the others.

The #EquationAPT group is probably one of the most sophisticated cyber attack groups in the world #TheSAS2015

Tweet

Since 2001, the Equation group has been busy infecting thousands, or perhaps even tens of thousands of victims throughout the world, in the following sectors:

  • Government and diplomatic institutions
  • Telecoms
  • Aerospace
  • Energy
  • Nuclear research
  • Oil and gas
  • Military
  • Nanotechnology
  • Islamic activists and scholars
  • Mass media
  • Transportation
  • Financial institutions
  • Companies developing encryption technologies

To infect their victims, the Equation group uses a powerful arsenal of "implants" (as they call their Trojans), including the following we have created names for: EQUATIONLASER, EQUATIONDRUG, DOUBLEFANTASY, TRIPLEFANTASY, FANNY and GRAYFISH. No doubt other "implants" exist which we have yet to identify and name.

The #EquationAPT group interacted with other powerful groups, such as the #Stuxnet and #Flame groups #TheSAS2015

Tweet

The group itself has many codenames for their tools and implants, including SKYHOOKCHOW, UR, KS, SF, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, DESERTWINTER and GROK. Incredible as it may seem for such an elite group, one of the developers made the unforgivable mistake  of leaving his username: "RMGREE5", in one of the malware samples as part of his working folder: "c:\users\rmgree5\".

Perhaps the most powerful tool in the Equation group's arsenal is a mysterious module known only by a cryptic name: "nls_933w.dll". It allows them to reprogram the hard drive firmware of over a dozen different hard drive brands, including Seagate, Western Digital, Toshiba, Maxtor and IBM. This is an astonishing technical accomplishment and is testament to the group's abilities.

Over the past years, the Equation group has performed many different attacks.  One stands out: the Fanny worm. Presumably compiled in July 2008, it was first observed and blocked by our systems in December 2008. Fanny used two zero-day exploits, which were later uncovered during the discovery of Stuxnet. To spread, it used the Stuxnet LNK exploit and USB sticks. For escalation of privilege, Fanny used a vulnerability patched by the Microsoft bulletin MS09-025, which was also used in one of the early versions of Stuxnet from 2009.

LNK exploit as used by Fanny

It's important to point out that these two exploits were used in Fanny before they were integrated into Stuxnet, indicating that the Equation group had access to these zero-days before the Stuxnet group. The main purpose of Fanny was the mapping of air-gapped networks. For this, it used a unique USB-based command and control mechanism which allowed the attackers to pass data back and forth from air-gapped networks.

Two zero-day exploits were used by the #EquationAPT group before they were integrated into #Stuxnet #TheSAS2015

Tweet

In the coming days, we will publish more details about the Equation group malware and their attacks. The first document to be published will be a general FAQ on the group together with indicators of compromise.

By publishing this information, we hope to bring it to the attention of the ITSec community as well as independent researchers, who can extend the understanding of these attacks. The more we investigate such cyberespionage operations, we more we understand how little we actually know about them. Together, we can lift this veil and work towards a more secure (cyber-)world.

Download "Equation group: questions and answers" PDF

Indicators of compromise ("one of each"): Name EquationLaser MD5 752af597e6d9fd70396accc0b9013dbe Type EquationLaser installer Compiled Mon Oct 18 15:24:05 2004 Name Disk from Houston "autorun.exe" with EoP exploits MD5 6fe6c03b938580ebf9b82f3b9cd4c4aa Type EoP package and malware launcher Compiled Wed Dec 23 15:37:33 2009 Name DoubleFantasy MD5 2a12630ff976ba0994143ca93fecd17f Type DoubleFantasy installer Compiled Fri Apr 30 01:03:53 2010 Name EquationDrug MD5 4556ce5eb007af1de5bd3b457f0b216d Type EquationDrug installer ("LUTEUSOBSTOS") Compiled Tue Dec 11 20:47:12 2007 Name GrayFish MD5 9b1ca66aab784dc5f1dfe635d8f8a904 Type GrayFish installer Compiled Compiled: Fri Feb 01 22:15:21 2008 (installer) Name Fanny MD5 0a209ac0de4ac033f31d6ba9191a8f7a Type Fanny worm Compiled Mon Jul 28 11:11:35 2008 Name TripleFantasy   MD5 9180d5affe1e5df0717d7385e7f54386 loader (17920 bytes .DLL) Type ba39212c5b58b97bfc9f5bc431170827 encrypted payload (.DAT) Compiled various, possibly fake   Name _SD_IP_CF.dll - unknown MD5 03718676311de33dd0b8f4f18cffd488 Type DoubleFantasy installer + LNK exploit package Compiled Fri Feb 13 10:50:23 2009 Name nls_933w.dll MD5 11fb08b9126cdb4668b3f5135cf7a6c5 Type HDD reprogramming module Compiled Tue Jun 15 20:23:37 2010 Name standalonegrok_2.1.1.1 / GROK MD5 24a6ec8ebf9c0867ed1c097f4a653b8d Type GROK keylogger Compiled Tue Aug 09 03:26:22 2011 C&C servers (hostnames and IPs): DoubleFantasy: advancing-technology[.]com
avidnewssource[.]com
businessdealsblog[.]com
businessedgeadvance[.]com
charging-technology[.]com
computertechanalysis[.]com
config.getmyip[.]com - SINKHOLED BY KASPERSKY LAB
globalnetworkanalys[.]com
melding-technology[.]com
myhousetechnews[.]com - SINKHOLED BY KASPERSKY LAB
newsterminalvelocity[.]com - SINKHOLED BY KASPERSKY LAB
selective-business[.]com
slayinglance[.]com
successful-marketing-now[.]com - SINKHOLED BY KASPERSKY LAB
taking-technology[.]com
techasiamusicsvr[.]com - SINKHOLED BY KASPERSKY LAB
technicaldigitalreporting[.]com
timelywebsitehostesses[.]com
www.dt1blog[.]com
www.forboringbusinesses[.]com EquationLaser: lsassoc[.]com - re-registered, not malicious at the moment
gar-tech[.]com - SINKHOLED BY KASPERSKY LAB Fanny: webuysupplystore.mooo[.]com - SINKHOLED BY KASPERSKY LAB EquationDrug: newjunk4u[.]com
easyadvertonline[.]com
newip427.changeip[.]net - SINKHOLED BY KASPERSKY LAB
ad-servicestats[.]net - SINKHOLED BY KASPERSKY LAB
subad-server[.]com - SINKHOLED BY KASPERSKY LAB
ad-noise[.]net
ad-void[.]com
aynachatsrv[.]com
damavandkuh[.]com
fnlpic[.]com
monster-ads[.]net
nowruzbakher[.]com
sherkhundi[.]com
quik-serv[.]com
nickleplatedads[.]com
arabtechmessenger[.]net
amazinggreentechshop[.]com
foroushi[.]net
technicserv[.]com
goldadpremium[.]com
honarkhaneh[.]net
parskabab[.]com
technicupdate[.]com
technicads[.]com
customerscreensavers[.]com
darakht[.]com
ghalibaft[.]com
adservicestats[.]com
247adbiz[.]net - SINKHOLED BY KASPERSKY LAB
webbizwild[.]com
roshanavar[.]com
afkarehroshan[.]com
thesuperdeliciousnews[.]com
adsbizsimple[.]com
goodbizez[.]com
meevehdar[.]com
xlivehost[.]com
gar-tech[.]com - SINKHOLED BY KASPERSKY LAB
downloadmpplayer[.]com
honarkhabar[.]com
techsupportpwr[.]com
webbizwild[.]com
zhalehziba[.]com
serv-load[.]com
wangluoruanjian[.]com
islamicmarketing[.]net
noticiasftpsrv[.]com
coffeehausblog[.]com
platads[.]com
havakhosh[.]com
toofanshadid[.]com
bazandegan[.]com
sherkatkonandeh[.]com
mashinkhabar[.]com
quickupdateserv[.]com
rapidlyserv[.]com GrayFish: ad-noise[.]net
business-made-fun[.]com
businessdirectnessource[.]com
charmedno1[.]com
cribdare2no[.]com
dowelsobject[.]com
following-technology[.]com
forgotten-deals[.]com
functional-business[.]com
housedman[.]com
industry-deals[.]com
listennewsnetwork[.]com
phoneysoap[.]com
posed2shade[.]com
quik-serv[.]com
rehabretie[.]com
speedynewsclips[.]com
teatac4bath[.]com
unite3tubes[.]com
unwashedsound[.]com TripleFantasy: arm2pie[.]com
brittlefilet[.]com
cigape[.]net
crisptic01[.]net
fliteilex[.]com
itemagic[.]net
micraamber[.]net
mimicrice[.]com
rampagegramar[.]com
rubi4edit[.]com
rubiccrum[.]com
rubriccrumb[.]com
team4heat[.]net
tropiccritics[.]com Equation group's exploitation servers: standardsandpraiserepurpose[.]com
suddenplot[.]com
technicalconsumerreports[.]com
technology-revealed[.]com IPs hardcoded in malware configuration blocks: 149.12.71.2
190.242.96.212
190.60.202.4
195.128.235.227
195.128.235.231
195.128.235.233
195.128.235.235
195.81.34.67
202.95.84.33
203.150.231.49
203.150.231.73
210.81.52.120
212.61.54.239
41.222.35.70
62.216.152.67
64.76.82.52
80.77.4.3
81.31.34.175
81.31.36.174
81.31.38.163
81.31.38.166
84.233.205.99
85.112.1.83
87.255.38.2
89.18.177.3 Kaspersky products detection names:
  • Backdoor.Win32.Laserv
  • Backdoor.Win32.Laserv.b
  • Exploit.Java.CVE-2012-1723.ad
  • HEUR:Exploit.Java.CVE-2012-1723.gen
  • HEUR:Exploit.Java.Generic
  • HEUR:Trojan.Java.Generic
  • HEUR:Trojan.Win32.DoubleFantasy.gen
  • HEUR:Trojan.Win32.EquationDrug.gen
  • HEUR:Trojan.Win32.Generic
  • HEUR:Trojan.Win32.GrayFish.gen
  • HEUR:Trojan.Win32.TripleFantasy.gen
  • Rootkit.Boot.Grayfish.a
  • Trojan-Downloader.Win32.Agent.bjqt
  • Trojan.Boot.Grayfish.a
  • Trojan.Win32.Agent.ajkoe
  • Trojan.Win32.Agent.iedc
  • Trojan.Win32.Agent2.jmk
  • Trojan.Win32.Diple.fzbb
  • Trojan.Win32.DoubleFantasy.a
  • Trojan.Win32.DoubleFantasy.gen
  • Trojan.Win32.EquationDrug.b
  • Trojan.Win32.EquationDrug.c
  • Trojan.Win32.EquationDrug.d
  • Trojan.Win32.EquationDrug.e
  • Trojan.Win32.EquationDrug.f
  • Trojan.Win32.EquationDrug.g
  • Trojan.Win32.EquationDrug.h
  • Trojan.Win32.EquationDrug.i
  • Trojan.Win32.EquationDrug.j
  • Trojan.Win32.EquationDrug.k
  • Trojan.Win32.EquationLaser.a
  • Trojan.Win32.EquationLaser.c
  • Trojan.Win32.EquationLaser.d
  • Trojan.Win32.Genome.agegx
  • Trojan.Win32.Genome.akyzh
  • Trojan.Win32.Genome.ammqt
  • Trojan.Win32.Genome.dyvi
  • Trojan.Win32.Genome.ihcl
  • Trojan.Win32.Patched.kc
  • Trojan.Win64.EquationDrug.a
  • Trojan.Win64.EquationDrug.b
  • Trojan.Win64.Rozena.rpcs
  • Worm.Win32.AutoRun.wzs
Yara rules: rule apt_equation_exploitlib_mutexes { meta: copyright = "Kaspersky Lab" description = "Rule to detect Equation group's Exploitation library" version = "1.0" last_modified = "2015-02-16" reference = "https://securelist.com/blog/" strings: $mz="MZ" $a1="prkMtx" wide $a2="cnFormSyncExFBC" wide $a3="cnFormVoidFBC" wide $a4="cnFormSyncExFBC" $a5="cnFormVoidFBC" condition: (($mz at 0) and any of ($a*)) } rule apt_equation_doublefantasy_genericresource { meta: copyright = "Kaspersky Lab" description = "Rule to detect DoubleFantasy encoded config" version = "1.0" last_modified = "2015-02-16" reference = "https://securelist.com/blog/" strings: $mz="MZ" $a1={06 00 42 00 49 00 4E 00 52 00 45 00 53 00} $a2="yyyyyyyyyyyyyyyy" $a3="002" condition: (($mz at 0) and all of ($a*)) and filesize < 500000 } rule apt_equation_equationlaser_runtimeclasses { meta: copyright = "Kaspersky Lab" description = "Rule to detect the EquationLaser malware" version = "1.0" last_modified = "2015-02-16" reference = "https://securelist.com/blog/" strings: $a1="?a73957838_2@@YAXXZ" $a2="?a84884@@YAXXZ" $a3="?b823838_9839@@YAXXZ" $a4="?e747383_94@@YAXXZ" $a5="?e83834@@YAXXZ" $a6="?e929348_827@@YAXXZ" condition: any of them } rule apt_equation_cryptotable { meta: copyright = "Kaspersky Lab" description = "Rule to detect the crypto library used in Equation group malware" version = "1.0" last_modified = "2015-02-16" reference = "https://securelist.com/blog/" strings: $a={37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1} condition: $a }

 

1 pseudonym, to protect the original victim's identity >>
2 the name "Equation group" was given because of their preference for sophisticated encryption schemes >>

The Great Bank Robbery: the Carbanak APT

Mon, 02/16/2015 - 12:20

Download Full Report PDF

The story of Carbanak began when a bank from Ukraine asked us to help with a forensic investigation. Money was being mysteriously stolen from ATMs. Our initial thoughts tended towards the Tyupkin malware. However, upon investigating the hard disk of the ATM system we couldn't find anything except a rather odd VPN configuration (the netmask was set to 172.0.0.0).

At this time we regarded it as just another malware attack. Little did we know then that a few months later one of our colleagues would receive a call at 3 a.m. in the middle of the night. On the phone was an account manager, asking us to call a certain number as matter of urgency. The person at the end of the line was the CSO of a Russian bank. One of their systems was alerting that data was being sent from their Domain Controller to the People's Republic of China.

Up to 100 financial institutions have been hit.Total financial losses could be as a high as $1bn#TheSAS2015#Carbanak

Tweet

When we arrived on site we were quickly able to find the malware on the system. We wrote a batch script that removed the malware from an infected PC, and ran this script on all the computers at the bank. This was done multiple times until we were sure that all the machines were clean. Of course, samples were saved and through them we encountered the Carbanak malware for the first time.

Modus Operandi

Further forensic analysis took us to the point of initial infection: a spear phishing e-mail with a CPL attachment; although in other cases Word documents exploiting known vulnerabilities were used. After executing the shellcode, a backdoor based on Carberp, is installed on the system. This backdoor is what we know today as Carbanak. It is designed for espionage, data exfiltration and remote control.

Each bank robbery took 2-4 months, from infecting the first computer to cashing the money out #TheSAS2015 #Carbanak

Tweet

Once the attackers are inside the victim´s network, they perform a manual reconnaissance, trying to compromise relevant computers (such as those of administrators') and use lateral movement tools. In short, having gained access, they will jump through the network until they find their point of interest. What this point of interest is, varies according to the attack. What they all have in common, however, is that from this point it is possible to extract money from the infected entity.

The gang behind Carbanak does not necessarily have prior knowledge of the inner workings of each bank targeted, since these vary per organisation. So in order to understand how a particular bank operates, infected computers were used to record videos that were then sent to the Command and Control servers. Even though the quality of the videos was relatively poor, they were still good enough for the attackers, armed also with the keylogged data for that particular machine to understand what the victim was doing. This provided them with the knowledge they needed to cash out the money.

Cash out procedures

During our investigation we found several ways of cashing out:

ATMs were instructed remotely to dispense cash without any interaction with the ATM itself, with the cash then collected by mules; the SWIFT network was used to transfer money out of the organisation and into criminals' accounts; and databases with account information were altered so that fake accounts could be created with a relatively high balance, with mule services being used to collect the money.

Infections and losses

Since we started investigating this campaign we have worked very closely with the law enforcement agencies (LEAs) tracking the Carbanak group. As a result of this cooperation we know that up to 100 targets have been hit. When it comes to financial institutions, In at least half of the cases the criminals were able to extract money from the infected institution. Losses per bank range from $2.5 million to approximately $10 million. However, according to information provided by LEAs and the victims themselves, total financial losses could be as a high as $1 billion, making this by far the most successful criminal cyber campaign we have ever seen.

Losses from #Carbanak per bank range from $2.5 million to approximately $10 million #TheSAS2015

Tweet

Our investigation began in Ukraine and then moved to Moscow, with most of the financial entities targeted by the group located in Eastern Europe. However thanks to KSN data and data obtained from the Command and Control servers, we know that Carbanak also targets victims in the USA, Germany and China. Now the group is expanding its operations to new areas. These include Malaysia, Nepal, Kuwait and several regions in Africa, among others.

The group is still active, and we urge all financial organizations to carefully scan their networks for the presence of Carbanak. If detected, report the intrusion to law enforcement immediately.

For a full description of the campaign, IOCs and list of infections please see our report.

To check your network for Carbanak's presence, you can also use the open IOC file available here.

FAQ What is Carbanak?

Carbanak is the name we use for an APT-style campaign targeting (but not limited to) financial institutions. The main difference with other APT attacks is that attackers do not see data but money as their primary target. We say APT-like, however the attack is not strictly speaking Advanced. Strictly speaking, the main feature defining the attackers is Persistence.

We name the backdoor Carbanak since it is based on Carberp and the name of the configuration file is "anak.cfg".

What are the malicious purposes of this campaign?

The attackers infiltrate the victim´s network looking for the critical system they can use for cashing money out. Once they have stolen a significant amount of money (from 2.5 to 10 MM USD per entity), they abandon the victim.

Why do you think it is significant?

Banking entities have always been a primary target for cybercriminals. However it was almost always through their customers. This time attackers are targeting financial entities directly in an unprecedented, determined, highly professional and coordinated attack, and using any means from the target to cash as much money out as possible, up to an apparently auto-imposed limit.

Can you explain the timeline of the campaign?

According to what we know, the first malicious samples were compiled in August, 2013 when the cybercriminals started to test the Carbanak malware. The first infections were detected in December, 2013.

On average, each bank robbery took between two and four months, from infecting the first computer at the bank's corporate network to cashing the money out.

We believe that the gang was able to successfully steal from their first victims during the period of February-April 2014. The peak of infections was recorded in June 2014.

Currently the campaign is still active.

Why didn´t you make the details public until now?

Since we started working on this campaign we have collaborated with the different LEAs involved in the investigation and helped them as much as possible. As it remains an open investigation, we were asked not to share any details until it was safe to do so.

Have you reached victims and Computer Emergency Response Teams (CERTs) in those countries where you have detected the incidents?

Yes, this investigation turned into a joint operation between Kaspersky Lab's Global Research and Analysis Team and international organizations, national and regional law enforcement agencies and a number of Computer Emergency Response Teams (CERTs) worldwide.

One of our main goals was to disseminate our knowledge of the campaign and IOCs among all detected and potential victims. We used national CERTs and LEAs as the distribution channel.

How did you contribute to the investigation?

We're helping to assist in investigations and countermeasures that disrupt malware operations and cybercriminal activity. During the investigations we provide technical expertise such as analyzing infection vectors, malicious programs, supported Command & Control infrastructure and exploitation methods.

How was the malware distributed?

Attackers used spear phishing emails with malicious attachments against employees of the targeted financial institutions, in some cases sending them to their personal email addresses. We believe the attackers also used drive by download attacks, but this second assumption is still not 100% confirmed.

What is the potential impact for victims?

Based on what the attackers stole from victims, a new victim faces potential losses of up to 10 million $. However this figure is arbitrary based on what we know: nothing limits the potential loss once an institution is infected.

Who are the victims? What is the scale of the attack?

Victims are mainly institutions in the financial industry; however we have also found traces of infections in POS terminals and PR agencies. For a sense of the scale of the attack please see the different charts and maps we provide in our report.

As with many malware campaigns there are a variety of companies/individuals analyzing the malware, resulting in requests to the Command and Control server. When we analyze those servers, all we see are the IPs and possibly some additional information. When this additional information is not present, and when the IP cannot be traced back to its owner, we mark it as an infection.

Based on this approach our analysis concludes that Russia, the US, Germany and China are the most affected countries in number of traces of infection (IP addresses).

How are corporate users protected against this type of attack? Does Kaspersky Lab protect their users?

Yes, we detect Carbanak samples as Backdoor.Win32.Carbanak and Backdoor.Win32.CarbanakCmd.

All Kaspersky Lab's corporate products and solutions detect known Carbanak samples. To raise the level of protection, it is recommended to switch on Kaspersky's Proactive Defense Module included in each modern product and solution.

We also have some general recommendations:

  • Do not open suspicious emails, especially if they have an attachment;
  • Update your software (in this campaign no 0days were used);
  • Turn on heuristics in your security suites, this way it is more likely that such new samples will be detected and stopped from the beginning.

Financial cyber threats in 2014: things changed

Thu, 02/12/2015 - 07:00

 Download Full Report PDF

In 2013 we conducted our first in-depth research into the financial cyber-threat landscape. At that time we registered a sudden surge in the number of attacks targeting users' financial information and money. The financial cyber threats landscape was discussed in detail in Kaspersky Lab's "Financial Cyber-threats in 2013" report.

In 2014, the situation changed considerably: the number of attacks and attacked users significantly decreased, as did the amount of financial phishing. The key findings of the study into the financial cyber-threat landscape in 2014 are as follows:

Attacks with Financial malware in 2013 and 2014

Financial phishing attacks
  • In 2014 financial phishing attacks, which include phishing that targets Banks, Payment Systems and E-shops, accounted for 28.73% of all phishing attacks (a decrease of 2.72 percentage points).
  • Bank-related phishing accounted for 16.27% of all attacks.
  • The amount of phishing against Payment Systems increased 2.4 p.p. (from 2.74% in 2013 to 5.14% in 2014)
Financial malware attacks
  • In 2014 Kaspersky Lab products detected 22.9 million attacks involving financial malware against 2.7 million users. This represents a YoY decrease of 19.23% for attacks and 29.77% of users.
  • Among the total number of users subjected to all types of malware attacks, 4.86% of users encountered attacks involving some kind of financial threat – that's 1.34 percentage points less than in 2013.
  • The amount of Banking malware rose 8.89 percentage points to 75.63% of all financial malware attacks in 2014.
  • The number of attacks involving Bitcoin mining malware tripled: from 360,065 attacks in 2013 to 1,204,987 in 2014

There are several possible reasons for these changes. First of all, law enforcement agencies around the world actively prosecuted cybercriminals who were spreading financial malware and phishing. In particular, last summer, law enforcement agencies in the US and the UK stopped the activities of two dangerous malicious campaigns – Gameover / Zeus and Shylock.

The second reason for the decline in the number of attacks might be a shift in the cybercriminals' focus – instead of attacking end-users they are now pursuing organizations that work with financial information and payment tools. Throughout the year there were frequent reports of malicious attacks on large stores, hotel chains and fast food restaurants that serve millions of customers a day. In each case the fraudsters used malicious software that could steal bank card data directly from the memory of the POS terminals used by the organizations under attack. Banks became yet another "new" cybercriminal target. In 2014, Kaspersky Lab investigated several attacks targeting banks rather than their users' accounts. Neither of these "new" types of attack prompted a rash of new AV detections simply because there are so few organizations involved compared with the number of private users running antivirus solutions, so it is difficult to compare the number of attacks. Nevertheless, the damage from such attacks amounted to millions of dollars so this threat can hardly be dismissed.

#Cybercriminals are less interested in "mass" malicious attacks, preferring fewer, more "targeted" #attacks #KLreport

Tweet

A third possible reason for the reduced number of cyberattacks lies in a general trend observed by Kaspersky Lab specialists in 2014. According to the company's experts, cybercriminals are less interested in "mass" malicious attacks on users, preferring fewer, more "targeted" attacks. This is shown by the increased levels of targeted phishing: fraudsters only go after a specific group of users (for example, online banking users) rather than spreading mass mailings with malicious links.

This tactic suggests that a selective malicious mailing is less likely to be detected by IT security specialists and the lifespan of malicious links and malware samples will be extended. The trick is not always successful, but one consequence of its use is a decline in the absolute number of registered cyberattacks.

Android financial malware attacks

And what about mobile financial threats?

First of all, when we talk about mobile cyberthreats we focus on Android cyberthreats. According to Kaspersky Lab experts, more than 99% of mobile malware they are aware of is designed to attack Android devices.

48.15% of the attacks against #Android users utilized malware targeting financial data (Trojan-SMS, Trojan-Banker)

Tweet

In 2014 Kaspersky Lab and INTERPOL released a joint study on Mobile Cyberthreats which – among others – covered financial malware targeting Android users. According to the findings, there were 3,408,112 attacks against 1,023,202 users recorded in the period from August 1st, 2013 to July 31st 2014. About 500,000 users have encountered Android malware designed to steal money at least once. More than half a year has passed since the end of the period covered by the Kaspersky Lab / INTERPOL study and here is how things changed since:

  • 48.15% of the attacks against users of Android-based devices blocked by Kaspersky Lab products utilized malware targeting financial data (Trojan-SMS and Trojan-Banker)
  • In comparison with 2013 the number of financial attacks against Android users increased 3.25 times (from 711,993 to 2,317,194 attacks) and number of attacked users was up 3.64 times (from 212,890 to 775,887 users)

Attacks against users of Android-based devices in 2013 and 2014

In other words, the ever-increasing numbers of financial attacks against users of Android-based devices is a strong trend that shows no sign of declining.

Read more about financial cyber-threats in 2014 in our whitepaper.

DKIM technology on guard of your mail

Tue, 02/10/2015 - 05:00

Over the last decade DKIM signatures have become an important technology in the extensive list of methods for fighting against spam. Despite the fact that many users have no idea what the term DKIM even means, it is exactly this system that behind the scenes keeps our mailboxes guarded from various types of unsolicited mail, as well as protects a part of the world mail traffic from being wrongly labeled as "spam".

In this article we investigate the structure of DKIM in perspective from its emergence all the way up to nowadays. We also reveal the main advantages and downsides of this piece of technology, as well as explore typical spammers' tricks for forging DKIM signatures.

Concept of DKIM

DKIM technology (DomainKeys Identified Mail) provides a sender verification and guarantees the integrity of the delivered email. The verification is based on the electronic message signature which is generated with asymmetric cryptography. This signature is added to the service headers and is transferred transparently for the end user.

DKIM signature validation occurs automatically on the user side. It relies on the data extracted from the DKIM header as well as on the public encryption key retrieved from the sender's DNS domain name records. The message might be marked as scam, phishing, or suspicious if the specified domain name was not authorized to send this message, depending on the user's policies. Email clients are more loyal to the correspondence with successfully validated DKIM headers, as opposed to the messages with failed DKIM verification. In the meantime, emails without any DKIM headers are processed in the standard mode.

DKIM history

The history of DKIM starts in 2003 with an independent technology DomainKeys (DKIM ancestor) developed by Mark Delany as a part of his work at Yahoo. Two years later Yahoo is granted a patent for Domainkeys, and a wide range of vendors starts to prepare the first recommendatory version of DKIM standard.

In parallel with the DomainKeys development in 2003-2007, Cisco creates their own project "Identified Internet Mail" (IIM), based on a similar concept of authentication with the message signature.

In 2007 IETF publishes DomainKeys standard RFC 4870 (as already deprecated one) and the first standard of DKIM RFC 4871. Later on DKIM standard improves and gets updated in 2009 (RFC 5672). Finally, in 2011 IETF decides to merge two specs, IIM and DKIM, into the final standard RFC 6376.

Despite the fact that new standard had been published, by the year 2012 numerous companies were still using a deprecated 2007-year version of standard. This created a lot of interesting research on potential vulnerabilities in DKIM which we discuss below.

How it works

DKIM is based on the standard asymmetric encryption.

5 main DKIM stages:
  1. For every server a public/private key pair (or a set of pairs) is generated.
  2. The private key is stored on the sender's server and is being used to create all corresponding DKIM headers for the outgoing mail.
  3. The public key is added to the domain DNS zone file in the form of special TXT-record by the domain owner and be comes accessible to everyone.
  4. Email with DKIM signature is sent to the recipient (see below).
  5. Signature is verified using the public key retrieved from the DNS records.
DKIM-signed email delivery
  1. Compose and send message.
    User sends an email and it is accepted by the sender's mail server.
  2. Create DKIM signature.
    The mail server adds a new "DKIM signature" header. This header includes an electronic signature created with the private encryption key, the message's body, its headers, current time, and other parameters.
  3. Transfer signed message.
    Message with a new signed "DKIM signature" header is sent to the recipient.
  4. Message reception and signature validation.
    The recipient's mail client analyzes the DKIM header and gives a verdict based on the public key, whether the sender and email are legitimate or not.
DKIM header validation

The very last stage, message validation, is especially interesting.
Main milestones:

  1. Sending DNS-request.
    Mail client/service performs a DNS-request that includes the domain name from which allegedly the message was sent.
  2. Public encryption key retrieval.
    The corresponding TXT-record that includes a public key is extracted from the response body from the DNS-server
  3. DKIM header analysis:
    1. Every tag in the header is decrypted from Base64 to its text representation.
    2. Received strings are decrypted using the previously retrieved public key.
  4. Final verdict.
    The last stage is to compare the body text and headers with the decrypted information from the DKIM header. Any sort of discrepancy leads to dkim=fail, whereas if the content matches the verdict is dkim=pass.

DKIM header structure

Typical DKIM signature headers comprises of a list of tags like "tag=value". Tags names have short names and usually are 1-2 characters long.

Example:

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=foursquare.com; h=from:to:subject:mime-version:content-type; s=smtpapi; bh=9UsnWtzRLBWT7hnQc8V2RF4Ua4M=; b=IgnW7QsK2LBp0VQJ4FJcLv9MmHBvD 2Ch6jPxQ/Hkz+TX2WXyWkGbScx4gbZeWj3trqN4LUVvTf2U+htG4Wsg6sQAKqvnC neTeDvcmm225CKji0+MSXL8VK6ble8mkk14EAwWDP8+DJMwL2f7v/wp6QEdd7jqY q/fX+TY5ChIYHQ= Tags and descriptions

Main tags:

Tag Tag description b message content (body + headers, encoded in Base64) bh hash of the canonicalized body part of the message(also in Base64) d domain name of the signing entity h list of signed headers

Additional headers:

Tag Tag description a main algorithm to generate the signature v system version s selector subdividing the namespace for the "d=" (domain) tag c algorithm to use to convert the body and headers to the canonical form q list of query methods used to retrieve the public key x signature expiration time i identity of the client on behalf of which the message is signed (in quoted-printable) l body length count in the number of octets in the body included in the cryptographic hash t signature timestamp z copied header fields at the moment of signature generation Common attack methods on DKIM Simple attacks

First attempts to use DKIM by spammers were observed by us back in 2009. Originally, spammers tried to add headers with content that was far away from valid DKIM signatures. Spammers paid very small attention to the accuracy of the signature, what created some pretty interesting cases.

For example, spammers used the same header for all emails in this spam mailing (the genuine DKIM headers are actually different for non-identical messages since each of them is based the message body, headers, timestamps, and other unique factors).

Tags spoofing

Other spam samples show how spammers copied DKIM signature from the legitimate third-party website and for every email changed content of only one DKIM-tag, completely forgetting that other tags also depend on the message content and should have different values as well.

Similar mistakes systematically appeared in spam throughout the last years.

Some of the most popular of them:

  1. Spammers correctly generate the "b"-tag which describes the message body, but forget about the "bh"-tag (hashed body).
  2. Domain name specified in "d"-tag does not correspond to the sender, nor to any details information in the email at all.
  3. Specified timestamp ("t"-tag) is not accurate and is related to some other date in the distant past.
Legitimate DKIM headers in spam

Spammers are capable of setting up their own mail servers and domains in order to generate legitimate DKIM headers as the average system administrator would do. In spite of that, valid DKIM headers have been fairly uncommon in spam until recently.

This is largely due to the complexity of the installation process of the DKIM server side for the valid signatures generation. However, the number of domain names involved in the spam activity has increased significantly over time, therefore attacks on DKIM have become more efficient and profitable for spammers. For these reasons spammers had to learn how to skillfully operate DNS-records of their numerous domains.

In the example below we can see a perfectly valid DKIM signature along with a correct domain's  TXT-record which lead to the "dkim=pass" verdict when coupled together.

This extra work appears to be reasonable enough for spammers since many email services are more loyal to the messages with correct DKIM signatures, and spammers' mail eventually has higher chances not to be banned by anti-spam filters and end up in the user's mailbox.

In addition to simple checks for the "DKIM=fail" verdict in message headers, our Kaspersky Security for Linux Mail Server detects all email spam with mentioned spammers tricks. It either detects this mail as spam and forwards straight to the junk folder  or increases the spam rate of the message.

Vulnerabilities and weaknesses of DKIM
  1. DKIM does not provide any guarantees.

It is not reasonable to rely solely on DKIM for the following reasons:

а) Spammers, as well as the average users, can correctly configure DKIM on their own website.
b) It is possible that some of mail coming from a single domain name does not have any DKIM headers. One example might be if the domain uses multiple mail servers with different configurations, although there might be many other scenarios.

Because of these reasons, the standard advises not to "penalize" any mail without DKIM signatures.

  1. Lack of sustainability when message structure changes.

DKIM signature becomes invalid when the headers order is even slightly modified, when new headers are added, or when headers had any minor changes in their content. These kinds of changes are quite common and occur when the message is processed by the server-forwarder on the way to the recipient.

  1. Short encryption keys are vulnerable.

All DKIM signatures signed with private keys shorter than 1024 bits in length are vulnerable according to the research by Zach Harris published in Wired in October 2012. Moreover, Harris managed to crack the 384-bit authentication in just 24 hours using his laptop only. You can read about other requirements to DKIM in our blog article about this news.

Interestingly enough, Harris had successfully sent emails to Google founders Sergey Brin and Larry Page in 2012 by spoofing their DKIM headers and formatting messages as their personal correspondence between each other.

Recently, numerous companies including Google and Microsoft started to intensively promote the use of encryption keys with the sufficient length. Despite that, there are still a great number of insecure mail servers signing DKIM headers with private keys of not cryptographically strong lengths.

Advantages of DKIM
  1. Correctly created DKIM signature confirms that the received message has been indeed sent from the specified domain.
  2. DKIM is a powerful tool for building a domain reputation based on the variety of messages received throughout a period of time (often used by diverse anti-spam solutions and by members of the DKIM reputation project)
  3. DKIM gives another indicator which helps to make a decision on the client side, whether to trust the sender or not.
How to use DKIM?

DKIM is used in combination with other technologies of mail reputational analysis. The majority of modern email services and mail clients already support DKIM verification. However, it is useful to ensure that DKIM is configured correctly if you use your own domain name, or if you want to set up DKIM on your own mail server.

DKIM installation on the corporate mail service

Many corporate email services support DKIM installation with only several clicks required. However, the domain administrator will have to manually edit the DNS zone file to add corresponding TXT-records.

For example, this is how the DKIM activation process looks like for Gmail for Work service.

  1. Open administratior panel for your domain name at https://admin.google.com
  2. Choose "Apps" in the list of menu items.
  3. Then choose Gmail from the list of apps.
  4. Confirm the intention to activate the "Email-authentication" and click "Generate new record".
  5. Service will generate the content of new TXT-record that you have to store in your domain's DNS zone file. To do that, open your domain's administrator panel, find a section for manually editing the domain zone, add a new record with TXT type, and copy there all values offered by Gmail.
  6. Final content of the zone record should be similar to:

            google._domainkey IN TXT v=DKIM1; k=rsa; p=(generated public key)

  7. As an extra step, you can create another TXT-record in order to support SPF policy as well. For Gmail for Work service this record should be:
  8.         @ IN TXT  v=spf1 include:_spf.google.com ~all

    This record authorizes Google servers to send mail from your domain name, and therefore the reversed verification on the recipient side will result in the spf=pass verdict.

  9. Shortly after you finish all previous steps (often already after 20 minutes, but may take up to 48 hours), all emails sent from your domain start to be labeled with dkim=pass and spf=pass flags, confirming the legitimacy of the sender.

If you have any problems with installation, the DKIM installation manual and SPF record manual from Google Apps should be helpful. For the details on the zone file editing, refer to your domain name registrant documentation.

DKIM installation on your own mail server

Setting up DKIM on your own mail server is a less trivial process. We will give a short explanation of the DKIM installation procedure for Postfix mail agent on the server with Debian-like distribution. DKIM installation for other mail servers and OS is analogous. For more details, refer to the documentation on the interested email client and the information at the OpenDKIM project website.

Main stages:

  1. Install Postfix MTA and the following OpenDKIM packages from the official repositories depending on your distribution
  2.         postfix opendkim opendkim-tools

  3. Generate the private key to be able to create DKIM signatures in the future. You will need to specify your domain name, as well as the selector name that can be chosen arbitrarily (used later).
  4.         $ opendkim-genkey -r -s selector -d yourdomain.com

    Store the generated key to the arbitrary file in the server directory with limited access and specify the path to it in the configuration file below.

  5. Copy the example file from /etc/opendkim/opendkim.conf.sample to /etc/opendkim/opendkim.conf and edit the following options depending on your domain name and the chosen selector name:
  6.         /etc/opendkim/opendkim.conf
            Domain                yourdomain.com
            KeyFile                /path/to/the/key
            Selector                selector
            Socket                  inet:8891@localhost
            UserID                 opendkim

  7. Create new TXT-record in your DNS zone file (see also examples of zone file configuration above in the example for Gmail for Work service). Do not forget to specify your selector name picked on the previous steps. The record should look similar to:
  8.         selector._domainkey IN TXT v=DKIM1; k=rsa; p=...

    You can validate the TXT-record of your domain with a simple request using host tool:

            host -t TXT selector._domainkey.yourdomain.com

    However, take into account it might take up to several hours to have your TXT-record updated because DNS providers cache data on their side.

  9. The last stage is the integration of opendkim to Postfix. Edit the configuration file /etc/postfix/main.cf and add the following data to it:
  10.         /etc/postfix/main.cf
            smtpd_milters = inet:localhost:8891
            non_smtpd_milters = inet:localhost:8891

  11. The installation is finished and you can run opendkim service.
  12.         sudo service opendkim start

Indicators of DKIM-validated mail

The majority of public email services support DKIM signatures, validate them transparently for the user, and use the received verdicts for their own anti-spam systems.

Some services try to make DKIM-check more visual and mark emails that successfully pass DKIM validation.

For example, Gmail service marks emails with a 'secured connection' icon if the sender is verified and this email passes some internal validations for the sender.

You can enable this functionality in Settings → Labs → Authentication icon for verified senders.

As another example, Yandex.Mail service supports DKIM-indicators by default. It shows the  icon when this email has a valid electronic signature.

Alternatives to DKIM

DKIM technology has various competitors and has become a basis for other sender authentication solutions.

  1. Sender Policy Framework (SPF)

SPF also uses DNS for storing information, and is a tool for verification the sender's domain. As opposed to DKIM, SPF stores not the public key in DNS records, but the list of the servers authorized to send email messages. Overall, SPF allows to verify the authenticity of the domain name, but not the message text or its headers.

Nonetheless, SPF technology is more widespread than DKIM and is supported by the vast majority of mail clients and email services.

  1. Pretty Good Privacy (PGP)

PGP is currently the most popular algorithm for email encryption in the world. It allows to encrypt the entire message under assumption that both sides generate public/private keys in advance and exchange the public keys. DKIM does not try to compete with PGP while being just an extension of the ordinary concept of email-message with the ability to validate the sender.

  1. Domain-based Message Authentication, Reporting and Conformance (DMARC).

DMARC is a relatively fresh authentication method that combines both SPF and DKIM technologies. This system was presented for the first time in 2011 and numerous top vendors expressed interest in it. In 2013 DMARC was already protecting more than half of the world mailbox while still not yet being an official standard, which once again proves the success of DKIM technology that underlies DMARC.

Spammers against hurricanes and terrorist attacks

Wed, 02/04/2015 - 06:00

Nothing holds a potential reader's attention stronger than a story about a catastrophe. A few days ago we came across an excellent example of a mass mailing where spammers took full advantage of this universal fascination with destruction.

The mass mailing in question is intended primarily for the US users. In it, the spammers list a series of recent tragedies and predict that worse is yet to come. They also propose a solution – just click the link to find out how to protect yourself and your family from harm.

In the email below the authors mention Sandy hurricane that hit North America about two years ago.

The spammers recall the crisis that faced many Americans after that hurricane – stranded in badly-damaged houses without food or electricity. The author of the email claims to know a guy who lived right in the center of the storm, in a wind-lashed city in New Jersey, and who suffered no shortages of anything. Click the link, and the spammers promise you'll enjoy the same good fortune if disaster strikes your neighborhood.

Yet another example mentions the recent terror attacks in France.

In this email, the spammers paint a bleak picture of America's immediate future, claiming the government is hiding the truth but expects blood to flow in the streets as it did in France. But there is an answer – just click the link and you'll find out how to protect your family from any attack.

When users follow these links they are taken to sites that are also striking. They start with an audio presentation of a confidential story told by a well-wisher.

The design of the site, the voice and the details of the story differ but the essence is the same: anyone who spends a few minutes to listen to the audio will be introduced to our hero, understand why he decided to share his warnings about the disasters in store for America and, eventually, find out how to build a miracle machine that can be easily assembled in your own home. The link to the video tutorial on self-assembly of this life-saving device costs just a few dozen dollars and shows you how to create a generator so simple that even your grandmother could make it work. Happy buyers don't only get an autonomous source of energy to be used in the event of disaster; they ca also save on household energy bills.

The audio is supported by a presentation which displays the speaker's text. So even users who cannot turn on the sound need only have the patience to watch for a few minutes, see the offer and reward the spammers for their efforts to spread paranoia by sending them their hard-earned dollars.

WhatsApp for Web in the sight of cybercriminals

Mon, 02/02/2015 - 08:40

There is no doubt WhatsApp is among the most popular mobile IMs nowadays – its 700 million users worldwide were eagerly awaiting this week's promised desktop version. However, it wasn't just users who were waiting – cybercriminals were quick to start using this new feature in their attacks, aiming to spread malware and infect users.

In fact we've been seeing malicious messages about a supposed desktop WhatsApp long before the app added that platform to its repertoire. Fake downloads appeared in several languages and countries, and now there is a real product out there the fraudsters have returned to their old attacks, dressed them up in new clothes and sent them on the prowl for new victims. In Brazil, for example, we soon saw messages like this:

"WhatsApp for your PC" is now real, but this link is malware

We found several malicious domains registered to be used in these attacks. Some were already in use and others were waiting their owners' command, such as whatsappcdesktop.com.br, spreading Brazilian Trojan bankers (b93417abdc82cf79d79b737b61744353 and 9f485efea5c20b821e9522e3b4aa0e11):

However, other bad guys decided to prepare a nice design and ask users to install a suspicious Chrome extension that had nothing to do with WhatsApp:

You do not need a Chrome extension to use WhatsApp Web…

There are also some unofficial desktop versions of WhatsApp circulating among speakers of Arabic and Spanish. Here a website offer a version of "WhatsApp Plus" for installation:

And here the "WhatsApp Spy" targeting Spanish-speaking countries:

To download the supposed desktop version you need to inform your mobile number:

Why they ask your number? To subscribe on premium services that will cost money and to send you spam. Yes, spam. One thing is certain: all these web services aim to easily collect your mobile number and feed the long-established spam industry that already uses WhatsApp. As pointed out by Adaptive Mobile, the number of these spam messages increases day by day. WhatsApp process around 30 billion messages per day – not surprisingly, many of them are spam:

Mobile Spam, now on your instant message

It´s not difficult find Brazilian spammers who are already doing this, masquerading as 'marketing companies' and selling packages to disperse spam. Their services don't just include text, there's also the opportunity of spreading pics, audio or even video for the low price of $0.03 cents per message, including an admin and API panel:

U$75 for 5k credits, which correspond to 5,000 spam messages

Unfortunately, it is not possible block messages from unknown contacts on WhatsApp; all you can do is block the sender after the message was arrived, which does not solve the problem at all. In all cases keep in mind the real web services of WhatsApp are located at https://web.whatsapp.com so please refuse imitations and suspicious apps.

Why You Shouldn't Completely Trust Files Signed with Digital Certificates

Thu, 01/29/2015 - 06:00

A digital certificate with a file is always seen as a token of its security. For users, a digital certificate is an indication that the file does not contain malicious code. Many system administrators develop their corporate security policies by allowing users to launch only those files that are signed with a digital certificate. In addition, some antivirus scanners automatically consider a file to be secure if it is signed with a valid digital certificate.

However, users' absolute trust in files signed with digital certificates encourages cybercriminals to search for various ways to have their malicious files signed with the same trusted digital certificates to help use them in their criminal schemes.

This article looks into the main threats associated with signed files, and suggests practical methods of mitigating the risks associated with launching them.

Creating digital signatures for files

Before we explore the threats associated with using digital certificates, let us first look into the process when a file is signed with a digital certificate:

  1. The software developer compiles the file.
  2. A hash sum (MD5, SHA1, or SHA2) is calculated for the file.
  3. That hash sum is encrypted with the software developer's private key.
  4. The obtained encrypted block of data and the digital certificate are added to the end of the file.

The digital certificate contains the software developer's public key, which can be used to decrypt the message and check the file's integrity. It also contains information with which the software developers' authenticity can be checked.

The authenticity of the file's manufacturer is confirmed with the help of the Certification Authority (CA). This entity certifies to other users that the public key that decrypts the hash sum and checks the file's integrity does indeed belong to the developer in question. To do so, the CA signs the developer's certificate and thus testifies that the unique pair of public and private keys belongs to that particular developer. A certificate from the CA testifying that the file is authentic is also added to the end of the file alongside the developer's certificate.

CA certificates are verified by no one other than these entities. For Windows to trust the certificates issued by a certain CA, that CA's certificate must be placed into the operating system's storage of certificates. The certificates of the most authoritative CAs have undergone an audit and are automatically included into the storage and are delivered to users along with Windows updates. Certificates issued by other CAs can be added to the storage at the discretion of the user.

The use of trusted certificates by cybercriminals

Now let's look at attacks that can be carried out at each stage of signing a file. We are not interested in theoretical attacks based on the weaknesses of the encryption algorithms used to sign the file, but will concentrate instead on the attack methods most often used by cybercriminals in practice.

Planting malicious code at the file compilation stage

In many large software companies, files are signed automatically immediately after the file compilation is complete. File compilation is done centrally on a dedicated Build server.

If cybercriminals gain access to a software manufacturer's corporate network, they can use the corporate Build server to compile a malicious file on it, so it automatically gets signed with the company's digital signature. As a result of this attack, cybercriminals obtain a malicious file signed with a valid digital certificate.

In practice this type of attack is quite rare because large software manufacturers have adequate security in place to protect their Build servers. Nevertheless, there have been identified cases when targeted attacks were successfully conducted and malicious files were signed with a trusted company's certificate.

Stealing a private key

Sometimes, cybercriminals succeed in penetrating a corporate network and gaining access to a private key used to sign files. With that key, they can sign any malicious file and pass it off as a file produced by a legal software manufacturer.

One way to steal a private key is to use specialized malware created specifically for this purpose.

After stealing a private key, the cybercriminal either uses it or sells it to someone else to use. The more famous the software manufacturer from which the key was stolen, the more valuable the key will be among cybercriminals. Software from well-known manufacturers does not attract any suspicion from users and security administrators on corporate networks.

At the same time, large software manufacturer companies keep their private keys in dedicated, well-protected hardware modules, which makes it much more difficult to steal them.  As a result, private keys are typically stolen from smaller companies or private software manufacturers who do not pay enough attention to security.

Vulnerabilities in the algorithms that check executable file signatures

For an operating system to know which part of the file is supposed to contain the information about the presence of a digital certificate, the header of each signed executable file includes 8 bytes of data that contain information about the location and the size of the digital certificate. These 8 bytes are ignored when checking the file's signature. If a block of data is added to the end of the file's signature, and the size of the signature is increased by an appropriate amount, these changes also will also have no effect on the outcome of the signature check. This makes it possible to gain extra space in a signed file where data can be added without affecting the outcome of a signature check.

This algorithm is used actively in legal web installers: software developers who create these web installers modify the size of the digital signature to make room for an additional block of data, so that the digital certificate block includes a link to a file for that installer to download from the software developer's page and install on the users' system. This is a practical approach for software developers because the installer does not have to be re-signed each time the link to the software distribution kit is changed: it is enough to simply change the link stored in the digital signature block.

Cybercriminals, in turn, can use this algorithm for their own purposes. A cybercriminal takes a web installer for legal software, and changes the link so a different distribution kit to be downloaded. The installer then downloads and installs malware on the user's system. After that, the cybercriminal uploads the modified installer to software distribution sites.

To fix this vulnerability, Microsoft released a security update that enforces a rigorous check of each file's digital certificates. However, this update does not apply automatically because many software developers use the above algorithm in their installers, and their software programs would be considered unsigned if this update was applied across the board. The user can enable this update manually, if required.

The use of legally obtained certificates

A few years ago, digital certificates were actively used by large software manufacturers that were legally registered companies. Today, certificates are used increasingly often by individual software developers and small companies. The graph below shows how the number of certificates with which to sign software code known to Kaspersky Lab changed over time. As can be seen, the number of certificates is steadily growing year on year.

The number of certificates verified by CAs and known to Kaspersky Lab

The procedure of purchasing a certificate to sign executable code is quite simple: individuals must present their passport details, and companies must present their registration details. Some certificate-issuing CAs make no further checks into the activities of the companies seeking to purchase the certificate. All a CA does is it issues a certificate entitling the client to sign executable files, and verifies that the certificate has indeed been issued to the specific person or company.

This enables cybercriminals to legally purchase a certificate to sign their malicious and/or potentially unwanted software.

It is companies manufacturing potentially unwanted software that most often purchase certificates. On the one hand these companies do not manufacture malware programs, so they can legally purchase a digital certificate to sign their software. On the other hand, they produce software annoys users. In fact, they get their software signed with digital certificates precisely to encourage users to trust them.

Untrusted certificates

In all cases described above, be it stealing a private key, compromising a company's infrastructure and signing a file with that company's digital certificate, or purchasing a certificate with the intent of signing malware with it, the end result is the same: a trusted certificate is used to sign a malicious file.

Therefore, these certificates cannot be considered trusted in spite of the fact that their authenticity has been verified by a CA, as they were (or continue to be) used to sign malicious files. We will hereafter describe these certificates as 'untrusted'.

If a private key is stolen from a software developer, or a company's infrastructure is compromised and a trusted certificate is used to sign a malicious file, the CAs cease verifying the trustworthiness of the certificate that was earlier issued by them (a process also known as recalling the certificate). The speed of the CA's reaction depends on how soon it becomes known that the certificate has been used by somebody other than the legitimate developer.

However, when a certificate was purchased to sign potentially unwanted software, the CAs do not always recall the certificate. As a result the certificate could remain valid and be used to sign potentially dangerous software.

The following chart shows the proportions of untrusted certificates used to sign malware and potentially unwanted software (Kaspersky Lab data).

Breakdown of untrusted certificate numbers by their type

Methods of protection against launching software programs signed with untrusted certificates

We have discussed the most popular cybercriminals techniques to get files signed with digital certificates. Recently we have seen an increasingly significant problem concerning malicious and potentially unwanted files being signed with digital certificates. In 2008, 1,500 certificates were later used to sign malware; in 2014, there were more than 6,000 of these cases.

The number of untrusted certificates known to Kaspersky Lab

Given the growing number of threats associated with malicious files signed with digital certificates, users and administrator can no longer risk placing blind faith in signed files and just allow them to be launched simply because they have a digital certificate.

Here are a few practical tips to reduce your chances of launching a new malware program that has a valid digital certificate and hasn't yet reached your anti-virus databases:

  1. Only allow the launch of software programs signed by a reputable manufacturer.
  2. You can substantially reduce the risk of infection on your computer by disabling the launch of all software programs signed with digital certificates belonging to unknown software manufacturers. As described above, certificates are most often stolen from smaller software companies.

  3. Only allow programs to be launched after they are identified by their unique digital signature attributes.
  4. Several certificates issued to the same company may be distributed under the same name. If one of these certificates is stolen from a reputable company, a check that automatically trusts well-known publishers would allow a file signed with a stolen certificate.

    To prevent this from happening, before allowing programs signed with known certificates to launch, it is necessary to check other attributes as well as the certificate name. These attributes might be the serial number or certificate fingertip (hash sum). Serial numbers are only unique within the range of certificates issued by a single CA, so we recommend checking this along with the company that issued the certificate in the first place.

  5. Activate the MS13-098 security update.
  6. For experienced users and system administrators, it is advisable to enable update MS13-098 – it fixes an error which enables the inclusion of additional data in a signed file without tampering with the file's signature. To read more about how to activate this update, follow this link to Microsoft Security Center.

  7. Do not install certificates from unknown CAs into your security storage.
  8. It is not a good idea to install root certificates from unknown CAs into your storage. If you do so, any files signed with a certificate confirmed by that specific CA will subsequently be considered trusted.

  9. Use a trusted certificates database from a security software manufacturer.
  10. Some security software manufacturers, including Kaspersky Lab, include a database of trusted and untrusted certificates in their products; this database is updated on a regular basis along with the anti-virus databases. With this database, you will receive prompt updates about as-yet unrecalled certificates used to sign malware and/or potentially unwanted software. Files signed with untrusted certificates from this database require enhanced monitoring by the security product.

    The database of trusted certificates includes certificates from reputable software publishers that were used to sign trusted software programs. If a certificate is listed in this database, it is a strong indicator that corporate application control can allow the application to launch.

    If this kind of database is included in a security product it will help make the administrator's job easier, sparing them the need to create and maintain an in-house database of trusted certificates.

The number of digital certificates used to sign malware and/or potentially unwanted software is doubling every year on average. That is why it is vital that companies exercise ever greater control over signed files with the help of security product tools, and follow the above security policies.

Comparing the Regin module 50251 and the "Qwerty" keylogger

Tue, 01/27/2015 - 07:00

On January 17 2015, Spiegel.de published an extensive article based on documents obtained from Edward Snowden. At the same time, they provided a copy of a malicious program codenamed "QWERTY" (http://www.spiegel.de/media/media-35668.pdf), supposedly used by several governments in their CNE operations.

We've obtained a copy of the malicious files published by Der Spiegel and when we analyzed them, they immediately reminded us of Regin. Looking at the code closely, we conclude that the "QWERTY" malware is identical in functionality to the Regin 50251 plugin.

Analysis

The Qwerty module pack consists of three binaries and accompanying configuration files. One file from the package– 20123.sys – is particularly interesting.

The "20123.sys" is a kernel mode part of the keylogger. As it turns out, it was built from source code that can also be found one Regin module, the "50251" plugin.

Using a binary diff it is easy to spot a significant part of code that is shared between both files:

Most of the shared code belongs to the function that accesses the system keyboard driver:

Most of the "Qwerty" components call plugins from the same pack (with plugin numbers 20121 – 20123), however  there is also one piece code that references plugins from the Regin platform. One particular part of code is used in both the "Qwerty" 20123 module and the Regin's 50251 counterpart, and it addresses the plugin 50225 that can be found in the virtual filesystems of Regin. The Regin's plugin 50225 is reponsible for kernel-mode hooking.

This is a solid proof that the Qwerty plugin can only operate as part of the Regin platform, leveraging the kernel hooking functions from plugin 50225.

As an additional proof that both modules use the same software platform, we can take a look at functions exported by ordinal 1 of both modules. They contain the startup code that can be found in any other plugin of Regin, and include the actual plugin number that is registered within the platform to allow further addressing of the module. This only makes sense if the modules are used with the Regin platform orchestrator.

The reason why the two modules have different plugin IDs is unknown. This is perhaps because they are leveraged by different actors, each one with its own allocated plugin ID ranges.

Conclusions

Our analysis of the QWERTY malware published by Der Spiegel indicates it is a plugin designed to work part of the Regin platform.  The QWERTY keylogger doesn't function as a stand-alone module, it relies on kernel hooking functions which are provided by the Regin module 50225.  Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its sourcecodes, we conclude the QWERTY malware developers and the Regin developers are the same or working together.

Another important observation is that Regin plugins are stored inside an encrypted and compressed VFS, meaning they don't exist directly on the victim's machine in "native" format. The platform dispatcher loads and executes there plugins at startup. The only way to catch the keylogger is by scanning the system memory or decoding the VFSes.

 

Appendix (MD5 hashes):

QWERTY 20123.sys:

0ed11a73694999bc45d18b4189f41ac2


Regin 50251 plugins:

c0de81512a08bdf2ec18cb93b43bdc2d  e9a43ea2882ac63b7bc036d954c79aa1

The Syrian malware part 2: Who is The Joe?

Tue, 01/27/2015 - 04:00
Introduction

Kaspersky Lab would like to alert users in the Middle East for new malware attacks being delivered through Syrian news and social networking forums. Malware writers are using multiple techniques to deliver their files and entice the victims to run them, creating an effective infection vector. Mainly depending on social engineering, the attackers exploit Victims' trust in social networking forums, curiosity in following news related to the conflict in Syria, their standing in Syria, in addition to their lack of Cyber Security awareness. Once criminals infect the victim's computer, attackers have full access and control over victim's devices.

In the first report on Syrian malware, Kaspersky Lab detailed many attacks being used in Syria to spy on users, the report included attacks from different teams and many sources.

This post will follow up on one of the domains, seemingly the most active in the last period: thejoe.publicvm.com

The malware files were found on activist sites and social networking forums, some others were reported by regional organisations like CyberArabs.

Reports that mention "the Joe"
https://citizenlab.org/2013/06/a-call-to-harm/
https://www.eff.org/files/2013/12/28/quantum_of_surveillance4d.pdf

All the files hide under the hood a full-featured variant of a RAT, Remote Administration Trojan (Bitfrose/NjRAT/Shadowtech/Darkcomet...), capable of getting full control over victim machines and devices, monitoring any movements and accessing all files. The thejoe.publicvm.com domain is related to many samples, here we will focus on the most important and luring, that most probably collected the highest number of targeted victims, estimated in thousands.

There are many factors and entities at play in this event, we will only focus on the malware and the facts that have been found during the analysis, presenting only relevant information, in the hope of setting a clear context for this research.

What is the information we had on theJoe?
What has the Joe been doing in the last period?
Who is the Joe?

What is the information we had on the Joe?

The Joe is one of the most active cyber criminals in Syria and the Middle East, targeting all types of users, following is the information collected on the Joe and his activities.

Domain information "thejoe.publicvm.com"

The Joe is using a dynamic domain to be able to change his IP address and maintain anonymity:
The domain thejoe.publicvm.com has been seen using the following IP addresses located in Syria and Russia:

  • 31.9.48.146
  • 31.9.48.119
  • 31.9.48.146
  • 31.9.48.80
  • 31.9.48.78
  • 31.9.48.119
  • 31.8.48.7

TCP ports used in the attacks: 1234, 1177, 5522.

Malware information

From the malware samples collected, we were able to find strings in the code, from the Windows device used by the Joe.

Folder paths recovered from the malware files:

  • C:\Users\joe\Desktop\2014\WindowsApplication1\WindowsApplication1\obj\Debug\WindowsApplication1.pdb
  • C:\Users\joe\Desktop\Desktop\Syriatel\Syriatel\obj\Debug\Syriatel.pdb
  • C:\Users\joe\Desktop\NJServer\NJServer\obj\Debug\NJServer.pdb
Youtube Channel

The Joe is also using a fake youtube channel where he posts social engineering videos with links to download malware.

http://www.youtube.com/channel/UCCdoQBw-a6dM15ZyhrsqW_w

The Channel is distributing malware files under the name "Lions of the revolution" or other...

What has the Joe been doing in the last period?

The Joe was busy in the last period; In the below we display some of the most graphical and luring samples collected by the Kaspersky Intelligence services and the Kaspersky Security Network (KSN cloud), detailing their functionalities and how The Joe is able to use the situation in Syria to have the users automatically open the files even if they suspect infected. The most targeted countries are Syria, Turkey, Lebanon and Saudi Arabia. The number of victims is estimated around 2000.

6 new stories:

  1. Let us fix your SSL vulnerability
  2. Now Let us clean your Skype!
  3. Did you update to the latest VPN version?
  4. Let's Check if your phone number is among the monitored numbers
  5. The Facebook account encryption application
  6. What's your favourite security product?

1 - Let us fix your SSL vulnerability

MD5 Hash: dc6166005db7487c9a8b32d938fec846
Filename: TheSSL.exe, SSL Cleaner.rar

Following up on the vulnerabilities in the OPENSSL, and the amount of news it reached, the cyber criminals are trying to benefit of the user perception of such news but lack of awareness on how the vulnerabilities could be fixed.

Demonstration video on the Heartbleed vulnerability + Link to download the "Fix" with infection



2 - Now Let us clean your Skype!

MD5 Hash: d6ab8ca6406fefe29e91c0604c812ff9
File Name: Skype.exe

Another social engineering trick used to lure criminals to download and execute a malicious file, the skype cleaner to "protect and encrypt your skype communications".


3 - Did you update to the latest VPN version?

MD5 Hash: 2e07e8622b4e997f6543fc0497452dad
File Name: VPN.exe

Psiphon, a legitimate application used around the world for anonymity protection, is particularly effective and used in Syria for users to protect their traffic from snooping or interception, the application here is bound with malware and delivered to the users as an updated version.


4 - Let's Check if your phone number is among the monitored numbers

MD5 Hash: ad9a18e1db0b43cb38da786eb3bf7c00
File Name: Syriatel.exe

Another one of the popular malware files, is used to fake a tool that is used to check the mobile phone numbers under surveillance and sorted by location, delivered as a "leaked program" to the victims.



5 - The Facebook account encryption application

MD5 Hash: efdaa73e0ac1b045d5f2214cadd77f09
File Name: Rooms.exe


6 - What's your favourite security product?

One of the latest files used to infect users is quite different: a binding of a Kaspersky Lab tool with malware. Developed by Kaspersky Lab, TDSSKiller is a powerful free tool that can detect and remove a specific list of rootkit malware families.

Bound with malware, the Joe is using the Kaspersky name to deliver the malware in an attempt to lure victims to open and trust the files he is sending.

 Who is "The Joe"

Hundreds of samples were analyzed relating to the Syrian malware, one of the samples, extracts to multiple documents, in one of which, we were able to find a metadata slip which extracted to some interesting information.

The metadata slip by the guy using "Joe" as his nickname, revealed his personal email, which using further research leads to his other emails, full identity, social pages...

On Facebook:

On Linkedin:

Indicators of compromise MD5 Hash Name(s) used for the malware file First Seen f62cfd2484ff8c5b1a4751366e914613 Adobe.exe
Reader.exe
Card.exe Sept 2013 012f25d09fd53aeeddc11c23902770a7
89e6ae33b170ee712b47449bbbd84784 قائمة الأرهاب .zip ("list of terrorism") file extracts to .JPG and malicious .SCR files Jan 2014 dc6166005db7487c9a8b32d938fec846
62023eb959a79bbdecd5aa167b51541f TheSSL.exe (to "remove SSL weaknesses")
SSL Cleaner.rar April 2014 cc694b1f8f0cd901f65856e419233044 Desktop.exe
Empty.exe
Host.exe Mar 2014 d6ab8ca6406fefe29e91c0604c812ff9 Skype.exe
Skypecleaner.exe July 2014 2e07e8622b4e997f6543fc0497452dad VPN.exe Sept 2014 efdaa73e0ac1b045d5f2214cadd77f09 Rooms.exe (to "encrypt your Facebook") Nov 2014 39d0d7e6880652e58b2d4d6e50ca084c Photo.exe Nov 2014 abf3cfecd2e194961fc97dac34f57b24 Ram.exe
Setup.exe Nov 2014 a238f8ab946516b6153816c5fb4307be tdskiler.exe (to "remove malware") Jan 2015 6379afd35285e16df4cb81803fde382c Locker.exe (to "encrypt/decrypt" files) Jan 2015

Kaspersky Lab detects all malicious files used in the attacks.
All files are actively being used by the cybercriminals at the time of this report.

Conclusion

Syrian malware has a strong reliance on social engineering and the active development of malicious variants. Nevertheless, most of them quickly reveal their true nature when inspected carefully; and this is one of the main reasons for urging Syrian users to be extra vigilant about what they download and to implement a layered defense approach. We expect these attacks to evolve both in quality and quantity.

For more details, please contact: intelligence@kaspersky.com

An analysis of Regin's Hopscotch and Legspin

Thu, 01/22/2015 - 05:00

With high profile threats like Regin, mistakes are incredibly rare. However, when it comes to humans writing code, some mistakes are inevitable. Among the most interesting things we observed in the Regin malware operation were the forgotten codenames for some of its modules.

These are:

  • Hopscotch
  • Legspin
  • Willischeck
  • U_STARBUCKS

We decided to analyze two of these modules in more detail - Hopscotch and Legspin.

Despite the overall sophistication (and sometimes even over-engineering) of the Regin platform, these tools are simple, straightforward and provide interactive console interfaces for Regin operators. What makes them interesting is the fact they were developed many years ago and could even have been created before the Regin platform itself.

The Hopscotch module MD5 6c34031d7a5fc2b091b623981a8ae61c Size 36864 bytes Type Win32 EXE Compiled 2006.03.22 19:09:29 (GMT)

This module has another binary inside, stored as resource 103:

MD5 42eaf2ab25c9ead201f25ecbdc96fb60 Size 18432 bytes Type Win32 EXE Compiled 2006.03.22 19:09:29 (GMT)

This executable module was designed as a standalone interactive tool for lateral movement. It does not contain any exploits but instead relies on previously acquired credentials to authenticate itself at the remote machine using standard APIs.

The module receives the name of the target machine and an optional remote file name from the standard input (operator). The attackers can choose from several options at the time of execution and the tool provides human-readable responses and suggestions for possible input.

Here's an example of "Hopscotch" running inside a virtual machine:

Authentication Mechanism (SU or NETUSE) [S]/N: Continue? [n]: A File of the same name was already present on Remote Machine - Not deleting...

The module can use two routines to authenticate itself at the target machine: either connecting to the standard share named "IPC$" (method called "NET USE") or logging on as a local user ("SU", or "switch user") who has enough rights to proceed with further actions.

It then extracts a payload executable from its resources and writes it to a location on the target machine. The default location for the payload is: \\%target%\ADMIN$\SYSTEM32\SVCSTAT.EXE. Once successful, it connects to the remote machine's service manager and creates a new service called "Service Control Manager" to launch the payload. The service is immediately started and then stopped and deleted after one second of execution.

The module establishes a two-way encrypted communication channel with the remote payload SVCSTAT.EXE using two named pipes. One pipe is used to forward input from the operator to the payload and the other writes data from the payload to the standard output. Data is encrypted using the RC4 algorithm and the initial key exchange is protected using asymmetric encryption.

\\%target%\pipe\{66fbe87a-4372-1f51-101d-1aaf0043127a}
\\%target%\pipe\{44fdg23a-1522-6f9e-d05d-1aaf0176138a}

Once completed, the tool deletes the remote file and closes the authenticated sessions, effectively removing all the traces of the operation.

The SVCSTAT.EXE payload module launches its copy in the process dllhost.exe and then prepares the corresponding named pipes on the target machine and waits for incoming data. Once the original module connects to the pipe, it sets up the encryption of the pipe communication and waits for the incoming shellcode.

The executable is injected in a new process of dllhost.exe or svchost.exe and executed, with its input and output handles redirected to the remote plugin that initiated the attack. This allows the operator to control the injected module and interact with it.

The Legspin module MD5 29105f46e4d33f66fee346cfd099d1cc Size 67584 bytes Type Win32 EXE Compiled 2003.03.17 08:33:50 (GMT)

This module was also developed as a standalone command line utility for computer administration. When run remotely it becomes a powerful backdoor. It is worth noting that the program has full console support and features colored output when run locally. It can even distinguish between consoles that support Windows Console API and TTY-compatible terminals that accept escape codes for coloring.

"Legspin" output in a standard console window with color highlighting

In addition to the compilation timestamp found in the PE headers, there are two references that point to 2003 as its true year of compilation. The program prints out two version labels:

  • 2002-09-A, referenced as "lib version"
  • 2003-03-A

In addition the program uses legacy API functions, like "NetBIOS" that was introduced in Windows 2000 and deprecated in Windows Vista.

Once started and initialized, it provides the operator with an interactive command prompt, waiting for incoming commands. The list of available commands is pretty large and allows the operators to perform many administrative actions. Some of the commands require additional information that is requested from the operator, and the commands provide a text description of the available parameters. The program is actually an administrative shell that is intended to be operated manually by the attacker/user.

Command Description cd Change current working directory dir
ls
dirl
dirs List files and directories tar Find files matching a given mask and time range, and write their contents to a XOR-encrypted archive tree Print out a directory tree using pseudographics
trash Read and print out the contents of the Windows "Recycle Bin" directory get Retrieve an arbitrary file from the target machine, LZO compressed put Upload an arbitrary file to the target machine, LZO compressed del Delete a file ren
mv
copy
cp Copy or move a file to a new location gtm Get file creation, access, write timestamps and remember the values stm Set file creation, access, write timestamps to the previously retrieved values mtm Modify the previously retrieved file timestamps scan
strings Find and print out all readable strings from a given file more Print out the contents of an arbitrary file access Retrieve and print out DACL entries of files or directories audit Retrieve and print out SACL entries of files or directories finfo Retrieve and print out version information from a given file cs Dump the first 10,000 bytes from an arbitrary file or from several system files:

advapi32.dll
kernel32.dll
msvcrt.dll
ntdll.dll
ntoskrnl.exe
win32k.sys
cmd.exe
ping.exe
ipconfig.exe
tracert.exe
netstat.exe
net.exe
user32.dll
gdi32.dll
shell32.dll

lnk Search for LNK files, parse and print their contents info Print out general system information:
  • CPU type
  • memory status
  • computer name
  • Windows and Internet Explorer version numbers
  • Windows installation path
  • Codepage
dl Print information about the disks:
  • Type
  • Free/used space
  • List of partitions, their filesystem types
ps List all running processes logdump Unfinished, only displays the parameter description reglist Dump registry information for a local or remote hive windows Enumerate all available desktops and all open windows view List all visible servers in a domain domains List the domain controllers in the network shares List all visible network shares regs Print additional system information from the registry:
  • IE version
  • Outlook Express version
  • Logon default user name
  • System installation date
  • BIOS date
  • CPU frequency
  • System root directory
ips List network adapter information:
  • DHCP/static IP address
  • Default gateway's address
times Obtain the current time from a local or remote machine who List the names of current users and the domains accessed by the machine net
nbtstat
tracert
ipconfig
netstat
ping Run the corresponding system utility and print the results tel Connect to a given TCP port of a host, send a string provided by the operator, print out the response dns
arps Resolve a host using DNS or ARP requests users List information about all user accounts admins List information about user accounts with administrative privileges groups List information about user groups trusts List information about interdomain trust user accounts packages Print the names of installed software packages sharepw Run a brute-force login attack trying to obtain the password of a remote share sharelist Connect to a remote share srvinfo Retrieve current configuration information for the specified server netuse Connect, disconnect or list network shares netshare Create or remove network shares on the current machine nbstat List NetBIOS LAN adapter information run Create a process and redirect its output to the operator system Run an arbitrary command using WinExec API exit Exit the program set Set various internal variables used in other shell commands su Log on as a different user kill Terminate a process by its PID kpinst Modify the registry value:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] System
This value should normally point to "lsass.exe". svc
drv Create, modify or remove a system service help
? Print the list of supported commands

The Legspin module we recovered doesn't have a built-in C&C mechanism. Instead, it relies on the Regin platform to redirect the console input/output to/from the operators.

Conclusions

Unlike most other Regin modules, Legspin and Hopscotch appear to be stand-alone tools developed much earlier. The Legspin backdoor in particular dates back to 2003 and perhaps even 2002. It's worth pointing that not all Regin deployments contain the Legspin module; in most cases, the attackers manage their victims through other Regin platform functions.

This means that Legspin could have been used independently from the Regin platform, as a simple backdoor together with an input/output wrapper.

Although more details about Regin are becoming available, there is still a lot that remains unknown. One thing is already clear – what we know about Regin is probably already retired information that has been replaced by new modules and techniques as time passes.

Windows 10 Preview and Security

Wed, 01/21/2015 - 15:25

Microsoft presented a preview of their newest "experience", Windows 10, over a live stream this morning. The release is expected later this year. This isn't envisioned as just an OS for desktops, but it brings support as a truly broad computing platform. They claim to have built Windows 10 with "more personal computing" in mind, and it's an ambitious push into seamlessly bringing together desktop computing, holographic computing (awesome!!!), mobile devices, gaming and IoT, a move to the "Store", productivity applications, big data services and sharing, new hardware partner technologies, and cloud computing for a "mobility of experience". They skimmed over "Trust" only in light of data privacy issues. From what I have seen, pushing aside security is a somewhat disappointing theme for all of the vendors at their previews, not just Microsoft. There is, however, a very long list of enhanced security features developed into this new codebase along with a massive amount of new attack surface introduced with this new platform.

Microsoft is attempting to better tighten down the new version of Windows the operating system by disallowing untrusted applications from installing and verifying their trustworthiness with their digital signature. This trusted signing model is an improvement, however, this active handling is not perfect. APT like Winnti's attacks on major development shops and their multiple, other significant ongoing attack projects demonstrate that digital certificates are readily stolen and re-used in attacks. Not just their core group's winnti attacks, but the certificates are distributed throughout multiple APT actors, sharing these highly valued assets, breaking the trust model itself to further their espionage efforts.

With seamless integration of all these data sharing services across computing resources, authentication and their underlying credentials and tokens cannot be leaked across services, applications, and devices. Pass-the-hash attack techniques frequently used by targeted attackers haunted corporate organizations using Windows for almost a decade. These types of credential theft techniques will have to be better protected against. And Flame introduced a whole new level of credential attack, so we may see Hyper-V and the newest container model for Windows 10 attacked to gain access to and abuse these tokens for lateral movement and data access. Defensive efforts haven't been terribly successful in their responsiveness in the past, and Active Directory continues to see new attacks on organization-wide authentication with "skeleton keys". So, their implementation of credential provisioning and access token handling will deserve security researchers' attention - Hyper-V technologies and components' attack surface will come under a new focus for years to come. And the DLP implementation for sharing corporate data securely is encouraging as well, but how strong can it be across energy constrained mobile hardware?

Considering that 2014 brought with it over 200 patch-worthy vulnerabilities for the various versions of Internet Explorer, a minimalist refresh of this code with the "Project Spartan" browser would be welcome. Simply put, the IE web browser was hammered in 2014 across all Windows platforms, including their latest. Our AEP and other technologies have been protecting against exploitation of these vulnerabilities in high volume this past year. Not only has its model implementing ActiveX components and its design been under heavy review, but the slew of newer code and functionality enabling "use-after-free" vulnerabilities led to critical remote code execution. The new Spartan browser brings with it large amounts of new code for communications and data sharing, which brings with it Microsoft's track record of introducing hundreds of patch-worthy vulnerabilities annually into their browser code. Hopefully their team won't bring that baggage with them, but the load seems pretty heavy with the new functionality. I didn't see any new security features, development practices, or sandboxes described for it and will wait to see what is in store here.

An unusually large amount of time was set aside to present their "intelligent assistant" Cortana, which started with a somewhat disconnected and bizarre conversation between the presenter and the actual Cortana assistant instance onstage. The devil is in the details when implementing security support for access to data across fairly unpredictable services like this one.

Of course, our products will be ready to go. Kaspersky Lab consumer products will support Windows 10 after its official launch. There will be no need for customers to reinstall Kaspersky Lab solutions for migration onto the new platform. All these products will be patched accordingly and will provide the same exceptional level of protection on the new Windows OS.

Microsoft Security Updates January 2015

Wed, 01/14/2015 - 20:34

Microsoft's security team begins 2015 with a minimal set of Security Bulletins, MS15-001 through MS15-008. The set included one critical vulnerability in a service that probably shouldn't be shipped any longer (telnet), and seven bulletins rated "Important" patches for elevation of privilege, DoS, and security bypass issues.

The critical Bulletin effects the telnet service. The telnet service is an ancient piece of software that provides shell access to a system, mostly available on router installations. Only it's over unencrypted, plain text communications, and should not be used. It was also a bit of a bear to configure and make useful, but may have been useful in development and IT environments. Luckily, this service is not enabled by default on supported windows systems (but it is installed by default on Windows Server 2003). A quick search in shodan shows a pretty reduced set of users, and its presence in our Ksn data is very limited. And, on the public internet, the number of Windows telnet servers listening on port 23 and providing a related banner is only a couple hundred. So, this patch effects very few customers.

But, if someone didn't install an alternative like OpenSSH, uses the PowerShell facility, WinSCP, RDP, or other facilities, and oddly installed this service, they may be running a server vulnerable to remote malformed packet delivery leading to remote code execution. Meaning it's a severe issue that really "shouldn't" effect many users. And it appears to not be exploited on our user base. When installed and enabled, Microsoft's telnet server runs as "Tlntsess.exe" on all Windows systems since Windows Server 2003. And on a somewhat related note, Ksn shows infected Tlntsess.exe files on new customer systems running a first scan or enabling a scan after running infected code:
Virus.Win32.Virut.ce
Worm.Win32.Mabezat.b
Virus.Win32.Sality.gen
Virus.Win32.Parite.b
Virus.Win32.Nimnul.a
Virus.Win32.Tenga.a
Virus.Win32.Expiro.w
Virus.Win32.Slugin.a

It's always surprising to still see the viral stuff, but it's certainly more prevalent than telnet service exploitation at this point.

The other Security Bulletins are rated "Important", and the escalation of privilege issues are somewhat interesting and the kind of thing businesses should be aware of - they are frequently used as a part of target attack activity.

One of these EoP vulnerabilities was reported privately and exposed publicly by Google's Project Zero two days prior to the scheduled and known patch release. The project maintains a database of exploitable vulnerabilities, each of which has a deadline of 90 days from reporting before the bug goes public: "Deadline exceeded - automatically derestricting". This EoP was fixed and the fix released by Microsoft as MS015-003 on its scheduled "patch tuesday" release, two days after Google exposed their bug issue publicly. It's strange that Google would do such a thing, it's not as if Microsoft doesn't commit to reasonable time frames for fixes and proper testing anymore. Microsoft responded with a lengthy writeup on responsible disclosure and cooperation within the industry, and mentioned Google's approach in particular.

The flawed code has yet to be seen as abused in the wild, but it will likely happen. You can find a set of executive summaries for the Bulletins here.

And one last note, the Advanced Notification Service is coming to an end. Microsoft ended their practice of broadcasting advance notice of security updates to all customers, and offers it only to paying Premiere-level customers. For the most part, it seems that this works out just fine and possibly frustrates people less with security maintenance. However, I think that it would be useful for Microsoft to pre-release forecasted download file sizes and reboot requirements for the updates, along with their ratings of critical or not, etc. For example, knowing that I will have to download over 200mb of critical software updates requiring system reboots would be helpful. That information would be useful to their customers both large and small. Time will tell if they bring it back, but likely, they will not need to.

Bitcoin value plunges following $5M Bitstamp Heist

Thu, 01/08/2015 - 11:02

The new year has started rather badly for the Bitcoin world. On January 4th, a cyber-attack against Bitstamp, one of the biggest bitcoin exchanges in the world, resulted in the loss of almost 19,000 BTC - the equivalent of more than $5 million.

While very little is known at the moment about how the attackers managed to pull off this latest bitcoin heist, Bitstamp is assuring their customers that all of their bitcoins remain safe. The company states that "this breach represents a small fraction of Bitstamp's total bitcoin reserves", so hopefully covering the losses shouldn't be a problem for them.

Because of the irreversible nature of bitcoin transactions, the only thing Bitcoin enthusiasts can do right now is to sit and watch how the attackers are emptying the address used to collect the stolen bitcoins.

You can follow the thieves' transactions by yourself here: https://blockchain.info/address/1L2JsXHPMYuAa9ugvHGLwkdstCPUDemNCf

Right now, the attackers are most likely trying to move those bitcoins around through as many addresses as possible, and then will proceed to launder the stolen coins by using so-called "mixing" services

Bitstamp seems to have been much better prepared for such an incident compared to Mt. Gox, so while the price of Bitcoin was of course impacted, the impact was not that big. Part of the reason is that bitcoins are currently trading at prices that haven't been seen since the autumn of 2013 anyway, between $250 and $300 for 1 BTC.


Bitcoin price in 2014 - source: ZeroBlock

Taking into account these cyber attacks, we conclude that in 2015 security will continue to remain the most important thing for Bitcoin exchanges and enthusiasts.

Our advice is to diversify and try and minimize the time in which your bitcoins are hosted by anyone else except yourself. Bitcoin exchanges and third party wallet providers seem to act as a magnet for attackers, so it's better to take the security of your bitcoins in your own hands.

Make sure to check out our tips on How to Keep Your Bitcoins Safe.

The second round of CODE BLUE in Japan

Wed, 01/07/2015 - 01:33

CODE BLUE@TOKYO, a cutting-edge IT security conference, was held from 18th -19th December. It was the second round, following its first occurrence in February 2014.

More than 400 people came together from all around the world, including one remotely participating in the conference via a drone. Heated discussions took place among researchers and engineers during intervals, lunchtime and coffee breaks - some were too enthusiastic they almost missed the next presentation (I admit I was one of them).

The concept of the meeting is "an international conference where the world's top class information security specialists gather to give cutting edge talks, and is a place for all participants to exchange information and interact beyond borders and languages." As this states, all the presentations were of high-quality technical research selected from topics submitted from researchers around the world. The security topics include: embedded technologies, penetration testing, vulnerabilities, malware, programming and more. It would be perfect if I could cover all the presentations, but to save my time and yours, I would like to pick up five of them.

  1. A security assessment study and trial of Tricore-powered automotive ECU

Dennis Kengo Oka (ETAS) and Takahiro Matsuki (FFRI) analyzed the behavior of ECU software running on TriCore, to attempt to verify the possibilities of attacks against it. Although they were not able to obtain the actual software itself for their testing, they created a test program on their own to show that the control system of TriCore was at risk of attack. There was a return address in a certain part of memory, and it was possible to transfer processing of the program to an arbitrary address if this was successfully overwritten. They proved the vulnerability by means of four demos, using an evaluation board. They said that they would need to obtain the ECU software actually used by TriCore in order to investigate whether or not the vulnerability could be a real threat.

  1. Physical [In]Security: It's not ALL about Cyber

Inbar Raz (Check Point) presented risks in cinema-ticketing machines, PoS machines and TVs in hospitals. Such devices have USB/LAN ports; and inserting USB keyboards or flash drives with LiveOS into those ports and booting them makes it possible to extract data stored on these devices. Since these devices often store credit card information or private keys for communications, this may pose risks. Through the presentation, Raz pointed out that special devices commonly used in public often lack protection against inappropriate access and could give away confidential data to malicious third parties.

 

  1. The story of IDA Pro

The keynote for Day 2, by Ilfak Guilfanov, was about the history of IDA from ver. 0.1 to IDA Pro. He outlined how IDA was created; which functionalities had been implemented; what issues have been resolved; and the existence of a pirated version of IDA Pro. Besides the future landscape of IDA Pro, the identity of the icon-lady was also revealed.

IDA Pro is widely used among engineers and malware researchers in their analysis of programs; I am not an exception.

 

  1. Drone attack by malware and network hacking

Dongcheol Hong (SEWORKS) pointed out the inadequate security settings of a drone system and showed that it was easy to hijack a drone. In his video he demonstrated experiments of malware infection via a smartphone app and an attack from an infected drone to a clean drone. At the end of the presentation, he warned that drones could possibly pose threats to other systems, since it may be possible to conduct a remote attack through PC, AP, or smart devices.

 

  1. Embedded Security in The Land of the Rising Sun

Ben Schmidt (Narf Industries) and Paul Makowski (Narf Industries) focused on routers commonly used in Japan, outlined which part of their code was vulnerable and demonstrated an attack on a router. According to them, there are a lot of home routers worldwide, which allow access to HTTP and UPnP ports from a WAN – Japan was number four on their worldwide list. They further pointed out that at the time of their presentation there were ~200,000 vulnerable routers which allowed HTTP and UPnP access from a WAN in Japan. Schmidt and Makowski sent me some additional comments after their presentation. They said: "Japanese embedded devices are attractive targets because Japanese Internet links are high bandwidth and low latency." They also emphasized the importance of quick patching of embedded devices.

David Jacoby from Kaspersky Lab GReAT was also a speaker at CODE BLUE. His presentation, entitled "How I Hacked My Home" ,was about the results of him hacking his own devices at home. His blog post is available in Securelist.

Kaspersky Lab Japan was Emerald Sponsor of CODE BLUE, as it had been for the first round.

 

Chthonic: a new modification of ZeuS

Thu, 12/18/2014 - 07:00

In the fall of 2014, we discovered a new banking Trojan, which caught our attention for two reasons:

  • First, it is interesting from the technical viewpoint, because it uses a new technique for loading modules.
  • Second, an analysis of its configuration files has shown that the malware targets a large number of online-banking systems: over 150 different banks and 20 payment systems in 15 countries. Banks in the UK, Spain, the US, Russia, Japan and Italy make up the majority of its potential targets.

Kaspersky Lab products detect the new banking malware as Trojan-Banker.Win32.Chthonic.

The Trojan is apparently an evolution of ZeusVM, although it has undergone a number of significant changes. Chthonic uses the same encryptor as Andromeda bots, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.

Infection

We have seen several techniques used to infect victim machines with Trojan-Banker.Win32.Chthonic:

  • sending emails containing exploits;
  • downloading the malware to victim machines using the Andromeda bot (Backdoor.Win32.Androm in Kaspersky Lab classification).

When sending messages containing an exploit, cybercriminals attached a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products. The file has a .DOC extension to make it look less suspicious.

Sample message with CVE-2014-1761 exploit

In the event of successful vulnerability exploitation, a downloader for the Trojan was downloaded to the victim computer. In the example above, the file is downloaded from a compromised site – hxxp://valtex-guma.com.ua/docs/tasklost.exe.

The Andromeda bot downloaded the downloader from hxxp://globalblinds.org/BATH/lider.exe.

Downloading the Trojan

Once downloaded, the downloader injects its code into the msiexec.exe process. It seems that the downloader is based on the Andromeda bot's source code, although the two use different communication protocols.

Example of common functionality of Andromeda and Chthonic downloaders

Differences in communication protocols used by Andromeda and Chthonic C&C

The Chthonic downloader contains an encrypted configuration file (similar encryption using a virtual machine was used in KINS and ZeusVM). The main data contained in the configuration file includes: a list of С&С servers, a 16-byte key for RC4 encryption, UserAgent, botnet id.

The main procedure of calling virtual machine functions

After decrypting the configuration file, its individual parts are saved in a heap - in the following format:

This is done without passing pointers. The bot finds the necessary values by examining each heap element using the RtlWalkHeap function and matching its initial 4 bytes to the relevant MAGIC VALUE.

The downloader puts together a system data package typical of ZeuS Trojans (local_ip, bot_id, botnet_id, os_info, lang_info, bot_uptime and some others) and encrypts it first using XorWithNextByte and then using RC4. Next, the package is sent to one of the C&C addresses specified in the configuration file.

In response, the malware receives an extended loader – a module in a format typical of ZeuS, i.e., not a standard PE file but a set of sections that are mapped to memory by the loader itself: executable code, relocation table, point of entry, exported functions, import table.

Code with section IDs matching the module structures

It should be noted that the imports section includes only API function hashes. The import table is set up using the Stolen Bytes method, using a disassembler included in the loader for this purpose. Earlier, we saw a similar import setup in Andromeda.

Fragment of the import setup function in Andromeda and Chthonic

Header of a structure with module

The extended loader also contains a configuration file encrypted using the virtual machine. It loads the Trojan's main module, which in turn downloads all the other modules. However, the extended loader itself uses AES for encryption, and some sections are packed using UCL. The main module loads additional modules and sets up import tables in very much the same way as the original Chthonic downloader, i.e. this ZeuS variant has absorbed part of the Andromeda functionality.

The entire sequence in which the malware loads, including the modules that are described below, is as follows:

Modules

Trojan-Banker.Win32.Chthonic has a modular structure. To date, we have discovered the following modules:

Name Description Has a 64bit version main Main module (v4.6.15.0 - v4.7.0.0) Yes info Collects system information Yes pony Module that steals saved passwords No klog Keylogger Yes http Web injection and formgrabber module Yes vnc Remote access Yes socks Proxy server Yes cam_recorder Recording video from the web camera Yes

The impressive set of functions enables the malware to steal online banking credentials using a variety of techniques. In addition, VNC and cam recorder modules enable attackers to connect to the infected computer remotely and use it to carry out transactions, as well as recording video and sound if the computer has a webcam and microphone.

Injections

Web injections are Chthonic's main weapon: they enable the Trojan to insert its own code and images into the code of pages loaded by the browser. This enables the attackers to obtain the victim's phone number, one-time passwords and PINs, in addition to the login and password entered by the victim.

For example, for one of the Japanese banks the Trojan hides the bank's warnings and injects a script that enables the attackers to carry out various transactions using the victim's account:

Online banking page screenshots before and after the injection

Interesting functions in injected script

The script can also display various fake windows in order to obtain the information needed by the attackers. Below is an example of a window which displays a warning of non-existent identification problems and prompts the user to enter TAN:

Fake TAN entry window

Our analysis of attacks against customers of Russian banks has uncovered an unusual web injection scenario. When opening an online banking web page in the browser, the entire contents of the page is spoofed, not just parts of it as in an ordinary attack. From the technical viewpoint, the Trojan creates an iframe with a phishing copy of the website that has the same size as the original window.

Below is a fragment of injected code, which replaces everything between title and body closing tags with the following text:

And here is the script itself:

Additionally, the bot receives a command to establish a backconnect connection if the injection is successful:

Coverage

There are several botnets with different configuration files. Overall, the botnets we are aware of target online banking systems of over 150 different banks and 20 payment systems in 15 countries. The cybercriminals seem most interested in banks in the UK, Spain, the US, Russia, Japan and Italy.

Chtonic target distribution by country

It is worth noting that, in spite of the large number of targets on the list, many code fragments used by the Trojan to perform web injections can no longer be used, because banks have changed the structure of their pages and, in some cases, the domains as well. It should also be noted that we saw some of these fragments in other bots' config files (e.g., Zeus V2) a few years back.

Conclusion

We can see that the ZeuS Trojan is still actively evolving and its new implementations take advantage of cutting-edge techniques developed by malware writers. This is significantly helped by the ZeuS source code having been leaked. As a result, it has become a kind of framework for malware writers, which can be used by anyone and can easily be adapted to cybercriminals' new needs. The new Trojan – Chthonic – is the next stage in the evolution of ZeuS: it uses Zeus AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the Andromeda downloader.

What all of this means is that we will undoubtedly see new variants of ZeuS in the future.

A few md5:

12b6717d2b16e24c5bd3c5f55e59528c
148563b1ca625bbdbb60673db2edb74a
6db7ecc5c90c90b6077d5aef59435e02
5a1b8c82479d003aa37dd7b1dd877493
2ab73f2d1966cd5820512fbe86986618
329d62ee33bec5c17c2eb5e701b28639
615e46c2ff5f81a11e73794efee96b38
77b42fb633369de146785c83270bb289
78575db9f70374f4bf2f5a401f70d8ac
97d010a31ba0ddc0febbd87190dc6078
b670dceef9bc29b49f7415c31ffb776a
bafcf2476bea39b338abfb524c451836
c15d1caccab5462e090555bcbec58bde
ceb9d5c20280579f316141569d2335ca
d0c017fef12095c45fe01b7773a48d13
d438a17c15ce6cec4b60d25dbc5421cd

Kaspersky Security Bulletin 2014. A look into the APT crystal ball

Thu, 12/11/2014 - 08:00

 PDF version
 EPUB version
 Download Full Report PDF
 Download Full Report EPUB

  1. Predictions 2015
  2. Overall statistics for 2014
  3. Malware Evolution
  4. A Look into the APT Crystal Ball

Over the past years, Kaspersky's Global Research and Analysis Team (GReAT) has shed light on some of the biggest APT campaigns, including RedOctober, Flame, NetTraveler, Miniduke, Epic Turla, Careto/Mask and others. While studying these campaigns we have also identified a number of 0-day exploits, including the most recent CVE-2014-0546. We were also among the first to report on emerging trends in the APT world, such as cyber mercenaries who can be contracted to launch lightning attacks or more recently, attacks through unusual vectors such as hotel Wi-Fi. Over the past years, Kaspersky Lab's GReAT team has monitoring more than 60 threat actors responsible for cyber-attacks worldwide, organizations which appear to be fluent in many languages such as Russian, Chinese, German, Spanish, Arabic, Persian and others.

By closely observing these threat actors, we put together a list of what appear to be the emerging threats in the APT world. We think these will play an important role in 2015 and deserve special attention, both from an intelligence point of view but also with technologies designed to stop them.

The merger of cyber-crime and APT

For many years, cyber-criminal gangs focused exclusively on stealing money from end users. An explosion of credit card theft, hijacking of electronic payment accounts or online banking connections led to consumer losses in the worth hundreds of millions of dollars. Maybe this market is no longer so lucrative, or maybe the cybercriminal market is simply overcrowded, but it now seems like there is a struggle being waged for 'survival'. And, as usual, that struggle is leading to evolution.

What to expect: In one incident we recently investigated attackers compromised an accountant's computer and used it to initiate a large transfer with their bank. Although it might seem that this is nothing very unusual, we see a more interesting trend: Targeted attacks directly against banks, not their users.

In a number of incidents investigated by Kaspersky Lab experts from the Global Research and Analysis Team, several banks were breached using methods straight out of the APT playbook. Once the attackers got into the banks' networks, they collected enough information to enable them to steal money directly from the bank in several ways:

  • Remotely commanding ATMs to dispense cash.
  • Performing SWIFT transfers from various customer accounts,
  • Manipulating online banking systems to perform transfers in the background.

These attacks are an indication of a new trend that is embracing APT style attacks in the cybercriminal world. As usual, cybercriminals prefer to keep it simple: they now attack the banks directly because that's where they money is.  We believe this is a noteworthy trend that will become more prominent in 2015.

Fragmentation of bigger APT groups

2014 saw various sources expose APT groups to the public eye. Perhaps the best-known case is the FBI indictment of five hackers on various computer crimes:

This public "naming and shaming" means we expect some of the bigger and "noisier" APT groups to shatter and break into smaller units, operating independently.

What to expect: This will result in a more widespread attack base, meaning more companies will be hit, as smaller groups diversify their attacks. At the same time, it means that bigger companies that were previously compromised by two or three major APT groups (eg. Comments Crew and Wekby) will see more varied attacks from a wider range of sources.

Evolving malware techniques

As computers become more sophisticated and powerful, operating systems also become more complex. Both Apple and Microsoft have spent a lot of time improving the security posture of their respective operating systems. Additionally, special tools such as Microsoft's EMET are now available to help thwart targeted attacks against software vulnerabilities.

With Windows x64 and Apple Yosemite becoming more popular, we expect APT groups to update their toolsets with more powerful backdoors and technologies to evade security solutions.

What to expect: Today, we are already seeing APT groups constantly deploying malware for 64-bit systems, including 64-bit rookits. In 2015, we expect to see more sophisticated malware implants, enhanced evasion techniques and more use of virtual file systems (such as those from Turla and Regin) to conceal precious tools and stolen data.

While we see these increases in advanced techniques, some attackers are moving in the opposite direction. While minimizing the number of exploits and amount of compiled code they introduce to compromised networks altogether, their work continues to require sophisticated code or exploit introduction at a stable entry into the enterprise, script tools and escalation of privilege of all sorts, and stolen access credentials at victim organizations.

As we saw with BlackEnergy 2 (BE2), attackers will actively defend their own presence and identity within victim networks once discovered. Their persistence techniques are becoming more advanced and expansive. These same groups will step up the amount and aggression of destructive last effort components used to cover their tracks, and they include more *nix support, networking equipment, and embedded OS support. We have already seen some expansion from BE2, Yeti, and Winnti actors.

New methods of data exfiltration

The days when attackers would simply activate a backdoor in a corporate network and start siphoning terabytes of information to FTP servers around the world are long gone. Today, more sophisticated groups use SSL on a regular basis alongside custom communication protocols.

Some of the more advanced groups rely on backdooring networking devices and intercepting traffic directly for commands. Other techniques we have seen include exfiltration of data to cloud services, for instance via the WebDAV protocol (facilitates collaboration between users in editing and managing documents and files stored on web servers).

These in turn have resulted in many corporations banning public cloud services such as Dropbox from their networks. However, this remains an effective method of bypassing intrusion detection systems and DNS blacklists.

What to expect: In 2015, more groups to adopt use of cloud services  in order to make exfiltration stealthier and harder to notice.

New APTs from unusual places as more countries join the cyber arms race

In February 2014, we published research into Careto/Mask, an extremely sophisticated threat actor that appears to be fluent in Spanish, a language rarely seen in targeted attacks. In August, we also released a report on Machete, another threat actor using the Spanish language.

Before that, we were accustomed to observing APT actors and operators that are fluent in relatively few languages. Additionally, many professionals do not use their native language, preferring instead to write in perfect English.

In 2014, we observed a lot of nations around the world publicly expressing an interest in developing APT capabilities:

What to expect: Although we haven't yet seen APT attacks in Swedish, we do predict that more nations will join the "cyber-arms" race and develop cyber-espionage capabilities.

Use of false flags in attacks

Attackers make mistakes. In the vast majority of the cases we analyze, we observe artifacts that provide clues about the language spoken by the attackers. For instance, in the case of RedOctober and Epic Turla, we concluded that the attackers were probably fluent in the Russian language. In the case of NetTraveler we came to the conclusion that attackers were fluent in Chinese.

In some cases, experts observe other meta features that could point toward the attackers. For example, performing file timestamp analysis of the files used in an attack may lead to the conclusion in what part of the world most of the samples were compiled.

However attackers are beginning to react to this situation. In 2014 we observed several "false flag" operations where attackers delivered "inactive" malware commonly used by other APT groups. Imagine a threat actor of Western origin dropping a malware commonly used by a "Comment Crew," a known Chinese threat actor. While everyone is familiar with the "Comment Crew" malware implants, few victims could analyze sophisticated new implants. That can easily mislead people into concluding that the victim was hit by the Chinese threat actor.

What to expect: In 2015, with governments increasingly keen to "name and shame" attackers, we believe that APT groups will also carefully adjust their operations and throw false flags into the game.

Threat actors add mobile attacks to their arsenal

Although APT groups have been observed infecting mobile phones, this hasn't yet become a major trend. Perhaps the attackers wish to get data that isn't usually available on mobiles, or maybe not all of them have access to the technologies that can infect Android and iOS devices.

In 2014 we saw several new APT tools designed for infecting mobiles, for instance Hacking Team's Remote Control System mobile modules.

Additionally, during the Hong Kong protests in October 2014, attacks were seen against Android and iOS users which appear to be connected to APT operations.

Although a mobile phone might not have valuable documents and schematics, or geopolitical expansion plans for next 10 years, they can be a valuable source of contacts as well as listening points. We observed this with the RedOctober group, which had the ability to infect mobile phones and turn them into "Zakladka's", mobile bugs.

What to expect: In 2015, we anticipate more mobile-specific malware, with a focus on Android and jailbroken iOS.

APT+Botnet: precise attack + mass surveillance

In general, APT groups are careful to avoid making too much noise with their operations. This is why the malware used in APT attacks is much less widespread than common crimeware such as Zeus, SpyEye and Cryptolocker.

In 2014 we observed two APT groups (Animal Farm and Darkhotel) using botnets in addition to their regular targeted operations. Of course, botnets can prove to be a vital asset in cyberwar and can be used to DDoS hostile countries; this has happened in the past.  We can therefore understand why some APT groups might want to build botnets in addition to their targeted operations.

In addition to DDoS operations, botnets can also offer another advantage - mass surveillance apparatus for a "poor country". For instance, Flame and Gauss, which we discovered in 2012, were designed to work as a mass surveillance tool, automatically collecting information from tens of thousands of victims. The information would have to be analyzed by a supercomputer, indexed and clustered by keywords and topics; most of it would probably be useless. However, among those hundreds of thousands of exfiltrated documents, perhaps one provides key intelligence details, that could make a difference in tricky situations.

What to expect: In 2015 more APT groups will embrace this trend of using precise attacks along with noisy operations and deploy their own botnets.

Targeting of hotel networks

The Darkhotel group is one of the APT actors known to have targeted specific visitors during their stay in hotels in some countries. Actually, hotels provide an excellent way of targeting particular categories of people, such as company executives. Targeting hotels is also highly lucrative because it provides intelligence about the movements of high profile individuals around the world.

Compromising a hotel reservation system is an easy way to conduct reconnaissance on a particular target. It also allows the attackers to know the room where the victim is staying, opening up the possibility of physical attacks as well as cyber-attacks.

It isn't always easy to target a hotel. This is why very few groups, the elite APT operators, have done it in the past and will use it as part of their toolset.

What to expect: In 2015, a few other groups might also embrace these techniques, but it will remain beyond the reach of the vast majority of APT players.

Commercialization of APT and the private sector

Over the last few years, we published extensive research into malware created by companies such as HackingTeam or Gamma International, two of the best known vendors of "legal spyware". Although these companies claim to sell their software only to "trusted government entities", public reports from various sources, including Citizen Lab, have repeatedly shown that spyware sales cannot be controlled. Eventually, these dangerous software products end up in the hands of less trustworthy individuals or nations, who can use them for cyber-espionage against other countries or their own people.

The fact is that such activities are highly profitable for the companies developing the cyber-espionage software. They are also low risk because – so far – we have not seen a single case where one of these companies was convicted in a cyber-espionage case. The developers of these tools are usually out of the reach of the law, because the responsibility falls with the tool users, not the company that develops and facilitates the spying.

What to expect: It's a high-reward, low risk business that will lead to the creation of more software companies entering the "legal surveillance tools" market. In turn, these tools will be used for nation-on-nation cyber-espionage operations, domestic surveillance and maybe even sabotage.

Conclusions

In general, 2014 was a rather sophisticated and diverse year for APT incidents. We discovered several zero-days, for instance CVE-2014-0515 which was used by a group we call "Animal Farm". Another zero-day we discovered was CVE-2014-0487, used by the group known as DarkHotel. In addition to these zero-days, we observed several new persistence and stealth techniques, which in turn resulted in the development and deployment of several new defense mechanisms for our users.

If we can call 2014 "sophisticated", the word for 2015 will be "elusive". We believe that more APT groups will become concerned with exposure and they will take more advanced measures to hide from discovery.

Finally, some of them will deploy false flag operations. We anticipate these developments and, as usual, will document them thoroughly in our reports.

Cloud Atlas: RedOctober APT is back in style

Wed, 12/10/2014 - 06:03

Two years ago, we published our research into RedOctober, a complex cyber-espionage operation targeting diplomatic embassies worldwide. We named it RedOctober because we started this investigation in October 2012, an unusually hot month.

After our announcement in January 2013, the RedOctober operation was promptly shut down and the network of C&Cs was dismantled. As usually happens with these big operations, considering the huge investment and number of resources behind it, they don't just "go away" forever. Normally, the group goes underground for a few months, redesigns the tools and the malware and resume operations.

See:

Since January 2013, we've been on the lookout for a possible RedOctober comeback. One possible hit was triggered when we observed Mevade, an unusual piece of malware that appeared late in 2013. The Mevade C&C name styles as well as some other technical similarities indicated a connection to RedOctober, but the link was weak. It wasn't until August 2014 that we observed something which made us wonder if RedOctober is back for good.

Meet Cloud Atlas

In August 2014, some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world.

Some of the filenames used in the attacks included:

  • FT - Ukraine Russia's new art of war.doc
  • Катастрофа малайзийского лайнера.doc
  • Diplomatic Car for Sale.doc
  • МВКСИ.doc
  • Organigrama Gobierno Rusia.doc
  • Фото.doc
  • Информационное письмо.doc
  • Форма заявки (25-26.09.14).doc
  • Информационное письмо.doc
  • Письмо_Руководителям.doc
  • Прилож.doc
  • Car for sale.doc
  • Af-Pak and Central Asia's security issues.doc

At least one of them immediately reminded us of RedOctober, which used a very similarly named  spearphish: "Diplomatic Car for Sale.doc". As we started digging into the operation, more details emerged which supported this theory.

Perhaps the most unusual fact was that the Microsoft Office exploit didn't directly write a Windows PE backdoor on disk. Instead, it writes an encrypted Visual Basic Script and runs it.

Cloud Atlas exploit payload - VBScript

This VBScript drops a pair of files on disk - a loader and an encrypted payload. The loader appears to be different every time and internal strings indicate it is "polymorphically" generated. The payload is always encrypted with a unique key, making it impossible to decrypt unless the DLL is available.

We observed several different spear-phishing documents that drop uniquely named payloads. For instance, the "qPd0aKJu.vbs" file MD5:

E211C2BAD9A83A6A4247EC3959E2A730 drops the following files:

DECF56296C50BD3AE10A49747573A346 - bicorporate - encrypted payload
D171DB37EF28F42740644F4028BCF727 - ctfmonrn.dll - loader

The VBS also adds a registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ setting the key "bookstore" to the value "regsvr32 %path%\ctfmonrn.dll /s", which ensures the malware runs every time at system boot.

Some of the DLL names we observed include:

f4e15c1c2c95c651423dbb4cbe6c8fd5 - bicorporate.dll
649ff144aea6796679f8f9a1e9f51479 - fundamentive.dll
40e70f7f5d9cb1a669f8d8f306113485 - papersaving.dll
58db8f33a9cdd321d9525d1e68c06456 - previliges.dll
f5476728deb53fe2fa98e6a33577a9da - steinheimman.dll

Some of the payload names include:

steinheimman
papersaving
previliges
fundamentive
bicorporate
miditiming
damnatorily
munnopsis
arzner
redtailed
roodgoose
acholias
salefians
wartworts
frequencyuse
nonmagyar
shebir
getgoing

The payload includes an encrypted configuration block which contains information about the C&C sever:

The information from the config includes a WebDAV URL which is used for connections, a username and password, two folders on the WebDAV server used to store plugins/modules for the malware and where data from the victim should be uploaded.

C&C communication

The Cloud Atlas implants utilize a rather unusual C&C mechanism. All the malware samples we've seen communicate via HTTPS and WebDav with the same server "cloudme.com", a cloud services provider. According to their website, CloudMe is owned and operated by CloudMe AB, a company based in Linköping, Sweden.

(Important note: we do not believe that CloudMe is in any way related to the Cloud Atlas group - the attackers simply create free accounts on this provider and abuse them for command-and-control).

Each malware set we have observed so far communicates with a different CloudMe account though. The attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism. Of course, it should be possible to reconfigure the malware to use any Cloud-based storage service that supports WebDAV.

Here's a look at one such account from CloudMe:

The data from the account:

The files stored in the randomly named folder were uploaded by the malware and contain various things, such as system information, running processes and current username. The data is compressed with LZMA and encrypted with AES, however, the keys are stored in the malware body which makes it possible to decrypt the information from the C&C.

We previously observed only one other group using a similar method – ItaDuke – that connected to accounts on the cloud provider mydrive.ch.

Victim statistics: top 5 infected countries CloudAtlas RedOctober Russia 15 35 Kazakhstan 14 21 Belarus 4 5 India 2 14 Czech Republic 2 5 Similarities with RedOctober

Just like with RedOctober, the top target of Cloud Atlas is Russia, followed closely by Kazakhstan, according to data from the Kaspersky Security Network (KSN). Actually, we see an obvious overlap of targets between the two, with subtle differences which closely account for the geopolitical changes in the region that happened during the last two years.

Interestingly, some of the spear-phishing documents between Cloud Atlas and RedOctober seem to exploit the same theme and were used to target the same entity at different times.

Cloud Atlas RedOctober

Both Cloud Atlas and RedOctober malware implants rely on a similar construct, with a loader and the final payload that is stored encrypted and compressed in an external file. There are some important differences though, especially in the encryption algorithms used – RC4 in RedOctober vs AES in Cloud Atlas.

The usage of the compression algorithms in Cloud Altas and RedOctober is another interesting similarity. Both malicious programs share the code for LZMA compression algorithm. In CloudAtlas it is used to compress the logs and to decompress the decrypted payload from the C&C servers, while in Red October the "scheduler" plugin uses it to decompress executable payloads from the C&C.

It turns out that the implementation of the algorithm is identical in both malicious modules, however the way it is invoked is a bit different, with additional input sanity checks added to the CloudAtlas version.

Another interesting similarity between the malware families is the configuration of the build system used to compile the binaries. Every binary created using the Microsoft Visual Studio toolchain has a special header that contains information about the number of input object files and version information of the compilers used to create them, the "Rich" header called so by the magic string that is used to identify it in the file.

We have been able to identify several RedOctober binaries that have "Rich" headers describing exactly the same layout of VC 2010 + VC 2008 object files. Although this doesn't necessarily mean that the binaries were created on the same development computer, they were definitely compiled using the same version of the Microsoft Visual Studio up to the build number version and using similar project configuration.

Number of object files, CloudAtlas loader Number of object files, Red October Office plugin Number of object files,Red October Fileputexec plugin HEX compiler version Decoded compiler version 01 01 01 009D766F VC 2010 (build 30319) 01 01 01 009B766F VC 2010 (build 30319) 22 2E 60 00AB766F VC 2010 (build 30319) 5B 60 A3 00010000 – 05 07 11 00937809 VC 2008 (build 30729) 72 5C AD 00AA766F VC 2010 (build 30319) 20 10 18 009E766F VC 2010 (build 30319)

To summarize the similarities between the two:

Cloud Atlas RedOctober Shellcode marker in spearphished documents PT@T PT@T Top target country Russia Russia Compression algorithm used for C&C communications LZMA LZMA C&C servers claim to be / redirect to BBC (mobile malware) BBC Compiler version VC 2010 (build 30319) VC 2010 (build 30319) (some modules)

Finally, perhaps the strongest connection comes from targeting. Based on observations from KSN, some of the victims of RedOctober are also being targeted by CloudAtlas. In at least one case, the victim's computer was attacked only twice in the last two years, with only two malicious programsRedOctober and Cloud Atlas.

These and other details make us believe that CloudAtlas represents a rebirth of the RedOctober attacks.

Conclusion

Following big announcements and public exposures of targeted attack operations, APT groups behave in a predictable manner. Most Chinese-speaking attackers simply relocate C&C servers to a different place, recompile the malware and carry on as if nothing happened.

Other groups that are more nervous about exposure go in a hibernation mode for months or years. Some may never return using the same tools and techniques.

However, when a major cyber-espionage operation is exposed, the attackers are unlikely to completely shut down everything. They simply go offline for some time, completely reshuffle their tools and return with rejuvenated forces.

We believe this is also the case of RedOctober, which makes a classy return with Cloud Atlas.

Kaspersky products detect the malware from the Cloud Atlas toolset with the following verdicts:

Exploit.Win32.CVE-2012-0158.j
Exploit.Win32.CVE-2012-0158.eu
Exploit.Win32.CVE-2012-0158.aw
Exploit.MSWord.CVE-2012-0158.ea
HEUR:Trojan.Win32.CloudAtlas.gen
HEUR:Trojan.Win32.Generic
HEUR:Trojan.Script.Generic
Trojan-Spy.Win32.Agent.ctda
Trojan-Spy.Win32.Agent.cteq
Trojan-Spy.Win32.Agent.ctgm
Trojan-Spy.Win32.Agent.ctfh
Trojan-Spy.Win32.Agent.cter
Trojan-Spy.Win32.Agent.ctfk
Trojan-Spy.Win32.Agent.ctfj
Trojan-Spy.Win32.Agent.crtk
Trojan-Spy.Win32.Agent.ctcz
Trojan-Spy.Win32.Agent.cqyc
Trojan-Spy.Win32.Agent.ctfg
Trojan-Spy.Win32.Agent.ctfi
Trojan-Spy.Win32.Agent.cquy
Trojan-Spy.Win32.Agent.ctew
Trojan-Spy.Win32.Agent.ctdg
Trojan-Spy.Win32.Agent.ctlf
Trojan-Spy.Win32.Agent.ctpz
Trojan-Spy.Win32.Agent.ctdq
Trojan-Spy.Win32.Agent.ctgm
Trojan-Spy.Win32.Agent.ctin
Trojan-Spy.Win32.Agent.ctlg
Trojan-Spy.Win32.Agent.ctpd
Trojan-Spy.Win32.Agent.ctps
Trojan-Spy.Win32.Agent.ctpq
Trojan-Spy.Win32.Agent.ctpy
Trojan-Spy.Win32.Agent.ctie
Trojan-Spy.Win32.Agent.ctcz
Trojan-Spy.Win32.Agent.ctgz
Trojan-Spy.Win32.Agent.ctpr
Trojan-Spy.Win32.Agent.ctdp
Trojan-Spy.Win32.Agent.ctdr
Trojan.Win32.Agent.idso
Trojan.Win32.Agent.idrx
HEUR:Trojan.Linux.Cloudatlas.a
Trojan.AndroidOS.Cloudatlas.a
Trojan.IphoneOS.Cloudatlas.a

 

Parallel research:

'Destover' malware now digitally signed by Sony certificates (updated)

Tue, 12/09/2014 - 15:47

Several days ago, our products detected an unusual sample from the Destover family. The Destover family of trojans has been used in the high profile attacks known as DarkSeoul, in March 2013, and more recently, in the attack against Sony pictures in November 2014. We wrote about it on December 4th, including the possible links with the Shamoon attack from 2012.

The new sample is unusual in the sense it is signed by a valid digital certificate from Sony:

The signed sample has been previously observed in a non signed form, as MD5: 6467c6df4ba4526c7f7a7bc950bd47eb and appears to have been compiled in July 2014.

The new sample has the MD5 e904bf93403c0fb08b9683a9e858c73e and appears to have been signed on December 5th, 2014, just a few days ago.

Functionally, the backdoor contains two C&Cs and will alternately try to connect to both, with delays between connections:

  • 208.105.226[.]235:443 - United States Champlain Time Warner Cable Internet Llc
  • 203.131.222[.]102:443 - Thailand Bangkok Thammasat University

So what does this mean? The stolen Sony certificates (which were also leaked by the attackers) can be used to sign other malicious samples. In turn, these can be further used in other attacks. Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective. We've seen attackers leverage trusted certificates in the past, as a means of bypassing whitelisting software and default-deny policies.

We've already reported the digital certificate to COMODO and Digicert and we hope it will be blacklisted soon. Kaspersky products will still detect the malware samples even if signed by digital certificates.

Stolen certificate serial number:

  • ‎01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce

Thumbprint:

  •  ‎8d f4 6b 5f da c2 eb 3b 47 57 f9 98 66 c1 99 ff 2b 13 42 7a

 

UPDATE (December 10, 2014)

Since the publication of this blog, news has emerged that this sample may have been the result of a "joke" by a group of security researchers.  This has prompted questions from journalists and others in the community so we decided to address them with this update:

1. Did you find the signed sample in the wild?

So far, we have not encountered the signed sample in the wild. We've only seen it submitted to online malware scanning services. However, the existence of this sample demonstrated that the private key was in the public domain. At that point we knew we had an extremely serious situation at hand, regardless of who was responsible for signing this malware.

Reports indicate the "researcher" reached out to the certificate authorities to get the certificate revoked after submitting the malware online. The certificate would have been revoked without the creation of new malware. There really was no need to create new malware to prove that the certificate hadn't been revoked yet.

2. Do you know how many Sony certificates were leaked? 

So far dozens of PFX files have been leaked online. PFX files contain the needed private key and certificate. Such files are password protected, but those passwords can be guessed or cracked. Not all of these PFX files will be of immediate value to attackers.

3. What is the danger of a code-signing certificate from a major corporation leaking online?

The importance of leaked code-signing keys cannot be overestimated. Software signed by a trusted publishing house will generally be trusted by the operating system, security software and first responders. It's an extremely powerful way for attackers to stay below the radar.

Certificate revocation needs to be a top priority when responding to a major malware and breach incidents.

4. Do anti-malware products "trust" signed programs more those that are not signed?

Trust in files is based on their reputation and digital signatures play a big role in gauging reputation. But a digital signature by itself is not enough to create trust. We look at the reputation of the entities that issued and requested the certificate.

Kaspersky Lab products detect digitally signed files. Our products detected the signed Destover variant with the detection routine created for the first Destover variant.

Kaspersky Security Bulletin 2014. Malware evolution

Tue, 12/09/2014 - 05:00

 Download PDF
 Download EPUB
 Download Full Report PDF
 Download Full Report EPUB

  1. Predictions 2015
  2. Overall statistics for 2014
  3. Malware Evolution
  4. A Look into the APT Crystal Ball

The end of the year is traditionally a time for reflection – for taking stock of our lives before considering what lies ahead. We'd like to offer our customary retrospective of the key events that shaped the threat landscape in 2014.

1. Targeted attacks and malware campaigns

Targeted attacks are now an established part of the threat landscape, so it's no surprise to see them feature in our yearly review.

The complex cyber-espionage campaign called 'Careto' or 'The Mask' (Careto is Spanish slang for 'ugly face' or 'mask') was designed to steal sensitive data from specific organizations. The victims of the attack included government agencies, embassies, energy companies, research institutions, private equity firms and activists from 31 countries around the world. Careto included a sophisticated backdoor Trojan capable of intercepting all communication channels and of harvesting all kinds of data from infected computers – including encryption keys, VPN configurations, SSH keys, RDP files and some unknown file types that could be related to bespoke military/government-level encryption tools. The code was highly modular, allowing the attackers to add new functionality at will. There are versions of the backdoor for Windows and Mac OS X and we also found references in some modules indicating that there might be versions for Linux, iOS and Android. As with any sophisticated campaign of this sort, attribution is difficult. Use of the Spanish language in the code doesn't help, since Spanish is spoken in many parts of the world. Also, it's possible that its use is an intentional piece of misdirection. However, the very high degree of professionalism of the group behind this attack is unusual for cybercriminal groups – one indicator that Careto could be a state-sponsored campaign. Like previous targeted attack campaigns, the roots of Careto stretch back well before the threat first came to light: we believe that the attackers have been active since 2007.

Early in March there was widespread discussion among security researchers about a cyber-espionage campaign called 'Epic Turla'. Researchers at G-DATA believed the malware may have been created by Russian special services; while research carried out by BAE Systems linked it to malware identified as 'Agent.btz' that dates back to 2007 and was used in 2008 to infect the local networks of US military operations in the Middle East. Our initial analysis of Epic Turla focused on the malware's use of USB flash drives to store stolen data that can't be sent directly over the Internet to the attackers' Command-and-Control (C2) server. The worm writes a file called 'thumb.dd' to all USB flash drives connected to an infected computer. If the flash drive is subsequently inserted into another computer, the 'thumb.dd' file is copied to the new computer. Epic Turla isn't the only malware that is aware of 'thumb.dd'. This is one of the files in the 'USB Stealer module' in Red October. Looking back further, Gauss and miniFlame were aware of 'thumb.dd and looked for the file on USB flash drives. You can find a chart showing the points of comparison here. We think it's likely that there are tens of thousands of USB flash drives around the world containing files called 'thumb.dd' created by this malware.

In our subsequent analysis of Epic Turla we explained how the attackers use social engineering to spread the malware and highlighted the overall structure of the campaign. The attackers use spear-phishing emails to trick their victims into installing a backdoor on their computer. Some of these include zero-day exploits – one affecting Adobe Acrobat Reader and the other a privilege escalation vulnerability in Windows XP and Windows Server 2003. They also use watering-hole attacks that deploy a Java exploit, Adobe Flash exploits and Internet Explorer exploits, or trick victims into running fake 'Flash Player' malware installers. Depending on the IP address of the victim, the attackers serve Java or browser exploits, signed fake Adobe Flash Player software or a fake version of Microsoft Security Essentials. Unsurprisingly, the choice of web sites reflects the specific interests of the attackers (as well as the interests of the victims).

However, our analysis showed that the Epic Turla backdoor is just the first stage of the infection. It is used to deploy a more sophisticated backdoor known as the 'Cobra/Carbon system' (named 'Pfinet' by some anti-malware products). The unique knowledge to operate these two backdoors indicates a clear and direct connection between them: one is used to gain a foothold and validate the high-profile victim. If the victim proves to be of interest to the attackers, the compromised computer is upgraded to the full Carbon system. You can find an overview of the Epic Turla campaign here:

In June we reported on our research into an attack on the clients of a large European bank that resulted in the theft of half a million euros in just one week. We named this 'Luuuk', after the path in the administration panel used in the C2 server. Although we were unable to obtain the malware used to infect the victims, we believe the criminals used a banking Trojan that performed 'Man-in-the-Browser' operations to steal the victims' credentials through a malicious web injection. Based on the information available in some of the log files, the malware stole usernames, passwords and one-time passcodes (OTP) in real time. The attackers used the stolen credentials to check the victim's account balance and perform malicious transactions automatically, probably operating in the background of a legitimate banking session. The stolen money was then transferred automatically to pre-defined money mule accounts. The classification of pre-defined money mules used by the attackers was very interesting. There were four different money mule groups, each defined by the amount of money the mules in the group could accept – probably a reflection of the level of trust between them. We identified 190 victims in total, most of them located in Italy and Turkey. The sums stolen from each victim ranged from €1,700 to €39,000; and amounted to €500,000.

Although the attackers removed all sensitive components soon after our investigation started, we believe that this represents a change of infrastructure rather than a complete shutdown of the operation. The cybercriminals behind the campaign are highly professional and very active. They have also shown proactive operational security activities, changing tactics and removing traces when discovered. The investigation into this campaign, which we reported to the bank concerned and to the appropriate law enforcement agencies, is ongoing.

The end of June saw the re-activation of a targeted attack campaign from early 2013, called 'MiniDuke'. The original campaign stood out for several reasons. It included a custom backdoor written in the 'old school' Assembler programming language. The attack was managed using an unusual command-and-control (C2) infrastructure: it made use of multiple redundancy paths, including Twitter accounts. The developers transferred their updated executables hidden inside GIF files.

Targets of the new operation, known as 'CosmicDuke', or 'TinyBaron', include government, diplomatic, energy, military and telecom operators. But unusually the list of victims also includes those involved in the trafficking and reselling of illegal substances, including steroids and hormones. It's not clear why: maybe the customizable backdoor was made available as so-called 'legal spyware', or it was available in the underground market and was purchased by various rivals in the pharmaceutical business to spy on each other.

Victim geography (Miniduke and CosmicDuke)

The malware spoofs popular applications designed to run in the background - including file information, icons and even file size. The backdoor itself is compiled using 'BotGenStudio' - a customizable framework that allows the attackers to enable and disable components when the bot is constructed. The malware not only steals files with specific extensions, but also harvests passwords, history, network information, address books, information displayed on the screen (screenshots are made every five minutes) and other sensitive data. Each victim is assigned a unique ID, making it possible to push specific updates to individual victims.

The malware is protected with a custom obfuscated loader which heavily consumes CPU resources for 3-5 minutes before passing execution to the payload. This makes it hard to analyze. But it also drains the resources needed by security software to emulate the malware's execution. On top of its own obfuscator, the malware makes heavy use of encryption and compression based on the RC4 and LZRW algorithms. They are implemented slightly differently to the standard versions - we believe that this is done deliberately to mislead researchers. The internal configuration of the malware is encrypted, compressed and serialized as a complicated registry-like structure, which has various record types including strings, integers and internal references. Stolen data uploaded to the C2 server is split into small chunks (of around 3KB), which are compressed, encrypted and placed in a container to be uploaded to the server. If it's a large file, it may be placed into several hundred different containers that are all uploaded independently. It's likely that these data chunks are parsed, decrypted, unpacked, extracted and reassembled on the attacker's side. While this method might add an overhead, the layers of additional processing ensure that very few researchers will get to the original data. This method also offers increased reliability against network errors.

In July we published an in-depth analysis of a targeted attack campaign that we dubbed 'Crouching Yeti' – also known as 'Energetic Bear', because researchers from CrowdStrike had suggested that the attackers were located in Russia: we don't think there's enough evidence to confirm this one way or the other. This campaign, active since late 2010, has so far targeted the following sectors: industrial/machinery, manufacturing, pharmaceutical, construction, education and information technology. So far there have been more than 2,800 victims worldwide, and we have been able to identify 101 different victim organizations – mostly in the United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China.

The attackers behind Crouching Yeti use various types of malware (all designed to infect systems running Windows) to infiltrate their victims, extend their reach within the target organizations and steal confidential data, including intellectual property and other strategic information. The malware used includes special modules to collect data from specific industrial IT environments. Infected computers connect to a large network of hacked web sites that host malware modules, hold information about victims and send commands to infected systems. The attackers use three methods to infect their victims. These include a legitimate software installer re-packaged to include a malicious DLL file; spear-phishing e-mails; and watering-hole attacks.

Technology is now an integral part of our lives, so it's hardly surprising to see a cyber-dimension to conflicts around the world. This is especially true of the Middle East, where geo-political conflicts have intensified in recent years. In August we reported on the increase in malware activity in Syria from early 2013. The victims of these attacks are not only located in Syria: the malware has also been seen in Turkey, Saudi Arabia, Lebanon, Palestine, the United Arab Emirates, Israel, Morocco, France and the United States. We were able to track the C2 servers of the attackers to IP addresses in Syria, Russia, Lebanon, the United States and Brazil. In total, we found 110 files, 20 domains and 47 IP addresses associated with the attacks.

It's clear that the groups involved in the attacks are well organized. So far the attackers have made use of established malware tools rather than developing their own (although they use a variety of obfuscation methods to bypass simple signature-based detection). However, we think it's likely that the number and sophistication of malware used in the region is likely to increase.

In November we published our analysis of the 'Darkhotel' APT, a campaign that has been operating for almost a decade, targeting thousands of victims across the globe. 90% of the infections we have seen are in Japan, Taiwan, China, Russia and Hong Kong, but we have also seen infections in Germany, the USA, Indonesia, India, and Ireland.

The campaign employs varying degrees of targeting. First, they use spear-phishing e-mails and zero-day exploits to infiltrate organizations from different sectors, including Defense Industrial Base (DIB), government and Non-Governmental Organizations (NGOs). Second, they spread malware indiscriminately via Japanese P2P (peer-to-peer) file-sharing sites. Third, they specifically target business executives who are traveling overseas and staying at hotels in a number of countries: using a two-step infection process, the attackers first identify their victims and then download further malware to the computers of more significant targets, designed to steal confidential data from the infected computer.

2. Our homes and other vulnerabilities

Exploiting unpatched vulnerabilities remains one of the key mechanisms used by cybercriminals to install malicious code on victims' computers. This relies on the existence of vulnerabilities in widely-used software and the failure of individuals or businesses to patch applications.

This year vulnerabilities were discovered in two widely-used open source protocols, known as 'Heartbleed' and 'Shellshock' respectively. Heartbleed, a flaw in the OpenSSL encryption protocol, lets an attacker read the contents of the memory, and intercept personal data, on systems using vulnerable versions of the protocol. OpenSSL is widely-used to secure Internet-based communications, including web, e-mail, instant messaging and Virtual Private Networks (VPN), so the potential impact of this vulnerability was huge. As often happens when there's a risk that personal data might have been exposed, there was a rush to change passwords. Of course, this could only be effective once an online provider had taken steps to patch OpenSSL and thereby secure their systems – otherwise any new password would be just at risk from attackers trying to exploit the vulnerability. We offered some perspectives on the impact of the flaw two months after its disclosure.

In September, the information security world faced a red alert following the discovery of the Shellshock vulnerability (also known as 'Bash'). The flaw allows an attacker to remotely attach a malicious file to a variable that is executed when the Bash command interpreter is invoked (Bash is the default shell on Linux and Mac OS X systems). The high impact of this vulnerability, coupled with the ease with which it could be exploited, caused considerable concern. Many people compared it to Heartbleed. However, unlike Heartbleed, Shellshock provided full system control – not just the ability to steal data from the memory. It didn't take long for attackers to try and take advantage of the vulnerability – we discussed some early examples soon after it was discovered. In most cases attackers remotely attacked web servers hosting CGI (Common Gateway Interface) scripts that have been written in Bash or pass values to shell scripts. However, it remains possible that the vulnerability could have an impact on a Windows-based infrastructure. Unfortunately, the problem wasn't confined only to web servers. Bash is widely used in the firmware of devices that now take for granted in our everyday lives. This includes routers, home appliances and wireless access points. Some of these devices can be difficult or impossible to patch.

The Internet is becoming woven into the fabric of our lives – literally, in some cases, as connectivity is embedded into everyday objects. This trend, known as the 'Internet of Things', has attracted more and more attention. It can seem very futuristic, but the Internet of Things is actually closer than you may think. The modern home today is likely to have a handful of devices connected to the local network that aren't traditional computers – devices such as a smart TV, a printer, a games console, a network storage device or some kind of media player/satellite receiver.

One of our security researchers investigated his own home, to determine whether it was really cyber-secure. He looked at several pieces of household kit, including network-attached storage (NAS) devices, smart TV, router and satellite receiver, to see if they were vulnerable to attack. The results were striking. He found 14 vulnerabilities in the network-attached storage devices, one in the smart TV and several potentially hidden remote control functions in the router. You can read the full details here. It's important that we all understand the potential risks associated with using network devices – this applies to individuals and businesses alike. We also need to understand that our information is not secure just because we use strong passwords or run software to protect against malicious code. There are many things over which we have no control, and to some degree we are in the hands of software and hardware vendors. For example, not all devices include automated update checks – sometimes consumers are required to download and install new firmware. This is not always an easy task. Worse still, it's not always possible to update a device (most devices investigated during this research had been discontinued more than a year before).

3. The continuing exponential growth of mobile malware

We have seen dramatic growth in the numbers of mobile malware in recent years. In the period from 2004-13 we analyzed almost 200,000 mobile malware code samples. In 2014 alone we analyzed a further 295,539 samples. However, this doesn't give the whole picture. These code samples are re-used and re-packaged: in 2014 we saw 4,643,582 mobile malware installation packs (on top of the 10,000,000 installation packs we had seen in the period 2004-13). The number of mobile malware attacks per month increased tenfold – from 69,000 per month in August 2013 to 644,000 in March 2014 (see Mobile Cyber Threats, Kaspersky Lab and INTERPOL Joint Report, October 2014).

53% of all mobile malware detections are now related to malware capable of stealing money. One of the more notable examples is Svpeng, designed to steal money from customers of three of Russia's biggest banks. The Trojan waits until a customer opens an online banking app and replaces it with its own, to try and obtain the customer's login details. It also tries to steal credit card data by displaying its own window over the Google Play app and asking for card details. Another is Waller which, in addition to behaving like a typical SMS Trojan, steals money from QIWI wallets on infected devices.

Cybercriminals have also diversified their efforts to make money from their victims, using methods that have been well-established on desktops and laptops. This includes ransomware Trojans. Fake anti-virus apps are another example of an established approach now being applied to mobile devices. Finally, this year saw the appearance of the first Trojan that is managed through a C2 server hosted in the Tor network. The Torec backdoor is a modification of the commonly-used Tor client, Orbot. The benefit, of course, is that the C2 server can't be shut down.

Until recently, nearly all malware targeting iOS was designed to exploit 'jailbroken' devices.

However, the recent appearance of the 'WireLurker' malware has shown that iOS is not immune from attack.

Mobile devices are now integrated into the fabric of our lives, so it's hardly surprising that the development of mobile malware is underpinned by a cybercrime business that includes malware writers, testers, app designers, web developers and botnet managers.

4. Your money or your file(s)

The number of ransomware programs has been growing in recent years. Some simply block access to the victim's computer and demand a ransom payment in order to restore normal access. But many go further than this, encrypting data on the computer. One recent example is 'ZeroLocker'. ZeroLocker encrypts nearly all the files on the victim's computer and adds the extension '.encrypt' to encrypted files (although it doesn't encrypt files located in directories containing the words 'Windows', 'WINDOWS', 'Program Files', 'ZeroLocker' or 'Destroy' and doesn't encrypt files larger than 20MB in size). The Trojan uses a 160-bit AES key to encrypt files. Once the files are encrypted, it runs the 'cipher.exe' utility to remove all unused data from the drive. Both these things make file recovery very difficult. The cybercriminals behind ZeroLocker demand an initial $300 worth of Bitcoins to decrypt the file. If the victim does not pay promptly the fee increases to $500 and $1,000 as time goes on.

Another ransomware program that we analyzed this year is Onion. Not only does this Trojan use the Tor network to hide its C2 servers, but it also supports full interaction with Tor without any input from the victim. Other programs like this communicate with the Tor network by launching (sometimes by injecting code into other processes) the legitimate 'tor.exe' file. By contrast Onion implements this communication as part of the malware code itself. Onion also uses an unorthodox cryptographic algorithm that makes file decryption impossible, even if traffic between the Trojan and the C2 server is intercepted. This Trojan not only uses asymmetric encryption, it also uses a cryptographic protocol known as ECDH (Elliptic Curve Diffie-Hellman). This makes decryption impossible without the master private key – which never leaves the cybercriminals' controlled server.

This year the use of ransomware programs has been extended to devices running Android. The first version of Svpeng, for example, discovered early in 2014, blocks the phone, claiming that the victim was viewing child pornography and demanding a 'fine' of $500 to unlock the phone. A subsequent modification of this malware, discovered in June 2014, completely blocks the device, so that it can only be turned off by pressing down the 'Off' button for a long time – and the Trojan loads again as soon as the device has been switched on again. This version was aimed mainly at victims in the US, but we also saw victims in the UK, Switzerland, Germany, India and Russia. This version demands a payment of $200 to unblock the phone, payment to be made using MoneyPak vouchers. The ransom demand screen displays a photograph of the victim, taken using the frontal camera. Another Trojan, called 'Koler', discovered in May 2014, uses the same approach – blocking access to the device and demanding a ransom payment of between $100 and $300 to unblock the phone. Like Svpeng, this Trojan displays a message claiming to be from the police – it targets victims in more than 30 countries around the world, using local 'police' messages.

Koler's distribution infrastructure

The first Android Trojan to encrypt data, called 'Pletor', appeared in May 2014. This Trojan uses the AES encryption algorithm to encrypt the contents of the phone's memory card and then displays a ransom demand on the screen, payable using the victim's QIWI Visa wallet, MoneXy or standard transfer of money to a telephone number. This Trojan mainly targets victims in Russia and Ukraine (although we have seen victims in other former Soviet republics) and demands the equivalent of around $300 in rubles or hryvnia.

Ransomware operations rely on their victims paying up. Don't do it! Instead, make regular backups of your data. That way, if you ever fall victim to a ransomware program (or a hardware problem that stops you accessing your files) you will not lose any of your data.

5. Cha-ching! Using malware to get money from ATMs

Malware for ATMs is not new. The first malware of this kind, called 'Skimer', was found in 2009 – this targeted ATMs in Eastern Europe running a Windows-based operating system. This used undocumented functions to print details of cards inserted in the infected machine and to open cassettes using a master card command. We saw further ATM malware in Brazil, in 2010 ('SPSniffer'): this collected PIN numbers in outdated ATMs using PIN pads that weren't using strong cryptographic protection. Then last year we saw a further family of ATM malware ('Atmer'), designed to steal money from ATMs in Mexico.

This year, at the request of a financial institution, we carried out a forensic investigation into a new attack on ATMs in Asia, Europe and Latin America. The operation was in two stages. The cybercriminals gain physical access to the ATMs and use a bootable CD to install the malware, called 'Tyupkin'; then they reboot the machine to load the malware, putting them in control of the ATM. The malware then runs in an infinite loop, waiting for a command.

To make the scam less obvious, the malware only accepts commands at specific times on Sunday and Monday nights. The attackers can then enter a combination of digits on the ATM keyboard, make a call to the malware operators, enter a further set of numbers and then collect the cash dispensed by the ATM.

Video Footage obtained from security cameras at the infected ATMs showed the methodology used to access cash from the machines. A unique digit combination key based on random numbers is freshly generated for every session: this ensures that no one outside the gang can accidentally profit from the fraud. Then the malicious operator receives instructions by phone from another member of the gang who knows the algorithm and is able to generate a session key based on the number shown: this ensures that the mules collecting the cash do not try to go it alone. When the correct key is entered, the ATM shows how much money is available in each cash cassette, inviting the operator to choose which cassette to rob. Then it dispenses 40 bank notes at a time from the chosen cassette.

The upswing in ATM attacks in recent years is a natural evolution from the more well-established method of using physical skimmers to capture data from cards used in ATMs that have been tampered with. Unfortunately, many ATMs run operating systems with known security weaknesses. This makes physical security even more important; and we would urge all banks to review the physical security of their ATMs.

6. Windows XP: forgotten but not gone?

Support for Windows XP ended on 8 April: this means no new security updates, no security hotfixes, free or paid assisted support options or online technical content updates. Sadly, there are still a lot of people running Windows XP – our data suggests that Windows XP accounts for around 18% of infections. This is a lot of people wide open to attack now that security patches have dried up. Effectively, every vulnerability discovered since April is a zero-day vulnerability – that is, one for which there is no chance of a patch. This problem will be compounded as application vendors stop developing updates for Windows XP. Every unpatched application will become yet another potential point of compromise, further increasing the potential attack surface. In fact, this process has already started: the latest version of Java no longer supports Windows XP.

Every Windows XP vulnerability discovered since April is a zero-day vulnerability #KLReport

Tweet

It might seem that the simple and obvious solution is to upgrade to a newer operating system. But even though Microsoft gave plenty of notice about the end of support, it's not difficult to see why migration to a new operating system might be difficult for some businesses. On top of the cost of switching, it may also mean investing in new hardware and even trying to replace a bespoke application developed specifically for the company – one that will not run on a later operating system. So it's no surprise see some organizations paying for continued XP support.

Of course, an anti-virus product will provide protection. But this only holds good if by 'anti-virus' we mean a comprehensive Internet security product that makes use of proactive technology to defend against new, unknown threats – in particular, functionality to prevent the use of exploits. A basic anti-virus product, based largely on signature-based scanning for known malware, is insufficient. Remember too that, as times goes by, security vendors will implement new protection technologies that may well not be Windows XP-compatible.

Anyone still running Windows XP should see this as a stop-gap, while they finalize a migration strategy. Malware writers will undoubtedly target Windows XP while significant numbers of people continue to run it, since an un-patched operating system will offer them a much bigger window of opportunity. Any Windows XP-based computer on a network offers a weak point that can be exploited in a targeted attack on the company – if compromised this will become a stepping-stone into the wider network.

There's no question that switching to a newer operating system is inconvenient and costly - for individuals and businesses. But the potential risk of using an increasingly insecure operating system is likely to outweigh the inconvenience and cost.

7. Beneath the layers of the onion

Tor (short for The Onion Router) is software designed to allow someone to remain anonymous when accessing the Internet. It has been around for some time, but for many years was used mainly by experts and enthusiasts. However, use of the Tor network has spiked this year, in large part because of growing concerns about privacy. Tor has become a helpful solution for those who, for any reason, fear surveillance and the leakage of confidential information. However, our investigations highlighted the fact that Tor is also attractive for cybercriminals, who value the anonymity it offers.

We started seeing cybercriminals actively using Tor to host their malicious infrastructure in 2013. In addition to malware, we found many related resources, including C2 servers, administration panels and more. By hosting their servers in the Tor network, cybercriminals make them harder to identify, blacklist and eliminate. There's also a Tor-based underground marketplace, including the buying and selling of malware and stolen personal data – typically paid for using the crypto-currency Bitcoin, enabling cybercriminals to remain untraceable. Tor allows cybercriminals to conceal the operation of the malware they use, to trade in cybercrime services and launder their illegal profits.

In July we published our analysis of a ransomware Trojan, called 'Onion' that broke new ground in its use of Tor.

Developers of Android-based malware have also started to use Tor. The Torec Trojan, a malware variation of the popular Orbot Tor client, uses a domain in the .onion pseudo zone as a C2 server. Some modifications of the Pletor ransomware Trojan also use the Tor network to communicate with the cybercriminals managing the scam.

Cybercriminals can't always operate with impunity, despite using Tor, as demonstrated by the recent global law enforcement operation against a number of Tor-based cybercrime services ('Operation Onymous').

This begs the question of how the police agencies involved were able to compromise a supposedly 'impenetrable' network – because, in theory at least, there's no way of knowing the physical location of a web server behind a hidden service that someone visits. However, there are ways to compromise a hidden service that don't involve attacking the Tor architecture itself, as we discussed here. A Tor-based service can only remain secure if it's properly configured, if it's free from vulnerabilities or configuration errors and the web application doesn't have any flaws.

8. The good, the bad and the ugly

Unfortunately, software isn't neatly divided between good and bad programs. There's always the risk that software developed for legitimate purposes might be misused by cybercriminals. At the Kaspersky Security Analyst Summit 2014 in February we outlined how improper implementation of anti-theft technologies residing in the firmware of commonly used laptops and some desktop computers could become a powerful weapon in the hands of cybercriminals. Our research started when a Kaspersky Lab employee experienced repeated system process crashes on one of his personal laptops, related to instability in modules belonging to the Computrace software developed by Absolute Software. Our colleague hadn't installed the software and didn't even know it was present on the laptop. This caused us concern because, according to an Absolute Software white paper, the installation should be done by the owner of the computer or their IT service. On top of this, while most pre-installed software can be permanently removed or disabled by the owner of the computer, Computrace is designed to survive a professional system cleanup and even a hard disk replacement. Moreover, we couldn't simply dismiss this as a one-off occurrence because we found similar indications of Computrace software running on personal computers belonging to some of our researchers and some enterprise computers. As a result, we decided to carry out an in-depth analysis.

When we first looked at Computrace, we mistakenly thought it was malicious software, because it uses so many tricks that are popular in current malware. Indeed, in the past this software has been detected as malware although at present most anti-malware companies whitelist Computrace executables.

In our view, strong authentication and encryption must be built into a powerful legal surveillance tools #KLReport

Tweet

We believe that Computrace was designed with good intentions. However, our research shows that vulnerabilities in the software could allow cybercriminals to misuse it. In our view, strong authentication and encryption must be built into such a powerful tool. We found no evidence that Computrace modules had been secretly activated on the computers we analyzed. But it's clear that there are a lot of computers with activated Computrace agents. We believe that it's the responsibility of manufacturers, and Absolute Software, to notify these people and explain how they can deactivate the software if they don't wish to use it. Otherwise, these orphaned agents will continue to run unnoticed and will provide opportunities for remote exploitation.

In June, we published the results of our research into a piece of 'legal' software called Remote Control System (RCS) developed by the Italian company HackingTeam. We discovered a feature that can be used to fingerprint its C2 servers. This allowed us to scan the entire IPv4 space and find all the IP addresses of RCS C2 servers across the globe. We found 326 in total, the greatest number of them located in the US, Kazakhstan and Ecuador. Several IPs were identified as 'government'-related, based on their WHOIS information. Of course, we can't be sure that the servers located in a specific country are being used by law enforcement agencies in that country, but this would make sense: after all, it would avoid cross-border legal problems and avoid the risk of servers being seized by others. We also found a number of mobile malware modules coming from HackingTeam, for Android, iOS, Windows Mobile and BlackBerry. They are all controlled using the same configuration type – a good indication that they are related and belong to the same product family. Unsurprisingly, we were particularly interested in those relating to Android and iOS, because of the popularity of those platforms.

The modules are installed using infectors – special executables for either Windows or Mac OS that run on already-infected computers. The iOS module supports only 'jailbroken' devices. This does limit its ability to spread, but the method of infection used by RCS means that an attacker can run a jailbreaking tool (such as Evasi0n) from the infected computer to which the phone is connected – as long as the device isn't locked. The iOS module allows an attacker to access data on the device (including e-mail, contacts, call history, cached web pages), to secretly activate the microphone and to take regular camera shots. This gives complete control over the whole environment in and around a victim's computer.

We seek to detect and remediate any malware attack, regardless of its origin or purpose #KLReport

Tweet

The Android module is protected by the DexGuard optimizer/obfuscator, so it was difficult to analyze. But we were able to determine that it matches the functionality of the iOS module, plus offering support for hijacking information from the following applications: 'com.tencent.mm', 'com.google.android.gm', 'android.calendar', 'com.facebook', 'jp.naver.line.android' and 'com.google.android.talk'.

This new data highlighted the sophistication of such surveillance tools. Our policy in relation to such tools is very clear. We seek to detect and remediate any malware attack, regardless of its origin or purpose. For us, there's no such thing as 'right' or 'wrong' malware; and we've issued public warnings about the risks of so-called 'legal' spyware in the past. It's imperative that these surveillance tools don't fall into the wrong hands – that's why the IT security industry can't make exceptions when it comes to detecting malware.

9. Privacy and security

The ongoing tension between privacy and security has continued to make headlines.

Among the usual steady stream of security breaches this year, it's not really surprising that the incident that attracted most attention was the theft and subsequent publication of explicit photographs of various Hollywood celebrities. This story highlights the dual responsibility of providers and individuals in securing data stored online. It seems that the theft was made possible by a loophole in iCloud security: the 'Find My iPhone' interface lacked any limitation on the number of password attempts, allowing attackers to brute-force the passwords of the victims. Apple closed up this loophole soon afterwards. However, the attack would not have been possible had the victims not used weak passwords. We increasingly live our lives online. But many of us fail to consider the implications of storing personal data online. The security of a cloud service depends on the provider. The moment we entrust our data to a third-party service, we automatically lose some control over it. It's important to cherry-pick the data we store in the cloud and decide what data is automatically moved from our devices to the cloud.

The issue of passwords is one that keeps surfacing. If we choose a password that is too easy to guess, we leave ourselves wide open to identify theft. The problem is compounded if we recycle the same password across multiple online accounts – if one account is compromised, they're all at risk! This is why many providers, including Apple, Google and Microsoft, now offer two-factor authentication – i.e. requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings. Two-factor authentication certainly enhances security – but only if it's required, rather than just being an option.

Two-factor authentication enhances security – but only if it's required, rather than being an option #KLReport

Tweet

There's always a trade-off between security and ease of use. In an effort to strike this balance, Twitter recently launched its Digits service. Customers no longer need to create a username and password combination in order to sign in to an app. Instead, they simply enter their phone number. They receive a one-time passcode to confirm each transaction – this code is read automatically by the app. Twitter is effectively making itself a go-between, verifying the identity of the customer for the app provider. There are several benefits. Consumers no longer have to worry about creating a login and password combination to set up an account with an app provider; and they don't need to have an e-mail address. App developers don't need to create their own framework for verifying logins; and they won't lose potential customers who don't use e-mail. Twitter gets more visibility into what its customers are interested in. In addition, the fact that no passwords are stored on the app provider's server is also a plus: a breach of an app provider's server will not result in the loss of personal data belonging to customers. However, if someone loses their device, or if it's stolen, the number verification will still work – and anyone with access to the device will be able to access an app in the same way as the legitimate owner. That said, it doesn't represent a step backwards in security compared to the traditional username and password method. Currently, mobile apps don't force a login each time an app is run anyway, so if someone steals a phone, and the owner isn't using a PIN, passcode or fingerprint, the thief has access to everything – e-mail, social networks and apps. In other words, security is dependent on a single-point-of-failure – the PIN, passcode or fingerprint used to access the device itself.

In response to increasing concerns about privacy, the developers of the 'pwnedlist.com' web site created an easy to use interface where people can check to see if their e-mail addresses and passwords have been stolen and published online. This year they have made this a chargeable service.

The response of both Apple and Google to growing fears about loss of privacy was to enable default encryption of data on iOS and Android devices, something that some law enforcement agencies believe plays into the hands of cybercriminals – making it easier for them to evade detection.

10. International law enforcement: co-operation brings results

Cybercrime has become an established part of life, on the back of the ever-increasing online activities we engage in. It's tempting to imaging that cybercriminals are able to operate with impunity, but the actions of law enforcement agencies can have a significant impact on their activities. International co-operation is particularly important, given the global nature of cybercrime. This year there have been some notable police successes.

In June 2014 an operation involving law enforcement agencies of several countries, including the UK's NCA (National Crime Agency) and the FBI, was able to take down the global network of computers responsible for managing the 'GameoverZeus' botnet. The police operation ('Operation Tovar') disrupted the communications underlying the botnet, thereby preventing the cybercriminals from controlling it. GameoverZeus was one of the largest operating botnets based on the code of the Zeus banking Trojan. In addition to infecting computers with the Zeus Trojan and stealing login credentials for online e-mail accounts, social networks, online banking and other online financial services, the botnet also distributed the 'Cryptolocker' ransomware program. The police campaign offered victims a breathing-space in which to clean their computers.

Earlier this year Kaspersky Lab contributed to an alliance of law enforcement and industry organizations, co-ordinated by the NCA, to disrupt the infrastructure behind the 'Shylock' Trojan. The Shylock banking Trojan, so-called because its code contains excerpts from Shakespeare's The Merchant of Venice, was first discovered in 2011. Like other well-known banking Trojans Shylock is a man-in-the-browser attack designed to steal banking login credentials from the computers of bank customers. The Trojan uses a pre-configured list of target banks, located in different countries around the world.

In November, Operation Onymous resulted in the take-down of dark markets running within the Tor network.

The 'Penquin' Turla

Mon, 12/08/2014 - 15:05

Recently, an interesting malicious sample was uploaded to a multi-scanner service. This immediately triggered our interest because it appears to represent a previously unknown piece of a larger puzzle. That puzzle is "Turla", one of the most complex APTs in the world.

We have written previously about the Turla APT with posts about their Epic Turla operations  and Agent.btz inspiration.

So far, every single Turla sample we've encountered was designed for the Microsoft Windows family, 32 and 64 bit operating systems. The newly discovered Turla sample is unusual in the fact that it's the first Turla sample targeting the Linux operating system that we have discovered.

This newly found Turla component supports Linux for broader system support at victim sites. The attack tool takes us further into the set alongside the Snake rootkit and components first associated with this actor a couple years ago. We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet.

The Linux Turla module is a C/C++ executable statically linked against multiple libraries, greatly increasing its file size. It was stripped of symbol information, more likely intended to increase analysis effort than to decrease file size. Its functionality includes hidden network communications, arbitrary remote command execution, and remote management. Much of its code is based on public sources.

Md5 Size Verdict Name 0994d9deb50352e76b0322f48ee576c6 627.2 kb N/A (broken file) 14ecd5e6fc8e501037b54ca263896a11 637.6 kb HEUR:Backdoor.Linux.Turla.gen

General executable characteristics:

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, stripped

Statically linked libraries:

  • glibc2.3.2 - the GNU C library
  • openssl v0.9.6 - an older OpenSSL library
  • libpcap - tcpdump's network capture library

Hardcoded C&C, known Turla activity: news-bbc.podzone[.]org
The domain has the following pDNS IP: 80.248.65.183

80.248.65.183 aut-num:        AS30982 announcement:   80.248.65.0/24 as-name:        CAFENET descr:          CAFE Informatique et telecommunications admin-c:        YN2-AFRINIC tech-c:         AN39-AFRINIC org:            ORG-CIet1-AFRINIC mnt-by:         AFRINIC-HM-MNT mnt-lower:      CAFENET-NOC source:         AFRINIC # Filtered


Note: the C&C domain is currently sinkholed by Kaspersky Lab.

Functional description

The sample is a stealth backdoor based on the cd00r sources.

This Turla cd00r-based malware maintains stealth without requiring elevated privileges while running arbitrary remote commands. It can't be discovered via netstat, a commonly used administrative tool. It uses techniques that don't require root access, which allows it to be more freely run on more victim hosts. Even if a regular user with limited privileges launches it, it can continue to intercept incoming packets and run incoming commands on the system.

Startup and Execution

To start execution, the process requires two parameters: ID (a numeric value used as a part of the "magic packet for authentication") and an existing network interface name. The parameters can be inputted two different ways: from STDIN, or from dropper a launching the sample. This is NOT a command-line parameter, it's a real prompt asking the attacker user to provide the input parameters. After the ID and interface name are entered and the process launched, the backdoor's process PID is returned. Here is a screenshot of this simple interface:

While there is no initial network callback, a section of code maintains a hardcoded c2 string "news-bbc.podzone[.]org". This fully qualified domain name was first set up in 2010, suggesting that this binary is fairly recent in the string of Turla campaigns. Also, while we haven't seen additional file download activity from this server by this tool, it likely participated as a file server of sorts.

Magic Packets for Remote Command Execution

The module statically links PCAP libraries, and uses this code to get a raw socket, applies a filter on it, and captures packets, checking for a specific condition (the *original cd00r first used this method, based on ports and SYN-packets). This condition is expressed here (it is based on the ID value input at startup by the attacker):

ID = 123 Filter = (tcp[8:4] & 0xe007ffff = 0xe003bebe) or (udp[12:4] & 0xe007ffff = 0xe003bebe) ID = 321 Filter = (tcp[8:4] & 0xe007ffff = 0x1bebe) or (udp[12:4] & 0xe007ffff = 0x1bebe)

In simple terms, it checks for an ACK number in the TCP header, or the second byte from the UDP packet body.

If such a packet is received and the condition check is successful, execution jumps to the packet payload contents, and it creates a regular socket. The backdoor handles this socket as a file with read/write operations. It's not the typical recv/send used in this code. It uses this new socket to connect to the source address of the "magic packets". Then it reports its own PID and IP to the remote address, and starts an endless loop for receiving remote commands. When a command arrives, it is executed with a "/bin/sh -c " script.

Further analysis of the sample's functionality will be updated here.

Conclusions

Although Linux variants from the Turla framework were known to exist, we haven't seen any in the wild yet.

This specific module appears to have been put together from public sources with some added functionality from the attackers. Some of the malicious code appears to be inactive, perhaps leftovers from older versions of the implant. Perhaps the most interesting part here is the unusual command and control mechanism based on TCP/UDP packets, as well as the C&C hostname which fits previously known Turla activity.

The discovery of this Turla module rises one big question: how many other unknown Turla variants exist?

Update: Since the publishing of this blogpost, we have discovered another Linux Turla module, which apparently represents a different malware generation than the previously known samples:

The new sample was heuristically detected by our product due to similarities with the previously discovered samples.

Md5 Size Verdict Name 19fbd8cbfb12482e8020a887d6427315 801,561 bytes HEUR:Backdoor.Linux.Turla.gen Related research: