Malware Alerts

Subscribe to Malware Alerts feed
Just another Kaspersky US Blog Sites site
Updated: 2 hours 2 min ago

HackingTeam 2.0: The Story Goes Mobile

Tue, 06/24/2014 - 13:04

More than a year has passed since the release of our last article on HackingTeam, the Italian company that develops a "legal" spyware tool known as Remote Control System, or short, RCS. In the meantime a lot has been happened, so it's time for an update on all our current research findings on the RCS malware.

Locating the command servers

One of the most important things we've uncovered during our long and extensive research is a specific feature than can be used to fingerprint the RCS command servers (C2s). We presented details of this method at the Virus Bulletin 2013 conference.

To summarize, when a special request is sent to a "harmless" HackingTeam RCS C&C server, the RCS C&C responds with the following error message:


Slide from our VB presentation with HackingTeam's C2 fingerprint

First of all, the codename 'RCS' is there, all right. What we weren't sure about was the 'Collector' referred to in the response. This probably refers to the fact that the server "collects" information from the victims. We used this particular fingerprinting method to scan the entire IPv4 space, which allowed us to find all the IP addresses of the RCS C2s around the world and plot them nicely to a map showing their locations. šWe pinpointed a grand total of 326 C2s.

Count of C2s Country name 64 UNITED STATES 49 KAZAKHSTAN 35 ECUADOR 32 UNITED KINGDOM 24 CANADA 15 CHINA 12 COLOMBIA 7 POLAND 7 NEW ZEALAND 6 PERU 6 INDONESIA 6 BRAZIL 6 BOLIVIA 6 ARGENTINA 5 RUSSIAN FEDERATION 5 INDIA 4 HONG KONG 4 AUSTRALIA 3 SPAIN 2 SAUDI ARABIA 2 MALAYSIA 2 ITALY 2 GERMANY 2 FRANCE 2 EGYPT 1 UKRAINE 1 THAILAND 1 SWEDEN 1 SINGAPORE 1 ROMANIA 1 PARAGUAY 1 MOROCCO 1 LITHUANIA 1 KENYA 1 JAPAN 1 IRELAND 1 HUNGARY 1 DENMARK 1 CZECH REPUBLIC 1 CYPRUS 1 Other 1 BELGIUM 1 AZERBAIJAN


Map showing the countries of the current HackingTeam servers’ locations

The largest amount of identified servers was in the US, Kazakhstan and Ecuador. Unfortunately, we can’t be sure that the servers in a certain country are used by that specific country’s LEAs; however, it would make sense for LEAs to put their C&Cs in their own countries in order to avoid cross-border legal problems and the seizure of servers.  Nevertheless, several IPs were identified as “government” related based on their WHOIS information and they provide a good indication of who owns them.

Mobile modules

It was a well-known fact for quite some time that HackingTeam products included malware for mobile phones. However, these were rarely seen. In particular, the Android and iOS Trojans have never been identified before and represented one of the remaining blank spots in the story. Earlier this year, we discovered a number of mobile malware modules coming from HackingTeam for the following platforms:

  • Android
  • iOS
  • Windows Mobile
  • BlackBerry

All these modules are controlled by the same configuration type, which is a good indication that they are related and belong to the same product family.


Configuration file from the RCS mobile modules

Certainly, our main interest during the analysis of the mobile modules was in iOS and Android, due to their popularity. The iOS module works only on jailbroken devices. Here is a description of the main functionality of the iOS module:

  • Control of Wi-Fi, GPS, GPRS
  • Recording voice
  • E-mail, SMS, MMS
  • Listing files
  • Cookies
  • Visited URLs
  • Cached web pages
  • Address book
  • Call history
  • Notes
  • Calendar
  • Clipboard
  • List of apps
  • SIM change
  • Live microphone
  • Camera shots
  • Support chats, WhatsApp, Skype, Viber
  • Log keystrokes from all apps and screens via libinjection


Disassembled code of the iOS module

The Android module is protected by the DexGuard optimizer/obfuscator and is therefore extremely difficult to analyze. However, we discovered (see the trace below) that the sample has all the functionality of the iOS module listed above - plus support for hijacking information from the following applications:

  • com.tencent.mm
  • com.google.android.gm
  • android.calendar
  • com.facebook
  • jp.naver.line.android
  • com.google.android.talk


Trace of an RCS Android sample

Mobile infectors

Another aspect of particular interest to us was the way the malware samples are installed on mobile devices. We discovered several modules that infect mobile devices connected to infected Windows or Mac OS X computers.

As already mentioned, the iOS module can only be used on jailbroken devices. That is why the iOS infector uses the AFP2 protocol to transfer. The "infector" has a nice GUI that enables installation if there is physical access to the victim's device or remote admin access to an infected computer.


Main window of the iOS infector

iPhone1,1 iPhone1,2 iPhone2,1 iPhone3,1 iPhone3,2 iPhone3,3 iPhone4,1 iPhone5,1 iPhone5,2 iPad1,1 iPad2,1 iPad2,2 iPad2,3 iPad2,4 iPad3,1 iPad3,2 iPad3,3 iPad3,4 iPad3,5 iPad3,6 iPhone iPhone 3G iPhone 3GS iPhone 4 iPhone 4 iPhone 4 (cdma) iPhone 4s iPhone 5 (gsm) iPhone 5 iPad iPad2 (Wi-Fi) iPad2 (gsm) iPad2 (cdma) iPad2 (Wi-Fi) iPad3 (Wi-Fi) iPad3 (gsm) iPad3 iPad4 (Wi-Fi) iPad4 (gsm) iPad4    

List of Apple devices supported by the iOS infector

After successfully connecting, the iOS infector copies several files to iOS and runs an install.sh file:


Part of the install.sh file that is run on an infected iOS device

As mentioned above, remote admin access to an infected computer is one of the possible ways for the malware to be installed on a connected mobile device. The fact that only jailbroken iOS devices are supported can be a limiting factor. However, this is not a huge problem since an attacker can also run a jailbreaking tool such as Evasi0n via the same infected computer. In this case the only thing that can protect a user from a remote jailbreak and infection is the mobile device’s passcode. However, if the device is unlocked while connected to the infected computer, it can be infected by the attacker.

Another interesting mobile infector is the one for BlackBerry devices, which uses the JavaLoader application to load malware samples on BB 4.5 and 5.0. In its disassembled code, we found a path to the PDB debug file, which appears to have been mistakenly forgotten by the authors. The original project was located in the ‘C:\HT\RCSBlackBerry\Workspace\RCS_BB_Infection_Agent\’ when this malware was created.


Part of the code of a Blackberry infector with a path to the PDB file

Summary

In this latest installment of our ongoing research, we uncovered a huge infrastructure that is used to control the RCS malware implants. Our latest research has indentified mobile modules that work on all well-known mobile platforms, including as Android and iOS. These modules are installed using infectors - special executables for either Windows or Macs that run on already infected computers. They translate into complete control over the environment in and near a victim’s computer. Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target - which is much more powerful than traditional cloak and dagger operations.

The new data we are publishing on HackingTeam’s RCS is extremely important because it shows the level of sophistication and scale of these surveillance tools. We like to think that if we’re able to protect our customers from such advanced threats, then we’ll sure have no trouble with lesser, more common threats like those posed by cybercriminals.

Appendix:

MD5s of mobile infectors:

  • 14b03ada92dd81d6ce57f43889810087 - BlackBerry infector
  • 35c4f9f242aae60edbd1fe150bc952d5 - iOS infector

MD5s of Android samples:

  • ff8e7f09232198d6529d9194c86c0791
  • 36ab980a954b02a26d3af4378f6c04b4
  • a2a659d66e83ffe66b6d728a52130b72
  • 9f06db99d2e5b27b01113f78b745ff28
  • a43ea939e883cc33fc766dd0bcac9f6a
  • a465ead1fd61afe72238306c7ed048fe

MD5s of Windows samples:

  • bf8aba6f7640f470a8f75e9adc5b940d
  • b04ab81b9b796042c46966705cd2d201
  • 1be71818a228e88918dac0a8140dbd34
  • c7268b341fd68cf334fc92269f07503a

List of active C2s on 19.06.2014:

  • 50.63.180.***
  • 146.185.30.***
  • 204.188.221.***
  • 91.109.17.***
  • 106.186.17.***
  • 119.59.123.***
  • 95.141.46.***
  • 192.71.245.***
  • 106.187.99.***
  • 93.95.219.***
  • 106.187.96.***
  • 124.217.245.***
  • 23.92.30.***
  • 82.146.58.***
  • 93.95.219.***
  • 209.59.205.***

RCS modules (using Kaspersky Lab’s classification names):

  • Backdoor.OSX.Morcut
  • Rootkit.OSX.Morcut
  • Trojan.OSX.Morcut
  • Backdoor.Win32.Korablin
  • Backdoor.Win64.Korablin
  • Rootkit.Win32.Korablin
  • Rootkit.Win64.Korablin
  • Trojan.Multi.Korablin
  • Trojan-Dropper.Win32.Korablin
  • Backdoor.AndroidOS.Criag
  • Trojan-Spy.AndroidOS.Mekir
  • Trojan.Win32.BBInfector
  • Trojan.Win32.IOSinfector
  • Trojan.OSX.IOSinfector
  • Trojan-Spy.IphoneOS.Mekir
  • Trojan-Spy.WinCE.Mekir
  • Trojan-Spy.BlackberryOS.Mekir

Blog: The Rise of Cybercrime in Dubai and UAE

Mon, 06/23/2014 - 13:20
Dubai today has become a global city and a business hub, same is going for threats and malware attacks, UAE is the most attacked country in the Middle East. In this report we highlight the most popular and dangerous threats and attacks, in addition to possible solutions to handle such threats.

The Rise of Cybercrime in Dubai and UAE

Mon, 06/23/2014 - 12:35

A lot of our everyday communication and commercial activities are now taking place online, the threat from cybercrime is increasing, targeting citizens, businesses and governments at a rapidly growing rate.

Organizations and individuals are worried about the increase of Cybercrime, not just because of financial damage, but loss of privacy and intellectual property, in addition to reputation problems.

Recent statistics have shown dramatic growth in the Cybercrime in the UAE. Emerging markets have long been of interest for Cyber criminals.

Official statistics from Dubai have shown a dramatic 88% increase in the number of electronic crime cases reported in 2013 compared to the year before. The cyber investigation department of Dubai Police received a total of 1,419 reports in 2013, 792 in 2012 and 588 in 2011.

Kaspersky malware statistics in the UAE and worldwide

The increase in the number of attacks in the UAE and the region is also reflected by the number of attacks and infection attempts detected by Kaspersky Security Network in the region. The KSN cloud network uses the latest intelligence technologies to enable the reporting and analysis of threats around the world.

Kaspersky top Malware detections statistics for 2014 in the world Adware.Win32.Amonetize.heur 3,700,000+ Worm.VBS.Dinihou.r 1,800,000+ Virus.Win32.Sality.gen 1,780,000+ AdWare.Win32.BetterSurf.b 1,500,000+ AdWare.Win32.Yotoon.heur 1,500,000+ Exploit.Win32.CVE-2010-2568.gen 1,388,000+ Worm.Win32.Debris.a 1,094,000+ Trojan.Win32.Starter.lgb 1,007,000+ AdWare.Win32.Skyli.a 883,000+ Exploit.Java.Generic 850,000+ Trojan.Win32.AntiFW.b 829,000+ Virus.Win32.Nimnul.a 713,000+ Trojan.WinLNK.Runner.ea 676,000+ Why is cybercrime surging in the UAE?

The last few years have seen huge increase in the use of smart electronic devices and Internet services, all these devices are connected to the Internet.

Increasing use of online services

According to recent statistics Internet penetration has reached 92% in the UAE. Most people now use online services, including the transfer of financial and personal information to fulfill their day-to-day needs, and the most popular services are as follows:

  1. E-Government transactions, e-bills
  2. E-banking
  3. E-shopping

While the benefits of using online services are obvious, there are also threats that target user information.

Smartphone Threats

Many people in the UAE and Gulf region have smart mobile devices. These have many benefits and allow anyone to easily access services and activities online. These devices are expensive, so users often wrongly assume they have some kind of default protection.

Android is the most targeted mobile platform. At Kaspersky Lab we now have more than 10 million unique Android malware samples in our databases.

In Q1 2014, more than 99% of all mobile malware targeted Android devices. Detections over the past three months included:

  • 1 258 436 installation packages,
  • 110 324 new malicious programs for mobile devices,
  • 1 182 new mobile banking Trojans.
Financial Motivation

The huge increase in the use of online payment and e-services, in addition to the wide availability of unprotected smartphones, has encouraged cyber-criminals to target users with malware and phishing attacks affecting all types of devices.

Just like offline crime, money is a prime motive, especially when the risks of a criminal life are less apparent when you're hiding being a computer screen. The perception of low risk and high financial reward stimulates many cyber criminals to participate in identity theft and fraudulent activities.

Personal Motivation

Human beings and the crimes they commit are often motivated by personal emotions and vendettas. From irritated employees to jealous boyfriends, many crimes have their roots in powerful passions.

Ideological and Political Motivation

These kinds of attacks are carried out for moral, ideological or political reasons, damaging or disabling online services and networks to protest against individuals, corporations or governments. Anonymous group is a popular example of ideologically motivated hackers.

The most dangerous attacks on users in the UAE Banking Malware

The UAE is a country well known for its concentration of financial resources. Banking malware targets user devices to steal financial information like credit card details and bank account passwords. The criminals then use this stolen information to transfer money from the compromised accounts.

The most popular banking malware in the UAE are as follows:

  • Zeus (Windows)
  • Carberp (Windows)
  • mToken (Android)

Zeus and Carberp have long been popular malware for Windows computers and widely available public source code has enabled criminals to develop many variants of these. Zeus Gameover, the latest variant of Zeus has hit hard in the UAE, the third most affected country in the world. Zeus Gameover was taken down by the FBI and Microsoft on 2nd of June 2014.


Number of Zeus and Carberp attacks, and files blocked between 5 and 12 June 2014 in UAE

mToken was first recognized and reported by the Intercrawler organization. This is a different type of malware that mainly targets Android devices. It is used to steal banking usernames and passwords, in addition to stealing SMS token messages from the banks. There were 513,000 mToken attacks in Q1 2014 in the GCC region according to statistics from the Telecommunications Regulatory Authority. The mToken disguises itself as a banking token generator for some of the most popular banks in KSA and UAE Most of its victims are in the United Arab Emirates and the Kingdom of Saudi Arabia.

Kaspersky Lab products have detected and blocked Zeus variants since 2010 and Mtoken variants since 2012.

Ransomware: Lockers and Crypters

Lockers and Encrypters are ransomware trojans. An attack may come from several sources; one example is disguised as an authentic email attachment.

Some Lockers can be removed with no damage to the system or files, others harm files by encrypting them using RSA public-key cryptography where only the hackers have the keys to decrypt and recover the files.

The malware displays a message which offers to unlock/decrypt the device and data if a payment is made by a stated deadline (through either Bitcoin or a pre-paid coupon), and threatens to delete the key if the deadline passes.

Lockers and Encrypters mainly target Windows devices but recently we have seen versions for Android.


Number of ransomware attacks and files blocked between 5 and 12 June 2014 in UAE


Even though it is old, CashU malware is still active in the UAE


Cryptolocker encrypts your files and they can only be recovered using the hacker's key


Ransomware targeting Android devices, disguised as a protection application

The most popular attacks in the UAE

The total number of attacks from Jan-May 2014 is 12,713,890

Top 3 Adware in the UAE in 2014 AdWare.Win32.BetterSurf.b 1,228,000+ AdWare.Win32.BrainInst.u 1,189,000+ AdWare.Win32.BHO.batb 680,000+ Top 3 malware attacks in the UAE in 2014 Virus.Win32.Sality.gen 378,000+ Net-Worm.Win32.Kido.ih 348,000+ Exploit.Win32.CVE-2010-2568.gen 339,000+

Sality virus: blocks some security functions and utilities on Windows computers. It also tries to download malware from other servers. It infects Windows files and copies itself to removable and remote drives.

Kido worm: also known as conficker, is malware that targets the Windows operating system, mainly attacking the MS08-067 vulnerability; it also uses dictionary attacks on administrator passwords to spread and create a botnet.

CVE-2010-2568 is one of the most popular weaknesses in the Microsoft Operating system. When exploited by malware attacks, it allows a user to execute code via shortcut file (.lnk) that is not properly handled by the operating system.

Sality virus, Kido worm and the CVE-2010-2568 exploit are legacy attacks which were used to infect millions of machines worldwide. They are still widespread because they can easily infect new machines or they are publicly available for the criminals to use which explains the high success rates if a device is not protected.

These recent statistics suggest that the most popular malware and adware in the UAE are not new:

First Date of malware detection by Family BetterSurf adware Oct 2013 BrainInst adware Dec 2013 BHO adware Mar 2006 Sality virus Oct 2009 Kido worm Nov 2008 CVE-2010-2568 exploit Jul 2010

The main reasons why old attacks are still very successful are as follows:

  • The absence of correct patching on the user operating systems
  • The use of unlicensed software
  • The lack of security software to protect the user devices against the latest threats
  • The lack of good practices for handling smart devices, like good passwords and awareness on cyber security
Conclusion and future expectations

Most malware works in stealth mode. It doesn't announce itself on a PC or mobile device, preferring to monitor and steal information and then use it to steal your money or reveal themselves while extorting money. In most cases criminals are not very interested in the information on most personal or business computers. But this data is vital to the owner, and criminals manipulate the need for confidentiality, integrity and availability to cause financial and reputational damage to victims.

The UAE has a diverse, cosmopolitan and multicultural society and the accelerated economic growth in the region has encouraged cyber-criminals to excessively target citizens, using and adapting the latest trends in global cybercrime.

The increasing number and complexity of threats targeting users and businesses in the UAE requires better protection and awareness to defend against various cyber-threats.

You can follow me on twitter: @mahasbini

Adware or money loss instead of your favorite World Cup game

Thu, 06/19/2014 - 13:28

This is the fourth and final part of our series of blogposts about the World Cup and the IT threats associated with it. Moreover, these are problems that we face right now, while our soccer stars are strutting their stuff in Brazil.

Many fans have found themselves away from the TV and looking for a live stream of a big game - but looking for live broadcasts on the Internet can cost you money or leave a malicious program on your computer.

When you search on Internet for the live Word Cup broadcast, you will sometimes find purchased advertisements that lead to fraudulent or malicious content. Here are two fresh examples of it, all set up for the World Cup:

When you go to the Website, it asks you to download a special plugin available for all browsers. This is supposed to be the player needed to watch the on-line broadcast of the games:

In reality, it is an Adware program, which may not show you anything but will drain your computer's resources. Adware software straddles a thin line between classic cybercrime and legitimate software. This is why our statistics show the constant detection grow on the same on the user's devices:

Sites like these also promise to show all the World Cup action:

The sites offer every game, at any time. They promise high quality footage taken from the best cameras in the arenas. Of course, all credit cards are accepted!

However, if you pay, you will just lose your money. Dubious and dishonest websites like these have no interest in playing by any rules.

One last important point is every day we see a lot of new registered domain names containing words like "Fifa Live World Cup steaming 2014". We believe most of them will be used for a malicious purpose.

Cybercriminals, opportunists and other malicious individuals look for occasions like the World Cup. They know this is the best time to cheat people, stealing their money and infecting their devices. Stay ahead of the game and do not fall into their social engineering traps. Use the best anti-malware protection and keep your wits about you when browsing and looking for the content. By the way, if you want to see a live broadcasting, probably you may use one of these legitimate councils.

You may follow me on twitter: @dimitribest

Attacks before system startup

Mon, 06/16/2014 - 13:34

A major objective pursued by malware writers when developing malicious code is to make it start as early as possible, enabling it to make key modifications to the operating system's code and system drivers, such as installing hooks, before the antivirus product's components initialize. As a result, malware and anti-malware products play cat and mouse of sorts, since they operate at the same level: the operating system, system drivers and rootkits all operate in kernel mode.

Bootkits currently represent the most advanced technology available to cybercriminals. It enables malicious code to start before the operating system loads. The technology is implemented in numerous malicious programs.

We have written about bootkits (such as XPAJ and TDSS (TDL4)) several times. The latest bootkit-related publication so far describes scenarios of targeted attacks based on the bootkit technology as implemented in The Mask campaign. However, such papers are not released often and some experts may get the impression that bootkits, like file viruses, are 'dead', that Trusted Boot has done its job and that the threat is no longer relevant.

Nevertheless, bootkits do exist; they are in demand on the black market and are extensively used by cybercriminals for purposes which include conducting targeted attacks.


Fragment of TDSS loader code in MBR

Statistics

First, let's have a look at KSN statistics. The table below represents a ranking of malicious programs that we detect as Rootkit.Boot.*, for the period from May 19, 2013 to May 19, 2014.

Family Users Notifications Rootkit.Boot.Cidox 45797 60787 Rootkit.Boot.Pihar 25490 75320 Rootkit.Boot.Harbinger 19856 34427 Rootkit.Boot.Sinowal 18762 420549 Rootkit.Boot.SST 8590 73079 Rootkit.Boot.Tdss 5388 19071 Rootkit.Boot.Backboot 4344 9148 Rootkit.Boot.Wistler 4230 13014 Rootkit.Boot.Qvod 1189 1727 Rootkit.Boot.Xpaj 690 2483 Rootkit.Boot.Mybios 442 5073 Rootkit.Boot.Plite 422 648 Rootkit.Boot.Trup 300 7395 Rootkit.Boot.Prothean 217 1407 Rootkit.Boot.Phanta 167 5475 Rootkit.Boot.GoodKit 120 131 Rootkit.Boot.Smitnyl 100 3934 Rootkit.Boot.Stoned 69 96 Rootkit.Boot.Geth 60 166 Rootkit.Boot.Nimnul 53 84 Rootkit.Boot.Niwa 37 121 Rootkit.Boot.Fisp 35 344 Rootkit.Boot.CPD 25 39 Rootkit.Boot.Lapka 19 21 Rootkit.Boot.Yurn 8 18 Rootkit.Boot.Aeon 6 6 Rootkit.Boot.Mebusta 5 5 Rootkit.Boot.Khnorr 4 4 Rootkit.Boot.Sawlam 4 7 Rootkit.Boot.Xkit 4 20 Rootkit.Boot.Clones 1 1 Rootkit.Boot.Finfish 1 1 Total 136435 734601

Most bootkits are proactively detected using behavior-based technology as early as at the stage of their installation in the system. Alternatively, they can be detected the first time the antivirus product performs an automatic scan after system startup, resulting in the active infection removal procedure being launched. Note that the statistics shown above include only infected Master Boot Record detections. The figures also include data received from previously infected machines on which our antivirus solution was installed after the machines were infected.

It can be seen in the table above that derivatives of TDSS - Pihar and SST - are among the TOP 5 bootkits detected. The Harbinger bootkit, which 'covers' adware, is in the third position and Sinowal is in fourth place in the ranking. First place is occupied, with a considerable lead, by Rootkit.Boot.Cidox. Since Cidox has played a special role in bootkit evolution, we will discuss its story in greater detail.

Cidox: publicly available code

Cidox is offered as a supplement to other malicious programs and is used to protect the malware with which it is distributed. This means that the bootkit is not used to build its own botnet TDSS-style.

The initial versions of the malware were included in Kaspersky Lab antivirus databases three years ago, on June 28, 2011. Back then, Cidox was a breakthrough in malicious technology, because it was the first to infect VBR rather than MBR.

Cidox was used to protect the banking Trojan Carberp, among other malicious programs. When the Carberp source code was published, the bootkit's source code was 'leaked' as well. As a result, Cidox re-enacted the story of the infamous ZeuS (Zbot) Trojan. While the 'leak' of ZeuS source code made it much easier to steal money from online banking systems, the publication of Cidox source code has meant that any more or less experienced programmer can have a go at writing malware which operates at the lowest level, before operating system startup.


Fragment of Cidox source code

Cidox is currently used to load and protect a variety of malware, including crimeware, blockers and malware designed to steal money in online banking systems.

Targeted attacks

The Mask campaign mentioned above was not a unique case of bootkits being used in targeted attacks. A while ago, we wrote about HackingTeam, a company whose software (including bootkits) is used when conducting police operations in various countries around the globe. Another company, FinFisher, offers similar services, while the software developed by it also includes a bootkit - Rootkit.Boot.Finfish, which happens to be in last place on our ranking.


List of products and services from FinFisher's official website

An analysis of products offered by FinFisher was presented in a Kaspersky Lab paper prepared for a Virus Bulletin conference. The presentation can be found on the VB website.

BIOS. A quest for new starting points

The never-ending struggle between antivirus solutions and malicious code is leading both the former and the latter to the next phase in their evolution. Malware writers have to search for new starting points, with the BIOS becoming one of these. However, things have hardly moved past test research, because mass modification of the BIOS is an 'inconvenient' operation for malware writers, which requires considerable effort to perform and can therefore be used only in highly targeted attacks.

What dreams may come

The classical BIOS system is now essentially a relict that is difficult to use and has numerous limitations. This was why a completely new unified modular interface, UEFI, was developed by the UEFI Forum consortium based on specifications initially provided by Intel.

What UEFI offers:

  • Support for modern equipment.
  • Modular architecture.
  • EFI Byte Code - architecture and drivers that are independent of the CPU type (x86, x86-64, ARM/ARMv8).
  • Various extensions for UEFI, which are loaded from different media, including portable devices.
  • Development using a high-level programming language (a dialect of C).
  • Secure Boot.
  • Network booting.

We also recommend reading about the 10 most common misconceptions about UEFI.

The following operating systems support UEFI:

  • Linux using elilo or a special version of the GRUB boot loader.
  • FreeBSD.
  • Apple Mac OS X for Intel-compatible systems (v10.4 and v10.5 provide partial support, while v10.8 provides complete support).
  • Microsoft Windows, starting from Windows Server 2008 and Windows Vista SP1 x86-64. Microsoft Windows 8 supports UEFI, including 32 bit UEFI, as well as secure boot.

In short, what does UEFI offer? A simple, easy to understand, well-documented, unified and convenient method of development without resorting to 16-bit assembly programming.

From the viewpoint of an anti-malware solution, UEFI is a very good place to implement something like a rescue disk. First, the rescue disk's code will run before the operating system and boot loader start; second, UEFI offers easy hard drive access, as well as more or less easy network access; third, a simple and easy-to-understand GUI can be created. Just what the doctor ordered when one has to deal with sophisticated and actively resisting threats such as bootkits.

From the viewpoint of malicious code developers, all of the above is also advantageous for a bootkit, enabling it to provide more reliable protection for malware. At least until firmware developers take care to implement proper protection.

However, before moving on to protection functionality, we would like to address one important issue. Equipment manufacturers develop their firmware themselves and make their own decisions regarding support for optional features offered by the UEFI specification. Such features include, first and foremost, protecting firmware in SPI Flash from modification and secure boot. In the case of UEFI, we have the classical problem of Convenience vs. Security.

Threats and protections mechanisms

It comes as no surprise that, as UEFI became universally implemented, it attracted the interest of independent researchers as a potential attack vector (one, two, three). The list of possible penetration points is quite extensive and includes compromising (injecting, replacing or infecting) OS boot loaders and EFI, compromising UEFI drivers, directly accessing SPI Flash from the operating system and many others. In the case of booting in UEFI+Legacy (CSM) mode, old methods of infecting the system used by bootkit developers remain effective. It is also quite obvious that if the pre-boot execution environment is compromised, all the Windows security mechanisms, such as Patch Guard, driver signature verification etc., are rendered useless.

The UEFI specification version 2.2 included a new secure boot protocol, which was to provide a secure pre-boot execution environment, as well as protection against malicious code being executed from potentially vulnerable points.

The secure boot protocol defines the process used to verify the modules being loaded, such as drivers, the OS boot loader and applications. These modules should be signed with a special key and the digital signature should be verified before loading a module. The keys used to verify modules should be stored in a dedicated database protected against penetration, such as a TPM. Keys can be added or modified using other keys, which provide a secure method of modifying the database itself.

Based on the above, implementation of the following security mechanisms by firmware and operating system developers can be regarded as optimal from the security viewpoint:

  • Protecting SPI Flash against malicious modification. Disabling support for upgrading firmware from the operating system.
  • Blocking access to critical UEFI sections, including most environment variables.
  • Completely abandoning the use of CSM.
  • Protecting the system volume containing UEFI drivers, boot loader and applications from malicious modification.
  • Operating system and firmware developers should implement and enable Secure Boot (as well as the Trusted Boot mechanism implemented in Windows OS).
  • Protecting the key storage from modification.
  • Protecting the mechanism used to update the database in which keys are stored from spoofing and other types of attacks.
  • Implementing protection against "Evil Maid" attacks, which involve physical access to the computer.
  • Using the expertise accumulated by leading anti-malware companies and implementing anti-malware technologies at the firmware level.

However, it should be kept in mind that as more advanced protection mechanisms are implemented, cybercriminals will come up with more advanced attacks against UEFI. The methods currently used are based on replacing the UEFI boot loader for the Windows 8 operating system. During its initialization, the malicious OS loader loads a replaced loader into memory, disables Patch Guard security mechanisms and driver signature verification using one method or another, sets the necessary hooks and passes control to the original loader code.

In the case of Mac OS using full-disk encryption, an original approach is used, which is based on implementing a simple UEFI keylogger to obtain the secret passphrase entered by the user on the keyboard to decrypt contents of the hard drive at system startup. In all other respects, the method based on replacing or infecting the system boot loader is applicable in this case, as well.

Conclusion

Bootkits have evolved from Proof-of-Concept development to mass distribution and have now effectively become open-source software. Launching malicious code from the Master Boot Record (MBR) or the Volume Boot Record (VBR) enables cybercriminals to control all the stages of OS startup. This type of infection has essentially become standard for malware writers. Its implementation is based on proven, well-researched technologies. Importantly, these technologies are available on a variety of resources in the form of source code. In the future, this may lead to a significant increase in the amount of malware based on these technologies, with only minor changes in individual programs' logic of operation. We expect to see new modifications of TDSS and Cridex, which are already familiar to cybercriminals. We are also concerned that such malware might be used in other types of attacks perpetrated by cybercriminals, e.g., in systems which use Default Deny technologies.

Crucially, the state-of-the-art anti-malware technologies implemented in our products are successful in combating such infections. Since it is hard to predict now what specific methods of masking, blocking or resisting anti-malware products will be invented by cybercriminals in the near future, implementing anti-malware technologies at the firmware level, in combination with the protection mechanisms described above, will enable security solutions to neutralize rootkits and bootkits before malicious code is able to take control. In addition, incorporating an anti-malware module in UEFI will simplify the process of removing infection and the development of new methods for detecting newly-developed bootkits that use new, advanced masking techniques, as well as rootkits which interfere with the operation of the system or the anti-malware solution.

P.S. Special thanks from the authors to Vasily Berdnikov for his help in researching material for this paper.

Blog: Attacks before system startup

Mon, 06/16/2014 - 03:35

Blog: Cybercriminals targeting obsolete Japanese blogging tool

Thu, 06/12/2014 - 06:00
Cybercriminals are very actively targeting web sites which are not well-managed, so as to abuse them for their malicious activities. Damage to web sites in Japan has increased since last year, which is alarming to Japanese Internet users. Kaspersky Labs Japan has observed more than 2,800 compromised web sites between January and March 2014. WordPress is a popular blogging tool worldwide, but it is often plagued by vulnerabilities which can result in compromised web sites . A similar Japanese-made tool, “Web Diary Professional” (WDP), also experiences such problems. WDP is widely used in Japan, with its Japanese user interface and tutorials.However, it is no longer supported. A new tool has already been introduced as its successor, and the developers have recommended that people migrate. However, a significant number of web site administrators are still using the obsolete WDP, exposing themselves to the threats of cybercriminals.

Analysis: Social network frauds

Wed, 06/11/2014 - 10:00
In 2013 phishing sites imitating social network websites were to blame for more than 35% of cases when the Anti-phishing heuristic component was triggered.

Blog: Microsoft Updates June 2014 - Almost 60 IE and GDI+/TrueType RCE

Tue, 06/10/2014 - 13:34

Microsoft fixes a much smaller set of software product code this month for "Critical" vulnerabilities, and a handful for "Important" fixes. But whoa, almost 60 remote code execution flaws exist in the six versions of Internet Explorer and the Microsoft components that render fonts on your system! Not only is that a very long list of memory corruption issues, but one of the IE bugs reports, credited to Peter Van Eeckhoutte, is over 180 days old. The fix and testing effort must have been a large one over the past few months.

Blog: The first mobile encryptor Trojan

Mon, 06/09/2014 - 07:00

Blog: Area41, formerly known as ...

Mon, 06/02/2014 - 10:11

Gruezi from Zurich, Switzerland, where the Area41 conference is currently being held. Area41 doesn't ring a bell? Well, this event went under a renaming process and was formerly known as Hashdays, that took place in Lucerne. However, the steering team behind it still is the DEFCON Switzland group. And they have found a fantastic venue! The Komplex457 building oozes that indie type of atmosphere, that makes you feel right at home.

Analysis: Children online: the security formula

Thu, 05/29/2014 - 07:00
Many parents are only too aware of the dangers lurking online and want to shield their children from harmful content. But how do they go about it?

Analysis: Spam in April 2014

Wed, 05/28/2014 - 07:00
The percentage of spam in email traffic in April came to 71.1%, which is 7.6 percentage points more than in the March.

Blog: Fake WeChat - New Trojan-Banker

Tue, 05/27/2014 - 11:00

Blog: Scammer of a Lonely Heart

Tue, 05/27/2014 - 10:36
Users in a particular rush to find love online are paying dearly as a popular referral service is flooded with spam bots promising to fulfill fantasies at a deceptively low price.

Pages