Over the past years, Kaspersky's Global Research and Analysis Team (GReAT) has shed light on some of the biggest APT campaigns, including RedOctober, Flame, NetTraveler, Miniduke, Epic Turla, Careto/Mask and others. While studying these campaigns we have also identified a number of 0-day exploits, including the most recent CVE-2014-0546. We were also among the first to report on emerging trends in the APT world, such as cyber mercenaries who can be contracted to launch lightning attacks or more recently, attacks through unusual vectors such as hotel Wi-Fi. Over the past years, Kaspersky Lab's GReAT team has monitoring more than 60 threat actors responsible for cyber-attacks worldwide, organizations which appear to be fluent in many languages such as Russian, Chinese, German, Spanish, Arabic, Persian and others.
By closely observing these threat actors, we put together a list of what appear to be the emerging threats in the APT world. We think these will play an important role in 2015 and deserve special attention, both from an intelligence point of view but also with technologies designed to stop them.The merger of cyber-crime and APT
For many years, cyber-criminal gangs focused exclusively on stealing money from end users. An explosion of credit card theft, hijacking of electronic payment accounts or online banking connections led to consumer losses in the worth hundreds of millions of dollars. Maybe this market is no longer so lucrative, or maybe the cybercriminal market is simply overcrowded, but it now seems like there is a struggle being waged for 'survival'. And, as usual, that struggle is leading to evolution.
What to expect: In one incident we recently investigated attackers compromised an accountant's computer and used it to initiate a large transfer with their bank. Although it might seem that this is nothing very unusual, we see a more interesting trend: Targeted attacks directly against banks, not their users.
In a number of incidents investigated by Kaspersky Lab experts from the Global Research and Analysis Team, several banks were breached using methods straight out of the APT playbook. Once the attackers got into the banks' networks, they collected enough information to enable them to steal money directly from the bank in several ways:
- Remotely commanding ATMs to dispense cash.
- Performing SWIFT transfers from various customer accounts,
- Manipulating online banking systems to perform transfers in the background.
These attacks are an indication of a new trend that is embracing APT style attacks in the cybercriminal world. As usual, cybercriminals prefer to keep it simple: they now attack the banks directly because that's where they money is. We believe this is a noteworthy trend that will become more prominent in 2015.Fragmentation of bigger APT groups
2014 saw various sources expose APT groups to the public eye. Perhaps the best-known case is the FBI indictment of five hackers on various computer crimes:
This public "naming and shaming" means we expect some of the bigger and "noisier" APT groups to shatter and break into smaller units, operating independently.
What to expect: This will result in a more widespread attack base, meaning more companies will be hit, as smaller groups diversify their attacks. At the same time, it means that bigger companies that were previously compromised by two or three major APT groups (eg. Comments Crew and Wekby) will see more varied attacks from a wider range of sources.Evolving malware techniques
As computers become more sophisticated and powerful, operating systems also become more complex. Both Apple and Microsoft have spent a lot of time improving the security posture of their respective operating systems. Additionally, special tools such as Microsoft's EMET are now available to help thwart targeted attacks against software vulnerabilities.
With Windows x64 and Apple Yosemite becoming more popular, we expect APT groups to update their toolsets with more powerful backdoors and technologies to evade security solutions.
What to expect: Today, we are already seeing APT groups constantly deploying malware for 64-bit systems, including 64-bit rookits. In 2015, we expect to see more sophisticated malware implants, enhanced evasion techniques and more use of virtual file systems (such as those from Turla and Regin) to conceal precious tools and stolen data.
While we see these increases in advanced techniques, some attackers are moving in the opposite direction. While minimizing the number of exploits and amount of compiled code they introduce to compromised networks altogether, their work continues to require sophisticated code or exploit introduction at a stable entry into the enterprise, script tools and escalation of privilege of all sorts, and stolen access credentials at victim organizations.
As we saw with BlackEnergy 2 (BE2), attackers will actively defend their own presence and identity within victim networks once discovered. Their persistence techniques are becoming more advanced and expansive. These same groups will step up the amount and aggression of destructive last effort components used to cover their tracks, and they include more *nix support, networking equipment, and embedded OS support. We have already seen some expansion from BE2, Yeti, and Winnti actors.New methods of data exfiltration
The days when attackers would simply activate a backdoor in a corporate network and start siphoning terabytes of information to FTP servers around the world are long gone. Today, more sophisticated groups use SSL on a regular basis alongside custom communication protocols.
Some of the more advanced groups rely on backdooring networking devices and intercepting traffic directly for commands. Other techniques we have seen include exfiltration of data to cloud services, for instance via the WebDAV protocol (facilitates collaboration between users in editing and managing documents and files stored on web servers).
These in turn have resulted in many corporations banning public cloud services such as Dropbox from their networks. However, this remains an effective method of bypassing intrusion detection systems and DNS blacklists.
What to expect: In 2015, more groups to adopt use of cloud services in order to make exfiltration stealthier and harder to notice.New APTs from unusual places as more countries join the cyber arms race
In February 2014, we published research into Careto/Mask, an extremely sophisticated threat actor that appears to be fluent in Spanish, a language rarely seen in targeted attacks. In August, we also released a report on Machete, another threat actor using the Spanish language.
Before that, we were accustomed to observing APT actors and operators that are fluent in relatively few languages. Additionally, many professionals do not use their native language, preferring instead to write in perfect English.
In 2014, we observed a lot of nations around the world publicly expressing an interest in developing APT capabilities:
What to expect: Although we haven't yet seen APT attacks in Swedish, we do predict that more nations will join the "cyber-arms" race and develop cyber-espionage capabilities.Use of false flags in attacks
Attackers make mistakes. In the vast majority of the cases we analyze, we observe artifacts that provide clues about the language spoken by the attackers. For instance, in the case of RedOctober and Epic Turla, we concluded that the attackers were probably fluent in the Russian language. In the case of NetTraveler we came to the conclusion that attackers were fluent in Chinese.
In some cases, experts observe other meta features that could point toward the attackers. For example, performing file timestamp analysis of the files used in an attack may lead to the conclusion in what part of the world most of the samples were compiled.
However attackers are beginning to react to this situation. In 2014 we observed several "false flag" operations where attackers delivered "inactive" malware commonly used by other APT groups. Imagine a threat actor of Western origin dropping a malware commonly used by a "Comment Crew," a known Chinese threat actor. While everyone is familiar with the "Comment Crew" malware implants, few victims could analyze sophisticated new implants. That can easily mislead people into concluding that the victim was hit by the Chinese threat actor.
What to expect: In 2015, with governments increasingly keen to "name and shame" attackers, we believe that APT groups will also carefully adjust their operations and throw false flags into the game.Threat actors add mobile attacks to their arsenal
Although APT groups have been observed infecting mobile phones, this hasn't yet become a major trend. Perhaps the attackers wish to get data that isn't usually available on mobiles, or maybe not all of them have access to the technologies that can infect Android and iOS devices.
In 2014 we saw several new APT tools designed for infecting mobiles, for instance Hacking Team's Remote Control System mobile modules.
Additionally, during the Hong Kong protests in October 2014, attacks were seen against Android and iOS users which appear to be connected to APT operations.
Although a mobile phone might not have valuable documents and schematics, or geopolitical expansion plans for next 10 years, they can be a valuable source of contacts as well as listening points. We observed this with the RedOctober group, which had the ability to infect mobile phones and turn them into "Zakladka's", mobile bugs.
What to expect: In 2015, we anticipate more mobile-specific malware, with a focus on Android and jailbroken iOS.APT+Botnet: precise attack + mass surveillance
In general, APT groups are careful to avoid making too much noise with their operations. This is why the malware used in APT attacks is much less widespread than common crimeware such as Zeus, SpyEye and Cryptolocker.
In 2014 we observed two APT groups (Animal Farm and Darkhotel) using botnets in addition to their regular targeted operations. Of course, botnets can prove to be a vital asset in cyberwar and can be used to DDoS hostile countries; this has happened in the past. We can therefore understand why some APT groups might want to build botnets in addition to their targeted operations.
In addition to DDoS operations, botnets can also offer another advantage - mass surveillance apparatus for a "poor country". For instance, Flame and Gauss, which we discovered in 2012, were designed to work as a mass surveillance tool, automatically collecting information from tens of thousands of victims. The information would have to be analyzed by a supercomputer, indexed and clustered by keywords and topics; most of it would probably be useless. However, among those hundreds of thousands of exfiltrated documents, perhaps one provides key intelligence details, that could make a difference in tricky situations.
What to expect: In 2015 more APT groups will embrace this trend of using precise attacks along with noisy operations and deploy their own botnets.Targeting of hotel networks
The Darkhotel group is one of the APT actors known to have targeted specific visitors during their stay in hotels in some countries. Actually, hotels provide an excellent way of targeting particular categories of people, such as company executives. Targeting hotels is also highly lucrative because it provides intelligence about the movements of high profile individuals around the world.
Compromising a hotel reservation system is an easy way to conduct reconnaissance on a particular target. It also allows the attackers to know the room where the victim is staying, opening up the possibility of physical attacks as well as cyber-attacks.
It isn't always easy to target a hotel. This is why very few groups, the elite APT operators, have done it in the past and will use it as part of their toolset.
What to expect: In 2015, a few other groups might also embrace these techniques, but it will remain beyond the reach of the vast majority of APT players.Commercialization of APT and the private sector
Over the last few years, we published extensive research into malware created by companies such as HackingTeam or Gamma International, two of the best known vendors of "legal spyware". Although these companies claim to sell their software only to "trusted government entities", public reports from various sources, including Citizen Lab, have repeatedly shown that spyware sales cannot be controlled. Eventually, these dangerous software products end up in the hands of less trustworthy individuals or nations, who can use them for cyber-espionage against other countries or their own people.
The fact is that such activities are highly profitable for the companies developing the cyber-espionage software. They are also low risk because – so far – we have not seen a single case where one of these companies was convicted in a cyber-espionage case. The developers of these tools are usually out of the reach of the law, because the responsibility falls with the tool users, not the company that develops and facilitates the spying.
What to expect: It's a high-reward, low risk business that will lead to the creation of more software companies entering the "legal surveillance tools" market. In turn, these tools will be used for nation-on-nation cyber-espionage operations, domestic surveillance and maybe even sabotage.Conclusions
In general, 2014 was a rather sophisticated and diverse year for APT incidents. We discovered several zero-days, for instance CVE-2014-0515 which was used by a group we call "Animal Farm". Another zero-day we discovered was CVE-2014-0487, used by the group known as DarkHotel. In addition to these zero-days, we observed several new persistence and stealth techniques, which in turn resulted in the development and deployment of several new defense mechanisms for our users.
If we can call 2014 "sophisticated", the word for 2015 will be "elusive". We believe that more APT groups will become concerned with exposure and they will take more advanced measures to hide from discovery.
Finally, some of them will deploy false flag operations. We anticipate these developments and, as usual, will document them thoroughly in our reports.
Two years ago, we published our research into RedOctober, a complex cyber-espionage operation targeting diplomatic embassies worldwide. We named it RedOctober because we started this investigation in October 2012, an unusually hot month.
After our announcement in January 2013, the RedOctober operation was promptly shut down and the network of C&Cs was dismantled. As usually happens which these big operations, considering the huge investment and number of resources behind it, they don't just "go away" forever. Normally, the group goes underground for a few months, redesigns the tools and the malware and resume operations.
Since January 2013, we've been on the lookout for a possible RedOctober comeback. One possible hit was triggered when we observed Mevade, an unusual piece of malware that appeared late in 2013. The Mevade C&C name styles as well as some other technical similarities indicated a connection to RedOctober, but the link was weak. It wasn't until August 2014 that we observed something which made us wonder if RedOctober is back for good.Meet Cloud Atlas
In August 2014, some of our users observed targeted attacks with a variation of CVE-2012-0158 and an unusual set of malware. We did a quick analysis of the malware and it immediately stood out because of certain unusual things that are not very common in the APT world.
Some of the filenames used in the attacks included:
- FT - Ukraine Russia's new art of war.doc
- Катастрофа малайзийского лайнера.doc
- Diplomatic Car for Sale.doc
- Organigrama Gobierno Rusia.doc
- Информационное письмо.doc
- Форма заявки (25-26.09.14).doc
- Информационное письмо.doc
- Car for sale.doc
- Af-Pak and Central Asia's security issues.doc
At least one of them immediately reminded us of RedOctober, which used a very similarly named spearphish: "Diplomatic Car for Sale.doc". As we started digging into the operation, more details emerged which supported this theory.
Perhaps the most unusual fact was that the Microsoft Office exploit didn't directly write a Windows PE backdoor on disk. Instead, it writes an encrypted Visual Basic Script and runs it.
Cloud Atlas exploit payload - VBScript
This VBScript drops a pair of files on disk - a loader and an encrypted payload. The loader appears to be different every time and internal strings indicate it is "polymorphically" generated. The payload is always encrypted with a unique key, making it impossible to decrypt unless the DLL is available.
We observed several different spear-phishing documents that drop uniquely named payloads. For instance, the "qPd0aKJu.vbs" file MD5:
E211C2BAD9A83A6A4247EC3959E2A730 drops the following files:
DECF56296C50BD3AE10A49747573A346 - bicorporate - encrypted payload
D171DB37EF28F42740644F4028BCF727 - ctfmonrn.dll - loader
The VBS also adds a registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ setting the key "bookstore" to the value "regsvr32 %path%\ctfmonrn.dll /s", which ensures the malware runs every time at system boot.
Some of the DLL names we observed include:f4e15c1c2c95c651423dbb4cbe6c8fd5 - bicorporate.dll
649ff144aea6796679f8f9a1e9f51479 - fundamentive.dll
40e70f7f5d9cb1a669f8d8f306113485 - papersaving.dll
58db8f33a9cdd321d9525d1e68c06456 - previliges.dll
f5476728deb53fe2fa98e6a33577a9da - steinheimman.dll
Some of the payload names include:steinheimman
The payload includes an encrypted configuration block which contains information about the C&C sever:
The information from the config includes a WebDAV URL which is used for connections, a username and password, two folders on the WebDAV server used to store plugins/modules for the malware and where data from the victim should be uploaded.C&C communication
The Cloud Atlas implants utilize a rather unusual C&C mechanism. All the malware samples we've seen communicate via HTTPS and WebDav with the same server "cloudme.com", a cloud services provider. According to their website, CloudMe is owned and operated by CloudMe AB, a company based in Linköping, Sweden.
(Important note: we do not believe that CloudMe is in any way related to the Cloud Atlas group - the attackers simply create free accounts on this provider and abuse them for command-and-control).
Each malware set we have observed so far communicates with a different CloudMe account though. The attackers upload data to the account, which is downloaded by the implant, decrypted and interpreted. In turn, the malware uploads the replies back to the server via the same mechanism. Of course, it should be possible to reconfigure the malware to use any Cloud-based storage service that supports WebDAV.
Here's a look at one such account from CloudMe:
The data from the account:
The files stored in the randomly named folder were uploaded by the malware and contain various things, such as system information, running processes and current username. The data is compressed with LZMA and encrypted with AES, however, the keys are stored in the malware body which makes it possible to decrypt the information from the C&C.
We previously observed only one other group using a similar method – ItaDuke – that connected to accounts on the cloud provider mydrive.ch.Victim statistics: top 5 infected countries CloudAtlas RedOctober Russia 15 35 Kazakhstan 14 21 Belarus 4 5 India 2 14 Czech Republic 2 5 Similarities with RedOctober
Just like with RedOctober, the top target of Cloud Atlas is Russia, followed closely by Kazakhstan, according to data from the Kaspersky Security Network (KSN). Actually, we see an obvious overlap of targets between the two, with subtle differences which closely account for the geopolitical changes in the region that happened during the last two years.
Interestingly, some of the spear-phishing documents between Cloud Atlas and RedOctober seem to exploit the same theme and were used to target the same entity at different times.Cloud Atlas RedOctober
Both Cloud Atlas and RedOctober malware implants rely on a similar construct, with a loader and the final payload that is stored encrypted and compressed in an external file. There are some important differences though, especially in the encryption algorithms used – RC4 in RedOctober vs AES in Cloud Atlas.
The usage of the compression algorithms in Cloud Altas and RedOctober is another interesting similarity. Both malicious programs share the code for LZMA compression algorithm. In CloudAtlas it is used to compress the logs and to decompress the decrypted payload from the C&C servers, while in Red October the "scheduler" plugin uses it to decompress executable payloads from the C&C.
It turns out that the implementation of the algorithm is identical in both malicious modules, however the way it is invoked is a bit different, with additional input sanity checks added to the CloudAtlas version.
Another interesting similarity between the malware families is the configuration of the build system used to compile the binaries. Every binary created using the Microsoft Visual Studio toolchain has a special header that contains information about the number of input object files and version information of the compilers used to create them, the "Rich" header called so by the magic string that is used to identify it in the file.
We have been able to identify several RedOctober binaries that have "Rich" headers describing exactly the same layout of VC 2010 + VC 2008 object files. Although this doesn't necessarily mean that the binaries were created on the same development computer, they were definitely compiled using the same version of the Microsoft Visual Studio up to the build number version and using similar project configuration.Number of object files, CloudAtlas loader Number of object files, Red October Office plugin Number of object files,Red October Fileputexec plugin HEX compiler version Decoded compiler version 01 01 01 009D766F VC 2010 (build 30319) 01 01 01 009B766F VC 2010 (build 30319) 22 2E 60 00AB766F VC 2010 (build 30319) 5B 60 A3 00010000 – 05 07 11 00937809 VC 2008 (build 30729) 72 5C AD 00AA766F VC 2010 (build 30319) 20 10 18 009E766F VC 2010 (build 30319)
To summarize the similarities between the two:Cloud Atlas RedOctober Shellcode marker in spearphished documents PT@T PT@T Top target country Russia Russia Compression algorithm used for C&C communications LZMA LZMA C&C servers claim to be / redirect to BBC (mobile malware) BBC Compiler version VC 2010 (build 30319) VC 2010 (build 30319) (some modules)
Finally, perhaps the strongest connection comes from targeting. Based on observations from KSN, some of the victims of RedOctober are also being targeted by CloudAtlas. In at least one case, the victim's computer was attacked only twice in the last two years, with only two malicious programs – RedOctober and Cloud Atlas.
These and other details make us believe that CloudAtlas represents a rebirth of the RedOctober attacks.Conclusion
Following big announcements and public exposures of targeted attack operations, APT groups behave in a predictable manner. Most Chinese-speaking attackers simply relocate C&C servers to a different place, recompile the malware and carry on as if nothing happened.
Other groups that are more nervous about exposure go in a hibernation mode for months or years. Some may never return using the same tools and techniques.
However, when a major cyber-espionage operation is exposed, the attackers are unlikely to completely shut down everything. They simply go offline for some time, completely reshuffle their tools and return with rejuvenated forces.
We believe this is also the case of RedOctober, which makes a classy return with Cloud Atlas.
Kaspersky products detect the malware from the Cloud Atlas toolset with the following verdicts:
Several days ago, our products detected an unusual sample from the Destover family. The Destover family of trojans has been used in the high profile attacks known as DarkSeoul, in March 2013, and more recently, in the attack against Sony pictures in November 2014. We wrote about it on December 4th, including the possible links with the Shamoon attack from 2012.
The new sample is unusual in the sense it is signed by a valid digital certificate from Sony:
The signed sample has been previously observed in a non signed form, as MD5: 6467c6df4ba4526c7f7a7bc950bd47eb and appears to have been compiled in July 2014.
The new sample has the MD5 e904bf93403c0fb08b9683a9e858c73e and appears to have been signed on December 5th, 2014, just a few days ago.
Functionally, the backdoor contains two C&Cs and will alternately try to connect to both, with delays between connections:
- 208.105.226[.]235:443 - United States Champlain Time Warner Cable Internet Llc
- 203.131.222[.]102:443 - Thailand Bangkok Thammasat University
So what does this mean? The stolen Sony certificates (which were also leaked by the attackers) can be used to sign other malicious samples. In turn, these can be further used in other attacks. Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective. We've seen attackers leverage trusted certificates in the past, as a means of bypassing whitelisting software and default-deny policies.
We've already reported the digital certificate to COMODO and Digicert and we hope it will be blacklisted soon. Kaspersky products will still detect the malware samples even if signed by digital certificates.
Stolen certificate serial number:
- 01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce
- 8d f4 6b 5f da c2 eb 3b 47 57 f9 98 66 c1 99 ff 2b 13 42 7a
The end of the year is traditionally a time for reflection – for taking stock of our lives before considering what lies ahead. We'd like to offer our customary retrospective of the key events that shaped the threat landscape in 2014.1. Targeted attacks and malware campaigns
Targeted attacks are now an established part of the threat landscape, so it's no surprise to see them feature in our yearly review.
The complex cyber-espionage campaign called 'Careto' or 'The Mask' (Careto is Spanish slang for 'ugly face' or 'mask') was designed to steal sensitive data from specific organizations. The victims of the attack included government agencies, embassies, energy companies, research institutions, private equity firms and activists from 31 countries around the world. Careto included a sophisticated backdoor Trojan capable of intercepting all communication channels and of harvesting all kinds of data from infected computers – including encryption keys, VPN configurations, SSH keys, RDP files and some unknown file types that could be related to bespoke military/government-level encryption tools. The code was highly modular, allowing the attackers to add new functionality at will. There are versions of the backdoor for Windows and Mac OS X and we also found references in some modules indicating that there might be versions for Linux, iOS and Android. As with any sophisticated campaign of this sort, attribution is difficult. Use of the Spanish language in the code doesn't help, since Spanish is spoken in many parts of the world. Also, it's possible that its use is an intentional piece of misdirection. However, the very high degree of professionalism of the group behind this attack is unusual for cybercriminal groups – one indicator that Careto could be a state-sponsored campaign. Like previous targeted attack campaigns, the roots of Careto stretch back well before the threat first came to light: we believe that the attackers have been active since 2007.
Early in March there was widespread discussion among security researchers about a cyber-espionage campaign called 'Epic Turla'. Researchers at G-DATA believed the malware may have been created by Russian special services; while research carried out by BAE Systems linked it to malware identified as 'Agent.btz' that dates back to 2007 and was used in 2008 to infect the local networks of US military operations in the Middle East. Our initial analysis of Epic Turla focused on the malware's use of USB flash drives to store stolen data that can't be sent directly over the Internet to the attackers' Command-and-Control (C2) server. The worm writes a file called 'thumb.dd' to all USB flash drives connected to an infected computer. If the flash drive is subsequently inserted into another computer, the 'thumb.dd' file is copied to the new computer. Epic Turla isn't the only malware that is aware of 'thumb.dd'. This is one of the files in the 'USB Stealer module' in Red October. Looking back further, Gauss and miniFlame were aware of 'thumb.dd and looked for the file on USB flash drives. You can find a chart showing the points of comparison here. We think it's likely that there are tens of thousands of USB flash drives around the world containing files called 'thumb.dd' created by this malware.
In our subsequent analysis of Epic Turla we explained how the attackers use social engineering to spread the malware and highlighted the overall structure of the campaign. The attackers use spear-phishing emails to trick their victims into installing a backdoor on their computer. Some of these include zero-day exploits – one affecting Adobe Acrobat Reader and the other a privilege escalation vulnerability in Windows XP and Windows Server 2003. They also use watering-hole attacks that deploy a Java exploit, Adobe Flash exploits and Internet Explorer exploits, or trick victims into running fake 'Flash Player' malware installers. Depending on the IP address of the victim, the attackers serve Java or browser exploits, signed fake Adobe Flash Player software or a fake version of Microsoft Security Essentials. Unsurprisingly, the choice of web sites reflects the specific interests of the attackers (as well as the interests of the victims). However, our analysis showed that the Epic Turla backdoor is just the first stage of the infection. It is used to deploy a more sophisticated backdoor known as the 'Cobra/Carbon system' (named 'Pfinet' by some anti-malware products). The unique knowledge to operate these two backdoors indicates a clear and direct connection between them: one is used to gain a foothold and validate the high-profile victim. If the victim proves to be of interest to the attackers, the compromised computer is upgraded to the full Carbon system. You can find an overview of the Epic Turla campaign here:
In June we reported on our research into an attack on the clients of a large European bank that resulted in the theft of half a million euros in just one week. We named this 'Luuuk', after the path in the administration panel used in the C2 server. Although we were unable to obtain the malware used to infect the victims, we believe the criminals used a banking Trojan that performed 'Man-in-the-Browser' operations to steal the victims' credentials through a malicious web injection. Based on the information available in some of the log files, the malware stole usernames, passwords and one-time passcodes (OTP) in real time. The attackers used the stolen credentials to check the victim's account balance and perform malicious transactions automatically, probably operating in the background of a legitimate banking session. The stolen money was then transferred automatically to pre-defined money mule accounts. The classification of pre-defined money mules used by the attackers was very interesting. There were four different money mule groups, each defined by the amount of money the mules in the group could accept – probably a reflection of the level of trust between them. We identified 190 victims in total, most of them located in Italy and Turkey. The sums stolen from each victim ranged from €1,700 to €39,000; and amounted to €500,000.
Although the attackers removed all sensitive components soon after our investigation started, we believe that this represents a change of infrastructure rather than a complete shutdown of the operation. The cybercriminals behind the campaign are highly professional and very active. They have also shown proactive operational security activities, changing tactics and removing traces when discovered. The investigation into this campaign, which we reported to the bank concerned and to the appropriate law enforcement agencies, is ongoing.
The end of June saw the re-activation of a targeted attack campaign from early 2013, called 'MiniDuke'. The original campaign stood out for several reasons. It included a custom backdoor written in the 'old school' Assembler programming language. The attack was managed using an unusual command-and-control (C2) infrastructure: it made use of multiple redundancy paths, including Twitter accounts. The developers transferred their updated executables hidden inside GIF files.
Targets of the new operation, known as 'CosmicDuke', or 'TinyBaron', include government, diplomatic, energy, military and telecom operators. But unusually the list of victims also includes those involved in the trafficking and reselling of illegal substances, including steroids and hormones. It's not clear why: maybe the customizable backdoor was made available as so-called 'legal spyware', or it was available in the underground market and was purchased by various rivals in the pharmaceutical business to spy on each other.
Victim geography (Miniduke and CosmicDuke)
The malware spoofs popular applications designed to run in the background - including file information, icons and even file size. The backdoor itself is compiled using 'BotGenStudio' - a customizable framework that allows the attackers to enable and disable components when the bot is constructed. The malware not only steals files with specific extensions, but also harvests passwords, history, network information, address books, information displayed on the screen (screenshots are made every five minutes) and other sensitive data. Each victim is assigned a unique ID, making it possible to push specific updates to individual victims.
The malware is protected with a custom obfuscated loader which heavily consumes CPU resources for 3-5 minutes before passing execution to the payload. This makes it hard to analyze. But it also drains the resources needed by security software to emulate the malware's execution. On top of its own obfuscator, the malware makes heavy use of encryption and compression based on the RC4 and LZRW algorithms. They are implemented slightly differently to the standard versions - we believe that this is done deliberately to mislead researchers. The internal configuration of the malware is encrypted, compressed and serialized as a complicated registry-like structure, which has various record types including strings, integers and internal references. Stolen data uploaded to the C2 server is split into small chunks (of around 3KB), which are compressed, encrypted and placed in a container to be uploaded to the server. If it's a large file, it may be placed into several hundred different containers that are all uploaded independently. It's likely that these data chunks are parsed, decrypted, unpacked, extracted and reassembled on the attacker's side. While this method might add an overhead, the layers of additional processing ensure that very few researchers will get to the original data. This method also offers increased reliability against network errors.
In July we published an in-depth analysis of a targeted attack campaign that we dubbed 'Crouching Yeti' – also known as 'Energetic Bear', because researchers from CrowdStrike had suggested that the attackers were located in Russia: we don't think there's enough evidence to confirm this one way or the other. This campaign, active since late 2010, has so far targeted the following sectors: industrial/machinery, manufacturing, pharmaceutical, construction, education and information technology. So far there have been more than 2,800 victims worldwide, and we have been able to identify 101 different victim organizations – mostly in the United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China.
The attackers behind Crouching Yeti use various types of malware (all designed to infect systems running Windows) to infiltrate their victims, extend their reach within the target organizations and steal confidential data, including intellectual property and other strategic information. The malware used includes special modules to collect data from specific industrial IT environments. Infected computers connect to a large network of hacked web sites that host malware modules, hold information about victims and send commands to infected systems. The attackers use three methods to infect their victims. These include a legitimate software installer re-packaged to include a malicious DLL file; spear-phishing e-mails; and watering-hole attacks.
Technology is now an integral part of our lives, so it's hardly surprising to see a cyber-dimension to conflicts around the world. This is especially true of the Middle East, where geo-political conflicts have intensified in recent years. In August we reported on the increase in malware activity in Syria from early 2013. The victims of these attacks are not only located in Syria: the malware has also been seen in Turkey, Saudi Arabia, Lebanon, Palestine, the United Arab Emirates, Israel, Morocco, France and the United States. We were able to track the C2 servers of the attackers to IP addresses in Syria, Russia, Lebanon, the United States and Brazil. In total, we found 110 files, 20 domains and 47 IP addresses associated with the attacks.
It's clear that the groups involved in the attacks are well organized. So far the attackers have made use of established malware tools rather than developing their own (although they use a variety of obfuscation methods to bypass simple signature-based detection). However, we think it's likely that the number and sophistication of malware used in the region is likely to increase.
In November we published our analysis of the 'Darkhotel' APT, a campaign that has been operating for almost a decade, targeting thousands of victims across the globe. 90% of the infections we have seen are in Japan, Taiwan, China, Russia and Hong Kong, but we have also seen infections in Germany, the USA, Indonesia, India, and Ireland.
The campaign employs varying degrees of targeting. First, they use spear-phishing e-mails and zero-day exploits to infiltrate organizations from different sectors, including Defense Industrial Base (DIB), government and Non-Governmental Organizations (NGOs). Second, they spread malware indiscriminately via Japanese P2P (peer-to-peer) file-sharing sites. Third, they specifically target business executives who are traveling overseas and staying at hotels in a number of countries: using a two-step infection process, the attackers first identify their victims and then download further malware to the computers of more significant targets, designed to steal confidential data from the infected computer.2. Our homes and other vulnerabilities
Exploiting unpatched vulnerabilities remains one of the key mechanisms used by cybercriminals to install malicious code on victims' computers. This relies on the existence of vulnerabilities in widely-used software and the failure of individuals or businesses to patch applications.
This year vulnerabilities were discovered in two widely-used open source protocols, known as 'Heartbleed' and 'Shellshock' respectively. Heartbleed, a flaw in the OpenSSL encryption protocol, lets an attacker read the contents of the memory, and intercept personal data, on systems using vulnerable versions of the protocol. OpenSSL is widely-used to secure Internet-based communications, including web, e-mail, instant messaging and Virtual Private Networks (VPN), so the potential impact of this vulnerability was huge. As often happens when there's a risk that personal data might have been exposed, there was a rush to change passwords. Of course, this could only be effective once an online provider had taken steps to patch OpenSSL and thereby secure their systems – otherwise any new password would be just at risk from attackers trying to exploit the vulnerability. We offered some perspectives on the impact of the flaw two months after its disclosure.
In September, the information security world faced a red alert following the discovery of the Shellshock vulnerability (also known as 'Bash'). The flaw allows an attacker to remotely attach a malicious file to a variable that is executed when the Bash command interpreter is invoked (Bash is the default shell on Linux and Mac OS X systems). The high impact of this vulnerability, coupled with the ease with which it could be exploited, caused considerable concern. Many people compared it to Heartbleed. However, unlike Heartbleed, Shellshock provided full system control – not just the ability to steal data from the memory. It didn't take long for attackers to try and take advantage of the vulnerability – we discussed some early examples soon after it was discovered. In most cases attackers remotely attacked web servers hosting CGI (Common Gateway Interface) scripts that have been written in Bash or pass values to shell scripts. However, it remains possible that the vulnerability could have an impact on a Windows-based infrastructure. Unfortunately, the problem wasn't confined only to web servers. Bash is widely used in the firmware of devices that now take for granted in our everyday lives. This includes routers, home appliances and wireless access points. Some of these devices can be difficult or impossible to patch.
The Internet is becoming woven into the fabric of our lives – literally, in some cases, as connectivity is embedded into everyday objects. This trend, known as the 'Internet of Things', has attracted more and more attention. It can seem very futuristic, but the Internet of Things is actually closer than you may think. The modern home today is likely to have a handful of devices connected to the local network that aren't traditional computers – devices such as a smart TV, a printer, a games console, a network storage device or some kind of media player/satellite receiver.
One of our security researchers investigated his own home, to determine whether it was really cyber-secure. He looked at several pieces of household kit, including network-attached storage (NAS) devices, smart TV, router and satellite receiver, to see if they were vulnerable to attack. The results were striking. He found 14 vulnerabilities in the network-attached storage devices, one in the smart TV and several potentially hidden remote control functions in the router. You can read the full details here. It's important that we all understand the potential risks associated with using network devices – this applies to individuals and businesses alike. We also need to understand that our information is not secure just because we use strong passwords or run software to protect against malicious code. There are many things over which we have no control, and to some degree we are in the hands of software and hardware vendors. For example, not all devices include automated update checks – sometimes consumers are required to download and install new firmware. This is not always an easy task. Worse still, it's not always possible to update a device (most devices investigated during this research had been discontinued more than a year before).3. The continuing exponential growth of mobile malware
We have seen dramatic growth in the numbers of mobile malware in recent years. In the period from 2004-13 we analyzed almost 200,000 mobile malware code samples. In 2014 alone we analyzed a further 295,539 samples. However, this doesn't give the whole picture. These code samples are re-used and re-packaged: in 2014 we saw 4,643,582 mobile malware installation packs (on top of the 10,000,000 installation packs we had seen in the period 2004-13). The number of mobile malware attacks per month increased tenfold – from 69,000 per month in August 2013 to 644,000 in March 2014 (see Mobile Cyber Threats, Kaspersky Lab and INTERPOL Joint Report, October 2014).
53% of all mobile malware detections are now related to malware capable of stealing money. One of the more notable examples is Svpeng, designed to steal money from customers of three of Russia's biggest banks. The Trojan waits until a customer opens an online banking app and replaces it with its own, to try and obtain the customer's login details. It also tries to steal credit card data by displaying its own window over the Google Play app and asking for card details. Another is Waller which, in addition to behaving like a typical SMS Trojan, steals money from QIWI wallets on infected devices.
Cybercriminals have also diversified their efforts to make money from their victims, using methods that have been well-established on desktops and laptops. This includes ransomware Trojans. Fake anti-virus apps are another example of an established approach now being applied to mobile devices. Finally, this year saw the appearance of the first Trojan that is managed through a C2 server hosted in the Tor network. The Torec backdoor is a modification of the commonly-used Tor client, Orbot. The benefit, of course, is that the C2 server can't be shut down.
Until recently, nearly all malware targeting iOS was designed to exploit 'jailbroken' devices.
However, the recent appearance of the 'WireLurker' malware has shown that iOS is not immune from attack.
Mobile devices are now integrated into the fabric of our lives, so it's hardly surprising that the development of mobile malware is underpinned by a cybercrime business that includes malware writers, testers, app designers, web developers and botnet managers.4. Your money or your file(s)
The number of ransomware programs has been growing in recent years. Some simply block access to the victim's computer and demand a ransom payment in order to restore normal access. But many go further than this, encrypting data on the computer. One recent example is 'ZeroLocker'. ZeroLocker encrypts nearly all the files on the victim's computer and adds the extension '.encrypt' to encrypted files (although it doesn't encrypt files located in directories containing the words 'Windows', 'WINDOWS', 'Program Files', 'ZeroLocker' or 'Destroy' and doesn't encrypt files larger than 20MB in size). The Trojan uses a 160-bit AES key to encrypt files. Once the files are encrypted, it runs the 'cipher.exe' utility to remove all unused data from the drive. Both these things make file recovery very difficult. The cybercriminals behind ZeroLocker demand an initial $300 worth of Bitcoins to decrypt the file. If the victim does not pay promptly the fee increases to $500 and $1,000 as time goes on.
Another ransomware program that we analyzed this year is Onion. Not only does this Trojan use the Tor network to hide its C2 servers, but it also supports full interaction with Tor without any input from the victim. Other programs like this communicate with the Tor network by launching (sometimes by injecting code into other processes) the legitimate 'tor.exe' file. By contrast Onion implements this communication as part of the malware code itself. Onion also uses an unorthodox cryptographic algorithm that makes file decryption impossible, even if traffic between the Trojan and the C2 server is intercepted. This Trojan not only uses asymmetric encryption, it also uses a cryptographic protocol known as ECDH (Elliptic Curve Diffie-Hellman). This makes decryption impossible without the master private key – which never leaves the cybercriminals' controlled server.
This year the use of ransomware programs has been extended to devices running Android. The first version of Svpeng, for example, discovered early in 2014, blocks the phone, claiming that the victim was viewing child pornography and demanding a 'fine' of $500 to unlock the phone. A subsequent modification of this malware, discovered in June 2014, completely blocks the device, so that it can only be turned off by pressing down the 'Off' button for a long time – and the Trojan loads again as soon as the device has been switched on again. This version was aimed mainly at victims in the US, but we also saw victims in the UK, Switzerland, Germany, India and Russia. This version demands a payment of $200 to unblock the phone, payment to be made using MoneyPak vouchers. The ransom demand screen displays a photograph of the victim, taken using the frontal camera. Another Trojan, called 'Koler', discovered in May 2014, uses the same approach – blocking access to the device and demanding a ransom payment of between $100 and $300 to unblock the phone. Like Svpeng, this Trojan displays a message claiming to be from the police – it targets victims in more than 30 countries around the world, using local 'police' messages.
Koler's distribution infrastructure
The first Android Trojan to encrypt data, called 'Pletor', appeared in May 2014. This Trojan uses the AES encryption algorithm to encrypt the contents of the phone's memory card and then displays a ransom demand on the screen, payable using the victim's QIWI Visa wallet, MoneXy or standard transfer of money to a telephone number. This Trojan mainly targets victims in Russia and Ukraine (although we have seen victims in other former Soviet republics) and demands the equivalent of around $300 in rubles or hryvnia.
Ransomware operations rely on their victims paying up. Don't do it! Instead, make regular backups of your data. That way, if you ever fall victim to a ransomware program (or a hardware problem that stops you accessing your files) you will not lose any of your data.5. Cha-ching! Using malware to get money from ATMs
Malware for ATMs is not new. The first malware of this kind, called 'Skimer', was found in 2009 – this targeted ATMs in Eastern Europe running a Windows-based operating system. This used undocumented functions to print details of cards inserted in the infected machine and to open cassettes using a master card command. We saw further ATM malware in Brazil, in 2010 ('SPSniffer'): this collected PIN numbers in outdated ATMs using PIN pads that weren't using strong cryptographic protection. Then last year we saw a further family of ATM malware ('Atmer'), designed to steal money from ATMs in Mexico.
This year, at the request of a financial institution, we carried out a forensic investigation into a new attack on ATMs in Asia, Europe and Latin America. The operation was in two stages. The cybercriminals gain physical access to the ATMs and use a bootable CD to install the malware, called 'Tyupkin'; then they reboot the machine to load the malware, putting them in control of the ATM. The malware then runs in an infinite loop, waiting for a command.
To make the scam less obvious, the malware only accepts commands at specific times on Sunday and Monday nights. The attackers can then enter a combination of digits on the ATM keyboard, make a call to the malware operators, enter a further set of numbers and then collect the cash dispensed by the ATM.
Video Footage obtained from security cameras at the infected ATMs showed the methodology used to access cash from the machines. A unique digit combination key based on random numbers is freshly generated for every session: this ensures that no one outside the gang can accidentally profit from the fraud. Then the malicious operator receives instructions by phone from another member of the gang who knows the algorithm and is able to generate a session key based on the number shown: this ensures that the mules collecting the cash do not try to go it alone. When the correct key is entered, the ATM shows how much money is available in each cash cassette, inviting the operator to choose which cassette to rob. Then it dispenses 40 bank notes at a time from the chosen cassette.
The upswing in ATM attacks in recent years is a natural evolution from the more well-established method of using physical skimmers to capture data from cards used in ATMs that have been tampered with. Unfortunately, many ATMs run operating systems with known security weaknesses. This makes physical security even more important; and we would urge all banks to review the physical security of their ATMs.6. Windows XP: forgotten but not gone?
Support for Windows XP ended on 8 April: this means no new security updates, no security hotfixes, free or paid assisted support options or online technical content updates. Sadly, there are still a lot of people running Windows XP – our data suggests that Windows XP accounts for around 18% of infections. This is a lot of people wide open to attack now that security patches have dried up. Effectively, every vulnerability discovered since April is a zero-day vulnerability – that is, one for which there is no chance of a patch. This problem will be compounded as application vendors stop developing updates for Windows XP. Every unpatched application will become yet another potential point of compromise, further increasing the potential attack surface. In fact, this process has already started: the latest version of Java no longer supports Windows XP.
Every Windows XP vulnerability discovered since April is a zero-day vulnerability #KLReportTweet
It might seem that the simple and obvious solution is to upgrade to a newer operating system. But even though Microsoft gave plenty of notice about the end of support, it's not difficult to see why migration to a new operating system might be difficult for some businesses. On top of the cost of switching, it may also mean investing in new hardware and even trying to replace a bespoke application developed specifically for the company – one that will not run on a later operating system. So it's no surprise see some organizations paying for continued XP support.
Of course, an anti-virus product will provide protection. But this only holds good if by 'anti-virus' we mean a comprehensive Internet security product that makes use of proactive technology to defend against new, unknown threats – in particular, functionality to prevent the use of exploits. A basic anti-virus product, based largely on signature-based scanning for known malware, is insufficient. Remember too that, as times goes by, security vendors will implement new protection technologies that may well not be Windows XP-compatible.
Anyone still running Windows XP should see this as a stop-gap, while they finalize a migration strategy. Malware writers will undoubtedly target Windows XP while significant numbers of people continue to run it, since an un-patched operating system will offer them a much bigger window of opportunity. Any Windows XP-based computer on a network offers a weak point that can be exploited in a targeted attack on the company – if compromised this will become a stepping-stone into the wider network.
There's no question that switching to a newer operating system is inconvenient and costly - for individuals and businesses. But the potential risk of using an increasingly insecure operating system is likely to outweigh the inconvenience and cost.7. Beneath the layers of the onion
Tor (short for The Onion Router) is software designed to allow someone to remain anonymous when accessing the Internet. It has been around for some time, but for many years was used mainly by experts and enthusiasts. However, use of the Tor network has spiked this year, in large part because of growing concerns about privacy. Tor has become a helpful solution for those who, for any reason, fear surveillance and the leakage of confidential information. However, our investigations highlighted the fact that Tor is also attractive for cybercriminals, who value the anonymity it offers.
We started seeing cybercriminals actively using Tor to host their malicious infrastructure in 2013. In addition to malware, we found many related resources, including C2 servers, administration panels and more. By hosting their servers in the Tor network, cybercriminals make them harder to identify, blacklist and eliminate. There's also a Tor-based underground marketplace, including the buying and selling of malware and stolen personal data – typically paid for using the crypto-currency Bitcoin, enabling cybercriminals to remain untraceable. Tor allows cybercriminals to conceal the operation of the malware they use, to trade in cybercrime services and launder their illegal profits.
In July we published our analysis of a ransomware Trojan, called 'Onion' that broke new ground in its use of Tor.
Developers of Android-based malware have also started to use Tor. The Torec Trojan, a malware variation of the popular Orbot Tor client, uses a domain in the .onion pseudo zone as a C2 server. Some modifications of the Pletor ransomware Trojan also use the Tor network to communicate with the cybercriminals managing the scam.
Cybercriminals can't always operate with impunity, despite using Tor, as demonstrated by the recent global law enforcement operation against a number of Tor-based cybercrime services ('Operation Onymous').
This begs the question of how the police agencies involved were able to compromise a supposedly 'impenetrable' network – because, in theory at least, there's no way of knowing the physical location of a web server behind a hidden service that someone visits. However, there are ways to compromise a hidden service that don't involve attacking the Tor architecture itself, as we discussed here. A Tor-based service can only remain secure if it's properly configured, if it's free from vulnerabilities or configuration errors and the web application doesn't have any flaws.8. The good, the bad and the ugly
Unfortunately, software isn't neatly divided between good and bad programs. There's always the risk that software developed for legitimate purposes might be misused by cybercriminals. At the Kaspersky Security Analyst Summit 2014 in February we outlined how improper implementation of anti-theft technologies residing in the firmware of commonly used laptops and some desktop computers could become a powerful weapon in the hands of cybercriminals. Our research started when a Kaspersky Lab employee experienced repeated system process crashes on one of his personal laptops, related to instability in modules belonging to the Computrace software developed by Absolute Software. Our colleague hadn't installed the software and didn't even know it was present on the laptop. This caused us concern because, according to an Absolute Software white paper, the installation should be done by the owner of the computer or their IT service. On top of this, while most pre-installed software can be permanently removed or disabled by the owner of the computer, Computrace is designed to survive a professional system cleanup and even a hard disk replacement. Moreover, we couldn't simply dismiss this as a one-off occurrence because we found similar indications of Computrace software running on personal computers belonging to some of our researchers and some enterprise computers. As a result, we decided to carry out an in-depth analysis.
When we first looked at Computrace, we mistakenly thought it was malicious software, because it uses so many tricks that are popular in current malware. Indeed, in the past this software has been detected as malware although at present most anti-malware companies whitelist Computrace executables.
In our view, strong authentication and encryption must be built into a powerful legal surveillance tools #KLReportTweet
We believe that Computrace was designed with good intentions. However, our research shows that vulnerabilities in the software could allow cybercriminals to misuse it. In our view, strong authentication and encryption must be built into such a powerful tool. We found no evidence that Computrace modules had been secretly activated on the computers we analyzed. But it's clear that there are a lot of computers with activated Computrace agents. We believe that it's the responsibility of manufacturers, and Absolute Software, to notify these people and explain how they can deactivate the software if they don't wish to use it. Otherwise, these orphaned agents will continue to run unnoticed and will provide opportunities for remote exploitation.
In June, we published the results of our research into a piece of 'legal' software called Remote Control System (RCS) developed by the Italian company HackingTeam. We discovered a feature that can be used to fingerprint its C2 servers. This allowed us to scan the entire IPv4 space and find all the IP addresses of RCS C2 servers across the globe. We found 326 in total, the greatest number of them located in the US, Kazakhstan and Ecuador. Several IPs were identified as 'government'-related, based on their WHOIS information. Of course, we can't be sure that the servers located in a specific country are being used by law enforcement agencies in that country, but this would make sense: after all, it would avoid cross-border legal problems and avoid the risk of servers being seized by others. We also found a number of mobile malware modules coming from HackingTeam, for Android, iOS, Windows Mobile and BlackBerry. They are all controlled using the same configuration type – a good indication that they are related and belong to the same product family. Unsurprisingly, we were particularly interested in those relating to Android and iOS, because of the popularity of those platforms.
The modules are installed using infectors – special executables for either Windows or Mac OS that run on already-infected computers. The iOS module supports only 'jailbroken' devices. This does limit its ability to spread, but the method of infection used by RCS means that an attacker can run a jailbreaking tool (such as Evasi0n) from the infected computer to which the phone is connected – as long as the device isn't locked. The iOS module allows an attacker to access data on the device (including e-mail, contacts, call history, cached web pages), to secretly activate the microphone and to take regular camera shots. This gives complete control over the whole environment in and around a victim's computer.
We seek to detect and remediate any malware attack, regardless of its origin or purpose #KLReportTweet
The Android module is protected by the DexGuard optimizer/obfuscator, so it was difficult to analyze. But we were able to determine that it matches the functionality of the iOS module, plus offering support for hijacking information from the following applications: 'com.tencent.mm', 'com.google.android.gm', 'android.calendar', 'com.facebook', 'jp.naver.line.android' and 'com.google.android.talk'.
This new data highlighted the sophistication of such surveillance tools. Our policy in relation to such tools is very clear. We seek to detect and remediate any malware attack, regardless of its origin or purpose. For us, there's no such thing as 'right' or 'wrong' malware; and we've issued public warnings about the risks of so-called 'legal' spyware in the past. It's imperative that these surveillance tools don't fall into the wrong hands – that's why the IT security industry can't make exceptions when it comes to detecting malware.9. Privacy and security
The ongoing tension between privacy and security has continued to make headlines.
Among the usual steady stream of security breaches this year, it's not really surprising that the incident that attracted most attention was the theft and subsequent publication of explicit photographs of various Hollywood celebrities. This story highlights the dual responsibility of providers and individuals in securing data stored online. It seems that the theft was made possible by a loophole in iCloud security: the 'Find My iPhone' interface lacked any limitation on the number of password attempts, allowing attackers to brute-force the passwords of the victims. Apple closed up this loophole soon afterwards. However, the attack would not have been possible had the victims not used weak passwords. We increasingly live our lives online. But many of us fail to consider the implications of storing personal data online. The security of a cloud service depends on the provider. The moment we entrust our data to a third-party service, we automatically lose some control over it. It's important to cherry-pick the data we store in the cloud and decide what data is automatically moved from our devices to the cloud.
The issue of passwords is one that keeps surfacing. If we choose a password that is too easy to guess, we leave ourselves wide open to identify theft. The problem is compounded if we recycle the same password across multiple online accounts – if one account is compromised, they're all at risk! This is why many providers, including Apple, Google and Microsoft, now offer two-factor authentication – i.e. requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings. Two-factor authentication certainly enhances security – but only if it's required, rather than just being an option.
Two-factor authentication enhances security – but only if it's required, rather than being an option #KLReportTweet
There's always a trade-off between security and ease of use. In an effort to strike this balance, Twitter recently launched its Digits service. Customers no longer need to create a username and password combination in order to sign in to an app. Instead, they simply enter their phone number. They receive a one-time passcode to confirm each transaction – this code is read automatically by the app. Twitter is effectively making itself a go-between, verifying the identity of the customer for the app provider. There are several benefits. Consumers no longer have to worry about creating a login and password combination to set up an account with an app provider; and they don't need to have an e-mail address. App developers don't need to create their own framework for verifying logins; and they won't lose potential customers who don't use e-mail. Twitter gets more visibility into what its customers are interested in. In addition, the fact that no passwords are stored on the app provider's server is also a plus: a breach of an app provider's server will not result in the loss of personal data belonging to customers. However, if someone loses their device, or if it's stolen, the number verification will still work – and anyone with access to the device will be able to access an app in the same way as the legitimate owner. That said, it doesn't represent a step backwards in security compared to the traditional username and password method. Currently, mobile apps don't force a login each time an app is run anyway, so if someone steals a phone, and the owner isn't using a PIN, passcode or fingerprint, the thief has access to everything – e-mail, social networks and apps. In other words, security is dependent on a single-point-of-failure – the PIN, passcode or fingerprint used to access the device itself.
In response to increasing concerns about privacy, the developers of the 'pwnedlist.com' web site created an easy to use interface where people can check to see if their e-mail addresses and passwords have been stolen and published online. This year they have made this a chargeable service.
The response of both Apple and Google to growing fears about loss of privacy was to enable default encryption of data on iOS and Android devices, something that some law enforcement agencies believe plays into the hands of cybercriminals – making it easier for them to evade detection.10. International law enforcement: co-operation brings results
Cybercrime has become an established part of life, on the back of the ever-increasing online activities we engage in. It's tempting to imaging that cybercriminals are able to operate with impunity, but the actions of law enforcement agencies can have a significant impact on their activities. International co-operation is particularly important, given the global nature of cybercrime. This year there have been some notable police successes.
In June 2014 an operation involving law enforcement agencies of several countries, including the UK's NCA (National Crime Agency) and the FBI, was able to take down the global network of computers responsible for managing the 'GameoverZeus' botnet. The police operation ('Operation Tovar') disrupted the communications underlying the botnet, thereby preventing the cybercriminals from controlling it. GameoverZeus was one of the largest operating botnets based on the code of the Zeus banking Trojan. In addition to infecting computers with the Zeus Trojan and stealing login credentials for online e-mail accounts, social networks, online banking and other online financial services, the botnet also distributed the 'Cryptolocker' ransomware program. The police campaign offered victims a breathing-space in which to clean their computers.
Earlier this year Kaspersky Lab contributed to an alliance of law enforcement and industry organizations, co-ordinated by the NCA, to disrupt the infrastructure behind the 'Shylock' Trojan. The Shylock banking Trojan, so-called because its code contains excerpts from Shakespeare's The Merchant of Venice, was first discovered in 2011. Like other well-known banking Trojans Shylock is a man-in-the-browser attack designed to steal banking login credentials from the computers of bank customers. The Trojan uses a pre-configured list of target banks, located in different countries around the world.
In November, Operation Onymous resulted in the take-down of dark markets running within the Tor network.
Recently, an interesting malicious sample was uploaded to a multi-scanner service. This immediately triggered our interest because it appears to represent a previously unknown piece of a larger puzzle. That puzzle is "Turla", one of the most complex APTs in the world.
We have written previously about the Turla APT with posts about their Epic Turla operations and Agent.btz inspiration . So far, every single Turla sample we've encountered was designed for the Microsoft Windows family, 32 and 64 bit operating systems. The newly discovered Turla sample is unusual in the fact that it's the first Turla sample targeting the Linux operating system that we have discovered.
This newly found Turla component supports Linux for broader system support at victim sites. The attack tool takes us further into the set alongside the Snake rootkit and components first associated with this actor a couple years ago. We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet.
The Linux Turla module is a C/C++ executable statically linked against multiple libraries, greatly increasing its file size. It was stripped of symbol information, more likely intended to increase analysis effort than to decrease file size. Its functionality includes hidden network communications, arbitrary remote command execution, and remote management. Much of its code is based on public sources.Md5 Size Verdict Name 0994d9deb50352e76b0322f48ee576c6 627.2 kb N/A (broken file) 14ecd5e6fc8e501037b54ca263896a11 637.6 kb HEUR:Backdoor.Linux.Turla.gen
General executable characteristics:
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, stripped
Statically linked libraries:
- glibc2.3.2 - the GNU C library
- openssl v0.9.6 - an older OpenSSL library
- libpcap - tcpdump's network capture library
Hardcoded C&C, known Turla activity: news-bbc.podzone[.]org
The domain has the following pDNS IP: 220.127.116.11
Note: the C&C domain is currently sinkholed by Kaspersky Lab.
The sample is a stealth backdoor based on the cd00r sources.
This Turla cd00r-based malware maintains stealth without requiring elevated privileges while running arbitrary remote commands. It can't be discovered via netstat, a commonly used administrative tool. It uses techniques that don't require root access, which allows it to be more freely run on more victim hosts. Even if a regular user with limited privileges launches it, it can continue to intercept incoming packets and run incoming commands on the system.Startup and Execution
To start execution, the process requires two parameters: ID (a numeric value used as a part of the "magic packet for authentication") and an existing network interface name. The parameters can be inputted two different ways: from STDIN, or from dropper a launching the sample. This is NOT a command-line parameter, it's a real prompt asking the attacker user to provide the input parameters. After the ID and interface name are entered and the process launched, the backdoor's process PID is returned. Here is a screenshot of this simple interface:
While there is no initial network callback, a section of code maintains a hardcoded c2 string "news-bbc.podzone[.]org". This fully qualified domain name was first set up in 2010, suggesting that this binary is fairly recent in the string of Turla campaigns. Also, while we haven't seen additional file download activity from this server by this tool, it likely participated as a file server of sorts.Magic Packets for Remote Command Execution
The module statically links PCAP libraries, and uses this code to get a raw socket, applies a filter on it, and captures packets, checking for a specific condition (the *original cd00r first used this method, based on ports and SYN-packets). This condition is expressed here (it is based on the ID value input at startup by the attacker):ID = 123 Filter = (tcp[8:4] & 0xe007ffff = 0xe003bebe) or (udp[12:4] & 0xe007ffff = 0xe003bebe) ID = 321 Filter = (tcp[8:4] & 0xe007ffff = 0x1bebe) or (udp[12:4] & 0xe007ffff = 0x1bebe)
In simple terms, it checks for an ACK number in the TCP header, or the second byte from the UDP packet body.
If such a packet is received and the condition check is successful, execution jumps to the packet payload contents, and it creates a regular socket. The backdoor handles this socket as a file with read/write operations. It's not the typical recv/send used in this code. It uses this new socket to connect to the source address of the "magic packets". Then it reports its own PID and IP to the remote address, and starts an endless loop for receiving remote commands. When a command arrives, it is executed with a "/bin/sh -c " script.Unused Code
The sample contains much unused code (at least, it isn't called directly from within the backdoor's code). Also, this sample has duplicate code, for instance - getting IP interface. This unfinished programming again tells us the sample is similar to a debug or beta version.
Much of the unused code is related to file I/O:
- parsing('/root/.tmpware') – parsing, syntax check (begin, end, table) – reads (fscanf) file by format "%*s %o %s", where %o %s is mode and pathname. Then these parameters are passed to chmod(pathname, mode). E.g. sample changes format of files, specified in some other structured file.
chmod(fd, 140h) – only owner
The descriptor then is used everywhere in the code for reading and writing various files. The sample writes to available file paths:PATH=/bin:/usr/bin:/usr/local/bin:/usr/openwin/bin:/usr/ucb/bin:/ usr/ccs/bin
Although Linux variants from the Turla framework were known to exist, we haven't seen any in the wild yet.
This specific module appears to have been put together from public sources with some added functionality from the attackers. Some of the malicious code appears to be inactive, perhaps leftovers from older versions of the implant. Perhaps the most interesting part here is the unusual command and control mechanism based on TCP/UDP packets, as well as the C&C hostname which fits previously known Turla activity.
The discovery of this Turla module rises one big question: how many other unknown Turla variants exist?
Update: Since the publishing of this blogpost, we have discovered another Linux Turla module, which apparently represents a different malware generation than the previously known samples:
The new sample was heuristically detected by our product due to similarities with the previously discovered samples.Md5 Size Verdict Name 19fbd8cbfb12482e8020a887d6427315 801,561 bytes HEUR:Backdoor.Linux.Turla.gen Related research:
- BAE Systems - The Snake Campaign
- Kaspersky Lab - The Epic Turla Operation
- "TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos" by CIRCL.LU
- "Uroburos: the snake rootkit", technical analysis by deresz and tecamac
- Agent.BTZ - A Source of Inspiration?
All statistics used in this report were obtained using Kaspersky Security Network (KSN) a distributed antivirus network based on the work of various components of Kaspersky Lab's anti-malware protection. The data was collected from KSN users who agreed to transfer it. Millions of Kaspersky Lab products users from 213 countries and territories worldwide participate in the global exchange of information about malicious activity.
The data presented covers the period from November 2013 to October 2014.The year in figures
- According to KSN data, Kaspersky Lab products detected and neutralized a total of 6,167,233,068 threats during the reported period.
- A total of 3,693,936 attempts to infect Mac OS X- based computers were blocked by Kaspersky Lab products.
- Kaspersky Lab solutions blocked 1,363,549 attacks on Android-based devices.
- Kaspersky Lab solutions repelled 1,432,660,467 attacks launched from online resources located all over the world.
- To carry out their attacks, cybercriminals used 9,766,119 unique hosts.
- 44% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in the US and Germany.
- 38% of user computers were subjected to at least one web attack over the year.
- A total of 1,910,520 attempts to launch banking malware on user computers were neutralized in 2014.
- Kaspersky Lab's web antivirus detected 123,054,503 unique malicious objects: scripts, exploits, executable files, etc.
- Kaspersky Lab's antivirus solutions detected a total of 1,849,949 unique malicious and potentially unwanted objects.
During the reporting period Kaspersky Lab detected the following:
- 4,643,582 malicious installation packets
- 295,539 new malicious mobile programs
- 12,100 mobile banking Trojans
Overall from the beginning of November 2013 to the end of October 2014 Kaspersky Lab warded off 1,363,549 unique attacks. For the same period in 2012-2013 the figure was 335,000 unique attacks. There were four times as many attacks on Android devices compared with the previous 12 months.
19% of Android users encountered a mobile threat at least once during the year - nearly one in five users.
53% of Android-attacks used mobile Trojans designed to steal the user's money (SMS Trojans and banking Trojans).Geography of mobile threats
Attacks by malicious mobile software were recorded in more than 200 countries.
Percentage from total number of attacked users
TOP 10 countries by number of attacked usersCountry % of attacked users* 1 Russia 45.7% 2 India 6.8% 3 Kazakhstan 4.1% 4 Germany 4.0% 5 Ukraine 3.0% 6 Vietnam 2.7% 7 Iran 2.3% 8 UK 2.2% 9 Malaysia 1.8% 10 Brazil 1.6%
*percentage of attacked users in the country from total number of attacked users
Russia maintained its leading position in terms of the number of users attacked.
The number of recorded attacks greatly depends on the number of users in a country. To evaluate the danger of infection by mobile malware in various countries we counted the percentage of malicious applications among the total number applications that users tried to install. This method produced very different results from those shown above.
TOP 10 countries by risk of infectionCountry* % of malicious applications 1 Vietnam 2.34% 2 Poland 1.88% 3 Greece 1.70% 4 Kazakhstan 1.62% 5 Uzbekistan 1.29% 6 Serbia 1.23% 7 Armenia 1.21% 8 Czech Republic 1.02% 9 Morocco 0.97% 10 Malaysia 0.93%
* Countries where the number of downloaded applications was less than 100,000 were excluded from these results
Vietnam leads this rating: 2.34% of all applications that users tried to download were malicious.
Russia, which suffered by far the most attacks, was only 22nd in terms of risk of infection with 0.69%.
In Spain the risk of infection was 0.54%, in Germany 0.18% and in the UK 0.16%, in Italy 0.09% and in the USA 0.07%. The situation is best of all in Japan, where only 0.01% of all applications that users tried to install proved to be malicious.TOP 20 mobile threats of 2014 Name % of attacks 1 Trojan-SMS.AndroidOS.Stealer.a 18.0% 2 RiskTool.AndroidOS.MimobSMS.a 7.1% 3 DangerousObject.Multi.Generic 6.9% 4 RiskTool.AndroidOS.SMSreg.gc 6.7% 5 Trojan-SMS.AndroidOS.OpFake.bo 6.4% 6 AdWare.AndroidOS.Viser.a 5.9% 7 Trojan-SMS.AndroidOS.FakeInst.a 5.4% 8 Trojan-SMS.AndroidOS.OpFake.a 5.1% 9 Trojan-SMS.AndroidOS.FakeInst.fb 4.6% 10 Trojan-SMS.AndroidOS.Erop.a 4.0% 11 AdWare.AndroidOS.Ganlet.a 3.8% 12 Trojan-SMS.AndroidOS.Agent.u 3.4% 13 Trojan-SMS.AndroidOS.FakeInst.ff 3.0% 14 RiskTool.AndroidOS.Mobogen.a 3.0% 15 RiskTool.AndroidOS.CallPay.a 2.9% 16 Trojan-SMS.AndroidOS.Agent.ao 2.5% 17 Exploit.AndroidOS.Lotoor.be 2.5% 18 Trojan-SMS.AndroidOS.FakeInst.ei 2.4% 19 Backdoor.AndroidOS.Fobus.a 1.9% 20 Trojan-Banker.AndroidOS.Faketoken.a 1.7%
10 out of the 20 programs in this rating are SMS Trojans from the following families: Stealer, OpFake, FakeInst, Agent and Erop.
Trojan-SMS.AndroidOS.Stealer.a were among the most widespread families throughout the year and finished up on top of the annual ranking by a considerable margin.
This SMS Trojan spread very actively. After May 2014 the number of Stealer attacks matched the total number of attacks involving all other SMS Trojans.
The number of users attacked with Trojan-SMS.AndroidOS.Stealer.a and all other SMS Trojans (November 2013 - October 2014)Reduction in attacks by SMS Trojans
As before, SMS Trojans are the single biggest component in the flow of mobile malware; in our figures they have 23.9% of the total.
Distribution of mobile threats by type (Kaspersky Lab collection)
However, as the above diagram shows, in the second half of 2014 there were fewer attacks with SMS Trojans. As a result for the year their amount reduced by 12.3%.
Let's look in a bit more detail at the change in distribution of the SMS Trojans that are most popular with cybercriminals (other than Stealer.a).
Number of users attacked by popular SMS Trojans (November 2013 — October 2014)
May saw a sharp fall in the number of SMS Trojans detected in Russia, where attacks with the use of SMS Trojans are particularly widespread. The fall was caused by a change in the way paid messages work in Russia. In May 2014 mobile operators in Russia were forced to use an Advice of Charge (AoC) mechanism. Now when a mobile device sends a message to a paid number the operator must inform the device owner of the cost of the service and get confirmation of the payment.
As a result, SMS Trojans are less profitable and their criminal nature is clearly exposed. Now the only way to make a profit is to use Trojans that can send an SMS to a premium rate number and then intercept the operator's request and return a confirmation on behalf of the user.
As a result partners in several semi-legal programs, which had earlier distributed applications with SMS Trojan functionality, left this business. Their operating model had been based on badly explained conditions for the provision of paid services, or subscription and service charges that were simply not indicated.
We can assume that Russian creators of SMS Trojans who found themselves out of work will have to look for new projects. Some of them might switch to attacking users in other countries and some to working on more serious malware such as banking programs. Hopefully at least some of them will turn their backs on the underworld and will put their skills to lawful use.
The changes in distribution patterns are clearly visible with once-popular SMS trojans like OpFake.bo, FakeInst.a and OpFake.a. They used to be seen in 10-20,000 attacks a month; now the numbers are 1-2,000.Mobile banking Trojans
During the period in question we detected 12,100 mobile banking Trojans — nine times as many as than in 2013.
Number of mobile banking Trojans in the Kaspersky Lab collection (November 2013 — October 2014)
45,032 users were attacked with mobile banking Trojans at least once in the course of the year.
And the number of countries under attack is growing: at least one attack using a mobile banking Trojan was recorded in 90 different countries worldwide.
Geography of mobile banking threats (number of attacked users in the period November 2013 — October 2014)
TOP 10 countries for banking Trojan attacksCountry Number of attacked users % of all attacks* 1 Russia 39,561 87.85% 2 Kazakhstan 1,195 2.65% 3 Ukraine 902 2.00% 4 USA 831 1.85% 5 Belorus 567 1.26% 6 Germany 203 0.45% 7 Lithuania 201 0.45% 8 Azeraijan 194 0.43% 9 Bulgaria 178 0.40% 10 Uzbekistan 125 0.28%
* Perentage of attacked users in each country from the total all attacked users
Russia has retained its place as the leader in this rating.Threats designed for Mac OS X
In 2014 Kaspersky Lab security products designed to protect Mac OS X-based computers blocked 3,693,936 infection attempts.
Kaspersky Lab experts detected 1,499 new malicious programs for Mac OS X, 200 samples more than in the previous year.
Every second user of Kaspersky Lab products was exposed to a malicious attack.
An average Mac user encountered 9 threats during the year.TOP 20 threats designed for Mac OS X Name % of attacks* 1 AdWare.OSX.Geonei.b 9.04% 2 Trojan.Script.Generic 5.85% 3 Trojan.OSX.Vsrch.a 4.42% 4 Trojan.Script.Iframer 3.77% 5 AdWare.OSX.Geonei.d 3.43% 6 DangerousObject.Multi.Generic 2.40% 7 AdWare.OSX.Vsrch.a 2.18% 8 Trojan.Win32.Generic 2.09% 9 AdWare.OSX.FkCodec.b 1.35% 10 Trojan.OSX.Yontoo.i 1.29% 11 Trojan-PSW.Win32.LdPinch.ex 0.84% 12 AdWare.Win32.Yotoon.heur 0.82% 13 Trojan.OSX.Yontoo.j 0.80% 14 Exploit.Script.Generic 0.76% 15 AdWare.OSX.Bnodlero.a 0.58% 16 AdWare.JS.Agent.an 0.57% 17 Trojan.OSX.Yontoo.h 0.52% 18 Exploit.PDF.Generic 0.51% 19 AdWare.Win32.MegaSearch.am 0.50% 20 Trojan.Win32.AutoRun.gen 0.43%
* The percentage of users attacked by the malicious program of all attacked users
Almost half of our TOP 20 programs, including the one in first place, were occupied by AdWare programs. As a rule, these malicious programs arrive on users' computers alongside legitimate programs if they are downloaded from a software store rather than from the official website of the developer. These legitimate programs might become a carrier for the AdWare-module: once installed on the user's computer it can add advertising links to browser bookmarks, change the default search engine, add contextual advertising, etc.
Interestingly, 8th place is occupied by Trojan.Win32.Generic which affects Windows OS. This is probably because this particular Trojan can penetrate into virtual machines that run under Windows.
In 2014 the experts detected several interesting malicious programs for Mac OS X that should be mentioned separately.
- Backdoor.OSX.Callme – a backdoor that provides the fraudster with remote access to the system and at the same time steals contact lists, apparently, to find new victims. It is distributed in the body of a specially designed MS Word document: when run it installs the backdoor via the vulnerability in the system.
- Backdoor.OSX.Laoshu – a malicious program which makes screenshots every minute. This backdoor is signed by the trusted certificate of the developer which means the creators of the program were about to place it in the AppStore.
- Backdoor.OSX.Ventir – a multi-module Trojan spy with a hidden remote control function. It includes the keystrokes interception driver logkext, the source code for which is publicly available.
- Trojan.OSX.IOSinfector – used to install the mobile version of Trojan-Spy.IPhoneOS.Mekir (OSX/Crisis).
- Trojan-Ransom.OSX.FileCoder – the first file coder for OS X. It is a conditionally working prototype produced by an author who, for whatever reason, decided to abandon malware development.
- Trojan-Spy.OSX.CoinStealer – the first malicious program designed to steal bitcoins for OS X. It imitates different bitcoin utilities built from open source code while it installs a malicious browser extension and/or a patched version of bitcoin-qt.
- Trojan-Downloader.OSX.WireLurker – an unusual piece of malware designed to steal victims' data. It attacks not only Mac-based computers but iOS-based devices connected to them. There is also a Windows-based version of this malicious program. It is distributed via a well-known Chinese store that sells apps for OS X and iOS.
The geography of attacks on Mac OS X users in 2014 (based on the number of all attacked users)
The TOP 10 of countries under attackCountry Number of attacked users % of all attacks* 1 USA 98,077 39.14% 2 Germany 31,466 12.56% 3 Japan 13,808 5.51% 4 UK 13,763 5.49% 5 Russia 12,207 4.87% 6 France 9,239 3.69% 7 Switzerland 6,548 2.61% 8 Canada 5,841 2.33% 9 Brazil 5,558 2.22% 10 Italy 5,334 2.13%
* The percentage of users attacked per country
The USA (39.14%) tops this rating, perhaps because of the popularity of Apple computers in the country. Germany (12.56%) came second followed by Japan (5.51%).Vulnerable applications used by fraudsters
The graph of vulnerable applications shown below is based on information about the exploits blocked by our products. These exploits were used by hackers in Internet attacks and when compromising local applications, including those installed on mobile devices.
The distribution of exploits used by fraudsters, by type of application attacked, 2014
In 2014, the fraudsters most often exploited Oracle Java vulnerabilities. However, the popularity of Java vulnerabilities declined steadily throughout the year, and its overall share was less than half of last year's figure – 45% against 90.5% 12 months ago. This might be due to the closure of old vulnerabilities and a lack of information about any new ones.
Second place was occupied by the Browsers category (42%) which includes exploits for Internet Explorer, Google Chrome, Mozilla Firefox, etc. According to the quarterly ratings, for much of 2014 this was the leading category but it didn't quite outstrip the large number of Java exploits in late 2013 and early 2014.
Adobe Reader exploits were in third place (5%). These vulnerabilities are exploited in drive-by attacks via the Internet, and PDF exploits form part of many exploit packs.
During the year, we saw a decrease in the number of attacks using exploit packs. There may be several reasons for this, including the arrests of some of their developers. In addition, many exploit packs have stopped attacking computers protected by Kaspersky Lab products (exploit packs check the victim computer and halt the attack if a Kaspersky Lab solution is installed on it). Despite this, exploitation of vulnerabilities remains one of the main ways to deliver malicious software on the user's computer.Online threats (Web-based attacks)
The statistics in this section were derived from web antivirus components that protect Windows users when malicious code attempts to download from a malicious/infected website. Malicious websites are deliberately created by cybercriminals; infected sites include those with user-contributed content (such as forums) as well as legitimate resources that have been hacked
In 2014, there were 1,432,660,467 attacks launched from online resources #KLReportTweet
In 2014, there were 1,432,660,467 attacks launched from online resources located all over the world. It means that Kaspersky Lab products protected users an average of 3,925,097 times per day during their Internet sessions.
The main attack method - via exploit packs - gives attackers an almost guaranteed opportunity to infect the user computer if it is not protected with a security solution and if it has at least one popular and vulnerable (not updated) application installed.Online threats in the banking sector
During the reporting period, Kaspersky Lab solutions blocked 1,910,520 attacks attempting to launch malware capable of stealing money from online banking accounts.
The number of computers attacked by financial malware, November 2013-October 2014
Noticeably, the number of attacks grew considerably in May and June 2014. This might have been be caused by an increase in online banking activity at the beginning of the holiday season as well as by the main sport event of the year – the World Cup-2014 in Brazil – where cybercriminals used financial malware to steal tourists' payment data.
A total of 16,552,498 notifications of malicious activity by programs designed to steal money via online access to bank accounts were registered by Kaspersky Lab security solutions in 2014.The geography of attacks
The geography of banking malware attacks in 2014
The TOP 20 countries by the number of attacked users:Country Number of attacked users 1 Brazil 299,830 2 Russia 251,917 3 Germany 155,773 4 India 98,344 5 USA 92,224 6 Italy 88,756 7 UK 54,618 8 Vietnam 50,040 9 Austria 44,445 10 Algeria 33,640 The TOP 10 banking malware families
The table below shows the programs most commonly used in 2014 to attack online banking users, based on the number of reported infection attempts:Name Number of attacked users 1 Trojan-Spy.Win32.Zbot 742,794 2 Trojan-Banker.Win32.ChePro 192,229 3 Trojan-Banker.Win32.Lohmys 121,439 4 Trojan-Banker.Win32.Shiotob 95,236 5 Trojan-Banker.Win32.Agent 83,243 6 Trojan-Banker.AndroidOS.Faketoken 50,334 7 Trojan-Banker.Win32.Banker 41,665 8 Trojan-Banker.Win32.Banbra 40,836 9 Trojan-Spy.Win32.SpyEyes 36,065 10 Trojan-Banker.HTML.Agent 19,770
Zeus (Trojan-Spy.Win32.Zbot) remained the most widespread banking Trojan. It kept its leading position in quarterly ratings so its 1st place in the TOP 10 for 2014 is not a surprise. Second came Trojan-Banker.Win32.ChePro, followed by Trojan-Banker.Win32.Lohmys. Both families have the same functionality and are spread via spam messages with a theme related to online banking (for example, an invoice from an online banking service). The email includes a Word document with the attached picture: clicking on the picture launches malicious code execution.
Trojan-Banker.Win32.Shiotob was in 4th place. This malicious program is most often spread via spam messages and is designed to monitor traffic in order to intercept payment data.
The majority of the Top 10 malicious programs work by injecting random HTML code in the web page displayed by the browser and intercepting any payment data entered by the user in the original or inserted web forms.
Although three quarters of attacks targeting users' money were carried out with the help of banking malware these are not the only financial threats.
Distribution of attacks targeting user money by malware type, 2014
Bitcoin wallet theft was the second most popular banking threat (14%). Yet another threat related to crypto currency is Bitcoin mining software (10%) which uses computing resources to generate bitcoins.The TOP 20 malicious objects detected online
In 2014, Kaspersky Lab's web antivirus detected 123,054,503 unique malicious objects: scripts, exploits, executable files, etc.
We identified the 20 malicious programs most actively involved in online attacks launched against computers in 2014. These 20 accounted for 95.8% of all online attacks.Name* % of all attacks** 1 Malicious URL 73.70% 2 Trojan.Script.Generic 9.10% 3 AdWare.Script.Generic 4.75% 4 Trojan.Script.Iframer 2.12% 5 Trojan-Downloader.Script.Generic 2.10% 6 AdWare.Win32.BetterSurf.b 0.60% 7 AdWare.Win32.Agent.fflm 0.41% 8 AdWare.Win32.Agent.aiyc 0.38% 9 AdWare.Win32.Agent.allm 0.34% 10 Adware.Win32.Amonetize.heur 0.32% 11 Trojan.Win32.Generic 0.27% 12 AdWare.Win32.MegaSearch.am 0.26% 13 Trojan.Win32.AntiFW.b 0.24% 14 AdWare.JS.Agent.an 0.23% 15 AdWare.Win32.Agent.ahbx 0.19% 16 AdWare.Win32.Yotoon.heur 0.19% 17 AdWare.JS.Agent.ao 0.18% 18 Trojan-Downloader.Win32.Generic 0.16% 19 Trojan-Clicker.JS.Agent.im 0.14% 20 AdWare.Win32.OutBrowse.g 0.11%
* These statistics represent detection verdicts from the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local data
** The percentage of all web attacks recorded on the computers of unique users
As is often the case, the TOP 20 is largely made up of objects used in drive-by attacks, as well as adware programs. 73.7% of all verdicts identified links from these black lists.
Noticeably, in 2014 there was an increase in the number of advertising programs in the TOP 20, up from 5 to 12 compared to the previous year and accounting for 8.2% of all malicious objects detected online (+7.01 percentage points). The growth in the amount of advertising programs, along with their aggressive distribution schemes and their efforts to counteract anti-virus detection, has become the trend of 2014.
In 2014, #Kaspersky Lab's web antivirus detected 123,054,503 unique malicious objects #KLReportTweet
The Trojan-Clicker.JS.Agent.im verdict is also connected to advertising and all sorts of "potentially unwanted" activities. This is how scripts placed on Amazon Cloudfront to redirect users to pages with advertising content are detected. Links to these scripts are inserted by adware and various extensions for browsers, mainly on users' search pages. The scripts can also redirect users to malicious pages containing recommendations to update Adobe Flash and Java - a popular method of spreading malware.The TOP 10 countries where online resources are seeded with malware
The following stats are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.
In order to determine the geographical source of web-based attacks, domain names are matched up against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In 2014, Kaspersky Lab solutions blocked 1,432,660,467 web-attacks #KLReportTweet
In 2014, Kaspersky Lab solutions blocked 1,432,660,467 attacks launched from web resources located in various countries around the world. To carry out their attacks, the fraudsters used 9,766,119 unique hosts, 838,154 hosts or 8% fewer than in 2013.
87% of notifications about attacks blocked by antivirus components were received from online resources located in 10 countries. This is 5 percentage points more than in the previous year.
The distribution of online resources seeded with malicious programs in 2014
In 2014, the TOP 10 rating of countries where online resources are seeded with malware remained largely unchanged from the previous year. However four countries changed places: Germany and Russia swapped, with the Germans climbing to 2nd and Russia dropping to fourth. Ukraine overtook Britain to move up to 5th.
44% of all web attacks came from resources located in the USA and Germany.Countries where users face the greatest risk of online infection
In order to assess the countries in which users most often face cyber threats, we calculated how often Kaspersky users encountered detection verdicts on their machines in each country. The resulting data characterizes the risk of infection that computers are exposed to in different countries across the globe, providing an indicator of the aggressiveness of the environment facing computers in different parts of the world.
The TOP 20 countries where users face the greatest risk of online infectionCountry* % of unique users** 1 Russia 53.81% 2 Kazakhstan 53.04% 3 Azerbaijan 49.64% 4 Vietnam 49.13% 5 Armenia 48.66% 6 Ukraine 46.70% 7 Mongolia 45.18% 8 Belarus 43.81% 9 Moldova 42.41% 10 Kyrgyzstan 40.06% 11 Germany 39.56% 12 Algeria 39.05% 13 Qatar 38.77% 14 Tadjikistan 38.49% 15 Georgia 37.67% 16 Saudi Arabia 36.01% 17 Austria 35.58% 18 Lithuania 35.44% 19 Sri Lanka 35.42% 20 Turkey 35.40%
These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000)
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country
The year 2014 saw a change of leader in the TOP 20: the rating was topped by Russia where 53.81% of users faced the risk of online infection.
Last year's leader, Azerbaijan, fell to 3rd position (49.64%).
Uzbekistan, Malaysia, Greece and Italy dropped out of the TOP 20. Among the newcomers were Mongolia, Qatar, Saudi Arabia, Turkey and Lithuania.
All countries can be divided into three groups expressing different levels of infection risk.
- The high risk group (over 41%)
- The risk group (21-40%)
- The low risk group (0-20.9%)
In 2014, this group includes nine countries from the TOP 20, compared to 15 countries in 2013.
This group includes 111 countries; among them are Kyrgyzstan (40.1%), Germany (39.6%), Qatar (38.8%), Tajikistan (38.5%), Georgia (37.7), Saudi Arabia (36%), Turkey (35. 4%), France (34.9%), India (34.8%), Spain (34.4%), USA (33.8%), Canada (33.4%), Australia (32.5% ), Brazil (32.1%), Poland (31.7%), Italy (31.5%), Israel (30.2%), China (30.1%), the UK (30%), Egypt (27.8%), Mexico (27.5%), the Philippines (27.2%), Croatia (26.2%), Pakistan (26.1%), Romania (25.7%), Japan (21. 2%), Argentina (21. 1%).
The 39 countries with the safest online surfing environments include Sweden (19.5%), Denmark (19.2%), Uruguay (19.5%) and a number of African countries.
In 2014, 38.3% of computers were attacked at least once while their owners were online.
On average, the risk of being infected while surfing the Internet decreased by 3.3 percentage points over the year. This may be caused several factors:
- Firstly, developers of browsers and search engines realized the necessity of securing their users and started to contribute to the fight against malicious sites
- Secondly, many exploit packs have started to check if Kaspersky Lab's product is installed on the user's computer. If it is, the exploits do not even try to attack the computer.
- Thirdly, users using more and more mobile devices and tablets to surf the Internet.
In addition, the number of attacks using exploit packs slightly decreased: arresting the developers of these packs was not in vain. However there are no grounds to expect some drastic change in the situation with exploits: they are still the main technique used to deliver malware, including for targeted attacks. The Internet remains the major source of malware for users in most countries.Local threats
Local infection statistics for user computers are a very important indicator. This data points to threats that have penetrated the Windows operating system through something other than the Internet, email, or network ports.
This section contains an analysis of the statistical data obtained based on antivirus scans of files on the hard drive at the moment they are created or accessed, and the results of scanning various removable data storages.The TOP 20 malicious objects detected on user computers
In 2014, Kaspersky Lab's antivirus solutions detected 1,849,949 unique malicious and potentially unwanted objects.Name % of unique attacked users* 1 DangerousObject.Multi.Generic 26.04% 2 Trojan.Win32.Generic 25.32% 3 AdWare.Win32.Agent.ahbx 12.78% 4 Trojan.Win32.AutoRun.gen 8.24% 5 Adware.Win32.Amonetize.heur 7.25% 6 Virus.Win32.Sality.gen 6.69% 7 Worm.VBS.Dinihou.r 5.77% 8 AdWare.MSIL.Kranet.heur 5.46% 9 AdWare.Win32.Yotoon.heur 4.67% 10 Worm.Win32.Debris.a 4.05% 11 AdWare.Win32.BetterSurf.b 3.97% 12 Trojan.Win32.Starter.lgb 3.69% 13 Exploit.Java.Generic 3.66% 14 Trojan.Script.Generic 3.52% 15 Virus.Win32.Nimnul.a 2.80% 16 Trojan-Dropper.Win32.Agent.jkcd 2.78% 17 Worm.Script.Generic 2.61% 18 AdWare.Win32.Agent.aljt 2.53% 19 AdWare.Win32.Kranet.heur 2.52% 20 Trojan.WinLNK.Runner.ea 2.49%
These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products who consented to submit their statistical data.
* The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a malicious program was detected
The DangerousObject.Multi.Generic verdict, which is used for malware detected with the help of cloud technologies, is in 1st place (26.04%). Cloud technologies work when the antivirus databases do not yet contain either signatures or heuristics to detect a malicious program but the company's cloud antivirus database already includes the information about the object. In fact, this is how the latest malware is detected.
The notorious worm Net-Worm.Win32.Kido dropped out of the TOP 20. In general the proportion of viruses continues to decrease: for example, last year Virus.Win32.Sality.gen affected 13.4% of users while in 2014 – only 6.69%.
Both this rating and the rating of web detections show that advertising programs are becoming more common. In 2014, the number of users who encountered adware doubled from the previous year and reached 25,406,107. At the same time advertising programs are becoming both more intrusive and more dangerous. Some of them "cross the border" into the category of potentially unwanted programs and are assigned a "harsher" verdict. For example, Trojan-Dropper.Win32.Agent.jkcd (16th place), in addition to displaying ads and changing search results, can download malware on the computer.Countries where users face the highest risk of local infection
For each country we calculated the number of file antivirus detections the users faced during the year. The data includes detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
The TOP 20 countries by the level of infectionCountry* %** 1 Vietnam 69.58% 2 Mongolia 64.24% 3 Nepal 61.03% 4 Bangladesh 60.54% 5 Yemen 59.51% 6 Algeria 58.84% 7 Iraq 57.62% 8 Laos 56.32% 9 India 56.05% 10 Cambodia 55.98% 11 Afghanistan 55.69% 12 Egypt 54.54% 13 Saudi Arabia 54.37% 14 Kazakhstan 54.27% 15 Pakistan 54.00% 16 Syria 53.91% 17 Soudan 53.88% 18 Sri Lanka 53.77% 19 Myanma 53.34% 20 Turkey 52.94%
These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* When calculating, we excluded countries where there are fewer than 10,000 Kaspersky Lab users
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products
The TOP 4 countries for risk of local infection remained largely unchanged from the previous year: Vietnam was in 1st position; Mongolia and Bangladesh changed places – Bangladesh moved down from 2nd to 4th position while Mongolia climbed from 4th to 2nd place.
Djibouti, Maldives, Mauritania, Indonesia, Rwanda and Angola left the TOP 20. The newcomers were Yemen, Saudi Arabia, Kazakhstan, Syria, Myanmar and Turkey.
Within the TOP 20 countries at least one malicious object was found on an average of 58.7% of computers, hard drives or removable media belonging to KSN users. The 2013 figure was 60.1%.
Countries can be divided into four risk categories for local threats.
- Maximum risk (over 60%): four countries including Vietnam (69.6%), Mongolia (64.2%), Nepal (61.0%) and Bangladesh (60.5%).
- High risk (41-60%): 83 countries including India (56.0%), Kazakhstan (54.3%), Turkey (52.9%), Russia (52.0%), China (49.7%), Brazil (46.5%), Belarus (45.3%), Mexico (41.6%), the Philippines (48.4%).
- Moderate local infection rate (21-40.99%): 70 countries including Spain (40.9%), France (40.3%), Poland (39.5%), Lithuania (39.1%), Greece (37.8%), Portugal (37.7%), Korea (37.4%), Argentina (37.2%), Italy (36.6%), Austria (36.5%), Australia (35.3%), Canada (34.8%), Romania (34. 5%), the US (34.4%), the UK (33.8%), Switzerland (30.8%), Hong Kong (30.4%), Ireland (29.7%), Uruguay (27.8% ), the Netherlands (26.4%), Norway (25.1%), Singapore (23.5%), Japan (22.9%), Sweden (23%), Denmark (21.3%)
- Low local infection rate (0- 20.99%): 3 countries including Finland (20%), Cuba (19.1%) and Seychelles (19%).
The 10 safest countries were:Country %* 1 Seychelles 19.03% 2 Cuba 19.08% 3 Finland 20.03% 4 Denmark 21.34% 5 Japan 22.89% 6 Sweden 22.98% 7 Czech Republic 23.13% 8 Singapore 23.54% 9 Martinique 25.04% 10 Norway 25.13%
* The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products
In 2014, three new countries appeared in this TOP 10 — Martinique, Singapore and Sweden. Slovakia, Slovenia and Malta dropped out of the rating.
In 2014, on average, 23% of user machines were attacked in the 10 safest countries at least once #KLReportTweet
On average, 23% of user machines were attacked in the 10 safest countries at least once during the year. This is 4.2 percentage points more than last year.
This week, for the first time, the FBI issued a Flash warning about a destructive wiper activity, used in the attack on Sony Pictures Entertainment. Samples of this Destover malware contained configuration files created on systems using Korean language packs.
Since the attack, further information about the malware has surfaced in one form or another, but some details, such as those relating to the previous activity of the prime suspects, are still to be examined.
So, while Sony Pictures silently completes its costly clean-up efforts and prepares to release "The Interview", let's discuss some of the malware functionality, glaring similarities with other wiper events, and some of the suspect group's previous activity.
The first thing to note is that destructive activity targeting the networks of large organizations is clearly becoming more commonplace. Previous major wiper malware is discussed here. For these, most of the related events occurred in the Middle East and the Korean Peninsula. We also noted a separate Eastern European BE2 ICS environment-related wiping event, covered in more detail here. And it's hard to ignore the complete customer data wipe of Code Spaces in Great Britain by a cybercriminal holding them for ransom, as reported here.
The malware involved in the Sony Entertainment attack is called Trojan Destover and is capable of wiping disk drives and MBR.Destover Wiper Functionality
The most interesting aspects of the destructive functionality of the malware are related to the selection and storage/delivery of the drivers that are now used repeatedly in these kinds of sabotage attacks.
The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself. There are implications for data recovery in this. In the case of the DarkSeoul malware, the overwritten data could be restored using a method similar to the restoration of the Shamoon 'destroyed' data. Destover data recovery is likely to be the same.
The chain of intermediary components leading to the destructive payload follows multiple stages (which have previously been described elsewhere), with capabilities set to run in several modes, just like Shamoon:
- The sample is run on a 32-bit OS for the first time.
- The sample is run on a 32-bit OS as a self-installed service, with one of several code paths.
- The sample is run on a 64-bit OS as a self-installed service.
On a first run, it creates the 'Backup and Restore Management' Windows brmgmtsvc service, adds its own executable and sets a startup '-i' switch. It also drops several copies of itself and starts each of them with a different switch: -m, -d, and -w.
-m (mbr overwrite):
This attempts to connect with the three IP addresses. Even if this is unsuccessful, process execution takes place.
It fetches its resource that contains the compressed EldoS RawDisk driver, and writes it out to the temp directory as a 'usbdrv3.sys'.
It then installs the driver as the usbdrv3 service 'USB 3.0 Host Controller'.
After this, it starts the driver service and closes its service handle.
It then creates a filehandle to the driver with write permissions:
and writes to that handle with 64k strings of '0xAAAAAAAA'. ← note that the issue of a lengthy license key (#99E2428…) is discussed in our Shamoon The Wiper - part ii blogpost.
It then creates new threads, each of which attempts to connect to any possible physical drive letter and overwrite them as well.
-d (data overwrite):
This attempts to connect with the same three IP addresses. Again, process execution takes place regardless of communications.
It gets the logical drives and traverses recursively through them, identifying all data files. If it is not .exe or .dll, the process overwrites file contents with '0x0df0adba' in a 20k chunk. This overwrite is completed from user mode, without the EldoS drivers.
It then attempts to delete the data file using the win32 api 'DeleteFileW'. As it recurses through all the system's directories, it attempts to delete .exe and .dll files.
-w (web server):
This attempts to connect with the same three IP addresses. Again, process execution takes place regardless of communications.
It stops the Windows Terminal Services from the cmd line: 'cmd.exe /c net stop termservice /y'
Then finds resource#85, decompresses and writes contents out to 'c:\windows\iissvr.exe'.
It launches the iissvr.exe process and exits.
iissvr is what it seems to be - a web server that maintains an encoded JPG, HTML and WAV file. It listens on Port 80 and serves these files. The full graphic and scrolling green warning can be found later in the article. The decoded jpg here:
Lastly, after a two hour sleep, the original service restarts the machine with a call to ExitWindowsEx(EWX_REBOOT|EWX_FORCE, 0). This forces an exit but delays the shutdown itself while system state file creation occurs.Commonalities Across Wipers
Just like Shamoon, the Destover wiper drivers are commercially available EldoS RawDisk driver files.
Just like Shamoon, the Destover wiper drivers are maintained in the droppers' resource section.
Just like Shamoon, the DarkSeoul wiper event included vague, encoded psuedo-political messages used to overwrite disk data and the master boot record (MBR).
Just like DarkSeoul, the Destover wiper executables were compiled somewhere between 48 hours prior to the attack and the actual day of attack. It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack.
The Shamoon components were compiled in a similarly tight timeframe prior to their deployment. The CompiledOn timestamps all fall within five days of their executables' detonation. Nearly all were compiled on Aug 10, 2012 (between 00:17:23 and 02:46:22) and set to detonate on Aug 15, 2012. That is a tight window to quietly deploy these binaries considering the fact that tens of thousands of machines were destroyed with this payload.
In all three cases: Shamoon, DarkSeoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own. All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.
Images from the DarkSeoul 'Whois' and Destover 'GOP' groups included a 'Hacked by' claim, accompanied by a "warning" and threats regarding stolen data. Both threatened that this was only the beginning and that the group will be back. It appears that original skeletal artwork was also included in both.
Whois team graphics and warning:
GOP team graphics and warning:
Differences between the Destover and DarkSeoul Wiper attacks include Destover's lack of *nix scripts to erase partitions across Linux systems.
The above list of commonalities does not, of course, prove that the crew behind Shamoon is the same as the crew behind both DarkSeoul and Destover. But it should be noted that the reactionary events and the groups' operational and toolset characteristics all carry marked similarities. And, it is extraordinary that such unusual and focused acts of large scale cyber-destruction are being carried out with clearly recognizable similarities.Network activity
Related beacon destinations were published as:
However, directly related samples perform callbacks to a number of other IP addresses as well. Kaspersky Security Network (KSN) data presents a complete lack of malware being served from any of these addresses in the past:
The connections appear arbitrary and inconsequential to the execution of the malicious package. Some are not currently active. These IPs all appear to be oddly selected.
Some of these addresses are known to have performed RDP Scans in the recent past. In late 2012, 18.104.22.168 was a known RDP brute forcing network scanner. The server is hosted at an IP address in Poland, maintained at that provider since 1996.
In early 2014, 22.214.171.124 was hosted in Italy and served as a 'Hide My Ass' premium and free proxy server over port 443. The malware attempts to connect to that server on ports 8000 and 8080, and currently no resources are available.
126.96.36.199 also previously served as a free SOCKS proxy in 2011 and 2012. Often, these sorts of resources were misused by spammers and blackhat SEO scammers.Previous Backdoors
The DarkSeoul campaigns have been linked to several families of Trojans and backdoors, all used over the course of several years. Some links are much stronger than others:
- Concealment Troy
Trojans:MD5 Size CompiledOn Kaspersky name d1c27ee7ce18675974edf42d4eea25c6 262 kb 2014.11.22 00:06:54 Trojan.Win32.Destover.a 2618dd3e5c59ca851f03df12c0cab3b8 430 kb 2014.11.22 00:05:02 Trojan.Win32.Destover.d 760c35a80d758f032d02cf4db12d3e55 244 kb 2014.11.22 04:11:08 Trojan.Win32.Destover.c b80aa583591eaf758fd95ab4ea7afe39 304 kb 2014.11.24 04:12:55 Trojan.Win32.Destover.b e1864a55d5ccb76af4bf7a0ae16279ba 112 kb 2014.11.13 02:05:35 Backdoor.Win32.DestoverServ.a
6aeac618e29980b69721158044c2e544 (32-bit), signed by the EldoS Corporation
86e212b7fc20fc406c692400294073ff (64-bit), signed by the EldoS Corporation
Certificate (6aeac618e29980b69721158044c2e544 32-bit and
- Exclusive: FBI warns of 'destructive' malware in wake of Sony attack
- Dissecting Operation Troy: Cyberespionage in South Korea, McAfee, 2013 (PDF)
- Darkseoul/Jokra Analysis And Recovery, Fidelis Cybersecurity, 2013 (PDF)
- Analyzing Unknown Malware
- DarkSeoul - Jokra - MBR wiper samples
- Shamoon The Wiper: Further Details (Part II)
Following the release of our report on the Regin nation-state cyber operation, questions were raised about whether anti-malware companies deliberately withheld information -- and detections -- at the request of governments and customers. A similar question was raised by Bruce Schneier in 2013.
Let's get the most important issue out of the way immediately. We have never been asked by a customer or a government entity to whitelist or stop detecting any specific malware sample. We'd never comply with such a request, no matter the source.
This simply does not happen. In some cases, investigations into advanced targeted attacks include NDAs (non-disclosure agreements) with customers and we are bound to maintain confidentiality but that never affects adding detection and protecting our entire customer base from threats.
So, why did it take two years for us to release a report on Regin? Without proper context, it may appear that researchers kept something really important in the dark for an inordinately long time. However, security research -- not unlike law enforcement investigations -- requires meticulous scrutiny and analysis and in many cases, it's important to watch the crime unfold in real-time to build a proper case.
In our case, without unlimited resources and the fact that we're tracking multiple APT actors simultaneously (Careto/Mask, EpicTurla, Darkhotel, Miniduke/Cosmicduke, to name a few), this becomes a process that takes months, even years, to gain a full understanding of a cyber-operation.
Sean Sullivan from F-Secure provided a perfect description of APT research, comparing it to the work of paleontologists that find some bones of a dinosaur. Everyone may have a bone but nobody has the full skeleton.
In the case of Regin, what we first discovered in 2012 was a slightly damaged bone from unknown part of a monster living in a mysterious mountain lake.
(courtesy of southampton.ac.uk)
Someone finding a bone might discard it and keep traveling, but in security research we collect things. The original discovery went to our collection of things stored in the backyard. We have many of these fractured bones from unseen monsters or maybe harmless creatures. Sometimes we hear about other bone fragments being discovered by others and this pushes us to take a closer look but at the early stages, without enough evidence to draw meaningful conclusions, it doesn't make sense to go public about discoveries until you confirm that the monsters are real, big and dangerous.
We keep working in various channels to collect different artifacts that may or may not match some of the pieces in our collection. Sometimes we join efforts with other "paleontologists" and share our discoveries. Once we collect enough of bones from a monster to understand potential size, danger and possible habitat, we can start the next phase which is a real active investigation that might lead us to the mysterious mountain lake.
A comprehensive APT research project consists of several stages:
- Adding detection for known modules
- Collecting samples
- Reversing the samples
- Decrypting sophisticated encryption and compression schemes
- Understanding lateral movement
- Outlining multiple attack stages in the correct order
- Mapping C&C infrastructure
- Setting up sinkholes
- Analyzing collected traffic and communication protocols
- Crawling other hosts that understand the same protocol
- Taking down and acquiring images of C&C servers
- Identifying victims, sending out notifications to victims and global CERTs
- Applying forensic analysis and extracting logs, stolen files, other components
- Collecting and analyzing data from KSN, C&C servers, individual victims who are willing to work with us, sinkholes, crawlers, etc.
- Writing a comprehensive report
If we are lucky we can find a monster in-the-wild that is the best source for scientific study. In most cases, including Regin, we observe and learn from the behavior of a live monster. We record every single step and intention.
At the same time, we can take it down and study it in a lab like zoologists. However, in many research investigations, we can see only a skeleton of a monster. We have to put everything together and reconstruct how the monster moved, what was it habits, what species it attacked, and how these attacks were coordinated. Simply put, this requires time and patience.
In addition, when we analyze the characteristics of a certain creature, we understand that the evolution goes on and there are other species like the subject, live and kicking somewhere in a manner that's not visible at all.
While some of the Regin samples got on our radar early and we continued to find additional samples and artifacts during the research, we are convinced there are others that are currently unknown and undiscovered. Little was known about their life and existence in the past but we know they were out there by finding some tiny fragments over time. And we have to refer to paleontology again, because in the overall picture we have discovered just a small part of the entire beast, but have enough to to release a public alert.
Like Regin, sometimes we find that we had been detecting pieces of malware for several years before realizing that it was a part of global cyber-espionage campaign. One good example is the story of RedOctober. We had been detecting components of RedOctober long before we figured out that it was being used in targeted attacks against diplomatic, governmental and scientific research organizations.
At Kaspersky Lab, we are processing hundreds of thousands of samples every day. The art of figuring out which ones are significant and further yet which ones belong together as part of a big APT attack is akin to finding needles in a huge haystack and then figuring out which ones belong to the same knitting set. We are grateful for every needle we discover, because this makes the world a little safer.
In 2015, we expect to see another stage in the evolution of cyber-criminal activity with the adoption of APT tactics and techniques in financially motivated online criminal activity.
During a recent investigation, we discovered an attack in which an accountant's computer was compromised and used to initiate a large transfer with a financial institution. It represented the emergence of an interesting trend: targeted attacks directly against banks.
We are seeing an upsurge in malware incidents where banks are being breached using methods coming directly from the APT playbook. Once the attackers got into the banks' networks, they siphon enough information to allow them to steal money directly from the bank in several ways:
- Remotely commanding ATMs to dispose cash.
- Performing SWIFT transfers from various customers accounts,
- Manipulating online banking systems to perform transfers in the background.
A new trend is embracing #APT style attacks in the cybercriminal world.Tweet
Such attacks are an indication of a new trend that is embracing APT style attacks in the cybercriminal world.APT groups fragment, diversify attacks
The naming-and-shaming of APT groups in 2014 led to the public exposure and indictment of a hacking group that allegedly carried out cyber-espionage against U.S. businesses.
We expect to see a shift in 2015 where the bigger, noisy #APT groups splinter into smaller units, operating independently of each other.Tweet
As security research teams continue to push for exposure of nation-state APT crews, we expect to see a shift in 2015 where the bigger, noisy APT groups splinter into smaller units, operating independently of each other. This in turn will result in a more widespread attack base, meaning more companies will be hit, as the smaller groups diversify their attacks. At the same time it means that bigger companies that were previously compromised by two or three major APT groups (eg. Comment Crew and Webky) will see more diverse attacks, coming from more sources.Old code, new (dangerous) vulnerabilities
Recent allegations of deliberate tampering and accidental failures in crypto implementations ("goto fail"), and critical vulnerabilities in essential software (Shellshock, Heartbleed, OpenSSL) have left the community suspicious of unaudited software. The reaction has been to either launch independent audits of key software or have security researchers poke them in search of critical vulnerabilities (tantamount to an unofficial audit). This means that 2015 will be another year of new, dangerous vulnerabilities appearing in old code, exposing the Internet infrastructure to menacing attacks.Escalation of ATM and PoS attacks
Attacks against cash machines (ATM) seemed to explode this year with several public incidents and a rush by law enforcement authorities globally to respond to this crisis. A corollary of this publicity is an awareness that ATMs are ripe for the taking and cybercriminals are sure to notice. As most of these systems are running Windows XP and also suffer from frail physical security, they are incredibly vulnerable by default and, as the impersonal gatekeepers of the financial institutions' cash, cybercriminals are bound to come knocking here first.
The next stage will see attackers compromising the networks of banks and using that level of access to manipulate #ATM #machines in real time.Tweet
In 2015, we expect to see further evolution of these ATM attacks with the use of APT techniques to gain access to the "brain" of cash machines. The next stage will see attackers compromising the networks of banks and using that level of access to manipulate ATM machines in real time.Mac Attacks: OS X botnets
Despite efforts by Apple to lock down the Mac operating system, we continue to see malicious software being pushed via torrents and pirated software packages. The increasing popularity of Mac OS X devices is turning heads in the criminal world, making it more appealing to develop malware for this platform.
The increasing popularity of #MacOS X devices is turning heads in the criminal world, making it more appealing to develop malware.Tweet
The closed-by-default ecosystem makes it harder for this malware to successfully take hold of the platform, but there remains a subsection of users who'll gladly disable Mac OS X security measures – especially people who use pirated software. This means that those looking to hijack OS X systems for a variety of reasons know that they simply need to bundle their malware with desirable software (probably in the form of a key generator) to enjoy widespread success. Due to widespread beliefs about the security of the OS X platform, these systems are also unlikely to have an antimalware solution installed that will flag the infection so once the malware is installed, so it's likely to go unnoticed for a very long time.Attacks against ticketing machines
Incidents such as the NFC hack on Chilean public transport show an interest in abusing public resources such as transportation systems. Some hackers won't be looking to turn a profit from these types of attacks and will be satisfied to get some free rides and 'stick it to the man' by sharing this ability with others. However, ticketing systems are being shown to be vulnerable (many of them running Windows XP) and in many cities handle credit card transaction data directly. We expect to see bolder attacks on these systems to either game the system or steal credit card data for themselves.Attacks against virtual payment systems
Conventional wisdom tells us that cybercriminals are looking to monetize their daring exploits as simply and efficiently as possible. What better target than virtual payment systems in their infancy? As some countries like Ecuador rush to adopt virtual payment systems, we expect criminals to leap at every opportunity to exploit these. Whether social engineering the users, attacking the endpoints (cellphones in many cases), or hacking the banks directly, cybercriminals will jump all over directly monetized attacks and virtual payment systems will end up bearing the brunt.
We expect to the appearance of vulnerability warnings about weaknesses in #Apple #Pay, virtual wallets and other virtual payment systems.Tweet
These fears can also be extended to the new Apple Pay, which uses NFC (Near Field Communications) to handle wireless consumer transactions. This is a ripe market for security research and we expect to the appearance of vulnerability warnings about weaknesses in Apple Pay, virtual wallets and other virtual payment systems.Apple Pay
Previous attacks have focused on NFC payment systems but, thanks to limited adoption, these have reaped limited rewards. Apple Pay is bound to change that. The enthusiasm over this new payment platform is going to drive adoption through the roof and that will inevitably attract many cybercriminals looking to reap the rewards of these transactions. Apple's design possesses and increased focus on security (like virtualized transaction data) but we'll be very curious to see how hackers will exploit the features of this implementation.Compromising the Internet of Things
Attacks against the Internet of Things (IoT) have been limited to proof-of-concepts and (sometimes overhyped) warnings that smart televisions and refrigerators will be targeted by hackers to create botnets or launch mischievous attacks.
In 2015, there will surely be in-the-wild attacks against networked printers and other #connected #devices.Tweet
As more and more of these connected devices become available, we expect to see a wider discussion about security and privacy, especially among businesses in this space. In 2015, there will surely be in-the-wild attacks against networked printers and other connected devices that can help an advanced attacker to maintain persistence and lateral movement within a corporate network. We expect to see IoT devices form part of an APT group's arsenal, especially at high-value targets where connectivity is being introduced to the manufacturing and industrial processes.
On the consumer side, IoT attacks will be limited to demonstrations of weaknesses in protocol implementations and the possibility of embedding advertising (adware/spyware?) into smart TV programming.
Most phishing emails that aim to steal bank and e-payment data are written in English. However, we are seeing more and more fraudulent messages written in other languages, suggesting that the number of attacks targeting users in non-English speaking countries is growing. Here is an example of a fake notification in Japanese, supposedly sent on behalf of a major bank of Japan.
The text of the fake message warned users of a possible leak of their personal data. They were also told that the bank system security had been updated to protect their accounts so they had to follow the link and enter their login details and passwords on the bank's site to ensure their accounts weren't blocked. The information entered in the phishing form was sent to the fraudsters who got access to the personal account of the victims and could control their money via the online banking system.
The 'From' field of the email specified an address registered on a well-known free mail service from a Taiwanese (.tw) domain. The address of the phishing page in the body of the message was similar to the official web address of the bank but the real address of the page to which the user was redirected was different. Since the fraudulent page was designed to look like the bank's official page, users could only spot the trick if they paid close attention to the suspicious address in the browser.
A month later our colleagues registered a similar phishing mass mailing.
The sender's address looked genuine. The text informed recipients that the bank had updated its security system and users should follow the link to confirm their account details. That link went to the same phishing link as in the first example but this time the forgery was much more like a genuine link. Only a careful user would spot the difference.
In September there was a significant event in the IT industry - the iPhone 6 smartphone was presented to the public and put on sale. Not surprisingly, this was big news in the cybercriminal and spamming community as well and throughout the quarter we saw a sharp increase in spam about the famous brand. The number of phishing messages claiming to come from popular Apple services also significantly increased around the release date.
Spammers started offering the new smartphone long before its official release - as a prize for participating in questionnaires and special offers, as a gift when purchasing goods or using services offered in spam; the stylish accessory was the prize in various lotteries and featured in many false win notifications. Finally the iPhone 6 was offered for unbelievably low prices (compared to the official price).
Compared to the previous models the design of the iPhone 6 has several noticeable changes - including the size of the screen. This caused a burst of spam from factories producing all manner of accessories, actively offering protective cases and the like in the new size.
This all shows how a single event can trigger an increase in many different kind of spam, both swindles and adverts. In many cases it was also a powerful hook to draw attention to letters; the mere mention of the new iPhone in the subject header greatly increased the chances of the message being read.Spam as a way to steal mail addresses
The last quarter saw several leaks of account logins and passwords from major mail systems. The data appeared on the net, which worried users and prompted lively discussions about confidentiality. At the same time the companies owning the mail services announced that most of the published data was from long abandoned accounts and the few that were still active were probably hijacked by phishing.
We note that the ID data for an email account doesn't just give wrongdoers access to the owners' personal correspondence and their address books; it also opens up other services provided by the mail host. Logins and passwords for other resources could also fall into unwelcome hands, especially those for social networks and online stores registered to that mailbox. The demand for email logins and passwords is underlined by the volume of phishing communications we have found that were designed specifically for this purpose that. In the third quarter we encountered phishing letters using various methods to con people out of their data. Here are a few examples:
- Communications in which a phishing HTML-page is inserted directly into the letter.
- Communications with phishing links in the text of the letter. The false link might be tied to a text fragment or shown in the text of the letter. Often the swindlers place phishing pages on specially created third-level domains.
- Communications in which an email address and password have to be sent to a specific electronic address.
Among the most popular tricks used for stealing data are warnings about exceeding the size of a mailbox, system updates and blocking mailboxes. And although these phishing letters frequently imitate communications from specific mail services the great majority of them are just general requests to confirm logins and passwords for email addresses. Probably this is because the conmen are sending false warnings to a whole database of addresses at once rather than going through the unprofitably time-consuming process of selecting specific mail services.Spam is going beyond mail
Offers to conduct marketing campaign that will develop business and attract new clients is a popular and widespread trend in spam. Typically these involve mass mailshots to advertise services. Increasingly, though, these campaigns are moving away from mail services and email addresses and targeting mobiles and smartphones.
In the third quarter of 2014 spammers started offering SMS and instant messaging advertising more often. Does this mean that classic email spam is going to take a back seat and surrender its predominance to SMS spam? Having analyzed the link between SMS spam and email spam we came to the conclusion that this is unlikely. Firstly, more and more countries are alert to the problem of SMS spam and taking legislative measures banning this type of mass advertising. Secondly there is an obvious connection between all the media platforms used to distribute unwanted adverts and classic email spam.
The fact is, to find customers for their new products spammers continue to use old-fashioned techniques — with the help of spam mailings. There is even a specific type of email sendout in which spammers offer to buy readymade databases of electronic addresses and telephone numbers created using specific criteria to target a specific audience. There are also phishing mailshots aimed at collecting the personal data of users and organizations with the aim of consolidating them into databases for sale or use in mailshots. In this way spam is used to collect data for databases that are then offered for sale or used to send more spam. Spammers continue to use classic email spam to sell telephone numbers for use in SMS spam, and find buyers for their services.
Social networks are another media platform where spam distribution is growing. These have audiences in the millions and are gaining popularity all the time. At the same time hundreds of thousands of these accounts are "dead souls" - bots created specially for sending spam and stealing personal data from real users. In the last quarter we increasingly found spam content in apparently legal formal communications from social networks. What is happening is that almost all accounts in social networks are linked to the email addresses of their owners and messages distributed within the network are sent by email. The contents of such messages are typical spam: "Nigerian" stories of millions of dollars available to a helpful contact, offers of financial help to start a business or simply adverts for various goods.
This suggests that SMS mailshots and messages in social networks are not new types of spam but new methods that spammers have developed to deliver advertising to users. These are, in one way or another, linked to email spam. Moreover spammers can send the same message by various channels, which creates the impression of an increase in the overall quantity of unwanted adverts being sent.New developments in "Nigerian" spam
In the third quarter conmen used the political situation in Ukraine and the media storm around the Ebola virus as inspiration for their "Nigerian-style" tales. Politics is a popular topic for this type of conman, as can be seen by the large percentage of letters discussing political themes or well-known public figures. It's not surprising, then, that the situation in Ukraine was actively used during the third quarter. When creating the supposed authors of these messages the conmen didn't just invent Ukrainians in various professions; they also conjured up politicians and businessmen offering cash rewards for help in transferring or investing large sums of money.
Letters concerning the Ebola virus were usually sent in the name of individuals from West Africa infected with the deadly virus. But there were unusual variations, for example invitations to related conferences. Regardless of the author of the letter and the convincing tales within the aim of the conmen does not change from year to year — to relieve the victims of their money.Malicious email attachments
Top 10 malicious programs sent by email,
third quarter of 2014
In the third quarter of 2014 Trojan.JS.Redirector.adf was the malicious program most often distributed via email, according to our ranking. It appears as an HTML page which, when opened by users, redirects them to an infected site. There it usually offers to load Binbot — a service for the automatic trading of binary options, which are currently popular on the net. The malware spreads via email in a passwordless ZIP archive.
Next comes Trojan-Spy.HTML.Fraud.gen. This program was top of the list for several previous quarters but has finally been pushed down. Trojan-Spy.HTML.Fraud.gen is a phishing HTML page on which the user is asked to enter their confidential data. All the entered information is then sent to cybercriminals. Compared to the last quarter the figure for this malware has fallen by 0.62 percentage points.
In third place is Trojan.Win32.Yakes.fize, a Trojan loader of the Dofoil type. Its relative, Trojan-Downloader.Win32.Dofoil.dx, is in fourth. Malware programs of this type download another malicious program onto the user's computer, start it and use it to steal assorted user information, especially passwords.
In fifth and ninth places are two members of the universal bot module family Andromeda/Gamarue - Backdoor.Win32.Androm.enji and Backdoor.Win32.Androm.euqt. The main features of these malware programs are the ability to download, store and run executable files, downloading and loading DLL (without saving on disk), downloading plugins and the capability of updating and deleting themselves. The bot's functionality is enhanced with a system of plugins which can be downloded by the cybercriminals whenever necessary.
The sixth and seventh positions are taken by Trojan.Win32.Bublik.clhs and Trojan.Win32.Bublik.bwbx respectively. These are modifications of the well-known Bublik malware— a Trojan-loader that downloads a malicious file onto the user's computer and launches it.
In eighth place is the mail worm Email-Worm.Win32.Bagle.gt. The main function of all mail worms is to collect email addresses from infected computers. A mail worm of the Bagle family can also accept remote commands to install other malicious programs.
Our rating is completed by Trojan-Banker.Win32.ChePro.ink. This downloader is created in the form of a CPL-applet (a control panel component) and downloads Trojans designed to steal confidential financial information. Most programs of this type are aimed at Brazilian and Portuguese banks.Distribution of email malware by family
As regards the most popular families of malicious programs, their email distribution is as follows:
TOP 10 families of malware programs distributed by email,
third quarter of 2014
Heading the rating is the Andromeda family, which accounts for 12.35% of all malware. In second place is ZeuS/Zbot: members of this family are designed for attacks on servers and users' computers and also for capturing data. Although ZeuS/Zbot is capable of carrying out various harmful actions it is most often used to steal banking information. It can also install CryptoLocker - a malicious program that extorts money to decrypt users' data.
Bublik, which often loads Zbot, also made the top 10 most frequently encountered malware families.Countries targeted by malicious mailshots
Distribution of email antivirus activations by country,
third quarter 2014
In the third quarter there were some changes in the countries targeted by mailshots with malicious contents. Now we see Germany in top spot with 10.11%. Britain drops to second, losing 1.22 percentage points compared to the second quarter. In the third place is the USA, down 1.77 percentage points.
Russia, which in the second quarter was in 19th place with 1.48%, climbed to 6th place this quarter (4.25%); the share of malicious spam directed at the country increased almost threefold.Special features of malicious spam Ice Bucket Challenge
During the past quarter cybercriminals continued to use high profile events to attract attention to mailshots containing malware. This time around the Ice Bucket Challenge, a hugely popular summer campaign, was one of these events. The aim of this campaign was to raise awareness of amyotrophic lateral sclerosis, and also to collect funds to research the disease. An enormous number of people took part, many of them famous: actors, politicians, sportsmen and women, businessmen, and musicians poured ice-cold water over themselves, uploading videos of the process and passing the baton on further. At the peak of its popularity conmen got involved, seeing the campaign as a chance to attract attention to their malicious communications.
As a result unsuspecting users began to receive letters with offers to join the ALS association and change their lives, as thousands of others had already done. The recipients were offered an inspiring video to watch, located in an archive attached to the letter. But in place of the promised video a malicious program such as Backdoor.Win32.Androm.eu.op lay in wait. Such programs allow cybercriminals to infect computers, which often become part of botnets."Malicious messages" from booking systems
In the third quarter of 2014 cybercriminals sent some seasonal malicious spam tying in with the themes of the summer holidays. Spam traffic featured false messages from hotels, booking services and airlines in English and German. Traditionally the conmen try to convince users that a ZIP archive contains information about hotel bookings or air tickets.
Among others we found false communications from American Airlines; executable files were attached to letters that contained malware from the Net-Worm.Win32.Aspxor family. These net worms can send spam, download and run other programs, collect valuable data from the victim's computer (saved passwords, mail and FTP accounts) and also automatically search for vulnerable sites for further infections to keep spreading the bot.
Forged letters in German, supposedly sent by an Internet portal for booking hotels in Germany, contained the malware Trojan-Spy.Win32.Ursnif. This Trojan steals confidential data and is capable of monitoring net traffic, loading and running other malware programs and also switching off several system applications.Malware in ARJ archives
In September we detected a major malicious mailout with an unusual attachment for spam letters — an archive in ARJ format. It should be noted that this choice of file archiver was probably made precisely because of the unusual file format. The criminals assumed users would be aware of the potential dangers of ZIP and RAR archive attachments but may be less suspicious of an unfamiliar tag. Furthermore the ARJ archiver allows the file size to be reduced considerably and its source code is available to all for study and modification.
The cybercriminals sent several types of malicious letter within one mailout. These were an announcement about receipt of a fax, an account statement from a specific company and a personal communication with a greeting in the body of the letter. All the letters had an attachment in the form of a malicious program from the family Trojan-Downloader.Win32.Cabby, which distracts victims with an RTF or DOC document and loads a malware program from the ZeuS/Zbot family at the same. All attachment filenames were generated using the same format. To give the letters a unique feel the cybercriminals changed several fragments of the text and the antivirus automatic signature.
The proportion of spam in email traffic,
April – September 2014
The proportion of spam in email traffic according to the figures for the third quarter of 2014 was 66.9%, which is 1.7 percentage points lower than in the previous quarter. The greatest amount of spam was sent in August and the least in September.Spam source countries
Countries that are sources of spam,
third quarter 2014
In the third quarter of 2014 the USA remained the country that was the biggest source of spam, sending almost 14% of unwanted mail. In second place was Russia with 6.1%. Completing the trio of leaders was Vietnam with almost the same amount as Russia at 6% of the world's spam.
The distribution of sources of spam had few surprises. China (5.1%), Argentina (4.1%), and Germany (3.5) made it into the top ten with Brazil in tenth place at 2.9%.The size of spam letters
The sizes of spam letters,
third quarter 2014
The distribution of spam by size has hardly changed from the second quarter. The leaders remain very short letters of up to 1 Kb, which are quick and easy to handle in mass mailings. The proportion of these letters increased by 4.6 percentage points.
There was a slight reduction in the proportion of letters in the size range 2 Kb — 5 Kb — by 4.8 percentage points. There was also a small reduction in the amount of spam in the 5-10 Kb range, by 2.5 percentage points. However there was a 1.7 percentage point increase in the share of letters with a size of 10-20 Kb.Phishing
In the third quarter of 2014 the computers of users of Kaspersky Lab products recorded 71,591,006 instances that triggered the "Antiphishing" system. This is 11.5 million more than in the last quarter.
As in the second quarter, the largest single group of users subjected to phishing attacks was in Brazil — the number was up 3.53 percentage points to 26.73%.
The geography of phishing attacks*,
third quarter of 2014
* The percentage of users on whose computers the "Antiphishing" system was triggered out of the total number of users of Kaspersky Lab products in the country
Top 10 countries by percentage of attacked users:Country % of users 1 Brazil 26.73% 2 India 20.08% 3 Australia 19.37% 4 France 18.08% 5 UAE 17.13% 6 Canada 17.08% 7 Kazakhstan 16.09% 8 China 16.05% 9 UK 15.58% 10 Portugal 15.34%
There was a noticeable increase in attacked users in China (+4.74%), Australia (+3.27%), the UAE (+2.83%) and Canada (+1.31%).Organisations under attack
The statistics on the targets of phishing attacks are based on the triggering of the heuristic component of the "Antiphishing" system. The heuristic component of the "Antiphishing" system is triggered when the user follows a link to a phishing page and there is no information about this page in the Kaspersky Lab databases. For this it is not important how the page was entered, as the result of clicking on a link in a phishing letter, a social network message or, for example, as the result of an action of a malicious program. As a result of the triggering the user sees a warning of the possible threat in the browser.
As before, the "Email and search portals" category (previously known as "Global Internet portals") was the group of organizations most often subject to phishing attacks. However the share for this category has dropped sharply – by 22.15 percentage points – and in the third quarter it stands at 28.54%.
Distribution of organisations subject to phishing attacks,
third quarter of 2014
In the third quarter of 2014 the "Online finance" category saw a 13.39 percentage point rise to 38.23%. Within its sub-categories there were increases for the second quarter in a row for "Banks" (+6.16%), "Payment systems" (+5.85%) and "Online shops" (+3.18%).
Distribution of phishing attacks on payment systems,
third quarter 2014
Phishing attacks on payment systems are particularly attractive because conmen can get their hands directly on their victims' money. Paypal was the most frequently targeted payment system (32.08%) with Visa (31.51%) close behind and American Express in third with 24.83%.
Phishing attacks on the users of payment systems are often conducted by sending false letters, apparently written by representatives of the financial organizations. These letters contain threats to block the account or stop account activity and are designed to startle users into a rash response, which could include transferring confidential information to cybercriminals.
An example of a phishing letter with a threat to block the victim's account
In this example the letter was sent from a suspicious address that didn't match Paypal's usual mailing address. There was a threat to the user that the account would be blocked if account data was not renewed, and a request to follow the link and enter personal data on the page that opened.
Phishing page imitating a Paypal website page
Following the link the user sees a page imitating the layout of the official Paypal website, with a form for the entry of personal data. However the connection to this page is not protected, which is shown by the lack of HTTPS in the address line and the indicated IP address does not belong to Paypal.Top 3 attacked organizations Organization % of phishing links 1 Google 10.34% 2 Facebook 10.21% 3 Yahoo! 6.36%
The top three target organizations remain Google, Facebook and Yahoo!, however there have been changes within the top three. The numbers for Google (10.34%) and Facebook (10.21%) have increased slightly: these organizations have gone up a place in step. Yahoo!, which was the undisputed leader in the first half of 2014, has dropped down to third — the figure for the organization decreased by 24.62% to 6.36%.Hot topics in phishing
Apple was not in the top three, although it climbed in the rating of organizations subject to phishing attacks to reach fourth place with a figure of 1.39% (+0.98%). At the beginning of September the company was involved in a major scandal, connected with leaked photographs of famous people from its iCloud storage servcie. Apple dismissed rumours about the presence of vulnerabilities in the service leading to leaked data; it could be the result of a phishing attack targeting users of Apple products (it is not clear whether this was a targeted attack or if hackers were simply lucky that there were several stars among their victims).
In addition, the new iPhone 6 and 6 Plus were announced on 9 September. Major events in a company usually attract additional interest from swindlers so it is not surprising that we recorded a growth in the number of false communications sent in the name of representatives of Apple services such as iTunes and iCloud.
Conmen used the name of the company to attract users' attention and frequently used the same letter format, changing only the name of the Apple service.
Number of daily phishing attacks imitating pages of Apple resources,
second and third quarters of 2014
Apple uses a two stage check for Apple ID to protect the personal data of users, including the registration of one or several trusted devices. The two stage check eliminates the possibility of unsanctioned access to or alteration of the user's registered details and prevents outsiders from making purchases by using stolen registration details. On 5 September Apple announced that it would soon be taking additional safety measures which would inform users of suspicious activity on their accounts.
Example phishing pages requesting Apple ID data
Among other things, users can improve their safety by attentively studying any page that asks for confidential information. Attention should be paid to the presence of a protected connection and whether the domain belongs to Apple. It is worth considering what information is being requested - conmen frequently ask for information unrelated to what is needed for using Apple ID; they often ask for bank card details under the pretext of linking them to the account. In these cases if the users independently supply the swindlers with financial information Apple's defenses cannot protect them from the consequences.
Example of a phishing page imitating an Apple request for confirmation of personal informationConclusion
The share of spam in email traffic for the third quarter of 2014 was 66.9%, which is 1.7 percentage points less than in the last quarter.
The topics of spam in the third quarter strongly reflected major news events such as the release of the iPhone 6, political developments in Ukraine, the leak of network passwords from major mail services, the Ice Bucket Challenge campaign and the summer holiday season. Major world events are also actively exploited in "Nigerian" spam.
The three leading source countries for spam sent across the world are the USA (14%), Russia (6.1%) and Vietnam (6%).
The rankings of malware programs sent by email, according to third quarter figures, are headed by Trojan.JS.Redirector.adf (2.8%), which sends users to an infected site. Among the families of malicious programs the Andromeda family was the leader with a 12.35% share of all malware. Users in Germany experience more attacks than those anywhere else.
The third quarter saw spam traffic consisting of phishing letters aimed at trying to steal logins and passwords for email accounts, and the release of the new iPhone saw a flare up of phishing communications apparently sent from the Apple iTunes and iCloud services.
In order to install their malicious programs on users' computers in the third quarter cybercriminals sent out not only false communications from hotel booking services and airlines but also letters with long unused file archivers.
The growth of phishing attacks on organizations involved in online financial operations continued (banks, payment systems, online shops). There was a significant reduction in the number of attacks on organizations from the category "Email and search portals", down to 28.54%. There was also a noticeable reduction in the proportion of attacks directed at Yahoo!, one of the organizations in this category.
A long time has passed since we published our analysis of threats for home network devices. Since then, the situation has significantly changed - alas, not for the better. Back in 2011, we were concerned mainly about the security of SOHO routers, DSL modems and wifi access points. Today, we are talking about the whole Internet-of-Things, which includes every single machine, appliance or gadget that is able to communicate over the Internet.
Let's recall what kind of threats for network devices we were aware of at the end of 2011:
- DNS poisoning, drive-by pharming and SOHO pharming: exploitation of vulnerabilities in a web interface of a router/modem to change its DNS settings in order to redirect users to malicious websites
- UPnP & SNMP based attacks: exploitation of vulnerabilities and implementation issues in widely used protocols in order to get access to the device
- Malicious binaries: Linux-based DDoS (Distributed Denial of Service) tools, especially customized to run on routers; router botnets, capable of conducting a wide range of attacks; worms, infecting routers and spreading through the network
And now, let's look at the year 2014 and see which of our predictions came true...More SOHO pharming attacks
True. There have been numerous attacks utilizing a router's DNS settings to obtain users banking credentials and redirect users to malicious websites. Just to name a few of the biggest incidents:
- January 2014: huge SOHO pharming campaign affecting a wide range of routers from several manufacturers all over the world.The attackers exploited a variety of vulnerabilities to change the DNS settings of more than 300 000 devices, mainly located in Vietnam, India and Thailand, but also in several countries in Europe, both Americas and Africa. As a result, all traffic from behind the compromised routers was redirected to the malicious servers, enabling cybercriminals to decide if users should be pointed to the original version of the website they requested, or to the phishing/malicious one.
- February 2014: another large scale campaign using the DNS poisoning technique. This time the attack was highly targeted and the goals of the cybercriminals were strictly defined: the attack was designed to steal the banking credentials from users of five popular Polish banks. In this case the number of infected routers was about 100 and most of them were located in Poland and Russia. When users tried to log into the online banking website, they were redirected to a modified site which requested them to provide the confidential information.
- September 2014: classical drive-by pharming attack targeting home routers in Mexico and Brazil. This attack started with malicious email, spammed to a large number of Portuguese-speaking users, in which cybercriminals tried to lure the recipient to click on the link to malicious website. The HTML script on this website was designed to try several combinations of default credentials to access the configuration of the router and change its DNS settings. If this approach failed, the script displayed a pop up, asking user to enter the router credentials manually.
True. We have discovered more malware samples that are affecting MIPS routers, and – more importantly – samples developed in such a way that they might be compiled for different platforms (MIPS, ARM, Intel, PPC, SuperH, etc.) and run on different kinds of Linux-based devices. A couple of examples:
- Aidra – an open source DDoS tool, designed to scan modems/routers and create a botnet from exploitable devices. There are currently several Aidra binaries in the wild, compiled for different platforms (MIPS, ARM, PPC, SuperH), which means that this worm has been customized to be able to infect Internet-of-Things devices.
- Darlloz – a Linux worm and bot designed for MIPS, ARM and Intel architectures, spreading through a PHP-CGI vulnerability to randomly generated IP addresses and capable of downloading and running additional code. It communicates with the malicious operator by opening a backdoor on TCP port 58455 and waiting for commands. It infected more than 30 000 devices, mainly in the US and China, and – as it was proven later – was used to install crypto-currency mining software (cpuminer), at least on Intel x86 devices.
- The Moon worm – a mysterious worm, spreading through a remote authentication bypass exploit in the implementation of the HNAP protocol in Linksys E-Series routers. This malware collects information about the device and communicates with its C&C (Command and Control) servers using quotes and images from the 2009 sci-fi movie called "The Moon". The IP ranges that the worm scans, in order to exploit them, are hard-coded in the binary and include about 670 networks, most of which belong to certain DSL and cable modem ISPs in different countries.
Figure 1 – Aidra - open source DDoS tool
Figure 2a – Darlloz worm, code compiled for ARM architecture
Figure 2b – Darlloz worm, same code snipped, compiled for x86 architecture
Figure 3 – The Moon worm, strings related to The Moon movie
True. The story published in the German c't magazine revealed the first router malware that was trying to make persistent changes to the router firmware. The malware consisted of several Linux shell scripts that were responsible for downloading the modified version of the firmware, overwriting the original image and rebooting the router. The malicious firmware came with a modified init script, which launched a sniffing tool (dsniff) on the infected machine, capturing traffic and sending all the intercepted data to the C&C FTP server. This malware was found to be affecting not only routers but also other Linux-based embedded devices, such as Dreambox DVB receivers.
Figure 4 – Flasher, script replacing the original firmware
Figure 5 – Flasher, script running the sniffer and uploading the data to FTP serverCross-platform and multi-platform malware
True. Malware and botnets traditionally associated with Windows machines only, now start to use routers and other Internet enabled devices for different malicious purposes:
- The Sality virus was found to incorporate SOHO routers in its replication process, by using DNS poisoning method to redirect users to infected files. In this case, the malware used was Windows malware similar to the DNSChanger Trojan.
- The Black Energy 2 botnet also got an IoT upgrade: it started to use additional plugins which are designed to run on Linux-based MIPS and ARM devices. These modules are capable of performing DDoS attacks, stealing passwords, scanning ports in the network and sniffing traffic. They are communicating with C&C servers and are able to execute specified shell commands and download and launch additional binaries. We have recently published an in-depth analysis of Black Energy 2, where you can find much more details about it.
True. Several critical vulnerabilities affecting Internet-of-Things devices were discovered and reported to the vendors this year. Just to name a few:
- Rom-0 vulnerability in ZyXEL routers, which allows an attacker to download the router's configuration file without any authentication
- CVE-2014-2719 vulnerability in ASUS wireless routers, which allows an attacker to retrieve the router's credentials
- 15 zero-day vulnerabilities in 10 different SOHO router models, revealed at the Defcon 22's SOHOpelessly Broken contest
- Our colleague, David Jacoby, found interesting zero-days in the devices he uses at home.
- We also need to remember that the Heartbleed and Shellshock vulnerabilities affect some Linux-based network devices and internet-of-Things devices as well.
But what is even more scary than the growth in discovered vulnerabilities, is the fact that certain vendors seem to implement hardcoded firmware backdoors in their products, providing cybercriminals with an easy way-in, especially to devices that no longer receive any updates.
As we can see, the security situation of the network devices didn't much improve since 2011. Most of our predictions came true: the threats are on the rise and cybercriminals widen their interest not only to home routers and modems, but to the whole Internet-of-Things. Although both the vendos and the ISPs are slowly realizing the threat and trying to make their devices more secure, there is still a lot to do. For example, one of the very serious issues is that most of the older devices are not receiving firmware updates anymore, so if there is any new attack vector discovered, users can do literally nothing to protect themselves against it, unless they decide to purchase an (often expensive) newer version of the device, that is still being supported. This issue is not easy to fix: for the vendors, it wouldn't really be cost-effective to support each of the devices they offer for a long period of time; and without the software patches, there is not much to do to secure these devices from the customer's side. Times has changed, and we need to come up with a new security model for Internet of Things, as the old one is not working properly anymore.
To learn, how to protect your home network, please read the guidelines put together by my colleague, David Jacoby.
Our homes today look more like small offices. We have tons of different devices connected to our network, everything from storage devices and network equipment to wireless network printers. The entire "home entertainment" industry is getting connected: it is very difficult to buy a TV, DVD or Blu-ray player that's does not have WIFI… the same thing goes for the gaming industry: all new gaming consoles require Internet connectivity.
I do love the fact that we are applying new technology to old concepts, and improving functionality. I personally even have my old retro computers connected to the Internet - and we are talking about old computers such as Commodore 64, Amiga 500 and Atari computers - because I love the fact of adding new functionality to old things.
And as we know, with great power comes great responsibility. But this is not something that the consumer product vendors are really adopting when adding extra functionality to their "old" products. I did some research where I looked into the devices that were connected to my own home network, and the result was extremely scary! Within minutes I was able to fully compromise some of my devices, turning them into zombie machines in botnets, bypassing all the security and accessing files on storage devices that I did not have the authority to access.
Many people still believe that these attacks are difficult, and require someone to sit on the same network as your devices, for example on your private WIFI connection, but this is false perception. There are very easy and effective ways to compromise the network of connected devices behind your personal firewall remotely over the Internet.
My colleague, Marta Janus, also did some very interesting research where she looked into the (in)security of home modems and routers, and we both came to the same conclusion. We need to act now! This is not a futuristic problem, this problem exists now. Cybercriminals are exploiting these weaknesses right now and the industry is not doing enough about this.
This is not only a technical problem that can be resolved with a patch. Consumers in general are very bad at understanding how these network connected devices should be installed. All of these devices have different usage, and because of that also require different network configurations. We are very lazy, and without proper installation instructions we simple connect the devices to our network; and when that is done, we consider the installation complete.
What is happening is that you are sharing the same network configuration among all devices. This results, for example, in having a TV, Blu-ray player and network storage device on the same network as the laptop you use to do online banking, home finances, online shopping and maybe even work.
The vendors also need to take more responsibility when shipping consumer products. Most people don't understand that the support lifecycle of these devices is only about six months; after that there will be no more updates or support from the vendor, because they need to support the next upcoming products.
From talking to friends and family, it's clear that they have a problem realizing that this is actually a threat! People still believe that it's always "someone else" who will get infected with malicious code, or who will get their credit card details or identity stolen. Please wake up to the real world - this is happening right here, right now! Some really good examples of these types of attacks are:
- Customers to one of the largest ISPs in Sweden were sent vulnerable routers by the ISP, allowing attackers to remotely compromise the device though a "god-like" account with an very weak password; and all devices had the same account with the same password.
- A large amount of money was stolen from the customers of five popular Polish banks, following an attack in which cybercriminals changed the settings of hundreds of vulnerable SOHO routers in order to redirect users to the fake banking websites.
- Malware (Psyb0t) targeted home SOHO routers exploiting software weaknesses, but also weak passwords in the administrative interface - turning the device into a zombie in a botnet.
- Malware (BlackEnergy2) implemented additional modules, designed to run on Internet-of-Things devices, in order to perform DDoS (Distributed Denial of Service) attacks, steal passwords and sniff network traffic.
- Malware (Flasher) replaced the firmware on vulnerable SOHO devices with a modified system image that eavesdrops on users' network activity.
As researchers it is very easy to identify security weaknesses and flame the vendors about them, but it is a bit more challenging to come up with an effective conclusion. Together with Marta, we compiled a little list of easy tips and tricks that you should apply if you have network connected devices. It's only general tips because finding one solution that works on multiple devices is very complex; all products look and feel different and have different usages.
- Change default passwords on the device; attackers will try to exploit this!
- If possible try to update the firmware to the latest version!
- If you do not use the network connectivity on the device, TURN IT OFF! If you use it, or if it's necessary for the device to work, make sure that there is NO REMOTE ACCESS to the management interface of the device from the outside world.
- Apply strong network segmentation for your connected devices
- Does the device require access to the INTERNET?
- Does the device, for example a TV, require access to the same network as your personal data?
- Switch off unnecessary features. Contemporary IoT devices usually implement a variety of different functionalities, some of which you might not even be aware of. It's good practice, after buying each new device, to learn about all its features and disable the ones that you are not going to use. Having all the features enabled increases the potential attack surface.
- Read The Fascinating Manual. Every device is shipped with a manual, which documents its features and configuration settings. Also, there is usually a lot of additional documentation available online. To keep your home secure, you should always familiarize yourself with any new device that you are going to incorporate into your network and take all the recommended steps to make the device as secure as possible.
- Please contact the support team of the vendor if you do have questions. When buying consumer products, you also pay for support. Use it! They will offer guidance for your specific device!
In the spring of 2012, following a Kaspersky Lab presentation on the unusual facts surrounding the Duqu malware, a security researcher contacted us and mentioned that Duqu reminded him of another high-end malware incident. Although he couldn't share a sample, the third-party researcher mentioned the "Regin" name, a malware attack that is now dreaded by many security administrators in governmental agencies around the world.
For the past two years, we've been tracking this most elusive malware across the world. From time to time, samples would appear on various multi-scanner services, but they were all unrelated to each other, cryptic in functionality and lacking context.
It's unknown exactly when the first samples of Regin were created. Some of them have timestamps dating back to 2003.
The victims of Regin fall into the following categories:
- Telecom operators
- Government institutions
- Multi-national political bodies
- Financial institutions
- Research institutions
- Individuals involved in advanced mathematical/cryptographical research
So far, we've observed two main objectives from the attackers:
- Intelligence gathering
- Facilitating other types of attacks
While in most cases, the attackers were focused on extracting sensitive information, such as e-mails and documents, we have observed cases where the attackers compromised telecom operators to enable the launch of additional sophisticated attacks. More about this in the GSM Targeting section below.
Perhaps one of the most publicly known victims of Regin is Jean Jacques Quisquater (https://en.wikipedia.org/wiki/Jean-Jacques_Quisquater), a well-known Belgian cryptographer. In February 2014, Quisquater announced he was the victim of a sophisticated cyber intrusion incident. We were able to obtain samples from the Quisquater case and confirm they belong to the Regin platform.
Another interesting victim of Regin is a computer we are calling "The Magnet of Threats". This computer belongs to a research institution and has been attacked by Turla, Mask/Careto, Regin, Itaduke, Animal Farm and some other advanced threats that do not have a public name, all co-existing happily on the same computer at some point.Initial compromise and lateral movement
The exact method of the initial compromise remains a mystery, although several theories exist, which include man-in-the-middle attacks with browser zero-day exploits. For some of the victims, we observed tools and modules designed for lateral movement. So far, we have not encountered any exploits. The replication modules are copied to remote computers by using Windows administrative shares and then executed. Obviously, this technique requires administrative privileges inside the victim's network. In several cases, the infected machines were also Windows domain controllers. Targeting of system administrators via web-based exploits is one simple way of achieving immediate administrative access to the entire network.The Regin platform
In short, Regin is a cyber-attack platform which the attackers deploy in the victim networks for ultimate remote control at all possible levels.
The platform is extremely modular in nature and has multiple stages.
Regin platform diagram
The first stage ("stage 1") is generally the only executable file that will appear in victim' systems. Further stages are stored either directly on the hard drive (for 64 bit systems), as NTFS Extended Attributes or registry entries. We've observed many different stage 1 modules, which sometimes have been merged with public sources to achieve a type of polymorphism, complicating the detection process.
The second stage has multiple purposes and can remove the Regin infection from the system if instructed so by the 3rd stage.
The second stage also creates a marker file that can be used to identify the infected machine. Known filenames for this marker are:
Stage 3 exists only on 32 bit systems - on 64 bit systems, stage 2 loads the dispatcher directly, skipping the third stage.
Stage 4, the dispatcher, is perhaps the most complex single module of the entire platform. The dispatcher is the user-mode core of the framework. It is loaded directly as the third stage of the 64-bit bootstrap process or extracted and loaded from the VFS as module 50221 as the fourth stage on 32-bit systems.
The dispatcher takes care of the most complicated tasks of the Regin platform, such as providing an API to access virtual file systems, basic communications and storage functions as well as network transport sub-routines. In essence, the dispatcher is the brain that runs the entire platform.
A thorough description of all malware stages can be found in our full technical paper.Virtual File Systems (32/64-bit)
The most interesting code from the Regin platform is stored in encrypted file storages, known as Virtual File Systems (VFSes).
During our analysis we were able to obtain 24 VFSes, from multiple victims around the world. Generally, these have random names and can be located in several places in the infected system. For a full list, including format of the Regin VFSes, see our technical paper.Unusual modules and artifacts
With high-end APT groups such as the one behind Regin, mistakes are very rare. Nevertheless, they do happen. Some of the VFSes we analyzed contain words which appear to be the respective codenames of the modules deployed on the victim:
- legspinv2.6 and LEGSPINv2.6
Another module we found, which is a plugin type 55001.0 references another codename, which is U_STARBUCKS:
The most interesting aspect we found so far about Regin is related to an infection of a large GSM operator. One VFS encrypted entry we located had internal id 50049.2 and appears to be an activity log on a GSM Base Station Controller.
According to the GSM documentation (http://www.telecomabc.com/b/bsc.html): "The Base Station Controller (BSC) is in control of and supervises a number of Base Transceiver Stations (BTS). The BSC is responsible for the allocation of radio resources to a mobile call and for the handovers that are made between base stations under his control. Other handovers are under control of the MSC."
Here's a look at the decoded Regin GSM activity log:
This log is about 70KB in size and contains hundreds of entries like the ones above. It also includes timestamps which indicate exactly when the command was executed.
The entries in the log appear to contain Ericsson OSS MML (Man-Machine Language as defined by ITU-T) commands.
Here's a list of some commands issued on the Base Station Controller, together with some of their timestamps:
Descriptions for the commands:
- rxmop - check software version type;
- rxmsp - list current call forwarding settings of the Mobile Station;
- rlcrp - list off call forwarding settings for the Base Station Controller;
- rxble - enable (unblock) call forwarding;
- rxtcp - show the Transceiver Group of particular cell;
- allip - show external alarm;
- dtstp - show DIgital Path (DIP) settings (DIP is the name of the function used for supervision of the connected PCM (Pulse Code Modulation) lines);
- rlstc - activate cell(s) in the GSM network;
- rlstp - stop cell(s) in the GSM network;
- rlmfc - add frequencies to the active broadcast control channel allocation list;
- rlnri - add cell neightbour;
- rrtpp - show radio transmission transcoder pool details;
The log seems to contain not only the executed commands but also usernames and passwords of some engineering accounts:
In total, the log indicates that commands were executed on 136 different cells. Some of the cell names include "prn021a, gzn010a, wdk004, kbl027a, etc...". The command log we obtained covers a period of about one month, from April 25, 2008 through May 27, 2008. It is unknown why the commands stopped in May 2008 though; perhaps the infection was removed or the attackers achieved their objective and moved on. Another explanation is that the attackers improved or changed the malware to stop saving logs locally and that's why only some older logs were discovered.Communication and C&C
The C&C mechanism implemented in Regin is extremely sophisticated and relies on communication drones deployed by the attackers throughout the victim networks. Most victims communicate with another machine in their own internal network, through various protocols, as specified in the config file. These include HTTP and Windows network pipes. The purpose of such a complex infrastructure is to achieve two goals: give attackers access deep into the network, potentially bypassing air gaps and restrict as much as possible the traffic to the C&C.
Here's a look at the decoded configurations:
In the above table, we see configurations extracted from several victims that bridge together infected machines in what appears to be virtual networks: 17.3.40.x, 50.103.14.x, 51.9.1.x, 18.159.0.x. One of these routes reaches out to the "external" C&C server at 188.8.131.52.
The numbers right after the "transport" indicate the plugin that handles the communication. These are in our case:
- 27 - ICMP network listener using raw sockets
- 50035 - Winsock-based network transport
- 50037 - Network transport over HTTP
- 50051 - Network transport over HTTPS
- 50271 - Network transport over SMB (named pipes)
The machines located on the border of the network act as routers, effectively connecting victims from inside the network with C&Cs on the internet.
After decoding all the configurations we've collected, we were able to identify the following external C&Cs.C&C server IP Location Description 184.108.40.206 Taiwan, Province Of China Taichung Chwbn 220.127.116.11 India, Chetput Chennai Network Operations (team-m.co) 18.104.22.168 India, Thane Internet Service Provider 22.214.171.124 Belgium, Brussels Perceval S.a.
One particular case includes a country in the Middle East. This case was mind-blowing so we thought it's important to present it. In this specific country, all the victims we identified communicate with each other, forming a peer-to-peer network. The P2P network includes the president's office, a research center, educational institution network and a bank.
These victims spread across the country are all interconnected to each other. One of the victims contains a translation drone which has the ability to forward the packets outside of the country, to the C&C in India.
This represents a rather interesting command-and-control mechanism, which is guaranteed to raise very little suspicions. For instance, if all commands to the president's office are sent through the bank's network, then all the malicious traffic visible for the president's office sysadmins will be only with the bank, in the same country.
Over the past two years, we collected statistics about the attacks and victims of Regin. These were aided by the fact that even after the malware is uninstalled, certain artifacts are left behind which can help identify an infected (but cleaned) system. For instance, we've seen several cases where the systems were cleaned but the "msrdc64.dat" infection marker was left behind.
So far, victims of Regin were identified in 14 countries:
In total, we counted 27 different victims, although it should be pointed out that the definition of a victim here refers to a full entity, including their entire network. The number of unique PCs infected with Regin is of course much, much higher.
From the map above, Fiji and Kiribati are unusual, because we rarely see such advanced malware in such remote, small countries. In particular, the victim in Kiribati is most unusual. To put this into context, Kiribati is a small island in the Pacific, with a population around 100,000.
More information about the Regin victims is available through Kaspersky Intelligent Services. Contact: firstname.lastname@example.orgAttribution
Considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state. While attribution remains a very difficult problem when it comes to professional attackers such as those behind Regin, certain metadata extracted from the samples might still be relevant.
As this information could be easily altered by the developers, it's up to the reader to attempt to interpret this: as an intentional false flag or a non-critical indicator left by the developers.
More information about Regin is available to Kaspersky Intelligent Services' clients. Contact: email@example.comConclusions
For more than a decade, a sophisticated group known as Regin has targeted high-profile entities around the world with an advanced malware platform. As far as we can tell, the operation is still active, although the malware may have been upgraded to more sophisticated versions. The most recent sample we've seen was from a 64-bit infection. This infection was still active in the spring of 2014.
The name Regin is apparently a reversed "In Reg", short for "In Registry", as the malware can store its modules in the registry. This name and detections first appeared in anti-malware products around March 2011.
From some points of view, the platform reminds us of another sophisticated malware: Turla. Some similarities include the use of virtual file systems and the deployment of communication drones to bridge networks together. Yet through their implementation, coding methods, plugins, hiding techniques and flexibility, Regin surpasses Turla as one of the most sophisticated attack platforms we have ever analysed.
The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations. In today's world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and further abuse them to launch other types of attacks against mobile users.
Kaspersky products detect modules from the Regin platform as: Trojan.Win32.Regin.gen and Rootkit.Win32.Regin.
If you detect a Regin infection in your network, contact us at: firstname.lastname@example.org
Another ransomware has been spotted in the wild lately, branded as 'CoinVault'. This one involves some interesting details worth mentioning, including the peculiar characteristic of offering the free decryption of one of the hostage files as a sign of good faith.
Technically, the malware writers have taken a lot of measures to slow down the analysis of the sample. Even though it was made with Microsoft's .NET framework, it takes a while to reach the core of their malicious application. Upon opening the initial sample in 'IL Spy', we find that the program starts by using a string key which is passed to a decryption method, which will ultimately get the executable code.
A byte array is also passed as a parameter to the 'EncryptOrDecrypt' method, which in conjunction with the key will output a final byte array with the malware's much needed code.
Implementing these functions in Visual Studio is as easy as copy/paste, so we execute the methods gotten from the source code and set a breakpoint to check what the decryption method is doing. A '77', '90' in decimal tells us we are on the right track since when converting these numbers to hexadecimal we get '4D', '5A', which is the magic number for DOS executable files identified by the ASCII string 'MZ'. We dump all the bytes to an executable file in disk for further analysis.
We get a file called 'SHIELD runner', serving as a 'RunPE' helper application. A 'RunPE' application serves to execute files on the fly, meaning that a memory stream is created from an input and executed directly without first storing the file to disk. This is useful for malware writers that want to avoid leaving traces behind, and as we'll soon see, it's not all this file has to offer.
Although we'll carry on with our investigation into the ransomware code, there's a noteworthy string embedded in the SHIELD runner executable, 'd:\Users\dennis…'.
In the same way as before, a string key and a byte array are used to generate yet another executable file. As you can see, the cybercriminals have gone to great lengths in order to slow down the analysis and hide the malicious payload for as long as possible.
Not only do we have the usual 'RunPE' functions but also a nice additional set of methods that will help the malware detect analysis tools and virtualized environments. It checks for 'Sandboxie', 'Wireshark', 'Winsock Packet Editor' and even checks whether the machine's name is 'MALTEST'. Fortunately, none of these conditions are met in my environment so we are good to go.
But wait…. there's more! The detection of the virtualized environment will cause the execution to stop and the malicious payload to be hidden.
Using PowerShell, we are going to check if the malware can actually detect our environment. Apparently it can, so we'll need to carry out some simple modifications in order to continue the analysis process.
We can fix this easily from VMWare's configuration VMX file, setting the option 'SMBIOS.reflectHost = TRUE'. Running out PowerShell checks again, we witness the good news and are ready to go even further.
Repeating the process of string key and byte array decryption and dumping the memory at just the right time pays off and we finally end up with the set of files that will be used during the infection.
The CoinVault 'Locker' has two main Windows forms: the main one telling us to pay in order to recover the victim's files and 'frmGetFreeDecrypt' which is used to decrypt one of the victim's files as a way to demonstrate that we can in fact recover our precious information if we comply in a timely manner.
However, before the 'Locker' analysis we'll need to deobfuscate it (at least a little bit). The malware writers display some sense of humor here: if the analyst has gone through this much trouble to reach this point it seems he's welcome as suggested by the phrase, 'Your worst nightmare'. Moreover, they are keen enough to leave a banner signaling the obfuscation utility they used. In this case we are dealing with the ever popular 'Confuser', in its version 126.96.36.199.
Certainly, this is confusing… but we can make it better. So, we go from something that resembles a Chinese manuscript to readable source code.
We now can see, amongst the many (many) methods and delegates inside the assembly some relevant code regarding the file encryption. .NET's 'System.Security.Cryptography.RijndaelManaged' namespace is used (amongst others) revealing symmetric encryption functionality.
We can even get a glance at how the PRNG was implemented and some internal details of the malicious application.
When we are finally shown the 'Locker' executable, a connection is made to a dynamic domain. During the analysis, two addresses were present: 'cvredirect.no-ip.net' and 'cvredirect.ddns.net'. They are currently offline and this hampers the 'Locker' functionality, since upon traffic analysis inspection we were able to see that a hardware ID is sent to the C&C in order to use a dynamic file encryption password. I guess now we can understand why the malware is checking for Wireshark in the system. After all, cybercriminals wouldn't want you to take a peek at how their business is getting done.
At this point, if everything went well (for the cybercriminals) your personal documents and files have been encrypted and a payment is demanded in less than 24 hours or the price will rise. The bitcoin address used is dynamic too, making the tracing of the funds a lot more complex than usual.
Is this your worst nightmare? If you don't have an updated anti-malware suite and (just in case) a backup of your most important files, it might just be.
Kaspersky detects this family as 'Trojan-Ransom.Win32.Crypmodadv.cj'. We have already seen similar malicious applications in the past (regarding functionality) such as 'TorrentLocker', and some PowerShell ransomware, but the amount of effort invested in this one in order to protect the code shows that cybercriminals are leveraging already developed libraries and functionality in order to avoid reinventing the wheel.
This year's 17th Association of anti-Virus Asia Researchers international conference, "AVAR 2014" came back to Sydney, Australia with the theme "Security Down-Under". The event was held here also in 2003.
The arrival hall at Sydney airport did indeed look like this:
More than 170 attendees related to the anti-virus industry, CERTs, law enforcement and academia from around the world had plenty of opportunities to network and exchange thoughts and ideas.
The keynote, delivered by Graham Cluley, included a part where everybody was invited to join in singing "The anti-virus industry song".
The presentations covered subjects like the current global anti-malware ecosystem, the mobile cybercriminal underground market in a certain country, details about the Dragonfly threat actor and much more (see the link below for more information).
Kaspersky Lab's Roman Unuchek did present his research about Android banking botnets.
Colleagues from ESET did a great job organizing not only the conference but also an entertaining gala dinner at the "Power House Museum".
Another highlight was the "after party" in a Bavarian Beer Cafe. That turned into a kind of power house as well when some attendees of the AVAR 2014 got on stage and rocked the place.
Last but not least there was also an opportunity to see a bit of Sydney's scenery and wild life during a tour.
We are looking forward to the next AVAR in 2015, which will be held in Vietnam.
It took some time but they're finally here – Brazilian cybercriminals have started to target their attacks towards mobile banking users. This week we spotted the first Trojan banker targeting Brazilian users of Android devices. Two malicious applications meant to pass for apps from local Banks were hosted on Google Play.
According FEBRABAN (the local Federation of Banks), more than 6 million Brazilians are using mobile banking regularly, so it's not surprising to find malware targeting mobile users. In fact, Brazil was crowned the country most attacked by banking malware in our Q3 threat evolution report:
This move by Brazilian bad guys was predictable and awaited as a natural development in the local malware scene. In 2012, we witnessed attacks using phishing pages in mobile format and now a bag guy using the name "Governo Federal" (Federal Government) was able to publish 2 malicious apps in the Play store:
Both apps used the name of two very popular public Brazilian Banks – the first app was published on October 31st and registered 80 installations. The second was published on November 10th and had only 1 installation.
To create the malicious app, the (lazy) bad guy decided to use "App Inventor": a free platform that allows anyone to create their own mobile Android application, no technical knowledge required. The result is an app big in size and full of useless code. But both apps had the function to load the logos of the targeted Banks and open a frame – the phishing page programmed to capture the user's credentials. Simple, but effective, as mobile banking users in Brazil still use single authentication, without tokens or OTPs, where only the account number and password are required.
The phishing pages of the targeted Banks were hosted on a hacked website. A good soul removed them and inserted an alert to the visitors stating: "Este é um aplicativo Falso, denuncie este app", meaning "This is a fake app, please report it". As a result, when the user downloads, installs and opens the fake banking app, this message is displayed inside, instead of the original phishing page:
We reported both apps to Google, and they promptly removed them from the Play Store. We detect both apps as Trojan-Banker.AndroidOS.Binv.a (MD5s: 00C79B15E024D1B32075E0114475F1E2 and A18AC7C62C5EFD161039DB29BFDAA8EF) and we're quite sure that these are only the first crude attempts of many more to come.
Thanks to my colleague Roman Unucheck for the valuable help in this case.
In July we published our in-depth analysis into a targeted attack campaign that we dubbed 'Crouching Yeti'. This campaign is also known as 'Energetic Bear'.
This campaign, which has been active since late 2010, has so far targeted the following sectors: industrial/machinery, manufacturing, pharmaceutical, construction, education and information technology. So far there have been more than 2,800 victims worldwide, and we have been able to identify 101 different organisations – mostly in the United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China.
The list of victims suggests that the attackers behind Crouching Yeti are pursuing strategic targets. Nevertheless, the attackers have also shown an interest in not-so-obvious institutions too.
The attackers behind Crouching Yeti use various types of malware (all designed to infect systems running Windows) to infiltrate their victims, extend their reach within the target organisations and steal confidential data, including intellectual property and other strategic information. Infected computers connect to a large network of hacked web sites that host malware modules, hold information about victims and send commands to infected systems.
The attackers use three methods to infect their victims. First, they use a legitimate software installer, re-packaged to include a malicious DLL file. Such modified self-extracting archive files could be uploaded directly to a compromised server, or they could be sent directly to someone within the target organisation by e-mail. Second, they use spear-phishing to deliver a malicious XDP (XML Data Package) file containing a Flash exploit (CVE-2011-0611). Third, they use watering-hole attacks. Hacked web sites use several exploits (CVE-2013-2465, CVE-2013-1347, and CVE-2012-1723) to redirect visitors to malicious JAR or HTML files hosted on other sites maintained by the attackers. The term 'watering-hole' is applied to a web site that is likely to be visited by potential victims. These web sites are compromised in advance by the attackers – the site is injected to install malware on the computers of anyone visiting the compromised site.
One malicious program used by the attackers, the Havex Trojan, includes special modules to collect data from specific industrial IT environments. The first of these is the OPC scanner module. This module is designed to collect the extremely detailed data about the OPC servers running in the local network. OPC (Object Linking and Embedding (OLE) for Process Control) servers are typically used where multiple industrial automation systems are operating. This module is accompanied by a network scanning tool. This module scans the local network, looks for all computers listening on ports related to OPC/SCADA (Supervisory Control and Data Acquisition) software, and tries to connect to such hosts in order to identify which potential OPC/SCADA system is running. It then transmits all the data it finds to the Command-and-Control (C2) servers used by the attackers to manage the campaign.
While analysing the code, we looked for clues that might point to the identity of the attackers.
A timestamp analysis of 154 files revealed that most of the samples were compiled between 06:00 and 16:00 UTC. This could match any country in Europe. We also looked at the language used by the attackers. The malware contains strings in English (written by non-native English speakers). There were also some clues pointing indicating possible French and Swedish speaker. But unlike several other researchers who looked at Crouching Yeti, we didn't find anything that would enable us to conclude with certainty that the attackers are of Russian origin. There's a lack of Cyrillic content (or transliteration) across the 200 malicious binaries and related operational content – in contrast to what we found when looking at earlier targeted attack campaigns, including Red October, MiniDuke, CosmicDuke, the Snake and TeamSpy.An Epic tale of cyber-espionage
For more than a year Kaspersky Lab has been researching a sophisticated cyber-espionage campaign that we call 'Epic Turla'. This campaign, which dates back to 2012, targets government institutions, embassies, military, research and educational organizations and pharmaceutical companies. Most of the victims are located in the Middle East and Europe, although we have seen victims elsewhere, including the United States. Altogether, we have found several hundred victim's IP addresses in more than 45 countries.
When we published our initial research into this campaign, it was unclear how victims of the attack were becoming infected. In in our latest research, published in August, we outlined the infection mechanisms used by Epic Turla and how they fit within the structure of the overall campaign.
The attackers use social engineering tricks to infect their victims –specifically spear-phishing and watering-hole attacks.
Some of the spear-phishing e-mails include zero-day exploits. The first of these, affecting Adobe Acrobat Reader (CVE-2013-3346), allows the attackers to arbitrarily execute code on the victim's computer. The second, a privilege escalation vulnerability in Windows XP and Windows Server 2003 (CVE-2013-5065), provides the Epic Turla backdoor with administrator rights on the victim's computer. In addition, the attackers trick their victims into running malware installers with an SCR extension – sometimes packed using RAR. When the unsuspecting victims open an infected file, a backdoor is installed on their computer, giving the attackers full control.
The cybercriminals behind Epic Turla also use watering-hole attacks that deploy a Java exploit (CVE-2012-1723), Adobe Flash exploits and Internet Explorer exploits. There are others that use social engineering to trick victims into running fake 'Flash Player' malware installers. Depending on the IP address of the victim, the attackers serve Java or browser exploits, signed fake Adobe Flash Player software or a fake version of Microsoft Security Essentials. We have seen more than 100 injected web sites. Unsurprisingly, the choice of web sites reflects the specific interests of the attackers (as well as the interests of the victims). For example, many infected Spanish web sites belong to local governments.
Once the computer is infected, the Epic Turla backdoor (known also as 'WorldCupSec', 'TadjMakhal', 'Wipbot' and 'Tadvig') immediately connects to the C2 server to send a pack containing the victim's system information. Based on the summary information sent to the C2 server, the attackers deliver pre-configured batch files containing a series of commands to be executed on the infected computer. The attackers also upload custom lateral movement tools (including a specific keylogger and RAR archiver), as well as standard utilities such as a DNS query tool from Microsoft.
Our analysis revealed that the Epic Turla backdoor is just the first stage of a wider infection process. It is used to deploy a more sophisticated backdoor known as the 'Cobra/Carbon system' (named 'Pfinet' by some anti-malware products). After some time, the attackers went further, using the Epic Turla implant to update the Carbon configuration file with a different set of C2 servers. The unique knowledge to operate these two backdoors indicates a clear and direct connection between them: one is used to gain a foothold and validate the high-profile victim. If the victim proves to be of interest to the attackers, the compromised computer is upgraded to the full Carbon system.
Here's an overview of the whole Epic Turla cyber-espionage campaign:
Attributing these attacks is always very difficult. However, some aspects of the code tell us something about the attackers. It's clear that they are not native English speakers. They commonly misspell words and phrases, such as:
'Password it's wrong!'
'File is not exists'
'File is exists for edit'
There are also other indicators that hint at the origin of the attackers. For example, some of the backdoors have been compiled on a system with the Russian language. In addition, the internal name of one of the Epic Turla backdoors is 'Zagruzchik.dll', which means 'bootloader' or 'load program' in Russian. Finally, the Epic Turla 'mother ship' control panel sets the code page to 1251, which is used for Cyrillic characters.NetTraveler gets a birthday makeover
We have discussed this targeted attack campaign, which has now been active for 10 years, on several occasions.
Earlier this year we observed an increase in the number of attacks on Uyghur and Tibetan activists, using an updated version of the NetTraveler backdoor. The attackers use spear-phishing e-mails to lure their victims: e-mails include a Microsoft Word document that contains the CVE-2012-0158 exploit. This drops the main module ('net.exe') onto the computer, which in turn installs a number of other files, including the main C2 module. This module is registered as a service ('Windowsupdata') by means of a Windows batch file called 'dot.bat'. The format of the malware configuration file has also been updated and it's clear that the attackers have taken steps to try and conceal the configuration (but the encryption they used is weak).
The focus of the attackers has changed over time. For much of its existence, the main targets of NetTraveler were diplomatic, government and military organisations. More recently, its cyber-espionage activities have focused more on organisations involved in space exploration, nano-technology, energy production, nuclear power, lasers, medicine and communications.
A focus on Uyghur and Tibetan activists remains a core part of the attackers' activities.The Syrian malware house of cards
Technology is now an integral part of our lives, so it's hardly surprising to see a cyber-dimension to conflicts around the world. This is especially true of the Middle East, where geo-political conflicts have intensified in recent years. Kaspersky Lab's Global Research and Analysis Team analysed the recent increase in malware activity in Syria.
The people behind these attacks use social engineering tricks to lure their victims into opening infected files. They use e-mail, Skype messages, Facebook posts and YouTube videos.
They use a variety of 'hooks' – preying on their victims' trust in social networking forums, their curiosity about news related to the conflict in Syria, their fear of the government and their lack of technical awareness.
Examples include a disturbing video on YouTube showing injured victims of recent bombings that also invites people to download a malicious program from a public file-sharing web site. We also found a set of compressed files on a popular social networking site which, when extracted, revealed a database containing a list of activists and wanted individuals in Syria. The download link for this database application was included in the information section of a video published on 9 November 2013. The attackers also make use of fake security solutions to trick their victims – including a fake anti-virus program called 'Ammazon Internet Security' and a Trojanised version of a legitimate network monitoring tool, Total Network Monitor. They don't just spread fake security applications – we've also seen fake versions of the Whatsapp and Viber instant messaging apps.
The attackers use a number of well-known remote administration tools (RATs), malicious programs that allow a remote 'operator' to control a compromised computer as if they had physical access to it. These tools are widely used in cybercrime attacks of all kinds and even in some state-sponsored attacks. The RATs used in this campaign include 'ShadowTech', 'Xtreme', 'NjRAT',' Bitcoment', 'Dark Comet' and 'Blackshades'. The malware is used to monitor the victims, to gather information and, in some cases, to try and shut down their operations.
The victims of these attacks are not only located in Syria. The attacks have also been seen in Turkey, Saudi Arabia, Lebanon, Palestine, United Arab Emirates, Israel, Morocco, France and the United States.
We were able to track the C2 servers of the attackers to IP addresses in Syria, Russia, Lebanon, the United States and Brazil. In total, we found 110 files, 20 domains and 47 IP addresses associated with the attacks.
The number of attacks has grown markedly over the last year. In addition, it's clear that the groups involved in the attacks are well organised. So far the attackers have made use of established malware tools rather than developing their own (although they use a variety of obfuscation methods to bypass simple signature-based detection). However, we think it's likely that the number and sophistication of malware used in the region is likely to increase.
You can find our full report on this malware here.Malware stories Shylock – a pound of your flesh
Earlier this year Kaspersky Lab contributed to an alliance of law enforcement and industry organizations, co-ordinated by the United Kingdom National Crime Agency (NCA), to disrupt the infrastructure behind the Shylock Trojan. This partnership shows how global cooperation on cybercrime can produce positive results.
The Shylock banking Trojan, so-called because its code contains excerpts from Shakespeare's The Merchant of Venice, was first discovered in 2011. Like other well-known banking Trojans such as Zeus, SpyEye and Carberp, Shylock is a man-in-the-browser attack designed to steal banking login credentials from the computers of bank customers. The Trojan uses a pre-configured list of target banks, located in different countries around the world.
The Trojan injects fake data entry fields into web pages when they load on the victim's browser. Victims are typically tricked into running the malware by clicking on malicious links. Shylock then seeks to access funds held in business or personal bank accounts, and transfers them to accounts under the control of the attackers.
The focus of the cybercriminals changed over time. When Shylock first appeared, it was aimed mainly at victims in the UK and, during the course of 2012, spread to other countries in Europe and to the United States. By the end of 2013, the cybercriminals were more focused on developing markets such as Brazil, Russia and Vietnam. You can find more information, including data on the spread of the malware, here.
All banking Trojans, Shylock included, target bank customers, hoping to take advantage of what is often the least protected element of any financial transaction – i.e. the human. That's why it's important that security starts at home – we all need to secure our computers effectively.Your money or your file(s)!
The number of ransomware programs has been growing in recent years – not all of them focused on computers running Windows. Some, including the ones targeting Android devices, tend to simply block access to the device and demand a ransom payment in order to unlock the device.
But many ransomware programs go further than this, encrypting data on the victim's computer. One recent example is ZeroLocker.
Unlike most ransomware programs, which encrypt a pre-defined list of file types, ZeroLocker encrypts nearly all the files on the victim's computer and adds the extension '.encrypt' to encrypted files. ZeroLocker doesn't encrypt files located in directories containing the words 'Windows', 'WINDOWS', 'Program Files', 'ZeroLocker' or 'Destroy' and doesn't encrypt files larger than 20MB in size.
ZeroLocker generates a 160-bit AES key to encrypt all files. The key space is somewhat limited because of the way the key is generated, but it's still large enough to make general brute –forcing unfeasible. After encrypting files, the malware runs the 'cipher.exe' utility to remove all unused data from the drive, making file recovery much more difficult. The encryption key, together with a CRC32 of the computer's MAC address, and the associated Bitcoin wallet, is sent to the server used by the cybercriminals. There's an indication that the C2 configuration contains some errors that might prevent successful decryption – another reason why paying the ransom is a bad idea.
The encryption key, along with other information, is sent by means of a GET request, rather than a POST. This results in a 404 error on the server. This could mean that the server isn't storing the information, suggesting that the victims will probably not get their files back, even if they pay the ransom.
Several other URLs that the malware tries to get also result in 404 errors. This suggests that the operation may still be in its infancy. If and when these errors are fixed, we may see ZeroLocker deployed on a larger scale.
The cybercriminals behind ZeroLocker demand an initial $300 worth of Bitcoins to decrypt the file. If the victim does not pay promptly the fee increases to $500 and $1,000 as time goes on.
There's a Bitcoin wallet hard-coded inside the binary, but the malware tries to fetch a new wallet address from the C2 server, probably to make it harder to trace how successful the operation is and where the money goes. None of the Bitcoin wallet addresses we looked at had any transactions associated with them. Since the C2 server provides Bitcoin wallet information, it's possible that the attackers are able to use a unique wallet for each victim.
Another ransomware program that we analysed recently is Onion. This malicious program uses the tried-and-tested method used by other recent ransomware programs – encrypting the victim's data and demanding a ransom payment in Bitcoin.
However, it also breaks new ground. First, Onion uses the anonymous Tor network to hide its C2 servers. This makes it harder to track down the cybercriminals behind the malware. Other malware has used Tor in the past, but this Trojan stands apart because it supports full interaction with Tor without any input from the victim. Other programs like this communicate with the Tor network by launching (sometimes by injecting code into other processes) the legitimate 'tor.exe' file. By contrast Onion implements this communication as part of the malware code itself.
Onion also uses an unorthodox cryptographic algorithm that makes file decryption impossible, even if traffic between the Trojan and the C2 server is intercepted. This Trojan not only uses asymmetric encryption, it also uses a cryptographic protocol known as ECDH (Elliptic Curve Diffie-Hellman). This makes decryption impossible without the master private key – which never leaves the cybercriminals' controlled server. Further details can be found in our report on the Onion Trojan.
These things combined make the Onion Trojan technically advance and very dangerous.
Ransomware operations rely on their victims paying up. Don't do it! Instead, make regular backups of your data. That way, if you ever fall victim to a ransomware program (or a hardware problem that stops you accessing your files) you will not lose any of your data.Why one of our security researchers hacked his own home
The Internet is becoming woven into the fabric of our lives – literally, in some cases, as connectivity is embedded into everyday objects. This trend, known as the 'Internet of Things', has attracted more and more attention as hackers and researchers probe the technologies integrated into cars, hotels, home alarm systems and refrigerators and more – looking for vulnerabilities.
Sometimes the Internet of things can seem remote. But it's often closer than we think. The modern home today is likely to have a handful of devices connected to the local network that aren't traditional computers, tablets or cellphones – devices such as a smart TV, a printer, a gaming console, a network storage device or some kind of media player/satellite receiver.
One of our security researchers, David Jacoby, investigated his own home, to determine whether it was really cyber-secure. He looked at several devices, including network-attached storage (NAS) devices, smart TV, router and satellite receiver, to see if they were vulnerable to attack. The results were striking. David found 14 vulnerabilities in the network-attached storage devices, one in the smart TV and several potentially hidden remote control functions in the router.
The most severe vulnerabilities were found in the network-attached storage devices. Several of them would allow an attacker to remotely execute system commands with the highest administrative privileges. The tested devices also had weak default passwords, stored passwords in plain text and included configuration files with the wrong permissions. The default administrator password for one of the devices contained just one digit! And another device even shared the entire configuration file, containing encrypted passwords, with everyone on the network!
David was also able to upload a file to an area of storage memory that's inaccessible to an ordinary user. If an attacker uploaded a malicious file to this area, the compromised device would become a source of infection for other devices connecting to this NAS – a home PC, for example – and could even serve as a DDoS (Distributed Denial of Service) bot in a botnet. On top of this, the only way to delete this file was by using the same vulnerability –even for a technical specialist this is no simple task.
When David looked at his smart TV, he discovered that communication between the TV and the TV vendor's servers isn't encrypted – potentially opening the way for a Man-in-the-Middle attack that could result in an unsuspecting consumer transferring money to fraudsters while trying to buy content via the TV. As a proof of concept exercise, David was able to replace one of the icons on the smart TV graphic interface with a picture. Normally the widgets and thumbnails are downloaded from the TV vendor's servers but since the connection isn't encrypted, this information could be modified by a third party. He also discovered that the smart TV is able to execute Java code that, in combination with the ability to intercept the exchange of traffic between the TV and Internet, could result in exploit-driven malicious attacks.
The DSL router, used to provide wireless Internet access for all other home devices, contained several dangerous features hidden from its owner. Some of these hidden functions could potentially give an attacker remote access to any device in a private network. What's more, sections of the router's web interface called 'Web Cameras', 'Telephony Expert Configure', 'Access Control', 'WAN-Sensing' and 'Update' are 'invisible' and cannot be adjusted by the owner of the device. They can only be accessed by exploiting a rather generic vulnerability that makes it possible to travel between sections of the interface (these are basically web pages, each with its own alphanumeric address) by brute-forcing the numbers at the end of the address. Originally these functions were implemented for the convenience of the owner of the device: the remote access function makes it fast and easy for an ISP (Internet Service Provider) to troubleshoot and resolve technical problems on the device. But this convenient feature could become a security risk if the controls fell into the wrong hands.
In line with our policy of responsible disclosure, Kaspersky Lab hasn't disclosed the names of vendors whose products were investigated as part of this research. All vendors were informed about the existence of the vulnerabilities and Kaspersky Lab specialists work closely with vendors to help them remediate any vulnerabilities discovered.
It's important that we all understand the potential risks associated with using network devices – this applies to individuals and businesses alike. We also need to understand that our information is not secure just because we use strong passwords or run software to protect against malicious code. There are many things over which we have no control, and to some degree we are in the hands of software and hardware vendors. For example, not all devices include automated update checks – sometimes consumers are required to download and install new firmware. This is not always an easy task. Worse still, it's not always possible to update a device (most devices investigated during this research had been discontinued more than a year before).
You can find some advice on how to reduce the risk of attack in this summary of David Jacoby's article.Web security and data breaches: ShellShock
In September, the information security world faced a red alert following the discovery of the 'Bash' vulnerability (also known as 'ShellShock'). Bash, a Unix shell written in 1989, is the default shell on Linux and Mac OS X. The flaw (CVE-2014-6271) allows an attacker to remotely attach a malicious file to a variable that is executed when the Bash command interpreter is invoked. The high impact of this vulnerability, coupled with the ease with which it can be exploited, make it very powerful. Some have compared it to the 'Heartbleed' vulnerability. However, Bash is much easier to exploit than Heartbleed and, whereas Heartbleed only allowed an attacker to steal data from the memory of a vulnerable computer, Shellshock could provide full system control.
It didn't take long for attackers to try and take advantage of the vulnerability – we discussed some early examples soon after it was discovered. In most cases attackers remotely attacked web servers hosting CGI (Common Gateway Interface) scripts that have been written in Bash or pass values to shell scripts. However, it is possible that the vulnerability could have an impact on a Windows-based infrastructure.
Nor is the problem confined only to web servers. Bash is widely used in the firmware of devices that now take for granted in our everyday lives. This includes routers, home appliances and wireless access points. Some of these devices can be difficult, or impossible to patch – as discussed above.
You can find guidance on how to update vulnerable systems here.Statistics
All statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to transfer it. Millions of Kaspersky Lab products users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.Q3 in figures
- According to KSN data, Kaspersky Lab products detected and neutralized a total of 1,325,106,041 threats in the third quarter of 2014.
- Kaspersky Lab solutions repelled 367,431,148 attacks launched from online resources located all over the world
- Kaspersky Lab's web antivirus detected 26,641,747 unique malicious objects: scripts, exploits, executable files, etc.
- 107,215,793 unique URLs were recognized as malicious by web antivirus components.
- 33% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in the US.
- Kaspersky Lab's antivirus solutions detected a total of 116,710,804 unique malicious and potentially unwanted objects.
- Kaspersky Lab mobile security products detected
- 461,757 installation packages;
- 74,489 new malicious mobile programs;
- 7,010 mobile banking Trojans.
In Q3 2014 Kaspersky Lab mobile security products detected 74,489 new malicious mobile programs, 14.4% more than in the second quarter.
At the same time, fewer installation packages were detected.
Number of installation packages and new malicious mobile programs detected in Q1-Q3 2014
In the first half of 2014, there were a little more than 11 malicious installation packages on the average associated with each malicious program but in Q3 there were 6.2 million.
Using multiple installation packages for one mobile malicious program is typical of SMS-Trojan distributors. For example, attackers have used up to 70,000 packets for one version of Stealer.a. The decrease in the number of malicious installation packages is probably related to the reduced proportion of this malware in the flow of new mobile malicious programs decreased (see below).Distribution of mobile threats by type
Distribution of mobile threats by type in Q2 and Q3 2014
The rating of malware objects for mobile devices for the third quarter of 2014 was headed by RiskTool. This claimed 26.5% of detections, a rise of 8.6 percentage points. These are legal applications that are potentially dangerous for the user – if they are used carelessly, or manipulated by a cybercriminal they could lead to financial losses.
Second came Adware, potentially unwanted advertising applications (19.4%); their contribution went down 7.9 pp.
SMS-Trojans were in 3rd place: their share declined by 7.2pp from the previous quarter.
In Q3, while Adware and SMS-Trojans were less widely seen, we observed a sharp rise in the percentage of banking Trojans: their share in the flow of mobile malware has risen from 2.2% to 9.2% which placed this category 4th in the rating.Top 20 malicious mobile programs Name % of attacks* 1 Trojan-SMS.AndroidOS.Stealer.a 15.63% 2 RiskTool.AndroidOS.SMSreg.gc 14.17% 3 AdWare.AndroidOS.Viser.a 10.76% 4 Trojan-SMS.AndroidOS.FakeInst.fb 7.35% 5 RiskTool.AndroidOS.CallPay.a 4.95% 6 Exploit.AndroidOS.Lotoor.be 3.97% 7 DangerousObject.Multi.Generic 3.94% 8 RiskTool.AndroidOS.MimobSMS.a 3.94% 9 Trojan-SMS.AndroidOS.Agent.ao 2.78% 10 AdWare.AndroidOS.Ganlet.a 2.51% 11 Trojan-SMS.AndroidOS.OpFake.a 2.50% 12 RiskTool.AndroidOS.SMSreg.de 2.36% 13 Trojan-SMS.AndroidOS.FakeInst.ff 2.14% 14 Trojan-SMS.AndroidOS.Podec.a 2.05% 15 Trojan-SMS.AndroidOS.Erop.a 1.53% 16 RiskTool.AndroidOS.NeoSMS.a 1.50% 17 Trojan.AndroidOS.Agent.p 1.47% 18 Trojan-SMS.AndroidOS.OpFake.bo 1.29% 19 RiskTool.AndroidOS.SMSreg.hg 1.19% 20 Trojan-Ransom.AndroidOS.Small.e 1.17%
*The percentage of all attacks recorded on the mobile devices of unique users.
The top 20 is no longer so heavily dominated by SMS Trojans: in Q2 2014 these malicious programs occupied 15 places in the rating while in Q3 there were only 8. Trojan-SMS.AndroidOS.Stealer.a topped the previous quarter's rating with 25.42% of all attacks but in Q3 it accounted for only 16.63% of attacks.
RiskTool representatives occupied 6 positions in the Top 20, with RiskTool.AndroidOS.SMSreg.gc (14.17%) in second place.
7th came DangerousObject.Multi.Generic (3.94%), demonstrating how new malicious applications are detected by Kaspersky Security Network cloud technologies that enable our product to quickly respond to new unknown threats.Mobile banking Trojans
In the third quarter, we detected 7010 mobile banking Trojans, 3.4 times more than last quarter.
Number of mobile banking Trojans detected, Q1-Q3 2014
The number of countries attacked by banking Trojans also increased: in Q2 mobile banking Trojan attacks were detected in 31 countries while in Q3 there were 70.
The geography of mobile banking threats, Q3 2014
(the number of attacked users)
The top 10 countries attacked by banking TrojansCountry % of all attacks* 1 Russia 83.85% 2 USA 7.09% 3 Ukraine 1.79% 4 Belarus 1.18% 5 Kazakhstan 0.92% 6 Republic of Korea 0.68% 7 Germany 0.62% 8 China 0.50% 9 UK 0.50% 10 Saudi Arabia 0.35%
* The percentage of users attacked per country
Italy dropped out of the Top 10 while Saudi Arabia appeared in 10th place.
Russia maintained its traditional lead here, although it was 7.85pp on before. At the same time the contribution of the other Top 10 members grew slightly: mobile cybercriminals are gradually extending their area of activity.The geography of mobile threats
In Q3 2014 mobile malicious attacks were detected at least once in 205 countries.
The geography of infection by mobile banking Trojans, Q3 2014
(the percentage of all attacked users)
The Top 10 of attacked countriesCountry % of attacks* 1 Russia 44.0% 2 India 7.6% 3 Germany 5.6% 4 Iran 3.4% 5 Vietnam 3.1% 6 Kazakhstan 3.1% 7 Ukraine 2.7% 8 Malaysia 1.9% 9 Brazil 1.7% 10 USA 1.7%
* The percentage of users attacked per country
Russia remained the most heavily targeted nation with 44% of all attacks. India (7.6%) returned to second place. For the first time in 2014 Iran (3.4%) and the USA (1.7%) entered the Top 10 while Poland, France, Spain and Mexico were the Q3 outsiders.Vulnerable applications used by fraudsters
The rating of vulnerable applications below is based on information about the exploits blocked by our products. These exploits were used by hackers in Internet attacks and when compromising local applications, including those installed on mobile devices.
The distribution of web-exploits used by fraudsters, by type of application attacked, Q3 2014
Of all registered attempts to use vulnerabilities, 47% involved vulnerabilities in browsers. Almost every exploit pack includes an exploit for Internet Explorer.
Java exploits are in second place. Java vulnerabilities are used in drive-by attacks via the Internet and new Java exploits are part of many exploit packs although no new Java vulnerabilities have been made public for almost a year. In Q3 of this year, 28% of attempts to use vulnerabilities targeted Java; in the first quarter the figure was 29%.
Next come Adobe Reader exploits (12%). These vulnerabilities are also exploited in drive-by attacks via the Internet and PDF exploits feature in many exploit packs.Online threats (Web-based attacks)
The statistics in this section were derived from web antivirus components that protect users when malicious code attempts to download from a malicious/infected website. Malicious websites are deliberately created by malicious users; infected sites include those with user-contributed content (such as forums) as well as legitimate resources that have been hacked.Online threats in the banking sector
During the reporting period, Kaspersky Lab solutions blocked 696,977 attacks that attempted to launch malware capable of stealing money from online banking accounts. This figure represents a 24.9% decrease compared to Q2 (927,568).
The number of computers attacked by financial malware, Q3 2014
The number of attacks gradually declined throughout the quarter: in June 244,490 attacks were blocked while in September this figure was 218,384 (-11%).
A total of 2,466,952 notifications of malicious activity by programs designed to steal money via online access to bank accounts were registered by Kaspersky Lab security solutions in Q3 2014.The geography of attacks
The geography of banking malware attacks in Q2 2014
(by number of attacked users in the country)
The Top 10 countries by the number of attacked users:Countries Number of users 1 Brazil 90176 2 Russia 57729 3 Germany 55225 4 Italy 32529 5 India 24975 6 USA 22340 7 Austria 22013 8 Vietnam 13495 9 UK 11095 10 China 9060
Brazil remained the country where users are most often attacked by banking malware, even if its share was down one third. Russia stayed in second place. Italy dropped to 4th position while Germany rose to 3rd place: the number of attacked users in this country grew by 1.5 times.The Top 10 banking malware families
The table below shows the programs most commonly used to attack online banking users in Q3 2014, based on the number of reported infection attempts:Verdict Number of notifications Number of users Trojan-Spy.Win32.Zbot 1381762 285559 Trojan-Banker.Win32.ChePro 322928 92415 Trojan-Banker.Win32.Shiotob 123150 24839 Trojan-Banker.Win32.Agent 49563 23943 Trojan-Banker.HTML.PayPal 117692 21138 Trojan-Spy.Win32.SpyEyes 73496 19113 Trojan-Banker.Win32.Lohmys 47188 16619 Trojan-Banker.Win32.Banker 39892 12673 Trojan-Banker.Win32.Banbra 20563 9646 Backdoor.Win32.Sinowal 18921 8189
Zeus (Trojan-Spy.Win32.Zbot) remained the most widespread banking Trojan although the number of attacks involving this malicious the program, as well as the number of attacked users, nearly halved compared with the previous quarter.
In Q3, 3rd place was occupied by Trojan-Banker.Win32.ShiotobThis malicious program is most often spread via spam messages and is designed to monitor traffic in order to intercept payment data. Nine out of 10 malware families represented in the table work by injecting random HTML code into the web page displayed by the browser and intercepting any payment data entered by the user in the original or inserted web forms.
Financial threats are not restricted to malware that attacks online banking services.
Distribution of attacks targeting user money by malware type, Q3 2014
Bitcoin wallet theft was the second most frequently used method of stealing e-money: its popularity grew from 8% in the previous quarter to 15% in Q3. Yet another threat related to crypto currency is Bitcoin mining software (11%) which uses computing resources to generate bitcoins.The Top 20 malicious objects detected online
In the third quarter of 2014, Kaspersky Lab's web antivirus detected 26,641,747 unique malicious objects: scripts, exploits, executable files, etc.
We identified the 20 most active malicious programs involved in online attacks launched against user computers. These 20 accounted for 96.2% of all attacks on the Internet.
The Top 20 malicious objects detected onlineName* % of all attacks** 1 Malicious URL 59.83% 2 AdWare.Script.Generic 14.46% 3 Trojan.Script.Generic 13.13% 4 Trojan.Script.Iframer 1.77% 5 AdWare.Win32.Agent.fflm 1.23% 6 Trojan-Downloader.Script.Generic 1.02% 7 AdWare.Win32.Agent.allm 1.02% 8 AdWare.JS.Agent.ao 0.78% 9 AdWare.JS.Agent.an 0.55% 10 AdWare.Win32.Agent.aiyc 0.32% 11 AdWare.Win32.OutBrowse.g 0.32% 12 Trojan.Win32.Generic 0.30% 13 AdWare.Win32.Amonetize.bcw 0.23% 14 AdWare.Win32.Amonetize.cmg 0.18% 15 AdWare.Win32.Yotoon.heur 0.18% 16 Trojan-Downloader.Win32.Generic 0.15% 17 AdWare.Win32.Amonetize.cmd 0.14% 18 Trojan-Dropper.Win32.Agent.lefs 0.12% 19 AdWare.Win32.Linkun.j 0.11% 20 AdWare.Win32.Amonetize.aik 0.09%
* These statistics represent detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local data.
** The percentage of all web attacks recorded on the computers of unique users.
As is often the case, the Top 20 is largely made up of objects used in drive-by attacks, as well as adware programs. 59.8% of all verdicts fell on links from these black lists.The Top 10 countries where online resources are seeded with malware
The following stats are based on the physical location of the online resources that were used in attacks and blocked by antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host might become a source of one or more web attacks.
In order to determine the geographical source of web-based attacks domain names are matched up against actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In Q3 2014, Kaspersky Lab solutions blocked 367,431,148 attacks launched from web resources located in various countries around the world. 87% of the online resources used to spread malicious programs are located in 10 countries. This is 1.3 percentage points less than in the previous quarter.
The distribution of online resources seeded with malicious programs in Q3 2014
The Top 10 rating of countries where online resources are seeded with malware saw major changes from the previous quarter: Canada (-7 pp) and Ireland (-0.7 pp) dropped out of the Top 10. China reentered the Top 10 with 1.87% and settled in 7th. Switzerland (1.03%) was Q3's other newcomer.
The most significant changes happened to the USA, which climbed to the top of the rating with a +11.2pp swing, and Germany (-9 pp), which dropped from 1st to 3rd place.Countries where users face the greatest risk of online infection
In order to assess in which countries users face cyber threats most often, we calculated how often Kaspersky users encountered detection verdicts on their machines in each country. The resulting data characterizes the risk of infection that computers are exposed to in different countries across the globe, providing an indicator of the aggressiveness of the environment in which computers work in different countries.Country* % of unique users ** 1 Russia 46.68% 2 Kazakhstan 45.92% 3 Azerbaijan 43.50% 4 Armenia 41.64% 5 Ukraine 40.70% 6 Iran 39.91% 7 Vietnam 38.55% 8 Belarus 38.08% 9 Moldova 36.64% 10 Algeria 36.05% 11 Tadjikistan 36.05% 12 Kyrgyzstan 33.59% 13 Mongolia 33.59% 14 Qatar 30.84% 15 Uzbekistan 29.22% 16 Georgia 29.17% 17 Turkey 28.91% 18 UAE 28.76% 19 Indonesia 28.59% 20 Germany 28.36%
These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
*We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
**Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.
In the third quarter of 2014 Croatia, Tunisia and Spain dropped out of the Top 20. The newcomers of the rating were UAE (28.76%), Indonesia (28.59%) and Germany (28.36%) which occupied the last three positions in the chart.
The countries with the safest online surfing environments were Singapore (10.5%), Sweden (12.4%), Denmark (13.2%), Japan (13.3%), South Africa (16.0%), Finland (16.1%), and the Netherlands (16.6%).
On average, 29.5% of computers connected to the Internet were subjected to at least one web attack during the past three months.Local threats
Local infection statistics for user computers are a very important indicator. This data points to threats that have penetrated a computer system through something other than the Internet, email, or network ports.
This section contains an analysis of the statistical data obtained based on antivirus scans of files on the hard drive at the moment they are created or accessed, and the results of scanning various removable data storages.
In Q3 2014, Kaspersky Lab's antivirus solutions detected 116,710,804 unique malicious and potentially unwanted objects.The Top 20 malicious objects detected on user computers Name* % of unique attacked users** 1 Trojan.Win32.Generic 18.95% 2 DangerousObject.Multi.Generic 18.39% 3 AdWare.MSIL.Kranet.heur 11.61% 4 AdWare.Win32.Agent.ahbx 5.77% 5 Trojan.Win32.AutoRun.gen 4.81% 6 AdWare.Win32.Kranet.heur 4.68% 7 AdWare.NSIS.Zaitu.heur 4.51% 8 Worm.VBS.Dinihou.r 4.51% 9 Virus.Win32.Sality.gen 4.08% 10 AdWare.Win32.Yotoon.abs 4.03% 11 AdWare.Win32.IBryte.dolh 3.14% 12 AdWare.Win32.Agent.aljt 3.12% 13 AdWare.Win32.Agent.allm 3.11% 14 AdWare.Win32.Yotoon.heur 3.10% 15 Adware.Win32.Amonetize.heur 2.86% 16 AdWare.Win32.Agent.heur 2.80% 17 WebToolbar.JS.Condonit.a 2.59% 18 Worm.Win32.Debris.a 2.56% 19 AdWare.Win32.Kranet.c 2.55% 20 Trojan.Script.Generic 2.51%
*These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products that have consented to submit their statistical data.
**The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a malicious program was detected.
This ranking usually includes verdicts given to adware programs: in Q3 they occupied thirteen places in the Top 20.
Worms distributed via removable media were 8th and 18th in the ranking.
Viruses were represented by only one verdict Virus.Win32.Sality.gen which came 9th in the Top 20.
Q3 2014 saw a considerable increase in the number of Kaspersky Lab's file antivirus detections of adware programs and components that actively participate in distributing these programs and evading antivirus detection.Countries where users face the highest risk of local infection Country* % of unique users** 1 Vietnam 61.89% 2 Bangladesh 55.01% 3 Mongolia 54.13% 4 Nepal 53.08% 5 Algeria 51.71% 6 Cambodia 51.26% 7 Afghanistan 50.59% 8 Laos 50.55% 9 Yemen 50.38% 10 Pakistan 50.35% 11 Egypt 49.65% 12 India 49.44% 13 Iraq 49.33% 14 Iran 48.85% 15 Ethiopia 47.87% 16 Myanmar 46.71% 17 Sri Lanka 46.67% 18 Syria 46.24% 19 Qatar 46.03% 20 Tunisia 45.36%
These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data includes detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
*When calculating, we excluded countries where there are fewer than 10,000 Kaspersky Lab users.
**The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.
The Top 20 in this category continues to be dominated by countries in Africa, the Middle East and South East Asia. Vietnam ranks first, as was the case in Q2 2014 (61.89%).
Mongolia (54.13%) moved down one step to third place, giving way to Bangladesh which ranked second with 55.01% of unique users in the country with computers that blocked local threats.
Qatar (46.03%) was Q3's newcomer. Myanmar (46.71%) and Sri Lanka (46.67%) reentered the Top 20 while Saudi Arabia, Turkey and Djibouti left the rating.
In the third quarter of 2014 local threats were detected on 44.4% of computers in Russia.
The safest countries in terms of local infection risks are: Japan (15%), Sweden (16.4%), Denmark (16.5%), Finland (18%), and Singapore (19.7%).
An average of 37.2% of computers faced at least one local threat during the quarter, which is 4.4 pp more than in Q2 2014.
The recent shutdown of SilkRoad 2.0 was just a small part of the events affecting the Tor network that unfolded last week.
Tor-related communities, such as privacy enthusiasts, but also cybercriminals (of course!), expressed worry after a global law enforcement operation targeted a number of illegal services based on Tor.
Operation Onymous, coordinated by Europol's European Cybercrime Centre (EC3), the FBI, the U.S. Immigration and Customs Enforcement's (ICE), Homeland Security Investigations (HSI) and Eurojust, resulted in 17 arrests of vendors and administrators running these online marketplaces and more than 410 hidden services being taken down.
The official announcement about Operation Onymous is available on the Europol website.
Here's an incomplete list of .onion services that were taken down during this operation: Alpaca, Black Market, Blue Sky, Bungee 54, CannabisUK, Cloud Nine, Dedope, Fake Real Plastic, FakeID, Farmer1, Fast Cash!, Flugsvamp, Golden Nugget, Hydra, Pablo Escobar Drugstore, Pandora, Pay Pal Center, Real Cards, Silk Road 2.0, Smokeables, Sol's Unified USD Counterfeit's, Super Note Counter, Tor Bazaar, Topix, The Green Machine, The Hidden Market and Zero Squad.
Examples of seized .onion sites
At the sametime , reports appeared about a number of Tor nodes being seized by authorities:
Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of Torservers.net disappeared and there is another report by an independent relay operator.
You can read more on The Tor Blog about their Thoughts and Concerns about Operation Onymous.The current state of the Dark Web
Of course, the takedown only affected some Onion sites - many are still alive. Right now there are 4 times more hidden websites online in the Tor network than those that were shutdown.
Cybercrime, just like any other illegal activity, is hard to eradicate completely. Whenever illegal services are taken down, the gap created will always be filled by other criminals willing to profit from the opportunity. The reality we have to accept is that there will always be demand for such services.
The following graph shows the amount of new .onion addresses appearing each day. After the takedown on November 7th, we noticed a higher than regular spike in the number of new hidden services being set-up.
We've also analyzed the lifetime of the Onion-sites which were taken down last week. On average, most of them were alive for at least 200 days, but usually not more than 300 days - which the following graph shows. Just some were online for less than 2 months.
The most intriguing question which is raised by the media is – what exceptional tools one needs to compromise a hidden service? In theory, when you visit a hidden service, there is no way of knowing (either for you or for anyone else) the physical location of the web server behind it. For the theory to remain solid, three conditions must be met:
- The hidden service must be properly configured
- The web server should be impenetrable - no vulnerabilities or configuration errors
- The web application should have no flaws
If any of the 3 conditions is not met, it's quite easy for a skilled person to essentially hack into that server and start to dig further.
Anyone familiar with Dark Net websites knows how poorly coded many of these websites can be. Just because a website's physical location is obscured by Tor hidden services, it doesn't mean this website's security is bullet-proof. Vulnerabilities such as SQL injection will always be present if the coding isn't done properly.
The first scenario to compromise a hidden service would be to successfully exploit such a bad coded application. It is then possible to compromise the real server where the hidden service is stored, get information about its physical location or, more preferable, install a backdoor that could collect information of what's going on the server for weeks.
There is absolutely no need to try to and look for vulnerabilities in Tor itself, it's much easier to find a misconfiguration of services or flaws in the web application. People who control illegal Dark Net sites usually rely on Tor capabilities for security, but this will never save them from bugs in 3rd party applications or their own mistakes.
Another possible scenario is to infect the administrator of an illegal site with spyware, get full access to his computer and from there get all the required information about his true identity.
This could be easier than it seems: for example, if a vulnerability is found in a hidden service, it is possible to rig it's admin page with an exploit and wait for when the drug shop administrator will access his site. Then he would be infected with malware as a result of this highly targeted waterhole attack.
Another way is to infiltrate the illegal service posing as a regular customer, by creating an account and even buying something in there, to create reputation. When the time comes to do some communication with the hidden service's support account (about the quality of the product, for instance), they can start using social engineering or even send a spearfishing message rigged with an exploit.
There are a lot of ways to compromise a hidden service, without attacking Tor's architecture itself. Of course, the possibility of having a serious security vulnerability in Tor itself should not be completely excluded either.
The Stuxnet cyber-sabotage operation remains one of the favorite discussion subjects of security researchers everywhere. Considered the first known cyber-weapon, Stuxnet targeted the Iranian nuclear program using a subtle and well designed mechanism.
For background, see our previous reports on the Stuxnet saga:
- The Day The Stuxnet Died
- Myrtus and Guava: Episode 1
- Myrtus and Guava: Episode 2
- Myrtus and Guava, Episode 3
- Myrtus and Guava, Episode 4
- Myrtus and Guava: Episode 5
- Myrtus and Guava, Episode MS10-061
- Myrtus and Guava: the epidemic, the trends, the numbers
- Back to Stuxnet: The Missing Link
One of the reasons to revisit the Stuxnet subject is the publication (November 11th, 2014) of the book "Countdown to Zero Day" by journalist Kim Zetter.
We are quite excited about the book which includes new and previously undisclosed information about Stuxnet. Some of the information is actually based on interviews conducted by Kim Zetter with members of Kaspersky Lab's Global Research and Analysis Team. To complement the book release, we've decided to also publish new technical information about some previously unknown aspects of the Stuxnet attack.
Even though Stuxnet was discovered more than four years ago, and has been studied in detail with the publication of many research papers. However, is still not known for certain what object was originally targeted by the worm. It is most likely that Stuxnet was intended to affect the motors that drive uranium enrichment centrifuges. But where were those centrifuges located – in the Natanz plant or, perhaps, in Fordow? Or some other place?
The story of the earliest known version of the worm – "Stuxnet 0.5" – is outside the scope of this post; we are going to focus on the best known variants created in 2009 and 2010. (The differences between them are discussed in our 2012 publication - Back to Stuxnet: the missing link).
In February 2011, Symantec published a new version of its W32.Stuxnet Dossier report. After analyzing more than 3,000 files of the worm, Symantec established that Stuxnet was distributed via five organizations, some of which were attacked twice – in 2009 and 2010.
Screenshot from the Symantec report
The Symantec experts were able extract this information due to a curious feature of the worm. When infecting a new computer, Stuxnet saves information about the infected system's name, Windows domain and IP address. This information is stored in the worm's internal log and is augmented with new data when the next victim is infected. As a result, information on the path travelled by the worm can be found inside Stuxnet samples and used to establish from which computer the infection began to spread.
Example of information found in a Stuxnet file
While Symantec did not disclose the names of the organizations in its report, this information is essential for a proper understanding of how the worm was distributed.
We collected Stuxnet files for two years. After analyzing more than 2,000 of these files, we were able to identify the organizations that were the first victims of the worm's different variants in 2009 and 2010. Perhaps an analysis of their activity can explain why they became "patients zero" (the original, or zero, victims)."Domain A"
The Stuxnet 2009 version (we will refer to it as Stuxnet.a) was created on June 22, 2009. This information is present in the worm's body – in the form of the main module's compilation date. Just a few hours after that, the worm infected its first computer. Such a short time interval between creating the file and infecting the first computer almost completely rules out infection via USB drive – the USB stick simply can't have passed from the worm's authors to the organization under attack in such a short time.
The infected machine had the name "KASPERSKY" and it was part of the "ISIE" domain.
When we first saw the computer's name, we were very much surprised. The name could mean that the initial infection affected some server named after our anti-malware solution installed on it. However, the name of the local domain, ISIE, provided us with a little bit of information that might help to determine the organization's real name.
Assuming that the victim was located in Iran, we conjectured that it could be the Iranian Society of Industrial Engineers (ISIE) or an organization affiliated with it, the Iranian institute of Industrial Engineering (IIIE). But could it have been some other ISIE located in some place other than Iran? Given that our anti-malware solution had been used on the infected computer, we considered the possibility that ISIE might even be a Russian company.
It took us a long time to establish what organization it really was, but ultimately we succeeded in identifying it with a high degree of certainty.
It is called Foolad Technic Engineering Co (FIECO). It is an Iranian company with headquarters in Isfahan. The company creates automated systems for Iranian industrial facilities (mostly those producing steel and power) and has over 300 employees.
Screenshot from the company's website
The company is directly involved with industrial control systems.
- Implementing bench scale and pilot scale projects, such as data
communication between PLC existing in a plant and a remote point
through internet, by defining home page on a CP (Communication Processor)
card connected to a S7 CPU.
- Implementing different network structures, such as, As interface, profibus
DP, Ethernet, MPI, profibus PA In electronic and light communication channels.
Clearly, the company has data, drawings and plans for many of Iran's largest industrial enterprises on its network. It should be kept in mind that, in addition to affecting motors, Stuxnet included espionage functionality and collected information on STEP 7 projects found on infected systems.
In 2010, that same organization was attacked again – this time using the third version of Stuxnet, created on April 14, 2010. On April 26, the same computer as in 2009 – "KASPERSKY.ISIE" – was infected again.
This persistence on the part of the Stuxnet creators may indicate that they regarded Foolad Technic Engineering Co. not only as one of the shortest paths to the worm's final target, but as an exceptionally interesting object for collecting data on Iran's industry."Domain B"
One more organization was attacked multiple times – once in 2009 and twice in 2010. Essentially, each of the three Stuxnet variants was used to infect this target. In this case, the attackers were even more persistent than in the case of Foolad Technical Engineering Co.
It should be noted that it was this victim that was the patient zero of the 2010 global epidemic. This organization's infection in the course of the second attack (in March 2010) led to the widest distribution of Stuxnet – first in Iran, then across the globe. Curiously, when that same organization was infected in June 2009 and in May 2010, the worm hardly spread at all. We share our thoughts on the reasons for that below.
Take the most widespread variant – Stuxnet 2010 (a.k.a. Stuxnet.b). It was compiled on March 1, 2010. The first infection took place three weeks later – on March 23.
In addition to the computer's name and the domain name, Stuxnet has recorded the machine's IP number. The fact that the address changed on March 29, may indicate, albeit indirectly, that it was a laptop which connected to the company's local network once in a while.
But what company is it? The domain name –"behpajooh" – immediately gives us the answer: Behpajooh Co. Elec & Comp. Engineering.
Like Foolad Technic, this company is located in Isfahan and it also develops industrial automation systems. Clearly, we are also dealing with SCADA/PLC experts here.
Screenshot from the company's website
While collecting information about Behpajooh Co, we discovered one more curious thing - a 2006 article published in a Dubai (UAE) newspaper called Khaleej Times.
According to the article, a Dubai firm was accused of smuggling bomb components into Iran. The Iranian recipient of the shipment was also named – it was a certain "Bejpajooh Inc" from Isfahan.
So why did Stuxnet spread most actively as a result of the March 2010 Behpajooh infection? We believe the answer lies in the second organization in the chain of infections that started from Behpajooh.
As the screenshot above shows, on April 24, 2010 Stuxnet spread from the corporate network of Behpajooh to another network, which had the domain name MSCCO. A search for all possible options led us to the conclusion that the most likely the victim is Mobarakeh Steel Company (MSC), Iran's largest steel maker and one of the largest industrial complexes operating in Iran, which is located not far from Isfahan, where the two victims mentioned above - Behpajooh and Foolad Technic - are based.
Stuxnet infecting the industrial complex, which is clearly connected to dozens of other enterprises in Iran and uses an enormous number of computers in its production facilities, caused a chain reaction, resulting in the worm spreading across thousands of systems in two or three months. For example, the analysis of logs shows that by July 2010 this branch of the infection reached computers in Russian and Belarusian companies."Domain С"
On July 7, 2009, Stuxnet 2009 hit yet another target. With it, it was designed to start the path to its ultimate intended mission. The victim computer was named "applserver" (application server?), located in the domain NEDA.
In this case, it was pretty easy to identify the victim organization. Beyond any doubt, it was the Neda Industrial Group, an organization that was put on the sanctions list by the U.S. Ministry of Justice, and charged with the illegal export of prohibited entities into Iran with potential military applications. This company's complete dossier is available on the Iran Watch site.
When tracking the chain of Stuxnet propagation, one of the group's branch organizations raises special interest: "Allegedly the controlling entity of Nedaye Micron Electronic Company in Tehran, Iran and Neda Overseas Electronics LLC in Dubai, UAE; provides services in industrial automation for power plants, the cement industry, and the oil, gas and petrochemical sector; established in the mid 1980s under the name NEDA Computer Products Incorporated as a fully private joint stock company".
Neda was attacked only once, in July 2009, and Stuxnet never left that organization, according to the infection logs available to us. However, to leave the organization may have not been its purpose in this case. As noted earlier, the capability of stealing information about STEP 7 projects from infected systems was of special interest to the creators of Stuxnet."Domain D"
The fourth victim in 2009 was infected on July 7, the same day when Neda was compromised. Interestingly, the infection started with the server, if we judge by the computer name – SRV1 in domain CGJ, just like it did in the Neda case.
So, what is CGJ? We spent quite some time combing through search engines and social networks, and we are practically confident that is Control-Gostar Jahed Company, another Iranian company operating in industrial automation.
Control Gostar Jahed (CGJ) (Private Joint Stock, Since 1383) Founded with the aim of localization of industrial automation technology, and employing the technical know-how and execution power of 30 full-time personnel in the Tehran office and more than 50 workshop personnel, has achieved a high capacity in providing engineering and technical services.
The companys major focus over the years has been on the following domains:
- Design, procurement, construction, programming and commissioning of control systems (DCS, PLC, ESD, F&G)
- Design, manufacture and installation of low voltage fixed and sliding panels (using the products of CUBIC Denmark)
- Upgrading hardware, software and optimization of industrial automation systems
- Consulting services and basic and detailed design of electrical and instrumentation systems
- Installation of electrical and control systems
Unlike Neda Group, Control-Gostar Jahed Company is not on the sanctions list. It was probably chosen as a target because of its impressive cooperation ties with the largest Iranian businesses in oil production, metallurgy and energy supplies.
This organization was attacked only once in 2009. That infection did not leave the target's corporate network and makes up the smallest part of all known Stuxnet propagation lines."Domain E"
The fifth and the last "Patient Zero" victim stands out when judged by the numbers of originally infected systems. Unlike in all above cases, the attack in this case started from three computers at once, on the same day (May 11, 2010), but at different times.
Information from three different Stuxnet files
KALASERVER, ANTIVIRUSPC, NAMADSERVER: judging by the names, there were at least two servers involved in this case too.
Such an pattern of infection makes us practically confident that email was not used as the primary infection vector. The chances are very small that the infection started from a user receiving an email containing an attachment with an exploit.
So what is Kala? There are two most verisimilar answers to this, and we do not know which is the correct one. Both are about companies affected by sanctions and directly related to Iran's nuclear program.
However, Kala Electric (a.k.a. Kalaye Electric Co.) looks like the most probable victim. This is in fact an ideal target for an attack, given Stuxnet's main objective (which is to render uranium enrichment centrifuges inoperable), available information on Iran's nuclear program, and the logic of the worm's propagation.
Of all other companies, Kala Electric is named as the main manufacturer of the Iranian uranium enrichment centrifuges, IR-1.
The company does not have a web-site, but there is quite some information available about its activities: that is one of the key structures within the entire Iranian nuclear program.
Also, quite detailed information is available on the ISIS (Institute for Science and International Security) site at www.isisnucleariran.org.
Based on Iran's revised declaration about this site, originally, Kalaye Electric was a private company that was bought by the Atomic Energy Organization of Iran (AEOI). The name "Kalaye Electric" means "electric goods," implying that Iran kept the original name to help disguise the true purpose of the facility.
Iran declared that Kalaye Electric became the primary IR-1 centrifuge development and testing site after such work was moved in 1995 from the Tehran Nuclear Research Center. The IAEA has reported that between 1997 and 2002, Iran assembled and tested IR-1 centrifuges at Kalaye
Since moving many centrifuge research and development activities to the Pilot Fuel Enrichment Plant (PFEP) at Natanz, Kalaye Electric has remained an important centrifuge research and development site.
Satellite images of Kala Electric operation facilities are also available; these are considered to be the site where the centrifuges were developed and tested.
Thus, it appears quite reasonable that this organization of all others was chosen as the first link in the infections chain intended to bring the worm to its ultimate target. It is in fact surprising that this organization was not among the targets of the 2009 attacks.Summary
Stuxnet remains one of the most interesting pieces of malware ever created. In the digital world, one might say it is the cyber equivalent of the atomic attacks on Nagasaki and Hiroshima from 1945.
For Stuxnet to be effective and penetrate the highly guarded installations where Iran was developing its nuclear program, the attackers had a tough dilemma to solve: how to sneak the malicious code into a place with no direct internet connections? The targeting of certain "high profile" companies was the solution and it was probably successful.
Unfortunately, due to certain errors or design flaws, Stuxnet started infecting other organizations and propagate over the internet. The attacks lost control of the worm, which infected hundreds of thousands of computers in addition to its designated targets.
Of course, one of the biggest remaining questions is - were there any other malware like Stuxnet, or was it one-of-a-kind experiment? The future will tell for sure.