Malware RSS Feed

IT threat evolution Q3 2014

Malware Alerts - Tue, 11/18/2014 - 05:10

 PDF version

Overview Targeted attacks and malware campaigns On the trail of the Yeti

In July we published our in-depth analysis into a targeted attack campaign that we dubbed 'Crouching Yeti'. This campaign is also known as 'Energetic Bear'.

This campaign, which has been active since late 2010, has so far targeted the following sectors:  industrial/machinery, manufacturing, pharmaceutical, construction, education and information technology.  So far there have been more than 2,800 victims worldwide, and we have been able to identify 101 different organisations – mostly in the United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China.

The list of victims suggests that the attackers behind Crouching Yeti are pursuing strategic targets.  Nevertheless, the attackers have also shown an interest in not-so-obvious institutions too.

The attackers behind Crouching Yeti use various types of malware (all designed to infect systems running Windows) to infiltrate their victims, extend their reach within the target organisations and steal confidential data, including intellectual property and other strategic information.  Infected computers connect to a large network of hacked web sites that host malware modules, hold information about victims and send commands to infected systems.

The attackers use three methods to infect their victims.  First, they use a legitimate software installer, re-packaged to include a malicious DLL file.  Such modified self-extracting archive files could be uploaded directly to a compromised server, or they could be sent directly to someone within the target organisation by e-mail.  Second, they use spear-phishing to deliver a malicious XDP (XML Data Package) file containing a Flash exploit (CVE-2011-0611).  Third, they use watering-hole attacks.  Hacked web sites use several exploits (CVE-2013-2465, CVE-2013-1347, and CVE-2012-1723) to redirect visitors to malicious JAR or HTML files hosted on other sites maintained by the attackers.  The term 'watering-hole' is applied to a web site that is likely to be visited by potential victims.  These web sites are compromised in advance by the attackers – the site is injected to install malware on the computers of anyone visiting the compromised site.

One malicious program used by the attackers, the Havex Trojan, includes special modules to collect data from specific industrial IT environments.  The first of these is the OPC scanner module. This module is designed to collect the extremely detailed data about the OPC servers running in the local network. OPC (Object Linking and Embedding (OLE) for Process Control) servers are typically used where multiple industrial automation systems are operating.  This module is accompanied by a network scanning tool.  This module scans the local network, looks for all computers listening on ports related to OPC/SCADA (Supervisory Control and Data Acquisition) software, and tries to connect to such hosts in order to identify which potential OPC/SCADA system is running. It then transmits all the data it finds to the Command-and-Control (C2) servers used by the attackers to manage the campaign.

While analysing the code, we looked for clues that might point to the identity of the attackers.

A timestamp analysis of 154 files revealed that most of the samples were compiled between 06:00 and 16:00 UTC.  This could match any country in Europe.  We also looked at the language used by the attackers.  The malware contains strings in English (written by non-native English speakers).  There were also some clues pointing indicating possible French and Swedish speaker.  But unlike several other researchers who looked at Crouching Yeti, we didn't find anything that would enable us to conclude with certainty that the attackers are of Russian origin.  There's a lack of Cyrillic content (or transliteration) across the 200 malicious binaries and related operational content – in contrast to what we found when looking at earlier targeted attack campaigns, including Red October, MiniDuke, CosmicDuke, the Snake and TeamSpy.

An Epic tale of cyber-espionage

For more than a year Kaspersky Lab has been researching a sophisticated cyber-espionage campaign that we call 'Epic Turla'.  This campaign, which dates back to 2012, targets government institutions, embassies, military, research and educational organizations and pharmaceutical companies.  Most of the victims are located in the Middle East and Europe, although we have seen victims elsewhere, including the United States.  Altogether, we have found several hundred victim's IP addresses in more than 45 countries.

When we published our initial research into this campaign, it was unclear how victims of the attack were becoming infected.  In in our latest research, published in August, we outlined the infection mechanisms used by Epic Turla and how they fit within the structure of the overall campaign.

The attackers use social engineering tricks to infect their victims –specifically spear-phishing and watering-hole attacks.

Some of the spear-phishing e-mails include zero-day exploits.  The first of these, affecting Adobe Acrobat Reader (CVE-2013-3346), allows the attackers to arbitrarily execute code on the victim's computer.  The second, a privilege escalation vulnerability in Windows XP and Windows Server 2003 (CVE-2013-5065), provides the Epic Turla backdoor with administrator rights on the victim's computer.  In addition, the attackers trick their victims into running malware installers with an SCR extension – sometimes packed using RAR.  When the unsuspecting victims open an infected file, a backdoor is installed on their computer, giving the attackers full control.

The cybercriminals behind Epic Turla also use watering-hole attacks that deploy a Java exploit (CVE-2012-1723), Adobe Flash exploits and Internet Explorer exploits.  There are others that use social engineering to trick victims into running fake 'Flash Player' malware installers.  Depending on the IP address of the victim, the attackers serve Java or browser exploits, signed fake Adobe Flash Player software or a fake version of Microsoft Security Essentials.  We have seen more than 100 injected web sites. Unsurprisingly, the choice of web sites reflects the specific interests of the attackers (as well as the interests of the victims). For example, many infected Spanish web sites belong to local governments.

Once the computer is infected, the Epic Turla backdoor (known also as 'WorldCupSec', 'TadjMakhal', 'Wipbot' and 'Tadvig') immediately connects to the C2 server to send a pack containing the victim's system information.   Based on the summary information sent to the C2 server, the attackers deliver pre-configured batch files containing a series of commands to be executed on the infected computer.   The attackers also upload custom lateral movement tools (including a specific keylogger and RAR archiver), as well as standard utilities such as a DNS query tool from Microsoft.

Our analysis revealed that the Epic Turla backdoor is just the first stage of a wider infection process.  It is used to deploy a more sophisticated backdoor known as the 'Cobra/Carbon system' (named 'Pfinet' by some anti-malware products).  After some time, the attackers went further, using the Epic Turla implant to update the Carbon configuration file with a different set of C2 servers.  The unique knowledge to operate these two backdoors indicates a clear and direct connection between them:  one is used to gain a foothold and validate the high-profile victim.  If the victim proves to be of interest to the attackers, the compromised computer is upgraded to the full Carbon system.

Here's an overview of the whole Epic Turla cyber-espionage campaign:

Attributing these attacks is always very difficult.  However, some aspects of the code tell us something about the attackers.  It's clear that they are not native English speakers.  They commonly misspell words and phrases, such as:

'Password it's wrong!'
'File is not exists'
'File is exists for edit'

There are also other indicators that hint at the origin of the attackers.  For example, some of the backdoors have been compiled on a system with the Russian language.  In addition, the internal name of one of the Epic Turla backdoors is 'Zagruzchik.dll', which means 'bootloader' or 'load program' in Russian.  Finally, the Epic Turla 'mother ship' control panel sets the code page to 1251, which is used for Cyrillic characters.

NetTraveler gets a birthday makeover

We have discussed this targeted attack campaign, which has now been active for 10 years, on several occasions.

Earlier this year we observed an increase in the number of attacks on Uyghur and Tibetan activists, using an updated version of the NetTraveler backdoor.  The attackers use spear-phishing e-mails to lure their victims:  e-mails include a Microsoft Word document that contains the CVE-2012-0158 exploit.  This drops the main module ('net.exe') onto the computer, which in turn installs a number of other files, including the main C2 module.  This module is registered as a service ('Windowsupdata') by means of a Windows batch file called 'dot.bat'.  The format of the malware configuration file has also been updated and it's clear that the attackers have taken steps to try and conceal the configuration (but the encryption they used is weak).

The focus of the attackers has changed over time.  For much of its existence, the main targets of NetTraveler were diplomatic, government and military organisations.  More recently, its cyber-espionage activities have focused more on organisations involved in space exploration, nano-technology, energy production, nuclear power, lasers, medicine and communications.

A focus on Uyghur and Tibetan activists remains a core part of the attackers' activities.

The Syrian malware house of cards

Technology is now an integral part of our lives, so it's hardly surprising to see a cyber-dimension to conflicts around the world.  This is especially true of the Middle East, where geo-political conflicts have intensified in recent years.  Kaspersky Lab's Global Research and Analysis Team  analysed the recent increase in malware activity in Syria.

The people behind these attacks use social engineering tricks to lure their victims into opening infected files.  They use e-mail, Skype messages, Facebook posts and YouTube videos.

They use a variety of 'hooks' – preying on their victims' trust in social networking forums, their curiosity about news related to the conflict in Syria, their fear of the government and their lack of technical awareness.

Examples include a disturbing video on YouTube showing injured victims of recent bombings that also invites people to download a malicious program from a public file-sharing web site.  We also found a set of compressed files on a popular social networking site which, when extracted, revealed a database containing a list of activists and wanted individuals in Syria.  The download link for this database application was included in the information section of a video published on 9 November 2013.  The attackers also make use of fake security solutions to trick their victims – including a fake anti-virus program called 'Ammazon Internet Security' and a Trojanised version of a legitimate network monitoring tool, Total Network Monitor.  They don't just spread fake security applications – we've also seen fake versions of the Whatsapp and Viber instant messaging apps.

The attackers use a number of well-known remote administration tools (RATs), malicious programs that allow a remote 'operator' to control a compromised computer as if they had physical access to it.  These tools are widely used in cybercrime attacks of all kinds and even in some state-sponsored attacks.  The RATs used in this campaign include 'ShadowTech', 'Xtreme', 'NjRAT',' Bitcoment', 'Dark Comet' and 'Blackshades'.  The malware is used to monitor the victims, to gather information and, in some cases, to try and shut down their operations.

The victims of these attacks are not only located in Syria.  The attacks have also been seen in Turkey, Saudi Arabia, Lebanon, Palestine, United Arab Emirates, Israel, Morocco, France and the United States.

We were able to track the C2 servers of the attackers to IP addresses in Syria, Russia, Lebanon, the United States and Brazil.  In total, we found 110 files, 20 domains and 47 IP addresses associated with the attacks.

The number of attacks has grown markedly over the last year.  In addition, it's clear that the groups involved in the attacks are well organised.  So far the attackers have made use of established malware tools rather than developing their own (although they use a variety of obfuscation methods to bypass simple signature-based detection).  However, we think it's likely that the number and sophistication of malware used in the region is likely to increase.

You can find our full report on this malware here.

Malware stories Shylock – a pound of your flesh

Earlier this year Kaspersky Lab contributed to an alliance of law enforcement and industry organizations, co-ordinated by the United Kingdom National Crime Agency (NCA), to disrupt the infrastructure behind the Shylock Trojan.  This partnership shows how global cooperation on cybercrime can produce positive results.

The Shylock banking Trojan, so-called because its code contains excerpts from Shakespeare's The Merchant of Venice, was first discovered in 2011.  Like other well-known banking Trojans such as Zeus, SpyEye and Carberp, Shylock is a man-in-the-browser attack designed to steal banking login credentials from the computers of bank customers.  The Trojan uses a pre-configured list of target banks, located in different countries around the world.

The Trojan injects fake data entry fields into web pages when they load on the victim's browser.  Victims are typically tricked into running the malware by clicking on malicious links.  Shylock then seeks to access funds held in business or personal bank accounts, and transfers them to accounts under the control of the attackers.

The focus of the cybercriminals changed over time.  When Shylock first appeared, it was aimed mainly at victims in the UK and, during the course of 2012, spread to other countries in Europe and to the United States.  By the end of 2013, the cybercriminals were more focused on developing markets such as Brazil, Russia and Vietnam.  You can find more information, including data on the spread of the malware, here.

All banking Trojans, Shylock included, target bank customers, hoping to take advantage of what is often the least protected element of any financial transaction – i.e. the human.  That's why it's important that security starts at home – we all need to secure our computers effectively.

Your money or your file(s)!

The number of ransomware programs has been growing in recent years – not all of them focused on computers running Windows.  Some, including the ones targeting Android devices, tend to simply block access to the device and demand a ransom payment in order to unlock the device.

But many ransomware programs go further than this, encrypting data on the victim's computer.  One recent example is ZeroLocker.

Unlike most ransomware programs, which encrypt a pre-defined list of file types, ZeroLocker encrypts nearly all the files on the victim's computer and adds the extension '.encrypt' to encrypted files.  ZeroLocker doesn't encrypt files located in directories containing the words 'Windows', 'WINDOWS', 'Program Files', 'ZeroLocker' or 'Destroy' and doesn't encrypt files larger than 20MB in size.

ZeroLocker generates a 160-bit AES key to encrypt all files.  The key space is somewhat limited because of the way the key is generated, but it's still large enough to make general brute –forcing unfeasible.  After encrypting files, the malware runs the 'cipher.exe' utility to remove all unused data from the drive, making file recovery much more difficult.  The encryption key, together with a CRC32 of the computer's MAC address, and the associated Bitcoin wallet, is sent to the server used by the cybercriminals.  There's an indication that the C2 configuration contains some errors that might prevent successful decryption – another reason why paying the ransom is a bad idea.

The encryption key, along with other information, is sent by means of a GET request, rather than a POST.  This results in a 404 error on the server.  This could mean that the server isn't storing the information, suggesting that the victims will probably not get their files back, even if they pay the ransom.

Several other URLs that the malware tries to get also result in 404 errors.  This suggests that the operation may still be in its infancy.  If and when these errors are fixed, we may see ZeroLocker deployed on a larger scale.

The cybercriminals behind ZeroLocker demand an initial $300 worth of Bitcoins to decrypt the file.  If the victim does not pay promptly the fee increases to $500 and $1,000 as time goes on.

There's a Bitcoin wallet hard-coded inside the binary, but the malware tries to fetch a new wallet address from the C2 server, probably to make it harder to trace how successful the operation is and where the money goes.  None of the Bitcoin wallet addresses we looked at had any transactions associated with them.  Since the C2 server provides Bitcoin wallet information, it's possible that the attackers are able to use a unique wallet for each victim.

Another ransomware program that we analysed recently is Onion.  This malicious program uses the tried-and-tested method used by other recent ransomware programs – encrypting the victim's data and demanding a ransom payment in Bitcoin.

However, it also breaks new ground.  First, Onion uses the anonymous Tor network to hide its C2 servers.  This makes it harder to track down the cybercriminals behind the malware.  Other malware has used Tor in the past, but this Trojan stands apart because it supports full interaction with Tor without any input from the victim.  Other programs like this communicate with the Tor network by launching (sometimes by injecting code into other processes) the legitimate 'tor.exe' file.  By contrast Onion implements this communication as part of the malware code itself.

Onion also uses an unorthodox cryptographic algorithm that makes file decryption impossible, even if traffic between the Trojan and the C2 server is intercepted.  This Trojan not only uses asymmetric encryption, it also uses a cryptographic protocol known as ECDH (Elliptic Curve Diffie-Hellman).  This makes decryption impossible without the master private key – which never leaves the cybercriminals' controlled server.  Further details can be found in our report on the Onion Trojan.

These things combined make the Onion Trojan technically advance and very dangerous.

Ransomware operations rely on their victims paying up.  Don't do it!  Instead, make regular backups of your data.  That way, if you ever fall victim to a ransomware program (or a hardware problem that stops you accessing your files) you will not lose any of your data.

Why one of our security researchers hacked his own home

The Internet is becoming woven into the fabric of our lives – literally, in some cases, as connectivity is embedded into everyday objects.  This trend, known as the 'Internet of Things', has attracted more and more attention as hackers and researchers probe the technologies integrated into cars, hotels, home alarm systems and refrigerators and more – looking for vulnerabilities.

Sometimes the Internet of things can seem remote. But it's often closer than we think.  The modern home today is likely to have a handful of devices connected to the local network that aren't traditional computers, tablets or cellphones – devices such as a smart TV, a printer, a gaming console, a network storage device or some kind of media player/satellite receiver.

One of our security researchers, David Jacoby, investigated his own home, to determine whether it was really cyber-secure.  He looked at several devices, including network-attached storage (NAS) devices, smart TV, router and satellite receiver, to see if they were vulnerable to attack.  The results were striking.  David found 14 vulnerabilities in the network-attached storage devices, one in the smart TV and several potentially hidden remote control functions in the router.

The most severe vulnerabilities were found in the network-attached storage devices.  Several of them would allow an attacker to remotely execute system commands with the highest administrative privileges.  The tested devices also had weak default passwords, stored passwords in plain text and included configuration files with the wrong permissions.  The default administrator password for one of the devices contained just one digit!  And another device even shared the entire configuration file, containing encrypted passwords, with everyone on the network!

David was also able to upload a file to an area of storage memory that's inaccessible to an ordinary user.  If an attacker uploaded a malicious file to this area, the compromised device would become a source of infection for other devices connecting to this NAS – a home PC, for example – and could even serve as a DDoS (Distributed Denial of Service) bot in a botnet. On top of this, the only way to delete this file was by using the same vulnerability –even for a technical specialist this is no simple task.

When David looked at his smart TV, he discovered that communication between the TV and the TV vendor's servers isn't encrypted – potentially opening the way for a Man-in-the-Middle attack that could result in an unsuspecting consumer transferring money to fraudsters while trying to buy content via the TV.  As a proof of concept exercise, David was able to replace one of the icons on the smart TV graphic interface with a picture.  Normally the widgets and thumbnails are downloaded from the TV vendor's servers but since the connection isn't encrypted, this information could be modified by a third party.  He also discovered that the smart TV is able to execute Java code that, in combination with the ability to intercept the exchange of traffic between the TV and Internet, could result in exploit-driven malicious attacks.

The DSL router, used to provide wireless Internet access for all other home devices, contained several dangerous features hidden from its owner.  Some of these hidden functions could potentially give an attacker remote access to any device in a private network.  What's more, sections of the router's web interface called 'Web Cameras', 'Telephony Expert Configure', 'Access Control', 'WAN-Sensing' and 'Update' are 'invisible' and cannot be adjusted by the owner of the device.  They can only be accessed by exploiting a rather generic vulnerability that makes it possible to travel between sections of the interface (these are basically web pages, each with its own alphanumeric address) by brute-forcing the numbers at the end of the address.  Originally these functions were implemented for the convenience of the owner of the device:  the remote access function makes it fast and easy for an ISP (Internet Service Provider) to troubleshoot and resolve technical problems on the device.  But this convenient feature could become a security risk if the controls fell into the wrong hands.

In line with our policy of responsible disclosure, Kaspersky Lab hasn't disclosed the names of vendors whose products were investigated as part of this research.  All vendors were informed about the existence of the vulnerabilities and Kaspersky Lab specialists work closely with vendors to help them remediate any vulnerabilities discovered.

It's important that we all understand the potential risks associated with using network devices – this applies to individuals and businesses alike.  We also need to understand that our information is not secure just because we use strong passwords or run software to protect against malicious code.  There are many things over which we have no control, and to some degree we are in the hands of software and hardware vendors.   For example, not all devices include automated update checks – sometimes consumers are required to download and install new firmware.  This is not always an easy task.  Worse still, it's not always possible to update a device (most devices investigated during this research had been discontinued more than a year before).

You can find some advice on how to reduce the risk of attack in this summary of David Jacoby's article.

Web security and data breaches: ShellShock

In September, the information security world faced a red alert following the discovery of the 'Bash' vulnerability (also known as 'ShellShock').  Bash, a Unix shell written in 1989, is the default shell on Linux and Mac OS X.  The flaw (CVE-2014-6271) allows an attacker to remotely attach a malicious file to a variable that is executed when the Bash command interpreter is invoked.  The high impact of this vulnerability, coupled with the ease with which it can be exploited, make it very powerful.  Some have compared it to the 'Heartbleed' vulnerability.  However, Bash is much easier to exploit than Heartbleed and, whereas Heartbleed only allowed an attacker to steal data from the memory of a vulnerable computer, Shellshock could provide full system control.

It didn't take long for attackers to try and take advantage of the vulnerability – we discussed some early examples soon after it was discovered.  In most cases attackers remotely attacked web servers hosting CGI (Common Gateway Interface) scripts that have been written in Bash or pass values to shell scripts.  However, it is possible that the vulnerability could have an impact on a Windows-based infrastructure.

Nor is the problem confined only to web servers. Bash is widely used in the firmware of devices that now take for granted in our everyday lives.  This includes routers, home appliances and wireless access points.  Some of these devices can be difficult, or impossible to patch – as discussed above.

You can find guidance on how to update vulnerable systems here.


All statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to transfer it. Millions of Kaspersky Lab products users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Q3 in figures
  • According to KSN data, Kaspersky Lab products detected and neutralized a total of 1,325,106,041 threats in the third quarter of 2014.
  • Kaspersky Lab solutions repelled 367,431,148  attacks launched from online resources located all over the world
  • Kaspersky Lab's web antivirus detected 26,641,747 unique malicious objects: scripts, exploits, executable files, etc.
  • 107,215,793 unique URLs were recognized as malicious by web antivirus components.
  • 33% of web attacks neutralized by Kaspersky Lab products were carried out using malicious web resources located in the US.
  • Kaspersky Lab's antivirus solutions detected a total of 116,710,804 unique malicious and potentially unwanted objects.
  • Kaspersky Lab mobile security products detected
    • 461,757 installation packages;
    • 74,489 new malicious mobile programs;
    • 7,010 mobile banking Trojans.
Mobile threats

In Q3 2014 Kaspersky Lab mobile security products detected 74,489 new malicious mobile programs, 14.4% more than in the second quarter.

At the same time, fewer installation packages were detected.

Number of installation packages and new malicious mobile programs detected in Q1-Q3 2014

In the first half of 2014, there were a little more than 11 malicious installation packages on the average associated with each malicious program but in Q3 there were 6.2 million.

Using multiple installation packages for one mobile malicious program is typical of SMS-Trojan distributors. For example, attackers have used up to 70,000 packets for one version of Stealer.a. The decrease in the number of malicious installation packages is probably related to the reduced proportion of this malware in the flow of new mobile malicious programs decreased (see below).

Distribution of mobile threats by type

Distribution of mobile threats by type in Q2 and Q3 2014

The rating of malware objects for mobile devices for the third quarter of 2014 was headed by RiskTool. This claimed 26.5% of detections, a rise of 8.6 percentage points. These are legal applications that are potentially dangerous for the user – if they are used carelessly, or manipulated by a cybercriminal they could lead to financial losses.

Second came Adware, potentially unwanted advertising applications (19.4%); their contribution went down 7.9 pp.

SMS-Trojans were in 3rd place: their share declined by 7.2pp from the previous quarter.

In Q3, while Adware and SMS-Trojans were less widely seen, we observed a sharp rise in the percentage of banking Trojans: their share in the flow of mobile malware has risen from 2.2% to 9.2% which placed this category 4th in the rating.

Top 20 malicious mobile programs   Name % of attacks* 1 Trojan-SMS.AndroidOS.Stealer.a 15.63% 2 RiskTool.AndroidOS.SMSreg.gc 14.17% 3 AdWare.AndroidOS.Viser.a 10.76% 4 Trojan-SMS.AndroidOS.FakeInst.fb 7.35% 5 RiskTool.AndroidOS.CallPay.a 4.95% 6 3.97% 7 DangerousObject.Multi.Generic 3.94% 8 RiskTool.AndroidOS.MimobSMS.a 3.94% 9 2.78% 10 AdWare.AndroidOS.Ganlet.a 2.51% 11 Trojan-SMS.AndroidOS.OpFake.a 2.50% 12 2.36% 13 Trojan-SMS.AndroidOS.FakeInst.ff 2.14% 14 Trojan-SMS.AndroidOS.Podec.a 2.05% 15 Trojan-SMS.AndroidOS.Erop.a 1.53% 16 RiskTool.AndroidOS.NeoSMS.a 1.50% 17 Trojan.AndroidOS.Agent.p 1.47% 18 1.29% 19 RiskTool.AndroidOS.SMSreg.hg 1.19% 20 Trojan-Ransom.AndroidOS.Small.e 1.17%

*The percentage of all attacks recorded on the mobile devices of unique users.

The top 20 is no longer so heavily dominated by SMS Trojans: in Q2 2014 these malicious programs occupied 15 places in the rating while in Q3 there were only 8. Trojan-SMS.AndroidOS.Stealer.a  topped the previous quarter's rating with 25.42% of all attacks but in Q3 it accounted for only 16.63% of attacks.

RiskTool representatives occupied 6 positions in the Top 20, with RiskTool.AndroidOS.SMSreg.gc (14.17%) in second place.

7th came  DangerousObject.Multi.Generic (3.94%), demonstrating how new malicious applications are detected by Kaspersky Security Network cloud technologies that enable our product to quickly respond to new unknown threats.

Mobile banking Trojans

In the third quarter, we detected 7010 mobile banking Trojans, 3.4 times more than last quarter.

Number of mobile banking Trojans detected, Q1-Q3 2014

The number of countries attacked by banking Trojans also increased: in Q2 mobile banking Trojan attacks were detected in 31 countries while in Q3 there were 70.

The geography of mobile banking threats, Q3 2014
(the number of attacked users)

The top 10 countries attacked by banking Trojans

  Country % of all attacks* 1 Russia 83.85% 2 USA 7.09% 3 Ukraine 1.79% 4 Belarus 1.18% 5 Kazakhstan 0.92% 6 Republic of Korea 0.68% 7 Germany 0.62% 8 China 0.50% 9 UK 0.50% 10 Saudi Arabia 0.35%

* The percentage of users attacked per country

Italy dropped out of the Top 10 while Saudi Arabia appeared in 10th place.

Russia maintained its traditional lead here, although it was 7.85pp on before. At the same time the contribution of the other Top 10 members grew slightly: mobile cybercriminals are gradually extending their area of activity.

The geography of mobile threats

In Q3 2014 mobile malicious attacks were detected at least once in 205 countries.

The geography of infection by mobile banking Trojans, Q3 2014
(the percentage of all attacked users)

The Top 10 of attacked countries

  Country % of attacks* 1 Russia 44.0% 2 India 7.6% 3 Germany 5.6% 4 Iran 3.4% 5 Vietnam 3.1% 6 Kazakhstan 3.1% 7 Ukraine 2.7% 8 Malaysia 1.9% 9 Brazil 1.7% 10 USA 1.7%

* The percentage of users attacked per country

Russia remained the most heavily targeted nation with 44% of all attacks. India (7.6%) returned to second place. For the first time in 2014 Iran (3.4%) and the USA (1.7%) entered the Top 10 while Poland, France, Spain and Mexico were the Q3 outsiders.

Vulnerable applications used by fraudsters

The rating of vulnerable applications below is based on information about the exploits blocked by our products. These exploits were used by hackers in Internet attacks and when compromising local applications, including those installed on mobile devices.

The distribution of web-exploits used by fraudsters, by type of application attacked, Q3 2014

Of all registered attempts to use vulnerabilities, 47% involved vulnerabilities in browsers. Almost every exploit pack includes an exploit for Internet Explorer.

Java exploits are in second place. Java vulnerabilities are used in drive-by attacks via the Internet and new Java exploits are part of many exploit packs although no new Java vulnerabilities have been made public for almost a year. In Q3 of this year, 28% of attempts to use vulnerabilities targeted Java; in the first quarter the figure was 29%.

Next come Adobe Reader exploits (12%). These vulnerabilities are also exploited in drive-by attacks via the Internet and PDF exploits feature in many exploit packs.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users when malicious code attempts to download from a malicious/infected website. Malicious websites are deliberately created by malicious users; infected sites include those with user-contributed content (such as forums) as well as legitimate resources that have been hacked.

Online threats in the banking sector

During the reporting period, Kaspersky Lab solutions blocked 696,977 attacks that attempted to launch malware capable of stealing money from online banking accounts. This figure represents a 24.9% decrease compared to Q2 (927,568).

The number of computers attacked by financial malware, Q3 2014

The number of attacks gradually declined throughout the quarter: in June 244,490 attacks were blocked while in September this figure was 218,384 (-11%).

A total of 2,466,952 notifications of malicious activity by programs designed to steal money via online access to bank accounts were registered by Kaspersky Lab security solutions in Q3 2014.

The geography of attacks

The geography of banking malware attacks in Q2 2014
(by number of attacked users in the country)

The Top 10 countries by the number of attacked users:

  Countries Number of users 1 Brazil 90176 2 Russia 57729 3 Germany 55225 4 Italy 32529 5 India 24975 6 USA 22340 7 Austria 22013 8 Vietnam 13495 9 UK 11095 10 China 9060

Brazil remained the country where users are most often attacked by banking malware, even if its share was down one third. Russia stayed in second place. Italy dropped to 4th position while Germany rose to 3rd place: the number of attacked users in this country grew by 1.5 times.

The Top 10 banking malware families

The table below shows the programs most commonly used to attack online banking users in Q3 2014, based on the number of reported infection attempts:

Verdict Number of notifications Number of users Trojan-Spy.Win32.Zbot 1381762 285559 Trojan-Banker.Win32.ChePro 322928 92415 Trojan-Banker.Win32.Shiotob 123150 24839 Trojan-Banker.Win32.Agent 49563 23943 Trojan-Banker.HTML.PayPal 117692 21138 Trojan-Spy.Win32.SpyEyes 73496 19113 Trojan-Banker.Win32.Lohmys 47188 16619 Trojan-Banker.Win32.Banker 39892 12673 Trojan-Banker.Win32.Banbra 20563 9646 Backdoor.Win32.Sinowal 18921 8189

Zeus (Trojan-Spy.Win32.Zbot) remained the most widespread banking Trojan although the number of attacks involving this malicious the program, as well as the number of attacked users, nearly halved compared with the previous quarter.

In Q3, 3rd place was occupied by Trojan-Banker.Win32.ShiotobThis malicious program is most often spread via spam messages and is designed to monitor traffic in order to intercept payment data. Nine out of 10 malware families represented in the table work by injecting random HTML code into the web page displayed by the browser and intercepting any payment data entered by the user in the original or inserted web forms.

Financial threats are not restricted to malware that attacks online banking services.

Distribution of attacks targeting user money by malware type, Q3 2014

Bitcoin wallet theft was the second most frequently used method of stealing e-money: its popularity grew from 8% in the previous quarter to 15% in Q3. Yet another threat related to crypto currency is Bitcoin mining software (11%) which uses computing resources to generate bitcoins.

The Top 20 malicious objects detected online

In the third quarter of 2014, Kaspersky Lab's web antivirus detected 26,641,747 unique malicious objects: scripts, exploits, executable files, etc.

We identified the 20 most active malicious programs involved in online attacks launched against user computers. These 20 accounted for 96.2% of all attacks on the Internet.

The Top 20 malicious objects detected online

  Name* % of all attacks** 1 Malicious URL 59.83% 2 AdWare.Script.Generic 14.46% 3 Trojan.Script.Generic 13.13% 4 Trojan.Script.Iframer 1.77% 5 AdWare.Win32.Agent.fflm 1.23% 6 Trojan-Downloader.Script.Generic 1.02% 7 AdWare.Win32.Agent.allm 1.02% 8 0.78% 9 0.55% 10 AdWare.Win32.Agent.aiyc 0.32% 11 AdWare.Win32.OutBrowse.g 0.32% 12 Trojan.Win32.Generic 0.30% 13 AdWare.Win32.Amonetize.bcw 0.23% 14 AdWare.Win32.Amonetize.cmg 0.18% 15 AdWare.Win32.Yotoon.heur 0.18% 16 Trojan-Downloader.Win32.Generic 0.15% 17 AdWare.Win32.Amonetize.cmd 0.14% 18 Trojan-Dropper.Win32.Agent.lefs 0.12% 19 AdWare.Win32.Linkun.j 0.11% 20 AdWare.Win32.Amonetize.aik 0.09%

* These statistics represent detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local data.
** The percentage of all web attacks recorded on the computers of unique users.

As is often the case, the Top 20 is largely made up of objects used in drive-by attacks, as well as adware programs. 59.8% of all verdicts fell on links from these black lists.

The Top 10 countries where online resources are seeded with malware

The following stats are based on the physical location of the online resources that were used in attacks and blocked by antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host might become a source of one or more web attacks.

In order to determine the geographical source of web-based attacks domain names are matched up against actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q3 2014, Kaspersky Lab solutions blocked 367,431,148 attacks launched from web resources located in various countries around the world. 87% of the online resources used to spread malicious programs are located in 10 countries. This is 1.3 percentage points less than in the previous quarter.

The distribution of online resources seeded with malicious programs in Q3 2014

The Top 10 rating of countries where online resources are seeded with malware saw major changes from the previous quarter: Canada (-7 pp) and Ireland  (-0.7 pp) dropped out of the Top 10. China reentered the Top 10 with 1.87% and settled in 7th. Switzerland (1.03%) was Q3's other newcomer.

The most significant changes happened to the USA, which climbed to the top of the rating with a +11.2pp swing, and Germany (-9 pp), which dropped from 1st to 3rd place.

Countries where users face the greatest risk of online infection

In order to assess in which countries users face cyber threats most often, we calculated how often Kaspersky users encountered detection verdicts on their machines in each country. The resulting data characterizes the risk of infection that computers are exposed to in different countries across the globe, providing an indicator of the aggressiveness of the environment in which computers work in different countries.

  Country* % of unique users ** 1 Russia 46.68% 2 Kazakhstan 45.92% 3 Azerbaijan 43.50% 4 Armenia 41.64% 5 Ukraine 40.70% 6 Iran 39.91% 7 Vietnam 38.55% 8 Belarus 38.08% 9 Moldova 36.64% 10 Algeria 36.05% 11 Tadjikistan 36.05% 12 Kyrgyzstan 33.59% 13 Mongolia 33.59% 14 Qatar 30.84% 15 Uzbekistan 29.22% 16 Georgia 29.17% 17 Turkey 28.91% 18 UAE 28.76% 19 Indonesia 28.59% 20 Germany 28.36%

These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

*We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
**Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the third quarter of 2014 Croatia, Tunisia and Spain dropped out of the Top 20. The newcomers of the rating were UAE (28.76%), Indonesia (28.59%) and Germany (28.36%) which occupied the last three positions in the chart.

The countries with the safest online surfing environments were Singapore (10.5%), Sweden (12.4%), Denmark (13.2%), Japan (13.3%), South Africa (16.0%), Finland (16.1%), and the Netherlands (16.6%).

On average, 29.5% of computers connected to the Internet were subjected to at least one web attack during the past three months.

Local threats

Local infection statistics for user computers are a very important indicator. This data points to threats that have penetrated a computer system through something other than the Internet, email, or network ports.

This section contains an analysis of the statistical data obtained based on antivirus scans of files on the hard drive at the moment they are created or accessed, and the results of scanning various removable data storages.

In Q3 2014, Kaspersky Lab's antivirus solutions detected 116,710,804 unique malicious and potentially unwanted objects.

The Top 20 malicious objects detected on user computers   Name* % of unique attacked users** 1 Trojan.Win32.Generic 18.95% 2 DangerousObject.Multi.Generic 18.39% 3 AdWare.MSIL.Kranet.heur 11.61% 4 AdWare.Win32.Agent.ahbx 5.77% 5 Trojan.Win32.AutoRun.gen 4.81% 6 AdWare.Win32.Kranet.heur 4.68% 7 AdWare.NSIS.Zaitu.heur 4.51% 8 Worm.VBS.Dinihou.r 4.51% 9 Virus.Win32.Sality.gen 4.08% 10 AdWare.Win32.Yotoon.abs 4.03% 11 AdWare.Win32.IBryte.dolh 3.14% 12 AdWare.Win32.Agent.aljt 3.12% 13 AdWare.Win32.Agent.allm 3.11% 14 AdWare.Win32.Yotoon.heur 3.10% 15 Adware.Win32.Amonetize.heur 2.86% 16 AdWare.Win32.Agent.heur 2.80% 17 WebToolbar.JS.Condonit.a 2.59% 18 Worm.Win32.Debris.a 2.56% 19 AdWare.Win32.Kranet.c 2.55% 20 Trojan.Script.Generic 2.51%

*These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products that have consented to submit their statistical data.
**The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a malicious program was detected.

This ranking usually includes verdicts given to adware programs: in Q3 they occupied thirteen places in the Top 20.

Worms distributed via removable media were 8th and 18th in the ranking.

Viruses were represented by only one verdict Virus.Win32.Sality.gen which came 9th in the Top 20.

Q3 2014 saw a considerable increase in the number of Kaspersky Lab's file antivirus detections of adware programs and components that actively participate in distributing these programs and evading antivirus detection.

Countries where users face the highest risk of local infection   Country* % of unique users** 1 Vietnam 61.89% 2 Bangladesh 55.01% 3 Mongolia 54.13% 4 Nepal 53.08% 5 Algeria 51.71% 6 Cambodia 51.26% 7 Afghanistan 50.59% 8 Laos 50.55% 9 Yemen 50.38% 10 Pakistan 50.35% 11 Egypt 49.65% 12 India 49.44% 13 Iraq 49.33% 14 Iran 48.85% 15 Ethiopia 47.87% 16 Myanmar 46.71% 17 Sri Lanka 46.67% 18 Syria 46.24% 19 Qatar 46.03% 20 Tunisia 45.36%

These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data includes detections of malicious programs located on users' computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

*When calculating, we excluded countries where there are fewer than 10,000 Kaspersky Lab users.
**The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

The Top 20 in this category continues to be dominated by countries in Africa, the Middle East and South East Asia. Vietnam ranks first, as was the case in Q2 2014 (61.89%).

Mongolia (54.13%) moved down one step to third place, giving way to Bangladesh which ranked second with 55.01% of unique users in the country with computers that blocked local threats.

Qatar (46.03%) was Q3's newcomer. Myanmar (46.71%) and Sri Lanka (46.67%) reentered the Top 20 while Saudi Arabia, Turkey and Djibouti left the rating.

In the third quarter of 2014 local threats were detected on 44.4% of computers in Russia.

The safest countries in terms of local infection risks are: Japan (15%), Sweden (16.4%), Denmark (16.5%), Finland (18%), and Singapore (19.7%).

An average of 37.2% of computers faced at least one local threat during the quarter, which is 4.4 pp more than in Q2 2014.

Law Enforcement Agencies in Tor: Impact Over the Dark Web

Malware Alerts - Thu, 11/13/2014 - 05:00

The recent shutdown of SilkRoad 2.0 was just a small part of the events affecting the Tor network that unfolded last week.

Tor-related communities, such as privacy enthusiasts, but also cybercriminals (of course!), expressed worry after a global law enforcement operation targeted a number of illegal services based on Tor.

Operation Onymous, coordinated by Europol's European Cybercrime Centre (EC3), the FBI, the U.S. Immigration and Customs Enforcement's (ICE), Homeland Security Investigations (HSI) and Eurojust, resulted in 17 arrests of vendors and administrators running these online marketplaces and more than 410 hidden services being taken down.

The official announcement about Operation Onymous is available on the Europol website.

Here's an incomplete list of .onion services that were taken down during this operation: Alpaca, Black Market, Blue Sky, Bungee 54, CannabisUK, Cloud Nine, Dedope, Fake Real Plastic, FakeID, Farmer1, Fast Cash!, Flugsvamp, Golden Nugget, Hydra, Pablo Escobar Drugstore, Pandora, Pay Pal Center, Real Cards, Silk Road 2.0, Smokeables, Sol's Unified USD Counterfeit's, Super Note Counter, Tor Bazaar, Topix, The Green Machine, The Hidden Market and Zero Squad.

Examples of seized .onion sites

At the sametime , reports appeared about a number of Tor nodes being seized by authorities:

Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of disappeared and there is another report by an independent relay operator.

You can read more on The Tor Blog about their Thoughts and Concerns about Operation Onymous.

The current state of the Dark Web

Of course, the takedown only affected some Onion sites - many are still alive. Right now there are 4 times more hidden websites online in the Tor network than those that were shutdown.

Cybercrime, just like any other illegal activity, is hard to eradicate completely. Whenever illegal services are taken down, the gap created will always be filled by other criminals willing to profit from the opportunity. The reality we have to accept is that there will always be demand for such services.

The following graph shows the amount of new .onion addresses appearing each day. After the takedown on November 7th, we noticed a higher than regular spike in the number of new hidden services being set-up.

We've also analyzed the lifetime of the Onion-sites which were taken down last week. On average, most of them were alive for at least 200 days, but usually not more than 300 days - which the following graph shows. Just some were online for less than 2 months.

What does this mean for the Tor network and the Dark Web?

The most intriguing question which is raised by the media is – what exceptional tools one needs to compromise a hidden service? In theory, when you visit a hidden service, there is no way of knowing (either for you or for anyone else) the physical location of the web server behind it. For the theory to remain solid, three conditions must be met:

  1. The hidden service must be properly configured
  2. The web server should be impenetrable - no vulnerabilities or configuration errors
  3. The web application should have no flaws

If any of the 3 conditions is not met, it's quite easy for a skilled person to essentially hack into that server and start to dig further.

Anyone familiar with Dark Net websites knows how poorly coded many of these websites can be. Just because a website's physical location is obscured by Tor hidden services, it doesn't mean this website's security is bullet-proof. Vulnerabilities such as SQL injection will always be present if the coding isn't done properly.

The first scenario to compromise a hidden service would be to successfully exploit such a bad coded application. It is then possible to compromise the real server where the hidden service is stored, get information about its physical location or, more preferable, install a backdoor that could collect information of what's going on the server for weeks.

There is absolutely no need to try to and look for vulnerabilities in Tor itself, it's much easier to find a misconfiguration of services or flaws in the web application. People who control illegal Dark Net sites usually rely on Tor capabilities for security, but this will never save them from bugs in 3rd party applications or their own mistakes.

Another possible scenario is to infect the administrator of an illegal site with spyware, get full access to his computer and from there get all the required information about his true identity.

This could be easier than it seems: for example, if a vulnerability is found in a hidden service, it is possible to rig it's admin page with an exploit and wait for when the drug shop administrator will access his site. Then he would be infected with malware as a result of this highly targeted waterhole attack.

Another way is to infiltrate the illegal service posing as a regular customer, by creating an account and even buying something in there, to create reputation. When the time comes to do some communication with the hidden service's support account (about the quality of the product, for instance), they can start using social engineering or even send a spearfishing message rigged with an exploit.

There are a lot of ways to compromise a hidden service, without attacking Tor's architecture itself. Of course, the possibility of having a serious security vulnerability in Tor itself should not be completely excluded either.

Stuxnet: Zero Victims

Malware Alerts - Tue, 11/11/2014 - 06:30

The Stuxnet cyber-sabotage operation remains one of the favorite discussion subjects of security researchers everywhere. Considered the first known cyber-weapon, Stuxnet targeted the Iranian nuclear program using a subtle and well designed mechanism.

For background, see our previous reports on the Stuxnet saga:

One of the reasons to revisit the Stuxnet subject is the publication (November 11th, 2014) of the book "Countdown to Zero Day" by journalist Kim Zetter.

We are quite excited about the book which includes new and previously undisclosed information about Stuxnet. Some of the information is actually based on interviews conducted by Kim Zetter with members of Kaspersky Lab's Global Research and Analysis Team. To complement the book release, we've decided to also publish new technical information about some previously unknown aspects of the Stuxnet attack.

Even though Stuxnet was discovered more than four years ago, and has been studied in detail with the publication of many research papers. However, is still not known for certain what object was originally targeted by the worm. It is most likely that Stuxnet was intended to affect the motors that drive uranium enrichment centrifuges. But where were those centrifuges located – in the Natanz plant or, perhaps, in Fordow? Or some other place?

The story of the earliest known version of the worm – "Stuxnet 0.5" – is outside the scope of this post; we are going to focus on the best known variants created in 2009 and 2010. (The differences between them are discussed in our 2012 publication - Back to Stuxnet: the missing link).

In February 2011, Symantec published a new version of its W32.Stuxnet Dossier report. After analyzing more than 3,000 files of the worm, Symantec established that Stuxnet was distributed via five organizations, some of which were attacked twice – in 2009 and 2010.

Screenshot from the Symantec report

The Symantec experts were able extract this information due to a curious feature of the worm. When infecting a new computer, Stuxnet saves information about the infected system's name, Windows domain and IP address. This information is stored in the worm's internal log and is augmented with new data when the next victim is infected. As a result, information on the path travelled by the worm can be found inside Stuxnet samples and used to establish from which computer the infection began to spread.

Example of information found in a Stuxnet file

While Symantec did not disclose the names of the organizations in its report, this information is essential for a proper understanding of how the worm was distributed.

We collected Stuxnet files for two years. After analyzing more than 2,000 of these files, we were able to identify the organizations that were the first victims of the worm's different variants in 2009 and 2010. Perhaps an analysis of their activity can explain why they became "patients zero" (the original, or zero, victims).

"Domain A"

The Stuxnet 2009 version (we will refer to it as Stuxnet.a) was created on June 22, 2009. This information is present in the worm's body – in the form of the main module's compilation date. Just a few hours after that, the worm infected its first computer. Such a short time interval between creating the file and infecting the first computer almost completely rules out infection via USB drive – the USB stick simply can't have passed from the worm's authors to the organization under attack in such a short time.

The infected machine had the name "KASPERSKY" and it was part of the "ISIE" domain.

When we first saw the computer's name, we were very much surprised. The name could mean that the initial infection affected some server named after our anti-malware solution installed on it. However, the name of the local domain, ISIE, provided us with a little bit of information that might help to determine the organization's real name.

Assuming that the victim was located in Iran, we conjectured that it could be the Iranian Society of Industrial Engineers (ISIE) or an organization affiliated with it, the Iranian institute of Industrial Engineering (IIIE). But could it have been some other ISIE located in some place other than Iran? Given that our anti-malware solution had been used on the infected computer, we considered the possibility that ISIE might even be a Russian company.

It took us a long time to establish what organization it really was, but ultimately we succeeded in identifying it with a high degree of certainty.

It is called Foolad Technic Engineering Co (FIECO). It is an Iranian company with headquarters in Isfahan. The company creates automated systems for Iranian industrial facilities (mostly those producing steel and power) and has over 300 employees.

Screenshot from the company's website

The company is directly involved with industrial control systems.

- Implementing bench scale and pilot scale projects, such as data
communication between PLC existing in a plant and a remote point
through internet, by defining home page on a CP (Communication Processor)
card connected to a S7 CPU.
- Implementing different network structures, such as, As interface, profibus
DP, Ethernet, MPI, profibus PA In electronic and light communication channels.

Clearly, the company has data, drawings and plans for many of Iran's largest industrial enterprises on its network. It should be kept in mind that, in addition to affecting motors, Stuxnet included espionage functionality and collected information on STEP 7 projects found on infected systems.

In 2010, that same organization was attacked again – this time using the third version of Stuxnet, created on April 14, 2010. On April 26, the same computer as in 2009 – "KASPERSKY.ISIE" – was infected again.

This persistence on the part of the Stuxnet creators may indicate that they regarded Foolad Technic Engineering Co. not only as one of the shortest paths to the worm's final target, but as an exceptionally interesting object for collecting data on Iran's industry.

"Domain B"

One more organization was attacked multiple times – once in 2009 and twice in 2010. Essentially, each of the three Stuxnet variants was used to infect this target. In this case, the attackers were even more persistent than in the case of Foolad Technical Engineering Co.

It should be noted that it was this victim that was the patient zero of the 2010 global epidemic. This organization's infection in the course of the second attack (in March 2010) led to the widest distribution of Stuxnet – first in Iran, then across the globe. Curiously, when that same organization was infected in June 2009 and in May 2010, the worm hardly spread at all. We share our thoughts on the reasons for that below.

Take the most widespread variant – Stuxnet 2010 (a.k.a. Stuxnet.b). It was compiled on March 1, 2010. The first infection took place three weeks later – on March 23.

In addition to the computer's name and the domain name, Stuxnet has recorded the machine's IP number. The fact that the address changed on March 29, may indicate, albeit indirectly, that it was a laptop which connected to the company's local network once in a while.

But what company is it? The domain name –"behpajooh" – immediately gives us the answer: Behpajooh Co. Elec & Comp. Engineering.

Like Foolad Technic, this company is located in Isfahan and it also develops industrial automation systems. Clearly, we are also dealing with SCADA/PLC experts here.

Screenshot from the company's website

While collecting information about Behpajooh Co, we discovered one more curious thing - a 2006 article published in a Dubai (UAE) newspaper called Khaleej Times.

According to the article, a Dubai firm was accused of smuggling bomb components into Iran. The Iranian recipient of the shipment was also named – it was a certain "Bejpajooh Inc" from Isfahan.

So why did Stuxnet spread most actively as a result of the March 2010 Behpajooh infection? We believe the answer lies in the second organization in the chain of infections that started from Behpajooh.

As the screenshot above shows, on April 24, 2010 Stuxnet spread from the corporate network of Behpajooh to another network, which had the domain name MSCCO. A search for all possible options led us to the conclusion that the most likely the victim is Mobarakeh Steel Company (MSC), Iran's largest steel maker and one of the largest industrial complexes operating in Iran, which is located not far from Isfahan, where the two victims mentioned above - Behpajooh and Foolad Technic - are based.

Stuxnet infecting the industrial complex, which is clearly connected to dozens of other enterprises in Iran and uses an enormous number of computers in its production facilities, caused a chain reaction, resulting in the worm spreading across thousands of systems in two or three months. For example, the analysis of logs shows that by July 2010 this branch of the infection reached computers in Russian and Belarusian companies.

"Domain С"

On July 7, 2009, Stuxnet 2009 hit yet another target. With it, it was designed to start the path to its ultimate intended mission. The victim computer was named "applserver" (application server?), located in the domain NEDA.

In this case, it was pretty easy to identify the victim organization. Beyond any doubt, it was the Neda Industrial Group, an organization that was put on the sanctions list by the U.S. Ministry of Justice, and charged with the illegal export of prohibited entities into Iran with potential military applications. This company's complete dossier is available on the Iran Watch site.

When tracking the chain of Stuxnet propagation, one of the group's branch organizations raises special interest: "Allegedly the controlling entity of Nedaye Micron Electronic Company in Tehran, Iran and Neda Overseas Electronics LLC in Dubai, UAE; provides services in industrial automation for power plants, the cement industry, and the oil, gas and petrochemical sector; established in the mid 1980s under the name NEDA Computer Products Incorporated as a fully private joint stock company".

Neda was attacked only once, in July 2009, and Stuxnet never left that organization, according to the infection logs available to us. However, to leave the organization may have not been its purpose in this case. As noted earlier, the capability of stealing information about STEP 7 projects from infected systems was of special interest to the creators of Stuxnet.

"Domain D"

The fourth victim in 2009 was infected on July 7, the same day when Neda was compromised. Interestingly, the infection started with the server, if we judge by the computer name – SRV1 in domain CGJ, just like it did in the Neda case.

So, what is CGJ? We spent quite some time combing through search engines and social networks, and we are practically confident that is Control-Gostar Jahed Company, another Iranian company operating in industrial automation.

Control Gostar Jahed (CGJ) (Private Joint Stock, Since 1383) Founded with the aim of localization of industrial automation technology, and employing the technical know-how and execution power of 30 full-time personnel in the Tehran office and more than 50 workshop personnel, has achieved a high capacity in providing engineering and technical services.
The companys major focus over the years has been on the following domains:
- Design, procurement, construction, programming and commissioning of control systems (DCS, PLC, ESD, F&G)
- Design, manufacture and installation of low voltage fixed and sliding panels (using the products of CUBIC Denmark)
- Upgrading hardware, software and optimization of industrial automation systems
- Consulting services and basic and detailed design of electrical and instrumentation systems
- Installation of electrical and control systems

Unlike Neda Group, Control-Gostar Jahed Company is not on the sanctions list. It was probably chosen as a target because of its impressive cooperation ties with the largest Iranian businesses in oil production, metallurgy and energy supplies.

This organization was attacked only once in 2009. That infection did not leave the target's corporate network and makes up the smallest part of all known Stuxnet propagation lines.

"Domain E"

The fifth and the last "Patient Zero" victim stands out when judged by the numbers of originally infected systems. Unlike in all above cases, the attack in this case started from three computers at once, on the same day (May 11, 2010), but at different times.

Information from three different Stuxnet files

KALASERVER, ANTIVIRUSPC, NAMADSERVER: judging by the names, there were at least two servers involved in this case too.

Such an pattern of infection makes us practically confident that email was not used as the primary infection vector. The chances are very small that the infection started from a user receiving an email containing an attachment with an exploit.

So what is Kala? There are two most verisimilar answers to this, and we do not know which is the correct one. Both are about companies affected by sanctions and directly related to Iran's nuclear program.

Well, one possibility could be Kala Naft. A dossier for this company is available on the Iran Watch site.

However, Kala Electric (a.k.a. Kalaye Electric Co.) looks like the most probable victim. This is in fact an ideal target for an attack, given Stuxnet's main objective (which is to render uranium enrichment centrifuges inoperable), available information on Iran's nuclear program, and the logic of the worm's propagation.

Of all other companies, Kala Electric is named as the main manufacturer of the Iranian uranium enrichment centrifuges, IR-1.

The company does not have a web-site, but there is quite some information available about its activities: that is one of the key structures within the entire Iranian nuclear program.

Also, quite detailed information is available on the ISIS (Institute for Science and International Security) site at

Based on Iran's revised declaration about this site, originally, Kalaye Electric was a private company that was bought by the Atomic Energy Organization of Iran (AEOI). The name "Kalaye Electric" means "electric goods," implying that Iran kept the original name to help disguise the true purpose of the facility.

Iran declared that Kalaye Electric became the primary IR-1 centrifuge development and testing site after such work was moved in 1995 from the Tehran Nuclear Research Center. The IAEA has reported that between 1997 and 2002, Iran assembled and tested IR-1 centrifuges at Kalaye

Since moving many centrifuge research and development activities to the Pilot Fuel Enrichment Plant (PFEP) at Natanz, Kalaye Electric has remained an important centrifuge research and development site.

Satellite images of Kala Electric operation facilities are also available; these are considered to be the site where the centrifuges were developed and tested.


Thus, it appears quite reasonable that this organization of all others was chosen as the first link in the infections chain intended to bring the worm to its ultimate target. It is in fact surprising that this organization was not among the targets of the 2009 attacks.


Stuxnet remains one of the most interesting pieces of malware ever created. In the digital world, one might say it is the cyber equivalent of the atomic attacks on Nagasaki and Hiroshima from 1945.

For Stuxnet to be effective and penetrate the highly guarded installations where Iran was developing its nuclear program, the attackers had a tough dilemma to solve: how to sneak the malicious code into a place with no direct internet connections? The targeting of certain "high profile" companies was the solution and it was probably successful.

Unfortunately, due to certain errors or design flaws, Stuxnet started infecting other organizations and propagate over the internet. The attacks lost control of the worm, which infected hundreds of thousands of computers in addition to its designated targets.

Of course, one of the biggest remaining questions is - were there any other malware like Stuxnet, or was it one-of-a-kind experiment? The future will tell for sure.


Subscribe to RIT Information Security aggregator