
Targeted malware grows ever more sophisticated

Until now, malware writers have been motivated by money; the era of writing malware for fun ended long ago.
Malware can be separated into two groups: malware that steals directly from users, for example through credit card numbers or fund transfers, and malware that takes over computing power to sell in the underground market for spam, DDoS (distributed denial of service) attacks, pay-per-click fraud and more, according to Stefan Tanase of Kaspersky Lab's GReAT (Global Research and Analysis Team) for EEMEA (Eastern Europe, Middle East and Africa).
But this year a new trend is emerging: cyber criminals stealing not money but information such as plans, documents and trade secrets, usually through very targeted attacks.
This kind of attack hit the headlines when Google was hit by Aurora. The attack was serious enough to make even a giant like Google change its policy towards one of the world's biggest markets, in this case China.
The problem with targeted attacks is just that: they are targeted. The industry is not dealing with epidemics; often a single infection is enough. Worse, even when targeted companies are aware of the attacks, they often do not report them for fear of bad publicity.
Classic AV signature scanning is of little use here, because targeted malware is built to be unique: a sample crafted for one victim has never been seen by the vendor, so no signature exists for it.
The criminal conducts reconnaissance to find out which anti-virus product the company uses, develops a new attack that product does not detect, combines it with effective social engineering and delivers it. Once inside the network, the attackers gain access, browse for documents and extract information.
The reconnaissance stage used to be time-consuming, but today much of the information needed is available on social-networking sites such as Facebook and LinkedIn, and delivery can be as simple as dropping an infected USB drive where an employee will find it, in the car park or while they are out for dinner, for instance.
Yet all this has changed again in the past two months with the Stuxnet worm. Stuxnet is far bigger than Aurora: it no longer targets a computer used by an employee, but the computers controlling SCADA networks, the automation systems in factories and power plants, for example. It could alter the cooling of a plant or modify the robots of a production line, so that factories make products with modifications nobody knows about.
What is remarkable is that Stuxnet uses two different rootkit technologies. One runs on the controlling PC to hide the Stuxnet worm itself from the operating system; the other hides the code the worm injects into the programmable logic controllers (PLC) from the engineering software used to inspect them. It also exploits four zero-day vulnerabilities, two of them local privilege-escalation flaws that give the worm full control of the infected machine.
As a result, a user of an infected PC will see neither the Stuxnet worm nor the malicious code it is injecting into the PLC.
Stuxnet spreads through USB sticks, which is the only way to reach factory networks not connected to the open Internet. Once on such a network it can also spread between the Windows machines on it, but the USB stick is what carries it across the air gap.
Infected machines then become part of the Stuxnet botnet, and the controller can steal code, documents and designs and inject new orders into the PLC.
The authors of Stuxnet were not out to steal but to modify; yet in order to modify PLC code, first you need to see what the existing code is doing.
Stuxnet can infect versions of Windows from XP to Windows 7.
"This is unheard of. If a piece of malware used one zero-day, that was amazing, but malware using four zero-days is mind-blowing," Tanase said.
And the intrigue continues. The files were signed with real digital signatures, using certificates stolen from real companies, in this case JMicron and Realtek. Malware is rarely signed at all, and the fact that these files were signed with certificates stolen from two companies in the same industrial park in Taiwan is fuelling conspiracy theories. Did someone break into Realtek and JMicron? Did they have insider access? Or did someone just drop a couple of infected USB drives in the parking lot?
The certificates were later revoked, but only after Stuxnet was discovered. Revocation does nothing for code that has already run, and a verifier that honours a trusted signing timestamp will keep accepting binaries signed before the revocation date unless the CA dates the revocation back to the suspected time of compromise. This marks another milestone and poses a new dilemma for security experts: whether signed code and certificates can be trusted at all.
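The following is an added example, not code from the article or from Kaspersky, showing why revoking a stolen code-signing certificate after the fact is not enough on its own. It builds a toy CA and a leaf certificate that stands in for a hardware vendor's stolen signing certificate, signs a byte string that stands in for a driver, and then checks the signature against two CRLs: one that simply revokes on the day of discovery, and one that also carries an RFC 5280 InvalidityDate pointing back to when the key is believed to have been compromised. The CA names, the timeline and the "driver" are all constructed; the `verify` function is a simplified model of a timestamp-aware verifier (it checks the chain, the signature and the CRL, but not validity periods or the real Authenticode format). It requires the `cryptography` package.

```python
"""Added example (not from the article): late revocation versus backdated revocation.

Everything here is constructed in memory: a toy CA, a leaf certificate standing in
for a vendor's stolen code-signing certificate, a byte string standing in for a
driver, and two CRLs.  Nothing is a real Stuxnet artefact.
"""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Constructed timeline (naive datetimes are interpreted as UTC by the library).
CERT_ISSUED = datetime(2009, 1, 1)
SIGNED_AT = datetime(2010, 1, 25)    # attacker signs a driver with the stolen key
REVOKED_AT = datetime(2010, 7, 17)   # CA revokes after the malware is discovered


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, pubkey, signer, is_ca):
    return (x509.CertificateBuilder()
            .subject_name(_name(subject)).issuer_name(_name(issuer))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(CERT_ISSUED)
            .not_valid_after(CERT_ISSUED + timedelta(days=1095))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))


def make_pki():
    """Toy CA plus one code-signing certificate (the one that gets stolen)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = _cert("Toy Code Signing CA", "Toy Code Signing CA", ca_key.public_key(), ca_key, True)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_cert = _cert("Example Hardware Vendor", "Toy Code Signing CA", leaf_key.public_key(), ca_key, False)
    return ca_key, ca_cert, leaf_key, leaf_cert


def sign_code(key, blob):
    return key.sign(blob, padding.PKCS1v15(), hashes.SHA256())


def revoke(ca_key, ca_cert, cert, revocation_date, invalidity_date=None):
    """Issue a CRL revoking `cert`; `invalidity_date` records when the key is
    believed to have been compromised (RFC 5280 InvalidityDate extension)."""
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(cert.serial_number)
             .revocation_date(revocation_date))
    if invalidity_date is not None:
        entry = entry.add_extension(x509.InvalidityDate(invalidity_date), critical=False)
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(ca_cert.subject)
            .last_update(revocation_date)
            .next_update(revocation_date + timedelta(days=30))
            .add_revoked_certificate(entry.build())
            .sign(ca_key, hashes.SHA256()))


def _naive_utc(dt):
    # Newer `cryptography` releases expose tz-aware *_utc properties, older ones
    # return naive UTC; normalise so comparisons against the timeline work.
    return dt.astimezone(timezone.utc).replace(tzinfo=None) if dt.tzinfo else dt


def verify(blob, sig, leaf, ca_cert, crl, signed_at, honor_signing_time):
    """Return (accepted, reason).  honor_signing_time=True mimics verifiers that
    trust a timestamp countersignature: a signature made before the
    certificate's revocation (or invalidity) date still verifies."""
    try:
        ca_cert.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                    padding.PKCS1v15(), leaf.signature_hash_algorithm)
        leaf.public_key().verify(sig, blob, padding.PKCS1v15(), hashes.SHA256())
    except Exception:
        return False, "bad signature or untrusted issuer"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False, "CRL not signed by the CA"
    entry = crl.get_revoked_certificate_by_serial_number(leaf.serial_number)
    if entry is None:
        return True, "certificate not revoked"
    cutoff = _naive_utc(getattr(entry, "revocation_date_utc", None) or entry.revocation_date)
    try:
        inv = entry.extensions.get_extension_for_class(x509.InvalidityDate).value
        cutoff = _naive_utc(getattr(inv, "invalidity_date_utc", None) or inv.invalidity_date)
    except x509.ExtensionNotFound:
        pass
    if honor_signing_time and signed_at < cutoff:
        return True, "revoked, but signed before %s" % cutoff.date()
    return False, "certificate revoked"


def run_scenario():
    ca_key, ca_cert, stolen_key, stolen_cert = make_pki()
    driver = b"constructed stand-in for a driver image"
    sig = sign_code(stolen_key, driver)
    # CA revokes on discovery, dating the revocation to the day of discovery.
    crl_late = revoke(ca_key, ca_cert, stolen_cert, REVOKED_AT)
    # CA revokes and states that the key was compromised from issuance onward.
    crl_backdated = revoke(ca_key, ca_cert, stolen_cert, REVOKED_AT, invalidity_date=CERT_ISSUED)
    return {
        "tampered": verify(driver + b"!", sig, stolen_cert, ca_cert, crl_late, SIGNED_AT, True)[0],
        "strict": verify(driver, sig, stolen_cert, ca_cert, crl_late, SIGNED_AT, False)[0],
        "timestamped": verify(driver, sig, stolen_cert, ca_cert, crl_late, SIGNED_AT, True)[0],
        "timestamped_backdated": verify(driver, sig, stolen_cert, ca_cert, crl_backdated, SIGNED_AT, True)[0],
    }


if __name__ == "__main__":
    for policy, accepted in run_scenario().items():
        print("%-22s %s" % (policy, "ACCEPTED" if accepted else "rejected"))
```

The outcome worth noticing is the "timestamped" case: a verifier that honours the signing time keeps accepting the attacker's driver because it was signed months before the certificate was revoked. Only the CRL that carries an invalidity date earlier than the signing time causes that binary to be rejected, which is why a CA handling a stolen key should record the earliest plausible compromise date rather than the day of discovery, and why defenders should not rely on revocation alone to clear already-signed malware.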
And what of the target? The biggest concentration of infections was in Iran or India, depending on when the count was taken. But infections were global, and Tanase believes Iran was the target because it had by far the highest infection rate per capita. What exactly was targeted is not known.
Today the command and control servers for Stuxnet have been taken offline, but the worm still has a peer-to-peer update mechanism. Someone can still push updates into the botnet as long as infected machines are out there. What it was used for, what its payload did and whether it had already accomplished its task is anyone's guess.
"Stuxnet brings targeted attacks to a whole new level of sophistication," said Tanase.
"I'm not just making these allegations when you look at what's being applied: Four zero-days, two stolen certificates and using SCADA networks as a target. They had to have immense technical resources, and to get those certificates is probably the reason people suspect nation state involvement."
Stuxnet is the first moment where cyber crime moves from pickpocketing to something that can really affect national infrastructure. Attacks like Stuxnet are too complicated to become mainstream.