The third quarter of 2010 turned out to be more eventful than the preceding quarter. Over 600 million attempts to infect users’ computers with malicious and potentially unwanted programs were blocked during this period; an increase of 10% on the second quarter of this year. Out of all of the objects detected, over 534šmillion were malicious programs. There was an emergence of ultra- sophisticated malware in this quarter too. This was the first time we have seen malware which used not one, but five vulnerabilities at once to penetrate a system. It seems that the design specification for this malware included a self-protection mechanism that radically increased the likelihood of it being able to infect the target.
Malware writers have been actively investigating anti-hacker technologies, which resulted in new methods for evading protection being discovered. This has led to an escalation in the arms race between the cybercriminals and the IT security companies, causing the antivirus industry to actively create and develop new technologies for detection and disinfection in order to balance the threat.
In turn, this has increased competition in the underground segments traditionally targeted by cybercriminals which has subsequently diminished their profits and pushed ’professionals’ to search for new sources of illegal income. It seems that the cybercriminal community are gradually shifting their focus towards targeted attacks on organizations. These attacks are designed to disrupt the work of an organization for the purposes of blackmail and industrial espionage – anything which will bring significant profits for those conducting the attacks.
One of the most significant events of the quarter for the IT security industry could have come straight out of a scene from ’Die Hard 4’: it was the Stuxnet worm attack.
The worm was first detected at the beginning of June and instantly attracted the attention of IT security specialists from around the world. There were several reasons for this. Firstly, the worm's components included valid digital certificates. This meant that malware writers had, by nefarious means, managed to acquire private keys for digital certificates from reputable companies. Secondly, the worm used a zero-day vulnerability in LNK files in order to spread. This was apparent at first glance. However, researchers made many more interesting discoveries, including the fact that Stuxnet targeted three other zero-day vulnerabilities.
Once the worm’s code had been analysed, it became clear that it was designed to target Windows environments running very specific software, including SIMATIC, WinCC and PCS7 from Siemens AG. No malware had previous targeted such software, which is normally used to manage SCADA-based industrial control systems. Additionally, Stuxnet does not indiscriminately attack systems running WinCC. It targets only those that use Simatec programmable logic controllers and inverters from specific manufacturers.
So, what is the worm component which carries the malicious payload designed to do? It attempts to connect to WinCC using the default vendor password. The DLL file which the worm installs hooks some system functions and consequently influences operations in the management system of the industrial installation. Clearly, this malware is designed to perform industrial espionage rather than steal passwords, but theoretically, it could be used to create a diversion. Further analysis of the worm has shown that its main goal is to change the logic within Simatec PLCs embedded into inverters which are used to control the rotation speed of electric motors. These PLCs operate with very high speed motors that have limited applications, such as those in centrifuges.
Although the data obtained gives grounds for making assumptions as to the actual purpose of the attack, no solid proof exists. It should be noted that, as with the Aurora attack which we covered in the Q1 report, the attack by the Stuxnet worm is a targeted attack, even if the target still remains unclear. The question remains: ’Why?’ The fact is that organizations which are subjected to such attacks very rarely publish information about them as it could negatively influence their reputation. According to Siemens’ official data, fifteen client systems around the world were known to have been infected at the beginning of September 2010.
The very fact that organizations rarely make information about attacks public knowledge affects the work of the antivirus companies. In order to successfully combat targeted attacks, antivirus companies need information about how the malware behaves in the system, as signature-based detection methods against such attacks are relatively ineffective. Firstly, cybercriminals can always modify the malware using encryption and obfuscation in such a way that the malware can no longer be detected by signature alone. Secondly, antivirus companies may never actually get their hands on a sample of the malware, meaning that a precise signature will never be created. It is however, impossible to hide the malware's payload completely. Once the worm or the Trojan has reached its target, it will do exactly what it was designed to do: deliver its payload. This is when antivirus companies will be able to detect such malware through the use of behavioural analysis, the most important approach in the case of targeted attacks.
All of this indicates that the creators of Stuxnet are highly skilled. Stuxnet is a worm aimed at interfering with the operation of PLCs used within large enterprises. The worm exploits four zero-day vulnerabilities and contains a rootkit signed by certificates stolen from Realtec Semiconductors and JMicron. Further on we will discuss the details of these certificates. Such complex malware must have been designed with a significant target in mind, as large sums of money must have gone into its creation.
Digital certificates and signatures are the main methods used to ensure trust in the digital world. Digital signatures for executable files were first used in Windows NT: since then, Microsoft has actively promoted the use of digital signatures. A digital certificate makes it possible to confirm that a program is legitimate and to determine its source.
Naturally, whether or not a file is signed is very significant to antivirus companies. Files which are signed by a trusted vendor are, de facto, judged to be clean. This technology enables antivirus developers to not only keep the number of false positives to a minimum, but also effectively allocate resources when scanning a computer for infection.
Unfortunately, digital signatures present a whole range of problems. The certificate can be ‘cut’ from a legally signed file. Microsoft certificates are the most frequently ‘cut’. The trick is not new and is often used by virus writers. This quarter, for instance, the trick was performed by Zbot’s distributers, who ’cut’ the certificate from a legal file and joined it to the Zbot component. At first sight, such files appear to be legitimate. However, that is just first impressions. To sign a file, its hash-sum is used, which is unique for every object. When certificates are ‘cut’ as described above, the hash-sums of the file and the signature no longer match, invalidating the certificate. This enables fake certificates to be recognized. Most commonly, the cybercriminals attempt to mislead virus analysts and users by employing the certificate from a legitimate file signed by a well-known vendor. Such tricks are not rare; therefore it is important that antivirus solutions not only check the certificate’s presence, but that it matches the file as well.
The second issue is more complex - the cybercriminals can obtain a digital certificate quite legally, as can any other software developer, for example, for officially developing ‘software for the remote management of computers without GUIs’, which is in essence, a backdoor. This kind of ‘defense’ against detection is most popular with the authors of adware, riskware and Rogue AVs. After receiving the necessary key from the certification center, the cybercriminals can sign any of their creations with little effort. However, such a scenario allows antivirus companies to discover these ‘black sheep’ quite easily, by enabling them to effectively detect all files using this certificate.
As mentioned above, digital certificates are used by most major software developers. The information necessary to create a file signature is stored on vendors’ computers connected to the Internet. Last year we saw the results of programmers’ workstations infected by the concept virus Virus.Win32.Induc, which was integrated into programs in the early stages of code linking and compilation. On the same day that this virus was detected by anti-malware tools, hundreds of legitimate programs were detected as well. The situation is even worse with regard to certificates. A closed key is in essence a file, and can therefore be stolen just like any other virtual property. The detected Stuxnet components were signed with the help of Realtec Semiconductors and JMicron certificates. It is unknown how exactly the closed key fell into the hands of the cybercriminals, but it is clear that it could have been one of several possible ways. The cybercriminals could have bought these files from insiders or stolen them using a backdoor or some other similar piece of malware. Currently, certificate theft is one of the key features of a very common Trojan: Zbot (aka ZeuS).
Legitimate signatures are one of the reasons that Stuxnet successfully escaped detection by antivirus programs for quite a long time. Malware signed by valid certificates can easily circumvent even the modern protection mechanisms built into Windows 7. Thus, when a signed malicious driver or an ActiveX component is installed on a system, no warning window appears. The growing popularity of Windows 7, which according to Net Applications statistics makes up about 16% of the market, and the gradual decline of Windows XP, will result in increased problems with digital certificates. Judging by today’s trends, this might become one of the major problems awaiting us in 2011.
We shouldn’t forget that as well as everything that we have discussed so far, there are also other ways to evade integrated protection systems. In addition to the protective measures we have looked at, new versions of Windows have a mechanism to protect against the installation of unsigned drivers. However, the developers of Stuxnet were able to bypass the system, getting hold of well-known companies’ closed keys and signing all of the components of the rootkit. The virus writers that created the code for the TDSS Trojan, which our experts described in the second quarter of this year, took a different tack.
In August, a new version of this malicious program labeled TDL-4 was detected. The most interesting innovation is that the rootkit used to conceal the Trojan’s malicious actions can successfully run on 64-bit systems as well. The previous version, TDL-3, infected physical disk drivers, which allowed the rootkit to be downloaded immediately after the operating system launches. However, infecting drivers using such an approach results in a change of hash-sum, and consequently the digital signature does not correspond to the file anymore, which is detected by the protection tool embedded into 64-bit versions of Windows.
To evade this mechanism, the new version of TDSS infects the MBR area using technology similar to that used by the Sinowal bootkit. In this case the malicious code starts to execute even before the operating system is launched and can alter the system’s boot parameters, allowing unsigned drivers to be registered in the system. The rootkit loader determines under which system, 32-bit or 64-bit, the malicious program will be operating, writes the driver code to memory and registers it in the system. After this, the operating system containing the malicious code is booted up. The rootkit does not modify the nucleus areas, which are protected by a different PatchGuard technology integrated into the operating system.
Our forecast proved to be correct - infection and concealment technology has evidently become even more sophisticated, which in turn requires elaboration of any detection and treatment technologies for such malware. If malware and antivirus programs continue the struggle at still lower system levels, it is very probable that even the most daring of concepts for infecting BIOS’ and hypervisors will soon become an everyday reality.
Struggling with new and sophisticated malware is an arduous task for antivirus companies of any size, therefore, in addition to its main product range; Kaspersky Lab issued a new version of its free anti-rootkit utility, TDSSkiller, which among other things, detects and removes the most recent versions of TDSS. This protection utility is designed to complement Kaspersky Lab’s regular security products.
Last year we detailed the cybercriminals’ activities in the former soviet republics, where extorting money with the help of SMS-blockers has become especially popular. The scheme is very simple: the program, which is downloaded to users’ computers, prevents the operating system or the browser from working. To remove the program, the user is asked to send an SMS to a short number at the cost of anything up to one thousand rubles. In view of the huge number of victim users, Kaspersky Lab, along with several other antivirus companies, launched an unblocking service.
While antivirus vendors struggle to get to grips with the results of the cybercriminals’ illegal activities, the perpetrators themselves are being dealt with by law enforcement authorities: this quarter, a huge criminal group involved in the illegal use of SMS-blockers were arrested and detained. During late August 2010, ten people were arrested in Moscow and accused of creating SMS-blockers. According to information provided by the Russian Federation’s Ministry of Internal Affairs, the illegal profit that the gang made is estimated to be around 500million rubles.
A criminal case was initiated, but what it most important is that the accused parties will not only be tried under Article 273 of the Russian Federation Criminal Code, which is known to every hacker in Russia and which seldom results in imprisonment (“Development, use and dissemination of malicious computer programs”), but also under Article 159 (“Fraud”). The sum of 500million rubles is sufficient to be considered grand larceny, and if proved guilty, the accused might be sentenced to a far more severe punishment.
Such news cannot fail to make antivirus experts and representatives of law enforcement authorities that hunt for the cybercriminals happy. However, there is a down side to it. Last year, the organizers of an unprecedentedly large attack were arrested. They had illegally transferred over $9million from 2,100 ATMs in over 280 countries. (www.securelist.com/ru/blog/32304/Amerika_khochet_vernut_9_millionov). Some members of the criminal group were detained in the USA and are currently facing up to 20 years in jail and serious fines. Now let’s see what happened to one of organizers of the attack who was tried in Russia. The investigation has shown that this person is responsible for hacking into RBS Worldpay and copying credit card numbers and PIN-codes in order to make fake credit cards.
He was convicted of grand larceny, illegal access to computer information and stealing the bank’s confidential data. But here is the most interesting thing: though guilty of all of these crimes, he was given a suspended sentence and put on probation for 4 years. It turns out that in Russia you can get away with just a suspended sentence for the crime of stealing vast sums of money via the Internet. The same is very likely to happen with those involved in the SMS-blocker case, though we hope to be proven wrong.
In the money-stealing scheme described above, a key role was played by the people involved in laundering the stolen money: the accounts were set up in their names and they were the ones who withdrew the stolen money from the ATMs. These are often called ‘money mules’, and in last quarter’s report we revealed how the cybercriminals tried to recruit such people via a group on Facebook, which was 224 thousand people strong.
By the end of September, twenty people had been arrested in the USA – these were money mules who laundered money stolen using the Zbot Trojan (ZeuS). At the same time, a group of people were arrested in Great Britain for a similar money laundering scheme in which the criminals used information stolen by ZeuS. It should be noted that during the first few days of October, the ZeuS Trojan’s distributors became less active.
If law enforcement authorities continue to arrest cybercriminal gangs as they have been, we will face an intriguing autumn, with many newbie hackers having to think seriously about whether to follow their chosen career path.
Below we will look at the statistics concerning how various anti-malware components performed. All of the statistical data used in this report was collected via the distributed antivirus network Kaspersky Security Network (KSN). Information on malicious activity is continually being exchanged on a global basis by millions of users of Kaspersky Lab products located in 213 countries.
In the third quarter of 2010, Kaspersky Lab detected over 16.5 million exploits. This does not include modules with the functionality of exploits which were embedded inside worms and Trojan programs.
Let us examine the exploits used by the cybercriminals during the third quarter of 2010.
The two clear leaders are the exploits detected using heuristic methods, including proactive technologies. Exploits that take advantage of vulnerabilities in different versions of Adobe Reader are in third and ninth positions, and when combined, represent 12,5% of all detected exploits. Just as we expected, the exploits for the vulnerability CVE-2010-1885 in Windows Help and Support Center have rapidly become popular with virus writers. These exploits are in 4th and 8th positions and account for 12% of all exploits. A family of exploits using the Java vulnerability CVE-2010-0886 (4,8%) also made it into the Top 10.
Exploits for the CVE-2010-2568 vulnerability in LNK-files are the most interesting. Stuxnet pioneered this group. The vulnerability was detected around the end of July and a patch was released by Microsoft on 2 August. The vulnerability enables malicious programs to be distributed quite easily via removable media, primarily USB flash-drives. Until recently, to distribute malware via flash-drives, the cybercriminals resorted to specially created autorun.inf files. Such files can be detected quite readily by current antivirus technologies.
The vulnerability in LNK-files enables executables to be launched from a flash-drive without any action on the part of the user. The cybercriminals have created a special LNK-file for this purpose, which when displayed in the file manager, e.g. in Microsoft Explorer, will run the malicious code. The computer is infected as soon as a user opens the folder to view the contents of the infected device.
After the cybercriminals got to know about this wondrous opportunity, other virus writers also started to actively use it. In particular, we recorded Sality and Zbot (ZeuS) making use of the exploit for the vulnerability in LNK-files. This quarter, 6% of KSN users faced exploit attacks via the CVE-2010-2568 vulnerability.
In the third quarter of 2010, Kaspersky Lab detected over 31.4 million unpatched vulnerable applications and sites.
The Top 10 most common software vulnerabilities found on users’ computers are listed in the table below.
|№|| Secunia |
| Vulnerability |
and link to its
users can do
| Percentage |
| Date |
of publi- cation
| Threat |
|1||SA 37255||1||Sun Java JDK / JRE Multiple Vulnerabilities|| ||30.98%|| 12.02. |
|2||SA 40026||new||Adobe Flash Player Multiple Vulnerabilities|| ||26.97%|| 05.06. |
|3||SA 40907||new||Adobe Flash Player Multiple Vulnerabilities||Gain access to the system and execute random code with local user privileges||26.97%|| 11.08. |
|4||SA 31744||1||Microsoft Office OneNote URI Handling Vulnerability||Gain access to the system and execute random code with local user privileges||23.93%||2007-01-09||High|
|5||SA 38805||-4||Microsoft Office Excel Multiple Vulnerabilities||Gain access to the system and execute random code with local user privileges||21.83%||09.06.2009||High|
|6||SA 35377||-3||Microsoft Office Word Two Vulnerabilities||Gain access to the system and execute random code with local user privileges||20.18%|| 09.03. |
|7||SA 40034||new||Adobe Reader/Acrobat Multiple Vulnerabilities||Gain access to the system and execute random code with local user privileges||18.73%|| 05.01. |
|8||SA 37690||2||Adobe Reader/Acrobat Multiple Vulnerabilities|| ||15.28%|| 15.12. |
|9||SA 34572||-3||Microsoft PowerPoint OutlineTextRefAtom Parsing Vulnerability||Gain access to the system and execute random code with local user privileges||11.80%|| 09.09. |
|10||SA 40554||new||Microsoft Office Access ActiveX Controls Two Vulnerabilities||Gain access to the system and execute random code with local user privileges||11.17%|| 11.08. |
The updated rating included four new vulnerabilities: two in Adobe Flash Player products, one in Adobe Reader products and one in Microsoft Office products. As Microsoft and Adobe products are especially popular, nine of the ten leading vulnerabilities were detected in their programs: five in Microsoft, four in Adobe and only one in Oracle Java.
All of the vulnerabilities in the Top 10 allow cybercriminals to gain full access to the system. Generally speaking, any other functions offered by vulnerabilities are considered secondary.
Noticeably, the Top 10 still includes three vulnerabilities from 2009 and one from 2008. The vulnerability in first place was detected during the first quarter of 2010, which serves to illustrate just how slowly users update their systems.
All of the statistics presented in this chapter are based on data received from the web-antivirus module in Kaspersky Lab solutions which protects user’s computers from the moment a malicious program starts to download from an infected webpage.
In the third quarter of 2010 we recorded over 156million attempts to infect users’ computers in different countries around the world.
Over 60% of detected web objects are blacklisted links. The blacklist includes websites that host various malicious content and can be separated into two broad categories. The first category includes sites which actively employ social engineering techniques to lure unwary users into installing malware onto their computers. The second category includes sites which surreptitiously download malware onto the users’ computer and launch it. The latter use drive-by download methods based on exploiting vulnerabilities.
Fifth place is occupied by adware which was most actively distributed in four countries – the USA (28%), China (14%), India (6%) and the UK (4%).
Malware detected on the Internet can run on a number of platforms; the list of these platforms consists of 74 lines. However, the thing that stood out most was the appearance of the Android operating system in this list which was due to the detection of the first Trojan-SMS for mobiles running on Google’s Android platform. This program is distributed in the form of a player for downloading and showing adult videos. In order to perform its malicious task, the Trojan needs to be able to send SMSs. To this end, during the installation process the operating system displays a warning message on the handset’s display notifying the user that the program requires SMS functionality. If the user ignores this warning and continues to install the program it will do what it has been designed for –send paid SMSs to premium numbers.
The cybercriminals’ platforms of choice for the placement of malicious code are compromised legitimate websites and bulletproof ‘grey’ hosting sites that do not check owner’s credentials during the registration process or pay much attention to users’ complaints.
Internet resources hosting malware can be found in almost all countries of the world. However, 89% of detected platforms used for malware distribution are located in 10 countries.
In the third quarter of 2010, the list of countries with servers hosting malicious code remained completely unchanged. The USA retained its leading position with 4%, having provided ’shelter’ for a quarter of all malicious content, and the last three months have only seen a negligible shift in the countries’ positions. This can be explained by the fact that at present, Internet regulators are not taking any serious action that would noticeably affect the quantity of malware located on servers in these countries, in contrast to the firm approach taken by the Chinese authorities at the end of 2009.
It is an accepted fact that the Internet does not have borders and all Internet resources can be accessed from any part of the world. As a result, malware distributed via the Internet can infect any computer in any country.
Kaspersky Lab’s experts counted the percentage of KSN-connected computers on which attempted infections were blocked while users were surfing the Internet. The data received illustrates that the risk of infection varies in different countries.
The Top 10 countries where users were most often targeted by attempted infections distributed via the Internet
|Country|| The percentage |
of users whose computers
In the third quarter of 2010, the majority of attempted infections were detected in Russia: 52.8% of the Russian KSN-connected computers became targets for malicious attacks distributed via the Internet. Most often the cybercriminals used exploits in scripts to launch their attacks, and these were detected heuristically. In Belorussia, which is in second place on the list, the picture is almost identical. In China, the previous quarter’s scheme in which attacks were launched using Exploit.JS.Agent.bab was widely used again. If an attack is successful and the exploit is executed, a whole pack of malicious programs, including a rootkit, a downloader, Backdoor.Win32.Hupigon and a couple of programs targeting popular gaming accounts are downloaded to the user’s computer.
All of the statistics in this chapter are based upon on-access scanner data. In the third quarter of 2010, Kaspersky Lab solutions blocked over 235million attempts to infect KSN-connected computers.
The Top 5 behaviors according to OAS statistics
The distribution of malicious programs by behavior has not seen much change compared to the previous quarter. The activity of Worm.Win32.FlyStudio.cu, Worm.Win32.Mabezat.b, Worm.Win32.VBNA.b and Worm.Win32.Autoit.xl, which were mentioned in our earlier reports, put the worms in second position. Nothing dramatic occurred in the Trojan-Downloader camp either. The most popular programs in this category are written in Visual Basic and are detected as Trojan-Downloader.Win32.VB.eql.
Detection with the help of cloud technologies is worth mentioning. These technologies are used when neither a traditional nor a heuristic signature is contained within the IT security companies’ antivirus databases, but instead, the antivirus companies’ clouds do contain information about a malicious object. When this occurs, the detected object is named DangerousObject.Multi.Genric. In the third quarter of 2010, Trojan.Win32.FlyStudio.acr, Worm.Win32.AutoRun.bhxu, Trojan.Win32.VBKrypt.mm and Worm.Win32.Stuxnet.b, which are quite common malicious programs, were detected in this way and were named accordingly. During this period, the cloud provided protection to one in six KSN-connected users.
Events that occurred during the third quarter of 2010 suggest that we are on the threshold of a new era in the development of cybercrime. Our forecasts for last year which predicted malware would become more sophisticated proved to be correct.
The process of cyber-threat development has transcended many stages, the first of which was back in the nineties when hackers created viruses to garner recognition from their peers and a signature scanner was all that was required to combat these threats. The beginning of the second stage was marked by the appearance of new malware distribution technologies – via email and the Internet. This was a catalyst for subsequent changes in protection technologies – the response time of antivirus products became critical in the era of mass infections. This was also the time when virus writers turned to cybercrime. They became motivated by money and ordinary vandalism was replaced by data theft, blackmail and extortion – Internet users became a prime source of income for these emergent cybercriminals. This cybercriminal period saw the appearance of a vast number of sophisticated threats designed to steal financial information and virtual property.
What we see today is yet another new stage in the creation of viruses. We are in a period of transition from cybercrime to cyber-espionage and ultimately, to cyber-terrorism. The idea of mass infection as happened with the Klez, Medoom, Sasser, Kido and other worms is being replaced by highly specific, targeted attacks. The technologies behind such targeted attacks, whether sophisticated malware or social engineering techniques, could be described as the fabled silver bullet, allowing malware to bypass several layers of protection and hit just the one very important target. It is not just the concept that has changed, but the levels of the technologies employed are considerably higher too.
Targeted attacks are very hard to detect and classify. The most important factors in combating these types of attack are the level of user-awareness and the expertise of the IT security companies’ staff. A user should understand the necessity of antivirus protection, even if it does impact processing speeds slightly, otherwise all attempts to build an effective line of defense against targeted attacks are doomed to failure. Another important factor is the development of proactive technologies by IT security system vendors.
Stuxnet was not created for credential and document theft. It was designed specifically to gain control of critical industrial systems. This type of malware can only be developed by highly skilled and well-paid professionals. Acquiring the intellectual property of large corporations can be a very attractive prospect for real-world criminals and they will put up whatever money and resources are necessary in order to and finance and execute such virtual attacks.
We expect to see a rise in the amount of virus incidents caused by signed malware in the near future, and the increase in the share of 64-bit platforms will lead to gradual changes in rootkit technologies, until soon, most virus writers will be focusing on creating bootkits.