Our analysis, “TDL4 – Top Bot” by Sergey Golovanov and Igor Soumenkov, has rightly been getting a lot of attention. It’s an excellent analytical article which uncovers a very sophisticated and complex malware TDL-4 which is the latest version of TDSS.
Some commentators and other security researchers however, focusing on our use of the word “indestructible” in the article, seem to think that we believe the malware is indestructible. This is clearly not the case – that’s why we put the word in inverted commas. In fact, our own TDSS Killer can remove the malware.
The key line from the article is, “The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.”
It is the botnet which the owners want to bullet proof. To help achieve this TDL-4 uses its own encryption algorithm for communication between infected computers within the botnet:
“The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.”
On top of this, it uses a publicly accessible file exchange network, the KAD network for peer to peer communications between infected computers. In this way even if the command and control servers are shut down the owners of the botnet will still be in control of the botnet.
Hopefully this has cleared up any misunderstandings relating to the article.
The US Senate and the International Monetary Fund (IMF) are just the latest in a growing line of high profile companies that have been subjected to a targeted cyberattack. Sony made unwelcome headline news when it had to shut down its PlayStation network after hackers were able to steal customer information, including addresses, dates of birth, etc. In that case over 70 million people’s details were exposed. Other examples include Citibank, where personal information was stolen also; and Google, who disclosed that some Gmail accounts had been compromised. How many of us keep usernames and passwords for different sites such as online banking and shopping in our Gmail or Hotmail accounts?
Going back 10 years and more we saw malware like the, “I love you,” Netsky and Bagel grabbing the headlines. The motives behind those threats though were very different. It was more akin to graffiti, wanting to infect as many people as they could and become infamous too.
The recent attacks demonstrate that the bad guys are not interested in an ”infect all” strategy any more, but rather using more targeted methods. They do not just go after financial information like bank logins or credit card details; they’re in fact collecting everything they can get hold of. As we predicted at the beginning of the year, we are now in an age of "steal everything”.
It's obvious what the criminals will do with stolen credit card details, but what about my date of birth, my address or even my hobbies? Well one thing they can do is what we call spear phishing; and this seems to be how the IMF was compromised in the first place.
This form of attack is where an individual or organisation is singled out, usually via email. Now most of us receive lots of spam emails and we simply delete them. But what if you get an email that purports to be from your bank/credit card company and to prove it they put the last 4 digits of your credit card number and your date of birth? This looks much more credible and we are more likely to click on any links in the email. Such a link may contain malware. This in turn would also be finely tuned to the target's operating system and applications that run on it. They could get information of this kind by trawling social networks for titbits of information and/or even calling staff at the organisation. By creating a specific piece of malware just to target one organisation, it stays under the radar of security companies and law enforcement agencies. In the case of the IMF it looks like it may have been there unnoticed for several months!
So what do we need to learn from these targeted attacks? First, if we are seeing more high profile attacks you can bet that there are a greater number of low profile attacks that don’t make the headlines. Small organisations do not expect to be targeted and are also less likely to have elaborate IT security defences in place.
Second, technical solutions can never be enough. Education must play a key part too. Staff awareness is essential in any modern organisation. We need to foster a culture of security awareness so that people know what kinds of social engineering tricks are commonly used. By doing this we are more likely to get buy-in from staff for what we are trying to achieve. So, for example, when they get a reminder to change their password and for it to be a specific length and complexity, they will understand the importance of following the advice, instead of just ignoring it.