
Kaseya Connect 2012 – A Kaspersky Researcher Perspective



2012 – A Kaspersky Researcher Perspective - A Survey of 2011 Malware Activity and Looking Forward into 2012
Presented by: Kurt Baumgartner

Published in: Technology
Slide notes
  • Note that most 2011 topics easily could have been avoided
  • Slide #8, duration: 10 sec. This was general information. Now, a few practical examples. The first is the Zbot outbreak: root cause, risk to the business, suggestions.
  • Transcript

    • 1. 2012 – A Kaspersky Researcher Perspective
      A Survey of 2011 Malware Activity and Looking Forward into 2012
      Kurt Baumgartner, Senior Security Researcher, Global Research and Analysis
    • 2. An Explosive 2011 and Expecting 2012
      A Discussion
      • 2011 - A Perfectly Horrid Infosec Backdrop
        • Hacktivism – Lulzsec and the Anonymous Brands
        • Kido/Conficker and Sality Live On
        • Targeted Attacks and the APT
        • Mobile Malware Ascendency
        • Flashfake – An OS X Botnet Grows
        • Blackhole Sucks in Victims and the Phoenix Re-arises
      • 2012 - Your Customers’ Heartburn
        • Q1 – Root/Bootkits (Zaccess, Tdss, Pihar), New Infector
        • Blackhole, Fakeav, Zbot, ZeroAccess (+variants)
        • Targeted Attacks and the APT
        • BYOD – Mobile Exploitation and Spyware
        • Dark and Stormy
    • 3. 2011 - A Perfectly Horrid Infosec Backdrop
    • 4. Hacktivism 2011
      Branded Breakins
      • Major Intrusion Incidents and DoS Events, most preventable
        • Sony and the Cloud – 101,000,000
        • Stratfor
        • HBGary Federal
        • ManTech
        • InfraGard Local Chapters
        • Certificate Authorities (?) – Comodogate and Diginotar
      • Webapp SQLi, weak passwords, configuration mistakes
      • Policy, process, and training
    • 5. Top Local Infectors 2011
      KSN Top Infection Stats - Autorun Spreaders and File Infectors
      • Kido/Conficker 2011
        • ~17% of all unique locally attacked/infected systems reporting (Net-Worm.Win32.Kido.ih+ir)
      • Sality 2011
        • ~16% of all unique locally attacked/infected systems reporting (Virus.Win32.Sality.aa+bh+ag)
      • Close to 80% of WAV detections are heuristic or “cloud based”
    • 6. 2011 Targeted Attacks and the APT
      Successful Attacks Made Headline News Throughout the Year
      • Targeted Attack Incidents Made Big Headlines
        • The APT, Reconnaissance, Spearphish and Intrusions, Backdoors and Exfiltration Operations
        • What’s new here? Varying levels of nation-state support targeting non-mil organizations (your customers) over multi-year project timeframes
        • Headline News… RSA, ManTech, Northrop Grumman, at least eighty “unnamed” law firms, Tibetan and Uyghur NGOs, any and all google-able CN political groups outside the mainland, human rights orgs like Amnesty International, various government websites, Mitsubishi Heavy Industries… the list goes on
    • 7. Mobile Malware Ascendency
      Android Android Android
      • Wild growth of Android itself (15 million tablets, 60 million phones Q4)
      • Our virlib approaches 2,000 Android trojans (end of 2011)
      • Offensive Security Research and Weaponized Exploits
      • The Mod Community
      • Android Spyware
    • 8. Growing an OS X Botnet
      Flashfake Spreads via Apple’s Slowly Updated Java Client
      • Flashfake – 700,000 node OS X botnet
      • No viruses for Apple? Think differently about that.
    • 9. Blackhole Sucks in Victims and the Phoenix Re-arises
      Commodity Exploit Packs and MaaS
      • Exploit Packs and Web-Delivered Mass Exploitation
        • Blackhole Exploit Pack, Eleonore, Phoenix
        • Unpatched, vulnerable, browser-accessible software – Java, Adobe Reader and Flash, XML Parsers, QuickTime, Browser Vulns
        • ZeroAccess (+variants), Zeus+SpyEye, FakeAv
    • 10. Enabling Their Adversaries
      Enabling “Easily” Preventable Effective Attack Activity 2011
      • Weak Passwords (Morto)
      • Improper Resource Configuration
        • Unnecessary share access, unlimited access control, autorun
        • Flawed web apps == SQLi
      • Missing Software Patches and Security Updates
        • Microsoft (Windows, IE, Office) and third party software – Java, Adobe (Reader+Flash) == Exploit packs/commodity attacks and spearphishing
      • Partially Protected Environments
        • Missing security suites, mix of products, sometimes improperly installed on top of each other
      • No Incident Response Plan, no Public Response Plan!
    • 11. Design Mistakes 2011
      Enabling Effective Malware Attacks
      [Pie chart, slice values not recoverable from the transcript. Categories: network share configuration, missing security patches, multiple AV products, partially protected environment, firmware vulnerability, freeware.]
      Source: Kaspersky Lab GERT – Global Emergency Response Team, Alexey Polyakov
    • 12. 2012 – What Will Keep Them Up At Night
    • 13. 2012 – Keeping Your Customers Up at Night
      Heartburn Overview
      • Q1 KSN Stats – Rootkits/Bootkits (Zaccess, Tdss, Pihar), Nimnul joins Kido and Sality, MOAR Mass Exploitation (Blackhole, Phoenix)
      • Mass Targeted Attacks
      • BYOD – Mobile Exploitation and Spyware
      • Dark and Stormy
    • 14. 2012 Q1 US KSN Statistics
      Starting off the year somewhat expectedly
    • 15. 2012 Q1 US – Detection Numbers
      Mass Web Based Exploitation and Local Infections
      • Different from our global statistics
      • Every month of Q1 2012, the generic, heuristic and cloud based webav detections far outweigh local detections. This is good, in a way.
      • Local detections Q1 2012 (US only). Spyware, root/bootkits, by month:
          Jan        Feb         March       April
          Zbot       Win64.Tdss  Win64.Tdss  Zbot
          Zaccess    Pihar       Pihar       Win64.Tdss
          Kido       Kido        Kido        Pihar
          FakeAv     Sality      Sality      Kido
          Tepfer     Sinowal     Sinowal     Zaccess
    • 16. 2012 Q1 US – Starting Off Somewhat Expectedly
      Mass Exploitation/Infections
      • Nimnul/Ramnit joins Kido and Sality on list of massively prevalent infectors – may stay to replace Qbot over 2011
      • Bootkits (Tdss, Pihar, Sinowal), Rootkits (Zeroaccess/Maxx++/Click2)
      • Blackhole and Phoenix mods
      • FakeAv
    • 17. 2012 Q1 US – Starting Off Somewhat Expectedly
      Mass Exploitation/Infections
      • Nimnul/Ramnit joins Kido and Sality on list of massively prevalent infectors – may stay to replace Qbot over 2011
      • Distributed as gamehacks/cheats, utility/application crackz over filesharing sites like MediaFire and Ziddu, many others
    • 18. MOAR Mass Exploitation
      Blackhole, Fakeav, Zbot, ZeroAccess (+variants)
      • Active development, additions for Java, Flash, Reader, HCP exploitation
      • How victims are redirected to Blackhole web sites: vulnerable Wordpress pages, major web service malvertizements/banner ads
      • Java exploits have become de facto primary module
      • Maturing market for 0day, half day, and packs – Blackhole, Phoenix, Bleeding Life, Eleonore, Bomba, Nice Pack, etc
      • ROP techniques, EMET evasion development
      • Classic and custom shellcode releases
      • International law differences and forums continue to provide necessary space and communications. Bitcoin need? Nah ah. Webmoney, Liberty Reserve, etc
    • 19. ZeroAccess/Max++/Click2 Attacks in the US
      Multi-component malware
      • Distribution increasing in the US
      • Multiple rootkit components at sensitive low level insertions, system driver infection, dynamic kernel module loading, encrypted “file system” storage within system – no viral or worming components
      • Crypted P2P traffic in more recent variants
      • Exploit pack delivery, P2P network serialz/crackz delivery. Also *very* popular, phony codecs and raunchy spoofed video titles
      • Detection tools like gmer make for quick id of the problem (although “Technical Details” pages on some AV vendors are outdated)
      • Mostly all “bundles” include click fraud component, claims of additional stealers being downloaded that I haven’t seen
    • 20. Zbot – Two Factor Auth, Corp Defenses Defeated
      Updated, customized spyware incidents
      • Spammed email containing typical IRS, DHL, UPS, etc, themes and attachment
      • Zbot hooks necessary in-process (mostly web browser) functions, steals data from encrypted banking sessions
      • Customized scripts downloaded, targeting specific banks
      • Money wired to overseas banks in select regions
      • Incident contributors? AV was not updated, portions of it disabled (easily preventable)
    • 21. Corporate Spyware in 2012
      Absolutely
      • Not just Zeus: Spyeye, Carberp, Nimnul/Ramnit, ZeroAccess payloads?, Spitmo/Zitmo
      • Similar or same delivery schemes may be less effective into late 2012
        • Spoofing spams or TA bait – BBB, IRS, DHL, Facebook, meeting requests
        • Crack and keygen sites + redirects to compromised legitimate sites
        • 2012 changes – spam volumes supplemented with focused browser delivery, IM/FB messaging
    • 22. Targeted Attacks and the APT
      Social Engineering
      Time and People Flush - Just Enough Technology to Get the Job Done
      Array of Exfiltration Tools and Techniques
    • 23. Targeted Attacks - The RSA Security Hack
      Overview - how did this happen?
    • 24. Targeted Attacks – Harpooning a Whale
      Customization to better hit targets - Spearphishing with better chum
      $91 million message (Q1 profit margin difference estimate + Q2 earnings call)
    • 25. Targeted Attacks – Harpooning a Whale
      Offensive Security Research Investment - Poison Ivy was a Kid’s Hobby
      • Poison Ivy RAT sprouted in the media throughout 2011
      • Why Poison Ivy? What are its origins?
      • ChaseNET “forums” founded by previous Evil Eye Software Th3ChaS3r. Members included ksv, shapeless, Heike, Digerati (busted in Operation Bot Roast II because of mistaken C2 config file update)…
      • “ShapeLeSS” joined ChaseNET as an 18 year old Swedish kid in late October 2005, coded Poison Ivy. “Codius” assumes the project years later, continues to distribute it for free
      • Stable, available, and free builder, crypters, and SDK
      • Quantifiable, reliable, low/no investment tool
      • Defenders playing catchup(!)
    • 26. Targeted Attacks – Harpooning a Whale
      Poison Ivy was a Kid’s Hobby
    • 27. Targeted Attacks – Harpooning a Whale
      Currently, data exfiltration on the cheap
      • Post-exploitation, Poison Ivy and other tools to establish foothold
      • Download other free/open source tools to impersonate users, elevate privileges, collect data from network, lateral network movement
      • Encode, archive collected data
      • Check in with series of C2 for activity commands – Facebook, Google Code, Image Files (jpg, gif, etc)
      • FTP PUT / HTTP POST encoded data over proxied connections to drop servers controlled via RDP and VNC
    • 28. The Apple of the APT’s Eye
      OS X and the APT
      • Multiple Targeted Attacks and OS X-based Exploits
        • More NGO attacks from the APT – Tibetan and Uyghur groups as frequent targets, usually on Wintel platform
        • Backdoor.OSX.Sabpub, Backdoor.OSX.MaControl, etc
        • Sabpub efforts are currently active, more ongoing…
    • 29. Targeted Attacks in 2012?
      Absolutely. Without a Doubt
      • 0day or known exploits - just enough to get the job done? More than PIvy?
      • Repeated wintel spearphish tactics eventually become less effective. Supplemented with possibly IM and focused browser based attacks. 2012 target systems also run OS X, Linux, Android
      • Increased 2012 offsec investment and activity
    • 30. BYOD and Consumerization
      The corporate network just walked out the door
    • 31. BYOD 2012
      Defense set aside for convenience
      • IE6 and clunky WinXP SP2 workstations begin to disappear. Other trees produce lower hanging fruit
      • More data copied to more mobile devices than ever before (over 300 million Android activated as of Feb 2012) – policies. iPhones at around 250-300 million sold (“activated”?)
      • Where will this “fruit” hang for corp mobile users?
      • Exploitation with different purposes than “mods” begins in 2012
      • Most likely Android, limited iPhone/iPad incidents
      • Data exfiltration from the platform begins in 2012
      • The new dumpster triple pike - outright device theft
    • 32. Dark and Stormy
      Trouble behind and trouble ahead
    • 33. Cloud Security 2012
      Dark and Stormy
      • 2011 Dropbox pushed configuration mistake to production, no password required to access 25 million user accounts’ storage
      • Sony’s cloud services breach, early 2011 - 101 million user accounts
      • More VMWare source code dumped in 2012
        • Is underlying VMWare cloud infrastructure at risk? Is the related breach known or will focus on a potential set of major incidents fade away?
      • Recent public VMWare Exploit PoC release - six step VMware High-Bandwidth Backdoor ROM Overwrite EoP, Derek Soeder (CVE-2012-1515)
      • Xen VM exploitation released at Defcon, nothing reported ItW to-date
      • 2012 - economic, scalable vision of “the cloud” may look past the cold security lessons of past, remote, complex systems
      • VM-aware malware - now with added functionality for different purposes
    • 34. Thank You
      Questions, comments?
      Kurt Baumgartner, Senior Security Researcher, Global Research and Analysis
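Slide 27 above describes the exfiltration end of a targeted attack: collected data is encoded and archived, then pushed by FTP PUT or HTTP POST through the victim's proxied connections to drop servers. The Python example below is added here and is not part of the deck or of any Kaspersky tool; it shows one defensive use of that observation, a heuristic over outbound proxy logs that flags clients uploading large volumes to hosts that almost nobody else in the organisation contacts. The log format (a simplified squid-style line) and every address and byte count are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic), one request per line:
# <epoch> <client-ip> <method> <url> <status> <bytes-sent-by-client>
# The format is an assumption modelled on a simplified squid access log.
SAMPLE_LOG = """\
1333000001 10.0.1.15 GET http://www.example-news.test/index.html 200 512
1333000002 10.0.1.15 POST http://www.example-mail.test/send 200 2048
1333000003 10.0.1.22 GET http://www.example-news.test/article 200 380
1333000010 10.0.1.15 POST http://203.0.113.7/up.php 200 1048576
1333000011 10.0.1.15 POST http://203.0.113.7/up.php 200 1048576
1333000012 10.0.1.15 POST http://203.0.113.7/up.php 200 1048576
1333000013 10.0.1.22 POST http://www.example-mail.test/send 200 3100
1333000020 10.0.1.40 PUT ftp://203.0.113.9/x.rar 200 5242880
"""

LINE_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\d+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/]+)")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, nbytes = m.groups()
    return {"ts": int(ts), "client": client, "method": method,
            "url": url, "status": int(status), "bytes": int(nbytes)}


def host_of(url):
    """Return the authority (host[:port]) part of a URL; fall back to the raw string."""
    m = HOST_RE.match(url)
    return m.group(1) if m else url


def find_exfil_candidates(log_text, min_bytes=1_000_000, max_clients=2):
    """Flag (client, host, bytes_uploaded) triples whose POST/PUT volume reaches
    min_bytes to a host that at most max_clients distinct clients ever talk to.
    Popular services (mail, file sharing) are noisy for a pure volume check, so
    rarity of the destination is the second condition; rarely contacted drop
    servers receiving large uploads are what the heuristic is meant to surface."""
    uploaded = defaultdict(int)
    clients_per_host = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_of(rec["url"])
        clients_per_host[host].add(rec["client"])
        if rec["method"] in ("POST", "PUT"):
            uploaded[(rec["client"], host)] += rec["bytes"]
    return sorted(
        (client, host, total)
        for (client, host), total in uploaded.items()
        if total >= min_bytes and len(clients_per_host[host]) <= max_clients
    )


if __name__ == "__main__":
    for client, host, total in find_exfil_candidates(SAMPLE_LOG):
        print(f"{client} uploaded {total} bytes to rarely-contacted host {host}")
```

On the constructed log the two flagged pairs are the repeated POSTs from 10.0.1.15 to 203.0.113.7 and the single large FTP PUT from 10.0.1.40; the mail service, which both clients use but with small bodies, is not reported. In practice the thresholds need tuning to the site's baseline, and a hit is a triage lead (check the destination's reputation and the client's recent process activity), not a verdict.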