Why we are getting better at catching nation-state sponsored malware
Aleks Gostev & Vitaly Kamluk
GReAT, Kaspersky Lab
612 views
Published in: Technology
Slide 1: Why we are getting better at catching nation-state sponsored malware
Aleks Gostev & Vitaly Kamluk, GReAT, Kaspersky Lab

Slide 2: Daily news...

Slide 3: Daily news...

Slide 4: Kaspersky Lab’s published research

Slide 5: “Yet another APT”
● Since 2009, the number of APT campaign exposures has increased considerably
● Different companies focus on different things - eg, China
● Focusing on one thing makes you blind to the full picture or creates a distorted view of the real world situation
● This is the “safe” path

Slide 6: Adversary statistics (© 2013 Crowdstrike)

Slide 7: At Kaspersky we took the “unsafe” path of analysing and detecting all APTs, no matter the origin. This includes: Duqu, Stuxnet, Flame, Regin or Equation, but also MiniDuke, Turla, BE2, CosmicDuke and CozyDuke.

Slide 8: Side by side - Kaspersky Research
“Western APTs”
● Stuxnet
● Duqu
● Careto
● Flame
● Gauss
● Regin
● Equation
“Russian-speaking APTs”
● BlackEnergy 2/3
● RedOctober
● TeamSpy
● Miniduke
● CosmicDuke
● Epic Turla
● CozyDuke

Slide 9: The 1000 question: Why is nation state malware so interesting?

Slide 10: Today’s hosts
Vitaly (ex-Kaspersky Lab)
Aleks (Kaspersky Lab)

Slide 11: Vitaly
● First of all: we are the best
● We have 0-days
● We have fiber taps
● Best programmers in the free world
● Smartest mathematicians and cryptographers
● Unlimited (ahem) budget
● And the best thing: it’s all legal :-)

Slide 12: Aleks
● Our budget is limited
● Good researchers are hard to find
● But!
● Our technologies are getting better - the cloud has opened new doors to catch your stuff
● We understand that we know very little
● Simple goal: protect our users

Slide 13: Side by side - Arguments

Slide 14: 0-days
Vitaly
● An unlimited supply of 0-days that will pwn even the best defences
● Microsoft, Adobe, Oracle, your_favorite_vendor - we have a 0-day for it
● Kernel exploits
● We just need to be successful once
Aleks
● Finding your 0-days is our favorite activity!
● We actively hunt for them
● The more 0-days you use, the more likely we are to catch you
● We need to be successful every time

Slide 15: Crypto
Vitaly
● We pwn most crypto
● We sign our malware as Microsoft or even your certs :-)
● We sabotage crypto so we can crack it faster
● We only use the best algorithms in our malware; the rest is for the masses
Aleks
● When you sign your malware as Microsoft, you subvert major trust principles; this will backfire
● MitM against Windows updates? Baaad...
● Elite crypto gives away your malware
● RC6? Use Camellia :)
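Aleks’s point that an “elite” cipher is itself a fingerprint can be checked mechanically. The scanner below is an added example, not code from the slides or from Kaspersky: it looks for the RC5/RC6 key-schedule constants P32 = 0xB7E15163 and Q32 = 0x9E3779B9 in a binary blob, in both byte orders, and for a run of words stepping by Q32 (a pre-expanded seed table); the sample bytes are constructed.

```python
import struct

P32 = 0xB7E15163   # RC5/RC6 magic constant P (derived from e)
Q32 = 0x9E3779B9   # RC5/RC6 magic constant Q (derived from the golden ratio)
MASK = 0xFFFFFFFF

def rc6_key_table(rounds=20):
    """Seed table of the RC6 key schedule: S[0]=P32, S[i]=S[i-1]+Q32 mod 2^32, 2r+4 words."""
    table = [P32]
    for _ in range(2 * rounds + 3):
        table.append((table[-1] + Q32) & MASK)
    return table

def _find_all(blob, pattern):
    """Yield every (possibly overlapping) offset of pattern in blob."""
    start = 0
    while (idx := blob.find(pattern, start)) != -1:
        yield idx
        start = idx + 1

def _table_run(blob, off, endian):
    """Count consecutive 32-bit words starting at off that each step by Q32."""
    run = 1
    while off + 4 * (run + 1) <= len(blob):
        prev, nxt = struct.unpack_from(endian + "II", blob, off + 4 * (run - 1))
        if (prev + Q32) & MASK != nxt:
            break
        run += 1
    return run

def find_rc6_constants(blob):
    """Return (kind, offset, endian) for each constant literal or seed-table run found."""
    hits = []
    for endian in ("<", ">"):
        for kind, val in (("P32", P32), ("Q32", Q32)):
            for off in _find_all(blob, struct.pack(endian + "I", val)):
                hits.append((kind, off, endian))
                if kind == "P32":
                    run = _table_run(blob, off, endian)
                    if run >= 4:  # four words stepping by Q32 is not a coincidence
                        hits.append((f"S-table[{run}]", off, endian))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample (not a real binary): filler, an 8-word little-endian
# seed table, then a big-endian Q32 literal as a compiler might emit in code.
SAMPLE = (b"\x00" * 16
          + b"".join(struct.pack("<I", w) for w in rc6_key_table()[:8])
          + b"MZ" + struct.pack(">I", Q32) + b"\xff" * 8)
```

Calling find_rc6_constants(SAMPLE) reports the P32 literal, the 8-word table behind it and the lone Q32; Camellia’s fixed sigma constants give the same kind of tell, which is the joke in the last bullet.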
Slide 16: Sophisticated, invisible malware
Vitaly
● Our malware is the best – cybercrime malware is laughable compared to ours
● Our rootkits prevent anyone from detecting our malware
● We hide where you least expect us! – Registry, VFSes, raw disks… even firmware ;)
Aleks
● The more you hide, the more likely you’ll trigger an alarm
● Anti-rootkit technology
● VFS detection and parsing
● Raw disk detection
● That firmware thing was surprising, OK
● Still working on it :)

Slide 17: There is no defense
Vitaly
● In practice, you can’t defend against our attacks
● If we can’t hit you directly, we’ll hack your ISP
● If your ISP is not enough, we’ll hack your country
● If that’s not enough, we’ll put a satellite behind every telecom satellite
Aleks
● Let’s not forget the goal
● People very easily get dragged into “hack everything” traps
● “Hey, I have an idea...”
● Target protects themselves with antivirus ‘x’, or target uses Windows updates?
● Please do not subvert the trust people have in the IT Security industry or software (Microsoft Windows) updates
● The Flame MD5 attack was bad... :-(

Slide 18: The victims
Vitaly
● Our universal malware can be used to infect everyone: Belgacom, Quisquater, Merkel’s aide and terrorists altogether
● We have a unique, modular platform for use against everyone
● “Make once, use many”
Aleks
● Find once, find all
● Makes it easier to catch everything
● Worst: doesn’t give me any options
● Friendly advice: don’t use the same malware on Merkel’s aide and terrorists, it’s bad

Slide 19: Steal everything
Vitaly
● We collect everything
● We extract metadata from all your documents
● Our malware makes screenshots, captures keyboard, audio and all your internet traffic
● Honestly speaking, we don’t need all this but it’s fun to collect :-)
Aleks
● The more active your malware is, the more likely we’ll catch it
● Anti-keylogger tech
● Exfiltration is always a weak point
● Effectively, the more you collect the higher the chance we’ll catch you
● The media loves numbers :)

Slide 20: Interesting malware
Vitaly
● We like quality stuff
● Our code is the best
● We make no mistakes - most of the time :)
● We use only the best crypto
● We use compression
● We use kernel mode orchestrators
● Our malware never crashes - most of the time :)
Aleks
● We are geeks
● We like to reverse engineer Chinese PlugX samples 5 days a week – NOT!
● We want to reverse the best kernel mode code
● We like to find mistakes :-)
● When you crash, you raise alarms
● QA could be better... :)

Slide 21: Takeaways!
● Sophistication attracts attention
● Hiding attracts attention
● Merkel’s aide attracts attention
● 0-days attract attention
● Crashes attract attention
● Mass infections attract attention
● Attacks against ITSec products attract the most attention - bad, bad, bad!
● We are just doing our jobs... :)

Slide 22: Let’s vote?
● The spooks are winning, no chance anti-malware companies can keep up with our elite malware!
● ITSec companies are winning, the situation is kind of bad for spooks nowadays.

Slide 23: Thanks!
Spies’ curse: “May we read about you in Kaspersky Lab’s research!”