1. 2012 – A Kaspersky Researcher Perspective
A Survey of 2011 Malware Activity and Looking Forward into 2012
Kurt Baumgartner, Senior Security Researcher
Global Research and Analysis Team
kurt.baumgartner@kaspersky.com
2. An Explosive 2011 and Expecting 2012
A Discussion
• 2011 - A Perfectly Horrid Infosec Backdrop
• Hacktivism – Lulzsec and the Anonymous Brands
• Kido/Conficker and Sality Live On
• Targeted Attacks and the APT
• Mobile Malware Ascendency
• Flashfake – An OS X Botnet Grows
• Blackhole Sucks in Victims and the Phoenix Re-arises
• 2012 - Your Customers’ Heartburn
• Q1 – Root/Bootkits (Zaccess, Tdss, Pihar), New Infector
• Blackhole, Fakeav, Zbot, ZeroAccess(+variants)
• Targeted Attacks and the APT
• BYOD – Mobile Exploitation and Spyware
• Dark and Stormy
4. Hacktivism 2011
Branded Breakins
• Major Intrusion Incidents and DoS Events, most preventable
• Sony and the Cloud – 101,000,000
• Stratfor
• HBGary Federal
• ManTech
• InfraGard Local Chapters
• Certificate Authorities (?) – Comodogate and Diginotar
• Webapp SQLi, weak passwords, configuration mistakes
• Policy, process, and training
5. Top Local Infectors 2011
KSN Top Infection Stats - Autorun Spreaders and File Infectors
• Kido/Conficker 2011
• ~17% of all unique locally attacked/infected systems reporting (Net-Worm.Win32.Kido.ih+ir)
• Sality 2011
• ~16% of all unique locally attacked/infected systems reporting (Virus.Win32.Sality.aa+bh+ag)
• Close to 80% of WAV detections are heuristic or “cloud based”
6. 2011 Targeted Attacks and the APT
Successful Attacks Made Headline News Throughout the Year
• Targeted Attack Incidents Made Big Headlines
• The APT, Reconnaissance, Spearphish and Intrusions, Backdoors and Exfiltration Operations
• What’s new here? Varying levels of nation-state support targeting non-mil organizations (your customers) over multi-year project timeframes
• Headline News…
RSA, ManTech, Northrop Grumman, at least eighty “unnamed” law firms, Tibetan and Uyghur NGOs, any and all google-able CN political groups outside the mainland, human rights orgs like Amnesty International, various government websites, Mitsubishi Heavy Industries…the list goes on
7. Mobile Malware Ascendency
Android Android Android
• Wild growth of Android itself (15 million tablets, 60 million phones Q4)
• Our virlib approaches 2,000 Android trojans (end of 2011)
• Offensive Security Research and Weaponized Exploits
• The Mod Community
• Android Spyware
8. Growing an OS X Botnet
Flashfake Spreads via Apple’s Slowly Updated Java Client
• Flashfake – 700,000 node OS X botnet
• No viruses for Apple? Think differently about that.
9. Blackhole Sucks in Victims and the Phoenix Re-arises
Commodity Exploit Packs and MaaS
• Exploit Packs and Web-Delivered Mass Exploitation
• Blackhole Exploit Pack, Eleonore, Phoenix
• Unpatched, vulnerable, browser-accessible software – Java, Adobe Reader and Flash, XML Parsers, QuickTime, Browser Vulns
• ZeroAccess (+variants), Zeus+SpyEye, FakeAv
10. Enabling Their Adversaries
Enabling “Easily” Preventable Effective Attack Activity 2011
• Weak Passwords (Morto)
• Improper Resource Configuration
• Unnecessary share access, unlimited access control, autorun
• Flawed web apps == SQLi
• Missing Software Patches and Security Updates
• Microsoft (Windows, IE, Office) and third party software – Java, Adobe (Reader+Flash) == Exploit packs/commodity attacks and spearphishing
• Partially Protected Environments
• Missing security suites, mix of products, sometimes improperly installed on top of each other
• No Incident Response Plan, no Public Response Plan!
13. 2012 – Keeping Your Customers Up at Night
Heartburn Overview
• Q1 KSN Stats – Rootkits/Bootkits (Zaccess, Tdss, Pihar), Nimnul joins Kido and Sality, MOAR Mass Exploitation (Blackhole, Phoenix)
• Mass Targeted Attacks
• BYOD – Mobile Exploitation and Spyware
• Dark and Stormy
14. 2012 Q1 US KSN Statistics
Starting off the year somewhat expectedly
15. 2012 Q1 US – Detection Numbers
Mass Web Based Exploitation and Local Infections
• Different from our global statistics
• Every month of Q1 2012, the generic, heuristic and cloud based webav detections far outweigh local detections. This is good, in a way.
• Local detections Q1 2012 (US Only). Spyware, root/bootkits, top five per month:
  Jan         Feb         March       April
  Zbot        Win64.Tdss  Win64.Tdss  Zbot
  Zaccess     Pihar       Pihar       Win64.Tdss
  Kido        Kido        Kido        Pihar
  FakeAv      Sality      Sality      Kido
  Tepfer      Sinowal     Sinowal     Zaccess
16. 2012 Q1 US – Starting Off Somewhat Expectedly
Mass Exploitation/Infections
• Nimnul/Ramnit joins Kido and Sality on list of massively prevalent infectors – may stay to replace Qbot over 2011
• Bootkits (Tdss, Pihar, Sinowal), Rootkits (Zeroaccess/Maxx++/Click2)
• Blackhole and Phoenix mods
• FakeAv
17. 2012 Q1 US – Starting Off Somewhat Expectedly
Mass Exploitation/Infections
• Nimnul/Ramnit joins Kido and Sality on list of massively prevalent infectors – may stay to replace Qbot over 2011
• Distributed as gamehacks/cheats, utility/application crackz over filesharing sites like MediaFire and Ziddu, many others
18. MOAR Mass Exploitation
Blackhole, Fakeav, Zbot, ZeroAccess(+variants)
• Active development, additions for Java, Flash, Reader, HCP exploitation
• How victims are redirected to Blackhole web sites: vulnerable Wordpress pages, major web service malvertizements/banner ads
• Java exploits have become de facto primary module
• Maturing market for 0day, half day, and packs – Blackhole, Phoenix, Bleeding Life, Eleonore, Bomba, Nice Pack, etc
• ROP techniques, EMET evasion development
• Classic and custom shellcode releases
• International law differences and forums continue to provide necessary space and communications. Bitcoin need? Nah ah. Webmoney, Liberty Reserve, etc
19. ZeroAccess/Max++/Click2 Attacks in the US
Multi-component malware
• Distribution increasing in the US
• Multiple rootkit components at sensitive low level insertions, system driver infection, dynamic kernel module loading, encrypted “file system” storage within system – no viral or worming components
• Crypted P2P traffic in more recent variants
• Exploit pack delivery, P2P network serialz/crackz delivery. Also *very* popular, phony codecs and raunchy spoofed video titles
• Detection tools like gmer make for quick id of the problem (although “Technical Details” pages on some AV vendors are outdated)
• Mostly all “bundles” include click fraud component, claims of additional stealers being downloaded that I haven’t seen
20. Zbot – Two Factor Auth, Corp Defenses Defeated
Updated, customized spyware incidents
• Spammed email containing typical IRS, DHL, UPS, etc, themes and attachment
• Zbot hooks necessary in-process (mostly web browser) functions, steals data from encrypted banking sessions
• Customized scripts downloaded, targeting specific banks
• Money wired to overseas banks in select regions
• Incident contributors? AV was not updated, portions of it disabled (easily preventable)
21. Corporate Spyware in 2012
Absolutely
• Not just Zeus:
Spyeye, Carberp, Nimnul/Ramnit, ZeroAccess payloads?, Spitmo/Zitmo
• Similar or same delivery schemes may be less effective into late 2012
• Spoofing spams or TA bait – BBB, IRS, DHL, Facebook, meeting requests
• Crack and keygen sites+redirects to compromised legitimate sites
• 2012 changes – spam volumes supplemented with focused browser delivery, IM/FB messaging
22. Targeted Attacks and the APT
Social Engineering
Time and People Flush - Just Enough Technology to Get the Job Done
Array of Exfiltration Tools and Techniques
23. Targeted Attacks - The RSA Security Hack
Overview - how did this happen?
24. Targeted Attacks – Harpooning a Whale
Customization to better hit targets - Spearphishing with better chum
$91 million message
(Q1 profit margin difference estimate + Q2 earnings call)
25. Targeted Attacks – Harpooning a Whale
Offensive Security Research Investment - Poison Ivy was a Kid’s Hobby
• Poison Ivy RAT sprouted in the media throughout 2011
• Why Poison Ivy? What are its origins?
• ChaseNET “forums” founded by previous Evil Eye Software Th3ChaS3r. Members included ksv, shapeless, Heike, Digerati (busted in Operation Bot Roast II because of mistaken C2 config file update)…
• “ShapeLeSS” joined ChaseNET as 18 year old Swedish kid in late October 2005, coded Poison Ivy. “Codius” assumes the project years later, continues to distribute it for free
• Stable, available, and free builder, crypters, and SDK
• Quantifiable, reliable, low/no investment tool
• Defenders playing catchup(!)
27. Targeted Attacks – Harpooning a Whale
Currently, data exfiltration on the cheap
• Post-exploitation, Poison Ivy and other tools to establish foothold
• Download other free/open source tools to impersonate users, elevate privileges, collect data from network, lateral network movement
• Encode, archive collected data
• Check in with series of C2 for activity commands – Facebook, Google Code, Image Files (jpg, gif, etc)
• FTP PUT / HTTP POST encoded data over proxied connections to drop servers controlled via RDP and VNC
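The slide lists image files as a place where activity commands are fetched from. As an added illustration (not part of the talk or Kaspersky's tooling), the following Python walks a JPEG's segments and reports any bytes appended after the real end-of-image marker, a cheap triage signal for images that have been given a payload tail. The sample JPEG is constructed in code; it handles JPEG only, and GIF/PNG would need their own walkers.

```python
from typing import Optional

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

def trailing_bytes(data: bytes) -> Optional[bytes]:
    """Return bytes after the outermost EOI marker (b'' if none), or None if
    the input is not a JPEG we can walk. Segments are skipped by declared length,
    so an EXIF thumbnail's own FFD9 inside APP1 does not end the walk early; scan
    data cannot contain FFD9 (0xFF is stuffed as FF00, RSTn are FFD0-FFD7)."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None  # lost sync: not where a marker should be
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
        elif marker == 0xD9:  # EOI reached with no scan data
            return data[pos + 2:]
        elif marker == 0xDA:  # SOS: entropy-coded scan data runs until EOI
            end = data.find(JPEG_EOI, pos + 2)
            return None if end < 0 else data[end + 2:]
        elif 0xD0 <= marker <= 0xD7 or marker in (0x01, 0xD8):
            pos += 2  # standalone markers carry no length field
        elif pos + 4 <= len(data):
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        else:
            return None
    return None  # ran off the end without an EOI: truncated file

def build_sample_jpeg(appended: bytes = b"", thumbnail: bool = False) -> bytes:
    """Constructed JPEG-shaped bytes for testing (not a viewable image)."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x00" * 9
    # APP1 carrying a fake EXIF thumbnail that has its own SOI/EOI pair.
    app1 = b"\xff\xe1" + (12).to_bytes(2, "big") + b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"  # stuffed FF00 and an RST0 marker
    body = app0 + (app1 if thumbnail else b"") + sos + scan + JPEG_EOI
    return JPEG_SOI + body + appended

def is_suspicious(data: bytes, min_trailing: int = 1) -> bool:
    """True when a JPEG carries at least min_trailing appended bytes."""
    extra = trailing_bytes(data)
    return extra is not None and len(extra) >= min_trailing
```

Some writers pad a few bytes after EOI, so in practice raise min_trailing and inspect what the tail contains before alerting.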
28. The Apple of the APTs Eye
OSX and the APT
• Multiple Targeted Attacks and OS X-based Exploits
• More NGO attacks from the APT – Tibetan and Uyghur groups as frequent targets, usually on Wintel platform
• Backdoor.OSX.Sabpub, Backdoor.OSX.MaControl, etc
• Sabpub efforts are currently active, more ongoing…
29. Targeted Attacks in 2012?
Absolutely. Without a Doubt
• 0day or known exploits - just enough to get the job done? More than PIvy?
• Repeated wintel spearphish tactics eventually become less effective. Supplemented with possibly IM and focused browser based attacks. 2012 Target systems also run OS X, Linux, Android
• Increased 2012 offsec investment and activity
31. BYOD 2012
Defense set aside for convenience
• IE6 and clunky WinXPSP2 workstations begin to disappear. Other trees produce lower hanging fruit
• More data copied to more mobile devices than ever before (over 300 million Android activated as of Feb 2012) – policies. iPhones at around 250-300 million sold (“activated”?)
• Where will this “fruit” hang for corp mobile users?
• Exploitation with different purposes than “mods” begins in 2012
• Most likely Android, limited iPhone/iPad incidents
• Data exfiltration from the platform begins in 2012
• The new dumpster triple pike - outright device theft
33. Cloud Security 2012
Dark and Stormy
• 2011 Dropbox pushed configuration mistake to production, no password required to access 25 million user accounts’ storage
• Sony’s cloud services breach, early 2011 - 101 million user accounts
• More VMWare source code dumped in 2012
• Is underlying VMWare cloud infrastructure at risk? Is the related breach known or will focus on a potential set of major incidents fade away?
• Recent public VMWare Exploit PoC release - six step VMware High-Bandwidth Backdoor ROM Overwrite EoP, Derek Soeder (CVE-2012-1515)
• Xen VM exploitation released at Defcon, nothing reported ITW to-date
• 2012 - economic, scalable vision of “the cloud” may look past the cold security lessons of past, remote, complex systems
• VM-aware malware - now with added functionality for different purposes
34. Thank You
Questions, comments?
Kurt Baumgartner, Senior Security Researcher
Global Research and Analysis Team
kurt.baumgartner@kaspersky.com
Editor's notes
Note that most 2011 topics easily could have been avoided
Slide #8, duration: 10 sec. This was general information. Now, a few practical examples. The first is the Zbot outbreak: root cause, risk to the business, suggestions.