January 20, 2015 at 18:02Not all antiviruses are equally useful: a webinar by Sergey Gordeychik and Vladimir Kropotov
A few days ago, the New York Times published an article on how evidence was obtained of North Korea's involvement in a massive attack on Sony Corporation. Back in 2010, US National Security Agency experts hacked into DPRK computer networks and secretly watched the activity of North Korean hackers.
In addition to sources in the special services, this version is also confirmed by documents previously published by Edward Snowden in the Spiegel magazine. NSA employees managed to infiltrate Chinese networks that connect North Korea’s Internet with the rest of the world, and spread the malware among local hacker groups.
According to the New York Times, NSA experts observed the first phishing attacks on Sony when the password of one of the corporation’s system administrators was stolen, which became the starting point of the implementation.
It is curious that in 2011 Sony was already subjected to massive hacking (and in 2010 it sued a regular participant of PHDays - Geohot), and reorganized the information security division, but this did not help. From September to November 2014, Koreans studied Sony’s internal network infrastructure, identifying servers with the most valuable information. The NSA did not think that things would go so far and did nothing. The consequences were very serious - the speech of Barack Obama, new sanctions against North Korea, harsh statements from the opposite side.
In this regard, it is worth recalling another series of targeted attacks related to targeted phishing. They were carried out by Chinese intelligence services against Tibetan and Uyghur activists, attacking the resources of organizations supporting Tibetan independence. As a result, the PRC authorities managed to identify individual conspirators, although they checked each file received by mail with antivirus programs. Precautions did not save them from being infected by exploits that exploit various vulnerabilities in Microsoft Office (Exploit.MSWord.CVE-2010-333, Exploit.Win32.CVE-2012-0158, etc.).
Later, in some cases, the malicious program NetTraveler, which was developed for covert surveillance of the computer: recording keystrokes, copying documents and other actions, was downloaded to the victims' computer. Interestingly, NetTraveler was usedalso for espionage against governments, oil companies, research organizations of dozens of countries, from Australia to Belarus.
In our blog, we have repeatedly talked about the inefficiency of signature methods in the fight against targeted attacks. Its reasons are that there are simple ways to reduce the detectability of a malicious program, and signature databases are difficult to keep up to date with the growing volume of new and modified malware.
Tibetan human rights activists uploaded letters to VirusTotal in order to block viruses that were directly embedded in an electronic message, but this not only did not help, but also complicated the situation: all correspondence was saved on VirusTotal and after some time became public.
The topic of APT and targeted viral epidemics will be continued next Thursday by Sergey Gordeychik and Vladimir Kropotov at a free webinar. Positive Technologies experts will talk about targeted attacks from the point of view of “Augean stables cleaners,” the benefits of retrospective analysis, and the company's new product, PT Multiscanner.
The webinar will begin on January 22, 2015 at 14:00 (registration on the site ).
In addition to sources in the special services, this version is also confirmed by documents previously published by Edward Snowden in the Spiegel magazine. NSA employees managed to infiltrate Chinese networks that connect North Korea’s Internet with the rest of the world, and spread the malware among local hacker groups.
According to the New York Times, NSA experts observed the first phishing attacks on Sony when the password of one of the corporation’s system administrators was stolen, which became the starting point of the implementation.
It is curious that in 2011 Sony was already subjected to massive hacking (and in 2010 it sued a regular participant of PHDays - Geohot), and reorganized the information security division, but this did not help. From September to November 2014, Koreans studied Sony’s internal network infrastructure, identifying servers with the most valuable information. The NSA did not think that things would go so far and did nothing. The consequences were very serious - the speech of Barack Obama, new sanctions against North Korea, harsh statements from the opposite side.
In this regard, it is worth recalling another series of targeted attacks related to targeted phishing. They were carried out by Chinese intelligence services against Tibetan and Uyghur activists, attacking the resources of organizations supporting Tibetan independence. As a result, the PRC authorities managed to identify individual conspirators, although they checked each file received by mail with antivirus programs. Precautions did not save them from being infected by exploits that exploit various vulnerabilities in Microsoft Office (Exploit.MSWord.CVE-2010-333, Exploit.Win32.CVE-2012-0158, etc.).
Later, in some cases, the malicious program NetTraveler, which was developed for covert surveillance of the computer: recording keystrokes, copying documents and other actions, was downloaded to the victims' computer. Interestingly, NetTraveler was usedalso for espionage against governments, oil companies, research organizations of dozens of countries, from Australia to Belarus.
In our blog, we have repeatedly talked about the inefficiency of signature methods in the fight against targeted attacks. Its reasons are that there are simple ways to reduce the detectability of a malicious program, and signature databases are difficult to keep up to date with the growing volume of new and modified malware.
Tibetan human rights activists uploaded letters to VirusTotal in order to block viruses that were directly embedded in an electronic message, but this not only did not help, but also complicated the situation: all correspondence was saved on VirusTotal and after some time became public.
The topic of APT and targeted viral epidemics will be continued next Thursday by Sergey Gordeychik and Vladimir Kropotov at a free webinar. Positive Technologies experts will talk about targeted attacks from the point of view of “Augean stables cleaners,” the benefits of retrospective analysis, and the company's new product, PT Multiscanner.
The webinar will begin on January 22, 2015 at 14:00 (registration on the site ).