Fighting MiniDuke with technology: simple protection against a complex threat?

    Just a year ago, many were convinced that targeted attacks (not to be confused with cyber weapons) were aimed exclusively at American and Western European companies. The exposure of the Red October cyber espionage operation by Kaspersky Lab experts dispelled the myth that such threats have a narrow geographical focus.

    Further proof of their scale was not long in coming. On February 27, Kaspersky Lab published a new report investigating a series of cyber espionage incidents against government agencies and academic institutions around the world. The MiniDuke malware continues to attack victims in Ukraine, Belgium, Portugal, Romania, the Czech Republic, Ireland and other countries. This overview of the new threat was prepared specially for Habr by Vladimir Zapolyansky, deputy head of the global research centre and head of the technology positioning department at Kaspersky Lab.

    The figure shows a tweet from an account created by the C&C server operators; it carries a specific tag that marks an encrypted URL for the backdoors to use.

    To infiltrate a victim's computer, MiniDuke uses an exploit for the recently discovered 0-day vulnerability CVE-2013-0640 in Adobe Reader 9, 10 and 11. When a PDF file received by e-mail is opened, a small malicious module (20 KB) lands on the computer. A characteristic feature of the attack is that this module is written in assembler, in a style that was popular with virus writers in the late 1990s and early 2000s and is very rarely seen today.

    Once on the machine, the program communicates with its creators through the Twitter microblogging service, where it looks for tweets in accounts the attackers created in advance. Following the links published in those tweets, it downloads the bulk of the malicious code. The download proceeds in several stages, after which the code begins to function as a backdoor, giving the attacker access to any data on the victim's computer.
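    An added example, not MiniDuke's code and not taken from the Kaspersky report, of how such a "dead-drop resolver" works and how a defender can watch for it. The tag text, the XOR-plus-base64 obfuscation standing in for the real encryption, the regex and the timeline are all constructed for illustration; the backdoor's actual encoding is not reproduced here.

```python
import base64
import re

TAG = "uri!"       # assumed marker text; MiniDuke's real tag is not reproduced here
XOR_KEY = 0x5A     # assumed single-byte mask, a stand-in for the real encryption


def hide_url(url):
    """Operator side: obfuscate the stage-2 URL so the tweet reads like noise."""
    masked = bytes(b ^ XOR_KEY for b in url.encode("ascii"))
    return TAG + base64.urlsafe_b64encode(masked).decode("ascii").rstrip("=")


def reveal_url(token):
    """Undo hide_url(); raises ValueError/UnicodeDecodeError on a malformed token."""
    body = token[len(TAG):]
    body += "=" * (-len(body) % 4)          # restore the stripped base64 padding
    masked = base64.urlsafe_b64decode(body)
    return bytes(b ^ XOR_KEY for b in masked).decode("ascii")


# The marker followed by a run of URL-safe base64 characters.
TOKEN_RE = re.compile(re.escape(TAG) + r"[A-Za-z0-9_-]+")


def resolve(tweets):
    """Backdoor side: walk the timeline (newest first) and return the first URL that
    decodes cleanly, or None when no usable tagged tweet exists (the attack stalls)."""
    for text in tweets:
        m = TOKEN_RE.search(text)
        if not m:
            continue
        try:
            return reveal_url(m.group())
        except (ValueError, UnicodeDecodeError):
            continue       # marker present but body undecodable: keep looking
    return None


def find_tagged(tweets):
    """Defender side: the same pattern used as a triage filter over a watched
    account's timeline, returning every tweet that carries the marker."""
    return [t for t in tweets if TOKEN_RE.search(t)]


# Constructed timeline for the example; nothing here was actually posted anywhere.
TIMELINE = [
    "Great weather in Brussels today",
    "Must read " + hide_url("http://news-example.test/wp-content/stage2.gif"),
    "Another day, another coffee",
]

if __name__ == "__main__":
    print("stage-2 URL:", resolve(TIMELINE))
    print("tagged tweets:", find_tagged(TIMELINE))
```

    The point for a defender is that the channel is ordinary HTTPS traffic to a legitimate service, so the thing worth alerting on is the marker itself (and the process making the request), not the destination host.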

    Is there protection against MiniDuke?

    Today many anti-virus companies block MiniDuke with signature or heuristic methods. However, this detection of the malicious code became possible only after information about the Adobe Reader 0-day vulnerability it uses became public, on February 12, 2013. Adobe released a patch closing the vulnerability on February 20, 2013.

    This means that for a long time many anti-virus companies may have had no way to protect against this targeted attack: the exploit used in the attack successfully bypasses such advanced anti-exploit technologies as ASLR and DEP.

    Kaspersky Lab Security

    As Kaspersky Security Network (KSN) data show, the payload (shellcode) of the Adobe Reader exploit was blocked by our corporate and home products even before we learned that this attack existed.

    Fig. 1 Kaspersky Security Network statistics for February 2013: geographical distribution and number of blocked attempts to execute the shellcode used in the Adobe Reader exploit

    Moreover, the statistics on blocking this shellcode in 2012 show that it had been used before.

    Fig. 2 Kaspersky Security Network statistics for 2012: geographical distribution and number of blocked attempts to execute the shellcode used in the Adobe Reader exploit

    This shellcode was first detected and blocked by our products at the end of 2010!

    Fig. 3 Kaspersky Security Network statistics from 2010 to 2013: geographical distribution and number of blocked attempts to execute the shellcode used in the Adobe Reader exploit

    Thus the payload (shellcode) used in the Adobe Reader exploit of the MiniDuke attack has been successfully blocked by our products since 2010.

    This happens when Mail Anti-Virus analyses incoming messages. When a message carrying the malicious object arrives, the user of a Kaspersky Lab product simply receives the e-mail with the file removed and a note that it contained a malicious program, with the verdict Exploit.JS.Pdfka.giw.

    Fig. 4 Notification to the user that the exploit shellcode was blocked on receipt of mail, in interactive and non-interactive modes

    How was it possible to block this shellcode before we knew it existed?

    Typically, several layers of protection are involved in detecting complex threats, including targeted attacks. One of the key ones is Automatic Exploit Prevention. This proactive technology worked effectively in the case of Red October, and in the case of the Java 0-day that became public in January 2013.

    Fig. 6. The multi-level security model of Kaspersky Lab

    In the case of MiniDuke, however, things turned out to be much simpler. In August 2010 our anti-virus experts created a heuristic signature that blocks many exploits for Adobe Reader vulnerabilities. It is this link in the multilayer protection implemented in our products that worked in this case.

    Kaspersky Lab Heuristic Detection

    Heuristic analysis belongs to the class of proactive protection technologies: it finds files infected with an unknown virus or with a new modification of a known one. A single heuristic signature can block many malicious files, which improves detection quality while keeping anti-virus databases small.

    Our products use both static and dynamic analysis.

    Static analysis scans the code for suspicious instructions that may indicate malware. For example, a characteristic trait of a malicious program is code that searches for executable files and then modifies them.

    The heuristic analyser walks through the program code and, on encountering a suspicious instruction or fragment, increments the program's "suspiciousness counter". If, after the whole program has been scanned, the counter exceeds a predetermined threshold, the object is considered suspicious.

    In dynamic analysis, the launch of the object is emulated in a virtual address space. If the heuristic analyser detects suspicious actions during emulation, the program or object is recognised as malicious and its launch on the user's computer is blocked.
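    An added example, not Kaspersky Lab code, of the static scheme described above applied to PDF files; it is also the kind of generic rule set that a heuristic signature against "many Adobe Reader exploits" represents, which is why such a signature can catch an exploit written years later. Each matching trait adds its weight to a suspiciousness counter, and the verdict is "suspicious" once a threshold is reached. The rule names, patterns, weights and threshold are assumptions made for this example; the two sample documents are constructed and contain no real exploit. Dynamic (emulation-based) analysis is not shown.

```python
import re
import zlib

# One rule per suspicious trait: (name, pattern over the file bytes, weight).
# Names, patterns and weights are assumptions made for this example.
RULES = [
    ("javascript",       re.compile(rb"/JavaScript\b|/JS\b"), 3),
    ("open_action",      re.compile(rb"/OpenAction\b|/AA\b"), 2),
    ("launch_action",    re.compile(rb"/Launch\b"), 3),
    ("embedded_file",    re.compile(rb"/EmbeddedFile\b"), 2),
    ("hex_escaped_name", re.compile(rb"/[A-Za-z]*#[0-9A-Fa-f]{2}"), 3),   # e.g. /J#61vaScript
    ("unescape",         re.compile(rb"\bunescape\s*\("), 3),
    ("eval",             re.compile(rb"\beval\s*\("), 2),
    ("unicode_blob",     re.compile(rb"(%u[0-9A-Fa-f]{4}){8,}"), 4),      # shellcode / NOP sled
    ("spray_loop",       re.compile(rb"\bwhile\s*\([^)]*length\s*<"), 2),  # heap-spray loop
]
THRESHOLD = 6  # assumed; a real engine tunes this against false positives

# "stream ... endstream" bodies; the lookbehind stops "endstream" matching as "stream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(pdf):
    """Return the raw bytes plus the inflated body of every Flate-compressed stream,
    so the rules also see JavaScript hidden inside compressed objects."""
    inflated = []
    for m in STREAM_RE.finditer(pdf):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib data (or corrupt): the rules still see the raw bytes
    return pdf + b"\n" + b"\n".join(inflated)


def score_pdf(pdf):
    """Static heuristic: every matching rule adds its weight to a suspiciousness
    counter; once the counter reaches THRESHOLD the object is flagged."""
    view = inflate_streams(pdf)
    hits = [(name, weight) for name, rx, weight in RULES if rx.search(view)]
    score = sum(weight for _, weight in hits)
    return {"score": score, "hits": [name for name, _ in hits], "suspicious": score >= THRESHOLD}


# --- constructed samples (not real malware): just enough PDF syntax for a byte scanner ---

def build_pdf(objects):
    body = b"%PDF-1.5\n"
    for num, obj in enumerate(objects, 1):
        body += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def flate_stream(data):
    packed = zlib.compress(data)
    return (b"<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
            + packed + b"\nendstream")


BENIGN_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
    flate_stream(b"BT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET"),
])

# Exploit-style document: an OpenAction firing a JavaScript action whose type name is
# hex-escaped, plus a compressed heap-spray script.  The script is inert text here.
SPRAY_JS = (b"var s = unescape('" + b"%u9090" * 16 + b"');\n"
            b"var a = []; while (a.length < 200) a.push(s + s);\n"
            b"eval(a[0]);\n")
EXPLOIT_LIKE_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R >>",
    b"<< /S /J#61vaScript /JS 5 0 R >>",
    flate_stream(SPRAY_JS),
])

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("exploit-like", EXPLOIT_LIKE_PDF)):
        print(label, score_pdf(doc))
```

    Two details matter in practice: the rules must run over decompressed stream bodies, otherwise a script packed with FlateDecode contributes nothing to the counter, and no single trait should reach the threshold on its own, since autorun actions and JavaScript both occur in legitimate documents.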

    A number of components in our products use heuristic analysis: File Anti-Virus, Mail Anti-Virus, Web Anti-Virus, IM Anti-Virus, Application Activity Control and others.


    However, the fact that this threat could be blocked in a simple way does not mean that all such attacks can be neutralised in the same way.
    That is why we continue to improve the multi-level approach to user protection and regularly release new technologies such as Whitelist, Application Control, Default Deny and Safe Money. This allows Kaspersky Lab products to provide reliable, comprehensive protection against computer threats, including new and previously unknown ones.
