Malware in September: The Fine Art of Targeted Attacks

13 Oct 2011
Business News

Out-of-the-box activity.

The idea of infecting BIOS has long been a highly intriguing prospect for cybercriminals: by launching from BIOS immediately after the computer is turned on, a malicious program can gain control of all the boot-up stages of the computer or operating system. Since 1998 and the CIH virus, which could merely corrupt BIOS, malware writers have made little progress on this front. That changed, however, in September when a Trojan was detected that could infect BIOS and as a result gain control of the system. The rootkit is designed to infect BIOS manufactured by Award and appears to have originated in China. The Trojan’s code is clearly unfinished and contains debug information, but Kaspersky Lab analysts have verified that its functionality works.

Attacks against individual users

The DigiNotar hack.
One of the main aims of the hackers who attacked the Dutch certificate authority DigiNotar was the creation of fake SSL certificates for a number of popular resources, including social networks and email services that are used by home users.

The hack occurred at the end of July and went unnoticed throughout August while the attacker manipulated the DigiNotar system to create several dozen certificates for resources such as Gmail, Facebook and Twitter. Their use was later recorded on the Internet as part of an attack on Iranian users. The fake certificates are installed at the provider level and allow data flows between a user and a server to be intercepted. The DigiNotar story once again demonstrates that the existing system of hundreds of certificate authorities is poorly protected and merely discredits the very idea of digital certificates.

MacOS threats: the new Trojan concealed inside a PDF.

Cybercriminals are taking advantage of the complacency shown by many MacOS users. For instance, most Windows users who receive email attachments with additional file extensions such as .pdf.exe or .doc.exe will simply delete them without opening them. However, this tactic proved to be a novelty for Mac users, who are more prone to unwittingly launch malicious code masquerading as a PDF, an image or a doc etc.

This mechanism was detected in late September in the malicious program Backdoor.OSX.Imuler.a, which is capable of receiving additional commands from a control server as well as downloading random files and screenshots to the server from the infected system. In this case, the cybercriminals used a PDF document as a mask.

Mobile threats
Kaspersky Lab detected 680 new variations of malicious programs for different mobile platforms in September. 559 of them were for Android. In recent months there has been a significant increase in the overall number of malicious programs for Android and, in particular, the number of backdoors: of the 559 malicious programs detected for Android, 182 (32.5%) were modifications with backdoor functionality. More and more malicious programs for mobile devices are now making extensive use of the Internet for such things as connecting to remote servers to receive commands.

mTAN thefts.
Mobile Trojans designed to intercept text messages containing mTANs used in online banking are becoming increasingly popular among cybercriminals. Following in the footsteps of ZitMo, which has been operating on the four most popular platforms for the last year, is SpitMo which works in much the same way but in tandem with the SpyEye Trojan rather than ZeuS.

Attacks via QR codes.
At the end of September the first attempted malicious attacks using QR codes were detected. When it comes to installing software on smartphones, a variety of websites offer users a simplified process that involves scanning a QR code to start downloading an app without having to enter a URL. Predictably, cybercriminals have also decided to make use of this technology to download malicious software to smartphones: Kaspersky Lab analysts detected several malicious websites containing QR codes for mobile apps (e.g. Jimm and Opera Mini) which included a Trojan capable of sending text messages to premium-rate short numbers.

Attacks on corporate networks

The number of serious attacks on large organizations that make use of emails in the initial stages is on the increase. In September alone there was news of two major incidents that made use of this tactic. The first, named Lurid, was uncovered by Trend Micro during research by the company’s experts. They managed to intercept traffic to several servers that were being used to control a network of 1,500 compromised computers located mainly in Russia, former Soviet republics and countries in eastern Europe. Analysis of the Russian victims showed that it was a targeted attack against very specific organizations in the aerospace industry, as well as scientific research institutes, several commercial organizations, state bodies and a number of media outlets. The attackers managed to gain access to data by sending malicious files via email to employees in these organizations.

Attack on Mitsubishi.
News about an attack on the Japanese corporation Mitsubishi appeared in the middle of the month, although research by Kaspersky Lab suggests that it was most probably launched as far back as in July and entered its active phase in August.

According to the Japanese press, approximately 80 computers and servers were infected at plants manufacturing equipment for submarines, rockets and the nuclear industry. Malware was also detected on computers at the company’s headquarters. There is now no way of knowing exactly what information was stolen by the hackers, but it is likely that the affected computers contained confidential information of strategic importance.

“It is safe to say that the attack was carefully planned and executed,” says Alexander Gostev, Chief Security Expert at Kaspersky Lab. “It was a familiar scenario: in late July a number of Mitsubishi employees received emails from cybercriminals containing a PDF file, which was an exploit for a vulnerability in Adobe Reader. The malicious component was installed as soon as the file was opened, resulting in the hackers getting full remote access to the affected system. From the infected computer the hackers then penetrated the company’s network still further, cracking servers and gathering information that was then forwarded to the hackers’ server. A dozen or so different malicious programs were used in the attack, some developed specifically with the company’s internal network structure in mind.”

The war on cybercrime

Closure of the Hlux/Kelihos botnet.
September saw a major breakthrough in the battle against botnets – the closure of the Hlux botnet. Cooperation between Kaspersky Lab, Microsoft and Kyrus Tech not only led to the takeover of the network of Hlux-infected machines, the first time this had ever been done with a P2P botnet, but also the closure of the entire cz.cc domain. Throughout 2011 this domain had hosted command and control centers for dozens of botnets and was a veritable hotbed of security threats. At the time it was taken offline the Hlux botnet numbered over 40,000 computers and was capable of sending out tens of millions of spam messages on a daily basis, performing DDoS attacks and downloading malware to victim machines.

Kaspersky Lab currently controls the botnet and the company’s experts are in contact with the service providers of the affected users to clean up infected systems. Detection for Hlux has been added to Microsoft’s Malicious Software Removal Tool, helping to significantly reduce the number of infected machines. More detailed information about the IT threats detected by Kaspersky Lab on the Internet and on users' computers in September 2011 is available at http://www.securelist.com.

© 1997 – 2014 Kaspersky Lab ZAO

All Rights Reserved. Industry-leading Antivirus Software