Blocking NetTraveler: our answer to sophisticated cyber-espionage

Targeted attacks gain popularity as a means of cyber-espionage. They get more complex, use sophisticated algorithms and act more stealthily than ever. Even U.S. President Barack Obama voiced his concerns

Targeted attacks gain popularity as a means of cyber-espionage. They get more complex, use sophisticated algorithms and act more stealthily than ever. Even U.S. President Barack Obama voiced his concerns about the rise of cyber-spying, stating the issue at the White House earlier this week. We definitely need comprehensive new technologies to reliably combat this threat.

Signature detection engines normally intercept previously identified malware, but this is rarely effective when a specially prepared attack is unleashed against a specific target. These attacks typically use yet unknown vulnerabilities to gain access to the victim’s data – and in this scenario a different, proactive approach to protection is needed.

Kaspersky Lab products feature a sophisticated arsenal of proactive technologies to fight targeted attacks.

The first battleground involves trying to prevent malware from getting through to the system at the early stages of the attack. In the NetTraveler targeted attack case two previously identified buffer overflow vulnerabilities CVE-2012-0158 and CVE-2010-3333 were used to infect the targets. Microsoft was aware of these problems and had released patches to eliminate them, but the owners of vulnerable systems had little way of knowing that they were at risk. So the first stage of the preventative approach is to use Vulnerability Assessment technology.

Vulnerability Assessment

Vulnerability Assessment is a technology which addresses these threats by tracking and detecting known vulnerabilities in software applications, including operating systems and widely used third party applications such as Microsoft Office, Java-based applications, Adobe Flash/Acrobat and others. Kaspersky’s Vulnerability Assessment technology is built around a substantial product database that draws data from Secunia, Microsoft and our own unique information stream developed by Kaspersky Lab experts. This internal data, which is the largest source for our vulnerability database, comes from Kaspersky Security Network – a constantly updated cloud of knowledge about vulnerabilities and malware derived from scanning millions of computers all over the world. This data is assessed by automatic systems and Kaspersky Lab malware experts before being added to the global vulnerabilities database. Thus we can identify a wide range of vulnerabilities in operating systems and third party products. This vulnerability assessment technology is available with Kaspersky Endpoint Security for Business.

When anyone responsible for IT security knows that the system is vulnerable, the next step for him/her is obvious – to try and patch the vulnerable software, if such a vendor patch exists. This task can be made easier with Patch Management.

Patch Management

Patch management  technology helps to monitor, download and apply operating system and third party application patches. Kaspersky’s technology can ensure that all vulnerabilities are automatically patched as soon as the software vendor makes a patch available. The sooner patches are installed, the easier it gets to stay ahead of targeted malware which uses known exploits. This patch management technology is also part of Kaspersky Endpoint Security for Business.

Sometimes patches cannot be applied to vulnerable applications, or a cyber-attack uses a 0-day vulnerability which is unknown to the vendor. Even in this challenging situation it is still possible to prevent infection with the help of Automatic Exploit Prevention (AEP) technology.

Automatic Exploit Prevention

Automatic Exploit Prevention (АЕР) is a comprehensive set of technologies which prevent exploits from using vulnerabilities in a variety of programs and operating systems. АЕР can also prevent the escalation of malicious behavior even after the exploit has launched. This technology is based on analysis of exploit behavior, as well as information on applications which are most often attacked by cybercriminals – Adobe Acrobat, Java, Windows components, Internet Explorer and others. Any time these programs attempt to launch suspicious code, special controls immediately intervene, interrupt the launch and trigger a scan of the system. Independent test results repeatedly confirm that our AEP technology is indeed an effective way of combating unknown and 0-day vulnerabilities.

In the NetTraveler case the malware exploited CVE-2012-0158 and CVE-2010-3333 vulnerabilities to infect the victims. AEP detects these exploits if common shellcodes are used. AEP is available in various Kaspersky Lab products including Kaspersky Internet Security 2013 and Kaspersky Endpoint Security for Business.

Traditional protection approaches remain effective, but to enhance the security of company infrastructures and to defend those from not only NetTraveler but from other currently unknown threats, too, we would like to introduce a completely new protection system.

Default Deny

Default Deny is the most complete and effective protection available. We believe that this technology is one of the most effective against future threats.

This technology automatically prevents the operation of any software that has not previously been placed on a list of safe/approved applications – unknown or unwanted software finds it simply impossible to launch. In the Default Deny mode a corporate network (or PC/group of PCs) operates in an isolated software environment, where only programs that are essential for the company’s business needs may be used. Unknown or unwanted applications are blocked, including new modifications of malicious programs such as those used in the NetTraveler targeted attack. This maintains a secure environment for the corporate infrastructure.

Kaspersky Lab Default Deny technology was named the best in an independent comparison of Application Control technologies performed by Dennis Technology Labs.