
Antivirus software and heroes of Cervantes

Against modern malware, developed by professional programmers working within highly structured criminal organizations, you can no longer protect yourself simply by installing an antivirus.



As the previous article already noted, the technical specialists responsible for information security in their companies must be able to use software products and their components competently and, when new threats appear, justify the purchase of new products or components.
It is worth explaining why some vendors, and Doctor Web in particular, offer such a wide range of information protection tools. Is it merely the company's wish to have an offer for every occasion? Or do antivirus developers, by virtue of their work, know a little more about how real certain threats are and, like the heroes of Cervantes, pursue a noble goal: the complete protection of their clients? Let us try to find out.

One of the most attractive targets for malware authors at the moment is remote banking service (RBS) systems, so let us look at these threats in more detail.

Go to updates.drweb.com and search for Carberp. Here are the updates for 2012-03-02 alone (the date of writing):

Trojan.Carberp.14 (2) Trojan.Carberp.15 (7) Trojan.Carberp.194 Trojan.Carberp.195 Trojan.Carberp.196 Trojan.Carberp.197 Trojan.Carberp.198 Trojan.Carberp.199 Trojan.Carberp.200 Trojan.Carberp.201 Trojan.Carberp.202 Trojan.Carberp.203 Trojan.Carberp.204 Trojan.Carberp.205 Trojan.Carberp.206 Trojan.Carberp.207 Trojan.Carberp.208 (14) Trojan.Carberp.209 Trojan.Carberp.210 Trojan.Carberp.211 Trojan.Carberp.213 Trojan.Carberp.214 Trojan.Carberp.215 Trojan.Carberp.216 Trojan.Carberp.217 Trojan.Carberp.218 Trojan.Carberp.219 Trojan.Carberp.220 Trojan.Carberp.221 Trojan.Carberp.222 Trojan.Carberp.224 Trojan.Carberp.225 Trojan.Carberp.226 Trojan.Carberp.227 Trojan.Carberp.228 Trojan.Carberp.229 Trojan.Carberp.230 Trojan.Carberp.231 Trojan.Carberp.232 Trojan.Carberp.233 Trojan.Carberp.234 Trojan.Carberp.235 Trojan.Carberp.236 Trojan.Carberp.237 Trojan.Carberp.238 Trojan.Carberp.239 Trojan.Carberp.240 Trojan.Carberp.241 Trojan.Carberp.242 Trojan.Carberp.243 Trojan.Carberp.244 Trojan.Carberp.245 Trojan.Carberp.246 Trojan.Carberp.247 Trojan.Carberp.248 Trojan.Carberp.249 Trojan.Carberp.250 Trojan.Carberp.251 Trojan.Carberp.252 Trojan.Carberp.253 Trojan.Carberp.254 Trojan.Carberp.255 Trojan.Carberp.256 Trojan.Carberp.257 Trojan.Carberp.258 Trojan.Carberp.259 Trojan.Carberp.260 Trojan.Carberp.261 Trojan.Carberp.262 Trojan.Carberp.263 Trojan.Carberp.264 Trojan.Carberp.265 Trojan.Carberp.266 Trojan.Carberp.267 Trojan.Carberp.29 (14) Trojan.Carberp.33 (10) Trojan.Carberp.45 (4) Trojan.Carberp.5 (3) Trojan.Carberp.60 (6) Trojan.Carberp.61 Trojan.Carberp.80

As is known, Trojans of the Trojan.Carberp family are aimed at stealing money from companies and individuals. Trojan.Carberp is distributed using the Black Hole exploit kit, a collection of exploits for errors and undocumented features in modern software, in particular browsers and operating systems. In most cases the Black Hole victim does not need to take any action at all to "get the Trojan": infection happens automatically when a compromised website is viewed (a drive-by download). The caveat a practitioner should keep in mind is that "automatically" means the kit found an unpatched browser or browser component to exploit; a fully patched browser gives the kit nothing to work with, which is why patching is a defence in its own right, not a substitute for the measures below.

Trojan.Carberp is developed and "promoted" by an organized group of criminals: the developers are in one country, the servers from which the Trojan is actually distributed are in another, and the organizers are in a third.

At the moment the situation with Trojan.Carberp resembles last year's Trojan.Winlock: new modifications, tested in advance against the latest antivirus versions, were appearing daily, and antivirus vendors naturally needed time before they began removing each new variant. At the same time Trojan.Carberp is far more dangerous than Trojan.Winlock: where Winlock merely prevented work by blocking access to the OS and demanding an SMS payment, Trojan.Carberp is designed for long-term, covert operation in the system.

If you look at the purpose of Trojan.Carberp itself, it serves directly to steal passwords for remote banking services and trading platforms, as well as passwords from other programs (browsers, messengers, FTP clients, mail clients, etc.), much like the well-known Zeus. Moreover, Trojan.Carberp can also implement custom functionality: thanks to its extensible architecture, it can download special add-ons (plug-ins) to perform other destructive actions.
Summing up, modern malware:

1. Is often not detected by antiviruses at the time it is created and, moreover, attempts to remove the antivirus.

2. Uses the latest developments in malware creation. Trojan.Carberp alone uses several methods to intercept RBS-related information: logging the user's keystrokes; inspecting HTTP traffic for credentials and submitted form values; injecting itself into the processes of Bank-Client programs; taking screenshots at the moments sensitive data is entered; hooking individual functions that may take part in data transfer; and searching for and stealing certificates and keys. All variants of the Trojan are packed with virus packers. Among the commands Trojan.Carberp can execute are directives to launch arbitrary files on the infected computer, a command to set up a "remote desktop" session via RDP, and even one to delete the operating system on the infected PC. Thus bank transactions can be made over remote access, in the existing session or in a parallel one.

3. Is well hidden in the system. Trojan.Carberp, running on an infected machine, takes a whole series of steps to evade monitoring and control tools. After a successful launch the Trojan injects itself into other running applications and terminates its own main process, so that all its further work takes place inside third-party processes; this is its characteristic feature. The myth that the presence of any virus can be noticed visually is obsolete.

4. Competes with other malware: Trojan.Carberp can destroy "competing" banking Trojans.

5. Operates as part of botnets managed from one (or several) command centres. Thus an infected machine or network also becomes a source of further infection.

6. Thanks to remote control and plug-ins, an attack on a specific company can be organized on request from outside. At the moment plug-in versions exist for most well-known banking systems.

What can a system administrator who has only an antivirus set against this? If only the antivirus is used (more precisely, the file monitor that watches file activity), then nothing. Yes, after a while the new infection will be detected, but by then the money will be gone.

But a modern antivirus is not the same as a file antivirus. Its structure also includes access-restriction components. With them you can allow employees access only to selected sites (recall that Trojan.Carberp is distributed through hacked websites devoted to publishing financial or accounting information). The antivirus has a link-checking function, and this also needs to be used. The antivirus must not let employees change its settings on their own because "everything is slowing down"; that is, there must be a centralized management system through which the settings are distributed.
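The "only selected sites" control above is only as good as how the site list is matched. As an added example written for this article (not code from the original post or from any Doctor Web product), the following Python shows an allowlist checked against the parsed hostname, next to the substring check that is often written instead and that a lookalike or redirecting URL slips past. All hosts and URLs in it are constructed placeholders.

```python
"""Host-based allowlist for employees' outbound web access.

Added example written for this article; it is not code from the original post
or from any Doctor Web product. It shows the access-restriction control the
text recommends (employees may reach only selected sites) done on the parsed
hostname rather than by substring, because substring matching is the mistake
that lets a lookalike or redirecting URL through. All hosts and URLs below are
constructed placeholders.
"""
from typing import FrozenSet, Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist. A leading dot means "this domain and any subdomain".
ALLOWED: FrozenSet[str] = frozenset({
    "rbs.example-bank.test",   # the bank's remote banking portal
    ".tax-authority.test",     # any host under the tax authority's domain
})


def hostname_of(url: str) -> Optional[str]:
    """Return the normalized hostname of a web URL, or None if it is not a plain http(s) URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # urlsplit already discards user:pass@ and :port; normalize case and trailing dot.
    return parts.hostname.lower().rstrip(".")


def is_allowed(url: str, allowed: Iterable[str] = ALLOWED) -> bool:
    """Allow only if the parsed hostname equals an entry or lies under a dotted entry."""
    host = hostname_of(url)
    if host is None:
        return False
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def naive_is_allowed(url: str, allowed: Iterable[str] = ALLOWED) -> bool:
    """The common mistake, kept for comparison: substring match on the raw URL."""
    return any(entry.lstrip(".") in url.lower() for entry in allowed)


# Constructed URLs a filtering proxy might see; the attacker-controlled ones reuse the bank's name.
PROBES = [
    "https://rbs.example-bank.test/login",                      # legitimate
    "https://portal.tax-authority.test/forms",                  # legitimate subdomain
    "https://rbs.example-bank.test.attacker.test/login",        # lookalike suffix
    "https://rbs.example-bank.test@attacker.test/",             # userinfo trick
    "https://attacker.test/redirect?to=rbs.example-bank.test",  # bank name only in the query
    "ftp://rbs.example-bank.test/",                             # not a web URL
]


def compare(urls=PROBES):
    """Return {url: (hostname_match, substring_match)} to show where the naive check fails."""
    return {u: (is_allowed(u), naive_is_allowed(u)) for u in urls}


if __name__ == "__main__":
    for url, (strict, naive) in compare().items():
        print(f"{'ALLOW' if strict else 'BLOCK':5}  naive={'ALLOW' if naive else 'BLOCK':5}  {url}")
```

Run it and the last four probes are the point: the substring version allows every one of them, the hostname version none. Whatever proxy or antivirus component actually enforces the list, it is worth feeding it these same probes to see which behaviour it has.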

All antiviruses will sooner or later begin to catch a new modification, but some will start earlier and others later (depending, among other things, on where their virus analysts are located). In this regard, the correct practice, recommended by the STO BR RF and implemented in banks, is to use several antiviruses: before a file reaches the user it should be checked by two antiviruses, for example on the gateway and the mail server, or on the mail server and the user's machine.

Modern threats are also used as an argument for switching to systems such as Linux: at the moment there are far fewer viruses for this OS. However, changing the operating system from which bank transactions are made is not an unambiguous solution to the problem. The first banking Trojan for the Android platform already exists: Android.SpyEye.1. Those at risk of infection with Android.SpyEye.1 are primarily users whose computers are already infected with the SpyEye Trojan. When the user visits banking sites whose addresses are listed in the Trojan's configuration file, extraneous content, which may include text or web forms, is injected into the page the user sees. Thus the unsuspecting victim opens the page of the bank where the account is held in the browser of a desktop or laptop and finds a message that the bank has introduced new security measures without which the Bank-Client system cannot be accessed, together with an offer to download onto the mobile phone a special application, which contains the Trojan.

After it is downloaded and installed on the mobile device, Android.SpyEye.1 intercepts all incoming SMS messages and sends them to the attackers (at the moment SMS confirmation of payments is considered the most reliable technology). Android.SpyEye.1 is dangerous for owners of mobile devices because it can hand confidential information to virus writers. The practical consequence is that the attacker now holds both factors for that user: the banking credentials captured on the infected PC and the one-time codes arriving on the phone, so the SMS confirmation no longer adds any protection for that account.
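The injection described above lives in the Trojan's configuration, and an analyst who gets hold of such a configuration usually wants two things from it: which banks it targets, and what the victim actually sees. The following Python is an added example written for this article, not code from the original post or from Doctor Web. The article does not show the configuration format; the syntax used here (set_url / data_before / data_inject / data_after / data_end) is the widely documented Zeus-family webinject format that SpyEye also used, and the configuration and the bank page are constructed. The semantics of an empty data_after (plain insertion after the data_before match) and of a non-empty one (replace whatever lies between the two masks) are my assumption about the format.

```python
"""Parser and applier for Zeus/SpyEye-style "webinject" configurations.

Added example for this article, not code from the original post or from
Doctor Web. Config syntax assumed to be the documented Zeus-family format;
the config and the bank page below are constructed for illustration.
"""
import difflib
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Inject:
    url_mask: str          # URL pattern with '*' wildcards
    flags: str             # e.g. "GP": apply to GET and POST responses
    before: str = ""       # mask after which data_inject is placed
    inject: str = ""       # the HTML the victim's browser will render
    after: str = ""        # optional mask; text up to it is replaced (assumption)


def parse_webinjects(text: str) -> List[Inject]:
    """Parse the config into Inject records; blocks run from data_<name> to data_end."""
    injects: List[Inject] = []
    current: Optional[Inject] = None
    block_name: Optional[str] = None
    block_lines: List[str] = []
    for line in text.splitlines():
        if block_name is not None:                     # inside a data_* block
            if line.strip() == "data_end":
                setattr(current, block_name, "\n".join(block_lines))
                block_name, block_lines = None, []
            else:
                block_lines.append(line)
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):   # blank line or comment
            continue
        if stripped.startswith("set_url"):
            parts = stripped.split(None, 2)
            current = Inject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            if current is None:
                raise ValueError(f"{stripped} before any set_url")
            block_name = stripped[len("data_"):]
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if block_name is not None:
        raise ValueError("unterminated data block")
    return injects


def targeted_urls(injects: List[Inject]) -> List[str]:
    """Triage view: which URL masks (i.e. which banks) does this sample go after?"""
    return sorted({i.url_mask for i in injects})


def _mask_to_regex(mask: str) -> str:
    """Masks use '*' as the only wildcard; everything else is literal."""
    return ".*?".join(re.escape(part) for part in mask.split("*"))


def apply_injects(url: str, html: str, injects: List[Inject]) -> str:
    """Return the page as the victim's browser would show it after the Trojan's edit."""
    for inj in injects:
        if not re.fullmatch(_mask_to_regex(inj.url_mask), url):
            continue
        start = 0
        if inj.before:
            m = re.search(_mask_to_regex(inj.before), html, re.S)
            if not m:
                continue                                # anchor missing: page left alone
            start = m.end()
        end = start
        if inj.after:
            m = re.search(_mask_to_regex(inj.after), html[start:], re.S)
            if not m:
                continue
            end = start + m.start()
        html = html[:start] + inj.inject + html[end:]
    return html


def injected_fragments(original: str, modified: str) -> List[str]:
    """Line-level diff of what the server sent vs. what is rendered: the only client-side trace."""
    orig_lines, mod_lines = original.splitlines(), modified.splitlines()
    sm = difflib.SequenceMatcher(None, orig_lines, mod_lines)
    return ["\n".join(mod_lines[j1:j2])
            for tag, _i1, _i2, j1, j2 in sm.get_opcodes() if tag in ("insert", "replace")]


# Constructed sample config; the hostnames are placeholders, not real infrastructure.
SAMPLE_CONFIG = """\
; constructed sample, not a real Trojan configuration
set_url https://rbs.example-bank.test/login* GP
data_before
<form*name="login"*>
data_end
data_inject
<div class="notice">For your security, install the new mobile client:
<a href="http://update.example-attacker.test/client.apk">download</a></div>
data_end
data_after

data_end
"""

# Constructed stand-in for the bank's genuine login page.
SAMPLE_PAGE = """\
<html><body>
<h1>Example Bank</h1>
<form method="post" action="/login" name="login">
<input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    cfg = parse_webinjects(SAMPLE_CONFIG)
    print("targets:", targeted_urls(cfg))
    seen = apply_injects("https://rbs.example-bank.test/login?lang=en", SAMPLE_PAGE, cfg)
    print("\n".join(injected_fragments(SAMPLE_PAGE, seen)))
```

Note what the diff shows and what the browser does not: the notice is rendered inside the bank's genuine page, under the bank's URL and certificate, so the padlock and address bar tell the victim nothing. The server never sent the fragment, which is why the defences the article lists belong on the endpoint and in the traffic path, not on the bank's website.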
Practice shows that for the most part companies buy protection only for workstations and (sometimes) file servers. Yet server systems offer far more opportunities for filtering malicious and unwanted content!

Practice also shows that payments are made not only from machines in the accounting department but also from personal home PCs and from mobile devices. So at the moment you need to protect all the machines and mobile devices that the company's employees work with in one way or another (which, incidentally, can serve as a kind of bonus for them).

In conclusion:

1. Using the antivirus proper (the file monitor) alone is not enough to protect against existing threats.

2. Using an antivirus protection system (in Doctor Web's terms, comprehensive protection) makes it possible to reduce the risk of infection significantly, including through access restriction, scanning on server systems, and so on.

3. Professionals responsible for the security of local systems must be able to react flexibly and in real time to emerging threats; knowing how to use the existing capabilities of their systems, what actually needs to be purchased, and how to argue the case to management for a particular solution is mandatory for them.

Source: https://habr.com/ru/post/141296/
