
Technology that exposed Red October

Another global cyber threat has been revealed by experts at Kaspersky Lab. This time it is a targeted attack, or rather an extensive cyber-espionage network directed against diplomatic and government agencies, research institutes, industrial companies and military departments in various countries.

This publication was preceded by the investigation of Red October, which began in October 2012 when, at the request of one of our partners, we analysed the attack and the modules of what was then unknown malicious code. This helped us determine the true scale of the campaign, which, as it turned out, covers about 20 countries.

The investigation revealed the use of at least four different exploits for known vulnerabilities: CVE-2009-3129 (MS Excel), CVE-2010-3333 (MS Word), CVE-2012-0158 (MS Word) and CVE-2011-3544 (Java). The exploits are embedded in documents sent out in targeted phishing attacks. When such a file is opened, the main module of the malicious code is loaded; it acts as an 'entry point' to the system and makes it possible to load additional modules for the next stages of the attack.

To date, we have identified about 1000 malicious files belonging to 30 different groups of modules. All of them were created between 2007 and early 2013; the most recent ones are dated January 8, 2013.
Our anti-virus products, including the mobile ones for Windows, now detect the files of this malware under signatures such as Backdoor.Win32.Sputnik, and detect the exploits heuristically as Trojan-Dropper.MSWord.Agent.ga, Exploit.MSWord.CVE-2010-3333.bw, Exploit.Win32.CVE-2012-0158.j and Exploit.Java.CVE-2011-3544.l. Heuristic detection is a technology that lets a single signature detect many malicious files, including previously unknown modifications of malware, which at the same time improves detection quality and reduces the size of anti-virus databases.

An extremely interesting question is whether this malicious code was being detected before October.

As shown by Kaspersky Security Network (KSN) data, some of the Red October malicious files were already being blocked by our products before October 2012. Components (dll, exe) were blocked by signatures that we had created for files obtained from our standard sources (KSN, virus collections, mail, etc.). The verdicts were named, for example, Trojan.Win32.Monzat.ac, Trojan.Win32.Genome.afykf, Trojan.Win32.Agent2.fhqq and Net-Worm.Win32.Kolab.baih.

Analysis of the attack made it possible to systematize the existing knowledge, collect the missing information and combine the existing and new instances of malicious files under one name: Backdoor.Win32.Sputnik.
The exploits used for infection were blocked by the Automatic Exploit Prevention (AEP) technology under the name PDM:Exploit.Win32.Generic, which is common to all types of exploits unless they have been specifically identified by our analysts. A prototype of the AEP technology was implemented in Kaspersky Internet Security 2012 and Kaspersky Endpoint Security 8, and the full version is included in Kaspersky Internet Security 2013 and Kaspersky Endpoint Security 10.
To understand how Automatic Exploit Prevention detected these threats, let's look at how the technology works.

Automatic Exploit Prevention Technology



Automatic Exploit Prevention (AEP) is an extensive set of technologies that prevent exploits from exploiting vulnerabilities in various programs and in the operating system. AEP also prevents malicious behavior from developing if an exploit did manage to run.

The technology is based on analyzing the behavior of exploits, as well as on information about the applications most often attacked by intruders, such as Adobe Acrobat, Java, Windows components, Internet Explorer and others. Such programs are placed under special control: as soon as one of them tries to run suspicious program code, execution is interrupted and a check begins.


Fig. 1 The principle of operation of the Automatic Exploit Prevention technology

Quite often, before directly infecting the system, exploits first download files. AEP monitors programs' network access and analyzes the origin of files. The technology can also distinguish files created with the user's participation from new, unauthorized ones. Accordingly, an attempt to launch a file that was downloaded from a suspicious source without the user's knowledge will also be blocked.

Another method used in AEP is based on Address Space Layout Randomization (ASLR). Support for this technology is built into the Windows operating system (starting with Vista): it places key data (for example, system libraries) at random locations in the address space, which greatly complicates the exploitation of certain vulnerabilities by attackers. AEP offers the user the Forced Address Space Layout Randomization function, which performs the same operations and is able to work in cases where the similar Windows mechanism is powerless. In particular, Forced ASLR can work in Windows XP.
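Whether Windows randomizes a module at all depends on the module having opted in: the linker records this in the DllCharacteristics field of the PE optional header, and a forced-ASLR feature exists precisely for images that did not opt in, or for systems such as XP that never honor the flag. The following added example, which is not code from the original post or from Kaspersky Lab, parses that field from a PE header and reports the ASLR and DEP opt-in bits, so a defender can list which loaded modules would be left unrandomized by the operating system alone. The minimal PE skeletons it builds are constructed test input, not real executables.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100         # image is DEP/NX compatible
HIGH_ENTROPY_VA = 0x0020   # 64-bit image accepts the full high-entropy ASLR range

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def aslr_status(image: bytes) -> dict:
    """Parse the PE headers of `image` and report its ASLR/DEP opt-in flags.

    Raises ValueError for anything that is not a well-formed PE header, so a
    truncated or non-PE file is reported as an error rather than as 'no ASLR'.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    # Need the signature (4), the COFF header (20) and at least 72 bytes of
    # optional header to reach DllCharacteristics.
    if e_lfanew + 4 + 20 + 72 > len(image):
        raise ValueError("truncated PE headers")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < 72:
        raise ValueError("optional header too small to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 of the optional header in both
    # PE32 and PE32+ (the wider ImageBase in PE32+ replaces BaseOfData).
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }


def modules_lacking_aslr(images: dict) -> list:
    """Names of modules (name -> header bytes) that never opted in to ASLR.

    These are the images that Windows itself will load at their preferred
    base; only a forced-ASLR mechanism can still relocate them.
    """
    return sorted(name for name, data in images.items()
                  if not aslr_status(data)["dynamic_base"])


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: the smallest PE header skeleton the parser accepts.

    Test input only; it is not a loadable executable.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    # Optional header: magic, zero fill up to DllCharacteristics at +70, the
    # flags, then zero fill to the declared size.
    optional = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dll_characteristics)
    optional += b"\0" * (opt_size - len(optional))
    return dos + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    sample = {
        "modern.dll": build_minimal_pe(DYNAMIC_BASE | NX_COMPAT),
        "legacy.dll": build_minimal_pe(NX_COMPAT),
        "x64.dll": build_minimal_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA, pe32plus=True),
    }
    for name, data in sample.items():
        print(name, aslr_status(data))
    print("not randomized by the OS:", modules_lacking_aslr(sample))
```

On a real system the header bytes would come from reading the first few kilobytes of each module file; the parser deliberately refuses malformed input instead of silently reporting "no ASLR", because a truncated header is a different finding from a module that opted out.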

The provider of information about events occurring on the user's computer for AEP is the System Watcher component, which is part of KAV, KIS, Pure and Endpoint 10. System Watcher analyzes in real time the actions of all installed programs and system services on the computer and, in case of suspicious activity, blocks execution. It does this on the basis of so-called BSS patterns (Behavior Stream Signatures), models of malicious behavior that can be used to identify an unknown instance of malicious code.
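To make the behavior-stream idea concrete, here is an added example (not code from the original post or from System Watcher) of a small monitor that keeps per-process state and matches patterns across several events: an exposed application writes a file without the user's involvement and that file is later executed (the file-origin rule described above), an exposed application spawns a shell or script host, and an exposed application starts any other child that is not on an allow-list, which only triggers an inspection. The application list, the allow-list, the event format and the sample events are all assumptions constructed for this illustration.

```python
import ntpath

# Applications that exploits most often target (the page names Adobe Acrobat,
# Java, Internet Explorer and Windows components); assumed process names.
EXPOSED_APPS = {
    "winword.exe", "excel.exe", "acrord32.exe",
    "java.exe", "javaw.exe", "iexplore.exe",
}

# Children an exposed application legitimately starts (constructed allow-list;
# a real product would draw this from its whitelisting data).
ALLOWED_CHILDREN = {"splwow64.exe", "werfault.exe"}

# Shells and script hosts that a document viewer or Java plugin has no
# business launching on its own.
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


class BehaviourMonitor:
    """Minimal behavior-stream matcher.

    Events are fed in order. The monitor remembers which files were written by
    an exposed application without the user's involvement, so that a later
    process_start of such a file is recognized as one pattern even though the
    two events arrive separately.
    """

    def __init__(self):
        self.unauthorized_files = {}   # lower-cased path -> writing process
        self.alerts = []

    def feed(self, event: dict) -> None:
        kind = event["type"]
        if kind == "file_write":
            writer = _name(event["process"])
            if writer in EXPOSED_APPS and not event.get("user_initiated", False):
                self.unauthorized_files[event["path"].lower()] = writer
        elif kind == "process_start":
            parent = _name(event["parent"])
            image = event["image"].lower()
            child = _name(image)
            if image in self.unauthorized_files:
                self._alert("unauthorized_file_executed", parent, image, "block")
            elif parent in EXPOSED_APPS and child in SHELL_HOSTS:
                self._alert("exposed_app_spawns_shell", parent, image, "block")
            elif parent in EXPOSED_APPS and child not in ALLOWED_CHILDREN:
                # Unknown child of an exposed app: execution is interrupted for
                # a check, which may or may not end in a block.
                self._alert("unexpected_child", parent, image, "inspect")

    def _alert(self, pattern, parent, image, action):
        self.alerts.append({"pattern": pattern, "parent": parent,
                            "process": image, "action": action})


def run(events) -> list:
    """Feed a list of events through a fresh monitor and return its alerts."""
    mon = BehaviourMonitor()
    for ev in events:
        mon.feed(ev)
    return mon.alerts


# Constructed sample event stream (not real telemetry).
WINWORD = "C:\\Program Files\\Microsoft Office\\winword.exe"
SAMPLE_EVENTS = [
    {"type": "process_start", "parent": "C:\\Windows\\explorer.exe", "image": WINWORD},
    {"type": "file_write", "process": WINWORD,
     "path": "C:\\Users\\alice\\Documents\\report.docx", "user_initiated": True},
    {"type": "file_write", "process": WINWORD,
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "user_initiated": False},
    {"type": "process_start", "parent": WINWORD,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"type": "process_start", "parent": WINWORD, "image": "C:\\Windows\\splwow64.exe"},
    {"type": "process_start", "parent": "C:\\Program Files\\Java\\bin\\javaw.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"type": "process_start", "parent": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "image": "C:\\Program Files\\Java\\bin\\javaw.exe"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The point of the state kept in `unauthorized_files` is that neither event is suspicious on its own: Word writes files all the time, and a program in the Temp directory may be perfectly legitimate. It is the sequence, a file that an exposed application created without the user and then tried to run, that forms the signature.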


Fig. 2 Exploit detection by Automatic Exploit Prevention

A protection approach based on behavioral analysis is extremely effective against frequently changing malware. If something cannot be detected by static detection methods or cloud technologies, the malware will still be identified by behavioral-analysis technologies, even when it is a previously unknown exploit for a zero-day vulnerability.

This approach made it possible to block exploits which later turned out to be part of the Red October attack.

Technology against 0-day vulnerabilities



Information about another high-profile incident, this time involving the use of the 0-day vulnerability CVE-2013-0422 in versions 1.7 and 10 of the Java application, became publicly available on January 10, 2013 from the publication 'Disable Java plugin Now'. Using this vulnerability, attackers can run arbitrary program code on the attacked computer.
The campaign to spread the exploit for this vulnerability is immense. When visitors click on advertising banners placed in large numbers on legitimate sites in different countries, for example news sites, weather sites or sites with adult content, they are taken to a web resource containing the exploits of one of the most popular exploit bundles, Blackhole, including this Java 0-day.

According to statistics published by Blackhole owners, the effectiveness of this exploit is over 83%.

Fig. 3 Effectiveness of the Java 0-day exploit

Specialists of the cyber threat unit of the US Department of Homeland Security recommend that users disable the Java add-on in web browsers to protect against malicious attacks that use a previously unknown vulnerability in the Java software platform.
How do things stand with protection against this exploit? According to Kaspersky Security Network statistics, the penetration of this exploit onto users' computers was blocked by Kaspersky Lab products, namely by the AEP technology, even before the incident was publicly disclosed. The blocking was carried out using behavioral analysis, i.e. proactively.


Fig. 4 KSN data on the operation of the AEP technology

This exploit was first detected by the AEP technology in early December, i.e. users of our products were protected before it came into active use by virus writers.

Independent test results



Most independent test laboratories today check three key parameters of anti-virus protection: the quality of malicious-code detection, false positives and performance. Only a few of them test more specialized areas, including the quality of exploit detection.
One such test was conducted by MRG in 2012.

The testing methodology was to use the Metasploit Framework and the set of exploits it provides, based on vulnerabilities for which there was no patch from the official vendor at that time. A system was considered protected if initialization of the payload was blocked when the exploit was launched.


Fig. 5 MRG test results

The test results demonstrate the advantage of Kaspersky Lab products as protection against various types of exploits.

Conclusion



Today, exploits are the most common way for malicious code to penetrate a user's computer. They are used both in targeted attacks, such as Red October, and in mass infections through exploit bundles such as Blackhole.

To provide reliable user protection, endpoint security vendors must pay special attention to combating this type of threat. Traditional signature-based methods are not enough, since they can only block known exploits. Therefore, the most effective means of protection are technologies based on behavioral analysis.
Kaspersky Lab has a set of technologies for protection against exploits called Automatic Exploit Prevention (AEP); it is implemented in the KAV, KIS, Pure and Endpoint products. AEP blocks the execution of exploits that exploit vulnerabilities in various programs and in the operating system. AEP also prevents malicious behavior from developing if an exploit did manage to run.

The successful blocking of the malicious code used in Red October and of the Java 0-day exploits, as well as the results of independent tests, prove that AEP is really effective in combating unknown vulnerabilities, including 0-day vulnerabilities.

At the same time, we believe that there is no single technology that can protect the user from all types of threats. And the last percent of protection is the hardest to achieve. Therefore, as a company driven by technological development, we continue to fight for that last percent of user protection and regularly release new technologies such as Whitelist, Application Control, Default Deny and Safe Money. This allows Kaspersky Lab products to provide reliable comprehensive protection against computer threats, including new and previously unknown ones.

The results of testing these technologies are also available:

• Whitelist technology test, organized by West Coast Labs
• Application Control technology benchmarking, organized by West Coast Labs
• Comparison test of Safe Money technology, organized by Matousec.com

Source: https://habr.com/ru/post/169839/
