
Technology to combat MiniDuke. Simple protection against complex threats?

Just a year ago, many were convinced that targeted attacks (not to be confused with cyber-weapons) were directed exclusively at American and Western European companies. However, the exposure of the Red October cyber-espionage operation by Kaspersky Lab experts dispelled the myth of the narrow geographic focus of such threats.

Further proof of the scale was not long in coming. On February 27, Kaspersky Lab published a new report on a study of a number of cyber-espionage incidents against government agencies and scientific organizations around the world. The malicious program MiniDuke continues to attack its victims in Ukraine, Belgium, Portugal, Romania, the Czech Republic, Ireland and other countries to this day. Specially for Habr, this report on the new threat was prepared by Vladimir Zapolyansky, deputy head of the global research center and head of Kaspersky Lab's technology positioning department.

[Image: a tweet from an account created by the command server operators, containing a specific tag that marks an encrypted URL for use by the backdoors.]
To penetrate the victim's computer, MiniDuke uses an exploit for the newly discovered 0-day vulnerability CVE-2013-0640 in Adobe Reader versions 9, 10 and 11. After a PDF file received via email is opened, a small (20 KB) malicious module is installed on the computer. A characteristic feature of the attack is that this module is written in assembler, in a style that was popular with virus writers in the late 1990s and early 2000s and is very rarely used today.

After penetration, the program contacts its creators via the Twitter microblogging service, where it searches for tweets in accounts previously created by the attackers. Following the links posted on Twitter, it downloads the bulk of the malicious code. The download is carried out in several stages, after which the malicious code begins to function as a backdoor, giving the attacker access to any data stored on the victim's computer.

Is there any protection against MiniDuke?


Today, many anti-virus security companies block MiniDuke with signature or heuristic methods. However, this detection of the malicious code became possible only after information about the Adobe Reader 0-day vulnerability became publicly known, namely from February 12, 2013. Adobe released a patch closing this vulnerability on February 20, 2013.

This means that for a long time many anti-virus companies might not have had a solution for protecting against this targeted attack: the exploit used in the attack can successfully bypass such advanced anti-exploit technologies as ASLR and DEP.

Protection of Kaspersky Lab


As the Kaspersky Security Network (KSN) data shows, the payload (shellcode) of the Adobe Reader exploit was blocked by our products for corporate and home users even before we learned of this attack's existence.

[Figure 1: Kaspersky Security Network statistics for February 2013. Geographic distribution and number of blocked attempts to execute, on users' computers, the shellcode used in the Adobe Reader exploit.]

Moreover, blocking statistics for this shellcode for 2012 indicate that it was in use earlier.

[Figure 2: Kaspersky Security Network statistics for 2012. Geographic distribution and number of blocked attempts to execute, on users' computers, the shellcode used in the Adobe Reader exploit.]

This shellcode was first discovered and blocked by our products at the end of 2010!

[Figure 3: Kaspersky Security Network statistics from 2010 to 2013. Geographic distribution and number of blocked attempts to execute, on users' computers, the shellcode used in the Adobe Reader exploit.]

Thus, the payload (shellcode) used in the Adobe Reader exploit for the MiniDuke cyber attack has been successfully blocked by our products since 2010.

This happens at the stage when email messages are analyzed by Mail Anti-Virus. If an email carrying a malicious object attempts to reach the computer, a user of Kaspersky Lab products simply receives the email with the file removed and a notice that the file contained a malicious program with the verdict Exploit.JS.Pdfka.giw.

[Figure 4: Notification to the user about blocking the exploit shellcode when receiving mail, in interactive and non-interactive modes.]

How was it possible to block this shellcode before we learned about its existence?

Detecting complex threats, including targeted attacks, usually involves several layers of protection. One of the key ones is Automatic Exploit Prevention. It was this proactive technology that worked effectively when Red October was detected, and also against the Java 0-day about which public information appeared in January 2013.

[Figure 6: Kaspersky Lab's multi-level protection model.]

However, in the case of MiniDuke, everything turned out to be much simpler. In August 2010, our anti-virus experts created a heuristic signature to block many exploits targeting vulnerabilities in Adobe Reader. It is this layer of the multi-layer protection implemented in our products that worked effectively in this case.

Heuristic detection by Kaspersky Lab


Heuristic analysis belongs to the class of proactive protection technologies. It makes it possible to find files infected with an unknown virus or with a new modification of a known one. This technology allows a large number of malicious files to be blocked with a single signature, which at the same time improves the quality of detection and reduces the size of the anti-virus databases.

Our products implement both static and dynamic analysis.

Static analysis scans the code for suspicious commands that may be a sign of malware. For example, a characteristic of a malicious program may be behavior in which it searches for executable files and subsequently modifies them.

The heuristic analyzer scans the program code and, on encountering a suspicious command or fragment, increments the program's "suspicion counter". If, after the entire program has been scanned, the value of this counter exceeds a certain threshold, the object is recognized as suspicious.

With dynamic analysis, the launch of the object's program is emulated in a virtual address space. If during emulation the heuristic analyzer detects suspicious actions, the program or object is recognized as malicious and its launch on the user's computer is blocked.
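As an added illustration of the static "suspicion counter" model described above (example code written for this edit, not Kaspersky Lab's engine): a toy static analyzer that scans the raw bytes of a PDF for weighted indicators and compares the total against a threshold. The indicators, weights, threshold and both sample documents are constructed assumptions.

```python
import re

# Each indicator is (pattern, weight, label). Weights and patterns are
# constructed for this example; a real engine uses far richer signatures.
INDICATORS = [
    (re.compile(rb"/JavaScript|/JS\b"), 2, "embedded JavaScript"),
    (re.compile(rb"/OpenAction|/AA\b"), 2, "auto-run action"),
    (re.compile(rb"/Launch"), 3, "launch action"),
    # unescape() of a long run of %uXXXX words is typical of shellcode staging
    (re.compile(rb"unescape\s*\(\s*['\"](%u[0-9a-fA-F]{4}){8,}"), 4,
     "unescape'd shellcode-like string"),
    (re.compile(rb"(%u9090){2,}"), 3, "NOP sled"),
    (re.compile(rb"String\.fromCharCode|eval\s*\("), 1, "obfuscation primitive"),
    (re.compile(rb"#[0-9a-fA-F]{2}"), 1, "hex-escaped name"),
]
THRESHOLD = 5  # constructed value; tune on a benign/malicious corpus


def score(data: bytes):
    """Return (suspicion counter, list of indicator labels that fired).

    Each indicator is counted once no matter how many times it matches,
    so a document is not over-penalised for one repeated construct."""
    total = 0
    hits = []
    for pattern, weight, label in INDICATORS:
        if pattern.search(data):
            total += weight
            hits.append(label)
    return total, hits


def is_suspicious(data: bytes) -> bool:
    return score(data)[0] >= THRESHOLD


# Constructed sample documents: a plain text page, and one with an
# auto-run JavaScript action that stages a NOP sled via unescape().
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"4 0 obj << /Length 44 >> stream\n"
              b"BT /F1 12 Tf 72 712 Td (Hello) Tj ET\nendstream endobj\n")
SUSPICIOUS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
                  b"5 0 obj << /S /JavaScript /JS (var s = unescape('"
                  b"%u9090%u9090%u9090%u9090%u4141%u4141%u4141%u4141');"
                  b" var a = []; for (var i = 0; i < 200; i++) a.push(s);"
                  b" eval(s);) >> endobj\n")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, score(doc), "->", "BLOCK" if is_suspicious(doc) else "allow")
```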

In our products, a number of components use heuristic analysis, such as File Anti-Virus, Mail Anti-Virus, Web Anti-Virus, IM Anti-Virus, Application Activity Control, etc.

Conclusion


However, the simple way in which this threat was blocked does not mean that all such attacks can be neutralized in the same way.
Therefore, we continue to improve our multi-level approach to protecting the user and regularly release new technologies, such as Whitelist, Application Control, Default Deny and Safe Money. This allows Kaspersky Lab products to provide reliable, comprehensive protection against computer threats, including new and previously unknown ones.

Source: https://habr.com/ru/post/172293/
