<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Central &#187; Advanced Persistent Threat</title>
	<atom:link href="http://blogs.mcafee.com/tag/advanced-persistent-threat/feed" rel="self" type="application/rss+xml" />
	<link>http://blogs.mcafee.com</link>
	<description></description>
	<lastBuildDate>Fri, 17 May 2013 22:07:28 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Tracking PDF Usage Poses a Security Problem</title>
		<link>http://blogs.mcafee.com/mcafee-labs/tracking-pdf-usage-poses-a-security-problem</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/tracking-pdf-usage-poses-a-security-problem#comments</comments>
		<pubDate>Fri, 26 Apr 2013 23:18:19 +0000</pubDate>
		<dc:creator>Haifei Li</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[0 day vulnerability]]></category>
		<category><![CDATA[Adobe Reader]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[detection]]></category>
		<category><![CDATA[email tracking service]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[PDF]]></category>
		<category><![CDATA[tracking usage]]></category>
		<category><![CDATA[Zero-Day]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=24235</guid>
		<description><![CDATA[Update on May 2 Adobe has confirmed this vulnerability and has scheduled a patch release for May 14. &#160; Looking back this year&#8217;s RSA Conference, you might have the feeling that the current threat landscape is primarily a series of advanced attacks. This concept includes well-known advanced persistent threats (APTs) and zero-day vulnerability exploits. To <a href="http://blogs.mcafee.com/mcafee-labs/tracking-pdf-usage-poses-a-security-problem">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p><strong>Update on May 2</strong></p>
<p><em>Adobe <a href="http://blogs.adobe.com/psirt/2013/05/adobe-reader-and-acrobat-information-leakage-issue.html">has confirmed this</a> vulnerability and has scheduled a patch release for May 14.</em></p>
<p>&nbsp;</p>
<p>Looking back at this year&#8217;s RSA Conference, you might have the feeling that the current threat landscape is primarily a series of advanced attacks. This concept includes well-known advanced persistent threats (APTs) and zero-day vulnerability exploits. To respond to this trend in threats, McAfee Labs has launched several innovative projects, one of which we call the advanced exploit detection system (AEDS). The AEDS is based on our in-depth understanding of application security, which comes from our long-term, cutting-edge research efforts. We have already seen some interesting results that reflect the effectiveness of the project.</p>
<p>Recently, we detected some unusual PDF samples. After some investigation, we successfully identified that the samples are exploiting an unpatched security issue in every version of Adobe Reader including the latest &#8220;sandboxed&#8221; Reader XI (11.0.2). Although the issue is not a serious problem (such as allowing code execution), it does let people track the usage of a PDF. Specifically, it allows the sender to see when and where the PDF is opened.</p>
<p><b>The vulnerability</b></p>
<p>When a specific PDF JavaScript API is called with the first parameter having a UNC-located resource, Adobe Reader will access that UNC resource. However, this action is normally blocked and creates a warning dialog asking for permission, such as we see below:</p>
<p><a href="http://blogs.mcafee.com/wp-content/uploads/2013/04/pdf_track_of_usage1.png"><img class="alignnone size-full wp-image-24236" alt="pdf_track_of_usage1" src="http://blogs.mcafee.com/wp-content/uploads/2013/04/pdf_track_of_usage1.png" width="427" height="191" /></a></p>
<p>The danger is that if the second parameter is provided with a special value, it changes the API&#8217;s behavior. In this situation, if the UNC resource exists, we see the warning dialog. However, if the UNC resource does not exist, the warning dialog will not appear even though the TCP traffic has already been sent.</p>
<p>The following screen capture shows the outgoing traffic:</p>
<p><a href="http://blogs.mcafee.com/wp-content/uploads/2013/04/pdf_track_of_usage2.png"><img class="alignnone size-full wp-image-24237" alt="pdf_track_of_usage2" src="http://blogs.mcafee.com/wp-content/uploads/2013/04/pdf_track_of_usage2.png" width="767" height="165" /></a></p>
<p><b>How does this affect users?</b></p>
<p>Is this a serious problem? No, we don&#8217;t want to overvalue the issue. However, we do consider this issue a security vulnerability. Considering this, we have reported the issue to Adobe and we are waiting for their confirmation and a future patch. We are also hiding the key details of the vulnerability to protect Reader users. We may update this post at some point after we see a patch from Adobe.</p>
<p>Some people might leverage this issue just out of curiosity to know who has opened their PDF documents, but others won&#8217;t stop there. An APT attack usually consists of several sophisticated steps. The first step is often collecting information about the victim; this issue opens the door. Malicious senders could exploit this vulnerability to collect sensitive information such as IP address, Internet service provider, or even the victim&#8217;s computing routine. In addition, our analysis suggests that more information could be collected by calling various PDF JavaScript APIs. For example, the document&#8217;s location on the system could be obtained by reading the JavaScript &#8220;this.path&#8221; property.</p>
<p><b>Who is exploiting this issue?</b></p>
<p>We have detected some PDF samples in the wild that are exploiting this issue. Our investigation shows that the samples were made and delivered by an &#8220;email tracking service&#8221; provider. We don&#8217;t know whether the issue has been abused for illegal or APT attacks.</p>
<p><b>Conclusion and protection</b></p>
<p>This interesting case highlights the point that privacy protection is a part of security. It shows that we can form different opinions depending on our goals (such as security protection vs. email tracking service).</p>
<p>This case also demonstrates that we need to constantly explore methods of detection because these examples won’t trigger memory corruption or code execution. Some of the most advanced detection technologies in the industry failed to detect them. We are happy to see that our AEDS is filling the gap.</p>
<p>Until Adobe creates a patch, Reader users should consider disabling JavaScript in Reader.</p>
<p>&nbsp;</p>
<p><i>Thanks to my colleagues Bing Sun, Xiaobo Chen, and Chong Xu for their help with this investigation.</i></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/tracking-pdf-usage-poses-a-security-problem/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Science Behind Gausswork</title>
		<link>http://blogs.mcafee.com/cto/the-science-behind-gausswork</link>
		<comments>http://blogs.mcafee.com/cto/the-science-behind-gausswork#comments</comments>
		<pubDate>Wed, 15 Aug 2012 16:58:13 +0000</pubDate>
		<dc:creator>Raj Samani</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[APTs]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[Flame]]></category>
		<category><![CDATA[Gauss]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[IPS]]></category>
		<category><![CDATA[McAfee Security]]></category>
		<category><![CDATA[Night Dragon]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=17910</guid>
<description><![CDATA[‘Nation-state sponsored cyber attacks’ – A powerful statement, and one that represented the majority of recent headlines in press articles about the Gauss malware. The targeted nature of the attack and its complexity were cited as examples to support ‘Gauss-es’ about attribution. Whilst the speculation makes for excellent media stories and fuels alcohol-induced <a href="http://blogs.mcafee.com/cto/the-science-behind-gausswork">Read more...</a>]]></description>
<content:encoded><![CDATA[<p>‘Nation-state sponsored cyber attacks’ – A powerful statement, and one that represented the majority of recent headlines in press articles about the Gauss malware. The targeted nature of the attack and its complexity were cited as examples to support ‘Gauss-es’ about attribution.</p>
<p>Whilst the speculation makes for excellent media stories and fuels alcohol-induced debates at security conferences, for the beleaguered CISO faced with the threats it really becomes nothing more than an afterthought. Whether we are discussing Flame, Gauss, Night Dragon, or any other attack, the first question asked will be:</p>
<p><em>Is my organisation impacted? </em></p>
<p>Of course, depending on the answer, management is likely to seek a whole host of additional answers, such as what information was leaked, how long was the threat on our network, and why didn’t <span style="text-decoration: underline;">you</span> stop it? Some organisations may well rephrase the last question to ask why didn’t <em><span style="text-decoration: underline;">we</span></em> stop it?</p>
<p>The key question that should be (and not always is) asked is how do <em><span style="text-decoration: underline;">we</span></em> prevent ourselves from being compromised again? Threats of this nature are invariably difficult to detect, which explains why with Gauss the threat appeared to be active for 10 months. Authors will dedicate effort with the explicit intention of remaining as stealthy as possible, a far cry from website defacements and declarations on social media of compromised organisations or intended targets. The standard response is, as expected, ‘Defence in depth’, and quite rightly so. As was documented in the McAfee Advanced Persistent Threat solution brief<a title="" href="#_ftn1">[1]</a>: ‘There is no silver bullet for APTs because it’s more than firewall and IPS, more than anti-malware, and more than data loss prevention’.</p>
<p>Those tasked with building the defences have to be well-funded and versed in information security. They also need to be patient in building an effective security management programme, as developing security maturity does not happen overnight and is an ongoing, iterative process. For example, security awareness is a continuous effort that demands constant reminders for employees on adopting best practices. When we consider the ‘modus operandi’ for many of these ‘APT’ types of attacks, they invariably utilise the inherent human propensity to click before they think!</p>
<p>Sharing information about the threats allows organisations to begin to answer that initial question. Although the answer may be painful, there is no benefit in burying one’s head in the sand, and without it, building the defences to mitigate the risk of it happening again becomes almost impossible!</p>
<p>Raj Samani</p>
<p>McAfee EMEA CTO<br />
Twitter: @Raj_Samani</p>
<div>
<hr align="left" size="1" width="33%" />
<p><a title="" href="#_ftnref1">[1]</a> <a href="http://www.mcafee.com/us/resources/solution-briefs/sb-advanced-persistent-threats.pdf">http://www.mcafee.com/us/resources/solution-briefs/sb-advanced-persistent-threats.pdf</a></p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/the-science-behind-gausswork/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Skywiper – Fanning the &#8216;Flames&#8217; of Cyberwarfare</title>
		<link>http://blogs.mcafee.com/security-perspectives/skywiper-fanning-the-flames-of-cyber-warfare</link>
		<comments>http://blogs.mcafee.com/security-perspectives/skywiper-fanning-the-flames-of-cyber-warfare#comments</comments>
		<pubDate>Mon, 28 May 2012 17:30:10 +0000</pubDate>
		<dc:creator>Peter Szor</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Security Perspectives]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[cyberespionage]]></category>
		<category><![CDATA[cyberwarfare]]></category>
		<category><![CDATA[espionage]]></category>
		<category><![CDATA[global threat intelligence]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[targeted attack]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=16413</guid>
		<description><![CDATA[A few weeks ago, Iran reported intensified cyberattacks on its energy sector that they observed as a direct continuation of the Stuxnet and Duqu attacks. Over the weekend, the IR Cert (Iran’s emergency response team) published a new report that describes this attack as Flame and/or Flamer. Some other news agencies also called  the attack <a href="http://blogs.mcafee.com/security-perspectives/skywiper-fanning-the-flames-of-cyber-warfare">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>A few weeks ago, Iran reported intensified cyberattacks on its energy sector that they observed as a direct continuation of the Stuxnet and Duqu attacks.</p>
<p>Over the weekend, the IR Cert (Iran’s emergency response team) published a new report that describes this attack as Flame and/or Flamer. Some other news agencies also called the attack Viper. The complex functionality of the malware is controlled by command servers, of which there are possibly dozens. The malware is also capable of slowly spreading via USB drives.</p>
<p>CrySys Lab, a Hungarian security team, noticed that a complex threat it had been analyzing for weeks was clearly the same threat as Flamer. They published a large, preliminary document, several dozen pages in size, that described the complex malware. The report shows that a lot more work has to be done to analyze the full details of this malware, as it has some extraordinary complexity.</p>
<p>Previously, other cyberthreats such as Stuxnet and Duqu required months of analysis; this threat is clearly an order of magnitude more complex. Just to give an idea of the complexity, one of its smallest encrypted modules is more than 70,000 lines of decompiled C code, which contains over 170 encrypted “strings”!</p>
<p>Evidently, the threat has been developed over many years, possibly by a large group or dedicated team.</p>
<p>We found publicly available reports from antispyware companies, and log files in public help forums, that could indicate infections of early variants of Skywiper in Europe and Iran several years ago (for example, in March 2010). Skywiper appears to be more widely spread than Duqu, with a similarly large number of variants.</p>
<p>Skywiper is a modular, extendable, and updateable threat. It is capable of, but not limited to, the following key espionage functions:</p>
<p>- Scanning network resources<br />
- Stealing information as specified<br />
- Communicating with control servers over the SSH and HTTPS protocols<br />
- Detecting the presence of over 100 security products (AV, antispyware, firewall, etc.)<br />
- Using both kernel- and user-mode logic<br />
- Employing complex internal functionality using Windows APC calls and thread-start manipulation, and code injection into key processes<br />
- Loading as part of Winlogon.exe and then injecting itself into Internet Explorer and services<br />
- Concealing its presence as ~-prefixed temp files, just like Stuxnet and Duqu<br />
- Attacking new systems over USB flash memory and the local network (spreading slowly)<br />
- Creating screen captures<br />
- Recording voice conversations<br />
- Running on Windows XP, Windows Vista, and Windows 7 systems<br />
- Containing known exploits, such as the print spooler and LNK exploits found in Stuxnet<br />
- Using an SQLite database to store collected information<br />
- Using a custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)<br />
- Often located on nearby systems on the local network, used both as control servers and as infection targets<br />
- Using PE-encrypted resources</p>
<p>To summarize, the threat shows great similarity to Stuxnet and Duqu in some of its ways of operation, yet its code base and implementation are very different, and much more complex and robust in its basic structure.</p>
<p>Skywiper’s main executable files:</p>
<p>Windows\System32\mssecmgr.ocx – Main module<br />
Windows\System32\msglu32.ocx<br />
Windows\System32\nteps32.ocx<br />
Windows\System32\advnetcfg.ocx<br />
Windows\System32\soapr32.ocx</p>
<p><strong>Misleading Program Information Blocks</strong></p>
<p>According to its program information block, the main module pretends to be written by Microsoft Corporation. It claims to be a “Windows Authentication Client” for Microsoft Windows Version 5.1 (2600 Build). Several other modules also claim to be Microsoft Windows components. However, none of the files analyzed so far are signed with a valid (or even possibly stolen) key, as was the case with Duqu and Stuxnet.</p>
<p>Further key filenames of the threat can include:</p>
<p>~dra52.tmp<br />
target.lnk<br />
zff042<br />
urpd.ocx<br />
ccalc32.sys<br />
boot32drv.sys<br />
Pcldrvx.ocx<br />
~KWI<br />
guninst32<br />
~HLV<br />
~DEB93D.tmp<br />
~DEB83C.tmp<br />
~dra53.tmp<br />
cmutlcfg.ocx<br />
~DFL983.tmp<br />
~DF05AC8.tmp<br />
~DFD85D3.tmp<br />
~a29.tmp<br />
dsmgr.ocx<br />
~f28.tmp<br />
~dra51k.tmp<br />
~d43a37b.tmp<br />
~dfc855.tmp<br />
Ef_trace.log<br />
contents.btr<br />
wrm3f0<br />
scrcons.exe<br />
wmiprvse.exe<br />
wlndh32<br />
mprhlp<br />
kbdinai<br />
~ZLM0D1.ocx<br />
~ZLM0D2.ocx<br />
sstab<br />
~rcf0<br />
~rcj0</p>
<p><strong>Mutex usage</strong></p>
<p>The threat files also use the TH_POOL_SHD_PQOISNG_#PID#SYNCMTX Mutex name to identify already infected systems, a common technique in modern malware. The #PID# is the process ID of the process in which the injection of the threat occurred.</p>
<p><strong>I change my name; I change my extension</strong></p>
<p>The threat files can change both filenames and extensions, according to specific control server requests, as well as configuration usage. In some cases, Skywiper detects specific antivirus software. The malware might then change the extension of the executable files (DLLs) from OCX to TMP, for example. However, we have not always seen this functionality on affected systems, especially if the threat has been installed prior to the security product in question.</p>
<p>Skywiper’s main module is over 6MB in size, while the completely deployed set is close to 20MB. Yes, this is a lot of code for malware, but it is necessary to carry complex libraries such as zlib, a Lua interpreter, SQLite support, custom database support code, and so on.</p>
<p>Encryption includes simple obfuscation such as XOR with a byte value. The XOR key, 0xAE, has appeared in some other cases, showing a potential relationship to Duqu and Stuxnet, as they also used this value. However, Stuxnet and Duqu always used other values in conjunction with this byte, which included dates of possible meaning.</p>
<p>Other than the above, Skywiper does not show a direct relationship in its code to Stuxnet or Duqu at this point. It uses a similar yet more complex structure, which in many ways reminds researchers of these attacks. In some ways it could be a parallel project, as the early date may suggest. The attack files showed recent development in January and August 2011, according to some of the leftover date values in its files. The dates in the file headers have been purposely changed (claiming to be from 1994, etc.), but export-table date values and dates elsewhere in the files indicate 2011.</p>
<p>The main module of Skywiper starts via the registry, over an exported function:</p>
<p>HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Lsa\Authentication Packages<br />
- mssecmgr.ocx</p>
<p>Initial infections gathered by our network sensors are shown on the map below:</p>
<p><a href="http://blogs.mcafee.com/wp-content/uploads/2012/05/szor_blog_map.bmp"><img class="alignnone size-full wp-image-16426" title="Skywiper Threat Map" alt="" src="http://blogs.mcafee.com/wp-content/uploads/2012/05/szor_blog_map.bmp" /></a></p>
<p>Generally, attackers try to conceal their presence by infecting locations unrelated to the main targets, possibly to further conceal their identity, and then use these locations as control servers. Continuing research will certainly need to take this into consideration.</p>
<p>McAfee antivirus products will detect and clean the threat as W32/Skywiper from infected systems. Our initial data indicates that there are multiple variants of this threat in the field.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/security-perspectives/skywiper-fanning-the-flames-of-cyber-warfare/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Shady RAT Is Not a Botnet</title>
		<link>http://blogs.mcafee.com/mcafee-labs/shady-rat-is-not-a-botnet</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/shady-rat-is-not-a-botnet#comments</comments>
		<pubDate>Fri, 19 Aug 2011 16:44:08 +0000</pubDate>
		<dc:creator>Dr. Phyllis Schneck</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[attacks]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[Shady RAT]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=10684</guid>
		<description><![CDATA[Eugene Kaspersky has weighed in this week on Shady RAT, criticizing McAfee for exposing an operation that attacked a wide range of companies, governments, and nonprofit organizations across 14 countries and numerous sectors of the economy. Among other things, Kaspersky says he doesn&#8217;t believe it was a sophisticated attack and that our approach is alarmist. He&#8217;s missing <a href="http://blogs.mcafee.com/mcafee-labs/shady-rat-is-not-a-botnet">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Eugene Kaspersky has weighed in this week on <a href="http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat">Shady RAT,</a> criticizing McAfee for exposing an operation that attacked a wide range of companies, governments, and nonprofit organizations across 14 countries and numerous sectors of the economy. Among other things, Kaspersky says he doesn&#8217;t believe it was a sophisticated attack and that our approach is alarmist. He&#8217;s missing the point.</p>
<p>McAfee exposed Operation <a href="http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat">Shady RAT,</a> a massive case of espionage and wealth transfer. The intellectual property and confidential information of companies and agencies worldwide has been stolen by a single adversary over a 5+ year period. This attack was exposed so honest global communities can be aware of the urgency of cross-sector cyberresiliency. The cyberadversaries are agile and fast and disregard the law. They share information with ease and they execute their will upon companies, markets, and potentially entire economies. We lack the alacrity to defend against this threat without public-private collaboration, which begins with global awareness&#8211;the very thing we must promote to protect our way of life. It is unfortunate that Mr. Kaspersky takes issue with providing information to the public.</p>
<p>Would it be alarmist to let a bank know that someone has just walked out with a wad of cash while they weren&#8217;t paying attention? It doesn&#8217;t matter how sophisticated the attack is if it results in material loss. If a bank robber gets $100 million by walking in the front door with a gun, it&#8217;s news&#8211;not because the attack is novel, but because of its effectiveness. It&#8217;s not the sophistication of the attack that’s important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture.</p>
<p>Speaking of technical arguments, apparently Mr. Kaspersky has gotten it in his head that Shady RAT is a botnet. Really? Unfortunately for Mr. Kaspersky, he is getting botnets and advanced persistent threats confused. In this case, the APT should really be called an SPT (Successful Persistent Threat). It was only as advanced as it needed to be. The impressive thing here was the breadth of targets, the length of the attack, and the amount of data taken, remembering also that we know of only 72 companies/organizations victimized through one command and control server, out of hundreds or more used by this adversary. Quiet, insidious, market-changing threats like these hide in the noise of botnets, &#8220;hacks,&#8221; and other high-profile or nuisance events.</p>
<p>We invite critics to join with McAfee and our greater global community and focus on what we can do collectively to keep organizations safe from these types of attacks, prosecute and lower the profit model for the adversaries, and to protect our critical infrastructures and way of life worldwide.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/shady-rat-is-not-a-botnet/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Safeguarding Against Advanced Persistent Threats</title>
		<link>http://blogs.mcafee.com/risk-compliance/safeguarding-against-advanced-persistent-threats</link>
		<comments>http://blogs.mcafee.com/risk-compliance/safeguarding-against-advanced-persistent-threats#comments</comments>
		<pubDate>Wed, 06 Apr 2011 18:25:39 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Risk Compliance]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[McAfee Application Control]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=8638</guid>
		<description><![CDATA[Advanced persistent threats like we’ve seen with Stuxnet and Night Dragon target the manufacturing and process industry, including national critical infrastructure.  The industrial revolution started our reliance on automation. However as the industry became more integrated, modular and adaptable to broader industrial processing it also grew more vulnerable and susceptible to attack. Adding further complication <a href="http://blogs.mcafee.com/risk-compliance/safeguarding-against-advanced-persistent-threats">Read more...</a>]]></description>
<content:encoded><![CDATA[<p>Advanced persistent threats like we’ve seen with Stuxnet and Night Dragon target the manufacturing and process industry, including national critical infrastructure. The industrial revolution started our reliance on automation. However, as the industry became more integrated, modular and adaptable to broader industrial processing, it also grew more vulnerable and susceptible to attack. Adding further complication is the fact that most nations today rely heavily on automated processing controls and all kinds of people have detailed knowledge about the functional aspects of these systems. In fact, a recent Ponemon Institute report found that three in four energy firms experienced a data breach in the past twelve months.</p>
<p>The systems in question are advanced controllers that cannot afford to behave erratically, because erratic behavior can lead to lost time, destruction of property, production safety issues and even fatalities. The consequences of altering the integrity of integrated automation systems are somewhat predictable and very unpleasant. Implementing off-the-shelf security solutions on these systems can be very risky if not thoroughly examined and tested. Furthermore, few companies have adequate test environments or the resources to explore this option.</p>
<p>We are pleased that Siemens-Division of Industry Automation has tested the compatibility of <a href="http://www.mcafee.com/us/products/application-control.aspx">McAfee Application Control</a> with their systems to defend against advanced persistent threats. As part of this joint effort, McAfee Application Control for Siemens-Division Industry Automation is available now from McAfee and its partners to deliver effective security controls and ongoing integrity of these systems.</p>
<p>No one wants to consider the disruptive possibilities that advanced persistent threats bring to our world. We at McAfee will continue to monitor these threats and look for ways to provide proper protection.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/risk-compliance/safeguarding-against-advanced-persistent-threats/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twirling Mustaches &amp; Hatching Plots: Advanced Persistent Threats</title>
		<link>http://blogs.mcafee.com/security-connected/twirling-mustaches-hatching-plots-advanced-persistent-threats</link>
		<comments>http://blogs.mcafee.com/security-connected/twirling-mustaches-hatching-plots-advanced-persistent-threats#comments</comments>
		<pubDate>Mon, 13 Sep 2010 20:10:51 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Security Connected]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Operation Aurora]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=3977</guid>
		<description><![CDATA[Advanced Persistent Threats or APTs have many definitions. In most cases it’s an over used and abused marketing term adopted by point solution security vendors to talk about their ability to stop “bad things.” The term most generally defines an adversary with formidable means, organization, and motivation: they’re on a mission. It is often associated <a href="http://blogs.mcafee.com/security-connected/twirling-mustaches-hatching-plots-advanced-persistent-threats">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Advanced Persistent Threats or APTs have many definitions. In most cases it’s an over used and abused marketing term adopted by point solution security vendors to talk about their ability to stop “bad things.” The term most generally defines an adversary with formidable means, organization, and motivation: they’re on a mission. It is often associated with espionage, and as such the concept predates the digital era and can be traced back to the earliest documentation of intelligence gathering recorded by military strategists such as Sun-Tzu and Chanakya. Richard Bejtlich of GE provides a great overview of APT in a recent <a href="http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1516312_mem1,00.html">article</a> for SearchSecurity.</p>
<p>Talking about APTs has become increasingly popular over the last year. This is in part because of a series of cyber attacks dubbed <a href="http://en.wikipedia.org/wiki/Operation_Aurora">Operation Aurora</a>. These attacks started in mid-2009; Google, Northrop Grumman, Dow Chemical and around 30 other companies were targeted, and it has been speculated that these attacks originated in China. Operation Aurora was considered an APT because the attacks were sophisticated, targeted, stealthy, and designed for long-term manipulation of their targets. Over the last decade there have been several other attacks thought to be from China that could fall into the APT category, including:</p>
<p><strong>Titan Rain</strong> – A series of attacks in 2003 that extracted information equivalent in size to the Library of Congress from Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, NASA and several other government organizations.</p>
<p><strong>F-35 Joint Strike Fighter</strong> – In 2009 the Wall Street Journal reported that the Pentagon’s $300 billion project had terabytes of data stolen.</p>
<p>When it comes to understanding APT, and the risk it poses to your business, you first need to consider four things: the actors, their motives, the targets, and goals. Once you understand these four aspects of an APT, you can better outline your own security strategy:</p>
<p><strong>Actors:</strong> The actors behind an APT could be part of a terrorist group, activist group, or members of organized crime. Many perceive these actors as radical parts of a nation-state, but sympathizers and non-state participants can also be involved in APTs, as seen in China with the antiCNN.exe attacks and in Russia with the Nashi youth groups, where non-government citizens are called upon to engage in patriotic online attacks. We see many APTs based in Eastern European countries, Russia or China.</p>
<p><strong>Motives:</strong> Hackers conducting an APT are almost always motivated by economic or political gain. These folks either want to make a significant amount of money from what they’re stealing, or they are driven by a strong ideology that is fundamentally at odds with an organization or group.</p>
<p><strong>Targets:</strong> APT targets are often organizations such as the mainstream media, government, defense contractors, academic institutions or high-powered individuals in control of sought-after, highly sensitive information. Organizations tied to state utility services are often targets.</p>
<p><strong>Goals:</strong> Organizations involved in APT want to remain stealthy, or at least the organizers do. They will create backdoors, hide footprints, and take other measures to remain undetected while keeping alternative paths in. Ultimately they want sensitive data, they want to monitor communications, they want to disrupt operations, or some combination of all three.</p>
<p>Of imminent concern is the recent <a href="http://threatpost.com/en_us/blogs/stuxnet-attack-shows-signs-nation-state-involvement-experts-say-080410">Stuxnet</a> worm found on industrial control systems in the US, India, Iran and a handful of other nations this July. Now this is one sophisticated, expensive, and purpose-built worm. While the exact origins and motives behind Stuxnet are unknown, it is likely that it isn’t built to steal sensitive information or hold industrial control facilities hostage. There are far better ways to accomplish this. It targets controllers – the stuff that turns things on and off. It exploits a zero-day vulnerability, uses stolen code-signing certificates, leverages a rootkit and does all of this, for the very first time we’ve ever seen it, on programmable logic controllers. Read: this worm is built to take over control of system operations. Not good.</p>
<p>So, what do <em>you</em> need to know about protecting against APT? Here are my thoughts in a nutshell:</p>
<p>First, there is no silver bullet for APT. If anybody offers you an anti-APT box – don’t walk away, run.</p>
<p>Take a risk-based approach to your security, rather than a threat-based approach. This may sound counter-intuitive, but trust me. Do discovery on your sensitive assets and create a broad, deep view of your network and assets from a centralized location. Integrate threat intelligence into your overall strategy so you understand the behaviors and techniques of the attackers. Break down the silos. Disparate security silos give APT attackers the advantage. A connected, integrated strategy is the best bet against APTs, whether your organization is a Fortune 50 or a company of 50.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/security-connected/twirling-mustaches-hatching-plots-advanced-persistent-threats/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
