<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Central &#187; Stuxnet</title>
	<atom:link href="http://blogs.mcafee.com/tag/stuxnet/feed" rel="self" type="application/rss+xml" />
	<link>http://blogs.mcafee.com</link>
	<description></description>
	<lastBuildDate>Wed, 22 May 2013 17:16:09 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>&#8216;Hacktivity 2011&#8242; Keynote Examines 25 Years of Malware</title>
		<link>http://blogs.mcafee.com/mcafee-labs/hacktivity-2011-keynote-examines-25-years-of-malware</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/hacktivity-2011-keynote-examines-25-years-of-malware#comments</comments>
		<pubDate>Fri, 09 Dec 2011 17:10:55 +0000</pubDate>
		<dc:creator>Peter Szor</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[fake anti-virus software]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[Hacktivity]]></category>
		<category><![CDATA[ICS]]></category>
		<category><![CDATA[industrial control systems]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Rootkits]]></category>
		<category><![CDATA[Stuxnet]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=12835</guid>
		<description><![CDATA[In September, I had the pleasure of giving the keynote speech at &#8220;Hacktivity 2011&#8243; in Budapest, Hungary. I was very excited to see the large audience, about 1,000 visitors, among them very serious and well-known security professionals, instructors, and security enthusiasts. It was also exciting for me because I made the presentation in my native <a href="http://blogs.mcafee.com/mcafee-labs/hacktivity-2011-keynote-examines-25-years-of-malware">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>In September, I had the pleasure of giving the keynote speech at &#8220;Hacktivity 2011&#8243; in Budapest, Hungary. I was very excited to see the large audience, about 1,000 visitors, among them very serious and well-known security professionals, instructors, and security enthusiasts. It was also exciting for me because I made the presentation in my native Hungarian. I very much enjoyed the conference and was able to meet a lot of talented young security researchers.</p>
<p>The presentation was translated during the talk and the speech is also available in English. Do not be surprised by the fact that the introduction will be made by a male voice, followed by several translators in real time who had to put complex security terms in plain English, while I talked very fast! </p>
<p>The presentation covers several important developments in the history of the last 25 years of computer malware. It has been an exciting journey for me to dedicate a large part of my life to the problems of computer threats. The presentation also details industrial control system attacks, their history, Stuxnet, and recent interesting fake AV and rootkit developments. Many of the techniques were not publicly discussed prior to my talk. Enjoy!</p>
<p>The English version:</p>
<p><iframe src="http://player.vimeo.com/video/31890217" width="500" height="281" frameborder="0" webkitAllowFullScreen mozallowfullscreen allowFullScreen></iframe></p>
<p>And for those of you who would like to listen in Hungarian, the talk is available here:</p>
<p>Hacktivity 2011 &#8211; Szőr Péter: Küzdelem a kártékony kódok ellen</p>
<p><iframe src="http://player.vimeo.com/video/31994165" width="500" height="281" frameborder="0" webkitAllowFullScreen mozallowfullscreen allowFullScreen></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/hacktivity-2011-keynote-examines-25-years-of-malware/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ZeroAccess Rootkit Launched by Signed Installers</title>
		<link>http://blogs.mcafee.com/mcafee-labs/zeroaccess-rootkit-launched-by-signed-installers</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/zeroaccess-rootkit-launched-by-signed-installers#comments</comments>
		<pubDate>Mon, 21 Nov 2011 20:19:10 +0000</pubDate>
		<dc:creator>Peter Szor</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[Digital Certificates]]></category>
		<category><![CDATA[Duqu]]></category>
		<category><![CDATA[Rogue Certificates]]></category>
		<category><![CDATA[rootkit]]></category>
		<category><![CDATA[RootkitRemover]]></category>
		<category><![CDATA[Stuxnet]]></category>
		<category><![CDATA[ZeroAccess]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=12623</guid>
		<description><![CDATA[Digital certificates and certificate authorities have been much in the news recently. Attacks&#8211;such as those used by Stuxnet, Duqu, and other malware&#8211;involving stolen certificates show an increasingly worrisome new security trend. Certificate authorities have been targeted several times in the recent past with some success. There is a large chunk of known malware signed by <a href="http://blogs.mcafee.com/mcafee-labs/zeroaccess-rootkit-launched-by-signed-installers">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Digital certificates and certificate authorities have been much in the news recently. Attacks&#8211;such as those used by Stuxnet, Duqu, and other malware&#8211;involving stolen certificates show an increasingly worrisome new security trend. </p>
<p>Certificate authorities have been targeted several times in the recent past with some success. A large share of known malware is signed by apparently legitimate companies that appear to have authored malware, adware, or potentially unwanted programs. In fact, a significant percentage of recent malware executables (as high as 5 percent) purport to be, or actually are, signed with some sort of certificate. Even mobile malware has appeared as signed executables, because issuers failed to spot the malware in the files before approving them. This attention to certificates by malware authors seems to validate that they are indeed the “keys to the kingdom.”</p>
<p>A few days ago, we first saw a new attack that turned out to be variants of the infamous ZeroAccess rootkit, launched by digitally signed installers and uninstallers. In the cases observed so far, the signed application is a valid program&#8211;such as the installer for recent Flash Player versions, as shown below.</p>
<p><a href="http://blogs.mcafee.com/wp-content/uploads/2011/11/AdobeCert2.png"><img src="http://blogs.mcafee.com/wp-content/uploads/2011/11/AdobeCert2.png" alt="" title="Adobe Cert" width="404" height="478" class="alignnone size-full wp-image-12633" /></a></p>
<p>As eager as vendors are to patch vulnerabilities, users are likewise eager to keep themselves protected. This gives the malware author an opportunity to prey on that (real or perceived) fear and on the user&#8217;s assumption that whatever is signed must be trustworthy. The challenge for malware authors is to supply victims with a legitimately signed, unmodified application that nonetheless serves their purposes.</p>
<p>The answer lies in the imported DLLs (Dynamic Link Libraries) and in how the loader resolves them by name. In 1998, the Lorez virus used a simple trick.[1] It copied Kernel32.DLL from its usual location to the Windows folder and infected the copy. On startup, Windows loaded the infected copy instead of the original, clean file, because the loader at the time searched the current directory before the system directory, so the planted copy was found first.</p>
<p>This class of attack, now called DLL preloading or binary planting, got a lot of attention last year when it was newly &#8220;discovered,&#8221; and Microsoft published a registry-based mitigation, the CWDIllegalInDllSearch value described in KB 2264107.[2] The entry tells the operating system to skip the current working directory (or remote locations) when resolving a DLL name. One issue (in rare cases) with this fix is that it can break applications that depend on the old search behavior.</p>
<p>Early variants of this malware appear to have used the DLL preload method to install themselves alongside legitimate applications. Below we see what appears to be a fix implemented by a well-known browser to defeat illegitimate DLLs placed in the same directory: the load fails with an entry-point error when the planted module does not export the functions the browser expects.</p>
<p><a href="http://blogs.mcafee.com/wp-content/uploads/2011/11/entrypoint.png"><img src="http://blogs.mcafee.com/wp-content/uploads/2011/11/entrypoint.png" alt="" title="Entry Point Error" width="550" height="118" class="alignnone size-full wp-image-12627" /></a></p>
<p>In more recent variants we see that dummy exports with the expected names have been added to the malicious DLL, which bypasses this check:</p>
<p><a href="http://blogs.mcafee.com/wp-content/uploads/2011/11/codewalk.png"><img src="http://blogs.mcafee.com/wp-content/uploads/2011/11/codewalk.png" alt="" title="Bypass Check" width="560" height="264" class="alignnone size-full wp-image-12629" /></a></p>
<p>Now, even more recent versions look to be taking aim at the trust model that certificates use.</p>
<p>Below we see how the ZeroAccess package may look in a designated folder on a test machine. </p>
<p><a href="http://blogs.mcafee.com/wp-content/uploads/2011/11/ZeroAccessPackage2.png"><img src="http://blogs.mcafee.com/wp-content/uploads/2011/11/ZeroAccessPackage2.png" alt="" title="ZeroAccess Package" width="643" height="207" class="alignnone size-full wp-image-12634" /></a></p>
<p>The actual malware file masquerades as msimg32.dll, a legitimate system DLL. Known variants of this module are detected by McAfee as ZeroAccess.dr. The Flash Player installer references msimg32.dll through its imports (indirectly, via a dependency chain), as the dependency view below shows:</p>
<p><a href="http://blogs.mcafee.com/wp-content/uploads/2011/11/Dependencies.png"><img src="http://blogs.mcafee.com/wp-content/uploads/2011/11/Dependencies.png" alt="" title="ZeroAccess Dependencies" width="386" height="238" class="alignnone size-full wp-image-12637" /></a></p>
<p>When the user executes the installer, the malicious look-alike DLL is loaded. The DLL preload issue arises because the directory containing the executable is the first place the Windows loader looks when resolving an imported DLL name; if a module with that name is there, it is loaded, and the system directory is consulted only when it is not. As we already stated, this is far from the first time anyone has seen this happen.</p>
<p>To a user, the reputation of the signed file looks fine, since millions of people run the legitimate copy. However, when the attackers package the two files together, the ZeroAccess rootkit is installed from the extra DLL. (This DLL is not signed in the variants we have observed so far.) Once executed, the installation begins: code is injected into svchost.exe, which in turn runs ping.exe and injects further code into it. So a legitimate, trusted file is abused to bypass behavior blocking and the personal firewall, and ZeroAccess is installed as a by-product of the trust placed in a signed application. Let us be clear: this issue lies not with any particular vendor but with the use of a signed executable in a way that compromises the user&#8217;s trust in the signature itself.</p>
<p>ZeroAccess is known to be very difficult to remove from a system. It has a variety of techniques for fighting antivirus and security products, and can apply them generically. Previously, we discussed how the rootkit can generically kill AV and security products by queuing user-mode APCs from kernel mode.[3] This attack is very serious and successful against most targets.</p>
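<p>To make the search-order point concrete, here is an added example (not code from the original post or from McAfee) that parses an executable&#8217;s PE import table and reports which imported DLL names also sit in the executable&#8217;s own directory, the same condition the planted msimg32.dll exploits. The installer file name and the empty msimg32.dll it creates in a temporary folder are constructed test input, not the real Flash Player installer or the real rootkit module. One caveat the check does not model: names on the KnownDLLs list (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs, which includes kernel32.dll and user32.dll) are always mapped from the system directory and cannot be hijacked this way, which is why sideloaders pick lesser-used names such as msimg32.dll.</p>

```python
"""Added example: list the DLL names a Windows executable imports and flag
those that also sit beside it, i.e. names the loader resolves from the
application directory before the system directory. Only the PE import
directory is parsed; nothing here is McAfee's or Adobe's code."""
import os
import struct
import tempfile


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def _pe_offset(data):
    """File offset of the PE signature, after validating the MZ and PE magic."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = _u32(data, 0x3C)                          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return pe


def _rva_to_off(data, pe, rva):
    """Map a relative virtual address to a file offset via the section table."""
    nsec = _u16(data, pe + 6)
    base = pe + 24 + _u16(data, pe + 20)           # section headers follow the optional header
    for i in range(nsec):
        s = base + 40 * i
        vsize, va = _u32(data, s + 8), _u32(data, s + 12)
        rsize, raw = _u32(data, s + 16), _u32(data, s + 20)
        if va <= rva < va + max(vsize, rsize):
            return raw + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def list_imports(data):
    """DLL names from the import directory, lower-cased, in table order."""
    pe = _pe_offset(data)
    opt = pe + 24
    dd = opt + (96 if _u16(data, opt) == 0x10B else 112)   # data directories: PE32 vs PE32+
    imp_rva = _u32(data, dd + 8)                           # directory index 1 = import table
    if imp_rva == 0:
        return []
    off = _rva_to_off(data, pe, imp_rva)
    names = []
    while data[off:off + 20] != bytes(20):                 # array ends with an all-zero descriptor
        name_off = _rva_to_off(data, pe, _u32(data, off + 12))
        names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace").lower())
        off += 20
    return names


def sideloadable(exe_path):
    """Imported DLL names that also exist in the executable's own directory.
    Any hit is loaded in preference to the real system copy (KnownDLLs excepted)."""
    with open(exe_path, "rb") as f:
        imports = set(list_imports(f.read()))
    folder = os.path.dirname(os.path.abspath(exe_path))
    return sorted(imports & {n.lower() for n in os.listdir(folder)})


def build_sample_pe(dll_names):
    """Constructed stand-in for a signed installer: a minimal PE32 whose only
    content is an import table naming `dll_names`. It has no code and cannot run."""
    sec_rva, sec_raw = 0x1000, 0x200
    desc_size = 20 * (len(dll_names) + 1)
    descs, blob = b"", b""
    for name in dll_names:
        descs += struct.pack("<5I", 0, 0, 0, sec_rva + desc_size + len(blob), 0)   # Name RVA
        blob += name.encode("ascii") + b"\0"
    section = descs + b"\0" * 20 + blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    dirs = [0] * 32
    dirs[2], dirs[3] = sec_rva, len(section)                            # directory[1] = imports
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<32I", *dirs)
    sec = b".idata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section), sec_rva, len(section), sec_raw, 0, 0, 0, 0, 0xC0000040)
    return (dos + coff + opt + sec).ljust(sec_raw, b"\0") + section


def demo_sideload():
    """Recreate the observed layout in a temp folder: installer plus a planted msimg32.dll."""
    folder = tempfile.mkdtemp()
    exe = os.path.join(folder, "install_flash_player.exe")             # hypothetical file name
    with open(exe, "wb") as f:
        f.write(build_sample_pe(["KERNEL32.dll", "msimg32.dll", "USER32.dll"]))
    open(os.path.join(folder, "msimg32.dll"), "wb").close()            # the planted, unsigned DLL
    return sideloadable(exe)


if __name__ == "__main__":
    print(demo_sideload())
```

<p>Run <code>sideloadable()</code> against a folder that holds a downloaded installer; any name it returns deserves a signature check of that DLL (for example <code>Get-AuthenticodeSignature</code> in PowerShell or <code>signtool verify</code>) before the installer is launched, because the installer&#8217;s own valid signature says nothing about the modules it will pull in from its directory.</p>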
<p>This version of ZeroAccess uses another neat trick to also generically target certain security products. Once ZeroAccess is loaded, it prevents the execution of several security products by mimicking a load error. Upon execution, the user will see an error message similar to this:</p>
<p><a href="http://blogs.mcafee.com/wp-content/uploads/2011/11/NotFoundError.png"><img src="http://blogs.mcafee.com/wp-content/uploads/2011/11/NotFoundError.png" alt="" title="Not Found!!" width="450" height="126" class="alignnone size-full wp-image-12638" /></a></p>
<p>Several installers and uninstallers bundled with variants of ZeroAccess have been observed. Those that we are aware of can be cleaned with the free McAfee Labs tool RootkitRemover, which is available for download.[4]</p>
<p>Once RootkitRemover detects the threat, it reports in a manner similar to what we see below. Note that the rootkit has replaced a known driver file with itself in the Windows drivers directory.</p>
<p><a href="http://blogs.mcafee.com/wp-content/uploads/2011/11/RootkitRemover.png"><img src="http://blogs.mcafee.com/wp-content/uploads/2011/11/RootkitRemover.png" alt="" title="Rootkit Remover In Action!" width="658" height="327" class="alignnone size-full wp-image-12639" /></a></p>
<p>References</p>
<ol>
<li>Peter Szor, “Breaking the Lorez,” Virus Bulletin, October 1998 (available at www.peterszor.com/lorez.pdf)</li>
<li>Microsoft Knowledge Base article on DLL load control: http://support.microsoft.com/kb/2264107</li>
<li>Peter Szor and Rachit Mathur, “Asynchronous Harakiri++,” Virus Bulletin, October 2011</li>
<li>Free ZeroAccess removal tool from McAfee Labs, RootkitRemover, available at http://vil.nai.com/images/562354_4.zip</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/zeroaccess-rootkit-launched-by-signed-installers/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Kernel Vulnerabilities and Zero Days: a Duqu Update</title>
		<link>http://blogs.mcafee.com/mcafee-labs/of-kernel-vulnerabilities-and-zero-dayz-a-duqu-update</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/of-kernel-vulnerabilities-and-zero-dayz-a-duqu-update#comments</comments>
		<pubDate>Tue, 01 Nov 2011 20:58:08 +0000</pubDate>
		<dc:creator>Peter Szor</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[Duqu]]></category>
		<category><![CDATA[Kernel 0day vulnerability]]></category>
		<category><![CDATA[Stuxnet]]></category>
		<category><![CDATA[Zero-Day]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=12226</guid>
		<description><![CDATA[We discussed much of the unfolding Duqu attack in our previous post. Some new light has recently illuminated some missing pieces to this interesting attack. Researchers at CrySys Labs in Hungary have disclosed information about a Word document that is purported to be the installer file for the Duqu attacks. The document loads a kernel <a href="http://blogs.mcafee.com/mcafee-labs/of-kernel-vulnerabilities-and-zero-dayz-a-duqu-update">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>We discussed much of the unfolding Duqu attack in our <a href="http://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%E2%80%93-further-tales-of-the-stuxnet-files" target="_blank">previous post</a>. Some new light has recently illuminated some missing pieces to this interesting attack.</p>
<p>Researchers at <a href="http://www.crysys.hu/" target="_blank">CrySys Labs</a> in Hungary have disclosed information about a Word document that is believed to be the installer for the Duqu attacks. After exploiting what appears to be a new zero-day vulnerability, the document loads a kernel driver, which then loads a DLL into Services.exe to start the Duqu installation. According to the time stamp in its PE header, this driver was compiled on Thu Feb 21 06:14:47 2008. The driver is not signed; it does not need to be, because it is loaded through the zero-day exploit, which yields kernel memory access.</p>
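<p>The compile time quoted above comes from the TimeDateStamp field of the PE file&#8217;s COFF header. As an added example (not code from the original post, from CrySys, or from McAfee), the following reads that field and applies a simple triage rule: a stamp later than the date the sample was first seen is forged or comes from a skewed build clock, a zero stamp has been stripped, and a stamp more than two years earlier (the Duqu driver&#8217;s 2008 date against a 2011 sighting) points to reused code or backdating and is exactly what makes the comparison with Stuxnet worth doing. The two-year threshold, the first-seen date and the header bytes built by <code>sample_header</code> are constructed for illustration; the stamp is written by the linker and trivially edited, so it is a clue to weigh, never proof.</p>

```python
"""Added example: read a PE file's COFF TimeDateStamp and sanity-check it
against triage data. Not code from the original post or from McAfee."""
import struct
from datetime import datetime, timezone


def compile_timestamp(data):
    """COFF TimeDateStamp of a PE image as a UTC datetime, or None if the field is zero."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    ts = struct.unpack_from("<I", data, pe + 8)[0]        # follows Machine and NumberOfSections
    return datetime.fromtimestamp(ts, tz=timezone.utc) if ts else None


def timestamp_verdict(data, first_seen_iso):
    """Classify the stamp against the day the sample was first observed (ISO date, UTC).

    'zero'      field stripped or blanked
    'future'    later than first_seen: forged, or a build machine with a skewed clock
    'old'       more than two years before first_seen: reused code or backdated
    'plausible' otherwise
    The two-year window is an assumed triage threshold, not a standard.
    """
    first_seen = datetime.fromisoformat(first_seen_iso).replace(tzinfo=timezone.utc)
    stamp = compile_timestamp(data)
    if stamp is None:
        return "zero"
    if stamp > first_seen:
        return "future"
    if (first_seen - stamp).days > 2 * 365:
        return "old"
    return "plausible"


def sample_header(ts):
    """Constructed MZ/PE header carrying the given TimeDateStamp (test input, not a real driver)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 0, ts)  # Machine, NumberOfSections, TimeDateStamp
    return dos + coff


if __name__ == "__main__":
    duqu_like = sample_header(1203574487)                 # 2008-02-21 06:14:47 UTC, the date in the post
    print(compile_timestamp(duqu_like), timestamp_verdict(duqu_like, "2011-10-14"))  # assumed first-seen date
```

<p>For a real sample, pass the file&#8217;s bytes instead of <code>sample_header()</code>; the verdict is only a prompt for the next step (code comparison against known families, as done above with Stuxnet), since an attacker who controls the linker controls the stamp.</p>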
<p>We have already seen several indications that this threat was related to Stuxnet in some form. When comparing the code of the first Duqu samples we received with older Stuxnet variants, we noticed several similarities, and even exact matches for some important functions such as the DLL-injection routine, decryption of strings and external modules, and management of tables for indirect API calls, among others. Due to the 2008 timeframe for the driver code in question, we have yet another clue, beside the zero-day exploit, that this code is likely based on the same base as Stuxnet, which reused old driver code in several cases while creating new exploits.</p>
<p>Detection has been added for these new samples under our existing Duqu coverage: PWS-Duqu, PWS-Duqu!rootkit, and PWS-Duqu!dat.</p>
<p>More to come as this tale unfolds!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/of-kernel-vulnerabilities-and-zero-dayz-a-duqu-update/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The New Reality of Stealth Crimeware</title>
		<link>http://blogs.mcafee.com/mcafee-labs/the-new-reality-of-stealth-crimeware</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/the-new-reality-of-stealth-crimeware#comments</comments>
		<pubDate>Mon, 20 Jun 2011 23:38:40 +0000</pubDate>
		<dc:creator>David Marcus</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[advanced persistent threats]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[crimeware]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Endpoint Protection]]></category>
		<category><![CDATA[identity protection]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Operation Aurora]]></category>
		<category><![CDATA[rootkit]]></category>
		<category><![CDATA[Rootkits]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Stuxnet]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=9692</guid>
		<description><![CDATA[Anyone who has been in information security recently knows that it has gotten easier for cybercriminals to build stealth crimeware. The malware we deal with on a regular basis grows ever more difficult to find, while high-end targeted attacks such as Stuxnet and other advanced persistent threats (APTs, the abbreviation I hate) are using ever <a href="http://blogs.mcafee.com/mcafee-labs/the-new-reality-of-stealth-crimeware">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Anyone who has been in information security recently knows that it has gotten easier for cybercriminals to build stealth crimeware. The malware we deal with on a regular basis grows ever more difficult to find, while high-end targeted attacks such as Stuxnet and other advanced persistent threats (APTs, the abbreviation I hate) are using ever more advanced rootkit techniques to avoid detection.</p>
<p>Cybercriminals use clever stealth techniques to evade detection because it allows their malware to be more effective, live on a machine or network longer, and thus maximize the compromise. McAfee Labs is now at the point where we detect more than 110,000 new unique rootkits per quarter. </p>
<p>To make matters worse, there is another issue that many fail to recognize:</p>
<p><strong>Today’s current OS-based security model is not adequate; cybercriminals know how to get past these defenses every time.</strong></p>
<p>The security industry has to find a new vantage point on cybercriminal behavior to stop and uncover their stealth techniques. It is time for our industry to start looking at security beyond the operating system to gain a more effective view of how cybercriminals operate.</p>
<p>We delve into these and many other issues in our latest report: <a href="http://www.mcafee.com/stealthycrimeware">&#8220;The New Reality of Stealth Crimeware,&#8221;</a> written by myself and Thom Sawicki of Intel. Download it <a href="http://www.mcafee.com/stealthycrimeware">here</a>. </p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/the-new-reality-of-stealth-crimeware/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lockheed Martin, EMC, Sony: Design Inner Security Layer assuming Outer Layer is already breached.</title>
		<link>http://blogs.mcafee.com/risk-compliance/lockheed-martin-emc-sony-design-inner-security-layer-assuming-outer-layer-is-already-breached</link>
		<comments>http://blogs.mcafee.com/risk-compliance/lockheed-martin-emc-sony-design-inner-security-layer-assuming-outer-layer-is-already-breached#comments</comments>
		<pubDate>Fri, 03 Jun 2011 01:28:48 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Risk Compliance]]></category>
		<category><![CDATA[Lockheed Martin]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Night Dragon]]></category>
		<category><![CDATA[Operation Aurora]]></category>
		<category><![CDATA[Stuxnet]]></category>
		<category><![CDATA[targeted attacks]]></category>
		<category><![CDATA[Whitelisting]]></category>
		<category><![CDATA[Zero-Day]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=9515</guid>
		<description><![CDATA[The recent security breach at Lockheed Martin confirmed that the attacks we saw with Operation Aurora, identified by McAfee, and Stuxnet are just the beginning of a new era of targeted attacks. Cybercriminals are now executing the perfect plan to get closer to their target without raising any red flags. In the case of Operation <a href="http://blogs.mcafee.com/risk-compliance/lockheed-martin-emc-sony-design-inner-security-layer-assuming-outer-layer-is-already-breached">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>The recent security breach at Lockheed Martin confirmed that the attacks we saw with Operation Aurora, identified by McAfee, and Stuxnet are just the beginning of a new era of targeted attacks. Cybercriminals are now executing the perfect plan to get closer to their target without raising any red flags. In the case of Operation Aurora, more than 30 U.S. companies experienced data breaches, including Google who lost its intellectual property (IP). We are very sure that this is not the end, but the beginning of a new era. A paradigm shift in the current model of security is required as soon as possible.</p>
<p>Sure enough, there were a series of attacks: Night Dragon, the attack on EMC, which put SecureID tokens at risk, Sony, and, recently, Lockheed Martin.</p>
<p>Lockheed Martin is very important to the U.S. as a defense contractor. Some of the most critical information, such as the arsenal used in the Afghanistan war and future military technology information, are residing in the Lockheed Martin network. I don’t want to speculate how the attackers were able to break in, but there are multiple theories, one being spear-phishing. Some of the blogs and reports are correlating the Lockheed Martin attack with the EMC breach, where the attacker entered the network via a VPN. Lockheed Martin has neither confirmed nor denied this, so we have to wait for the information to unfold.</p>
<p>At McAfee, we see 55,000 new pieces of malware each day. There are 2,000,000 (2 million) malicious website detected each month. These numbers cannot be managed by patches or blacklisting technology alone. But before we talk about the solution, let’s look at the anatomy of an attack. Any attack involves three stages:</p>
<ol>
<li>Exploit the service or application.</li>
<li>Drop and execute the payload either in the memory or on the disk.</li>
<li>Finally, the attacker owns the system (you have been p0wned).</li>
</ol>
<p style="text-align: center"><a href="http://blogs.mcafee.com/wp-content/uploads/2011/06/Flow1.png"><img class="aligncenter size-full wp-image-9548" src="http://blogs.mcafee.com/wp-content/uploads/2011/06/Flow1.png" alt="" width="588" height="223" /></a></p>
<p>You should be able to dissect any attack (e.g. Operation Aurora, Night Dragon, Stuxnet and possibly other future attacks) into these three stages. Let me briefly explain the protection. For blacklisting solutions, we need either a signature to stop the exploit or behavior-based detection to identify that something is wrong; but behavior-based detection is not 100% effective, and signatures for zero-day vulnerabilities are not always available. Therefore, the attackers will be able to proceed to step 2 after exploiting the &#8220;zero-day&#8221; vulnerability. Don&#8217;t forget, Stuxnet used four &#8220;zero-day&#8221; vulnerabilities. This is not a story from the movie <em>Mission Impossible</em> or <em>Swordfish</em>. This is real. Once the vulnerability is exploited, the attacker can execute the payload and connect to a command and control server to download more malicious code, such as keyloggers and sniffers.</p>
<p>With a shift to application whitelisting solutions, you can address every stage of an attack. Memory protection can prevent the attacker from exploiting the vulnerability, and if the exploit nevertheless succeeds, the payload cannot execute from disk or from memory because it is not part of the whitelist.</p>
<p>It is time to change the current structure of security &#8211; we need a combination of whitelisting and blacklisting solutions.</p>
<p>Look for a solution that can cater to your server and desktop environment and support a Unix or Windows operating system.</p>
<p>For Lockheed Martin, there is a possibility that the breach is linked to the RSA token breach. Regardless, it is a crucial reminder that we must design a layered defense. While designing the internal layer, we should assume that the outer defense layer has already been breached. Application whitelisting is going to play a huge role in security architecture in the years to come! Next time you are designing a security architecture with VPN, firewall, two-factor authentication or antivirus, ask yourself a simple question: if there is a zero-day vulnerability, will any of these technologies prevent a breach of my system?</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/risk-compliance/lockheed-martin-emc-sony-design-inner-security-layer-assuming-outer-layer-is-already-breached/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is A New Virus Hitting In Iran?</title>
		<link>http://blogs.mcafee.com/system-endpoint/is-a-new-virus-hitting-in-iran</link>
		<comments>http://blogs.mcafee.com/system-endpoint/is-a-new-virus-hitting-in-iran#comments</comments>
		<pubDate>Mon, 25 Apr 2011 23:05:48 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[System Endpoint]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Endpoint Protection]]></category>
		<category><![CDATA[enterprise]]></category>
		<category><![CDATA[Stuxnet]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=8869</guid>
		<description><![CDATA[The Iranian government on Monday said it was targeted by a new computer virus dubbed &#8220;Stars.&#8221; The report came from the director of Iran’s Passive Defense Organization through the country&#8217;s Mehr News Agency. Global media subsequently picked up the story, which has now been covered by the Associated Press, BBC, Reuters and many others. Stars would <a href="http://blogs.mcafee.com/system-endpoint/is-a-new-virus-hitting-in-iran">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>The Iranian government on Monday said it was targeted by a new computer virus dubbed &#8220;Stars.&#8221; The report came from the director of Iran’s Passive Defense Organization <a href="http://www.tehrantimes.com/index_View.asp?code=239425" target="_blank">through the country&#8217;s Mehr News Agency</a>. Global media subsequently picked up the story, which has now been covered by the <a href="http://www.google.com/hostednews/ap/article/ALeqM5jA04N162uQFGGOIwWSPhdpEjsgiQ?docId=2cbb72bc932b4d4bac7da4accaf6cbe9" target="_blank">Associated Press</a>, <a href="http://www.bbc.co.uk/news/technology-13188351" target="_blank">BBC</a>, <a href="http://www.reuters.com/article/2011/04/25/us-iran-computer-virus-idUSTRE73O1OL20110425" target="_blank">Reuters</a> and <a href="http://news.google.com/news/more?pz=1&amp;cf=all&amp;ned=us&amp;cf=all&amp;ncl=dYIVt2fdfQnu4-M8VosxbuilGjy1M" target="_blank">many others</a>.</p>
<p>Stars would be the second malware infestation targeted at Iran within a year&#8217;s time, following the <a href="http://blogs.mcafee.com/enterprise/critical-infrastructure-protection/stuxnet-a-view-from-an-energy-perspective" target="_blank">discovery of Stuxnet</a> in July last year.</p>
<p>Outside of the published news reports, McAfee has no information on &#8220;Stars&#8221; at this time. That&#8217;s different from Stuxnet, where international cybersecurity companies knew of the malware and were able to investigate it through customary sharing of malware samples.</p>
<p>We currently have no way of verifying the attack the Iranian government is reporting, nor do we have any way of identifying who might be behind the attack or what the target could be.</p>
<p>We are eager to learn more.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/system-endpoint/is-a-new-virus-hitting-in-iran/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New release of CIP report: Crucial Industries Confront Cyber Attacks</title>
		<link>http://blogs.mcafee.com/security-connected/new-release-of-cip-report-crucial-industries-confront-cyber-attacks</link>
		<comments>http://blogs.mcafee.com/security-connected/new-release-of-cip-report-crucial-industries-confront-cyber-attacks#comments</comments>
		<pubDate>Wed, 20 Apr 2011 18:51:28 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Security Connected]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[enterprise]]></category>
		<category><![CDATA[Public Sector]]></category>
		<category><![CDATA[Stuxnet]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=8776</guid>
		<description><![CDATA[Yesterday, McAfee released “In the Dark: Crucial Industries Confront Cyberattacks,” a sequel report focused on the critical civilian infrastructure that depends most heavily on industrial control systems. Our 2011 report is a follow up to last year’s &#8220;In the Crossfire: Critical Infrastructure in the Age of Cyberwar&#8220;. As our VP of Threat Intelligence Phyllis Schneck <a href="http://blogs.mcafee.com/security-connected/new-release-of-cip-report-crucial-industries-confront-cyber-attacks">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Yesterday, McAfee released “<a href="http://www.mcafee.com/cip_report">In the Dark: Crucial Industries Confront Cyberattacks</a>,” a sequel report focused on the critical civilian infrastructure that depends most heavily on industrial control systems. Our 2011 report is a follow up to last year’s &#8220;<a href="http://resources.mcafee.com/content/NACIPReport">In the Crossfire: Critical Infrastructure in the Age of Cyberwar</a>&#8220;. As our VP of Threat Intelligence Phyllis Schneck notes, this year’s report is scarily similar to the previous report, in that the same mistake is being repeated.</p>
<p>Schneck <a href="http://blogs.mcafee.com/enterprise/in-the-dark-crucial-industries-confront-cyberattacks">points out</a> “The so-called ‘smart’ grid is being created with that renewed joy of convenience and efficiency, and that <strong>renewed lack of investment in security</strong>.” <em><a href="http://www.mcafee.com/cip_report">In the Dark</a></em> gathers research and survey data from IT security executives at critical electricity infrastructure enterprises across 14 countries.</p>
<p>In the past year, the sophistication of <a href="http://blogs.mcafee.com/enterprise/critical-infrastructure-protection/stuxnet-a-view-from-an-energy-perspective">Stuxnet</a>, an attack aimed at sabotaging an industrial control system, has dramatically changed the threat landscape. Focused on the major industry sectors of power, oil, gas and water, this recent report highlights the key industry findings from respondents as they address the scale of the attacks and the relative adoption of security technologies. Also noted in the report are key trends pulled from the executive survey data, including the role of government in these cyber attacks.</p>
<p>Take a look at the <a href="http://blogs.mcafee.com/enterprise/in-the-dark-crucial-industries-confront-cyberattacks">key findings</a> or check out the <a href="http://www.mcafee.com/cip_report">full report</a> and let us know your comments below.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/security-connected/new-release-of-cip-report-crucial-industries-confront-cyber-attacks/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>In the Dark: Crucial Industries Confront Cyberattacks</title>
		<link>http://blogs.mcafee.com/enterprise/in-the-dark-crucial-industries-confront-cyberattacks</link>
		<comments>http://blogs.mcafee.com/enterprise/in-the-dark-crucial-industries-confront-cyberattacks#comments</comments>
		<pubDate>Tue, 19 Apr 2011 13:05:46 +0000</pubDate>
		<dc:creator>Dr. Phyllis Schneck</dc:creator>
				<category><![CDATA[Critical Infrastructure Protection]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[enterprise]]></category>
		<category><![CDATA[Public Sector]]></category>
		<category><![CDATA[Stuxnet]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=8753</guid>
		<description><![CDATA[Decades ago when the early communications networks were formed, scientists rallied around the joy of sending data at light speed and happily connected once-disparate networks together to create the early stages of the &#8220;Internet.&#8221;  This capability eventually enabled conversations, money transfers, massive data sharing, and the confluence of convenience and efficiencies unlike any the world <a href="http://blogs.mcafee.com/enterprise/in-the-dark-crucial-industries-confront-cyberattacks">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Decades ago when the early communications networks were formed, scientists rallied around the joy of sending data at light speed and happily connected once-disparate networks together to create the early stages of the &#8220;Internet.&#8221;  This capability eventually enabled conversations, money transfers, massive data sharing, and the confluence of convenience and efficiencies unlike any the world had ever experienced before.  Security, or even the possibility of misuse of this amazing creation, was not considered until events such as the Morris Worm demonstrated vulnerabilities.  That lack of attention to security was a mistake, and we have spent 20 years trying to secure a now critical system that was not built to be secure, in the face of a cyber adversary that is eating the financial and infrastructure worlds for lunch, stealing money, intellectual property, and, as we saw with Stuxnet, targeting kinetic infrastructure that can lead to harm and destruction.</p>
<p>Fast forward to 2011, as McAfee releases “<a href="http://www.mcafee.com/cip_report">In the Dark: Crucial Industries Confront Cyberattacks</a>,&#8221; the frightening news is that the mistake is being repeated. The so-called &#8220;smart&#8221; grid is being created with that renewed joy of convenience and efficiency, and that renewed lack of investment in security. This report is a follow-up to McAfee’s 2010 report: “<a href="http://www.mcafee.com/us/resources/reports/rp-in-crossfire-critical-infrastructure-cyber-war.pdf">In the Crossfire: Critical Infrastructure in the Age of Cyberwar</a>.” This sequel report surveyed 200 IT security executives from critical electricity infrastructure enterprises in 14 countries, focused on the critical civilian energy infrastructure that depends most heavily on industrial control systems.</p>
<p>Perhaps one of the most frightening findings in the report is the fact that, although the security threat and awareness of the threat have increased exponentially, the energy sector increased its adoption of security technologies by only one percent. Potential reasons include:</p>
<ol>
<li>Lack of incentives, in a difficult economy, to invest in protecting against cyber security vulnerabilities when they are not tangible and have not yet been known to cause harm to the energy sector.</li>
<li>Cyber security investment is often made at the CIO/CISO level as a technology conversation for the technology budget vs. where it really needs to be – at the CEO/CFO level where business risk is assessed. Cyber security is a business risk – if the lights go out, everyone loses money.</li>
</ol>
<p>It is our hope that this report electrifies the discussion of securing cyber systems for the sake of our safety. We want to engage the conversation about incentives – what does it take to get us to protect against a threat which, although we cannot see it yet, could be devastating to public safety, business and the economy? How do we break the vicious cycle of building great new systems, such as the smart grid, without including security from the ground up? Are we really going to repeat the fatal flaw of the Internet to save a few dollars in the short term?</p>
<p>The following are some key findings in the report:</p>
<p><strong>Key findings in the CIP report</strong></p>
<ul>
<li>Eighty percent of respondents have faced a large-scale denial of service attack</li>
<li>Twenty-five percent of respondents have been victims of extortion attempts</li>
<li>More than 40 percent of executives believe that their industry’s vulnerability has increased</li>
<li>Almost 30 percent believe their company is not prepared for a cyberattack</li>
<li>More than 40 percent expect a major cyberattack within the next year</li>
<li>Energy sector increased its adoption of security technologies by only a single percentage point, at 51 percent</li>
<li>Oil and gas industries increased by only three percentage points, at 48 percent</li>
<li>Nearly 70 percent of respondents frequently found malware designed to sabotage their systems</li>
<li>A quarter of respondents reported daily or weekly DDoS attacks</li>
</ul>
<p><strong>Overall Assessment:</strong></p>
<ul>
<li>There has been an increase in cyberattacks on critical infrastructure, yet organizations remain unprepared and are not investing more</li>
<li>The rate of security adoption is significantly trailing behind the rate at which threats are growing, and critical infrastructure industries have made only modest progress since 2010</li>
<li>Infrastructures that control systems affecting our everyday lives, such as smart grids, are rising in adoption, yet still do not have proper security against attacks in place</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/enterprise/in-the-dark-crucial-industries-confront-cyberattacks/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Moving Forward, Looking Back</title>
		<link>http://blogs.mcafee.com/public-sector/moving-forward-looking-back</link>
		<comments>http://blogs.mcafee.com/public-sector/moving-forward-looking-back#comments</comments>
		<pubDate>Fri, 28 Jan 2011 20:12:17 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Public Sector]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Dave DeWalt]]></category>
		<category><![CDATA[enterprise]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[Operation Aurora]]></category>
		<category><![CDATA[Stuxnet]]></category>
		<category><![CDATA[wikileaks]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=7467</guid>
		<description><![CDATA[The New Year is already in full swing and as always, we at McAfee are working hard to anticipate and prepare our customers for potential threats. The year 2010 had many major cybersecurity incidents, including Operation Aurora and the Stuxnet virus, showing the sophisticated ways in which dangerous people seek to exploit information systems. These incidents <a href="http://blogs.mcafee.com/public-sector/moving-forward-looking-back">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>The New Year is already in full swing and as always, we at McAfee are working hard to anticipate and prepare our customers for potential threats. The year 2010 had many major cybersecurity incidents, including <a href="http://www.mcafee.com/us/threat-center/operation-aurora.aspx">Operation Aurora</a> and the <a href="http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=268468#none">Stuxnet</a> virus, showing the sophisticated ways in which dangerous people seek to exploit information systems. These incidents are key examples of the ever-present need for all of us to prepare for and protect against data loss.</p>
<p>Our CEO, Dave DeWalt, sat down with Ben Iannotta of C4ISR Journal, as part of the publication’s “Interview” series, to discuss Wikileaks, mobile devices and smart phones, as well as critical infrastructure protection. Additionally, Dave discussed our work in the defense space, where our host-based security solution is now on more than 5 million computing devices across the entire Department of Defense’s three networks. You can view the interview on C4ISR’s <a href="http://www.c4isrjournal.com/story.php?F=5221090">website</a>, or catch it in this month’s print edition.</p>
<p>Although 2010 was an active year for cyber criminals, we at McAfee continued to provide solutions to help business and government keep their data secure.  As we enter the New Year, you can be sure that our continued commitment to provide innovative and effective protection will be one of our “resolutions.” Here’s to a safe, secure 2011!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/public-sector/moving-forward-looking-back/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Malware Rises, Zeus Goes Mobile, Stuxnet Confuses in Recent Quarter</title>
		<link>http://blogs.mcafee.com/mcafee-labs/malware-rises-zeus-goes-mobile-and-stuxnet-confuses-in-q3-2010</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/malware-rises-zeus-goes-mobile-and-stuxnet-confuses-in-q3-2010#comments</comments>
		<pubDate>Thu, 18 Nov 2010 23:19:38 +0000</pubDate>
		<dc:creator>David Marcus</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[critical infrastructure]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Email & Web Security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Endpoint Protection]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[global threat intelligence]]></category>
		<category><![CDATA[Hacktivism]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Operation Aurora]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[seo abuse]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[social networks]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[sql attacks]]></category>
		<category><![CDATA[Stuxnet]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Web 2.0]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=6505</guid>
		<description><![CDATA[Looking at computer threats from quarter to quarter remains a busy experience for us at McAfee Labs. Through the first three quarters of the year we have analyzed and cataloged more threats than in all other years combined, and the growth in both volume and sophistication of malware and attacks shows no signs of slowing. <a href="http://blogs.mcafee.com/mcafee-labs/malware-rises-zeus-goes-mobile-and-stuxnet-confuses-in-q3-2010">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Looking at computer threats from quarter to quarter remains a busy experience for us at McAfee Labs. Through the first three quarters of the year we have analyzed and cataloged more threats than in all other years combined, and the growth in both volume and sophistication of malware and attacks shows no signs of slowing.</p>
<p>This quarter we have seen quite a bit of activity from old nemeses such as Koobface, fake anti-virus software, password-stealing Trojans, and AutoRun (a.k.a. USB-based) malware. In our current review, <a href="http://www.mcafee.com/us/local_content/reports/q32010_threats_report_en.pdf">McAfee Threats Report: Third Quarter 2010</a>, we look at the top malware threats around the globe. We observed significant development in one of the most dangerous threats we face: the Zeus robot network. Threats to mobile devices are attracting more attention, and we now see the Zeus bot is also riding the mobile wave. In many ways these new threats will mirror many of the established threats as they make their way to new platforms—because the human element, with its constant susceptibility to social engineering, remains the same.</p>
<p>Spam volumes are still quite high, and the geographical and subject breakdown by region is as fascinating as always this quarter. We also look globally at botnets.</p>
<p>We saw growth in the number of malicious websites and continued abuse of search-engine results. SQL-injection attacks allowed China to reclaim the dubious honor of Number 1 source. Search engine and term abuse continues to mirror the news of the day, and we saw many developments in the areas of cybercrime and hacktivism—specifically in stolen identities and cybercrime toolkits.</p>
<p>However, all these attack vectors take a backseat to the quarter’s most significant threat: Stuxnet. This advanced worm took center stage amid rumors of government conspiracies and cyberwarfare.</p>
<p>When we look back, this year might well become known as the Year of the Targeted Attack, due to narrowly aimed malware such as Stuxnet and Operation Aurora. In the meantime, join us to learn what the threat landscape in the third quarter held for us.</p>
<p>Read the full report <a href="http://www.mcafee.com/us/local_content/reports/q32010_threats_report_en.pdf">in English here.</a> You&#8217;ll also find eight other languages on the <a href="http://www.mcafee.com/us/threat_center/white_paper.html">McAfee Labs Technical White Papers</a> page.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/malware-rises-zeus-goes-mobile-and-stuxnet-confuses-in-q3-2010/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
