Malware Report Q1-2013 Kaspersky Lab
Published by: ckoenis on May 17, 2013
IT Threat Evolution: Q1 2013
Denis Maslennikov
Contents

Q1 in figures
Overview
Cyberespionage and cyberweapons
    Red October
    MiniDuke
    APT1
    TeamSpy
    Stuxnet 0.5
Targeted attacks
    Attacks against Tibetan and Uyghur activists
    Hacking corporate networks
Mobile threats
    A few numbers
    Incidents
    Perkel
    The MDK Botnet
Q1 in figures

According to KSN data, Kaspersky Lab products detected and neutralized 1 345 570 352 threats in Q1 2013.

A total of 22,750 new modifications of malicious programs targeting mobile devices were detected this past quarter; that is more than half of the total number of modifications detected in all of 2012.

Some 40% of the exploits seen in the first quarter of this year target vulnerabilities in Adobe products.

Nearly 60% of all malicious hosts are located in three countries: the US, Russia, and the Netherlands.
Overview
The first quarter of 2013 turned out to be a busy time in IT security. This report will address the most significant events.
Cyberespionage and cyberweapons
Red October
At the very beginning of the year, Kaspersky Lab published a significant report with the results of a study on the global cyberespionage operation known as Red October. These attacks targeted various government agencies, diplomatic organizations and companies around the world. Analyzing the files and reconstructing the structure of the attack took several months. However, after a labor-intensive study, we were able to determine several key facts.

The attackers have been active over the past five years. The multifunctional platform that they used helped them quickly deploy new, expanded modules to collect information. In order to control and manage infected systems, they created more than 60 different domain names and several servers hosted in different countries. The command server infrastructure is comprised of a chain of proxy servers.

In addition to traditional targeted attacks on workstations, Red October is also capable of stealing data from mobile devices, collecting data from network equipment, collecting files from USB drives, stealing email databases from local Outlook archives or from remote POP/IMAP servers, and extracting files from local FTP servers on the Internet.
MiniDuke
In February, FireEye published an analysis of a new malicious program that penetrates systems using a 0-day vulnerability in Adobe Reader (CVE-2013-0640). This became the first exploit capable of bypassing the Acrobat Reader sandbox. It downloaded a backdoor meant to steal data from an infected system. After obtaining samples of this malicious program for analysis, we gave it the name ItaDuke.

In time, we discovered several similar incidents targeting the very same vulnerability, only with different threats. The malicious program used by the cybercriminals was dubbed MiniDuke. An investigation into these incidents was conducted by the Hungarian company CrySyS Lab. MiniDuke’s victims turned out to be government agencies located in Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland, as well as a research organization in Hungary, in addition to a research institute, two scientific research centers and a medical facility in the US. In total, we detected 59 victims in 23 countries.
 
One of the most interesting characteristics of the MiniDuke attacks was the combination of a threat with code written using a complex, ‘old school’ approach, and relatively new, yet tried-and-true, exploit technologies targeting Adobe Reader vulnerabilities.

The attackers sent out malicious PDF documents with exploits targeting versions 9 through 11 of Adobe Reader. The documents contained information about a seminar on human rights (ASEM), news about Ukraine’s foreign policy, and the plans of NATO countries. If an exploit was successful, the victim’s computer would be infiltrated by a unique backdoor, small at just 20 KB, written in Assembler.

The cybercriminals used Twitter in this attack: in order to obtain C&C server addresses and subsequently download new malicious modules, the backdoor sought out special tweets from previously created accounts. As soon as the infected system established a connection with the command server, it would begin to receive encrypted modules (backdoors) bundled with GIF files. These modules had relatively simple functions: copying, moving and deleting files, creating directories, and downloading new malicious programs.
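The paragraph above notes that MiniDuke's modules arrived bundled with GIF files. A generic check a defender can apply to such traffic or to files recovered from a host is to walk the GIF block structure and flag anything that sits past the 0x3B trailer, since a well-formed image has nothing there. The following is an added example written for this page, not code from Kaspersky Lab or from the report; it implements only the public GIF87a/GIF89a layout and makes no claim about MiniDuke's actual encoding. The sample image and the appended blob are constructed inline, and the entropy figure is a heuristic hint that appended data looks encrypted, not a verdict.

```python
"""Walk a GIF's block structure and report bytes appended after the trailer.

Added example (not from the original report). Implements the public GIF87a/89a
layout: header, logical screen descriptor, optional global colour table, then
extension blocks (0x21), image descriptors (0x2C) and the trailer (0x3B).
"""
import math
import struct


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Advance past a chain of data sub-blocks (length byte + payload), ending at a 0-length block."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the GIF trailer. Empty for a clean, well-formed image."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    if len(data) < 13:
        raise ValueError("truncated logical screen descriptor")
    packed = data[10]
    pos = 13
    if packed & 0x80:  # global colour table present: 2^(n+1) entries of 3 bytes
        pos += 3 * (2 << (packed & 0x07))
    while True:
        if pos >= len(data):
            raise ValueError("missing trailer")
        block = data[pos]
        pos += 1
        if block == 0x3B:  # trailer: everything after it is appended data
            return data[pos:]
        if block == 0x21:  # extension: label byte, then sub-blocks
            pos += 1
            pos = _skip_subblocks(data, pos)
        elif block == 0x2C:  # image descriptor: 9 bytes, optional local colour table
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1  # LZW minimum code size
            pos = _skip_subblocks(data, pos)
        else:
            raise ValueError(f"unknown block type 0x{block:02x} at offset {pos - 1}")


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; 8.0 means a uniform byte distribution."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_gif(data: bytes, min_trailing: int = 1) -> dict:
    """Summarise how much data sits past the trailer and how random it looks.

    A large, high-entropy tail is consistent with an encrypted payload riding
    on an image; treat it as a triage signal, not proof.
    """
    trailing = gif_trailing_bytes(data)
    return {
        "trailing_len": len(trailing),
        "trailing_entropy": shannon_entropy(trailing),
        "suspicious": len(trailing) >= min_trailing,
    }


def build_minimal_gif() -> bytes:
    """Constructed 1x1 GIF89a with a 2-entry global colour table (sample input, not a real capture)."""
    header = b"GIF89a"
    lsd = struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)       # 1x1, GCT flag set, size bits 0 -> 2 entries
    gct = bytes([0, 0, 0, 255, 255, 255])               # black, white
    gce = b"\x21\xF9\x04\x00\x00\x00\x00\x00"           # graphic control extension, 4-byte sub-block
    image = (b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)  # descriptor, no local colour table
             + b"\x02"                                  # LZW minimum code size
             + b"\x02\x44\x01\x00")                     # one 2-byte sub-block, then terminator
    return header + lsd + gct + gce + image + b"\x3B"


if __name__ == "__main__":
    clean = build_minimal_gif()
    bundled = clean + bytes(range(256)) * 4              # constructed stand-in for an appended blob
    print("clean:", scan_gif(clean))
    print("bundled:", scan_gif(bundled))
```

The check deliberately parses the structure instead of searching for the 0x3B byte, because 0x3B can legitimately occur inside colour tables and LZW sub-blocks; only the trailer reached by walking the blocks marks the real end of the image.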
APT1

In February, Mandiant published a large PDF report on the attacks launched by a certain group of Chinese hackers going by the name of APT1. The term APT (Advanced Persistent Threat) is still a buzzword. Yet sometimes it refers to threats or attacks that aren’t exactly “advanced”. However, in the case of APT1, “advanced” is no exaggeration: this campaign run by Chinese hackers is large-scale and not to be taken lightly.

The Mandiant report starts off by stating that APT1 appears to be a division of the Chinese army. The company even included a possible physical address for the division, and estimated the number of people involved and the infrastructure used. Mandiant believes that APT1 has been operating since 2006, and that over the course of 6 years it has managed to steal terabytes of data from at least 141 organizations. The victim organizations are primarily located in English-speaking countries. No doubt these massive attacks would not have been possible without real support from hundreds of people and a developed, modern infrastructure.

This is definitely not the first time that China has faced accusations of involvement in cyberattacks against government agencies and organizations in countries around the world. And there is nothing particularly surprising about the Chinese government’s firm rejection of the assertions made in the Mandiant report. Note that up till now, no country has ever claimed responsibility for any cyberespionage attack, or has admitted to involvement in cyberespionage under pressure from public or agency evidence.
TeamSpy
In March 2013, information was published about the latest in a line of complex attacks targeting high-ranking politicians and human rights advocates in the CIS and Eastern Europe. The operation was dubbed “TeamSpy,” as the remote admin program TeamViewer was used by the attackers to control victim computers. The main objective of this attack was to gather information from user computers, starting with screenshots and ending with copies of .pgp files, including passwords and encryption keys. Even though the tools used in the TeamSpy operation, and even the operation itself, didn’t seem all that sophisticated or professional compared to the Red October operation, the TeamSpy attacks were also successful.