2012 – A Kaspersky Researcher Perspective - A Survey of 2011 Malware Activity and Looking Forward into 2012 Presented by: Kurt Baumgartner

1. 2012 – A Kaspersky Researcher Perspective
A Survey of 2011 Malware Activity and Looking Forward into 2012
Kurt Baumgartner, Senior Security Researcher
Global Research and Analysis Team
kurt.baumgartner@kaspersky.com

2. An Explosive 2011 and Expecting 2012
A Discussion
• 2011 - A Perfectly Horrid Infosec Backdrop
• Hacktivism – Lulzsec and the Anonymous Brands
• Kido/Conficker and Sality Live On
• Targeted Attacks and the APT
• Mobile Malware Ascendency
• Flashfake – An OS X Botnet Grows
• Blackhole Sucks in Victims and the Phoenix Re-arises
• 2012 - Your Customers’ Heartburn
• Q1 – Root/Bootkits (Zaccess, Tdss, Pihar), New Infector
• Blackhole, Fakeav, Zbot, ZeroAccess(+variants)
• Targeted Attacks and the APT
• BYOD – Mobile Exploitation and Spyware
• Dark and Stormy

3. 2011 - A Perfectly Horrid Infosec Backdrop

4. Hacktivism 2011
Branded Breakins
• Major Intrusion Incidents and DoS Events, most preventable
• Sony and the Cloud – 101,000,000
• Stratfor
• HBGary Federal
• ManTech
• InfraGard Local Chapters
• Certificate Authorities (?) – Comodogate and Diginotar
• Webapp SQLi, weak passwords, configuration mistakes
• Policy, process, and training

5. Top Local Infectors 2011
KSN Top Infection Stats - Autorun Spreaders and File Infectors
• Kido/Conficker 2011
• ~17% of all unique locally attacked/infected systems reporting (Net-
Worm.Win32.Kido.ih+ir)
• Sality 2011
• ~16% of all unique locally attacked/infected
systems reporting
(Virus.Win32.Sality.aa+bh+ag)
• Close to 80% of WAV detections are
heuristic or “cloud based”

6. 2011 Targeted Attacks and the APT
Successful Attacks Made Headline News Throughout the Year
• Targeted Attack Incidents Made Big Headlines
• The APT, Reconnaissance, Spearphish and Intrusions, Backdoors and
Exfiltration Operations
• What’s new here? Varying levels of nation-state support targeting non-
mil organizations (your customers) over multi-year project timeframes
• Headline News…
RSA, Mantech, Northrup Grumman, at least eighty “unnamed” law
firms, Tibetan and Uyghur NGOs, any and all google-able CN political
groups outside the mainland, human rights orgs like Amnesty
International, various government websites, Mitsubishi Heavy
Industries…the list goes on

7. Mobile Malware Ascendency
Android Android Android
• Wild growth of Android itself (15 million tablets, 60 million phones Q4)
• Our virlib approaches 2,000 Android trojans (end of 2011)
• Offensive Security Research and Weaponized Exploits
• The Mod Community
• Android Spyware

8. Growing an OS X Botnet
Flashfake Spreads via Apple’s Slowly Updated Java Client
• Flashfake – 700,000 node OS X botnet
• No viruses for Apple? Think differently about that.

9. Blackhole Sucks in Victims and the Phoenix Re-arises
Commodity Exploit Packs and MaaS
• Exploit Packs and Web-Delivered Mass Exploitation
• Blackhole Exploit Pack, Eleonore, Phoenix
• Unpatched, vulnerable, browser-accessible software – Java, Adobe
Reader and Flash, XML Parsers, QuickTime, Browser Vulns
• ZeroAccess (+variants), Zeus+SpyEye, FakeAv

10. Enabling Their Adversaries
Enabling “Easily” Preventable Effective Attack Activity 2011
• Weak Passwords (Morto)
• Improper Resource Configuration
• Unnecessary share access, unlimited access control, autorun
• Flawed web apps == SQLi
• Missing Software Patches and Security Updates
• Microsoft (Windows, IE, Office) and third party software – Java,
Adobe (Reader+Flash) == Exploit packs/commodity attacks and
spearphishing
• Partially Protected Environments
• Missing security suites, mix of products, sometimes improperly
installed on top of each other
• No Incident Response Plan, no Public Response Plan!

11. Design Mistakes 2011
Enabling Effective Malware Attacks
15% Network shares
5% configuration
15% 5%
Missing security
0% patches
Multiple AV products
Partially protected
environment
35% Firmware vulnerability
25%
Freeware
Source: Kaspersky Lab GERT – Global Emergency
Response Team, Alexey Polyakov

12. 2012 – What Will Keep Them Up At Night

13. 2012 – Keeping Your Customers Up at Night
Heatburn Overview
• Q1 KSN Stats – Rootkits/Bootkits (Zaccess, Tdss, Pihar), Nimnul joins Kido
and Sality, MOAR Mass Exploitation (Blackhole, Phoenix)
• Mass Targeted Attacks
• BYOD – Mobile Exploitation and Spyware
• Dark and Stormy

14. 2012 Q1 US KSN Statistics
Starting off the year somewhat expectedly

15. 2012 Q1 US – Detection Numbers
Mass Web Based Exploitation and Local Infections
• Different from our global statistics
• Every month of Q1 2012, the generic, heuristic and cloud based webav
detections far outweigh local detections. This is good, in way.
• Local detections Q1 2012 (US Only). Spyware, root/bootkits:
Jan Feb March April
Zbot Win64.Tdss Win64.Tdss Zbot
Zaccess Pihar Pihar Win64.Tdss
Kido Kido Kido Pihar
FakeAv Sality Sality Kido
Tepfer Sinowal Sinowal Zaccess

16. 2012 Q1 US – Starting Off Somewhat Expectedly
Mass Exploitation/Infections
• Nimnul/Ramnit joins Kido and Sality on
list of massively prevalent infectors – may
stay to replace Qbot over 2011
• Bootkits (Tdss, Pihar, Sinowal), Rootkits
(Zeroaccess/Maxx++/Click2)
• Blackhole and Phoenix mods
• FakeAv

17. 2012 Q1 US – Starting Off Somewhat Expectedly
Mass Exploitation/Infections
• Nimnul/Ramnit joins Kido and Sality on list of massively prevalent
infectors – may stay to replace Qbot over 2011
• Distributed as gamehacks/cheats, utility/application crackz over
filesharing sites like MediaFire and Ziddu, many others

18. MOAR Mass Exploitation
Blackhole, Fakeav, Zbot, ZeroAccess(+variants)
• Active development, additions for Java, Flash, Reader, HCP
exploitation
• How victims are redirected to Blackhole web sites: vulnerable
Wordpress pages, major web service malvertizements/banner ads
• Java exploits have become de facto primary module
• Maturing market for 0day, half day, and packs –
Blackhole, Phoenix, Bleeding Life, Eleonore, Bomba, Nice Pack, etc
• ROP techniques, EMET evasion development
• Classic and custom shellcode releases
• International law differences and forums continue to provide
necessary space and communications. Bitcoin need? Nah ah.
Webmoney, Liberty Reserve, etc

19. ZeroAccess/Max++/Click2 Attacks in the US
Multi-component malware
• Distribution increasing in the US
• Multiple rootkit components at sensitive low level insertions, system
driver infection, dynamic kernel module loading, encrypted “file
system” storage within system – no viral or worming components
• Crypted P2P traffic in more recent variants
• Exploit pack delivery, P2P network serialz/crackz delivery. Also *very*
popular, phony codecs and raunchy spoofed video titles
• Detection tools like gmer make for quick id of the problem (although
“Technical Details” pages on some AV vendors are outdated)
• Mostly all “bundles” include click fraud component, claims of additional
stealers being downloaded that I haven’t seen

20. Zbot – Two Factor Auth, Corp Defenses Defeated
Updated, customized spyware incidents
• Spammed email containing typical IRS, DHL, UPS, etc, themes and attachment
• Zbot hooks necessary in-process (mostly web browser) functions, steals data
from encrypted banking sessions)
• Customized scripts downloaded, targeting specific banks
• Money wired to overseas banks in select regions
• Incident contributors? AV was not updated, portions of it disabled
(easily preventable)

21. Corporate Spyware in 2012
Absolutely
• Not just Zeus:
Spyeye, Carberp, Nimnul/Ramnit, ZeroAccess payloads?, Spitmo/Zitmo
• Similar or same delivery schemes may be less effective into late 2012
• Spoofing spams or TA bait – BBB, IRS, DHL, Facebook, meeting requests
• Crack and keygen sites+redirects to compromised legitimate sites
• 2012 changes – spam volumes supplemented with focused browser
delivery, IM/FB messaging

22. Targeted Attacks and the APT
Social Engineering
Time and People Flush - Just Enough Technology to Get the Job Done
Array of Exfiltration Tools and Techniques

23. Targeted Attacks - The RSA Security Hack
Overview - how did this happen?

24. Targeted Attacks – Harpooning a Whale
Customization to better hit targets - Spearphishing with better chum
$91 million message
(Q1 profit margin difference estimate + Q2 earnings call)

25. Targeted Attacks – Harpooning a Whale
Offensive Security Research Investment - Poison Ivy was a Kid’s Hobby
• Poison Ivy RAT sprouted in the media throughout 2011
• Why Poison Ivy? What are its origins?
• ChaseNET “forums” founded by previous Evil Eye Software Th3ChaS3r
Members included ksv, shapeless, Heike, Digerati (busted in Operation Bot
Roast II because of mistaken C2 config file update)…
• “ShapeLeSS” joined ChaseNET as 18 year old Swedish kid in late October
2005, coded Poison Ivy. “Codius” assumes the project years later, continues to
distribute it for free
• Stable, available, and free builder, crypters, and SDK
• Quantifiable, reliable, low/no investment tool
• Defenders playing catchup(!)

26. Targeted Attacks – Harpooning a Whale
Poison Ivy was a Kid’s Hobby

27. Targeted Attacks – Harpooning a Whale
Currently, data exfiltration on the cheap
• Post-exploitation, Poison Ivy and other tools to establish foothold
• Download other free/open source tools to impersonate users, elevate
privileges, collect data from network, lateral network movement
• Encode, archive collected data
• Check in with series of C2 for activity commands – Facebook, Google
Code, Image Files (jpg, gif, etc)
• FTP PUT / HTTP POST encoded data over proxied connections to drop
servers controlled via RDP and VNC

28. The Apple of the APTs Eye
OSX and the APT
• Multiple Targeted Attacks and OS X-based Exploits
• More NGO attacks from the APT – Tibetan and Uyghur groups as
frequent targets, usually on Wintel platform
• Backdoor.OSX.Sabpub, Backdoor.OSX.MaControl, etc
• Sabpub efforts are currently active, more ongoing…

29. Targeted Attacks in 2012?
Absolutely. Without a Doubt
• 0day or known exploits - just enough to
get the job done? More than PIvy?
• Repeated wintel spearphish tactics eventually become less effective.
Supplemented with possibly IM and focused browser based attacks.
2012 Target systems also run OS X, Linux, Android
• Increased 2012 offsec investment and activity

30. BYOD and Consumerization
The corporate network just walked out the door

31. BYOD 2012
Defense set aside for convenience
• IE6 and clunky WinXPSP2 workstations begin to disappear. Other trees
produce lower hanging fruit
• More data copied to more mobile devices than ever before (over 300 million
Android activated as of Feb 2012) – policies. iPhones at around 250-300
million sold (“activated”?)
• Where will this “fruit” hang for corp mobile users?
• Exploitation with different purposes than “mods” begins in 2012
• Most likely Android, limited iPhone/iPad incidents
• Data exfiltration from the platform begins in 2012
• The new dumpster triple pike - outright device theft

32. Dark and Stormy
Trouble behind and trouble ahead

33. Cloud Security 2012
Dark and Stormy
• 2011 Dropbox pushed configuration mistake to production, no password
required to access 25 million user accounts’ storage
• Sony’s cloud services breach, early 2011 - 101 million user accounts
• More VMWare source code dumped in 2012
• Is underlying VMWare cloud infrastructure at risk? Is the related breach
known or will focus on a potential set of major incidents fade away?
• Recent public VMWare Exploit PoC release - six step VMware High-
Bandwidth Backdoor ROM Overwrite EoP, Derek Soeder (CVE-2012-1515)
• Xen VM exploitation released at Defcon, nothing reported Itw to-date
• 2012 - economic, scalable vision of “the cloud” may look past the cold
security lessons of past, remote, complex systems
• VM-aware malware - now with added functionality for different purposes

34. Thank You
Questions, comments?
Kurt Baumgartner, Senior Security Researcher
Global Research and Analysis Team
kurt.baumgartner@kaspersky.com