“Know your enemy” is an old defensive strategy derived from the ancient Chinese military treatise The Art of War.
It’s just as apt in the war against malware.
For example, on Tuesday an Israeli security company, CyActive, released a list of the top five malware used in 2014 that re-use or adapt known components.
The top is Snake (also called Turla or Uruboros by some researchers), which has been around since 2005. Three years later, CyActive said, it was used to break into the U.S. Defense Department. It has also been used to attack government and military Web sites in the U.K., the European Union and the former Soviet Union.
Snake uses known exploits (CVE-2009-1123 and CVE-2010-0232) for administrator privileges on the targets, says CyActive, API hooking methods for stealth and driver registering methods for gathering information, a XOR key for encryption, and even the names of storage files.
“In every attack exposed until today there was a least one adapted component,” CyActive CEO and co-founder Liran Tancman said in an interview. “If we could predict and prevent this re-use and adaptation we would be able to prevent pretty much every major attack known until today, and we would impose impossible costs on hackers, who would have to re-invent their tools,” which would cost them millions.
CyActive says the malware used in the recent breach at Sony Pictures Entertainment reportedly used at least 6 components of previous malware, including Destover and two data-erasing malware, Shamoon and Darkseoul.
At the recent SecTor 2014 security conference in Toronto, one speaker outlined how attackers can build malware with free tools, or spend tens of thousands for a better weapon. Tancman notes that malware authors do more than cut and paste when taking previously-used components; they adapt them.
(For more on that see my security feature in the December, 2014 edition of Computing Canada.)
Tancman says his company’s network software appliance and end point software can look at existing attacks and predict how they will be used tomorrow’s threats.
But CSOs should also be aware that identifying commonly used malware components is a good way they can also spot attacks. One problem, Tancman said, is some organizations aren’t diligent in patching systems, leaving holes open for malware to exploit. Others aren’t using security best practices, he said.
The other top malware with adapted components identified by CyActive include
–BlackPoS: Used extensively last year in breaches at U.S. retailers including HomeDepot, and, in 2013, Target. “An absolute winner for cybercriminals,” says a CyActive report.
Re-used components include he original BlackPoS code, the “RAM scraper” tool, methods aimed at verifying the relevant data, an “API call” used in Zeus trojan for listing all the running
processes on the device, a disguise as Antivirus software for stealth, and an exfiltration method using the “net use” command;
— Gyges: CyActive says this is “government malware gone rogue” — the government is unnamed — and highjacked by cybercriminals, with eight recycled components. With a simple tweak it’s been used to attack financial institutions, retailers and tech companies. Seen as earlier as 2005;
–Dragonfly: The six reused components included known Java and IE exploits (CVE-2012-1723, CVE-2013-2465, CVE-2012-4792, CVE-2013-1347) as part of exploit kits and well-known RAT malware – Backdoor.Oldrea (AKA Havex), based on SySMain, and Trojan.Karagany. Seen as early as 2010.
What is unique about Dragonfly, says Tancman, is the target: Industrial control systems;
–Zberp: A version of the 2007 Zeus (Zbot) trojan. Uses four recycled components. Has hit 450 financial institutions around the world, says CyActive.
It mixes code from both Zeus and Carberp, two banking malware. Among the components are steganography, which hides malicious code in pictures; Invisible Persistence, which deletes its persistence key from the registry during the Windows startup process to prevent detection; command and control secure communication using SSL; and API hooking, a widely reused component.