Why we are getting better at catching nation-state sponsored malware - Aleks Gostev & Vitaly Kamluk, GReAT, Kaspersky Lab

Jul 24, 2015

Transcript
Page 1: Why we are getting better at catching nation-state sponsored malware

Why we are getting better at catching nation-state sponsored malware

Aleks Gostev & Vitaly Kamluk

GReAT, Kaspersky Lab

Page 2:

Daily news...

Page 3:

Daily news...

Page 4:

Kaspersky Lab’s published research

Page 5:

“Yet another APT”

● Since 2009, the number of APT campaign exposures has increased considerably
● Different companies focus on different things - e.g., China
● Focusing on one thing makes you blind to the full picture or creates a distorted view of the real world situation
● This is the “safe” path

Page 6:

Adversary statistics (© 2013 CrowdStrike)

Page 7:

At Kaspersky we took the “unsafe” path of analysing and detecting all APTs, no matter the origin.

This includes: Duqu, Stuxnet, Flame, Regin or Equation, but also MiniDuke, Turla, BE2, CosmicDuke and CozyDuke.

Page 8:

Side by side - Kaspersky Research

“Western APTs”
● Stuxnet
● Duqu
● Careto
● Flame
● Gauss
● Regin
● Equation

“Russian-speaking APTs”
● BlackEnergy 2/3
● RedOctober
● TeamSpy
● Miniduke
● CosmicDuke
● Epic Turla
● CozyDuke

Page 9:

The 1000 question: Why is nation-state malware so interesting?

Page 10:

Today’s hosts

Vitaly (ex-Kaspersky Lab)

Aleks (Kaspersky Lab)

Page 11:

Vitaly
● First of all: we are the best
● We have 0-days
● We have fiber taps
● Best programmers in the free world
● Smartest mathematicians and cryptographers
● Unlimited (ahem) budget
● And the best thing: it’s all legal :-)

Page 12:

Aleks
● Our budget is limited
● Good researchers are hard to find
● But!
● Our technologies are getting better - the cloud has opened new doors to catch your stuff
● We understand that we know very little
● Simple goal: protect our users

Page 13:

Side by side: Arguments

Page 14:

0-days

Vitaly
● An unlimited supply of 0-days that will pwn even the best defences
● Microsoft, Adobe, Oracle, your_favorite_vendor - we have a 0-day for it
● Kernel exploits
● We just need to be successful once

Aleks
● Finding your 0-days is our favorite activity!
● We actively hunt for them
● The more 0-days you use, the more likely we are to catch you
● We need to be successful every time

Page 15:

Crypto

Vitaly
● We pwn most crypto
● We sign our malware as Microsoft or even your certs :-)
● We sabotage crypto so we can crack it faster
● We only use the best algorithms in our malware; the rest is for the masses

Aleks
● When you sign your malware as Microsoft, you subvert major trust principles; this will backfire
● MitM against Windows updates? Baaad...
● Elite crypto gives away your malware
● RC6? Use Camellia :)
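A worked illustration of the "elite crypto gives away your malware" argument, added here as an example and not taken from the slide deck or from Kaspersky's own tooling: ciphers that are rare outside crypto libraries carry fixed constants, so a scan for those constants in an unsigned binary is a cheap, high-signal triage check. The RC6 magic words (shared with RC5) and the Camellia key-schedule sigmas below are the public values from the respective specifications; the sample buffers are constructed for the demo and the two-constant threshold is this example's own choice.

```python
"""Flag cipher-specific constants in a binary blob (added example, not from the deck).

RC6 (and RC5) expand the key with the magic words P_w and Q_w; Camellia's key
schedule uses six 64-bit sigma constants. Neither algorithm is common in
commodity malware, so a hit is worth a closer look. The RC6/Camellia values
are the public spec constants; the sample blobs below are constructed.
"""
import struct

# Spec constants (assumed correct from the RC6 and Camellia specifications).
RC6_P32 = 0xB7E15163  # P_w for w=32: Odd((e - 2) * 2^32)
RC6_Q32 = 0x9E3779B9  # Q_w for w=32: Odd((phi - 1) * 2^32)
CAMELLIA_SIGMA = (
    0xA09E667F3BCC908B, 0xB67AE8584CAA73B2, 0xC6EF372FE94F82BE,
    0x54FF53A5F1D36F1C, 0x10E527FADE682D1D, 0xB05688C2B3E6C1FD,
)

# algorithm name -> [(constant, byte width), ...]
SIGNATURES = {
    "RC6/RC5 key schedule": [(RC6_P32, 4), (RC6_Q32, 4)],
    "Camellia key schedule": [(s, 8) for s in CAMELLIA_SIGMA],
}


def _encodings(value, width):
    """Both byte orders: compilers emit immediates and tables either way."""
    fmt = {4: "I", 8: "Q"}[width]
    return {struct.pack("<" + fmt, value), struct.pack(">" + fmt, value)}


def scan(blob):
    """Return {algorithm: sorted [(offset, constant), ...]} for every hit."""
    hits = {}
    for name, consts in SIGNATURES.items():
        found = []
        for value, width in consts:
            for enc in _encodings(value, width):
                start = 0
                while (idx := blob.find(enc, start)) != -1:
                    found.append((idx, value))
                    start = idx + 1
        if found:
            hits[name] = sorted(found)
    return hits


def verdict(blob, min_constants=2):
    """Name the algorithms whose constants appear at least min_constants times (distinct).

    A single word can be a coincidence: 0x9E3779B9 is also the golden-ratio
    delta used by TEA/XTEA and by hash-mixing code, so one hit is not enough.
    """
    return sorted(name for name, found in scan(blob).items()
                  if len({v for _, v in found}) >= min_constants)


# Constructed samples: NOP sled, then RC6 immediates as an x86 compiler would
# emit them (little endian); a second buffer with two Camellia sigmas (big
# endian, as in a lookup table); and a clean buffer with no cipher constants.
SAMPLE_RC6 = b"\x90" * 16 + struct.pack("<II", RC6_P32, RC6_Q32) + b"\xcc" * 8
SAMPLE_CAMELLIA = b"\x00" * 5 + struct.pack(">QQ", CAMELLIA_SIGMA[0], CAMELLIA_SIGMA[1])
SAMPLE_CLEAN = bytes(range(256))

if __name__ == "__main__":
    for label, blob in (("rc6", SAMPLE_RC6), ("camellia", SAMPLE_CAMELLIA), ("clean", SAMPLE_CLEAN)):
        print(label, verdict(blob), scan(blob))
```

In practice the same constants go into a YARA rule rather than a Python loop, and the threshold matters: the RC6 words are identical to RC5's, so a hit names the family, not the exact cipher, and the Q word alone will light up plenty of benign hashing and TEA code. The point the slide makes survives the caveat: an unusual cipher is a stable artefact that the author cannot change without rewriting the crypto.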

Page 16:

Sophisticated, invisible malware

Vitaly
● Our malware is the best – cybercrime malware is laughable compared to ours
● Our rootkits prevent anyone from detecting our malware
● We hide where you least expect us! – Registry, VFSes, raw disks… even firmware ;)

Aleks
● The more you hide, the more likely you’ll trigger an alarm
● Anti-rootkit technology
● VFS detection and parsing
● Raw disk detection
● That firmware thing was surprising, OK
● Still working on it :)

Page 17:

There is no defense

Vitaly
● in practice, you can’t defend against our attacks
● if we can’t hit you directly, we’ll hack your ISP
● if your ISP is not enough, we’ll hack your country
● if that’s not enough, we’ll put a satellite behind every telecom satellite

Aleks
● let’s not forget the goal
● people very easily get dragged into “hack everything” traps
● “hey, I have an idea...”
● target protects themselves with antivirus ‘x’ or target uses Windows updates?
● Please do not subvert the trust people have in the IT Security industry or Software (Microsoft Windows) updates
● Flame MD5 attack was bad... :-(

Page 18:

The victims

Vitaly
● Our universal malware can be used to infect everyone: Belgacom, Quisquater, Merkel’s aide and terrorists altogether
● We have a unique, modular platform for use against everyone
● “Make once, use many”

Aleks
● Find once, find all
● Makes it easier to catch everything
● Worst: doesn’t give me any options
● Friendly advice: don’t use the same malware on Merkel’s aide and terrorists, it’s bad

Page 19:

Steal everything

Vitaly
● We collect everything
● We extract metadata from all your documents
● Our malware makes screenshots, captures keyboard, audio and all your internet traffic
● Honestly speaking, we don’t need all this but it’s fun to collect :-)

Aleks
● The more active your malware is, the more likely we’ll catch it
● Anti-keylogger tech
● Exfiltration is always a weak point
● Effectively, the more you collect the higher the chance we’ll catch you
● The media loves numbers :)

Page 20:

Interesting malware

Vitaly
● We like quality stuff
● Our code is the best
● We make no mistakes - most of the time :)
● We use only the best crypto
● We use compression
● We use kernel mode orchestrators
● Our malware never crashes - most of the time :)

Aleks
● We are geeks
● We like to reverse engineer Chinese PlugX samples 5 days a week – NOT!
● We want to reverse the best kernel mode code
● We like to find mistakes :-)
● When you crash, you raise alarms
● QA could be better... :)

Page 21:

Takeaways!
● Sophistication attracts attention
● Hiding attracts attention
● Merkel’s aide attracts attention
● 0-days attract attention
● Crashes attract attention
● Mass infections attract attention
● Attacks against ITSec products attract the most attention - bad, bad, bad!
● We are just doing our jobs... :)

Page 22:

Let’s vote?

The spooks are winning, no chance anti-malware companies can keep up with our elite malware!

ITSec companies are winning, the situation is kind of bad for spooks nowadays.

Page 23:

Thanks!

Spies’ curse: “May we read about you in Kaspersky Lab’s research!”