These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

Archive for the ‘Personally speaking’ Category

https://icann-deal.with.it (Part 2)

Thursday, September 4th, 2014

This is the second part of a three-part blog based on my paper for AVAR 2012 that discusses the security challenges involved in adopting two relatively new technologies, namely, Internet Protocol Version 6 and Internationalized Domain Names.

Continuing from the first part of my paper…

Internet Metamorphosis

The Internet is witnessing a critical phase in the transition from an old technology to a new one, and users must understand the security implications involved. These implications could manifest themselves either during the implementation stage or after.

Tunnel Vision. IP tunnelling implementation involves encapsulating the IPv6 packets into IPv4, which is similar to creating a Virtual Private Network (VPN). Teredo, for example, is a tunnelling protocol that is installed by default on Windows Vista and Windows 7 operating systems, and provides IPv6 connectivity to a native IPv4 device [7].

Fig.4: Example of tunnelled IPv6 traffic[8]

Since the IPv6 contents are disguised inside the IPv4 packets, most security devices struggle to analyse and detect them. This in turn opens the door for attacks when these tunnels are used to transport malware.

There have been known instances of malware which enable IPv6 on a compromised host to communicate with its creator using these IP tunnels. The fact that IPv6 is enabled by default on most new operating systems makes it easier for malware to spread without being noticed. The infamous Zeus, for example, is known to support IPv6 from early 2010 onwards. This malware not only boasts of having the capability to sniff IPv6 traffic, but also supports an IPv6 Peer-to-Peer network [9].

Stack ’em Up. Dual Stack Implementation involves running both IPv4 and IPv6 in parallel, with one protocol taking preference over the other. Communication is done using the preferred protocol first, failing which it is retried using the secondary protocol.

Fig.5: Example of dual stack traffic[8]

Considering that communications happen natively either in IPv4 or in IPv6, and that both protocols co-exist in the network, until sufficient machines become IPv6 compliant, at which point IPv4 can be pensioned off, this is the preferred method of transition.

To NAT or Not. Network Address Translation (NAT) is a technique that allows multiple devices within an internal network to get online by sharing a single public IP address. This public IP address would be provided to a router at the gateway level, which in turn directs traffic to machines inside the network that use non-routable IP addresses.

On a small scale, NAT is used within a Small Office Home Office (SOHO) environment, and on a large scale, often referred to as Carrier Grade NAT (CGN), it is used by ISPs who have a limited number of IPv4 addresses.

Fig.6: Simple implementation of NAT within a SOHO environment

Apart from cutting down on the number of routable IPv4 addresses used, this technology also provided a certain degree of privacy and security to the users in the internal network. Automated port scans and information gathering attempts are deterred at the gateway, and would only succeed from inside the private network.

The gargantuan number of addresses available in IPv6 means that ISPs could technically do away with NAT, and assign a static IP address to each of its users, and yet never run out of addresses in the foreseeable future.

While this would promote end to end connectivity, which was how the Internet was originally envisaged, it could also open up the flood gates of machines which were never previously directly connected to the Internet, for now they would be vulnerable to prying eyes and groping hands.

The silver lining, however, is that since an IPv6 address can now be mapped to each user, tracking down malicious traffic & the victims of a malware incident also becomes easier. It could be a boon or a bane, depending on how one perceives it.

The Whois Who of Malware URLs , Phishing & Spam

Over the years as communication media within the Internet expanded from e-mails to other forms such as instant messaging, forums, blogging, social networking, etc., spammers followed suit with campaigns targeting these channels. These campaigns include the relatively innocuous comment spam posted in blogs/forums, Pump ’n Dump scams, attempts to sell Viagra and the like, phishers vying for sensitive user information, and malware related spam which go for the jugular.

The current volume of spam received via various communication channels is kept to a minimum thanks to a combination of techniques which involves, but is not limited to, content based and list based filtering. Given the plethora of malware URLs and spam messages disseminated everyday, most of this filtering is done using automated systems.

Fig.7 below shows a steady rise in the number of malware/phishing URLs for the first half of the year 2012

Fig.7: Number of malicious URLs crawled by K7 from January 2012 to June 2012 [10]

Content Based Filtering. This works on analyzing different characteristics of a message or a URL. For example, messages with keywords such as Viagra, Rolex, etc, somewhere in the MIME envelope could automatically be declared as spam. Similarly, a URL with words like PayPal or Facebook in the sub-domain component, combined with a recently registered domain name having a minimum validity can be deemed suspicious. However, when these keywords are represented in another language, automated content based filtering could become more challenging since we would now have to recognise the representation of a keyword in as many different character sets or Puny Code equivalents, as possible.

List Based Filtering. This aims to assign a reputation to the source of the e-mail message or the URL. For example, when a stream of messages detected as spam originates from a single IP address, that address may then be assigned a bad reputation, and would go into a blacklist. Similarly, a malicious domain or IP could go into this list.

Subsequent messages from a blacklisted IP address would automatically be labeled as spam & dropped when e-mail servers query the blacklist in real time. Likewise, URLs containing blacklisted domains or IP addresses would also be blocked as malicious.

Fig.8: One blacklisted IP address used to both send spam and host malware [10]

Once a domain/IP address gets blacklisted, the attacker shifts to a new address from which to send the spam or on which to host malware until that gets blacklisted too. They do this by either releasing and renewing their IP from their service provider, if the machine used to send the spam or host the malware is physically owned and controlled by them, or by selecting a new bot, a machine from their botnet consisting of many infected machines, from which to send the spam vicariously or to host malware on the attacker’s behalf.

On an IPv4 network the attacker has a theoretical maximum of only 4 billion addresses to cycle through. This number increases manifold within an IPv6 network. The increase in the number of domain names, due to the introduction of IDNs, is also likely to add to the blacklist woes, especially when these domains originate from an IPv6 network.

Fig.9 below shows the steady rise in the number of IDNs in the first half of the year 2012. Though currently small, the numbers are expected to increase significantly over time.

Fig.9: Number of malicious IDNs crawled by K7 from January 2012 to June 2012 [10]

Another problem with respect to blacklists is the amount of disk space occupied by these lists and the time taken to look them up. Even in the case of the relatively impoverished IPv4, assuming that all 4 billion addresses get blacklisted, a flat CSV file containing all these addresses occupies a minimum of approximately 60 Gigabytes of disk space on a Unix platform [11]. Consider further the amount of time taken in creating, maintaining, and querying such a big database in real time. Such a system would be nigh on unworkable for IPv6.

To be continued…

References:
[7] Information on http://www.us-cert.gov/reading_room/IPv6Malware-Tunneling.pdf
[8] Information on http://www.cybertelecom.org/dns/ipv6_transition.htm
[9] https://blog.damballa.com/archives/438
[10] Internal data
[11] http://www.circleid.com/posts/digging_through_the_problem_of_ipv6_and_email_part_1

Lokesh Kumar
K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

The Awesome Power of Nature

Tuesday, September 2nd, 2014

No, there’s no new sobriquet for some obscure “Advanced Persistent Threat”. Instead, via the medium of this blog we at K7 Threat Control Lab would like to invite you into our space, both physical and mental, to better introduce ourselves, thus dispelling certain stereotypes associated with lab personnel.

K7 Computing is now 22 years old. Hoorah!! In celebration of this momentous milestone several departments, formed into teams, devoted space and time to decorate parts of our head office (in Chennai, INDIA) based on assigned themes.

The theme assigned to the lab team (TEAM RED) was “Nature” so we decided to depict her awesome power, highlighting the non-negotiable limits on human expropriation and control. Within the confines of the Threat Control Lab we modelled an earthquake, a tsunami, a tornado, thunder and lightning, and a volcano.

The photo below shows our version of a “volcano” constructed smack bang in the middle of the Threat Control Lab, for which we temporarily commandeered the overhead monitors that are meant to display real-time threat intelligence data:

Image courtesy of Kaarthik, Threat Researcher, K7TCL

Note, no aircraft were affected in any way by our volcano despite the tons of “aish“.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

“Now You See Me, Now You … Errr … See Me”

Wednesday, August 6th, 2014

Much has already been written about Win32/Poweliks, the touted fileless persistent malware.

The malware uses an embedded NUL within the key under the following registry path:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This non-standard use of NUL as part of the key name is not new. A similar trick was likely used by variants of more advanced malware such as ZeroAccess, when creating helper files on disk. Regedit, a usermode process, is unable to read this keyname, but it doesn’t mean the entry is invisible. In fact K7′s rootkit scanner reveals the key with ease:

The other important point is that the infection chain involves a malicious Microsoft Office document containing a dropper Windows executable file, both of which must exist on disk as normal files, albeit ephemerally, and executed before the above-mentioned registry entry can be created. This provides a fleeting opportunity to detect these vital components easily, and detect them we do as

Trojan ( 0001140e1 )

and

Trojan ( 0049882d1 )

respectively.

The techniques used by the malware to execute a JS-decoded DLL via a registry entry are indeed interesting, but there are still quite a few opportunities to flag the infection at various stages of the infection chain, including at the entry spam email stage itself. It remains to be seen if the malware evolves to employ more sophisticated techniques in future.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

https://icann-deal.with.it (Part 1)

Tuesday, July 22nd, 2014

This is the first part of a three-part blog based on my paper for AVAR 2012 that discusses the security challenges involved in adopting two relatively new technologies, namely, Internet Protocol Version 6 and Internationalized Domain Names.

The Internet landscape is about to witness profound changes with the mass adoption of Internet Protocol Version 6 (IPv6) and Internationalised Domain Names (IDNs) in the near future. While these developments have the potential to be immensely beneficial, they also present certain challenges to the security industry which need to be addressed. These changes not only increase the attack surface for malware authors and spammers, but also render traditional methods of URL and spam blocking obsolete.

The exhaustion of the 32 bit IPv4 addresses assigned by the Internet Assigned Numbers Authority (IANA) has led to the roll-out of its 128 bit successor, IPv6. This provides a significant increase in the address pool available to assign unique IP addresses, not only to computers, but also to other Internet-connected devices. Spammers and malware authors would now have a larger address space to infect and cycle through, vitiating existing methods of detecting spam/malware URLs.

The Internet Corporation for Assigned Names and Numbers (ICANN) has expanded domain names to include non-ASCII based IDNs in a user’s native language script. While these transitions have the potential to localise the global Internet, they also provide cyber criminals (spammers/phishers/malware distributors) enhanced opportunities for exploitation, especially via social engineering.

These cyber criminals will now have the ability to redirect a user to a URL with a character set unfamiliar to him/her. Given the exponential increase in the number of URLs shared among users in our socially inter-networked world, validation of these URLs by the user prima facie now becomes much more complicated, leading to a higher compromise success rate for cyber criminals.

This paper describes the imminent major changes to the Internet networking infrastructure. It attempts to explore the security challenges involved in these milestone developments and presents potential solutions to address them.

The IPv4 Clock is Ticking

The expansion of the Internet from an esoteric academic project to a publicly accessible resource, coupled with the surge of Internet enabled devices over the last decade have contributed to the shrinking pool of available IPv4 addresses.

Fig.1 depicts the number of expected Internet enabled devices and Internet users by 2016, and how they measure up with the number of IPv4 addresses available.

Fig.1: Number of connected devices & Internet users by 2016 [1]

Conservation efforts like Network Address Translation (NAT), Classless Inter Domain Routing (CIDR), reclaiming unused addresses etc., only prolonged what was unavoidable – the depletion, and eventual exhaustion, of IPv4 addresses.

Given that ICANN, which is responsible for distributing IP addresses, gave away the last block of IPv4 addresses to the five Regional Internet Registries (RIR) in early 2011 [2], the need for change is rather pressing.

IPv6 to the Rescue

This IPv4 address crunch has been anticipated for many years, and the Internet Engineering Task Force (IETF) has been working on refining IPv6, the successor to IPv4, since the early 1990s [3]. This version of the Internet Protocol can support up to 300 undecillion addresses compared to the relatively miniscule 4 billion, a number smaller than the current world population, offered by its predecessor. Apart from this massive increase in the address space, the IETF also embedded other features to IPv6 such as support for IPSec, auto-configuration of devices, etc. [4]

These benefits, along with the availability of IPv6 from ISPs, increased end-user device support & IPv6 content, will ensure the adoption of IPv6 in the years to come, eventually making it the dominant Internet Protocol.

Fig.2 shows that, as expected, the percentage of users accessing Google over a native IPv6 connection has seen a steep rise over recent times.

Fig.2: Percentage of IPv6 users accessing Google [5]

What’s in a Domain Name

The demand for Internationalised Domain Names (IDNs) has always existed in view of the fact that 60% of the countries around the world have an official language other than English [6]. ICANN, which has domain names within its remit, has recently started allowing IDNs to satisfy this unmet demand.

The introduction of IDNs allows non-ASCII character sets like Arabic, Cyrillic, Tamil, Hindi, Chinese, etc, to be included in a domain name, potentially paving the way for a truly globalised Internet.

These IDNs are converted into ASCII using Puny Code, an encoding syntax invisible to the user, which allows for standard domain name resolutions.

Fig.3 shows a domain name in English, its nonexistent IDN equivalent in the Tamil script, and the Puny Code representation of the IDN which is used for a domain name resolution.

Fig3: Domain Name, IDN, Puny Code representation

The current demand for IDNs, combined with registrars throwing them away at a price cheaper than the regular domains, could see a surge in the number of non-English sites registering domain names in their local language.

To be continued…

References:
[1] http://www.google.com/intl/en/ipv6/images/graph.png
[2] http://en.wikipedia.org/wiki/IPv6#Exhaustion_of_IPv4_addresses
[3] http://en.wikipedia.org/wiki/IPv6#Working-group_proposal
[4] Information on http://en.wikipedia.org/wiki/IPv6
[5] http://www.google.com/intl/en/ipv6/statistics.html
[6] http://en.wikipedia.org/wiki/List_of_countries_where_English_is_an_official_language

Images courtesy of icann.org & worldipv6launch.org

Lokesh Kumar
Manager, K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

Don’t Let Heartbleed Give You Nosebleed

Thursday, April 24th, 2014

Much has already been written about the infamous Heartbleed vulnerability (CVE-2014-0160), the best technical piece being on Cloudflare’s blog. Unfortunately, as always in such cases, there has also been a lot of junk spewed out causing undue panic amongst the masses. A glaring example of this was a recent article in a well-known Indian daily newspaper reprehensibly titled the “Heartbleed Virus”, at which point one ought to stop reading the article.

Heartbleed is NOT a virus! It cannot spread from machine to machine, from device to device, and it cannot directly damage your computer. That is not to say that Heartbleed is not a serious issue. It is! Rather, the gravity of the situation very much depends on who you are. If you are an average individual surfing the internet on your home computer, one could argue that Heartbleed is unlikely to affect you very much. We must perforce qualify this opinion.

Heartbleed is a vulnerability in the OpenSSL library, which is used to encrypt vast amounts of internet traffic to protect it from being snooped upon, unless the NSA is involved that is. The SSL/TLS protocols use Public Key Infrastructure (PKI) which is a proven technology for achieving Pretty Good Privacy, and hence is ubiquitous on the internet. Heartbleed, by potentially allowing the exposure of private keys on a secure webserver to a remote attacker, threatens the integrity of PKI-protected communication over a network. One could picture a heavily-reinforced steel vault, with the master key visible under the door mat outside.

It would be entities such as corporates, governments, etc, that have webservers using a vulnerable version of OpenSSL that are most at risk of potentially revealing critical confidential data, especially private keys. If you are such an entity we urge you to upgrade your version of OpenSSL immediately, and make a call on revoking and reissuing your private keys. Unfortunately attempted exploitation of Heartbleed does not necessarily leave evidence behind, and the nature of the vulnerability is such that it may be virtually impossible to tell what, if any, data has been leaked. Note, the vulnerability itself has been around for a couple of years before its discovery.

Let us now address the risk posed to the individual surfer. Although there is indeed some risk of your password and other data being leaked from some website you have logged into if the server hosting the site was being targeted, the chances are rather slim. This is because successful Heartbleed exploitation tends to reveal only ephemeral data, and on a webserver hosting a popular site with several concurrent logged-in sessions, especially one where the average individual logs out after visiting the page (assuming this frees up the session resources on the server for the next user), the probability of leaking confidential data, and that too data specifically pertaining to you, is low. Notwithstanding, to be on the safe side, you may yet wish to change your passwords if the site in question has admitted to being vulnerable earlier and has since patched the flaw. After all, based on GitHub’s advice, we in the Taggant Library Maintenance Committee (part of the IEEE Anti-Malware Support Service) did change our passwords for the following repository:

https://github.com/IEEEICSG/IEEE_Taggant_System

In addition client-side devices, including those running certain versions of Android (reportedly 4.1.0 and 4.1.1), could also be vulnerable to Heartbleed-based data leakage, and ought to be patched ASAP, even though exploitation on the client side is an even more remote possibility.

Images courtesy of:

heartbleed.com
forums.warpportal.com/index.php?/topic/131907-ragnarok-roll-cosplay

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

VAIN Vote for Industrial Action

Tuesday, April 1st, 2014

Virus Authors’ International Network (VAIN), the body looking after the interests of malware authors around the world, has unanimously voted for strike action with immediate effect. The number of malware written today, the 1st of April 2014, could be badly affected.

Otto Runn Würm, General Secretary of and spokesperson for VAIN, said

“It’s about job security, pensions, … and, of course, about better conditions in jail. Our members seek comfort at all times.”

Unfortunately malware writing services are expected to return to normal by tomorrow, if they haven’t done so already.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed

Click Without a Trace

Friday, March 2nd, 2012

The recent outbreak of the Xpaj virus in India due to the mass distribution of certain infected software provided me with an incentive to look at the virus code in a bit more detail.

Xpaj is not a new virus. It is at least a couple of years old and it has already been written about by my security industry colleagues. However there may be some space for me to provide my views on some of the technical aspects of this virus.

Xpaj is a midinfecting, polymorphic virus with a difference. Most viruses, including the common ones like Virut and Sality, leave behind clear, tell-tale signs, sometimes infection markers, in the infected host to indicate that there is something amiss. For example the entrypoint being modified to point to the last section which has rwx attributes smells somewhat rotten. Xpaj, however, is very clever in making all the modifications in the host whilst remaining extremely well camouflaged.

Changes to the code and data sections have been managed so that all looks normal:

  1. The original EP remains unchanged. Xpaj is a midinfector which patches certain relative calls in the host file’s code.
  2. There are no changes made to the attributes of any section. The required page permission changes are invoked dynamically via a call to ZwVirtualProtectMemory.
  3. Sections after the one containing the bulk of the virus are shifted down with ease, and corrections are made in the metadata areas, including relocating the resources, if any.
  4. Xpaj has no problems infecting DLLs with relocations, and can infect SYS files which run in kernel mode.
  5. Even the clusters of polymorphic virus code in the host file’s code section looks like bona fide High-Level Language (HLL) code.

Here is an example of some of the Xpaj code pointed to after judicious host-call-patching:

The above snippet conforms to HLL patterns in certain files compiled with Microsoft Visual C++ 8.

The virus code goes on to execute a mini virtual machine which does the decryption and makes the call to ZwVirtualProtectMemory before transferring control to the bulk of the virus code.

The Xpaj virus authors went through a lot of trouble, including a fair amount of QA, to develop their “product”. Xpaj is indeed a sophisticated virus. Of that there is no doubt. It demonstrates the lengths to which malware authors are prepared to go to spread obfuscated malicious code. Interestingly, a denuded Xpaj, divested of its obfuscatory vestments, is nothing more than a clicker.

Well before the outbreak, K7 customers who had their real-time scanner active would, of course, have already been protected. K7 products detect and clean Xpaj-infected files as “Virus ( 700000051 )”.

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

Malware Authors and Multiple Scanners

Friday, January 27th, 2012

One of the items on a malware authors checklist while distributing malicious code is to make sure that their malware remains undetected, for as long as possible. Scanning their creation using a multiple Anti-Virus scanning system is one among the many techniques in their arsenal which ensures just that.

Although time consuming and resource intensive, the malware author installs various Anti-Virus software and keeps them updated. The malicious files are scanned on this system before they are distributed to the victim.

For malware authors/script kiddies who can’t afford to build such a system, there are underground sites which mimic genuine online file/URL scanning services. A significant difference being, these underground sites in exchange for money, promise not to distribute the scanned files to the Anti-Virus vendors. Given below are screen shots of two such sites:

Then there are tools which incorporate multiple scanners & are distributed for free. Given below is a screen shot of one such tool:

If their malicious code is detected by the Anti-Virus vendors during the initial stage of the attack, the malware authors are quick to change their binary.

While traditional checksum based detections alone might be ineffective against such files, a combination of several detection methods, which include a behaviour based approach will prove far more effective.

R.V Shyam Charan
K7 TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

MalwAsia: In Operation Since 1986 (Part 3)

Friday, December 9th, 2011

This is the final instalment of a 3-part series representing my paper for AVAR 2011, investigating malware which have emanated from Asia, charting the likely reasons for these, and attempting to predict future trends.

Continuing from the second instalment on last week’s blog…

In the Name of Mammon

The volume of malware samples up to 2006 and the 20 years prior to that could not have totalled more than a quarter of a million. Post 2006, however, the number of malware samples discovered year-on-year has multiplied manifold, with the current number of daily samples being in the order of tens of thousands. An estimate of the gross volume of malware samples since 2007 stands at well over 52.6 million.

The modern threat landscape is heavily dominated by malware written for financial gain, and since 2007 much of this malware is believed to originate in China and Russia (and the erstwhile republics of the Soviet Union), with those in South Korea and Brazil being smaller but significant players. It must be borne in mind that tracing malware back to its true origins is a difficult exercise since it is extremely straightforward for malware to pretend to come from another country, whether based on malware hosting URL or locales within the binary samples, etc.  However, a crude analysis of recent malware samples suggests that 20% come from China, 10% come from Russia, 3% may be attributed to Brazil, and 2% are Korean. These numbers are almost certainly gross underestimates. Suffice to state that the perception that the bulk of malware, much of it with a financial motive, comes from a handful of countries is a reasonable one. However, one ought to go further in an attempt to understand the potential reasons for this geographical bias in malware origin. Let us first digress briefly to explore the nature of some of the modern threats that have emanated from Asia.

Lineage of Modern Asian Malware

The spate of Autorun worms has already been described earlier. Many of these Autorun worm families did not have an obvious link to financial gain. The motive was to morph soon enough.

During the mid-to-late 2000s Asian malware was dominated by families of High Level Language Prepender file infectors and password stealers (PWS/PSW Trojans) which are believed to originate primarily in China. These PWS Trojans targeted online games such as Lineage and World of Warcraft, supposedly popular amongst Chinese gamers. Stolen game passwords and artefacts appear to have been sufficiently in demand to warrant a black market involving the exchange of hard currency.

In more recent years the Asian malware focus has expanded to encompass mundane Distributed Denial of Service and other hacker tools, Browser Helper Objects and browser hijackers, botnets with remote Command & Control, and rootkits. Interestingly, the increase in mobile threats, e.g. for the Android platform, is believed to be fuelled by authors in Russia and China.

Dave the Malware Author

Despite the Terminator series and other sci-fi films from Hollywood, code which control machines, whether it is good or nasty, is well and truly written by humans rather than automatons or some abstract force of evil. This fact raises interesting and important questions about malware authorship and the reasons for it. There is general agreement and plenty of statistics about the volume and sources of burgeoning malware, but perhaps an insufficiently clear understanding of and explanation for the phenomenon. Of course much of the malware is written for monetary gain, however, why then are the contributions to the threat landscape so heavily influenced by geography?

Dotcom Boom


Since 2007 the number of internet users in China and Russia has more than doubled to over 420 million (>31% of the population) and 59 million (>42% of the population) users respectively. This dramatic increase in a short timeframe implies a massive investment in internet infrastructure, both network connectivity and PC hardware, and a phenomenal increase in computer literacy.

Of course, these infrastructure improvements provide the means and viability for malware production since it is now increasingly possible to create and distribute malware globally, and reap the profits. Importantly, the increasing number of internet users also provides a growing local “market” for malware, i.e. there are now many more potential victims to exploit.

Internet penetration is increasing in other parts of Asia such as India and the “Tiger Cub” nations of Indonesia, Malaysia, Philippines and Thailand. It remains to be seen if the increase in the number of internet users in these countries leads to a concomitant rise in the number of malware emanating from them.

Legal Aid

Writing and distributing malware, essentially a form of common thievery in the modern day and potentially very damaging, is or ought to be against the law. Therefore there are likely to be legal aspects, with local flavours, to the geographical trend in malware.

The cyber crime laws in the so-called “malware hubs” are considered relatively lax or poorly enforced, due to various technical and administrative reasons . The process of strengthening cyber crime laws is certainly progressing, albeit at a viscous pace according to some. It is indeed surprising that even Japan, with its government departments dedicated to monitoring and fighting cyber crime [e.g. Office of IT Security Policy, Ministry of Economy, Trade and Industry], has supposedly only just recently made malware writing illegal.

It is possible that many of the victims of modern malware have been in countries other than the alleged malware hubs. This leads to issues of international jurisdiction. Local law enforcement agencies in victim countries would struggle to prosecute overseas perpetrators, and the law enforcement agencies in possible malware hub countries may not have sufficient incentive to investigate cyber crime and prosecute offenders when the victims are outside their remit.

Reports on the arrests of cyber criminals in China and elsewhere in Asia have made the press and blogs. There have also been coordinated international law enforcement efforts to arrest and prosecute cyber criminals which have shown positive, albeit probably ephemeral, results . No doubt, there are still too many loopholes for malware writers to function with impunity, and a course correction, replete with international treaties, is warranted.

SOD’s Law?

Iniquitous growth, inadequate job and education opportunities and denial of basic human freedoms are leading to growing radicalization of the youth, intolerance and extremism.

We have no choice but to meet these challenges head-on.
-    Shree Manmohan Singh, Honourable Prime Minister of India, in his address to the UN General Assembly, 24th September 2011

Human greed has no nationality. However, the sheer scale of the migration towards following a dubious path in the malware hubs suggests possible institutional concerns. Inadequate overall legislation notwithstanding, one would assume there are other core reasons to forsake Confucian values. These core reasons constitute a “Seeds of Discontent” hypothesis.

Money, the universal means of exchange in economics, forms the rationale for malware creation and distribution, and, perforce, economics deals with the fundamentals of social welfare. Deficiencies in social welfare sow the seeds of discontent, sometimes tending to result in undesirable activities, including malware authorship, as there is a scramble to satisfy Maslow’s hierarchy of needs when resources are scarce. If indeed the core issues derive from economic indicators, then we ought to spend some time investigating them in laymen’s terms.

A few of the global malware hubs went through periods of extreme economic restructuring based on Freidmanesque rather than Keynesian principles throughout the 1990s [Naomi Klein, “The Shock Doctrine”]. The extent of the economic volte-face in a couple of cases was from chalk to cheese, or vice-versa depending on one’s perspective. It is alleged that one of the eventual key consequences of these economic restructuring programmes was the loss of jobs and livelihoods for large swathes of people.

Since the 1990s several instances of downturns in the globalised economy, including the “credit crunch” which began in 2008, could have piqued the general sense of consternation and despair. A marked increase in criminal activity, including the establishment of mafia gangs, may well have been a reaction to these unfortunate scenarios. High-tech criminal activity, in the form of cyber crime, comes to the fore when the perpetrators happen to be adept university graduates who are unable to find suitable employment in the legitimate IT sector.

Let us consider Russia, a Eurasian country, as a simple case study since candid information is freely available. Russia’s unemployment rate has averaged around 8.4% with a high of 14.6% in February, 1999. Unemployment, and possibly other social welfare, benefits are reportedly far better on paper than they are in reality, and Russia’s inflation rate, double-digit on average over recent years, can be considered high. Mr. Putin, Russia’s former president and a firm candidate to return to the Kremlin, envisages an increase of average wages and salaries by 50% to US $1,000 by 2014. An ambitious $1,000 in 3 years time fades, nay wilts, in comparison to a guaranteed monthly salary of $5,000 currently offered to write custom packers to wrap malware. Therefore the incentive for many young Russian graduates, especially those with an IT background, to contribute to the “malware industry” appears particularly strong.

It is a reasonable assumption that most people who are able to comfortably satisfy Maslow’s pyramid through legitimate means are unlikely to be tempted by malware writing, given the moral and legal implications. The corollary of this, however, would be that once a person has been “turned”, he/she might have crossed “the point of no return”, i.e. succumbed to the malaise. Nevertheless the emphasis ought to be on dissuading the next generations of youth from partaking in the malware industry. This will be no easy task given the economic policy changes that might be required under difficult globalised economic conditions.

One would wager an educated guess, indeed a lot more, that the current trend of financially motivated malware, in increasing numbers, out of Asia and elsewhere will continue unabated. The role of the IT security industry is to continue to protect customers against malware attacks, and the law enforcement agencies are expected to prosecute the perpetrators. However, for the longer term, it could be the global policy-makers who hold the key to attempt to resolve the underlying issues to stem the gushing flow of malware.

The End

Images courtesy of:
dave-broos.blogspot.com
squidoo.com
medicmagic.net
gyanvihar.org
webend.in
tattoodonkey.com
blog.envole.net
microreviews.org
nwgasbdc.blogspot.com

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

MalwAsia: In Operation Since 1986 (Part 2)

Friday, December 2nd, 2011

This is the second instalment of a 3-part series representing my paper for AVAR 2011, investigating malware which have emanated from Asia, charting the likely reasons for these, and attempting to predict future trends.

Continuing from the first instalment on last week’s blog…

The Art of Cyber War

Nation-specific Attacks

Stuxnet, a worm with a particularly venomous, damaging payload, was almost certainly targeting the Iranian nuclear establishment. Given the means and the end, if one were to consider the motive, one would have no alternative but to attribute the creation of Stuxnet to powerful nations inimical to Iran’s nuclear programme, a couple of which are in West Asia.

The use of malware as an instrument of state policy may have already been in effect for a couple decades[Rainer Fahs, keynote address, EICAR2011]. In modern times nation-to-nation attacks, alleged or otherwise, have been given considerable publicity with much finger wagging and pointing. Many of these instances of cyber warfare appear to originate in Asia, which is hardly surprising given the frosty relationships that exist between several neighbourhood countries in Asia, e.g. North Korea-South Korea, India-Pakistan, etc. Indeed, avoiding the mention of China’s alleged contribution to cyber warfare would be like ignoring the elephant in the room, and the apparent involvement of Israeli personnel most certainly deserves an explicit mention.

There have been several documented cases of nation-specific cyber attacks, some of which are potentially ongoing. These cases may be summarised as follows:

The strategic advantage offered to powerful and resourceful nations via targeted cyber attacking is highly significant. As described in Table 2, the scope of these attacks could be anything from the stealing of state secrets to the targeted damage of both government hardware and software. Critical modern infrastructure is controlled by computer systems which presents an irresistible target for cyber attacks.

The stakes and incentives involved in cyber warfare are high, and cyber attacks are unlikely to diminish in the years to come. On the contrary, cyber warfare is likely to increase manifold with an eastward shift in the balance of power in the global hegemony suggesting an increasing involvement of Asian states.

There can be little doubt that the military and intelligence establishments of various nations have wings dedicated to cyber warfare. Sun Tzu would have been proud. Given the enormous resources involved and the high-profile, targeted nature of cyber attacks, it is difficult to predict the security responses of commercial Anti-Virus companies and the general public at large. It is likely that standard civilian bodies would be largely bystanders in these events. Indeed, for every attack that is reported and documented in the public domain, there may well be several others which are kept very firmly under wraps.

However, perhaps there are some mitigating circumstances:

  1. As a diplomatic preventative measure, it is possible that there could be an international convention, perhaps UN-brokered, on cyber warfare. The US government has already been contemplating diplomatic talks with certain countries. The main issue herein could well be the difficulty in proving state versus non-state actors, a challenge even in conventional warfare where proxy militant groups have been used with impunity to perpetrate attacks across international boundaries.
  2. Standard technical measures to secure systems, including instituting prescribed system configurations and policies, may be sufficient to prevent “80 percent of commonly known cyber attacks”.

Notwithstanding, it will be interesting to track how events transpire in the future. The average citizen of the world may well have to wait for the future offerings from Hollywood or Bollywood, with their vivid imaginations, to gauge the extent of the issues dealt with by sedentary agents code named ‘0000 0000 0111’, ‘JS0N B0URN3’, etc.

Corporate Insecurities

The attacks on large, well-known corporate entities over the recent past have been much publicised. The alleged origin of some of these high-profile, ongoing, attacks lie in Asia. It is worth summarising some of these attacks, described as “Advanced Persistent Threats”, as follows:

The origin of some of the attacks mentioned in Table 3 is up for heated debate as the parties concerned accuse each other of skulduggery and conspiratorial activity. In many cases, hard evidence pointing the finger at a specific culprit is rather difficult to gather which provides a level of immunity from risk for the perpetrators.

Targeted attacks on large corporate entities could, no doubt, yield valuable information which can eventually be used for significant financial gain, whether through a transfer of intellectual property, sabotage of competitor infrastructure, or a straightforward theft of classified financial data. The perceived or real benefits from such attacks for the perpetrators provide a clear incentive to invest resources.

Under these circumstances of high reward versus relatively low risk, and given the recent record of security breaches, the trend of targeted cyber attacks against corporations looks set to continue, and probably at an increasing rate.

Malware in Societal Conflicts

Terrorism may be defined as the systematic use of coercive tactics to instil fear in a targeted group as a means to the end of a perceived political gain.

Conflicts between different groups, whether within the bounds of the same sovereign territory or across international frontiers, have existed since the dawn of mankind. Some of the high-profile modern day conflicts involve actors, “state” or “non-state”, based in Asia who resort to forms of terrorism, whose definition and application to any given scenario is highly subjective, in an attempt to seek political mileage or redress against perceived grievances.

Given the advance of technology and the ubiquity of computer systems, many in critical infrastructure, acts of terror have included or are likely to include, at an increasing rate, attacks via binary media, i.e. code, software, etc. These attacks may be described as “Cyber Terrorism”.

Groups involved in international terrorist activities, many based in Pakistan and Afghanistan, include individuals familiar with modern computer systems and communication channels. Groups such as “al-Qaeda” allegedly have a dedicated R&D wing with ‘digital specialists’ successfully exploiting smartphone platforms for the theft of sensitive data. Given the impact it would likely have in spreading anxiety, there is a possibility, nay probability, that attempts will be made to cause the targeted destruction of systems in the future, via the mass deployment of malware, in addition to data theft.

Sometimes civilian bodies have been targeted by groups which are unlikely to be described as “militant”. Rather, it is possible that the civilian bodies themselves may conform to the definition of “militant”, yet another subjective and emotive term. For example, there have been numerous, but intermittent, malware attacks on pro-Tibet groups in recent years, the ones in 2008 just before the Beijing Olympics being widely reported by the media and in various IT security blogs. Many of these attacks involve the use of documents such as PPT and PDF containing crafted exploit code (some attacks have involved browser exploits), mailed to known individuals or posted to various fora. Attacks such as these have been alleged to originate in China , but some or all of them could have involved a social engineering angle, financially motivated, to exploit the media attention attributed to societal conflicts in areas such as Palestine or Tibet . Once again, it is difficult to garner specific evidence to arraign any one party. It remains to be seen how malware might be used in the future against such groups as the number of documented incidents appears to be waning.

The security industry has played, and will continue to play, a role in mitigating and remediating many of these attacks since the victims tend to be ordinary civilians, even if specifically targeted on occasion, and visibility of such attacks is relatively high.

To final instalment…

Images courtesy of:
cyberlawsinindia.blogspot.com
mumbai.olx.in
www.warchat.org

Samir Mody
Senior Manager, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/