
Proof-of-Concept Exploit Sharing Is On The Rise

Research offers cyber defenders a view of which POC exploits are being shared and distributed by threat actors.

Approximately 12,000 references to shared proof-of-concept (POC) software exploits were generated over the last year, with significant distribution among threat actors and researchers, according to a new report. This represents nearly a 200% increase in POC references compared to 2014, culled from a wide range of sources including social media, security researcher blogs and forums, hacker chats and forums, and hidden websites on the Dark Web, according to Nicholas Espinoza, senior solutions engineer with Recorded Future and an author of the report Prove It: The Rapid Rise of 12,000 Shared Proof-of-Concept Exploits. The roughly 12,000 references were identified within Recorded Future's dataset from March 22, 2015 to the present.

For a defender that's a lot of vulnerabilities and attack vectors to track, Espinoza says. The threat intelligence company gleans POC information from hundreds of thousands of sources and ingests the data into its intelligence platform to make it searchable.

Proof-of-concept code is typically developed by security researchers, academics, and industry professionals to demonstrate vulnerabilities in software and operating systems and to show the security risk of a particular attack method. Attackers, in turn, reuse and extend that code to attack vulnerable applications, networks and systems. "With 12,000 conversations occurring about Proof-of-Concept exploits, there is certainly just too much information to cover," Espinoza says. Many security and product vendors inform customers when vulnerabilities are discovered in their software and provide patches to fix them.

The more difficult discussion, though, is determining which of the 100 vulnerabilities on my system are exploitable, Espinoza says. Vendors try their best to maintain situational awareness, and organizations such as the National Institute of Standards and Technology are working to track and identify vulnerabilities for which exploits are known to exist. However, POC exploits are developing "at such an insane speed there is no one to manage it," says Espinoza. A lot is being missed and, in many cases, only reported a week or so after the exploit is in the wild, he says.

Shared Via Social Media

The report shows that POCs are disseminated primarily via social media platforms such as Twitter. Users flag POCs hosted elsewhere, in sources including code repositories like GitHub, paste sites like Pastebin, social media sites such as Facebook and Reddit, and Chinese- and Spanish-language Deep Web forums, according to the report. Sharing of POCs makes sense: researchers and others who want to make their findings public need to post them in public-facing, high-visibility forums. "There's a significant 'echo' effect seen in the data, though, with other users retweeting or re-syndicating original content with a slightly different tweet," the report says. For a defender counting references, that echo inflates raw mention counts; the number of distinct original messages and sources is the better measure of real interest.

Vulnerabilities that give an attacker a foothold or elevated rights, chiefly privilege escalation and buffer overflow bugs, are the primary focus of POC development, the research indicates. The primary POC targets are companies that create popular consumer software and products, such as Adobe, Google, Microsoft and VMware. The underlying technologies being targeted include smartphones and office productivity software, as well as core components of Windows and Linux systems such as DNS and HTTP request handling.
Some of the top POC vulnerabilities discussed or shared over the past year include:

- CVE-2015-7547: a stack-based buffer overflow in the GNU C Library (glibc) resolver, triggerable through malicious DNS responses.
- CVE-2015-1635 / MS15-034: remote code execution in the Windows HTTP.sys kernel driver, affecting Windows Server.
- CVE-2016-0051 / MS16-016: local privilege escalation in Windows via the WebDAV client.
- CVE-2015-3456 ("VENOM"): a flaw in the QEMU virtual floppy controller used by several virtualization platforms, allowing arbitrary code execution that escapes the virtual machine.
- CVE-2015-2370 / MS15-076: local privilege escalation in the Windows Remote Procedure Call service.

The report helps "shed light on not just the classes of vulnerabilities out there, but what is the active interest in the threat actor community," says Rodrigo Bijou, an independent security researcher focused on intelligence, information security, and analytics. "It's tough to say what is signal and what is noise when you are building a threat intelligence environment, pulling feeds from all the vulnerabilities of the day," he says.

For example, a security engineer might find a vulnerability with a CVSS score of 10, which appears critical. "It might look like a gnarly vulnerability, but is it being exploited and have an interest in the threat actor community?" Bijou says. "It is hard to say what vulnerabilities are necessarily in use until you actually take a look at the adversary." So it is useful to see what is being distributed by the various types of threat actors, Bijou says.

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government.
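The report's two practical points, that retweet echo inflates reference counts and that a CVSS 10 is not the same as active attacker interest, can be turned into a small triage routine. The following is an added example and is not Recorded Future's code or data: the feed of posts and the CVSS values are constructed for illustration (look the real base scores up in NVD), and the regexes for retweet markers are an assumption about how echo shows up in a feed.

```python
"""Triage proof-of-concept chatter: pull CVE identifiers out of a stream of
posts, collapse the retweet 'echo', and rank each CVE by distinct original
messages and distinct sources rather than by raw mention count.

Added example. The posts and the CVSS table below are constructed for
illustration and are not Recorded Future data or report content."""
import re
from collections import defaultdict

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# Leading "RT @user:" chains and trailing "via @user" are the usual echo markers (assumption).
ECHO_RE = re.compile(r"^(?:RT\s+@\w+:\s*)+|\s+via\s+@\w+\s*$", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")

# Constructed sample feed of (source, text) pairs; not real posts.
SAMPLE_POSTS = [
    ("twitter:alice", "PoC for CVE-2015-7547 glibc getaddrinfo overflow https://example.invalid/poc1"),
    ("twitter:bob",   "RT @alice: PoC for CVE-2015-7547 glibc getaddrinfo overflow https://example.invalid/poc1"),
    ("twitter:carol", "RT @alice: PoC for CVE-2015-7547 glibc getaddrinfo overflow https://example.invalid/poc1"),
    ("github:dave",   "Working exploit for cve-2015-1635 (MS15-034) HTTP.sys range header"),
    ("pastebin:anon", "CVE-2015-1635 crash trigger, tested on Server 2012 R2"),
    ("forum:eve",     "Anyone have a PoC for CVE-2016-0051? WebDAV LPE"),
]

# Illustrative CVSS base scores (assumed values for the example; consult NVD for real ones).
SAMPLE_CVSS = {"CVE-2015-7547": 6.8, "CVE-2015-1635": 10.0, "CVE-2016-0051": 7.2}


def normalize(text):
    """Canonical form of a message so re-syndicated copies compare equal."""
    text = ECHO_RE.sub("", text)
    text = URL_RE.sub("", text)
    return " ".join(text.lower().split())


def triage(posts):
    """Return {cve: {'mentions', 'originals', 'sources'}} ordered by
    distinct original messages, then distinct sources (most interest first)."""
    originals = defaultdict(set)   # cve -> canonical message texts
    sources = defaultdict(set)     # cve -> posting accounts/sites
    mentions = defaultdict(int)    # cve -> raw references, echo included
    for source, text in posts:
        canon = normalize(text)
        for cve in {m.upper() for m in CVE_RE.findall(text)}:
            mentions[cve] += 1
            originals[cve].add(canon)
            sources[cve].add(source)
    rows = {
        cve: {"mentions": mentions[cve],
              "originals": len(originals[cve]),
              "sources": len(sources[cve])}
        for cve in mentions
    }
    return dict(sorted(rows.items(),
                       key=lambda kv: (kv[1]["originals"], kv[1]["sources"]),
                       reverse=True))


def prioritize(triaged, cvss, min_score=7.0, min_originals=2):
    """CVEs that are both severe on paper and actively discussed go first.
    Severe-but-quiet CVEs are returned separately so they are deprioritized,
    not dropped."""
    hot, quiet = [], []
    for cve, row in triaged.items():
        if cvss.get(cve, 0.0) < min_score:
            continue
        (hot if row["originals"] >= min_originals else quiet).append(cve)
    return hot, quiet


if __name__ == "__main__":
    ranked = triage(SAMPLE_POSTS)
    for cve, row in ranked.items():
        print(f"{cve}: {row['mentions']} mentions, {row['originals']} original messages, {row['sources']} sources")
    print("patch first / watch:", prioritize(ranked, SAMPLE_CVSS))
```

On the constructed feed the glibc bug has the most mentions but only one original message (two of the three are retweets), whereas the HTTP.sys bug has two independent originals from two different source types, so it ranks first. Distinct sources are tracked separately because a single account re-posting its own PoC across sites should not look like community-wide interest either.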

Silicon & Artificial Intelligence: The Foundation of Next Gen Data Security

Why new challenges like 'real-time, always-on' authentication and access control can only be met by a combination of smart hardware and software.

Data security is at an inflection point.

As threats faced by consumers, businesses and countries continue to grow, the need for smart security solutions that incorporate both silicon and software becomes even more important. Tackling today’s security threats means moving far beyond scanning files against a known list of threats.

This reactive model has been displaced by real-time analysis, using complex models, behavior analysis and artificial intelligence (AI) to quickly discern between valid and malicious user activity.

And behind these complex models is large-scale, high-performance computing made up of CPUs, GPUs and dedicated security silicon. Security is an engineering challenge because, to do it well, the system must weigh a number of factors, all of which demand increasing amounts of computation.

Take the most basic form of security -- authentication -- and the general concept that the person accessing data is, in fact, authorized to do so.

Traditionally, this process would involve validating a login and password, effectively matching text entry against a database. Now we see biometric authentication using fingerprint readers or facial recognition through web cameras, all of which need orders of magnitude more compute power to provide a good user experience.

Security is now a real-time problem

Authentication is an effective facet of security, and while great strides are being made in improving it, security threats persist even after user verification.

The number of new security threats detected daily is almost incomprehensible; security vendors such as F-Secure, Trend Micro and Kaspersky Lab publish real-time counters of the threats they are tracking.

These numbers should not only shock but serve to illustrate that security is a real-time problem; just because the user was authenticated two minutes ago doesn’t mean the threat has vanished.

There must be “real time, always on” security. The challenge of providing real-time security can only be met with a combination of smart hardware and software.

A growing trend in security is the use of AI and behavior analysis. One way of looking at this is that if traditional virus scanning and firewalling are the hammer and nails of security, AI and behavior analysis are the surgeon's scalpel: pinpoint accuracy backed up with deep knowledge and skill. Behavior analysis is the ability to carefully consider the behavior of a user, match it against previous activity and produce a confidence rating on whether the user is authentic. You may have already seen this in action through Google's reCAPTCHA, which uses an "advanced risk analysis engine" to validate users.

Another incarnation of this technology is set to appear in online banking, where the banks can analyze the authenticity of the user even if an attacker has the correct login and password.

To do this, the system takes into account typing characteristics, mouse movements and other user behaviors and matches them against an existing behavior profile.
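The typing-rhythm check described above is simple to sketch: enroll a profile of how long the user takes between specific key pairs, then score a new sample by how many of those latencies fall within the enrolled spread. The following is an added example, not code from AMD or from any banking or authentication vendor; the keystroke timings are constructed, and the thresholds (two standard deviations, 80% match rate, at least four compared digraphs) are assumptions chosen for illustration rather than tuned values.

```python
"""Continuous-authentication sketch in the spirit of the typing-rhythm
checks described above: build a per-user profile of digraph latencies
from enrollment samples, then score a fresh sample against it.

Added example with constructed timings; it is not code from AMD or any
vendor, and the thresholds (z_accept, min_confidence) are assumptions."""
import statistics
from collections import defaultdict


def typed(word, gaps_ms):
    """Turn a word and the press-to-press gaps between its keys into a
    keystroke list of (key, press_time_ms). len(gaps_ms) == len(word) - 1."""
    assert len(gaps_ms) == len(word) - 1
    t, events = 0, []
    for key, gap in zip(word, [0] + list(gaps_ms)):
        t += gap
        events.append((key, t))
    return events


def digraph_latencies(keystrokes):
    """{(k1, k2): [latency_ms, ...]} for every adjacent key pair."""
    out = defaultdict(list)
    for (k1, t1), (k2, t2) in zip(keystrokes, keystrokes[1:]):
        out[(k1, k2)].append(t2 - t1)
    return out


def build_profile(samples, sd_floor=5.0):
    """Mean and standard deviation of each digraph latency across enrollment.
    sd_floor keeps a digraph that was typed identically every time from
    becoming an impossible-to-match test (divide by near zero)."""
    pooled = defaultdict(list)
    for sample in samples:
        for dg, lats in digraph_latencies(sample).items():
            pooled[dg].extend(lats)
    return {dg: (statistics.mean(lats), max(statistics.pstdev(lats), sd_floor))
            for dg, lats in pooled.items() if len(lats) >= 2}


def score(profile, sample, z_accept=2.0):
    """Return (confidence, compared): the fraction of profiled digraphs in the
    sample whose latency lies within z_accept standard deviations of the
    enrolled mean, and how many were compared. confidence is None when the
    sample shares no digraphs with the profile (insufficient evidence)."""
    hits = compared = 0
    for dg, lats in digraph_latencies(sample).items():
        if dg not in profile:
            continue
        mean, sd = profile[dg]
        for lat in lats:
            compared += 1
            hits += abs(lat - mean) / sd <= z_accept
    return (hits / compared if compared else None), compared


def authenticate(profile, sample, min_confidence=0.8, min_compared=4):
    """Accept only with enough evidence and a high enough match rate."""
    confidence, compared = score(profile, sample)
    return confidence is not None and compared >= min_compared and confidence >= min_confidence


# Constructed enrollment: the same phrase typed three times by the genuine user.
ENROLLMENT = [
    typed("secret", [120, 95, 140, 110, 130]),
    typed("secret", [130, 100, 150, 115, 125]),
    typed("secret", [110, 90, 130, 105, 135]),
]
GENUINE_ATTEMPT = typed("secret", [125, 97, 145, 112, 128])
# Same password, different rhythm: the attacker has the credential but not the habit.
IMPOSTOR_ATTEMPT = typed("secret", [60, 200, 70, 250, 90])

if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    print("genuine:", score(profile, GENUINE_ATTEMPT), authenticate(profile, GENUINE_ATTEMPT))
    print("impostor:", score(profile, IMPOSTOR_ATTEMPT), authenticate(profile, IMPOSTOR_ATTEMPT))
```

Two design points carry over to real deployments. First, a sample that shares no digraphs with the profile yields "no evidence", not "authentic", which is why `authenticate` also requires a minimum number of compared pairs. Second, the standard-deviation floor matters: without it, a digraph the user happened to type with identical timing during enrollment would reject them on the first normal variation.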

This type of technology is critical if fine-grained access control is to become practical, where a single authentication event at login is no longer relied on to validate the user's session in its entirety.

Behavior analysis drives demand on backend compute systems

Behavior analysis doesn't only take place on the user's computer; the same approach is used in network threat detection, too, where it is more commonly known as network behavior detection.

The goal is the same, analyzing behavior, but doing it across an entire organization’s network.

The use of intelligent algorithms to determine whether an attack is taking place, and to learn from past usage patterns, is important, but having the processing power to crunch the data and make effective decisions before an attack can cause significant damage is critical. So while behavior analysis and AI are smart ways to tackle the challenges of security, they require significant computation power to protect the user effectively while simultaneously providing a positive user experience. We know that users who experience slow or halting security interfaces are apt to avoid or undermine the available functionality.

Achieving a favorable experience with behavior analysis technologies will place great demands on the backend compute systems that crunch the data and provide actionable answers. The silicon that powers the security back end will be a mix of CPUs, GPUs and dedicated security processors.

This combination of hardware will be backed up by a software ecosystem that allows consumers and businesses to seamlessly tap into the silicon’s security capabilities and have a good out-of-the-box experience.
It is critical that security software be able to leverage the tremendous growth in general-purpose and dedicated compute available in modern processors and systems-on-chip.

Malware, infrastructure, memory encryption & more

Rob Enderle, principal analyst at the Enderle Group, has also talked about the need for behavioral analysis in security, citing it as an important defense against the tremendous growth in vulnerabilities being discovered daily. He said, "We are seeing millions of security threats every day that attack consumers, enterprises and national infrastructure, and history shows us this number will continue to rise sharply. One of the cornerstones of a comprehensive defense in depth for this massive exposure is to utilize complex algorithms and AI that leverage compute in the datacenter to provide an intelligent adaptive solution to this massive and rapidly growing security exposure." Behavior analysis isn't merely a security tool that runs alongside existing ones; it is a key technique for improving existing tools, such as malware detection.
Software security vendors are modifying traditional security apparatuses such as anti-virus to make use of these technologies to identify and hunt emerging threats. In addition to individual consumers and businesses, smart security is vital in helping secure the nation’s infrastructure.

Compute power has long been used by nation states to further their economic development and protect their citizens; protecting intellectual property and a nation's digital borders is a frontier in advanced security research and development. As security vendors develop ever more complex threat and behavior analysis models and rely on advances in artificial intelligence research, the onus will be on silicon to power these algorithms. Whether it is running complex behavioral analysis models, implementing hardware-enabled sandboxing, memory encryption and physical attack resistance, or powering the next security innovation, the processor's silicon will help power the solution.

Mark Papermaster is chief technology officer and senior vice president at AMD, responsible for corporate technical direction, and AMD's intellectual property and system-on-chip product research and development. His more than 30 years of engineering experience includes ...

IT threat evolution in Q1 2016

Q1 figures

- According to KSN data, Kaspersky Lab solutions detected and repelled 228,420,754 malicious attacks from online resources located in 195 countries all over the world.
- 74,001,808 unique URLs were recognized as malicious by web antivirus components.
- Kaspersky Lab's web antivirus detected 18,610,281 unique malicious objects: scripts, exploits, executable files, etc.
- There were 459,970 registered notifications about attempted malware infections that aim to steal money via online access to bank accounts.
- Crypto-ransomware attacks were blocked on the computers of 372,602 unique users.
- Kaspersky Lab's file antivirus detected a total of 174,547,611 unique malicious and potentially unwanted objects.
- Kaspersky Lab mobile security products detected 2,045,323 malicious installation packages, 4,146 mobile banker Trojans and 2,896 mobile ransomware Trojans.

Overview

2016 has only just got underway, but the first three months have already seen the same number of cybersecurity events that just a few years ago would have seemed normal for a whole year.

The main underlying trends remained the same, while there was significant growth in trends related to traditional cybercrime, especially mobile threats and global ransomware epidemics. Ransomware became the main theme of the quarter after knocking targeted attacks from the top of the threat rating. Unfortunately, this situation will continue to evolve, and those behind the extortion could well end up being named "problem of the year".

Targeted attacks

BlackEnergy2/3

The BlackEnergy cyberattack on the Ukrainian energy sector was the most high-profile incident.

Although it occurred at the end of last year, a fuller picture of what happened only emerged in the course of subsequent analysis. Moreover, attempts by the attackers to mount new attacks continued in 2016. The attack was unique because of the damage it caused: the attackers managed to disable the power distribution system in Western Ukraine, launch a wiper program on the targeted systems and carry out a telephone DDoS against the technical support services of the affected companies. There were numerous publications about the attack, and Kaspersky Lab's experts revealed several aspects of the activities of the group responsible.
In particular, they published an analysis of the tool used to penetrate the systems: a malicious DOC file. For those who want to learn more about the attack, we recommend the report prepared by the SANS Institute and ICS-CERT.

Poseidon

In February, the experts at Kaspersky Lab revealed details about the activities of Poseidon, the first Portuguese-speaking targeted attack group, which had set up a custom-tailored malware boutique. Although the report was only released in 2016, the group has been operational for a long time. Malware campaigns that were most probably supported by Poseidon were detected as far back as 2005, while the first sample dates back to 2001. Poseidon's arsenal is focused primarily on the Microsoft Windows operating system family: from Windows 95, which the group targeted in its early days, to Windows 8.1 and Windows Server 2012, which were targeted by the most recently detected malware samples. The attack scenario is carefully tailored to the victim.

Although the initial infection occurs according to the same scenario, the following stages of the campaign specifically customize the infection method for each new victim.

That is why the specialists from the Global Research & Analysis Team (GReAT) decided to call Poseidon a “custom-tailored malware boutique”. Having gained access to the corporate network, the criminals move across the network and collect as much data as possible in order to escalate their privileges, create a network map and to identify the computer they need.

The main target of the attack is usually the local Windows domain controller. Once they have control over it, the attackers can steal intellectual property, data, trade secrets, and other valuable information. The information collected by Poseidon for its owners was in most cases used to blackmail victim companies into contracting the Poseidon Group as a security firm. Regardless of whether a contract was signed, Poseidon remained on the network.

Hacking Team

Yet another infamous "boutique" creating cyber-espionage tools, the Italian company Hacking Team, fell victim to a cyberattack last year in which a huge database of its employee email correspondence was stolen, as well as project source code. The incident revealed a lot of problems in the work of the company, and many thought it would be very difficult for the business to develop further. However, at the beginning of 2016 new Hacking Team implants for OS X were found.

This indicates that the group has no intention of halting its work and is continuing to develop in the sphere of secondary operating systems.

This means their "creations" will continue to be a problem for users who have become an object of interest for Hacking Team's customers. Yet another story related to Hacking Team was the hunt for a Microsoft Silverlight 0-day.
Information about the possible presence of this vulnerability was found in the Italian company’s documents.

Based on very little initial data and armed with the Yara and VirusTotal tools, our experts set a trap and waited.

And sure enough, they detected a 0-day exploit.

Operation Blockbuster

Kaspersky Lab was among the participants in Operation Blockbuster, a joint investigation conducted by several major IT security companies.

The subject of the investigation was activity by the Lazarus Group, a cybercriminal gang of supposedly North Korean origin that was involved in the attack on Sony Pictures in 2014. The Lazarus Group has been around since 2009, but their activities moved up a gear from 2011.

The group is responsible for such well-known attacks as Troy, Dark Seoul (Wiper), WildPositron.

During the investigation over 40 different types of malicious program, which they had created over the years, were detected.
In particular, the group used its malware to attack companies, financial institutions, and radio and television broadcasters. Use of exploits for 0-day vulnerabilities was also recorded.

Hospitals under attack

This section on targeted attacks should also include Sergei Lozhkin's research on how attackers can penetrate the internal network of hospitals and gain full access to patient data using publicly available tools and services. Unfortunately, medical institutions are being targeted more and more by such attacks.
In the first quarter of 2016, there were several incidents of hospital networks being infected with various types of ransomware Trojan that encrypt data and demand a ransom to decrypt it. The most recent incident was an attack on the MedStar network that affected 10 hospitals.

According to the network's official statement, the data was recovered without paying a ransom, while another hospital, in California, ended up paying $17,000 for a decryption key.

Cybercrime

Adwind

At the Security Analyst Summit 2016 (SAS 2016) our GReAT experts presented the results of their investigation into the Trojan known as Adwind RAT (Remote Access Tool). Having studied the activity of the malware, the researchers came to the conclusion that even the story behind the Trojan's creation was out of the ordinary. The Trojan was developed continuously over several years, with the first samples appearing in 2012.
It has had different names at different times: in 2012, the creators were selling it as Frutas; in 2013 it was called Adwind; in 2014 the Trojan was known as Unrecom and AlienSpy; and in 2015 it was named JSocket. The GReAT experts believe that Adwind and all its incarnations have been developed by one hard-working hacker who has been releasing new features and modules for four years. The Adwind platform was initially only available in Spanish, but an English-language interface was added later, allowing cybercriminals worldwide to evaluate it.

The main users of this Trojan are those conducting advanced cyber fraud, unscrupulous competitors, as well as so-called Internet mercenaries who are paid for spying on people and organizations online.

Adwind can also be used by anyone wishing to spy on their friends. Geographically, the biggest concentration of victims has also changed over the last four years.
In 2013, the targets were mostly in Spanish- and Arabic-speaking countries.

The following year, cybercriminals focused on Turkey and India, as well as the United Arab Emirates, the United States and Vietnam.
In 2015, Russia topped the rating with the United Arab Emirates, Turkey, the United States and Germany close behind. Fortunately, our investigation was not in vain – a few days after its publication, the JSocket website stopped working and the Adwind author ceased their activity.
Since then, no new versions of the Trojan have appeared. Perhaps we can expect another reincarnation of the Trojan, or maybe this is the end of the story.

Banking threats

At the Security Analyst Summit 2016 (SAS 2016), Kaspersky Lab announced the discovery of two new gangs engaged in APT-style bank robberies, Metel and GCMAN, and the reemergence of the Carbanak group with new targets in its sights. In 2015, Kaspersky Lab researchers conducted incident response investigations for 29 organizations located in Russia that were infected by these three groups. There are other cybercriminal groups currently attacking banks in Russia, but these three are the most active and are involved in the most high-profile thefts from both customer bank accounts and the banks themselves. The activity of Carbanak 2.0 is of particular interest.
In December 2015, Kaspersky Lab confirmed that the group was still active after discovering signs of Carbanak in a telecommunications company and a financial organization.

An interesting feature of the Carbanak 2.0 group is that they have a different type of victim.

The group has moved beyond banks and is now targeting the budgeting and accounting departments of any organization that interests them, using the same APT-style tools and techniques. In one remarkable case, the Carbanak 2.0 gang used its access to a financial institution that stored information about shareholders to change the ownership details of a major company.

The information was modified to name a money mule as a shareholder of the company, displaying their IDs.

FakeCERT

Yet another criminal gang, known as Buhtrap, came to the fore in the first quarter.
It is responsible not only for the theft of hundreds of millions of rubles from Russian banks but also for organizing a targeted attack on banks using the names and attributes of FinCERT, a special department of the Central Bank of Russia created to detect cyberattacks and notify member banks.
It was the first time that attackers had used the FinCERT "brand", and the attack was carefully prepared: a corresponding domain name was registered and the identifiers used by FinCERT were studied closely. The malicious mass mailing affected hundreds of banks in Russia.

The attackers had a database of bank employee email addresses, including names and surnames.

A legitimate remote administration tool was used as the remote access module installed on the system.

Bangladesh

On the global stage, the most prominent attack on banks was the one involving the Central Bank of Bangladesh.
It was not just the object of the attack – the Central Bank – that was remarkable but also the amount of money the attackers managed to steal, plus the amount they tried to steal but failed. The investigation is still ongoing, but according to the information that has been made public, it is possible to put together a picture of what happened.

Back in early February, the attackers managed to gain access to the workstations of several employees at the national bank. Using those employees' identities, they began to send out transfer orders for money held at other banks, including the Federal Reserve Bank of New York. With full access and posing as employees, they were able to steal approximately $80 million.

The money was transferred to accounts in the Philippines and then passed through a money-laundering scheme involving local casinos and forex brokers. Another $20 million would have been transferred to Sri Lanka, but the hackers made an error in the name of a recipient organization; this aroused the suspicion of Deutsche Bank, which was the correspondent bank of the Central Bank of Bangladesh.

An investigation found that the payment order had been initiated by the attackers, and approximately $900 million in further transfers was still waiting to be processed. It's worth noting that Bangladesh's Minister of Finance only learned about the incident a month later from the mass media.

The head of the Central Bank was forced to resign, investigators are currently trying to trace those responsible, and the bank is taking measures to recover at least some of the stolen funds.

Ransomware Trojans

As we mentioned above, ransomware Trojans were the main theme of the quarter and could well become the main problem of the year. Making the situation worse is the fact that the source code of a number of ransomware Trojans has become available to anyone with a little cyber know-how.

As a consequence, even the average script kiddie can deploy their own version of the Trojan which, together with the active use of Bitcoin for paying ransoms, makes it much easier to organize attacks with impunity. Moreover, the term Ransomware-as-a-Service (RaaS) has already come into use.

This involves the attackers offering to pay for Trojan distribution, promising a cut of any ransom money received.

The clients of these services are usually webmasters of porn sites.

There are services that work the other way round, offering a complete set of tools to a distributor, who takes responsibility for spreading the Trojan and takes 10% of the ransom as commission. According to reports from several companies, the first quarter of 2016 saw incidents where ransomware was used by a number of well-known APT groups, mainly Chinese. We also identified similar cases, and not only involving Chinese groups.
If these incidents become a trend, the threat will move to a new level because the damage caused by ransomware is not much different from that caused by Wiper-type Trojans.
In both cases, user data becomes inaccessible. In addition, ransomware Trojans are expanding their sphere of activity: in Q1 2016, CTB-Locker targeted web servers. The earlier version of CTB-Locker, the crypto-ransomware known as Onion, differed from other ransomware in that it used the Tor anonymity network to protect its command servers from takedown, since as a rule only servers at static, known addresses can be taken down.

The use of Tor also helped the malware avoid detection and blocking.

There was one more thing that protected CTB-Locker's operators: payment was only accepted in Bitcoin, a decentralized, pseudonymous cryptocurrency. The new version of this malicious program encrypts web servers and demands less than half a Bitcoin (about $150) as ransom.
If the money is not paid on time, the ransom is doubled to about $300. Once the ransom is paid, a key is generated to decrypt the web server files. However, the biggest crypto-ransomware epidemic of Q1 2016 was caused by the Trojan Locky (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Locky). This Trojan is continuing to spread; Kaspersky Lab products have recorded attempts to infect users in 114 countries around the world. To spread the Trojan, the cybercriminals use mass mailings in which malicious loaders are attached to spam messages.
Initially, the malicious spam messages carried a DOC attachment with a macro that downloaded the Locky Trojan from a remote server and executed it. At the time of writing, the malicious spam is still being sent, but instead of DOC files the attachments are now ZIP archives containing one or more obfuscated JavaScript files.
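Both loader formats in this report, the macro-carrying DOC used against the Ukrainian energy companies (BlackEnergy section above) and the two generations of Locky spam (macro document, then ZIP of JavaScript), can be caught at a mail gateway by inspecting the attachment container rather than its content. The following is an added example, not Kaspersky Lab code: the attachments are constructed in memory, and the byte-level check for a VBA project inside a legacy OLE document is a cheap first pass that a real gateway would replace with a proper OLE parser such as oletools.

```python
"""Mail-gateway attachment check for the two loader formats in this report:
Office documents carrying a VBA project (the BlackEnergy DOC, early Locky
spam) and ZIP archives of script droppers (later Locky spam).

Added example; the attachments are constructed in memory and the function
is not Kaspersky Lab code. A real gateway would hand OLE files to a proper
parser (e.g. oletools) instead of the byte-level check used here."""
import io
import os
import zipfile

SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".cmd", ".bat"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
# OLE directory entry names are stored UTF-16LE; these storages/streams exist only with a VBA project.
OLE_MACRO_STREAMS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]


def classify_attachment(filename, data):
    """Return the list of reasons to quarantine; an empty list means no match."""
    reasons = []
    if os.path.splitext(filename)[1].lower() in SCRIPT_EXTENSIONS:
        reasons.append(f"bare script attachment {filename}")

    if data.startswith(OLE_MAGIC):
        if any(s in data for s in OLE_MACRO_STREAMS):
            reasons.append("legacy Office document carries a VBA project")
        return reasons

    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        # OOXML (.docx/.docm) is itself a ZIP; the VBA project lives in a fixed part name.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("OOXML document contains a VBA project (vbaProject.bin)")
        # A plain archive delivering scripts is the Locky pattern described above.
        for n in names:
            if os.path.splitext(n)[1].lower() in SCRIPT_EXTENSIONS:
                reasons.append(f"archive contains script {n}")
    return reasons


def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware; the "dropper" is an inert string).
CLEAN_DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
MACRO_DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                       "word/vbaProject.bin": b"\x00" * 64})
LOCKY_STYLE_ZIP = make_zip({"invoice_2016-03.js": b"var a='h'+'tt'+'p';/*obfuscated dropper*/"})
CLEAN_ZIP = make_zip({"report.txt": b"nothing to see"})
MACRO_DOC = OLE_MAGIC + b"\x00" * 512 + "Macros".encode("utf-16-le") + b"\x00" * 64
PLAIN_DOC = OLE_MAGIC + b"\x00" * 512 + "WordDocument".encode("utf-16-le") + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in [("report.docx", CLEAN_DOCX), ("invoice.docx", MACRO_DOCX),
                       ("invoice.zip", LOCKY_STYLE_ZIP), ("files.zip", CLEAN_ZIP),
                       ("memo.doc", MACRO_DOC), ("memo2.doc", PLAIN_DOC)]:
        print(name, "->", classify_attachment(name, blob) or "clean")
```

The check deliberately keys on structure, not on the declared filename: a macro document renamed to .docx still contains word/vbaProject.bin, and a script inside an archive is flagged by its member name whatever the archive is called. What it does not do is recurse into nested archives or password-protected ZIPs, both of which later spam waves used precisely to defeat checks like this one.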

The messages are mostly in English, though some bilingual variants have appeared. The most significant technical innovation in ransomware was full-disk encryption (more specifically, encryption of the NTFS master file table) rather than file-by-file encryption.

This trick was used by the Petya Trojan (the fact that it has a Russian name does not necessarily mean that it was created by Russian-speaking malware writers). After encrypting the master file table, Petya shows its true face: a skull and crossbones composed of ASCII characters.

Then the typical encryptor routine begins: the Trojan demands a ransom from the victim, 0.9 Bitcoin (about $380) in this case. At this stage, the only thing that distinguishes Petya from other ransomware is the fact that it operates without an Internet connection.

This is hardly surprising though, because Petya basically “eats” the operating system, including its ability to connect to the Internet.

This means the user has to go to another computer to pay the ransom and recover their data. In March, yet another encryptor for Mac OS X was discovered: Trojan-Ransom.OSX.KeRanger.

The attackers used it to infect two BitTorrent client installers from the open-source Transmission project, which were available for download on the project's official website. Most likely, the project site was hacked and the downloadable files were replaced with malicious recompiled versions.

The KeRanger encryptor was signed with a valid Apple developer certificate and could therefore pass the Gatekeeper check.

Statistics on Trojan encryptors

Encryptors belong to the Trojan-Ransom class of malware, i.e. to ransomware.

Today, in addition to encryptors this class of malicious programs also includes so-called browser ransomware.
In the overall flow of Trojan-Ransom detections, browser ransomware accounts for 25%, mainly in Russia and the CIS.
In this section, we will not dwell on browser ransomware, but will look at malicious encryptors in more detail.

The number of new Trojan-Ransom encryptors

The following graph represents the rise in the number of newly created encryptor modifications over the last two quarters.

[Graph: Number of Trojan-Ransom encryptor modifications in Kaspersky Lab's Virus Collection (Q4 2015 vs Q1 2016)]

The overall number of encryptor modifications in our Virus Collection to date is at least 15,000. Nine new encryptor families and 2,900 new modifications were detected in Q1.

The number of users attacked by encryptors

[Graph: Number of users attacked by Trojan-Ransom encryptor malware (Q1 2016)]

In Q1 2016, 372,602 unique users were attacked by encryptors, which is 30% more than in the previous quarter.

Approximately 17% of those attacked were in the corporate sector. It is important to keep in mind that the real number of incidents is several times higher: the statistics reflect only the results of signature-based and heuristic detections, while in most cases Kaspersky Lab products detect encryption Trojans based on behavior recognition models and issue the Generic verdict, which does not distinguish between types of malicious software.

Top 10 countries attacked by encryptors

Rank. Country*: % of users attacked by encryptors**
1. Italy: 3.06%
2. Netherlands: 1.81%
3. Belgium: 1.58%
4. Luxembourg: 1.36%
5. Bulgaria: 1.31%
6. Croatia: 1.16%
7. Rwanda: 1.15%
8. Lebanon: 1.13%
9. Japan: 1.11%
10. Maldives: 1.11%

* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (fewer than 10,000).
** Unique users whose computers have been targeted by Trojan-Ransom encryptor malware as a percentage of all unique users of Kaspersky Lab products in the country.

In Q1, the first six places in the Top 10 were occupied by European countries.
Italy (3.06%) topped the rating; the most widespread encryptor family in this country was Teslacrypt (Trojan-Ransom.Win32.Bitman).
Italy was followed by the Netherlands (1.81%) and Belgium (1.58%).

Top 10 most widespread encryptor families

  #   Name                   Verdict*                                                                                                           Percentage of users**
  1   Teslacrypt             Trojan-Ransom.Win32.Bitman / Trojan-Ransom.JS.Cryptoload                                                           58.43%
  2   CTB-Locker             Trojan-Ransom.Win32.Onion / Trojan-Ransom.NSIS.Onion                                                               23.49%
  3   Cryptowall / Cryptodef Trojan-Ransom.Win32.Cryptodef                                                                                      3.41%
  4   Cryakl                 Trojan-Ransom.Win32.Cryakl                                                                                         3.22%
  5   Scatter                Trojan-Ransom.BAT.Scatter / Trojan-Downloader.JS.Scatter / Trojan-Dropper.JS.Scatter / Trojan-Ransom.Win32.Scatter 2.47%
  6   Rakhni                 Trojan-Ransom.Win32.Rakhni / Trojan-Downloader.Win32.Rakhni                                                        1.86%
  7   Locky                  Trojan-Ransom.Win32.Locky                                                                                          1.30%
  8   Shade                  Trojan-Ransom.Win32.Shade                                                                                          1.21%
  9   iTorLock / Troli       Trojan-Ransom.MSIL.Lortok                                                                                          0.84%
  10  Mor / Gulcrypt         Trojan-Ransom.Win32.Mor                                                                                            0.78%

* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

First place in Q1 was occupied by the Teslacrypt family, represented by two verdicts: Trojan-Ransom.Win32.Bitman and Trojan-Ransom.JS.Cryptoload.

The second verdict is typical for scripts that are sent out in ZIP archives as part of spam mailings.
In the past, these scripts downloaded malware such as Fareit and Cryptowall, but recently the attackers have switched to TeslaCrypt. Noticeably, in Q1 new versions of this encryptor with an improved encryption algorithm were spread this way: the authors used the “reliable” RSA-4096 instead of AES.

Second came the CTB-Locker (Trojan-Ransom.Win32 / NSIS.Onion) family.

The members of this family are usually distributed via an affiliate program, and are supported in many languages.

As mentioned above, in the first quarter of 2016, a new variant of the CTB-Locker that targets web servers only was discovered.
It has already successfully encrypted web-root files on more than 70 servers located in 10 countries.

The Trojan-Ransom.Win32.Cryptodef family, also known as Cryptowall, came third.
Its representatives, as in the case of Teslacrypt, are spread via spam mass mailings.

In fifth place is the Scatter family.

Earlier this year, a new wave of proliferation involving this encryptor via spam mailings was registered.

The emails contained a link to a JS script that was masked in order to make the user download and launch it locally.
Interestingly, when the script runs, in addition to Scatter it saves two other malicious programs to the disk: Nitol (a DDoS bot) and Pony (a Trojan designed to steal information, mostly passwords).

The Locky family, which occupied seventh place in the Q1 rating, was notable for its wide geographic spread, mainly across Europe. Located on the Tor network, the site containing the criminals’ demands supports more than two dozen languages, but not Russian or other CIS languages.

This may mean that cybercriminals are not interested in attacking victims in these countries, something that is confirmed by the KSN statistics.

Statistics

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components.

The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Mobile threats

Cybercriminals continue to develop new techniques for deceiving users.

This quarter, we identified two mobile Trojans that counter standard security mechanisms used by operating systems.

One version of Trojan-Banker.AndroidOS.Asacub overlays the regular system window requesting device administrator privileges with its own window containing buttons.

The Trojan thereby conceals the fact that it is gaining elevated privileges in the system from the user, and tricks the user into approving these privileges.

Another Trojan using a similar method is Trojan-SMS.AndroidOS.Tiny.aw.
In recent versions of Android the system asks for the user’s approval when an SMS is sent to a premium number.

The Tiny SMS Trojan overlays this dialog with its own screen without covering the buttons in the original window.

Request screen of Trojan-SMS.AndroidOS.Tiny.aw overlaying a notification about the sending of an SMS to a premium-rate number (The message states: Would you like to send a request to receive a gaming database?)

The Trojan’s request is worded so that the user will most probably agree, and thereby send an SMS to a premium-rate number without the vaguest idea of what has actually happened.

In the Q3 2015 report we mentioned the banking Trojan Trojan-Banker.AndroidOS.Marcher.

This quarter, we were able to detect new versions of Marcher which attacked nearly 40 banking apps, mostly belonging to European banks. Unlike most other mobile Trojans, Marcher uses phishing web pages rather than its own windows to overlay banking app screens.

In Q1, we saw an increase in activity by the mobile ransomware Trojan-Ransom.AndroidOS.Fusob.pac, which blocks the user’s device and demands a ransom to unblock it.
In the first three months of 2016, Fusob became the most popular mobile Trojan of this type – it accounted for over 64% of users attacked by mobile ransomware.

The total number of users attacked by mobile ransomware Trojans increased more than 1.8 times compared to the previous quarter.

The number of new mobile threats

In Q1 2016, Kaspersky Lab detected 2,045,323 malicious installation packages – this is 11 times greater than in Q4 2015, and 1.2 times more than in Q3 2015.

Number of detected malicious installation packages (Q2 2015 – Q1 2016)

Distribution of mobile malware by type

Distribution of new mobile malware by type, Q1 2016 vs. Q4 2015

In Q1 2016, adware programs continued to top the rating of detected malicious objects for mobile devices.

The share of adware programs grew 13 p.p. compared to Q4 2015 and reached 42.7%. Notably, this is lower than in Q3 2015 (52.5%). Second place is occupied by SMS Trojans, and this is the second quarter in a row that we have seen growth in the share of detections of this type of object.
In Q4 2015, the share of SMS Trojans rose dramatically from 6.2% to 19.8%, and grew by another 0.7 p.p. in Q1 2016, and amounted to 20.5%. Trojan spyware programs, with a 10% share, were right behind the SMS Trojans.

These programs steal the user’s personal data, including incoming messages (mTANs) from banks. RiskTool software, i.e. legitimate applications that are potentially dangerous to users, had occupied first or second position in this rating for nearly two years. However, starting in Q4 2015 they fell to fifth place.
In Q4 2015 their share was 5.6%, and in Q1 2016 7.4%. The share of banking Trojans continued to grow, and amounted to 1.2% in Q1 2016.

TOP 20 mobile malware programs

Please note that this ranking of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

  #   Name                                  % of attacked users*
  1   DangerousObject.Multi.Generic         73.7
  2   Backdoor.AndroidOS.Ztorg.c            11.3
  3   Trojan.AndroidOS.Iop.c                8.9
  4   Trojan.AndroidOS.Ztorg.a              8.7
  5   Trojan-Ransom.AndroidOS.Fusob.pac     6.2
  6   Trojan-Dropper.AndroidOS.Agent.ar     4.6
  7   Trojan-Clicker.AndroidOS.Gopl.a       4.5
  8   Backdoor.AndroidOS.Ztorg.b            4.3
  9   Trojan.AndroidOS.Iop.m                3.7
  10  Trojan.AndroidOS.Agent.ej             3.7
  11  Trojan.AndroidOS.Iop.q                3.5
  12  Trojan.AndroidOS.Ztorg.i              3.3
  13  Trojan.AndroidOS.Muetan.b             3.1
  14  Trojan.AndroidOS.Agent.gm             3.1
  15  Trojan-SMS.AndroidOS.Podec.a          3.1
  16  Trojan-Downloader.AndroidOS.Leech.a   3.0
  17  Trojan-Dropper.AndroidOS.Guerrilla.b  2.8
  18  Exploit.AndroidOS.Lotoor.be           2.8
  19  Backdoor.AndroidOS.Ztorg.a            2.8
  20  Backdoor.AndroidOS.Triada.d           2.4

* Percentage of users attacked by the malware in question, relative to all users attacked

First place is occupied by DangerousObject.Multi.Generic (73.7%), the verdict used for malicious programs detected by cloud technologies.

Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object.

This is basically how the very latest malware is detected. An increasing number of entries in the TOP 20 are occupied by Trojans that use advertising as their main means of monetization.

Their goal is to deliver as many advertisements as possible to the user, employing various methods, including the installation of new adware.

These Trojans may use superuser privileges to conceal themselves in the system application folder, from which they are very difficult to delete.
In Q1, 16 such programs made it into the TOP 20: three programs from the family Backdoor.AndroidOS.Ztorg, three from the family Trojan.AndroidOS.Iop, two from the family Trojan.AndroidOS.Ztorg, plus Trojan-Dropper.AndroidOS.Agent.ar, Trojan-Clicker.AndroidOS.Gopl.a, Trojan.AndroidOS.Agent.ej, Trojan.AndroidOS.Muetan.b, Trojan.AndroidOS.Agent.gm, Trojan-Downloader.AndroidOS.Leech.a, Trojan-Dropper.AndroidOS.Guerrilla.b, and Backdoor.AndroidOS.Triada.d.

Backdoor.AndroidOS.Triada is a new entry in the TOP 20 of mobile malware.

The main function of this Trojan is to redirect financial SMS transactions when the user makes online payments to buy additional content in legitimate apps.

The money goes to the attackers rather than to the software developer.

Triada is the most complex mobile malware program that we know of.
Its distinctive feature is the use of the Zygote process to implement its code in the context of all the applications on the device.

Triada penetrates virtually all applications running on the infected device, and exists only in RAM.
In addition, all the Trojan’s separately launched processes are concealed from the user and other applications.

The ransomware Trojan Trojan-Ransom.AndroidOS.Fusob.pac is in fifth place (6.2%).

This Trojan demands a $200 ransom from victims to unblock their devices.

A substantial number of the victims are located in North America (the US and Canada) and Europe (mostly in Germany, Italy, the UK, Spain and Switzerland).

Trojan-SMS.AndroidOS.Podec.a (3.1%) has spent over a year in the mobile malware TOP 20, although it is now beginning to lose ground.

Earlier it was consistently among the top 5 mobile threats, but in Q1 2016 it only made it into the bottom half of the rating.

The number of users attacked by this Trojan fell 1.7 times compared to Q4 2015.
Its functionality has remained practically unchanged; the main means of monetization is still subscribing the user to paid services.

Also making it into the rating is Exploit.AndroidOS.Lotoor.be, an exploit used to gain local super-user rights.

The geography of mobile threats

The geography of mobile malware infection attempts in Q1 2016 (percentage of all users attacked)

Top 10 countries attacked by mobile malware (ranked by percentage of users attacked)

  #   Country*      % of users attacked**
  1   China         38.2
  2   Bangladesh    27.6
  3   Uzbekistan    21.3
  4   Algeria       17.6
  5   Nigeria       17.4
  6   India         17.0
  7   Philippines   15.7
  8   Indonesia     15.6
  9   Ukraine       15.0
  10  Malaysia      14.0

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

China topped the ranking, with 38.2% of users encountering a mobile threat at least once during the quarter.

To recap, in 2015 China also came first in the ranking. In all the countries of the Top 10 except China, the most popular mobile malware was the same: advertising Trojans that appeared in the TOP 20 mobile malware, and AdWare.
In China, a significant proportion of attacks also involved advertising Trojans, but the majority of users encountered the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families. Representatives of the RiskTool.AndroidOS.SMSreg family were also popular.
If used carelessly, these programs could result in money being withdrawn from a mobile account. The safest countries are Taiwan (2.9%), Australia (2.7%) and Japan (0.9%).

Mobile banking Trojans

Over the reporting period, we detected 4,146 mobile banking Trojans, which is 1.7 times more than in the previous quarter.

Number of mobile banking Trojans detected by Kaspersky Lab solutions (Q2 2015 – Q1 2016)

Geography of mobile banking threats in Q1 2016 (number of users attacked)

The number of attacked users depends on the overall number of users within each individual country.

To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we created a country ranking according to the percentage of users attacked by mobile banker Trojans.

Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

  #   Country*      % users attacked**
  1   China         0.45
  2   Australia     0.30
  3   Russia        0.24
  4   Uzbekistan    0.20
  5   Ukraine       0.08
  6   France        0.06
  7   Belarus       0.05
  8   Turkey        0.05
  9   Japan         0.03
  10  Kazakhstan    0.03

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q1 2016, first place was occupied by China, where the majority of affected users encountered the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families of mobile banker Trojans.
In second place was Australia, where the Trojan-Banker.AndroidOS.Acecard family was replaced by the Trojan-Banker.AndroidOS.Marcher family as the most popular threat.

TOP 10 countries by the percentage of users attacked by mobile banking Trojans relative to all attacked users

An indication of how popular mobile banker Trojans are with cybercriminals in each country can be provided by the percentage of users who were attacked at least once by mobile banker Trojans during the quarter, relative to all users in the same country whose mobile security product was activated at least once in the reporting period.

This ranking differs from the one above:

  #   Country*          % users attacked**
  1   Australia         13.4
  2   Russia            5.1
  3   United Kingdom    1.6
  4   Turkey            1.4
  5   Austria           1.3
  6   France            1.3
  7   Poland            1.2
  8   China             1.1
  9   Hong Kong         1.0
  10  Switzerland       0.9

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all unique users attacked by mobile malware in the country.

To recap, Australia was among the Top 3 countries with the lowest percentage of users attacked by mobile malware. However, in this ranking Australia ended in first place: more than 13% of all users attacked by mobile malicious programs were attacked by mobile bankers. Meanwhile China, which came first in the previous ranking, ended the quarter in eighth place.
In other words, in China mobile banking Trojans are less popular with cybercriminals than other types of mobile malware.

Mobile Trojan-Ransom

In Q1 2016, we detected 2,896 mobile ransomware samples, which is 1.4 times more than in the previous quarter.

Number of mobile Trojan-Ransomware programs detected by Kaspersky Lab (Q2 2015 – Q1 2016)

TOP 10 countries attacked by Trojan-Ransomware as a percentage of attacked users:

  #   Country*          % of users attacked**
  1   Kazakhstan        0.92
  2   Germany           0.83
  3   Uzbekistan        0.80
  4   Canada            0.71
  5   Italy             0.67
  6   Netherlands       0.66
  7   United Kingdom    0.59
  8   Switzerland       0.58
  9   USA               0.55
  10  Spain             0.36

* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransom malware, relative to all users attacked by mobile malware in the country.

In all the countries of the TOP 10, except for Kazakhstan and Uzbekistan, the most popular Trojan-Ransom family was Fusob, especially its Trojan-Ransom.AndroidOS.Fusob.pac modification (note, this malicious program was fifth in the ranking of mobile threats). In Kazakhstan and Uzbekistan, which came first and third respectively, the main threat to users originated from representatives of the Small family of mobile Trojan-Ransom.

This is a fairly simple ransomware program that blocks operation of a device by overlaying all the windows on the device with its own window and demands $10 to unblock it.

Vulnerable applications used by cybercriminals

In Q1 2016, exploits for Adobe Flash Player remained popular.

During the reporting period two new vulnerabilities in this software were detected:

CVE-2015-8651
CVE-2016-1001

The first exploit pack to add support for these vulnerabilities was Angler. One notable event in the first quarter was the use of an exploit for Silverlight, CVE-2016-0034.

At the time of publication, this vulnerability is used by the Angler and RIG exploit packs. As is now traditional, some popular packs included an exploit for the Internet Explorer vulnerability CVE-2015-2419. The overall picture of the use of exploits in the first quarter looks as follows:

Distribution of exploits used in attacks by the type of application attacked, Q1 2016

As expected, we have seen a decline in the share of exploits for Java (-3 percentage points) and an increase in the use of Flash exploits (+1 p.p.).

There was also a significant increase in the percentage of exploits for Microsoft Office (+10 p.p.): this group mainly includes exploits for vulnerabilities in Microsoft Word.

This significant growth was caused by spam mailings containing these exploits. Overall, the first quarter of 2016 continued the trend of the past few years – cybercriminals are focused on exploits for Adobe Flash Player and Internet Explorer.
In our chart, the latter is included in the “Browsers” category together with detections of landing pages that “distribute” exploits.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources. In the first quarter of 2016, Kaspersky Lab’s web antivirus detected 18,610,281 unique malicious objects: scripts, exploits, executable files, etc. 74,001,808 unique URLs were recognized as malicious by web antivirus components.

Online threats in the banking sector

In the first three months of 2016, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 459,970 computers. We are witnessing a decline in financial malware activity: the figure for Q1 is 23.3% lower than in the previous quarter (597,415).

A year ago, in Q1 2015, this figure was 699,652, which translates into a 34.26% fall in the number of victims over the past year.

Number of users attacked by financial malware, Q1 2016

Geography of attacks

To evaluate and compare the degree of risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this type of threat during the reporting period in the country, relative to all users of our products in the country.

Geography of banking malware attacks in Q1 2016 (percentage of attacked users)

Top 10 countries by the percentage of attacked users

  #   Country*               % attacked users**
  1   Brazil                 3.86
  2   Austria                2.09
  3   Tunisia                1.86
  4   Singapore              1.83
  5   Russia                 1.58
  6   Venezuela              1.58
  7   Morocco                1.43
  8   Bulgaria               1.39
  9   Hong Kong              1.37
  10  United Arab Emirates   1.30

These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In Q1 2016, Brazil had the highest percentage of Kaspersky Lab users who were attacked by banking Trojans. One of the reasons for the growth of financial threats in this country was the emergence of cross-platform Trojan bankers. Noticeably, most countries in the TOP 10 have a high level of technological development and/or a well-developed banking system, which attracts cybercriminals. In Russia, 1.58% of users encountered a banking Trojan at least once in Q1 (an increase of 1 p.p. compared to the previous quarter).
In the US the figure was 0.26%; in Spain 0.84%; Italy 0.79%; Germany 0.52%; the UK 0.48%; France 0.36%.

The Top 10 banking malware families

The table below shows the Top 10 malware families most commonly used in Q1 2016 to attack online banking users:

  #   Name                              Number of users attacked
  1   Trojan-Spy.Win32.Zbot             419,940
  2   Trojan-Downloader.Win32.Upatre    177,665
  3   Trojan-Banker.Java.Agent          68,467
  4   Trojan-Banker.Win32.Gozi          53,978
  5   Trojan-Banker.Win32.BestaFera     25,923
  6   Trojan.Win32.Tinba                24,964
  7   Trojan-Banker.Win32.Banbra        22,942
  8   Trojan-Banker.AndroidOS.Agent     19,782
  9   Trojan-Banker.AndroidOS.Abacus    13,446
  10  Trojan-Banker.Win32.ChePro        9,209

Trojan-Spy.Win32.Zbot topped the ranking.
It has become a permanent resident in this ranking, and it is no coincidence that it consistently occupies a leading position.

The Trojans of the Zbot family were among the first to use web injections to compromise the payment details of online banking users and to modify the contents of banking web pages.

They encrypt their configuration files at several levels; the decrypted configuration file is never stored in memory in its entirety, but is instead loaded in parts.

The Trojan-Downloader.Win32.Upatre family of malicious programs came second in Q1 2016.

The malware is no larger than 3.5 KB in size, and is limited to downloading the payload to the victim computer, most typically a banker Trojan from the Dyre/Dyzap/Dyreza family.

The main aim of this family of banking Trojans is to steal the user’s payment details.

Dyre does this by intercepting the data from a banking session between the victim’s browser and the online banking web app, i.e. it uses the “Man-in-the-Browser” (MITB) technique. It is worth noting that the vast majority of the TOP 10 malware uses the technique of embedding arbitrary HTML code in the web page displayed by the browser and intercepting payment data entered by the user into both the original and the inserted web forms.

The TOP 3 threats in the first quarter of 2016 include cross-platform banking malware written in Java.
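The web-injection technique described above, as an added illustration: this is not code from Kaspersky Lab or from any of the banking families named in the ranking, but a simplified model of how a MITB Trojan applies the widely documented Zeus-style webinject configuration (set_url / data_before / data_inject / data_after / data_end) to a page after the browser has decrypted it, and then harvests both the original and the injected fields from the outgoing form submission. The bank URL, page markup and field names are constructed for the example.

```python
import fnmatch
import re
from urllib.parse import parse_qs

# Constructed rule in the Zeus-style webinject format; URL and field names are
# invented for this example.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
name="password"*>
data_end
data_inject
<label>PIN <input type="text" name="pin"></label>
data_end
data_after
data_end
"""

# Constructed login page exactly as the bank's server would send it.
SAMPLE_HTML = (
    '<form method="post" action="/login">\n'
    '<input name="login">\n'
    '<input type="password" name="password">\n'
    '<input type="submit" value="Log in">\n'
    '</form>'
)

SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinject_config(text: str) -> list:
    """Turn a set_url/data_* config into a list of rule dicts."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "GP"}
            current.update({s: "" for s in SECTIONS})
            rules.append(current)
        elif line in SECTIONS:
            section, buf = line, []
        elif line == "data_end" and section is not None:
            current[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def _wild(pattern: str) -> str:
    """'*' in a data_* block matches anything (non-greedy); the rest is literal."""
    return ".*?".join(re.escape(p) for p in pattern.split("*"))


def apply_webinjects(url: str, html: str, rules: list) -> str:
    """Rewrite the page the way a MITB Trojan does, just before the browser renders it:
    data_inject goes right after the data_before anchor; if data_after is given,
    everything between the two anchors is replaced by the injected markup."""
    for rule in rules:
        if not fnmatch.fnmatchcase(url, rule["url"]):
            continue
        before = re.search(_wild(rule["data_before"]), html, re.S)
        if not before:
            continue
        start = end = before.end()
        if rule["data_after"]:
            after = re.search(_wild(rule["data_after"]), html[start:], re.S)
            if not after:
                continue
            end = start + after.start()
        html = html[:start] + rule["data_inject"] + html[end:]
    return html


def harvest_post(body: str, watch=("login", "password", "pin")) -> dict:
    """Pull the original and the injected fields out of the form submission the
    Trojan sees on its way out of the browser, i.e. before TLS."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items() if k in watch}


if __name__ == "__main__":
    rules = parse_webinject_config(SAMPLE_CONFIG)
    print(apply_webinjects("https://bank.example/login?session=1", SAMPLE_HTML, rules))
    print(harvest_post("login=alice&password=hunter2&pin=1234&remember=on"))
```

Because the rewrite happens inside the browser after TLS has been stripped, the bank's server receives a perfectly normal request with one extra field; TLS on its own is no defence. Detection therefore has to look either at the client (the rendered DOM differs from the server response) or at the server (a field the real form never contained arrives in the POST).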

Brazilian cybercriminals have started actively using cross-platform Java Trojans.
In addition, Kaspersky Lab experts detected new malicious software also written in Java and used to steal financial information – Adwind RAT.

Adwind is written entirely in Java, which is why it can attack all popular platforms: Windows, Mac OS, Linux and Android.

The malicious program allows attackers to collect and extract data from the system, as well as remotely control an infected device.

To date, it is able to take screenshots, log keystrokes, steal passwords and data stored in browsers and web forms, take photos and videos via the webcam, make audio recordings using the microphone built into the device, collect general data about the user and the system, steal VPN certificates and keys from crypto currency wallets and, finally, manage SMS.

Fourth place in the TOP 10 is occupied by Trojan-Banker.Win32.Gozi, which injects itself into the running processes of popular web browsers to steal payment information.
Some samples of this Trojan can infect the MBR (Master Boot Record) and maintain their presence in the operating system even if it has been reinstalled.

One of the most interesting pieces of malware designed to steal financial data that did not make it into the TOP 10 is Gootkit.
It is written using the software platform NodeJS and has a modular architecture.

The malicious code interpreter is contained in its body; as a result, it is big – approximately 5 MB.

To steal payment data, Gootkit uses HTTP traffic interception and embeds itself in the browser. Other standard Trojan features include execution of arbitrary commands, auto-update, and capturing screenshots. However, this banking Trojan is not particularly widespread.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.).

Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual IP addresses, and then the geographical location of a specific IP address (GEOIP) is established. In Q1 2016, Kaspersky Lab solutions blocked 228,420,754 attacks launched from web resources located in 195 countries around the world. 76% of notifications on blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

Distribution of web attack sources by country, Q1 2016

Q1 saw the Netherlands take over first place (24.6%) from the US (21.44%). Russia (7.45%) and Germany (6%), which followed them, also swapped places.
Vietnam has dropped out of the Top 10, while Bulgaria is a newcomer in eighth place with 1.75%.

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter.

The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

  #   Country*      % of unique users attacked**
  1   Russia        36.28
  2   Kazakhstan    33.19
  3   China         32.87
  4   Azerbaijan    30.28
  5   Ukraine       29.96
  6   Belarus       29.16
  7   Slovenia      26.88
  8   Armenia       26.27
  9   Vietnam       25.14
  10  Moldova       24.68
  11  Kyrgyzstan    24.46
  12  Spain         24.00
  13  India         23.98
  14  Brazil        23.68
  15  Italy         22.98
  16  Algeria       22.88
  17  Lithuania     22.58
  18  Croatia       22.04
  19  Turkey        21.46
  20  France        21.46

These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

The leader of this ranking remained unchanged – it is still Russia with 36.3%.
Since the previous quarter, Chile, Mongolia, Bulgaria and Nepal have left the Top 20. Newcomers to the ranking are Slovenia (26.9%), India (24%) and Italy (23%). The countries with the safest online surfing environments included Germany (17.7%), Canada (16.2%), Belgium (14.5%), Switzerland (14%), the US (12.8%), the UK (12.7%), Singapore (11.9%), Norway (11.3%), Honduras (10.7%), the Netherlands (9.6%) and Cuba (4.5%). On average, 21.42% of computers connected to the Internet globally were subjected to at least one web attack during the three months.

This is a fall of 1.5 p.p. compared to Q4 2015.

Local threats

Local infection statistics for users’ computers are a very important indicator: they reflect threats that have penetrated computer systems by means other than the Internet, email, or network ports. Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. In Q1 2016, Kaspersky Lab’s file antivirus detected a total of 174,547,611 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus had been triggered during the quarter.

These statistics reflect the level of personal computer infection in different countries.

Top 20 countries with the highest levels of computer infection

  #   Country*      % of unique users**
  1   Somalia       66.88%
  2   Yemen         66.82%
  3   Armenia       65.17%
  4   Kyrgyzstan    64.45%
  5   Russia        64.18%
  6   Tajikistan    64.06%
  7   Bangladesh    63.00%
  8   Vietnam       61.31%
  9   Afghanistan   60.72%
  10  Kazakhstan    60.62%
  11  Nepal         59.60%
  12  Uzbekistan    59.42%
  13  Ethiopia      59.23%
  14  Ukraine       58.90%
  15  Belarus       58.51%
  16  Laos          58.46%
  17  Rwanda        58.10%
  18  Iraq          57.16%
  19  Algeria       57.50%
  20  Moldova       56.93%

These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data.

The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.
* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

Somalia became the new leader of this rating in Q1, with 66.9%.

Bangladesh, the leader for the past few quarters, dropped to seventh place (63.0%). Newcomers to this ranking are Uzbekistan in 12th place (59.4%), Ukraine in 14th place (58.9%), Belarus in 15th place (58.5%), Iraq in 18th place (57.2%) and Moldova in 20th (57.0%). The safest countries in terms of local infection risks were the Czech Republic (27.2%), Denmark (23.2%) and Japan (21.0%). An average of 44.5% of computers globally faced at least one local threat during Q1 2016, which is 0.8 p.p. more than in Q4 2015.

Petya: the two-in-one trojan

Infecting the Master Boot Record (MBR) and encrypting files is nothing new in the world of malicious programs.

Back in 1994, the OneHalf virus emerged: it infected MBRs and encrypted the disk contents. However, that virus did not extort money.
In 2011, MBR blocker Trojans began spreading (Trojan-Ransom.Win32.Mbro) that infected the MBR and prevented the operating system from loading further.

The victim was prompted to pay a ransom to get rid of the problem.
It was easy to disinfect a system infected by these blocker Trojans because, apart from the MBR, they usually didn’t encrypt any data on the disk.

Today, we have encountered a new threat that’s a blast from the past.

The Petya Trojan (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Petr) infects the MBR, preventing normal system loading, and encrypts the Master File Table (MFT), a key structure of the NT file system (NTFS), thus preventing normal access to files on the hard drive.

The infection scenario

The people spreading Petya attack their potential victims by sending spam messages containing links that download a ZIP archive.

The archive contains the Trojan’s executable file and a JPEG image.

The file names are in German (Bewerbungsunterlagen.PDF.exe, Bewerbungsmappe-gepackt.exe), are made to look like job applicants’ résumés, and target HR staff in German-speaking countries.

Contents of the archives downloaded from links in spam

The cybercriminals didn’t bother with automatic escalation of privileges: the manifest of the Trojan’s executable file contains the standard record requesting elevated rights. If the user launches Petya’s executable, Windows shows the standard UAC prompt for privilege escalation.
If the system has been properly configured by the system administrators (i.e. UAC is enabled, and the user is not working from an administrator account), the Trojan won’t be able to run any further. Unfortunately, a user who has the privileges to agree to a UAC request often underestimates the potential risks associated with launching unknown software with elevated rights.

How it works

The executable file and the packer

A Petya Trojan infection begins with the launch of the malicious executable file.

The samples of the Trojan that Kaspersky Lab received for analysis are, just like most other malware samples, protected with a customized packer. When the executable file launches, the malicious packer’s code begins to work – it unpacks the malicious DLL Setup.dll into a newly designated RAM area, and then passes control to it. Cybercriminals typically use packers to avoid detection – circumvent static signatures, trick the heuristic analyzer, etc. While investigating the Petya packer, we noticed an unusual trick used by the cybercriminals. Cybercriminals often try to create the packer in such a way that a packed malicious executable file looks as similar as possible to a regular legitimate file.
Sometimes, they take a legitimate file and substitute part of the code with malicious code. That’s what they did with Petya, with one interesting peculiarity: it was a part of the standard compiler-generated runtime DLL that was replaced with malicious code, while the function WinMain remained intact.

The illustration below shows the transition, beginning from the entry point (“start”).

As can be seen, the function that unpacks the malicious code (which we dubbed “evil”) is called from the legitimate function __calloc_crt, which is part of the runtime code.

[Figure: Diagram of transitions between the malicious packer’s functions]

Why do it that way? Obviously, the creators of the malicious packer were trying to trick an inattentive researcher or automatic analyzers: the file looks legitimate – WinMain doesn’t contain malicious code – so it’s possible that it will be overlooked.

Besides, if the breakpoint is set at WinMain during debugging, then the malicious code works (and sends the system into BSOD, as we will discuss later in detail) and execution is over before the breakpoint is even reached. Kaspersky Lab has detected Petya samples that masquerade as legitimate files written in C/C++ and in Delphi.

The malicious DLL

Setup.dll is a DLL with just one export: _ZuWQdweafdsg345312@0.
It is written in C and compiled in Microsoft Visual Studio.

The cybercriminals used an implementation of cryptographic algorithms available in the public library mbedtls (formerly polarssl).
Setup.dll is not saved to the hard drive as a separate file, but always remains in the RAM. When Setup.dll receives control, it decrypts the data contained in the section ‘.xxxx’ and then proceeds to infect the victim computer.

[Figure: The encrypted ‘.xxxx’ section containing data]

[Figure: Fragment of the decrypted data from the ‘.xxxx’ section]

At a higher degree of abstraction, the actions of Setup.dll come down to the following:

1. Re-write the boot record on the hard drive with its own malicious loader;
2. Generate a key, infection ID and other auxiliary information, and save them to the hard drive;
3. Cause a system abort and reboot, thereby passing control to the malicious loader.

Now let’s look in detail at how all of this is implemented in the Trojan.

But before doing so, we need to define the terminology used.

Hard disk sector – the minimum addressable unit of a hard drive, typically 512 bytes.

Master boot record (MBR) – the code and the data written to Sector 0. After hardware is initialized, this code is used to boot the PC. Also, this sector contains the hard disks’ partition table. A disk partitioned with MBR may have up to four primary partitions, and the maximum partition size is ~2.2 TB.

GUID Partition Table (GPT) – a more modern standard of hard drive layout. It supports up to 128 partitions, each up to 9.4 ZB in size (1 ZB = 10^21 bytes).

Now let’s return to the Trojan under review. Setup.dll can infect disks partitioned according to either the older MBR standard or the more modern GPT standard.

There are two alternative branches of execution sequences in the malicious program; the choice of execution branch depends on the data in the field PartitionStyle of the structure PARTITION_INFORMATION_EX.

[Figure: Selection of the execution branch for disk infection, depending on whether the disk has MBR or GPT partitioning]

Infecting an MBR disk

When infecting an MBR disk, Setup.dll performs the following actions:

1. Encrypts sector 0 (the original code and the MBR data) with the simple operation XOR 0x37 (ASCII ‘7’), and writes the result to sector 56;
2. Encrypts sectors 1-33 with the same operation XOR 0x37;
3. Generates configuration data for the malicious loader and writes it to sector 54;
4. Creates the verification sector 55, populated with the repeating byte 0x37;
5. Copies the disk’s NT signature and the partition table saved from the original MBR into its own first-level loader; writes the first-level malicious code to sector 0 of the disk, and writes the second-level code to sectors 34-50 (referred to here as the malicious loader);
6. Calls the function NtRaiseHardError, which causes the operating system to crash (BSOD – the ‘blue screen of death’).

When an MBR disk has been infected, the beginning of the disk has the following structure:

Sector     Content
0          First-level malicious loader
1 – 33     Encrypted sectors 1-33 (XOR 0x37)
34 – 50    Second-level malicious code
…
54         Configuration sector of the malicious program
55         Verification sector (populated with byte 0x37)
56         Encrypted original MBR code (XOR 0x37)

Infecting a GPT disk

When infecting a GPT disk, Setup.dll performs more actions:

1. Based on the Primary GPT Header data, it obtains the address of the GPT header copy;
2. Encrypts the GPT header copy with XOR 0x37;
3. Performs all the actions that are performed when encrypting an MBR disk.

When a GPT disk has been infected, the beginning of the disk has the following structure:

Sector                           Content
0                                First-level malicious loader
1 – 33                           Encrypted sectors 1-33 (XOR 0x37)
34 – 50                          Second-level malicious code
…
54                               Configuration sector of the malicious program
55                               Verification sector (populated with byte 0x37)
56                               Encrypted original MBR code (XOR 0x37)
…
Backup LBA – Backup LBA + 33     Encrypted copy of GPT Header (XOR 0x37)

Generation of configuration data

In the configuration sector (sector 54), the Trojan keeps the data it needs to encrypt MFT and decrypt it if the victim pays the ransom.

Generation of the configuration data consists of the following steps:

1. Setup.dll generates a random string that is 16 characters long [1-9, a-x, A-X]; we will call this string password;
2. Generate a pair of keys: ec_session_priv (a private key, a random large integer number) + ec_session_pub (a public key, a point on the standard elliptic curve secp192k1);
3. Calculate the session secret: session_secret = ECDH(ec_session_priv, ec_master_pub); the cybercriminals’ public key ec_master_pub is contained in the Trojan’s body;
4. Calculate aes_key = SHA512(session_secret) – only the first 32 bytes of the hash sum are used;
5. Encrypt the ‘password’ string by XORing it with the first 16 bytes of ec_session_pub: password_xor = ec_session_pub[0, 15] xor password;
6. Encrypt the result using AES-256 with the key aes_key: password_aes_encr = AES_enc(password_xor);
7. Create the array ec_session_data = [ec_session_pub, password_aes_encr];
8. Calculate base58: ec_session_data_b58 = base58_enc(ec_session_data);
9. Use the result to calculate SHA256: digest = sha256(ec_session_data_b58);
10. Create the array ec_data = [check1, check2, ec_session_data_b58], where check1 and check2 are bytes calculated by the formulas:

    a = digest[0] & 0xF;
    b = (digest[0] & 0xF) < 10;
    check1 = (digest[0] >> 4) + 0x57 + ((digest[0] >> 4) < 10 ? 0xD9 : 0);
    check2 = a + 0x57 + (b ? 0xD9 : 0);

11. Based on the ‘password’, create a key for MFT encryption;

[Figure: Pseudocode creating a key for MFT encryption]

12. Generate IV – 8 random bytes which will be used during MFT encryption;
13. Generate an infection ID and use it to create “personalized” URLs for ransom payment webpages.

Ultimately, the configuration data structure looks like this:

In C language syntax, this structure can be presented as follows:

This is what the configuration data looks like after it is written to the hard drive:

Note that if the user turns off their computer after this stage and doesn’t switch it on again, only minimum damage will be done, as it is not difficult to decrypt data encrypted with 1-byte XOR.
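To make that concrete, here is an added example (not Kaspersky Lab’s code) that checks a raw disk image for the sector layout in the tables above and reverses the XOR 0x37 stage; the image contents are constructed placeholders, and sectors 34-50 and 54 are left empty because their format is not given here.

```python
"""Triage a raw disk image for the Petya boot-sector layout and undo the XOR stage.
Added example; sector numbers follow the analysis, everything else is constructed."""

SECTOR = 512
XOR_KEY = 0x37                  # ASCII '7': the byte Setup.dll XORs sectors 0-33 with
XORED_SECTORS = range(1, 34)    # sectors 1-33 are XORed in place
VERIFY_SECTOR = 55              # 0x37 fill; Salsa20-encrypted once MFT encryption starts
ORIG_MBR_SECTOR = 56            # the original sector 0, XOR 0x37


def sector(img, n):
    """Bytes of sector n of a raw image."""
    return img[n * SECTOR:(n + 1) * SECTOR]


def xor37(data):
    """XOR with one byte is its own inverse, so this both 'encrypts' and decrypts."""
    return bytes(b ^ XOR_KEY for b in data)


def classify(img):
    """Return 'clean', 'petya-pre-mft' or 'petya-mft-encrypted'.

    Sector 56 XOR 0x37 must yield a sector ending in the MBR boot signature 55 AA;
    the state of the verification sector then tells how far the infection got.
    """
    if len(img) < (ORIG_MBR_SECTOR + 1) * SECTOR:
        return "clean"
    if xor37(sector(img, ORIG_MBR_SECTOR))[510:512] != b"\x55\xaa":
        return "clean"
    if sector(img, VERIFY_SECTOR) == bytes([XOR_KEY]) * SECTOR:
        return "petya-pre-mft"          # MFT untouched: XOR recovery is a full repair
    return "petya-mft-encrypted"        # sector 55 already Salsa20-encrypted


def recover_boot_sectors(img):
    """Copy of img with the original MBR back in sector 0 and sectors 1-33 un-XORed.

    Only the XOR stage is reversed: an encrypted MFT stays encrypted, and on a GPT
    disk the XORed backup GPT header at the backup LBA is not restored here.
    """
    if classify(img) == "clean":
        raise ValueError("Petya sector layout not found")
    out = bytearray(img)
    out[0:SECTOR] = xor37(sector(img, ORIG_MBR_SECTOR))
    for n in XORED_SECTORS:
        out[n * SECTOR:(n + 1) * SECTOR] = xor37(sector(img, n))
    return bytes(out)


def build_constructed_images():
    """Constructed 64-sector images: clean, after the XOR stage, after MFT encryption.

    Contents are synthetic placeholders shaped like the layout in the tables above;
    no real Petya code or data is included.
    """
    mbr = bytes((i * 7 + 3) & 0xFF for i in range(510)) + b"\x55\xaa"
    clean = bytearray(64 * SECTOR)
    clean[0:SECTOR] = mbr
    for n in XORED_SECTORS:                 # fake boot/partition data in sectors 1-33
        clean[n * SECTOR:(n + 1) * SECTOR] = bytes((n * 13 + i) & 0xFF for i in range(SECTOR))

    infected = bytearray(clean)
    # the first-level loader keeps the partition table and signature of the original MBR
    infected[0:SECTOR] = b"\xeb\xfe" + bytes(444) + mbr[446:512]
    for n in XORED_SECTORS:
        infected[n * SECTOR:(n + 1) * SECTOR] = xor37(sector(clean, n))
    infected[VERIFY_SECTOR * SECTOR:(VERIFY_SECTOR + 1) * SECTOR] = bytes([XOR_KEY]) * SECTOR
    infected[ORIG_MBR_SECTOR * SECTOR:(ORIG_MBR_SECTOR + 1) * SECTOR] = xor37(mbr)
    # sectors 34-50 (second-level code) and 54 (config) stay as zero placeholders

    encrypted = bytearray(infected)
    # stand-in for the Salsa20 output that replaces the 0x37 fill once MFT encryption begins
    encrypted[VERIFY_SECTOR * SECTOR:(VERIFY_SECTOR + 1) * SECTOR] = bytes(
        (i * 31 + 5) & 0xFF for i in range(SECTOR))
    return bytes(clean), bytes(infected), bytes(encrypted)


CLEAN, INFECTED, ENCRYPTED = build_constructed_images()

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("xor stage", INFECTED), ("mft stage", ENCRYPTED)):
        print(name, "->", classify(img))
    print(recover_boot_sectors(INFECTED)[:34 * SECTOR] == CLEAN[:34 * SECTOR])
```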

Therefore, a good piece of advice: if you launch an unknown file and your system suddenly crashes, showing a blue screen, you should switch off your computer and get help from a qualified specialist.

The specialist should be able to identify a Petya infection and restore the disk sectors encrypted with XOR. If, however, the computer was re-booted, then the Trojan’s third stage kicks in – the malicious code written to sectors 0 and 34–50.

The malicious loader

After rebooting, the code in sector 0 (the first-level loader) gains control.
It loads the main second-level malicious code from sectors 34–50 into the memory and passes control to it.

This code, in turn, receives information about the hard drives available in the system, searches for the disk where the configuration is written, reads the configuration data from sector 54 and, depending on the value in the field ‘config.state’, begins encryption (if the value is 0) or asks the user to enter the decryption key that they have purchased (if the value is 1).

[Figure: Fragment of code implementing the Trojan’s logic]

Encryption of MFT

The master file table (MFT) is a data structure with information about every file and directory on a volume formatted into NTFS, the file system that is used in all modern versions of Windows.

The table contains the service data required to find each file on the disk.
It can be compared to a table of contents in a book that tells you on which page to find a chapter.
Similarly, the MFT indicates which logical cluster a file is located in. It is precisely this critical area that Petya attacks.
If the value of ‘config.state’ is equal to 0 at launch, the Trojan does the following:

1. Displays a fake disk check message;
2. Reads the key ‘config.salsa_key’ from the configuration sector into a local array; sets this field to zero on the disk, and sets the ‘config.state’ field to 1;
3. Encrypts the verification sector 55 with the stream cipher Salsa20; this sector is populated beforehand with the byte 0x37 (see the section ‘Infecting an MBR disk’ above);
4. Searches for each partition’s MFT on each connected hard drive;
5. Encrypts the MFT data with the Salsa20 cipher.

Encryption is performed in parts of 8 sectors (i.e. the size of each part is 4 KB).

A counter of the encrypted parts is kept in sector 57 of the first disk. When encryption is over, it triggers a system reboot. After the reboot, Petya displays an animated image of a flashing red and white skull drawn in ASCII-art style. If the user presses any key, the Trojan displays a text which tells the victim in no uncertain terms what has happened.

Ransom demand and decryption

On this screen Petya displays links to the ransom payment webpages located in the Tor network (the addresses are specified in config.mal_urls), and the “personal decryption code” which the victim has to enter at either of the above sites.
In reality, this “code” is the content of the field ‘config.ec_data’, hyphenated every six characters. So, how do the cybercriminals plan to decrypt MFT, and are they even capable of doing so? The ‘Key:’ field on this screen accepts a text string from the user.

This string is checked for length (a 16-character long string is required), and then the Trojan uses it to calculate a 32-byte ‘salsa_key’ (following the algorithm discussed above in the section ‘Generation of configuration data’).

The Trojan then attempts to decrypt the verification sector 55 with this key, and checks that the decrypted sector is completely populated with the byte 0x37.
If it is, the key is considered correct, and Petya uses it to decrypt MFT.

Then it decrypts all starting sectors encrypted with XOR 0x37, decrypts the original MBR and prompts the user to reboot the computer. Thus, the correct string to be entered in the ‘Key:’ field is that very same ‘password’ string that is generated in the first step when the configuration data is created.

[Figure: Screen message displayed after successful decryption]

The question remains: how do the cybercriminals know this string so they can communicate it to a victim who has paid the ransom? No automatic communication with C&C servers is established during the entire infection life cycle.

The answer lies in the description of the algorithm for generating configuration data. The victim is prompted to manually enter their “personal decryption code” ec_data on the ransom payment webpage.
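As an added example, not part of the original analysis, the following parses that code back into ec_session_data_b58 and verifies the two check bytes with the formulas from the configuration-data section; SAMPLE_B58 is a constructed placeholder, and the string is assumed to be hashed as ASCII.

```python
import hashlib

# Constructed placeholder standing in for a real ec_session_data_b58 value
# (base58 of ec_session_pub + password_aes_encr); not from a real infection.
SAMPLE_B58 = "3Q5nRbvXs9ZtkE1pGJ7bdqUmHaYcW2LfNeK8vRxTsP6gDzJhAoC4yBqVwM"


def check_bytes(ec_session_data_b58):
    """check1/check2 exactly as the formulas above define them.

    digest = sha256(ec_session_data_b58); each check byte is one nibble of
    digest[0] plus 0x57, plus 0xD9 when that nibble is below 10.  The sum is
    reduced modulo 256 to fit a byte (an assumption of this example).
    """
    digest = hashlib.sha256(ec_session_data_b58.encode("ascii")).digest()
    hi, lo = digest[0] >> 4, digest[0] & 0xF      # lo is 'a' in the write-up
    check1 = (hi + 0x57 + (0xD9 if hi < 10 else 0)) & 0xFF
    check2 = (lo + 0x57 + (0xD9 if lo < 10 else 0)) & 0xFF
    # Modulo 256, a nibble n < 10 becomes n + 0x130 -> '0' + n, and n >= 10
    # becomes 0x57 + n -> 'a' + (n - 10): the two check bytes are simply the
    # lowercase hex digits of the first digest byte.
    return bytes([check1, check2])


def format_code(ec_session_data_b58):
    """Render ec_data the way the ransom screen does: check bytes, then the
    payload, hyphenated every six characters."""
    raw = check_bytes(ec_session_data_b58).decode("ascii") + ec_session_data_b58
    return "-".join(raw[i:i + 6] for i in range(0, len(raw), 6))


def parse_code(code):
    """Strip the hyphens, verify the check bytes, return ec_session_data_b58.

    A mismatch means the string was mistyped or is not a Petya identifier at all,
    which is a cheap first check when triaging a reported infection.
    """
    raw = code.replace("-", "").strip()
    if len(raw) <= 2 or not raw.isascii():
        raise ValueError("not a Petya identifier")
    payload = raw[2:]
    if raw[:2].encode("ascii") != check_bytes(payload):
        raise ValueError("check bytes do not match")
    return payload


if __name__ == "__main__":
    code = format_code(SAMPLE_B58)
    print(code)
    print(parse_code(code) == SAMPLE_B58)
```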

The cybercriminal can then perform the following actions:

1. Decode base58: base58_dec(ec_session_data_b58) = ec_session_data = [ec_session_pub, password_aes_encr];
2. Calculate session_secret = ECDH(ec_session_pub, ec_master_priv), in accordance with the Elliptic curve Diffie–Hellman properties, where ec_master_priv is a private key known to the Trojan’s creators only;
3. Calculate aes_key = SHA256(session_secret);
4. Decrypt AES-256: password_xor = AES_dec(password_encr);
5. Knowing ec_session_pub, calculate the original password based on password_xor.

The ransom payment webpage

When we visit the Tor site at the URL provided by the Trojan, we see a page that requires a CAPTCHA to be entered, after which the main ransom payment page is loaded.

The design of the page immediately catches the eye, with its hammer and sickle and the word ‘ransomware’ in pseudo-Cyrillic.
It looks like a USSR parody along the lines of the game Red Alert. This page displays a countdown clock showing when the ransom price will be doubled, as well as regularly updated links to news and publications related to Petya. When the ‘Start the decryption process’ button is pressed, you end up on a page that asks you to enter the value of ‘ec_data’, which is now called “your identifier” rather than “your personal decryption code”.
It looks like the cybercriminals still haven’t decided what to call this part. When the user enters this string, the site displays the amount of ransom in BTC, information on how to purchase bitcoins, and the address where the money should be sent. As well as that, there are two other pages on the website: FAQ and Support.

[Figure: The FAQ page]

The FAQ page is interesting in that it contains false information: in reality, RSA is not used by the Trojan in any way, at any stage of infection.

[Figure: The Support page]

On the Support page, the user is given the option of sending a message to the cybercriminals. One phrase in particular stands out: “Please write your message in english, our russian speaking staff is not always available”.

This implies that there is at least one person in the group who speaks Russian.

Geographic distribution

As we noted above, the spam messages target German-speaking victims. KSN statistics clearly show that Germany is the main target for the cybercriminals.

TOP 5 countries attacked by the Petya Trojan, by the number of attacked users:

#   Country              Number of attacked users
1   Germany              579
2   China                19
3   India                8
4   Japan                5
5   Russian Federation   5

Conclusion

After analyzing the Petya Trojan, we discovered that it is an unusual hybrid of an MBR blocker and data encryptor: it prevents not only the operating system from booting but also blocks normal access to files located on the hard drives of the attacked system. Although Petya is noticeably different from the majority of ransomware that has emerged in the recent years, it can hardly be described as a fundamentally new development. The ideas behind the Trojan have been seen before in earlier malware; the creators of Petya have simply combined them all in a single creation.

That said, it should be acknowledged that it requires a certain degree of technical skill to implement low-level code that encrypts and decrypts data prior to OS booting. Another interesting peculiarity about Petya is the pseudo-Soviet graphic design on the ransom payment website; the name of the Trojan also fits into the image of a “Russian Trojan” designed by cybercriminals.

There is no certainty as to whether the Trojan’s creators originally come from Russia or other former Soviet states; however, the text on the payment page suggests there is at least one Russian speaker in the gang. Kaspersky Lab’s products protect users from this threat: Petya’s executable files are detected with the verdict Trojan-Ransom.Win32.Petr; in addition, the behavior analyzer proactively detects even unknown versions of this Trojan with the verdict PDM:Trojan.Win32.Generic.

P.S. How to decrypt your data without paying the ransom

On April 8, some independent researchers reported that they had found a method of restoring the password without paying the ransom to the cybercriminals.

The method is based on a genetic algorithm; with the 8-byte long IV (stored in configuration sector 54) and the content of the encrypted verification sector 55, you can calculate the value of the password that generates the salsa key, which can then be used to decrypt the MFT.

US Supreme Court Approves Expanded Hacking Powers

The US Supreme Court has approved a rule change that could allow law enforcement to remotely search computers around the world.Previously, magistrate judges could order searches only within the jurisdiction of their court, often l...

Government Cybersecurity Performance, Confidence Bottoms Out

In the wake of OPM and other big gov breaches, government cybersecurity performance scores and employee confidence ratings sink through the floor. Government agencies at all levels are falling far behind the private sector in cybersecurity measures, according to a pair of recent studies.
If the damage left behind by massive breaches at the Office of Professional Management (OPM) and the Internal Revenue Service (IRS) weren't enough anecdotal evidence, now there's more data to back up government's lackluster performance.Most recently, a new study out by SecurityScorecard's research team found that local, state, and federal government agencies have the worst performance indicators among 18 industry verticals, including education, healthcare, and legal organizations--all known laggards on the cybersecurity front.

The scoring was based on SecurityScorecard's benchmarking platform, which aggregates from more than 30 million daily security-risk signals and sensors across the Web to form a picture of specific organizations and industries. Among the areas benchmarked, SecurityScorecard found that low-performing government agencies fared the worst compared to other organizations when it came to malware infection rates, network security indicators, and software patching cadence.

Among the 600 agencies included in this study, NASA fared dead last in performance scoring. "NASA’s primary threat indicators include a large number of detected malware signatures over the past 30 days, tracked P2P activity, various SSL certificate issues, and insecure open ports, varying from IMAP to Telnet to DB ports among others," the report stated. Leaders at federal agencies at least have a hunch that they aren't doing well: Another study out this month shows that cybersecurity confidence among the senior executive leadership at these agencies is at a low point.

Conducted by the Government Business Council and sponsored by Dell, this study is a follow-up to a similar one done in 2014.
Since that time, there's been a 30-point drop in the respondents who indicate they are confident or very confident in agency information security.
Similarly, there's been a 28-point drop in respondents indicating their confidence in their agency's ability to keep up with evolving cyber threats. "The federal government appears to still be in the beginning stages of constructing more robust cybersecurity strategies, and respondents cite budget constraints, slow technology acquisition processes, and bureaucratic inertia as the chief barriers to a more holistic agency cybersecurity posture," the report says. "Moving forward, agencies need to focus on tackling institutional obstacles in order to move forward with bolstering organizational cybersecurity." Ericka Chickowski specializes in coverage of information technology and business innovation.
She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

German Nuclear Plant Hit By Computer Viruses

Computer viruses have infected PCs used at a German nuclear power plant.The viruses were found on office computers and in a system used to model the movement of nuclear fuel rods.Power firm RWE said the infection posed no thre...

Kaspersky DDoS Intelligence Report for Q1 2016

Q1 events

We have selected the events from the first quarter of 2016 that, in our view, illustrate the main trends in the field of DDoS attacks and the tools used to perform them.

A record-breaking reflection DDoS attack

DDoS attacks using amplification/reflection techniques are still popular and allow cybercriminals to break their peak power records.

From a technical point of view, amplification methods are nothing new in DDoS attacks, but cybercriminals are discovering new ways and resources to enhance the capacity of their botnets.

For example, according to a recently published report, 2015 saw the largest ever DDoS attack on record at 450-500 Gbps.

DDoS attack on Trump

It’s possible that last year’s record didn’t last very long – at the very beginning of the year the official website of Donald Trump’s election campaign was subjected to DDoS attacks whose strength, according to unconfirmed sources, reached 602 Gbps.

The hacktivist group New World Hacking claimed responsibility for both incidents.

Use of the DNSSEC protocol

Criminals are increasingly using the DNSSEC protocol to carry out DDoS attacks.

The protocol is intended to minimize DNS spoofing attacks, but besides the domain data a standard DNSSEC reply also contains additional authentication information.

Thus, unlike a standard DNS reply of 512 bytes, the DNSSEC reply comes to about 4096 bytes.

Attackers exploit this feature to perform amplification DDoS attacks.

They usually use domains in the government zone .gov, because in the US such domains are required by law to maintain DNSSEC.

Pingback attacks on WordPress

Web resources powered by the WordPress content management system (CMS) are still popular with cybercriminals carrying out DDoS attacks. Popular CMS-based resources often become targets of DDoS attacks exploiting the WordPress pingback function.

The pingback function notifies the author of a post published on a WordPress site when someone else links to that post on another site running the same CMS.
If the administrator of the site running WordPress has enabled the function, all links leading to the materials published on a site can perform a so-called pingback, i.e. send a special XML-RPC request to the original site.

A huge number of pingback requests sent to the original site can cause a “denial of service”.
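An added example (not from the report) of how the target of such a flood can recognize it in its own access log: it assumes the combined log format and that each reflecting WordPress site fetches the page with a User-Agent of the form ‘WordPress/<version>; <site>; verifying pingback from <ip>’, which is how WordPress labels these verification fetches; the log lines are constructed.

```python
import re
from collections import defaultdict

# Combined log format as written by Apache/nginx with the default "combined" layout.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent a WordPress site sends when it fetches the linked page to verify a
# pingback (assumed format): 'WordPress/<version>; <site>; verifying pingback from <ip>'.
PINGBACK_UA_RE = re.compile(
    r"^WordPress/\S+; (?P<site>\S+); verifying pingback from (?P<origin>\S+)$"
)

# Constructed sample: five different WordPress sites verify pingbacks against us within
# one minute, two ordinary visitors, and one lone pingback five minutes later.
# Addresses are from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
SAMPLE_LOG = [
    '192.0.2.11 - - [06/Feb/2016:12:00:31 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" '
    '"WordPress/4.4; http://blog-a.example; verifying pingback from 198.51.100.7"',
    '192.0.2.12 - - [06/Feb/2016:12:00:32 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" '
    '"WordPress/4.3.1; http://blog-b.example; verifying pingback from 198.51.100.7"',
    '203.0.113.5 - - [06/Feb/2016:12:00:34 +0000] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"',
    '192.0.2.13 - - [06/Feb/2016:12:00:35 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" '
    '"WordPress/4.4; http://blog-c.example; verifying pingback from 198.51.100.7"',
    '192.0.2.14 - - [06/Feb/2016:12:00:40 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" '
    '"WordPress/4.2.2; http://blog-d.example; verifying pingback from 198.51.100.7"',
    '203.0.113.6 - - [06/Feb/2016:12:00:41 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/48.0"',
    '192.0.2.15 - - [06/Feb/2016:12:00:55 +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" '
    '"WordPress/4.4; http://blog-e.example; verifying pingback from 198.51.100.7"',
    '192.0.2.30 - - [06/Feb/2016:12:05:02 +0000] "GET /post/2 HTTP/1.1" 200 4096 "-" '
    '"WordPress/4.4; http://blog-f.example; verifying pingback from 203.0.113.9"',
]


def parse_line(line):
    """Fields of one combined-format line, or None when it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def pingback_events(lines):
    """Yield (minute, reflecting site, claimed submitter ip) for each verification fetch."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = PINGBACK_UA_RE.match(rec["ua"])
        if ua is None:
            continue
        minute = rec["ts"][:17]       # '06/Feb/2016:12:00' from '06/Feb/2016:12:00:31 +0000'
        yield minute, ua.group("site"), ua.group("origin")


def pingback_buckets(lines):
    """Per minute: the set of distinct WordPress sites that verified a pingback."""
    buckets = defaultdict(set)
    for minute, site, _origin in pingback_events(lines):
        buckets[minute].add(site)
    return buckets


def flag_flood(lines, min_sites=3):
    """Minutes in which at least min_sites different WordPress sites hit us at once.

    One or two verification fetches is someone linking to a post; many different
    sites in the same minute is the reflection pattern described above.
    """
    return sorted(m for m, sites in pingback_buckets(lines).items() if len(sites) >= min_sites)


def pingback_origins(lines):
    """IPs the reflectors say submitted the pingbacks; the value to report to their admins."""
    return {origin for _minute, _site, origin in pingback_events(lines)}


if __name__ == "__main__":
    print("flood minutes:", flag_flood(SAMPLE_LOG))
    print("claimed submitters:", sorted(pingback_origins(SAMPLE_LOG)))
```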

This feature continues to attract the attention of cybercriminals and helps them perform DDoS attacks at the application level.

Linux Mint hacking

On 21 February 2016, the head of Linux Mint, Clement Lefebvre, reported that someone had managed to hack the project infrastructure including its official website and forum, and substituted the link to the legitimate ISO image of the Linux Mint 17.3 Cinnamon edition with their own URL.

The hacker’s modified ISO contained malicious code that used infected machines to perform DDoS attacks.

Attacks on security companies

Cybercriminals also target companies working in information security, with most of the major players – especially those offering anti-DDoS services – having to regularly combat DDoS attacks on their resources.

These attacks can’t cause much damage because all these resources are well-protected, but that doesn’t stop the cybercriminals. In general, cybercriminals don’t go all out to bring down an IT security company’s site.

The attacks tend not to last long, and in most cases, they are terminated as soon as the source notices that protection systems are working.

The cybercriminals don’t want to waste their botnet resources when they could be earning money elsewhere. Nevertheless, the attacks continue. Analysis of the correspondence on underground forums suggests that the criminal fraternity uses the websites of IT security companies as a test bed, i.e. to test new methods and tools.

This approach is no worse than others, but it does give us some valuable information.
If worldwide DDoS statistics show the current state of things, then attacks on IT security companies allow us to some extent to predict the future of DDoS. Data on the tactics, strength and types of attacks targeting Kaspersky Lab sites also allows us to forecast the trends in the DDoS industry for the coming months. Once again, we have had to deal with amplification attacks.

Their number has declined slightly compared to last year, but their maximum strength has increased fourfold.

This confirms the trend of a general strengthening of these attacks – the criminals have to increase the strength to overcome protection measures used by Internet providers and information security companies.
In our case, none of these attacks led to our sites being unavailable. Considering the number of attacks on Kaspersky Lab resources in the first quarter of 2016, the “cream” of the cybercriminal community has gone back to the good old methods of attacks at the application level.

Already in the first quarter of this year, we combated several times more HTTP(s) attacks than we did in the whole of 2015.
Interestingly, there were several application-layer attacks performed simultaneously against a number of Kaspersky Lab resources.

The strength of the DDoS resources was spread between several targets, reducing the effect on each target.

This is most probably because the aim was not to disrupt Kaspersky Lab’s sites but to test tools and to see how we responded.

The longest attack of this type lasted less than six hours. We can assume that the proportion of Data Link layer attacks will gradually decline, and application-layer and multi-layer attacks (a combination of hardware and application-layer attacks) will come to the fore. Powerful UDP amplification attacks came into general use a few years ago and are still a favorite tool of cybercriminals.

The reasons for their popularity are clear: they are relatively easy to perform, they can be very powerful with a relatively small botnet, they often involve a third party, and it is extremely difficult to detect the source of the attack. Although in Q1 of 2016 our Kaspersky DDoS Prevention service continued to combat UDP amplification attacks, we believe that they will gradually disappear.

The once daunting task of combining the efforts of Internet providers and IT security companies to effectively filter the junk traffic generated by UDP attacks is almost solved. Having faced the risk of their main channels being clogged up due to large volumes of UDP packets, providers have acquired the necessary equipment and skills and cut this traffic off at the root.

This means amplification attacks on a Data Link Layer are becoming less effective and, as a result, less profitable. To execute application-layer attacks on web services, large botnets or several high-performance servers and a wide output channel are required, as well as thorough preparatory work to study the target and find its vulnerabilities. Without this, they are ineffective.
If the application-layer attack is carried out properly, it is difficult to counter it without blocking access to legitimate users – malicious requests look authentic and every bot faithfully fulfills the connection procedure.

The only anomaly is the high demand for the service. We registered these sorts of attempts in the first quarter.

This suggests that the DDoS market has developed so that complex, expensive attacks are becoming cost-effective, and better qualified cybercriminals are trying to make money using them. Moreover, there is a real danger of these methods being used by cybercriminals en masse – the more popular the technique, the more tools are offered for it on the black market.

And if application-layer attacks really do become widespread, we should expect to see a growth in the number of customers for this type of DDoS attack and more competent attackers.

Statistics for botnet-assisted DDoS attacks

Methodology

Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity.

The company’s experts monitor botnet activity with the help of the DDoS Intelligence system. The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data. This report contains the DDoS Intelligence statistics for the first quarter of 2016. In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours.
If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack.

Attacks on the same web resource from two different botnets are also regarded as separate attacks. The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses.
In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics. It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab.
It should also be highlighted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q1 Summary

In Q1, resources in 74 countries were targeted by DDoS attacks (vs. 69 in Q4 of 2015). 93.6% of the targeted resources were located in 10 countries. China, the US and South Korea remained the leaders in terms of number of DDoS attacks and number of targets.

France and Germany were newcomers to the Top 10. The longest DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days) which is far less than the previous quarter’s maximum (13.9 days). Multiple attacks on the same target became more frequent (up to 33 attacks on one resource during the reporting period). SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios, while the number of UDP attacks continues to fall from quarter to quarter. Overall, command servers remained located in the same countries as the previous quarter, but Europe’s contribution increased – the number of C&C servers in the UK and France grew noticeably.

Geography of attacks

In Q1 2016, the geography of DDoS attacks narrowed to 74 countries. 93.6% of targeted resources were located in 10 countries.

[Figure: Distribution of DDoS attacks by country, Q1 2016 vs. Q4 2015]

The Top 3 most targeted countries remained unchanged. However, South Korea’s share grew from 18.4% to 20.4% while the US’s contribution dropped by 2.2 percentage points.

Also of note is the fact that Q1 2016 saw an increase in the number of attacks targeting resources in Ukraine, from 0.3% to 2.0%. The statistics show that 94.7% of all attacks had targets within the Top 10 most targeted countries.

Distribution of unique DDoS attack targets by country, Q1 2016 vs. Q4 2015

The number of targets in South Korea increased by 3.4 percentage points.

China’s share fell from 50.3% in Q4 2015 to 49.7% in the first three months of 2016.

The United States' share also decreased (9.6% in Q1 2016 vs. 12.8% in Q4 2015).

Despite the change in figures, South Korea, China and the US maintained their positions in the Top 3, coming well ahead of all other countries. The first quarter of 2016 saw Ukraine enter the Top 5 DDoS targets: its share grew from an insignificant 0.5% at the end of last year to 1.9% in Q1 2016. Taiwan and the Netherlands' shares fell 0.8 and 0.7 percentage points respectively, meaning both dropped out of the Top 10 most attacked countries.

Changes in DDoS attack numbers

In Q1 2016, DDoS activity was distributed more or less evenly, with the exception of one peak on 6 February.

The peak number of attacks in one day was 1,272, recorded on 31 March.

Number of DDoS attacks over time in Q1 2016 (DDoS attacks may last for several days; in this timeline the same attack can be counted several times, i.e. once for each day of its duration)

As in the previous quarter, Monday (16.5% of attacks) was the most active day of the week for DDoS attacks.
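The counting rules stated above (one attack per botnet per target, targets counted as unique IPs, and a timeline in which a multi-day attack is counted once for every day it spans) are easy to get wrong when reproducing such statistics from your own flow or C&C telemetry. The following is an added example, not Kaspersky Lab's DDoS Intelligence code: it applies those rules to a constructed set of attack records and also derives the per-type, per-duration and day-of-week distributions the report presents. The record fields, the botnet labels and the duration buckets (at most 4 hours, 4 to 24 hours, longer) are assumptions for illustration.

```python
"""Aggregate DDoS attack records using the counting rules the report states.

Added example, not Kaspersky Lab's code. Rules implemented, as given in the
text: attacks on one target from two different botnets are separate attacks;
the number of targets is the number of unique target IP addresses; a per-day
timeline counts an attack once for every calendar day it spans, so the
timeline total exceeds the attack total when attacks run for several days.
The records, botnet labels and duration buckets are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attack:
    target: str       # victim IP address
    botnet: str       # botnet identifier (assumed label from C&C tracking)
    kind: str         # attack scenario: SYN, TCP, HTTP, UDP, ICMP
    start: datetime
    end: datetime

    @property
    def hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600


# Constructed sample records: (target, botnet, kind, start, end).
SAMPLE_ROWS = [
    ("203.0.113.10", "botA", "SYN",  "2016-03-30 22:00", "2016-03-31 06:00"),
    ("203.0.113.10", "botB", "HTTP", "2016-03-31 01:00", "2016-03-31 03:00"),
    ("198.51.100.7", "botA", "TCP",  "2016-03-31 10:00", "2016-04-02 12:00"),
    ("198.51.100.7", "botA", "UDP",  "2016-04-03 13:00", "2016-04-03 13:30"),
    ("192.0.2.44",   "botC", "SYN",  "2016-04-01 00:00", "2016-04-01 04:00"),
]


def parse(rows):
    fmt = "%Y-%m-%d %H:%M"
    return [Attack(t, b, k, datetime.strptime(s, fmt), datetime.strptime(e, fmt))
            for t, b, k, s, e in rows]


def unique_targets(attacks):
    """Targets are counted by unique IP, however many attacks hit each one."""
    return len({a.target for a in attacks})


def attacks_per_target(attacks):
    """Repeat attacks on one resource (the report's 'up to 33 attacks')."""
    return Counter(a.target for a in attacks)


def longest_hours(attacks):
    return max(a.hours for a in attacks)


def type_shares(attacks):
    """Percentage of attacks per scenario, one decimal, as in the report."""
    counts = Counter(a.kind for a in attacks)
    return {k: round(100 * n / len(attacks), 1) for k, n in counts.items()}


def duration_buckets(attacks):
    """Share of attacks lasting at most 4 hours, 4-24 hours, or longer (assumed buckets)."""
    buckets = Counter()
    for a in attacks:
        if a.hours <= 4:
            buckets["<=4h"] += 1
        elif a.hours <= 24:
            buckets["4-24h"] += 1
        else:
            buckets[">24h"] += 1
    return {k: round(100 * n / len(attacks), 1) for k, n in buckets.items()}


def daily_timeline(attacks):
    """Attacks active per calendar day; a multi-day attack is counted on each day."""
    days = Counter()
    for a in attacks:
        day = a.start.date()
        while day <= a.end.date():
            days[day] += 1
            day += timedelta(days=1)
    return dict(sorted(days.items()))


def weekday_shares(attacks):
    """Day-of-week distribution computed over the timeline (attack-days)."""
    timeline = daily_timeline(attacks)
    total = sum(timeline.values())
    per_day = Counter()
    for day, n in timeline.items():
        per_day[day.strftime("%A")] += n
    return {d: round(100 * n / total, 1) for d, n in per_day.items()}


if __name__ == "__main__":
    attacks = parse(SAMPLE_ROWS)
    print("attacks:", len(attacks), "targets:", unique_targets(attacks))
    print("longest (h):", longest_hours(attacks))
    print("per target:", dict(attacks_per_target(attacks)))
    print("by type (%):", type_shares(attacks))
    print("by duration (%):", duration_buckets(attacks))
    print("timeline:", {str(d): n for d, n in daily_timeline(attacks).items()})
    print("by weekday (%):", weekday_shares(attacks))
```

On the sample data five attacks produce eight attack-days in the timeline, which is exactly the double counting the footnote warns about; any comparison between "number of attacks" and "attacks per day" figures has to keep the two units apart.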

Thursday moved up to second (16.2%).

Tuesday, which was second in Q4 2015, fell from 16.4% to 13.4% and became the quietest day of the week in terms of DDoS attacks.

Distribution of DDoS attack numbers by day of the week

Types and duration of DDoS attacks

The ranking of the most popular attack methods remained constant from quarter to quarter.

Those used most often were the SYN DDoS method, although its share fell compared to the previous quarter (from 57.0% to 54.9%), and TCP DDoS, which fell by 0.7 percentage points.

The proportion of ICMP DDoS attacks grew significantly, rising to 9%; however, it did not affect the order of the Top 5.

Distribution of DDoS attacks by type

Noticeably, the figure for UDP DDoS has fallen continually over the last year: from 11.1% in Q2 2015 to 1.5% in Q1 2016. Like the previous quarter, about 70% of attacks lasted no more than 4 hours.

At the same time, the maximum duration of attacks decreased considerably.

The longest DDoS attack in the last quarter of 2015 lasted for 333 hours; in Q1 2016, the longest registered attack ended after 197 hours.

Distribution of DDoS attacks by duration (hours)

C&C servers and botnet types

In Q1, South Korea remained the leader in terms of the number of C&C servers located on its territory, with its share growing from 59% in the previous quarter to 67.7% in the first quarter of 2016. China came second; its share grew from 8.3% to 9.5%.

As a result, China pushed the US down to third (6.8% vs 11.5% in Q4 of 2015).

For the first time during the reporting period France appeared in the Top 10 countries hosting the most C&C servers.

This correlates with the increased number of attacks in the country.

Distribution of botnet C&C servers by country in Q1 2016

99.73% of DDoS targets in Q1 2016 were attacked by bots belonging to one family.

Cybercriminals launched attacks using bots from two different families (used by one or more botnet masters) in just 0.25% of cases.
In 0.01% of cases three or more bot families were used, mainly Sotdas, Xor and BillGates.

Correlation between attacks launched from Windows and Linux botnets

When it came to the number of attacks launched from Windows and Linux botnets in Q1 2016, Windows-based botnets were the clear leader.

For the third quarter in a row, the difference between the share of Windows- and Linux-based attacks was approximately 10 percentage points.

Conclusion

The events of the first quarter of 2016 once again demonstrated that attackers are not resting on their laurels and are increasing the computing resources they bring to DDoS attacks.

Amplification scenarios, which have de facto become the standard tool for carrying out a powerful attack, exploit design weaknesses in network protocols and in the services that implement them, and new protocols keep being added to the attackers' repertoire.

The reasons for an attack can vary: from disrupting pre-election campaigns and attacking candidates’ resources to showdowns between competitors on the black market.

There have been frequent incidents of DDoS attacks targeting the very organizations that specialize in countering them. With the spread of vulnerable devices and workstations and the abundance of configuration drawbacks at the application level, the cost of a significant attack is going down.

Therefore, reliable protection is needed to ensure these attacks are financially unviable for the criminals.

Pro-ISIS Hacking Groups Growing, Unifying, But Still Unskilled

Flashpoint report outlines the patchwork of hacking groups and the validity of their claims to fame. Although ISIS has not officially acknowledged or laid claim to a hacktivist group, there are several acting on the terrorist organization's behalf. New groups are emerging at an accelerating rate, others are joining forces, and they are expanding their list of targets, but thankfully their capabilities are currently unsophisticated, according to a new report by Flashpoint. The groups are low on homegrown hacking talent and have had little success recruiting highly skilled attackers to the cause.

The most skilled hackers known to be connected to these groups:

Junaid Hussain (a.k.a. Abu Hussain al-Brittani, a.k.a. "TriCk"), British citizen and previously a member of TeaMp0isoN. Served time in a British prison for hacking Tony Blair. Upon release, fled the United Kingdom to fight with ISIS. Became leader of Cyber Caliphate Army, the first pro-ISIS hacking squad. Killed by an American drone strike in Raqqa in August 2015.

Ardit Ferizi (a.k.a. "Th3Dir3ctorY"), Kosovo citizen. Believed to be the leader of the Kosova Hacker's Security (KHS) hacking group, which is not a pro-ISIS group. Ferizi allegedly hacked an unnamed victim organization, stole personal data, including physical location, of approximately 1,350 U.S. government and military personnel, then passed it to Hussain. Hussain then published it on Twitter, with a message encouraging attacks on the individuals (and branding the data dump for "Islamic State Hacking Division," not Cyber Caliphate Army). Ferizi was arrested in October and is the first person to face charges of cyber terrorism in the U.S. courts. If convicted, he faces up to 35 years in prison.

Siful Haque Sujan, British-educated Bangladeshi citizen, who replaced Hussain as the leader of Cyber Caliphate after his death. Sujan was also killed by a subsequent American drone strike in Raqqa in December 2015.

One place that new recruits are both found and trained is the Gaza Hacker web forum, which is full of educational resources, according to the Flashpoint report. The pro-ISIS hacking groups tend to coordinate their attacks in private... but not very private. "We believe that while private communications between hackers takes place, they rely heavily on social media to generate support for their campaigns," the report states.

Flashpoint analysts have seen "security-savvy jihadists, but not necessarily hackers, [emphasis added] using encrypted online platforms for communications, such as Surespot and Telegram." Social media are used to declare intent of attacks, often with hashtags. Yet, some of the threats and claims may not be entirely genuine, according to analysts.

For example: When Hussain published the personal and location data on US government and military officials that Ferizi had allegedly provided, he stated they came from sensitive databases, but Flashpoint believes the data came from unclassified systems and that no military systems were compromised. The Islamic Cyber Army (users of the #AmericaUnderAttack hashtag) claimed they had "a list containing '300 FBI Agents emails hacked.' However, as purported FBI emails/passwords are a staple of low-level hacker dumps, Flashpoint analysts cross-checked the data and found that the list was a duplicate of a LulzSec leak from 2012."

The Flashpoint report goes on to explain that the Islamic Cyber Army also defaced an Azerbaijani bank. "Lacking sophistication, ICA resorted to attacking any low-hanging fruit in its anti-American campaign, regardless of target relevance."

Rabitat Al-Ansar used to be solely a propaganda engine until it added hacking.

A subgroup claimed to have obtained American credit card account information and told followers to use the information "for whatever Allah has made permissible." Yet, Flashpoint analysts' findings suggest that the data was not pilfered by Rabitat Al-Ansar hackers themselves, but rather, "may have been sourced from the so-called 'Scarfaze Hack Store.'"

Despite their current limitations, Flashpoint researchers state that pro-ISIS hackers' "willingness to adapt and evolve in order to be more effective and garner more support indicates that while these actors are still unsophisticated, their ability to learn, pivot, and reorganize represents a growing threat."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Contributing to the Annual DBIR

This year's DBIR release from Verizon exposes valuable and well-organized data on global incidents from the past year. Our contributions on targeted attack activity and other areas to a report like this one over the past several years are important in helping to improve cyber-security awareness and education, both in the security industry and among the general public. The report is well organized, offering trending information from Point of Sale incidents to cyber-espionage, web application hacking, cybercrime, and skimming.

And it simplifies most of the data into nine categories for ease of discussion. The data demonstrates that intruders will use tried and true techniques before moving on to the newest and most expensive. Like most years in cybersecurity, “It’s like déjà vu, all over again.” —Yogi Berra You can download the 2016 DBIR here, its 85 pages of data and diagrams can help provide informed discussion around these topics on a greater scale. We look forward to another great writeup in 2017 from the DBIR guys at Verizon.

PLATINUM Used Windows' Own Patching System Against Itself

Microsoft's Windows Defender Advanced Threat Hunting team works to track down and identify hacking groups that perpetrate attacks.

The focus is on the groups that are the most selective about their targets and that work the hardest to stay undetected.

The company wrote today about one particular group that it has named PLATINUM. The unknown group has been attacking targets in South East Asia since at least 2009, with Malaysia being its biggest victim, with just over half the attacks, and Indonesia in second place.

Almost half of the attacks were aimed at government organizations of some kind, including intelligence and defense agencies, and a further quarter of the attacks were aimed at ISPs.

The goal of these attacks does not appear to have been immediate financial gain—these hackers weren't after credit cards and banking details—but rather broader economic espionage using stolen information. Microsoft doesn't appear to know a great deal about the team doing the hacking.

The team has often used spear-phishing to initially penetrate target networks and seems to have taken great pains to hide its attacks.

For example, it has used self-deleting malware to cover its tracks, customized malware to evade anti-virus detection, and malware that limits its network activity to business hours, so its traffic is harder to notice.

Redmond suggests that the adversary is likely a government organization of some kind, due to its organization and the kinds of data it has sought to steal. The hackers have used many techniques over the years, with numerous 0-day vulnerabilities being exploited to penetrate victims' systems and spread through their networks. Microsoft has a long writeup describing these techniques.

One technique in particular is interesting, since it uses Windows' own capabilities against itself. Windows Server 2003 Service Pack 1 introduced support for hotpatching certain core system services. Microsoft released ten different updates for the operating system that used this capability. When the updates were installed a particular way (it wasn't the default), the update would patch the running system, inserting the new code into a server without requiring a reboot.

To support this hotpatching, certain versions of Windows include the ability to load a patch DLL and use this DLL to modify running programs.

Both regular programs and the kernel can be patched in this way. In 2006, Alex Sotirov gave a presentation at Black Hat that briefly described how Windows' hotpatching worked in the context of a description of how third parties had offered some quick patches for Windows flaws while waiting for Microsoft's official fixes.

A more thorough description was given by Alex Ionescu at SyScan 2013.
Ionescu's talk wasn't just about how hotpatching was implemented but described ways that attackers could use it to modify running systems to inject malware without having to write the malware to disk or inject DLLs, both of which are visible to anti-malware software and humans alike. The PLATINUM group used this technique, which can work against Windows Server 2003 Service Pack 1, Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7, in real-world attacks to better hide its efforts from analysis.

Use of this operating-system-provided hotpatching was found in malware attacking systems in Malaysia earlier this year. The hotpatching capability was removed in Windows 8, and subsequent versions of the operating system do not support it. Note that abusing it is a post-compromise stealth technique rather than an entry vector: the attacker must already hold administrator privileges on the machine to register a patch.

It wasn't often used, and saving a few reboots is arguably not that useful, especially if it means handing attackers a convenient tool for modifying running systems. Nonetheless, an attack that abuses a well-intentioned operating system feature to evade detection is a relative novelty. Microsoft's hunt for PLATINUM is still ongoing.

Freezer Paper around Free Meat

BeEF Wrapped Up and Delivered in 2016

In late February 2016, a University website in Iran stood out for thoroughly vetting its current and potential students and staff.

The University’s web site served repackaged content from the Browser Exploitation Framework (BeEF) with embedded JavaScript content maintaining the potential to hook visitors’ web browsers, identify visited websites and domains, explore for vulnerabilities (we did not observe any auto-pwning), and provide tracking through evercookies.

Even a partial listing of visited sites can be sensitive and valuable information, and this sort of “sites visited” data gathering via other techniques, like screengrabbing and keylogging, were observed in past APT incidents like the Madi campaigns.

Currently, it's advisable to avoid the site. The embedded BeEF content appears not to be fully configured, and only partially implemented. Perhaps a limited data set was of interest for this attacker, or this was an early attempt at deploying BeEF.

This incident is interesting because at the same time, and a bit earlier, another group was heavily relying on repackaging open source offensive security products in their toolset, deploying both BeEF and Metasploit-produced components across a select set of strategic web compromises.

This particular APT has years of low-tech, elaborate social engineering schemes and re-purposed open source efforts under its belt. While we call them the NewsBeef APT, they have been reported in the past as Charming Kitten or Newscaster (2014), when they social engineered their way into sensitive circles of trust with spoofed LinkedIn profiles and phony news media organizations. They continue to be highly active, but this time they are using a slightly more technical toolset. On one hand, they have developed skills or discovered tools to compromise select web applications and sites, supporting their watering hole campaigns. On the other hand, they have repackaged leaked bot source code and open source Metasploit and PowerSploit components to produce and administer backdoors and downloaders. NewsBeef/Newscaster will find a way to compromise a web site; usually the vulnerability appears to be CMS related, such as an outdated WordPress plugin, Joomla version, or Drupal version.

Attackers usually do one of two things (NewsBeef has been doing the first):

- inject a src or iframe link into web pages or CSS sheets
- inject the content of an entire BeEF web page into one of the internally linked JavaScript helpers

The injected link makes the visitor's browser load the hook script from a BeEF server. Usually, the attackers deliver some of the tracking, system/browser identification and evercookie capabilities.
Sometimes, it appears that they deliver the Metasploit integration to exploit and deliver backdoors (we haven't identified that exploitation activity in our KSN data related to this group just yet). Sometimes, it is used to pop up spoofed login input fields to steal social networking site credentials. We also haven't detected that in KSN, but some partners have privately reported it in various incidents.

But we have identified that attackers will redirect specific targets to laced Adobe Flash and other installers from websites that they operate. So, the watering hole activity isn’t always and usually isn’t delivering backdoors. Most of the time, the watering hole injections are used to identify and track visitors or steal their browser history.

Then, they deliver the backdoors to the right targets. In addition to the University site and the NewsBeef APT, in the past couple of months we identified a variety of compromised sites around the world serving BeEF content. Most have been cleaned up.
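The first injection method described above, a src or iframe link (or a CSS url()/@import) pulling content from a host the page never normally loads from, is something a site owner can check for directly. The following is an added example, not code from BeEF, Kaspersky or the group discussed: it collects script, iframe and stylesheet references from a page and its CSS, resolves them against the page URL, and flags any that point to a host outside the page's own origin and allowlist, or whose path ends in hook.js, the default name of BeEF's hook script. The page URL, allowlist, HTML and CSS are constructed sample input; 203.0.113.5 is a documentation address standing in for a hook server.

```python
"""Flag script, iframe and stylesheet references that point off-origin.

Added example, not code from BeEF, Kaspersky or the NewsBeef actor. It
checks for the injection pattern in the text: a src/iframe link or a CSS
url()/@import that loads content from an unexpected host. "hook.js" is
BeEF's default hook script name; everything else below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Matches url(...) and @import ... in a stylesheet; group 1 is the reference.
CSS_REF_RE = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s]+)""", re.I)


class _RefCollector(HTMLParser):
    """Collect (kind, reference) pairs for script src, iframe src and stylesheets."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"]))
        elif tag == "iframe" and a.get("src"):
            self.refs.append(("iframe", a["src"]))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower():
            self.refs.append(("stylesheet", a["href"]))


def css_refs(css_text):
    return [("css-url", m.group(1)) for m in CSS_REF_RE.finditer(css_text)]


def find_injected_refs(page_url, html, css_sheets=(), allowed_hosts=()):
    """Return (kind, absolute_url, reasons) for each reference that is off-origin
    and not allowlisted, or whose path ends in BeEF's default hook.js name."""
    own_host = urlsplit(page_url).hostname
    allowed = {own_host, *allowed_hosts}
    collector = _RefCollector()
    collector.feed(html)
    refs = list(collector.refs)
    for css in css_sheets:
        refs.extend(css_refs(css))

    findings = []
    for kind, ref in refs:
        absolute = urljoin(page_url, ref)       # relative refs resolve to our own host
        parts = urlsplit(absolute)
        reasons = []
        if parts.hostname not in allowed:
            reasons.append("off-origin host %s" % parts.hostname)
        if parts.path.lower().endswith("hook.js"):
            reasons.append("BeEF default hook script name")
        if reasons:
            findings.append((kind, absolute, reasons))
    return findings


# Constructed sample page: two first-party includes, one allowlisted CDN, and
# an injected hook script plus a zero-size iframe pointing at the same host.
SAMPLE_PAGE_URL = "https://university.example/courses/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="/js/jquery.min.js"></script>
<script src="https://cdn.example-static.net/lib.js"></script>
<script src="http://203.0.113.5:3000/hook.js"></script>
</head><body>
<h1>Courses</h1>
<iframe src="http://203.0.113.5/index.html" width="0" height="0"></iframe>
</body></html>"""
SAMPLE_CSS = '@import url("http://203.0.113.5/x.css"); body{background:url(/img/bg.png)}'
SAMPLE_ALLOWED = ("cdn.example-static.net",)


def scan_sample():
    return find_injected_refs(SAMPLE_PAGE_URL, SAMPLE_HTML, [SAMPLE_CSS], SAMPLE_ALLOWED)


if __name__ == "__main__":
    for kind, url, reasons in scan_sample():
        print("%-10s %s  (%s)" % (kind, url, "; ".join(reasons)))
```

Run this from a known-good copy of your own pages with the allowlist set to the third-party hosts you actually use; an off-origin script or a zero-size iframe that was not there last week is the signal. It does not cover the second method (the hook written into an existing first-party JavaScript file), which needs file integrity checks on the served scripts rather than a reference scan.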

Deployments to interesting and strategic web sites, and their true reach on a global scale, appear to be on the increase:

- Middle Eastern embassy in the Russian Federation
- Indian military technology school
- High-conflict regional presidency
- Ukrainian ICS scanner mirror
- European Union education diversification support agency
- Russian foreign trade management organization
- Progressive Kazakh news and politics media
- Turkish news organization
- Specialized German music school
- Japanese textile manufacturing inspection corporate division
- Middle Eastern social responsibility and philanthropy
- Surprisingly popular British "lifestyle" blog
- Algerian University's online course platform
- Chinese construction group
- Russian overseas business development and holding company
- Russian gaming developer forum
- Romanian Steam gaming developer
- Chinese online gaming virtual gold seller
- Brazilian music instrument retailer

BeEF Capabilities

Key to these incidents are the development, distribution, and ease of use of toolkits like BeEF. BeEF itself is an open source collection of tools and tricks, some years old, that combined together can effectively hook a visiting web browser for evaluation and full exploitation.

Because of its capabilities, we have seen increased adoption of the framework for the past year or so:

- Browser enumeration and reporting
- Plugin enumeration and reporting
- Retrieve visited domains (based on an old browser cache fetch timing trick)
- Social engineering via live sessions and phishing within the browser
- Network exploration, discovery, and exfiltration tunneling
- Metasploit exploit integration and autopwning
- Evercookie deployment for persistent tracking (multiple platforms)
- XSS evaluation and exploitation

At the same time, many of the techniques implemented are very old and public.

The kit is extensible, customizable, and integrates with Metasploit for autopwning.
Some of the techniques were discussed during Jeremiah Grossman’s 2006 Black Hat conference presentation.

The delay in deployment for techniques of this type indicates that some teams are dependent on open source tool packaging and ease of use. We have seen this sort of reliance on both open source offensive toolkits and legitimate software in the past from APTs like Crouching Yeti and TeamSpy, and now NewsBeef.

Fighting against the use of browser hooking frameworks for identification, tracking, live session social engineering, and precision and auto-exploitation effectively requires a mix of technologies. When these JavaScript-based frameworks are used in a malicious manner, a combination of network and host based detection is required to fully handle more serious incidents. Unfortunately, these incidents are on the increase. You can disable JavaScript in your own browser with NoScript, but that's much like just moving to Lynx or a text-based browser: people don't want that because it kills functionality in the browser they do want.

A Chrome plugin that detects the BeEF cookie is easily evaded by serious players.

And preventing the tracking methods altogether is another whole ball of wax, because much of the functionality is tied into legitimate web pages by third party marketers and retailers. Preventing the social engineering sessions for credential theft and Metasploit exploit integration makes immediate sense and can be incorporated at the network and more effectively at the host level.

AntiAPT can help wipe out most of an operation on the network at scale, but these measures can be evaded as well.
In other words, dealing with a determined attacker using tools like this one is difficult.

References

NEWSCASTER – An Iranian Threat Inside Social Media
The Browser Exploitation Framework Project
Metasploit: Penetration Testing Software