Gauss, Flame Highlight Problem of Defeating High-End Malware

If the last couple of years of life on the Internet have taught us anything it should be that there’s a lot we don’t know about what’s happening out there. Sure, we know that there are a lot of attacks going on, metric tons of money being stolen and untold terabytes of data being siphoned off, and once in a while we’re even able to figure out who’s doing some of it. But, as the discovery of tools such as Flame and Gauss suggests, there’s a lot of stuff bubbling under the surface that mostly goes unseen.

If the last couple of years of life on the Internet have taught us anything it should be that there’s a lot we don’t know about what’s happening out there. Sure, we know that there are a lot of attacks going on, metric tons of money being stolen and untold terabytes of data being siphoned off, and once in a while we’re even able to figure out who’s doing some of it. But, as the discovery of tools such as Flame and Gauss suggests, there’s a lot of stuff bubbling under the surface that mostly goes unseen.

Malware obviously is not one of those unknowns. It’s been an issue for 25 years and it’s not going anywhere anytime soon. Whenever a new platform emerges, malware makes the jump. A new defensive technology hits the market, and malware adapts. It’s the way of the world. But the mass malware that fills up antimalware databases and shows up in shotgun-style phishing campaigns isn’t much of a threat these days anyway. That stuff is handled.

That’s just the top of the massive threat pyramid, though. The truly worrisome activity is what makes up the rest of that pyramid: the custom tools written by professionals with specific targets in mind. In terms of volume, this kind of malware is still far less prevalent than the commodity malware, but if you measure it by potential effect, it’s orders of magnitude more threatening.

Defining this kind of attack tool is difficult, but if you think of attacks involving tools such as Duqu, Flame and Gauss, you’re in the right ballpark. These are tools built by talented developers, written with a specific set of targets in mind and designed to remain undetected on a compromised system for as long as possible. In the cases of Duqu and Flame, the attackers were looking to steal data from target systems, gathering the information from various places and then sending it back to the attackers. They were unconcerned with trying to dig up financial information or stealing banking credentials, for example. When you’re after product plans or schematics for the next fighter jet, a banking login is small potatoes.

And the teams behind Duqu, Flame and other similar malware are not distracted by small, shiny objects.

The exception to this rule seems to be Gauss, the most recently discovered of these tools and the only one that contains functionality to steal banking credentials, as well as PayPal logins. Researchers are unsure whether the tool was used to actually enable the attackers to steal money from victims’ accounts or whether it was used simply to monitor activity in specific accounts in a small number of banks. Either way, Gauss is an outlier in this respect.

What’s truly worrisome when you stand back and look at the threat landscape right now isn’t the fact that researchers have discovered all of these tools, it’s that there are some unknown number of similar tools at in use right now. For every Stuxnet or Flame that turns up, there likely are dozens or hundreds of analogous tools sitting undetected on systems around the world. There are indications in the Gauss code that it’s related closely to Flame and that the team behind the two have other similar projects underway as well. It’s safe to assume that these attackers, whoever they are, have been watching the reaction to the discovery of their creations and making notes about what worked, how the malware was detected and how to do better the next time.

The teams behind these tools present a special challenge to defenders, because they do not appear to be constrained by budget, technical resources or other typical roadblocks. If we look at Flame as an example, we see that the attackers had the time, money and cryptographic expertise to find an MD5 hash collision that enabled them to impersonate Windows Update with a forged digital certificate. One researcher, Alex Sotirov, estimated that this attack could have cost the Flame team hundreds of thousands or even millions of dollars to achieve. It’s virtually impossible for even the most well-defended organizations to plan for attacks like that. 

And the same holds true for many of these kinds of operations. You do your best, but the chances of keeping these kinds of teams on the other side of the fence are pretty slim. If they’re interested in something you have, they’re likely going to find a way in. If it’s not Duqu or Flame or one of their offspring, it’ll likely be something else. 

This is where serious cyber espionage attacks diverge from the everyday cybercrime and commodity malware. A cybercrime gang isn’t interested in you or your organization; he just wants money. Whether it’s your money or the next guy’s money, he couldn’t care less. It all spends the same. If he can’t fool you with a crummy phishing email or drive-by download, that’s ok, because he’s using the same tactic on thousands of other potential victims at the same time. Someone will take the bait, probably lots of people, in fact, and that’s all that matters to that class of attacker.

But the professional teams (call them governments or state-sponsored actors or whatever term you prefer) spending months or years and possibly millions of dollars on development efforts, those groups want you specifically. They want your data, your product plans, your schematics. Whatever your organization has that’s valuable, that’s what they’re after. If they run up against a roadblock, they don’t move on to the next target. They find a way around it or over it or underneath it and, in most cases, they’re going to get what they came for.

That doesn’t mean that it’s time to throw up your hands and admit defeat. That helps no one. It’s more a matter of recognizing that we’re only seeing a small percentage of the high-level malicious activity that’s going on. Compromises are going to happen, and the question is whether we recognize the true nature of the threat and start looking for ways to defeat it rather than being distracted by the low hum of everyday attacks.

Suggested articles