If the last couple of years of life on the Internet have taught us anything it should be that there’s a lot we don’t know about what’s happening out there. Sure, we know that there are a lot of attacks going on, metric tons of money being stolen and untold terabytes of data being siphoned off, and once in a while we’re even able to figure out who’s doing some of it. But, as the discovery of tools such as Flame and Gauss suggests, there’s a lot of stuff bubbling under the surface that mostly goes unseen.

Malware obviously is not one of those unknowns. It’s been an issue for 25 years and it’s not going anywhere anytime soon. Whenever a new platform emerges, malware makes the jump. A new defensive technology hits the market, and malware adapts. It’s the way of the world. But the mass malware that fills up antimalware databases and shows up in shotgun-style phishing campaigns isn’t much of a threat these days anyway. That stuff is handled.

That’s just the top of the massive threat pyramid, though. The truly worrisome activity is what makes up the rest of that pyramid: the custom tools written by professionals with specific targets in mind. In terms of volume, this kind of malware is still far less prevalent than the commodity malware, but if you measure it by potential effect, it’s orders of magnitude more threatening.

Defining this kind of attack tool is difficult, but if you think of attacks involving tools such as Duqu, Flame and Gauss, you’re in the right ballpark. These are tools built by talented developers, written with a specific set of targets in mind and designed to remain undetected on a compromised system for as long as possible. In the cases of Duqu and Flame, the attackers were looking to steal data from target systems, gathering the information from various places and then sending it back to the attackers. They were unconcerned with trying to dig up financial information or stealing banking credentials, for example. When you’re after product plans or schematics for the next fighter jet, a banking login is small potatoes.

And the teams behind Duqu, Flame and other similar malware are not distracted by small, shiny objects.

The exception to this rule seems to be Gauss, the most recently discovered of these tools and the only one that contains functionality to steal banking credentials, as well as PayPal logins. Researchers are unsure whether the tool was used to actually enable the attackers to steal money from victims’ accounts or whether it was used simply to monitor activity in specific accounts in a small number of banks. Either way, Gauss is an outlier in this respect.

What’s truly worrisome when you stand back and look at the threat landscape right now isn’t the fact that researchers have discovered all of these tools, it’s that there is some unknown number of similar tools in use right now. For every Stuxnet or Flame that turns up, there likely are dozens or hundreds of analogous tools sitting undetected on systems around the world. There are indications in the Gauss code that it’s related closely to Flame and that the team behind the two has other similar projects underway as well. It’s safe to assume that these attackers, whoever they are, have been watching the reaction to the discovery of their creations and making notes about what worked, how the malware was detected and how to do better the next time.

The teams behind these tools present a special challenge to defenders, because they do not appear to be constrained by budget, technical resources or other typical roadblocks. If we look at Flame as an example, we see that the attackers had the time, money and cryptographic expertise to find an MD5 hash collision that enabled them to impersonate Windows Update with a forged digital certificate. One researcher, Alex Sotirov, estimated that this attack could have cost the Flame team hundreds of thousands or even millions of dollars to achieve. It’s virtually impossible for even the most well-defended organizations to plan for attacks like that. 

And the same holds true for many of these kinds of operations. You do your best, but the chances of keeping these kinds of teams on the other side of the fence are pretty slim. If they’re interested in something you have, they’re likely going to find a way in. If it’s not Duqu or Flame or one of their offspring, it’ll likely be something else. 

This is where serious cyber espionage attacks diverge from everyday cybercrime and commodity malware. A cybercriminal isn’t interested in you or your organization; he just wants money. Whether it’s your money or the next guy’s money, he couldn’t care less. It all spends the same. If he can’t fool you with a crummy phishing email or drive-by download, that’s ok, because he’s using the same tactic on thousands of other potential victims at the same time. Someone will take the bait, probably lots of people, in fact, and that’s all that matters to that class of attacker.

But the professional teams (call them governments or state-sponsored actors or whatever term you prefer) spending months or years and possibly millions of dollars on development efforts, those groups want you specifically. They want your data, your product plans, your schematics. Whatever your organization has that’s valuable, that’s what they’re after. If they run up against a roadblock, they don’t move on to the next target. They find a way around it or over it or underneath it and, in most cases, they’re going to get what they came for.

That doesn’t mean that it’s time to throw up your hands and admit defeat. That helps no one. It’s more a matter of recognizing that we’re only seeing a small percentage of the high-level malicious activity that’s going on. Compromises are going to happen, and the question is whether we recognize the true nature of the threat and start looking for ways to defeat it rather than being distracted by the low hum of everyday attacks.

Categories: Malware, Social Engineering

Comments (5)

  1. Anonymous

    Seems to me that no matter how high-tech or “advanced” this type of malware is, it still depends upon low-tech stuff like gullible users for the initial infection.  Looks to me like it gets back to good/regular employee training, timely patching, updated AV, good/regular monitoring of security logs, and a management team that is aware/concerned about good security practices.  How “high-tech” can that be?

    Regards,

  2. f0real

    Let us be glad that there are things we don’t know about; if we knew about Stuxnet when it first was released in Iran, Iran would have nukes by now. Look beyond the malware and see the politics, people.

    Also, there should be no question about why Gauss had bank spying abilities. It was NOT aiming to steal any money or credit card numbers. It was monitoring financial transactions with terrorist groups like Hezbollah. I don’t know about you, but that is a very good thing! (Unless you support terrorist groups)

    jeffreycarr.blogspot.com/#!/2012/08/was-flames-gauss-malware-used-to.html

    f-secure.com/weblog/archives/00002406.html

  3. x y

    If we follow that line of logic, NIST 800-131A, FIPS 800-3, NIST SP 800-107 would not exist.  Ditto: low cost gene sequencing arrays.


  4. Anonymous

    Stuxnet infected everyone and everything it came into contact with, not just Iran’s nuclear program. The vast majority of the victims couldn’t care less about Iran or its nuclear program. Gauss monitors everything and can’t identify if a given transaction is “terrorist” or not. I don’t know about you, but that is a very bad thing! (Unless you support big-brother-style dictatorships.)

    Although my computer is not hooked up to a nuclear centrifuge, I don’t like to get infected with malware and I deem my system, and privacy, sacred. If someone messes with me, I will make sure I get my revenge. I will find many people who share my thoughts and who would gladly collaborate with me... We are legion.

    Secondly, no one gave the authors of these tools the right to classify people the way they do; I can be labeled a “terrorist” for this comment, for example. Or maybe you? Why are you still reading this “terrorist” comment??

    Finally, there are people who actually understand code and can reuse these tools to do whatever they want; the original purpose of these tools is just irrelevant.

  5. f0real

    First off, Stuxnet is just a useless piece of Windows PE Code sitting on a computer if it is not on a computer that interfaces with a Siemens S7 PLC. Also, it is programmed to do nothing after June 24, 2012, so it couldn’t even run anymore anyway.

    About your whole “terrorist” argument, give me a break! Do you really think Hezbollah is a moral and upstanding organization by launching rockets and blowing themselves up in Israeli towns? They are terrorists! If you don’t agree, then you must be a sad sorry person with no moral direction or discretion.
