23 July 2014

RUSSIAN-GRADE CYBER WEAPONS CROSS-POLLINATING WITH COMMERCIAL MALWARE SAYS FINNISH CYBER SECURITY FIRM

July 21, 2014

John Dunn, writing in today’s (July 21, 2014) online edition of Techworld.com, notes that “sophisticated code of the sort used in the Russian Government cyber-weapons could be seeping into the commercial malware wielded by criminals in that country,” according to the cyber security start-up firm Sentinel Labs. The firm based this analysis on the fact that it recently observed the malware ‘Gyges’ in the wild and discovered that it had cross-pollinated with other malicious bugs — including industrial-grade stealth malware.

Mr. Dunn adds that ‘Gyges’ “is certainly an oddity, showing a gap between the sophisticated code that allows it to bypass defenses — the bit Sentinel Labs ascribes to a possible government program — and the more quick-and-dirty executable that directs the payload.” “The clue,” Mr. Dunn writes, “is in the relatively complex and arcane techniques used by Gyges to beat the sandboxing and security products that run or ‘emulate’ suspected malware to see what it does. It also includes code that makes it harder to reverse engineer, or debug, some of the inner workings.”

“Other parts of the ‘government code’ carry out data theft, screen capturing, credential keylogging and eavesdropping on network traffic — while the commercial element of the program executes ransomware, botnetting, and online banking fraud,” notes Mr. Dunn.

“How does the firm know the evasion code was used in government cyber weapons?” Mr. Dunn asks. “The firm doesn’t go into much detail,” he says, “but claims it detected it [Gyges] in previous targeted attacks — code for small-scale attacks carried out against specific organizations or individuals. It is also [constitutes] inference, as no commercial malware would have access to such sophisticated mechanisms, or would go to such lengths to use obscure, almost experimental techniques. Gyges further uses what Sentinel Labs calls a ‘hooking bypass logic bug’ in Windows 7 and 8, the sort of unusual exploit normally jealously guarded by the need-to-knows who write government malware.”

“If the analysis stands up,” Mr. Dunn contends, “and the evidence presented by Sentinel Labs is still a bit thin — Russian government malware has somehow escaped to be used by commercial malware writers, a slightly worrying trend — although one that has long been predicted by [cyber] security experts. The implication is that the Russians out-source at least part of their cyber weapons development to commercial malware writers. If so, it’s hard to believe they would be pleased that some of it has now turned up in a criminal campaign — because government malware needs absolute secrecy to do its job.”

“It comes as no surprise to us that this type of intelligence agency-grade malware would eventually fall into cyber criminals’ hands,” wrote Sentinel Labs Research Director Udi Shamir. “Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively repurposed, modularized and coupled with other malware to commit cyber crime,” he added.

“Russian State Security malware is still poorly understood, drowned out by the raging fuss over alleged Chinese state [cyber] attacks on U.S. organizations. This seems to be part of the general dismissal of Russia as an opponent worth worrying about; the West, it seems, just doesn’t rate Russia as a cyber-power,” wrote Mr. Dunn. “This is starting to look pretty complacent,” he adds. “Evidence of fairly sophisticated [cyber] attacks from within Russia has trickled out in recent months — in particular, the ‘Snake’ (aka ‘Turla’ or ‘Uroburos’) malware that has been traced as far back as 2005. If the Russians have been hard at it in the cyber-weapons stakes, their campaigns are not a new phenomenon.”

“Interestingly, earlier this month,” Mr. Dunn observes, “the Finnish [cyber] security firm F-Secure published an analysis of another piece of malware called Cosmu, which it suggested could be a Russian cyber weapon that had re-used the ancient code from a commercial Trojan.”

“The intermixing of money-making malware and cyber weapons might, in fact, be quite well advanced without that [fact] being apparent until now,” concludes Mr. Dunn. “Whether this matters is moot. If criminals can access advanced techniques — then that makes them more potent. But if criminals can access advanced malware — then that reduces the impact of government-level attacks because they will be detected earlier.” It is indeed the Digital Wild, Wild West. V/R, RCP
