Why we are getting better at catching nation-state sponsored malware

1. Why we are getting better
at catching nation-state
sponsored malware
Aleks Gostev &
Vitaly Kamluk
GReAT, Kaspersky Lab

2. Daily news...

3. Daily news...

4. Kaspersky Lab’s
published research

5. “Yet another APT”
● Since 2009, the number of APT campaign exposures
has increased considerably
● Different companies focus on different things - eg,
China
● Focusing on one thing makes you blind to the full
picture or creates a distorted view of the real world
situation
● This is the “safe” path

6. Adversary statistics
© 2013 Crowdstrike

7. This includes: Duqu, Stuxnet, Flame,
Regin or Equation, but also MiniDuke,
Turla, BE2, CosmicDuke and CozyDuke
At Kaspersky we took the “unsafe”
path of analysing and detecting
all APTs, no matter the origin

8. Side by side - Kaspersky Research
“Western APTs”
● Stuxnet
● Duqu
● Careto
● Flame
● Gauss
● Regin
● Equation
“Russian-speaking APTs”
● BlackEnergy 2/3
● RedOctober
● TeamSpy
● Miniduke
● CosmicDuke
● Epic Turla
● CozyDuke

9. Why is nation
state malware so
interesting?
The 1000 question:

10. Vitaly (ex-Kaspersky Lab)
Today’s hosts
Aleks (Kaspersky Lab)

11. Vitaly
● First of all: we are the best
● We have 0-day’s
● We have fiber taps
● Best programmers in the free world
● Smartest mathematicians and cryptographers
● Unlimited (ahem) budget
● And the best thing: it’s all legal :-)

12. Aleks
● Our budget is limited
● Good researchers are hard to find
● But!
● Our technologies are getting better - the cloud
has opened new doors to catch your stuff
● We understand that we know very little
● Simple goal: protect our users

13. Side by side
Arguments

14. 0-day’s
Vitaly
● An unlimited supply of 0-
days that will pwn even the
best defences
● Microsoft, Adobe, Oracle,
your_favorite_vendor - we
have a 0-day for it
● Kernel exploits
● We just need to be
successful once
Aleks
● Finding your 0-days is our
favorite activity!
● We actively hunt for them
● The more 0-days you use,
the more likely we are to
catch you
● We need to be successful
every time

15. Crypto
Vitaly
● We pwn most crypto
● We sign our malware as
Microsoft or even your
certs :-)
● We sabotage crypto so we
can crack it faster
● We only use the best
algorithms in our malware;
the rest is for masses
Aleks
● When you sign your
malware as Microsoft, you
subvert major trust
principles; this will backfire
● MitM against Windows
updates? Baaad...
● Elite crypto gives away
your malware
● RC6? Use Camellia :)

16. Sophisticated, invisible malware
Vitaly
● Our malware is the best –
cybercrime malware is
laughable compared to ours
● Our rootkits prevent anyone
from detecting our malware
● We hide where you least
expect us! –Registry, VFSes,
raw disks… even firmware ;)
Aleks
● The more you hide, the
more likely you’ll trigger an
alarm
● Anti-rootkit technology
● VFS detection and parsing
● Raw disk detection
● That firmware thing was
surprising, OK
● Still working on it :)

17. There is no defense
Vitaly
● in practice, you can’t
defend against our attacks
● if we can’t hit you directly,
we’ll hack your ISP
● if your ISP is not enough,
we’ll hack your country
● if that’s not enough, we’ll
put a satellite behind every
telecom satellite
Aleks
● let’s not forget the goal
● people very easily get dragged
into “hack everything” traps
● “hey, I have an idea...”
● target protects themselves with
antivirus ‘x’ or target uses
Windows updates?
● Please do not subvert the trust
people have in the IT Security
industry or Software (Microsoft
Windows) updates
● Flame MD5 attack was bad... :-(

18. The victims
Vitaly
● Our universal malware can
be used to infect
everyone: Belgacom,
Quisquater, Merkel’s aide
and terrorists altogether
● We have a unique,
modular platform for use
against everyone
● “Make once, use many”
Aleks
● Find once, find all
● Makes it easier to catch
everything
● Worst: doesn’t give me
any options
● Friendly advice: don’t use
the same malware on
Merkel’s aide and
terrorists, it’s bad

19. Steal everything
Vitaly
● We collect everything
● We extract metadata from all
your documents
● Our malware makes
screenshots, captures
keyboard, audio and all your
internet traffic
● Honestly speaking, we don’t
need all this but it’s fun to
collect :-)
Aleks
● The more active your
malware is, the more likely
we’ll catch it
● Anti-keylogger tech
● Exfiltration is always a weak
point
● Effectively, the more you
collect the higher the chance
we’ll catch you
● The media loves numbers :)

20. Interesting malware
Vitaly
● We like quality stuff
● Our code is the best
● We make no mistakes - most
of the the time :)
● We use only the best crypto
● We use compression
● We use kernel mode
orchestrators
● Our malware never crashes -
most of the time :)
Aleks
● We are geeks
● We like to reverse engineer
Chinese PlugX samples 5
days a week – NOT!
● We want to reverse the best
kernel mode code
● We like to find mistakes :-)
● When you crash, you raise
alarms
● QA could be better... :)

21. Takeaways!
● Sophistication attracts attention
● Hiding attracts attention
● Merkel’s aide attracts attention
● 0-day’s attract attention
● Crashes attract attention
● Mass infections attract attention
● Attacks against ITSec products attract the most
attention - bad, bad, bad!
● We are just doing our jobs... :)

22. Let’s vote?
The spooks are
winning, no chance
anti-malware
companies can keep
up with our elite
malware!
ITSec companies are
winning, the situation
is kind of bad for
spooks nowadays.

23. Thanks!
Spies’ curse: “May we read about you
in Kaspersky Lab’s research!”