7/17/2014 04:52 PM

Government-Grade Stealth Malware In Hands Of Criminals

"Gyges" can be bolted onto other malware to hide it from anti-virus, intrusion detection systems, and other security tools.

Malware originally developed for government espionage is now in use by criminals, who are bolting it onto their rootkits and ransomware.

The malware, dubbed Gyges, was first discovered in March by Sentinel Labs, which has just released an intelligence report outlining its findings. From the report: "Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime."

Sentinel was able to detect Gyges with on-device heuristic sensors, but many intrusion prevention systems would miss it. The report states that Gyges' evasion techniques are "significantly more sophisticated" than the payloads attached to it. Those techniques include anti-detection, anti-tampering, anti-debugging, and anti-reverse-engineering capabilities.

Because of this, the researchers suspected that although Gyges was attached to ransomware (including CryptoLocker) and bot code, it had been originally created as a "carrier" for a much more sophisticated attack -- something like what a government agency would use to collect intelligence data.

Further analysis bears out that suspicion. Certain components of the code matched those of known malware that had previously been used in targeted attacks as part of an espionage campaign originating in Russia.

"This code is really hard to replicate," says Udi Shamir, Sentinel's head of research, "so it would be hard to believe that it was created by a different group."

Gyges goes to great lengths to hide itself. For example:

  • Much malware springs into action only when a user is active, so sandbox-based analysis tools commonly emulate mouse and keyboard activity to trigger execution. Gyges does the opposite: it waits for user inactivity before operating, so an analysis run that keeps simulating a user never sees the payload fire.

  • It also uses a hooking bypass technique that exploits a logic bug in Windows 7 and 8. Security tools can hook into the Windows-on-Windows (WoW64) layer to see what 32-bit applications are trying to do on a 64-bit system. Gyges starts as a 32-bit application and then calls the 64-bit system directly, instead of going through WoW64, so a hook placed in that layer never sees the call (a transition of this kind is commonly known as "Heaven's Gate").

  • Gyges also uses Yoda's Protector, a packer, which obfuscates malicious behavior by splitting the original executable into encoded sections and unpacking them in memory only once the application is running, so scanning the file on disk sees packed data rather than the real code.
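
The packer point above is one a defender can test for statically. The following Python, an added example rather than code from the Sentinel Labs report or from Gyges itself, parses a PE section table and applies the usual indicators of a protector such as Yoda's: executable sections whose byte entropy is close to 8 bits per byte (encrypted or compressed data rather than code), sections that are far larger in memory than on disk (the unpack destination), and an entry point that lands in such a section. The entropy threshold, the expansion ratio, the `.pkd` section name and the sample image are assumptions made for this demonstration; the sample is a synthetic PE32 built inline, not a malware sample.

```python
"""Packer/protector heuristics over a PE section table (added example, not Sentinel Labs' code)."""
import hashlib
import math
import struct

HIGH_ENTROPY_BITS = 7.0        # assumption: packed/encrypted data; plain x86 code is ~5-6.5
EXPANSION_RATIO = 2.0          # assumption: VirtualSize / SizeOfRawData above this = unpack target
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the COFF section table of a PE32/PE32+ image. Returns (entry_rva, sections)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # AddressOfEntryPoint (same offset in PE32/PE32+)
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        hdr = table + i * 40                                # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        chars = struct.unpack_from("<I", pe, hdr + 36)[0]
        sections.append({
            "name": name, "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "data": pe[rawptr:rawptr + rawsize],
        })
    return entry_rva, sections


def packer_findings(pe: bytes) -> dict:
    """Flag sections whose on-disk image looks packed. Returns {section_name: [flag, ...]}."""
    entry_rva, sections = parse_sections(pe)
    findings = {}
    for s in sections:
        flags = []
        if s["executable"] and shannon_entropy(s["data"]) >= HIGH_ENTROPY_BITS:
            flags.append("high_entropy_code")          # executable bytes that look like ciphertext
        if s["rawsize"] and s["vsize"] / s["rawsize"] > EXPANSION_RATIO:
            flags.append("expands_in_memory")          # room reserved for the unpacked code
        if flags and s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            flags.append("entry_point_here")           # execution starts inside the suspicious section
        if flags:
            findings[s["name"]] = flags
    return findings


def _section_header(name, vsize, vaddr, rawsize, rawptr, chars):
    return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)


def build_sample() -> bytes:
    """Constructed PE32 image (not a real sample): one plain code section and one '.pkd'
    section filled with chained SHA-256 output so that it is high entropy."""
    plain = b"\x90" * 256 + bytes(range(16)) * 16          # 512 bytes, entropy 3.0 bits/byte
    packed, block = b"", b"seed"
    while len(packed) < 0x1000:
        block = hashlib.sha256(block).digest()
        packed += block                                    # 4096 bytes of pseudo-random data
    code_chars = 0x60000020                                # CODE | EXECUTE | READ
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)       # i386, 2 sections
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, len(plain), len(packed), 0, 0x2000)  # entry in .pkd
    opt += b"\0" * (0xE0 - len(opt))
    table = (_section_header(b".text", len(plain), 0x1000, len(plain), 0x200, code_chars)
             + _section_header(b".pkd", 0x8000, 0x2000, len(packed), 0x400, code_chars))
    image = dos + b"PE\0\0" + coff + opt + table
    image += b"\0" * (0x200 - len(image))                  # headers padded to the first raw offset
    return image + plain + packed


if __name__ == "__main__":
    for name, flags in packer_findings(build_sample()).items():
        print(f"{name}: {', '.join(flags)}")
```

Run it directly to print the findings for the constructed image, or pass the bytes of a real binary to `packer_findings` to triage it. The caveat the article implies still applies: this only inspects the on-disk image, so a sample that unpacks at run time must still be caught by memory or behavioural sensors, and legitimately compressed installers trip the same heuristics.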

"Malware hackers know that at some point they're going to be detected," says Sentinel Labs CEO Tomer Weingarten. "So [the Gyges writers] also started focusing on what happens after they're detected. They're putting in mechanisms to make it very hard for vendors to analyze them."

The malware was used by government agencies to gather information -- eavesdropping, keylogging, capturing screens, and stealing identities and intellectual property. Now it is being used by cybercriminals for committing online banking fraud, encrypting hard drives to collect ransoms, installing rootkits and Trojans, creating botnets, and targeting critical infrastructure.

Gyges seems like an awfully sophisticated bit of kit to tack onto some run-of-the-mill malware. Why put lipstick on a pig?

According to Weingarten, evasion techniques like these give financially motivated criminals a better return on their investment, because they raise the rate of infection and lengthen the time an infection survives before it is detected and removed.

"This is definitely a trend we're seeing," he said. "The evasion code is becoming what malware is all about."

For the full technical details, download the complete report at sentinel-labs.com.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
theb0x, User Rank: Moderator
7/28/2014 | 5:01:28 PM
Government-Grade? Lol.
To me government-grade sounds outdated. Polymorphic Shellcode has been around a long time and is by far the most difficult to detect. Most IDSs contain signatures for commonly used strings within shellcode. It also hides the commonly used strings within shellcode, making shellcode signatures useless and can be different every time it is sent. A properly triple encoded attack vector generated from Metasploit drops directly into RAM bypassing any system security with full kernel level privileges. The best part is there is no cure for this attack method.
Robert McDougal, User Rank: Ninja
7/22/2014 | 10:33:35 AM
Re: Government-grade? Is that a new explanation on criminal intent by governments?
I wonder how long until a real war is started as a result of a cyber attack.  Unfortunately, I think it is only a matter of time.

Once that happens, then there will be a cyber warfare treaty.
chriscinfosec, User Rank: Apprentice
7/22/2014 | 9:32:53 AM
Re: from which nation-state?
That makes sense... the evasion/rootkit technique is very sophisticated (nation-state) but the payloads weren't (organized crime trying to make money). We see similar things at Invincea as part of our "malware genome" analysis to determine if a malware sample is part of a larger family of malware. In the cases where the malware is similar, the differences are usually which C&C server it's connecting to and the packing technique.
ArneN455, User Rank: Apprentice
7/22/2014 | 9:06:24 AM
Re: Government-grade? Is that a new explanation on criminal intent by governments?
That could be an idea, of course, but my opinion, that I really wanted to point out, is that many more governments than people are aware of are in fact dealing in criminal activity!

And it seems like the US government is in the absolute front of this activity. With Mr. Cheney as the dark lord. And today's president started as this mass murderer's apprentice!
GonzSTL, User Rank: Ninja
7/18/2014 | 2:20:37 PM
Re: Government-grade? Is that a new explanation on criminal intent by governments?
That is unlikely to happen. Governments will always secretively want to know what goes on in other governments or organizations. Those clandestine activities have been happening ever since there were governments, so don't expect those to go away anytime soon. After all, there is some validity in wanting to spy on other governments or organizations in the interests of national defense, or other self interests. I am neither condoning nor condemning their use; I'm just being pragmatic and realistic.
Kelly Jackson Higgins, User Rank: Strategist
7/18/2014 | 2:17:13 PM
Re: from which nation-state?
I guess another possibility would be that they somehow got a sample and reverse-engineered it...but it's probably more likely they got it under the table somehow.
Sara Peters, User Rank: Author
7/18/2014 | 2:13:50 PM
Re: from which nation-state?
@Kelly Yeah, I keep thinking that the criminals have it because the government agents gave it to them. It seems like an awfully cynical viewpoint, but governments make deals with criminals all the time.
Sara Peters, User Rank: Author
7/18/2014 | 1:54:31 PM
Re: Government-grade? Is that a new explanation on criminal intent by governments?
@ArneN455 "Government criminal-ware is being spread to other criminals. What about NOT making it in the first place?"  That's a fair question. Do you think we need to have some kind of arms treaty that applies to the use of cyberweaponry?
ArneN455, User Rank: Apprentice
7/18/2014 | 10:11:56 AM
Government-grade? Is that a new explanation on criminal intent by governments?
Government criminal-ware is being spread to other criminals. What about NOT making it in the first place? ALL that malware is made with criminal intention, government or not government!
GonzSTL, User Rank: Ninja
7/18/2014 | 9:13:37 AM
Government grade malware
So really, since it is so difficult to detect, the most effective way to combat this is through effective awareness training. After all, isn't a user's insecure practice the way malware enters a system in the first place?