Famous malware attacks

From ICO wiki

Introduction

Malware is malicious software that can enter and persist on a computer and then perform actions without the owner's consent, giving attackers access to data and systems. Malware initially appeared as a form of cybervandalism, used to tamper with the computer's background tasks and to access personal information. Since then, these methods have been adopted by cybercriminals to track information and steal valuable business or personal data.


Petya

Petya is a file-encrypting Trojan that was first discovered in 2016, according to 2SpyWare, a site launched as a project to help people learn about cybersecurity issues and malware. It has continued to appear in various variants with several updates up to the present day. Its derivatives include PetrWrap, GoldenEye, Mamba virus, Mischa, Diskcoder.D, and Bad Rabbit. Petya is a classic ransomware attack: the files on the victim's computer are encrypted to make them inaccessible, and a ransom is then demanded in exchange for the decryption key, typically in bitcoin or another cryptocurrency. Its beginnings resembled WannaCry: the outbreak went unnoticed at first and spread rapidly. Unlike WannaCry, however, this malware spread via spam e-mails, and immediately after the computer was restarted it displayed the following message on the screen.

PHOTO WILL BE UPLOADED

Although this screen may look like a system error at first glance, Petya was in fact silently encrypting files in the background. When the user reboots the system or the file encryption completes, a flashing red skeleton appears on the screen with the prompt “Press any key”. After a key is pressed, a new window opens with the ransom note.

PHOTO WILL BE UPLOADED

One of the e-mail domains associated with the perpetrators of the attack was revoked during the outbreak, so a victim could no longer send the computer-specific code needed to retrieve the matching decryption key, and data recovery became impossible. The attack was effective in countries such as Russia, England, France, Denmark, Iran, Brazil, and Mexico, and especially in Ukraine; Spain, the Netherlands, and India also confirmed attacks. Ukraine suffered the most. Petya also hit various public institutions of the country and affected a wide area including Kyiv Airport, metro systems, power plants, and nuclear power plants, bringing systems to a standstill and causing many disruptions. MeDoc, a Ukrainian software company, was held responsible for the attack that brought life in Ukraine to a standstill. Although MeDoc denies these allegations, many cybersecurity experts have claimed to have evidence that the firm was the initial source. Public authorities stated that the affected institutions had difficulties carrying out customer service and banking transactions, and most ATMs were observed to be out of service or displaying Petya's ransom message on their screens.

Considering that Ukraine has also been exposed to similar attacks, this is understood to be a political attack aimed at creating confusion in the country rather than one with a financial purpose. It also became clear that many systems lacked adequate defenses against ransomware. The extent of such attacks has revealed widespread inadequacy in cyber security awareness, vulnerability scanning, testing, use of proper security tools, and backups. It can also be said that Petya, which aims to render the system unusable rather than merely encrypt files, seeks a devastating effect rather than money.


SamSam

The most comprehensive research report on the ransomware named SamSam, which was first seen in December 2015 and started to spread in 2016, was produced by the global cyber security company Sophos. According to the report published in April 2018, unlike most well-known ransomware families that attack indiscriminately, SamSam was used against specific organizations judged most likely to pay to get their data back, such as hospitals or schools. Instead of spam campaigns, the cybercriminals behind SamSam exploited vulnerabilities to access victims' networks or used brute-force tactics against weak Remote Desktop Protocol (RDP) passwords. This is the main feature that distinguishes SamSam from other ransomware attacks. The process, designed to cause the greatest damage to the selected victim's IT infrastructure in the shortest time, relies on a person or group skilled in infiltrating systems who identifies weaknesses in the compromised network and manually runs the malware there. After potential targets were identified, the attackers manually deployed SamSam to selected systems using tools such as PsExec and batch scripts. The first victim of the attack was the city of Atlanta. The attack caused severe digital blackouts in five of the city's 13 local government units. Its effects were far-reaching: it disrupted the court system, prevented residents from paying their water bills, limited vital communications such as sewer infrastructure requests, and forced the Atlanta Police Department to work with pen and paper instead of computers. The ransom demanded was around $50,000. It was reported in the press that over $2.6 million was spent in the first stage to recover from the attack, most of it on emergency response for systems recovery, forensics, and additional staffing.
In addition, it was reported in the press that the city spent an additional $650 thousand on a crisis communication center and emergency response consultancy. exceeded the dollar.


Some striking data from this report are as follows:

  • 74 percent of known victims are located in the USA; Canada, the United Kingdom, and Middle Eastern countries are among the other most affected countries.
  • According to transfers made in Bitcoin, SamSam attackers managed to extort ransoms of up to 64 thousand dollars from individual victims at once.
  • Following the emergence of SamSam, new versions were developed; each new version used more complex attack methods and more competent operational security measures in order not to leave traces.
  • SamSam attackers targeted medium to large public sector institutions in health, education and government (50 percent) and private sector companies (50 percent).
  • The attackers prepared meticulously and waited for the opportune moment: they launched the encryption commands at midnight, when most users were asleep, or in the early morning hours of the victim's local time zone. After successfully infecting a server, the attackers caused further harm by stealing network maps and credentials. It would be appropriate to interpret this attack as a professional diamond heist rather than simple theft, since both the attack method and the critical institutions targeted support that assessment.
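The entry technique described above, brute-forcing weak RDP passwords and then logging in with a guessed one, leaves a recognisable trace in Windows Security logs: a burst of failed logons (event 4625, logon type 10) from one source followed by a success (event 4624) from the same source. The following detector is an added example, not code from the original page or from the Sophos report; the log format is a constructed, simplified rendering of those events, and the threshold and window are assumptions to tune per environment.

```python
"""Detect RDP password brute-forcing over constructed Windows Security log lines.

Added example, not code from the original page or from the Sophos report. The
log format is a simplified, constructed rendering of Windows events 4625
(failed logon) and 4624 (successful logon); logon type 10 is RemoteInteractive,
i.e. RDP. Thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<timestamp> <event_id> <logon_type> <account> <source_ip>"
SAMPLE_LOG = """\
2018-03-22T23:55:01 4625 10 administrator 203.0.113.7
2018-03-22T23:55:03 4625 10 administrator 203.0.113.7
2018-03-22T23:55:05 4625 10 admin 203.0.113.7
2018-03-22T23:55:08 4625 10 administrator 203.0.113.7
2018-03-22T23:55:10 4625 10 backup 203.0.113.7
2018-03-22T23:55:13 4625 10 administrator 203.0.113.7
2018-03-22T23:56:40 4624 10 administrator 203.0.113.7
2018-03-23T08:01:12 4625 10 jsmith 192.0.2.10
2018-03-23T08:01:30 4624 10 jsmith 192.0.2.10
2018-03-23T08:05:00 4624 2 jsmith 192.0.2.10
"""

FAILED_LOGON, SUCCESSFUL_LOGON = "4625", "4624"
RDP_LOGON_TYPE = "10"


def parse_events(log_text):
    """Parse the constructed log into (timestamp, event_id, logon_type, account, src_ip)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src_ip = line.split()
        events.append((datetime.fromisoformat(ts), event_id, logon_type, account, src_ip))
    return sorted(events)


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: {"failures": n, "compromised_accounts": [...]}}.

    A source IP is flagged once it has at least `threshold` failed RDP logons
    inside a sliding `window`; any later successful RDP logon from that IP is
    recorded as a likely guessed password (the SamSam entry pattern)."""
    recent_failures = defaultdict(list)   # src_ip -> failure timestamps inside the window
    findings = {}
    for ts, event_id, logon_type, account, src_ip in parse_events(log_text):
        if logon_type != RDP_LOGON_TYPE:
            continue                      # only RDP attempts matter here
        if event_id == FAILED_LOGON:
            bucket = recent_failures[src_ip]
            bucket.append(ts)
            while bucket and ts - bucket[0] > window:
                bucket.pop(0)             # expire failures older than the window
            if len(bucket) >= threshold:
                entry = findings.setdefault(src_ip, {"failures": 0, "compromised_accounts": []})
                entry["failures"] = max(entry["failures"], len(bucket))
        elif event_id == SUCCESSFUL_LOGON and src_ip in findings:
            accounts = findings[src_ip]["compromised_accounts"]
            if account not in accounts:
                accounts.append(account)
    return findings


if __name__ == "__main__":
    for src_ip, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{src_ip}: {info['failures']} RDP failures, "
              f"successful logons afterwards as {info['compromised_accounts']}")
```

In the constructed log the single mistyped password from 192.0.2.10 is ignored, while 203.0.113.7 is flagged with six failures and a subsequent success as "administrator", which is the point at which an analyst would check that host for tools such as PsExec and batch scripts being staged.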

Stuxnet

Stuxnet is a malicious computer worm made to attack Iran’s nuclear facilities. Its specific target was hardware: it crippled equipment by taking control of and altering the PLCs (Programmable Logic Controllers) used to automate the machine processes in the facilities. The worm was first discovered in 2010 and has been evolving and spreading ever since its discovery.

Workings of Stuxnet

Composition

Stuxnet is composed of three components: a worm, a link file and a rootkit.

The link file automatically executes copies of the worm; it exploits a vulnerability in the way Windows displays the icons of shortcut files.

The worm executes all routines related to the main payload of the attack. It implements a Microsoft Remote Procedure Call (RPC) server and client to execute certain functions, effectively enabling affected systems to communicate with one another. It also includes tests that check for an active Internet connection so that the affected system can communicate with a remote server holding copies of the worm.

The rootkit is the component responsible for hiding all the malicious files and processes, so that the worm stays undetected by the user and by anti-virus software.

Use of P2P

Stuxnet installs both server and client components for a Microsoft Remote Procedure Call on all infected systems, across all versions. After connecting to a peer, it performs the following procedure: get the malware version, receive a module and inject it, send the malware file, create a process (either a command shell or a file), create a file, delete a file, and then read a file.

All affected systems have a UUID (Universally Unique Identifier) used for communication between systems so that they can update each other.

The remote server

First it tries to connect to one of two URLs: www.windowsupdate.com or www.msn.com. Once it has confirmed that an Internet connection is available, it connects to the attacker via one of two URLs [URL not preserved]. After it has connected to the malicious operator, a URL of the form “http://www.{BLOCKED}erfutbol.com/index.php?data={data}” is generated, where {data} is an encrypted hex value containing the IP address of the machine, the computer name, and the domain.
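From the defender's side, the sequence just described (a reachability probe to a well-known site, then a request carrying a long hex blob in a `data` parameter) is visible in web proxy logs. The script below is an added example, not code from the original page: it flags that pattern in a constructed proxy log. The probe hostnames come from the page; the log format, the placeholder command-and-control hostname (the real one is blocked out on the page) and the five-minute window are assumptions.

```python
"""Flag the 'connectivity check, then beacon with a hex blob' pattern in proxy logs.

Added example, not code from the original page. The page names
www.windowsupdate.com and www.msn.com as the reachability probes and an
index.php?data=<encrypted hex> beacon; the log format, the placeholder
command-and-control hostname and the time window below are assumptions.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

CONNECTIVITY_HOSTS = {"www.windowsupdate.com", "www.msn.com"}
HEX_BLOB = re.compile(r"^[0-9a-fA-F]{32,}$")   # long hex-only query value

# Constructed sample proxy log: "<timestamp> <client_ip> <method> <url>"
# The beacon host below is a placeholder, not a real indicator.
SAMPLE_PROXY_LOG = """\
2010-06-17T09:12:01 10.1.4.22 GET http://www.windowsupdate.com/
2010-06-17T09:12:02 10.1.4.22 GET http://www.c2-placeholder.example/index.php?data=9f2c6b1e4d8a7c3b0e5f1a2d4c6b8e9f1a3c5e7b9d0f2a4c6e8b0d1f3a5c7e9b
2010-06-17T09:30:00 10.1.4.30 GET http://www.msn.com/
2010-06-17T09:31:10 10.1.4.30 GET http://www.msn.com/news/today
2010-06-17T10:02:00 10.1.4.41 GET http://www.windowsupdate.com/
2010-06-17T10:40:00 10.1.4.41 GET http://www.c2-placeholder.example/index.php?data=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""


def parse_proxy_log(text):
    """Parse the constructed log into sorted (timestamp, client_ip, method, url) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split()
        rows.append((datetime.fromisoformat(ts), client, method, url))
    return sorted(rows)


def find_beacons(log_text, check_window=timedelta(minutes=5), allowlist=frozenset()):
    """Return one finding per request that looks like the beacon described above.

    Each finding records whether the same client probed a connectivity host
    within `check_window` beforehand, which is the sequence the worm follows."""
    last_check = {}          # client_ip -> time of its latest connectivity probe
    findings = []
    for ts, client, _method, url in parse_proxy_log(log_text):
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in CONNECTIVITY_HOSTS:
            last_check[client] = ts
            continue
        if host in allowlist:
            continue
        data = parse_qs(parts.query).get("data", [""])[0]
        if parts.path.endswith("/index.php") and HEX_BLOB.match(data):
            preceded = client in last_check and ts - last_check[client] <= check_window
            findings.append({"client": client, "host": host,
                             "data_len": len(data), "preceded_by_check": preceded})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_PROXY_LOG):
        print(finding)
```

Ordinary browsing of msn.com (client 10.1.4.30) produces nothing. Both beacons are reported; the one from 10.1.4.22 is marked as preceded by a probe one second earlier, the stronger signal, while the later one from 10.1.4.41 is still worth triage on the hex-blob shape alone. Because {data} is encrypted, the detector deliberately does not try to decode it.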

History

The earlier versions of Stuxnet could spread only by infecting Step7 project files, the files used to program the PLCs, but later versions could also spread via USB flash drives using the Windows feature called “Autorun”, or across a local network through a print-spooler exploit. The creators added these spreading mechanisms to increase the odds of a successful attack on companies related to Iran’s nuclear production, from manufacturing to installation. These companies provided a gateway, via infected employees, for the worm to enter Natanz, the location of Iran’s uranium-enrichment plant, or Būshehr, the location of a nuclear reactor. The attack took place in June 2009: the first company to get infected was Follad Technic, Behpajooh was hit a week later, and nine days after that Neda Industrial Group was struck as well. The worm was 500KB in size and infected the software of at least 14 industrial sites. The virus went unnoticed for about a year after the initial attack because it also fed back false data indicating that everything was running smoothly when in truth it was not. There were early notifications about the Step 7 DLL producing errors, and the problem consistently appeared when a flash drive was used to transfer files, whereas before, on a clean computer, there were no errors. The biggest giveaway came when new machines were being installed about five months after the early notifications: none of the newer machines were being fed gas yet, as they were still in the process of being installed, but the SCADA (Supervisory Control and Data Acquisition) monitoring systems showed data as if gas was being fed into them.
While the Iranian nuclear program continued to suffer technical difficulties, people speculated that the worm originated as a joint program of the United States and Israel called “Olympic Games”. The virus spread globally via employees and the general public, targeting industrial control systems and causing massive damage; data showed that approximately 100k computers were infected by the end of 2010, with more than 60% of them in Iran. The damage kept increasing because of the sheer number of people plugging USB flash drives into multiple machines, effectively re-infecting and spreading to systems around the globe. No infrastructure was safe, and the targets were any and all industrial control systems.
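The way the worm stayed hidden, by reporting data that looked normal, suggests two cheap plausibility checks an operator can run on PLC telemetry: does a reported trace exactly repeat an earlier one (genuine sensor data carries noise and does not), and does the reported value contradict an independent record such as whether the machine is connected to the gas feed at all? The block below is an added example, not code from the original page; the readings, the commissioning record and the thresholds are constructed for illustration and are not values from any real plant.

```python
"""Two plausibility checks for PLC/SCADA telemetry, inspired by the false
'everything is fine' data described above.

Added example, not code from the original page. The readings, the commissioning
record and the thresholds are constructed for illustration; they do not come
from any real plant or from the Stuxnet incident data.
"""

# Constructed PLC-reported gas flow, one sample per interval. The first 16
# samples are genuine (they carry sensor noise); the next 16 replay them exactly.
GENUINE_FLOW = [4.98, 5.03, 5.01, 4.97, 5.05, 4.99, 5.02, 4.96,
                5.04, 5.00, 4.95, 5.06, 5.01, 4.98, 5.03, 4.97]
REPORTED_FLOW = GENUINE_FLOW + GENUINE_FLOW

# Constructed independent commissioning record: whether the machine was
# actually connected to the gas feed at each sample.
GAS_CONNECTED = [True] * 20 + [False] * 12


def find_replayed_ranges(readings, window=8):
    """Return (first_sample, last_sample) ranges whose values exactly repeat an
    earlier block of `window` samples. Real sensors carry noise, so an exact
    recurrence of a long block is a strong sign of a replayed trace."""
    seen = {}
    flagged = []
    for i in range(len(readings) - window + 1):
        block = tuple(readings[i:i + window])
        if block in seen:
            flagged.append(i)
        else:
            seen[block] = i
    ranges = []
    for i in flagged:                      # merge overlapping repeated blocks
        if ranges and i <= ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], i + window - 1)
        else:
            ranges.append((i, i + window - 1))
    return ranges


def implausible_feed(reported_flow, gas_connected, tolerance=0.1):
    """Indices where the PLC reports flow although the independent record says
    the machine is not connected to the feed: the discrepancy the page describes,
    checked automatically instead of noticed by chance."""
    return [i for i, (flow, connected) in enumerate(zip(reported_flow, gas_connected))
            if not connected and flow > tolerance]


if __name__ == "__main__":
    print("replayed sample ranges:", find_replayed_ranges(REPORTED_FLOW))
    print("flow reported while disconnected at samples:",
          implausible_feed(REPORTED_FLOW, GAS_CONNECTED))
```

The replay check is only meaningful on signals that normally fluctuate; a value that is legitimately constant (a closed valve reading 0.0) would repeat exactly and needs the second, cross-source check instead. In practice the independent record must come from outside the PLC (commissioning logs, a separate sensor), because data that passes through the compromised controller cannot confirm itself.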

Stuxnet family

In the years following the initial attack in 2009 and the continuing damage through late 2010, many related malware families were developed from the same type of worm as the original Stuxnet.

Duqu (2011)

Duqu was nearly identical to Stuxnet but had a different purpose. Built on the original Stuxnet code, its main function was to capture and log information such as keystrokes, mined data, and system information from industrial facilities, presumably to launch an attack at a later date. Cases were reported in at least eight countries.

Flame (2012)

The Flame module exploited the same vulnerabilities for spreading as Stuxnet did. It was sophisticated spyware that logged keystrokes, recorded conversations (e.g. Skype), captured screenshots, and performed many other data-collection activities. Its main targets were government and educational organizations and some private individuals, mostly in Iran and other Middle Eastern countries.

Havex (2013)

Havex was used in a widespread espionage campaign targeting the energy, aviation, pharmaceutical, defense and petrochemical sectors, with the primary targets being organizations in the United States, Europe and Canada.

Industroyer (2016)

Industroyer's only targets were power facilities. It was used in a cyberattack on Ukraine’s power grid, causing a power outage in December.

Triton (2017)

Triton was discovered in Saudi Arabia, where it disabled the safety systems of a petrochemical plant, increasing the odds of physical injury to workers.

Stuxnet 2.0 (2018)

The target was Iran, as with the original Stuxnet, but this time the target was the telecom infrastructure.

“Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon”, written by Kim Zetter, explains the events regarding Stuxnet in further detail.