Criminals get hold of 'Russian state malware'

News by Tim Ring

One of the first cases of government-grade malware falling into the hands of common cyber criminals has been uncovered by US security firm Sentinel Labs.

Sentinel research head Udi Shamir reported on Thursday that the ‘Gyges’ malware, which he believes was developed by the Russian intelligence service, has recently been bolted on to ransomware and online banking Trojans, making them much more difficult to detect.

Sentinel warns that because Gyges has sophisticated ‘government-grade’ anti-tampering and anti-detection techniques “it is virtually invisible and capable of operating undetected for long periods of time”.

The blog says: “Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being re-purposed, modularised and coupled with other malware to commit cyber-crime.”

Gyges targets Microsoft Windows 7 and 8 operating systems and is designed for both the x86 and x64 CPU architectures. Sentinel has tracked it being used for ‘government’ purposes such as network eavesdropping, key logging, stealing user identities, screen capturing and IP theft; and for criminal purposes such as ransomware, banking fraud, installing rootkits and Trojans, and creating botnets and zombie networks.

The company first saw the malware in March and was intrigued by its “sophisticated” masking techniques, which led it to discover the code's nation-state origins. Shamir wrote: “Gyges uses a hooking bypass technique that exploits a logic bug in Windows 7 and Windows 8. It also combines highly advanced anti-debugging and anti-reverse-engineering.

“The malicious code used for all of these evasion techniques is significantly more sophisticated than the core executable. That led us to believe that it was previously used as a ‘bus’ or ‘carrier’ for much more sophisticated attacks such as government data exfiltration. We eventually recovered government traces inside the carrier code.”

Sentinel has named it after the ring of Gyges in Greek mythology, which makes its owner invisible. Shamir said: “It uses less well-known injection techniques and waits for user inactivity (as opposed to the more common technique of waiting for user activity). This method is clearly designed to bypass sandbox-based security products which emulate user activity to trigger malware execution.”

The blog adds: “The malware is packed with heavily modified Yoda protector, which provides polymorphic encryption and anti-debugging.”

Sentinel claims Gyges' evasion techniques present a new level of threat to security professionals, saying: “The Gyges variant not only demonstrates the growing sophistication of malware, but more importantly shows how the lines are blurring between government-grade and mainstream attack code. The fact that carrier code can be bolted on to any type of malware to carry out invisible attacks is another indication that current approaches to security have reached their end-of-life for detecting advanced threats.

“In addition to anti-virus, even advanced protection measures including network monitoring, breach detection systems and sandboxing have become less effective at preventing and detecting advanced threats like Gyges before they can cause extensive damage.”

Analysing the malware, Cigital principal consultant Paco Hope said it marks another step in the ‘arms race’ between malware authors and security pros. He told via email: “Every report describes every new strain of malware as the most sophisticated ever seen - that's because it often is. Software (malicious or otherwise) is constantly growing more sophisticated.

“20 years ago simple encryption like DES was called ‘government grade’ security and many western nations sought to regulate it as if it were a weapon of war. We would all be more secure if the makers of good software (operating systems, online services, applications, etc) built software more securely and harder for malware to manipulate.

“Achieving security in our operating systems, software and hardware requires the manufacturers to build security in from the beginning, not merely address vulnerabilities later.”

Another industry expert, Keith Bird, UK MD of Check Point, highlighted the malware's ability to hide itself, telling by email: “The majority of new malware samples discovered have been developed and re-purposed from existing types – but it's interesting that Gyges seems to be purpose-built as a ‘cloaking device’ to evade conventional detection techniques, and enable delivery of a malicious payload.”

In related news, Mayhem, another new piece of malware that targets Linux and UNIX web servers, has been found by researchers from Russian firm Yandex. Yandex's report, published on Virus Bulletin, says Mayhem is a multi-purpose modular bot for web servers. Yandex has found 1,400 servers infected since first spotting Mayhem in April, mostly in the US, Russia, Germany and Canada.

The botnets have so far been used to brute-force crack WordPress passwords. The malware's functionality rests in a number of plug-ins, which are stored in a hidden file system. Most of the plug-ins help the perpetrators find other web servers to infect. Some plug-ins have yet to be seen in the wild, including one that exploits the Heartbleed vulnerability in OpenSSL.

Yandex warns that web servers have become a key target for malware authors, and says Mayhem is a continuation of last year's Fort Disco brute-force campaign.
