2023/03/15 23:36:42

Network worm

A worm (network worm) is a type of malware that spreads over network channels, is able to autonomously overcome the security measures of automated and computer systems, creates and further distributes copies of itself (which do not always match the original), and carries out other malicious actions.


Main article: Malware

The main feature by which worms are distinguished from one another is the way a worm spreads. Other distinguishing features are how a copy of the worm is launched on the infected computer, the methods used to embed itself in the system, and polymorphism, stealth and other characteristics that are also found in other types of malicious software (viruses and Trojans).

Types of worms

Depending on the route by which they reach a target system, worms are divided into:

  • Mail worms (Mail-Worm) are worms distributed as e-mail messages. The worm sends either a copy of itself as an attachment or a link to its file on a network resource (for example, a URL to an infected file on a compromised or attacker-controlled website). In the first case the worm code is activated when the infected attachment is opened (run); in the second, when the link to the infected file is followed. In both cases the result is the same: the worm code executes.
  • IM worms (IM-Worm) are worms that use instant messengers. Known worms of this type use a single distribution method: sending messages containing URLs to a file on a web server to the contacts found in the victim's contact list. This technique almost exactly mirrors the corresponding method used by mail worms.
  • P2P worms (P2P-Worm) spread via peer-to-peer file-sharing networks. The mechanism of most such worms is simple: to inject itself into a P2P network, the worm only needs to copy itself into the file-sharing directory, which is usually located on the local machine. The P2P network does the rest of the work: when other users search for files, it advertises the file and provides everything needed to download it from the infected computer. There are more complex P2P worms that imitate the network protocol of a specific file-sharing system and respond positively to search queries, offering a copy of the worm for download.
  • IRC worms (IRC-Worm). As with mail worms, there are two ways of spreading through IRC channels, repeating the methods described above. The first is to send a URL pointing to a copy of the worm. The second is to send the infected file directly to a user on the network; in this case the targeted user must accept the file transfer, save the file to disk and open (run) it.
  • Network worms (Net-Worm) are all other network worms, among which it makes sense to distinguish Internet worms and LAN worms:
    • Internet worms use Internet protocols for distribution. Predominantly this type of worm spreads by exploiting incorrect handling of TCP/IP packets by some applications, that is, vulnerabilities in network-facing services.
    • LAN worms spread over local area network protocols.

Addressing ICS/SCADA security problems

ICS makes up a large segment of the tiered OT architecture, covering many different types of devices, systems, controls and networks that manage production processes. The most common are SCADA and distributed control systems (DCS) [1].

For many years most organizations have been implementing information security measures, but OT security is relatively new territory. With the increasing penetration of Industrial Internet of Things (IIoT) technologies and the resulting convergence of IT and OT, organizations have lost the "air gap" that used to protect their OT systems from attackers and malware. As a result, attackers increasingly target OT systems to steal sensitive information, disrupt operations or commit acts of cyber terrorism against critical infrastructure. This is partly because existing malware works effectively against the legacy systems deployed in OT networks, which have probably not been patched or updated given the lack of resources for such work.

A number of problems have contributed to the evolution of cyber attacks affecting OT systems over the years. Among them:

  • Lack of an inventory of OT devices. Organizations cannot protect assets, whether by applying patches or running security checks, if they do not have a complete picture of the environment.
  • Historical reliance on the absence of remote network access. Most of the technologies underlying ICS were designed on the assumption of restricted physical access, obscure components and proprietary communication protocols.
  • Legacy hardware and software. Many ICS and SCADA systems use legacy hardware or legacy operating systems that are incompatible with, or too fragile to support, modern security technologies. Often such hardware is deployed in environments where systems cannot be taken offline for remediation or upgrade.
  • Poor network segmentation. OT environments tend to operate on a full-trust model, which transfers poorly to the new converged IT/OT environments. The standard security practice of dividing networks into functional segments, limiting which data and applications can move from one segment to another, is still rarely applied in ICS.
  • Limited access control and permission management. As previously isolated or closed systems become interconnected, the controls and processes that governed access often become confused.

Fortunately, the risks that give rise to ICS/SCADA security threats are becoming more widely recognized and, as a result, a higher priority for many large organizations. Government bodies, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in the US and the Centre for the Protection of National Infrastructure (CPNI) in the UK, publish recommendations and advice on ICS security best practices.

2023: African countries attacked by an updated version of the PlugX USB worm

On March 13, 2023, it became known that Sophos researchers had discovered an updated USB version of PlugX. According to the company, the novel aspects of this malware variant are the updated payload type and its callback to the C2 server.

PlugX is a type of malware that can propagate via USB drives. PlugX is able to collect system information, bypass antivirus software and firewalls, control the user's files, execute malicious code, and even give attackers remote access to the infected computer.

As of March 2023, the malware was spreading rapidly ("selling like hot cakes") in African countries. Infections have been observed in Ghana, Zimbabwe and Nigeria. Experts have also recorded another PlugX variant in Papua New Guinea and Mongolia. Sophos believes the campaign is linked to the Chinese Mustang Panda group, which is known to have used this malware in the past.

So, when a user inserts a USB drive carrying the malware into a computer, the first thing they see is a shortcut in the root of the flash drive disguised as the drive itself. Experienced users will probably hesitate before launching such a file. But, as is well known, attackers will always find their target audience.

Illustration: securitylab.ru

For the malware to work correctly, one shortcut is usually not enough, so the drive also contains several hidden folders, which can be revealed with a couple of clicks:

Illustration: securitylab.ru
Illustration: securitylab.ru

Knowing that these folders exist on the drive, it becomes much easier to "decipher" the malicious command stored in the shortcut shown above:

The "RECYCLER.BIN" folder is deliberately named that way by the attackers. Through certain manipulations, the attackers manage to link the real Windows Recycle Bin to this folder on the drive. Therefore, if you open the folder in the regular Windows Explorer, it shows the files deleted to the Recycle Bin from the user's computer and nothing out of the ordinary. But if you open the same directory with, for example, Total Commander, you can see the following subdirectories and files:

It is these files that provide the full functionality of the malware.

Illustration: securitylab.ru

This PlugX instance can send encrypted files to the attackers over the Internet. To this end it collects files with the extensions .doc, .docx, .xls, .xlsx, .ppt, .pptx and .pdf and stores them in encrypted form for later transmission. The files are saved in the RECYCLER.BIN folder mentioned above, and their names are converted to base64, after which they look like this:

Illustration: securitylab.ru
"As for the use of USB worms in 2023: they were certainly more common 10-20 years ago, when attackers could compromise the Pentagon simply by dropping a flash drive with malware in the right place. In 2023, removable media are no longer considered a particularly effective means of infection, especially compared to Internet attacks, but in this particular campaign this distribution method proved effective," stated Gabor Szappanos, Director of Threat Research at Sophos[2].

2019

Avast helps neutralize 850,000 unique Retadup worm infections

On August 28, 2019, it became known that Avast, a digital security company, in cooperation with the Cybercrime Fighting Centre of the French National Gendarmerie, had dismantled the Retadup worm, which had infected hundreds of thousands of Windows PCs, mainly in Latin America. Retadup was distributed by attackers specializing in cryptocurrency mining; they sometimes also used Stop ransomware and the Arkei password stealer.

As of August 2019, thanks to this cooperation, 850,000 Retadup infections had been neutralized: the command-and-control (C&C) server from which the attackers managed infected devices was replaced with a disinfection server, which caused the malware to self-destruct.

Avast Threat Intelligence found that Retadup spreads mainly by dropping malicious shortcuts onto connected drives, in the hope that people will share the malicious files with other users. The shortcut is created with the same name as an existing folder, but with added text, for example "Copy fpl.lnk". Retadup thus makes users think they are opening their own files when in reality they are infecting themselves with malware. When opened, the shortcut launches a malicious Retadup script.
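Both removable-media lures described on this page, PlugX's root shortcut named after the drive plus a RECYCLER.BIN look-alike folder holding base64-named documents (see the 2023 section above) and Retadup's shortcut named after an existing folder with trailing text (the paragraph just above), can be checked for with a few file-system heuristics. The following Python script is an added example and is not code from the article, from Sophos or from Avast. The volume label USB_DISK, the Photos folder and the staged document names are constructed to imitate an infected stick; the script runs offline against a temporary directory unless you point scan_drive() at a real mount.

```python
"""Heuristic scan for USB shortcut lures of the PlugX and Retadup kind.

Added example, not from the original article or the researchers it cites.
All sample names below are constructed; nothing is read from a real drive
unless scan_drive() is pointed at one.
"""
import base64
import binascii
import os
import tempfile
from pathlib import Path

# Document types the article says this PlugX variant stages for exfiltration.
STAGED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

# Windows' own recycle-bin folders are "$RECYCLE.BIN" (Vista and later) and
# "RECYCLER" (XP); the malware's "RECYCLER.BIN" is a look-alike of both.
LOOKALIKE_RECYCLE_NAMES = {"recycler.bin"}


def decode_staged_name(name):
    """If `name` is base64 for a document with a staged extension, return the
    decoded file name; otherwise None. Anything that is not clean base64 or
    not valid UTF-8 falls through, so ordinary file names are not flagged."""
    try:
        decoded = base64.b64decode(name, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if Path(decoded).suffix.lower() in STAGED_EXTENSIONS else None


def scan_drive(root, volume_label):
    """Walk a mounted removable drive and report the lure patterns:
      root_lnk_as_drive - a root .lnk whose name equals the volume label (PlugX)
      lnk_shadowing_dir - a .lnk named after a sibling folder, optionally with
                          trailing text such as " Copy fpl" (Retadup)
      recycler_dirs     - folders named like the fake RECYCLER.BIN (PlugX)
      recycler_staged   - decoded names of base64-named documents staged there"""
    root_path = Path(root)
    findings = {"root_lnk_as_drive": [], "lnk_shadowing_dir": [],
                "recycler_dirs": [], "recycler_staged": []}

    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames.sort()                      # deterministic traversal order
        here = Path(dirpath)
        rel_dir = here.relative_to(root_path).as_posix()

        if here.name.lower() in LOOKALIKE_RECYCLE_NAMES:
            findings["recycler_dirs"].append(rel_dir)
            for fn in sorted(filenames):
                decoded = decode_staged_name(fn)
                if decoded:
                    findings["recycler_staged"].append(decoded)

        for fn in sorted(filenames):
            p = Path(fn)
            if p.suffix.lower() != ".lnk":
                continue
            rel_file = (here / fn).relative_to(root_path).as_posix()
            if here == root_path and p.stem.lower() == volume_label.lower():
                findings["root_lnk_as_drive"].append(rel_file)
            # A shortcut that borrows the name of a folder sitting next to it.
            for d in dirnames:
                if p.stem == d or p.stem.startswith(d + " "):
                    findings["lnk_shadowing_dir"].append(rel_file)
                    break
    return findings


def build_sample_drive(volume_label="USB_DISK"):
    """Create a constructed directory tree imitating an infected stick and
    return its path. Files are empty; only the names matter here."""
    root = Path(tempfile.mkdtemp(prefix="fake_usb_"))
    (root / f"{volume_label}.lnk").touch()          # PlugX: root shortcut named as the drive
    (root / "Photos").mkdir()
    (root / "Photos" / "holiday.jpg").touch()
    (root / "Photos Copy fpl.lnk").touch()          # Retadup-style shadow of the Photos folder
    staging = root / "RECYCLER.BIN"
    staging.mkdir()
    for doc in ("report.docx", "budget.xlsx"):      # PlugX: base64-named staged documents
        (staging / base64.b64encode(doc.encode()).decode()).touch()
    (staging / "desktop.ini").touch()               # ordinary name, must not be flagged
    return str(root)


if __name__ == "__main__":
    drive = build_sample_drive()
    for key, hits in scan_drive(drive, "USB_DISK").items():
        print(f"{key}: {hits}")
```

To check a real stick, mount it and call scan_drive("/media/usb", "<volume label>"). Because the malware links its RECYCLER.BIN to the Windows Recycle Bin so that Explorer shows only deleted items, run the scan from a non-Explorer tool or from another operating system, as the article's Total Commander screenshots illustrate.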

"The cybercriminals behind Retadup had the ability to run additional malware on hundreds of thousands of computers around the world. Our main goal was to prevent the attackers from running malware on a global scale and to stop them from continuing to use infected computers," says Jan Vojtěšek, reverse engineer at Avast.

While analyzing Retadup, the Avast Threat Intelligence team identified a vulnerability in its C&C protocol. Using this vulnerability, the experts were able to remove the malware from victims' computers. Since Retadup's infrastructure was mainly located in France, the Avast team contacted the French National Gendarmerie's Cybercrime Centre in late March to share its findings. On July 2, 2019, the centre's staff replaced the malicious C&C server with a disinfection server. In its very first moments of operation, several thousand bots connected to the replacement server to receive commands, and the disinfection server used the C&C vulnerability to make them remove themselves. In this way all infected users were protected from Retadup automatically.

Some parts of the C&C infrastructure were located in the USA. The French gendarmerie notified the FBI, which then took them down. As of July 8, 2019, the cybercriminals no longer had any control over the infected bots. After the server was removed, none of the bots received any mining tasks: they no longer consumed their victims' computing power, and the attackers received no further profit.

Computers infected with Retadup sent quite a lot of information about the infected devices to the C&C server. The gendarmerie gave the Avast team access to a snapshot of the server so that they could obtain aggregated information about Retadup's victims.

"The most interesting information was the exact number of infected devices and their geographical distribution. As of August 2019, a total of 850,000 unique Retadup infections have been neutralized. The vast majority were in Latin America. More than 85% of Retadup's victims had no third-party antivirus software installed. Some had simply turned it off, leaving them completely vulnerable to the worm and allowing the infection to spread further unchecked. Usually we can only help Avast users, so we were very interested in trying to protect the rest of the victims around the world on such a huge scale,"

Number of neutralized infections in each country

On the map: the number of neutralized infections in each country. Most Retadup victims were in Spanish-speaking countries of Latin America.

A snapshot of the C&C server's file system also allowed Avast specialists to estimate the amount of cryptocurrency the cybercriminals received between February 15, 2019 and March 12, 2019. The malware authors mined 53.72 XMR (about $4,500) in that final month alone, during which the wallet address was still active. The Avast team suggests that the funds may have been moved to other addresses immediately, so the real mining profit was probably higher.

Most significant attacks on OT environments and ICS over the past decade

An assessment of the most significant cyber attacks on industrial control systems (ICS) over the past decade shows how far the technical capabilities of criminals have advanced. Perhaps even more troubling is their willingness to harm not only digital but also physical infrastructure, affecting individual employees and whole companies. Stuxnet is perhaps the first in a series of malicious attacks on ICS that demonstrated to organizations around the world the scale of the impact a cyber attack can have on physical infrastructure.

The emergence of new threats and attack mechanisms has fundamentally changed how industrial control systems (ICS) and SCADA are operated. Below we list some of the most notable cyber attacks and worms relevant to ICS and describe their impact on current strategies for securing critical infrastructure.

  • BlueKeep (2019). In May 2019 a vulnerability in the Windows Remote Desktop Protocol (RDP) implementation, known as BlueKeep (CVE-2019-0708), was disclosed; it affected up to a million Internet-exposed devices. Within a month of disclosure, security researchers began observing attempts to exploit it.

  • EternalBlue (2017). EternalBlue is the name of an exploit for a vulnerability in Microsoft's Server Message Block (SMB) protocol implementation. It gained notoriety in 2017 when it was used in the global WannaCry ransomware attacks, which affected computers in more than 150 countries and caused an estimated $4 billion in damage. The same vulnerability was also exploited in the NotPetya ransomware attacks. A patch closing the vulnerability had been available since March 2017, two months before WannaCry struck.

  • TRITON (2017). The TRITON malware, discovered in 2017, targeted industrial safety systems. Specifically, it attacked a safety instrumented system (SIS), modifying the firmware held in the controller's memory to add malicious functionality. This allowed the attackers to read or modify memory contents and run their own code and, with additional programming, to disable, block or alter the ability of an industrial process to fail safely. TRITON is the first known malware designed specifically to attack the industrial safety systems that protect human life[3].

  • BlackEnergy (2015). In 2015 it was discovered that the BlackEnergy malware was being delivered via macros in Microsoft Excel documents. The malware penetrated networks through phishing emails sent to employees. Although the tactics used by these attackers were relatively simple, the incident proved that cybercriminals can indeed manipulate critical infrastructure on a large scale[4].

  • Havex (2013). Havex is a fairly well-known remote access Trojan (RAT), first discovered in 2013[5]. Havex, attributed to the GRIZZLY STEPPE threat group, targets ICS and communicates with a C2 server that can deploy modular payloads. Its ICS-specific payload collected information about Open Platform Communications (OPC) servers, including the CLSID, server name, program ID, OPC version, vendor information, running state, group count and server bandwidth, and was able to enumerate OPC tags. Through its interaction with the C2 infrastructure, Havex posed a significant threat because it could receive instructions giving it advanced and previously unknown capabilities.

  • Duqu (2011). Hungarian cybersecurity researchers discovered malware identified as Duqu, very similar in structure and design to Stuxnet. Duqu was designed to steal information, disguising its data transfers as normal HTTP traffic and exfiltrating data inside fake JPG files. The key takeaway from Duqu's discovery was an understanding of how important reconnaissance is to attackers: information-stealing malware is often the first stage in a planned series of further attacks[6][7].

  • Stuxnet worm (2010). Stuxnet, discovered in June 2010, destroyed centrifuges at an Iranian nuclear enrichment facility. Although Stuxnet is believed to have entered the facility's systems via removable media, it exploited four zero-day vulnerabilities to spread, as well as the same vulnerability used by Conficker.

  • Conficker worm (2008). Conficker was first detected in November 2008. It exploited several vulnerabilities, including one in a network service present in various Windows versions such as Windows 2000, Windows XP and Windows Vista. As it spread, Conficker enlisted infected computers into a botnet. It is estimated to have infected between 9 and 15 million computers. Despite its wide spread, Conficker did not cause much direct damage.

  • Zotob (2005). This worm, which infected systems running various Microsoft operating systems including Windows 2000, exploited several vulnerabilities, including the MS05-039 vulnerability in the Plug and Play service. Infected machines rebooted repeatedly, and each reboot created a new copy of Zotob. Although it did not affect a large number of computers, it still had a serious impact on its victims: according to experts, the affected companies spent an average of $97,000 on cleaning the malware from their systems, and the clean-up took about 80 hours.

  • SQL Slammer (2003). SQL Slammer is another worm; it infected about 75,000 machines in just ten minutes in 2003. It caused denial of service at some ISPs and dramatically slowed Internet traffic. To spread so quickly, SQL Slammer exploited a buffer overflow vulnerability in Microsoft SQL Server, delivering its entire payload in a single UDP packet. Microsoft had released a patch for this bug six months before the incident.

  • Morris worm (1988). For one of the first examples of a worm that exploited known vulnerabilities we have to go back to 1988, two years before the invention of the World Wide Web. The Morris worm was one of the first computer worms to spread over the Internet. It exploited known vulnerabilities in Unix sendmail and rsh/rexec trust relationships, as well as weak passwords. Although its creator did not intend to cause damage, but rather to highlight weaknesses in the security of these systems, his creation caused damage estimated at between $100,000 and $10,000,000.

ICS security market

Notes