Thursday, 10 July 2014

Security Bulletin

executive summary

We at CCFIS believe in research and innovation. We capture malware, decode it and then reverse engineer it to dig out more information about it. Every malware sample we capture is analyzed in depth in our state-of-the-art malware analysis lab. The best part of our lab is that, instead of relying on commercial tools, we have developed our own sandboxing environment that can simulate almost all operating systems and network infrastructures. We have developed the capability to decode and break most of the malware that might be lurking inside your network.
Our specializations also include understanding and predicting attack methodologies. In our attack analysis lab we can simulate the different types of attacks that attackers use to compromise systems on various platforms. Once the attack methodologies are identified, we release countermeasures to safeguard against these attacks. We are also capable of reverse engineering the malware and exploits attackers use to compromise systems.
Last but not least, in our forensics lab we can gather complete "DNA" analysis information on any malware or attack. Our forensics lab has various capabilities that support our research, such as data recovery, memory forensics, packet analysis and many more.
With all these advanced capabilities and state-of-the-art labs, we present our research-driven security bulletin, the result of our analysis of different malware, attacks and exploits.
malware size
In this age, when we carry GBs of storage space in our pockets, we don't even care about files smaller than 10 KB or 1 MB. While analyzing all the malware we captured from different locations via our ATP sensor, we realized that most of the samples were as small as 10 KB. These programs were not the malware itself: they opened the gates and downloaded the malware from a remote location.
Unfortunately, most antivirus products will not detect such a program as a virus, because it performs no suspicious activity on your computer itself; it just downloads the file that will perform the malicious activity on your computer, i.e. the malware.
Deep inside the code of these programs we found the download IP/URL, username, password and path of the malware. Some of the programs were also intelligent enough to detect your operating system and download malware accordingly. For example, if you are using Windows 7 and Avast antivirus, it will download the malware that works perfectly with the combination of Windows 7 and Avast.
In our complete research we found that most of these malicious programs and malware are not larger than 1 MB. So next time you are about to ignore such files, think twice.
recommendations
· Delete unknown files. If you don't understand or recognize a file, simply delete it. Stay alert, though, and don't delete any system file.
· Always monitor your Task Manager and startup processes, locate the file, and if it is not signed by a vendor known to you, simply delete it.
· Most of the time you won't be able to delete this malware with a simple right-click and delete. In that case boot your computer in Safe Mode and try deleting it. If the malware is smart enough to prevent you from destroying it, boot a Linux-based live OS from a pen drive and delete the files from there.
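As an added example (not code from the bulletin or from CCFIS), a small Python triage script that applies the observation above: it walks a folder for files under 10 KB and pulls out embedded download URLs/IPs, credentials and payload paths, the strings the authors say they found inside these downloaders. The size limit, the regexes and the sample stub are assumptions made for this example.

```python
import re
import ipaddress
from pathlib import Path

# Triage threshold taken from the bulletin: the downloaders it describes were about 10 KB.
SMALL_FILE_LIMIT = 10 * 1024

# Patterns for the artefacts the bulletin says were embedded: download URL/IP,
# credentials and the remote or local path of the real payload. NUL bytes separate
# strings in binaries, so they are excluded from the value classes.
URL_RE = re.compile(rb"(?:https?|ftp)://[^\s\"'<>\x00]+")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CRED_RE = re.compile(rb"(?:user(?:name)?|pass(?:word)?)\s*[=:]\s*([^\s\"';\x00]+)", re.IGNORECASE)
PATH_RE = re.compile(rb"(?:/[\w.-]+){2,}|[A-Za-z]:\\(?:[\w.-]+\\)*[\w.-]+")

def extract_indicators(data: bytes) -> dict:
    """Return URLs, IPs, credentials and paths found as printable strings in `data`."""
    ips = []
    for m in IPV4_RE.findall(data):
        try:
            ips.append(str(ipaddress.ip_address(m.decode())))
        except ValueError:
            continue  # digits that are not a valid address, e.g. 999.1.1.1
    without_urls = URL_RE.sub(b" ", data)  # avoid reporting URL paths twice
    return {
        "urls": sorted({m.decode("latin-1") for m in URL_RE.findall(data)}),
        "ips": sorted(set(ips)),
        "credentials": sorted({m.decode("latin-1") for m in CRED_RE.findall(data)}),
        "paths": sorted({m.decode("latin-1") for m in PATH_RE.findall(without_urls)}),
    }

def is_suspicious_downloader(data: bytes) -> bool:
    """Heuristic from the bulletin: a tiny file that embeds a remote location together
    with credentials or a payload path deserves a second look even if no AV flags it."""
    if len(data) > SMALL_FILE_LIMIT:
        return False
    ind = extract_indicators(data)
    has_remote = bool(ind["urls"] or ind["ips"])
    return has_remote and bool(ind["credentials"] or ind["paths"])

def scan_directory(root: Path) -> list:
    """Walk `root`; return (path, indicators) for every small file that looks like a downloader."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.stat().st_size <= SMALL_FILE_LIMIT:
            data = p.read_bytes()
            if is_suspicious_downloader(data):
                hits.append((str(p), extract_indicators(data)))
    return hits

# Constructed sample: a stub carrying the kind of strings the bulletin describes (not a real sample).
SAMPLE_STUB = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"ftp://203.0.113.7/drop/payload.bin\x00user=ftpuser\x00pass=S3cret!\x00"
    + b"C:\\Users\\Public\\svc.exe\x00"
)
```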

state of malware: encrypted vs. unencrypted

We in the information security domain claim that we know all encryption and decryption algorithms, but do we actually know all of them? With our research data as evidence, the answer is "NO": we don't know even half of the encryption techniques that exist.
At the CCFIS malware analysis lab we have a state-of-the-art lab with the best malware analysts and almost all tools, equipment and infrastructure. We have also developed several in-house tools and technologies to analyze the malware captured by our ATP sensor, including sandboxing technology that can simulate almost any operating system, network infrastructure and working environment.
Even after building this state-of-the-art malware analysis lab with the country's best experts and researchers, we were not able to decrypt even half of these malware samples back into human-readable source code.
Nowadays hackers are not using the pre-defined algorithms publicly available on the internet to encrypt their malware. And if the decryption methods are not known to antivirus companies, how will they detect these malicious programs as malware and release patches for their users?
To analyze these types of malware we used behavioral analysis and sandboxing technologies on both virtual and physical machines. We were finally able to identify them as malware, but because they were encrypted with methods that are not publicly available, we were not able to dig into the code.
recommendations
· Keep an eye on your Task Manager and check whether any unknown process is running in the background.
· Additionally, you can open a Command Prompt by typing cmd in Run and then run netstat to see the list of all IPs your computer is communicating with. Before doing this, close all browsers and running applications, then check whether your system is communicating with any unknown IP. If it is, block that particular IP by editing C:\Windows\System32\Drivers\etc\networks in Notepad.
coding language


We at the CCFIS malware analysis lab have developed advanced capabilities to open up malware and recover a human-understandable coding language. In our complete analysis to prepare advanced threat reports for our customers, we came up with the above chart of the coding languages in which most of the malware was written.
In the previous issue of our security bulletin we explained that Perl is the favorite language of hackers for creating malware. In this issue too we found that Perl is the favorite language of hackers for coding malware. Remember the phrase "old is gold"? Hackers remember the same phrase. As you can see from the data above, hackers are still using C and C++ to code the most lethal malware.
Python is being used by attackers to code exploits and PoCs for most known CVEs. Several ATP sensors simulating Windows 7 and MS Office 2010 received MS Office 2010 exploits for CVE-2014-1761 coded in Python. We also found that most of the shells were coded in PHP to get root access to the server hosting the web application; attackers uploaded several PHP shells to ATP sensors simulating the latest version of the WordPress CMS. So if you are a WordPress user, stay alert and keep looking for new files. If you don't understand one, just Google it or simply delete it.
recommendations
If you don't use Perl or Python on your Windows machine, and installed it only out of passion and use it very rarely, consider uninstalling it; this will reduce the threat of Perl- or Python-based remote key-loggers. In our research we found that systems without these interpreters were not compromised by these malware samples, while systems with a Perl or Python interpreter were compromised easily by these remote key-logger malware.
file extensions


A filename extension is a suffix to the name of a computer file, applied to indicate the encoding of its contents or their usage. Who says Windows-based malware comes in .exe format? Not anymore. The data above proves that malware is being packed in different formats to infect users more smartly.
While we are busy planning business strategies, attackers are busy planning new attack strategies to infect your systems. In the first phase, instead of sending you malware in an executable format, they send it as .doc, .zip, .tar and other formats, and most of the time these files are password protected. In the second phase they simply send a small program that contains the password and the execution instructions for the particular malware hidden inside the .zip or .tar file. These small programs, which are not malware themselves, open the compressed file and execute the malware.
We simulated the same techniques and were able to bypass almost all up-to-date antivirus products. If we can bypass these antiviruses in a simulation, real attacks must be bypassing your antivirus and security solutions too. Think about it: if your antivirus or firewall is not detecting any attacks, that does not mean you are not being attacked; it may be that you are being attacked but your antivirus or firewall is not detecting it.
Attackers are even using file-renaming techniques. For example, if they want to send you malware named document.exe, instead of sending it as document.exe they rename it document.doc.exe. They also change the icon to make it look like a document or an audio file.
recommendations
To detect these types of files, go to Folder Options and uncheck "Hide extensions for known file types". After doing so, check for files with double extensions like document.doc.exe, and delete them.
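As an added example (not CCFIS code), a Python check for the double-extension trick described above. It also goes one step further than the text by flagging a file whose name claims a document extension but whose content starts with the PE "MZ" magic, since the icon and name can be faked but the header cannot. The extension lists are assumptions made for this example.

```python
from pathlib import Path

# Extensions Windows will execute directly (a practical subset; an assumption for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi"}
# Extensions an attacker plants in the middle of the name to look like a document or media file.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png", ".mp3", ".mp4", ".zip"}

def is_double_extension(name: str) -> bool:
    """True for names such as document.doc.exe: a decoy document extension
    followed by a real executable extension (the trick described in the bulletin)."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS

def is_disguised_executable(name: str, header: bytes) -> bool:
    """Beyond the bulletin: a file whose name claims a document extension but whose
    first two bytes are the DOS/PE 'MZ' magic is an executable in disguise."""
    suffix = Path(name).suffix.lower()
    return suffix in DECOY_EXTS and header[:2] == b"MZ"

def classify(name: str, header: bytes = b"") -> str:
    """Return 'double-extension', 'disguised-executable' or 'ok' for one file."""
    if is_double_extension(name):
        return "double-extension"
    if is_disguised_executable(name, header):
        return "disguised-executable"
    return "ok"

def scan_folder(root: Path) -> list:
    """Walk a folder and return (path, verdict) for every flagged file; reads only 2 bytes per file."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        with p.open("rb") as fh:
            header = fh.read(2)
        verdict = classify(p.name, header)
        if verdict != "ok":
            findings.append((str(p), verdict))
    return findings
```

Running scan_folder over a Downloads directory reports the same files a manual "Hide extensions" review would find, plus renamed executables that carry only one extension.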
malware type
Backdoors are often installed by attackers who have compromised a system to ease their subsequent return to it. Backdoors on your computer may be accessed by attackers without your knowledge or consent, and they are considered real security threats.
While analyzing malware captured by ATP sensors installed across the globe, we found that most of the malware were backdoors. An attacker tries to install a backdoor only when he has already exploited some vulnerability to compromise your system. We also found Trojans, which are generally non-self-replicating malware programs containing malicious code that, when executed, carries out malicious activities such as key-logging, spamming, theft of data and possible system harm.
The most shocking finding was that 26.6% of the malicious programs were not detectable by most antivirus products. We declared these files malicious after performing behavioral and code analysis on them.
Using antivirus and security solutions is a best practice, but simply relying on and trusting your antivirus is not advisable.
recommendations
We recommend the following best practices to safeguard yourself from these identified and unidentified malware:
· Always monitor the processes running in your Task Manager. If you find any suspicious process, kill it immediately.
· Check the msconfig startup options and see which programs are started automatically when you boot your system.
· For browsing, we recommend Google Chrome with the Ad-block extension. Most systems are infected by careless user activity while browsing, such as clicking on lucrative and attractive ads. Google Chrome will block sites hosting malicious code and the Ad-block extension will block all annoying ads.
· Run netstat in your command prompt and see whether your system is trying to communicate with any unknown IP; if so, block that IP manually in C:\Windows\System32\Drivers\etc\networks.
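The netstat check recommended here and under "state of malware" can be made repeatable. As an added example (not the bulletin's own code), this Python script parses the output of netstat -n, skips loopback and placeholder rows, and lists remote addresses that fall outside an assumed allowlist. The allowlist and the sample output are constructed for this example.

```python
import ipaddress
import re

# Allowlist for this example (assumption): addresses the machine is expected to talk to.
KNOWN_NETWORKS = [
    ipaddress.ip_network("192.168.0.0/16"),  # local LAN
    ipaddress.ip_network("203.0.113.0/24"),  # constructed: the organization's own public range
]

# netstat -n rows look like "TCP  local:port  foreign:port  STATE"; UDP rows have no state and show "*:*".
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text: str) -> list:
    """Return (proto, remote_ip, remote_port, state) for every connection row in netstat -n output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # column header, banner or blank line
        proto, _local, foreign, state = m.groups()
        host, _, port = foreign.rpartition(":")
        host = host.strip("[]")  # IPv6 peers are printed as [addr]:port
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # "*:*" and similar placeholders carry no peer
        rows.append((proto, ip, int(port) if port.isdigit() else None, state))
    return rows

def unknown_peers(text: str) -> list:
    """Remote (ip, port, state) tuples that are neither local nor inside KNOWN_NETWORKS."""
    seen = []
    for _proto, ip, port, state in parse_netstat(text):
        if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            continue
        if any(ip in net for net in KNOWN_NETWORKS):
            continue
        entry = (str(ip), port, state)
        if entry not in seen:
            seen.append(entry)
    return seen

# Constructed sample of Windows netstat -n output (not a real capture).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:49710     192.168.1.1:445        ESTABLISHED
  TCP    192.168.1.20:49722     203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.20:49731     198.51.100.77:6667     ESTABLISHED
  TCP    127.0.0.1:5354         127.0.0.1:49152        TIME_WAIT
  UDP    0.0.0.0:5355           *:*
"""
```

On a live machine, feed the text of `netstat -n` into unknown_peers; the result is the list of addresses to investigate before deciding what to block.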

region wise


• Alfa – Corporate simulation
• Delta – Financial institution simulation
• Beta – Government simulation

Our ATP sensor can simulate any network infrastructure, ranging from the complete production environment of a bank to that of a corporate. After this analysis we realized that hackers are mostly targeting corporates. Targeting money directly is old-fashioned; targeting data worth money is the easier and safer trend hackers have adopted nowadays. After stealing data from corporates, hackers sell the company's sensitive files in underground communities (the deep web).
But financial institutions are still where the money is, and that is what attracts most attackers. So we created a dummy bank with our ATP sensor and left it vulnerable to exploits. The result was as expected: hackers used very complex techniques and 0-day exploits to compromise the network and get at the money.
So if you are a corporate or a financial institution, no matter what security solutions you implement, hackers will always try to target you.
recommendations
In this case we would recommend you install an ATP sensor at your location so that you can deflect attacks from your real network to a fake, monitored decoy server. By deflecting most of the attacks you save your network from 70% of targeted and automated attacks.
Later on you can also replay these attacks, malware and exploits against your own network to see whether it is vulnerable or not.
ATP sensors deployed in metro cities were attacked and compromised more than ATP sensors deployed in other cities. This implies that if you or your organization is in a metro city, the probability of being attacked increases.
most targeted networks

We developed our ATP sensor to replicate several kinds of organization: research and development, financial, educational, government and critical infrastructure.
It is obvious that research and development organizations are continuously under attack by intelligence agencies seeking to understand capabilities and gather information about what others are doing. The same organizations are attacked by hackers to steal new technologies and patents and later make money out of them.
Critical infrastructure (CI) comprises the assets that are essential for the functioning of a society and economy. The most common CI sectors are chemicals, commercial facilities, communications, critical manufacturing, dams, defense industries, emergency services, energy and power grids, finance, government facilities, healthcare, information technology, nuclear plants, transportation, water, etc. Hackers are trying to hack these sectors.
Hacking into these sectors can result in the creation of a weapon of mass destruction.
If your organization belongs to any of the above sectors, we would recommend you follow the best practices issued by the National Critical Information Infrastructure Protection Centre (NCIIPC).
Financial institutions were soft targets for attacks and will remain soft targets. Nowadays attackers are even trying to penetrate educational organizations. There may be many reasons behind this, but several that we predict are these: most universities in India are research driven, and research conducted by students at university level becomes business for others and for themselves after several PoCs, so hackers are also interested in this research data, which they can steal and which can be purchased by some investor. Another prediction is that nowadays every other teenager is either a bug-bounty hunter or a hacker, so it may also be that these students are trying to hack into their university network to get question papers, or into the university ERP to manipulate their marks and attendance.
One of our major clients, Amity University, captured 500+ targeted malware samples and 20,00,000+ targeted attacks after deploying the ATP sensor. A hacker's intentions cannot always be judged by his attack methodologies, so if you are an educational organization wondering who would attack you, the example of Amity University proves you wrong.
To conclude, if an educational organization like Amity University, which is not doing any business and has no production environment, is being attacked so brutally, then what about other organizations that are actually doing business and working in the financial sector?
country wise analysis
IPs of the countries detected attacking India's network infrastructure. There are a number of possibilities:
· The country attacking India's infrastructure might actually be performing the attacks and hence be responsible for sending the malware.
· IPs of these countries were used as proxies to perform the attacks.
· It is also possible that computers in these countries were compromised and hackers are pivoting attacks to India from systems in these countries.



attack timelines: hourly


With the data collected by all locations of our ATP sensors, we built a central dataset covering 6 months to predict at what time most attacks happen and attackers are most active.
Most attacks happen between 7 PM and 10 PM. This is prime time for Indians to check their social networks, shop online and do other personal work that they cannot do during office hours of 9 to 6. Most attackers are also active during this time. People are using their personal computers and laptops, which are less secure than their office computers, and hence it is easier for an attacker to break into their systems.
Attackers are less active during the day. Our ATP sensors captured fewer attacks on India's infrastructure between 4 AM and 6 PM, the time when we are sleeping, exercising, walking or working in offices.
Targeted attacks are not only those in which an attacker sends a mail with malware specially crafted to compromise a user's system; these are also real targeted attacks, in which the attacker knows your personal timetable and knows at what time you will be online on less secure systems performing personal and financial transactions.
attack timelines: dates


We monitored 6 months of logs from all locations where we have installed our ATP sensors. We concluded that attackers were most active on the 20th and 28th of every month.
We also found that attacks are more active at the end and the start of the month. In India most online shoppers make their online transactions on these dates, as most Indians receive their salary during this period and spend especially then.
Hackers are less active in the middle of the month. So it may be that attackers are sniffing or capturing payment details.
One cannot predict an attacker only from his attack methodologies; a behavioral analyst is always required in an organization to predict the mindset of an attacker.