Saturday, March 2, 2013

Kaspersky Lab identifies malware MiniDuke


Kaspersky Lab's team of experts recently published a new research report that analyzed a series of security incidents involving the use of the recently discovered PDF exploit in Adobe Reader (CVE-2013-6040) and a new, highly customized malicious programme known as MiniDuke. The MiniDuke backdoor was used to attack multiple government entities and institutions worldwide during the past week, said the lab's press release. Kaspersky Lab's experts, in partnership with CrySys Lab, analyzed the attacks in detail and published their findings. 
MiniDuke's highly customized backdoor was written in assembler and is very small, only 20kb. "The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous," said the statement issued by the lab.

It said that the MiniDuke attackers are still active at this time and have created malware as recently as February 20. To compromise victims, the attackers used extremely effective social engineering techniques, which involved sending malicious PDF documents to their targets. 

Once the system is exploited, a very small downloader, only 20kb in size, is dropped onto the victim's disk. This downloader is unique per system and contains a customized backdoor written in assembler. When loaded at system boot, the downloader uses a set of mathematical calculations to determine the computer's unique fingerprint, and in turn uses this data to uniquely encrypt its later communications. It is also programmed to avoid analysis by a hardcoded set of tools in certain environments like VMware. If it finds any of these indicators, it runs idle in that environment instead of moving to the next stage and exposing more of its functionality by decrypting itself further; this indicates that the malware writers know exactly what antivirus and IT security professionals do in order to analyze and identify malware.
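An added illustration, not MiniDuke's code, of why a per-host key makes a copied sample useless on an analyst's machine: the host attributes, fingerprint scheme and stream cipher below are constructed stand-ins, but the practical lesson holds, which is that an incident responder must record the infected host's identifying attributes alongside the sample to have any chance of decrypting its traffic.

```python
import hashlib
import hmac

# Constructed host attributes standing in for whatever the real fingerprint uses.
VICTIM_HOST = {"computer_name": "WS-FIN-07", "volume_serial": "A1B2-C3D4",
               "cpu_id": "GenuineIntel-06-3A"}
ANALYST_HOST = {"computer_name": "SANDBOX-1", "volume_serial": "0000-0001",
                "cpu_id": "GenuineIntel-06-2D"}

MAGIC = b"MDK1"  # constructed marker used to recognise a correct decryption


def fingerprint(host: dict) -> bytes:
    """Collapse the host's attributes into a fixed-size fingerprint (constructed scheme)."""
    material = "|".join(f"{k}={host[k]}" for k in sorted(host))
    return hashlib.sha256(material.encode()).digest()


def derive_key(host: dict) -> bytes:
    """Per-host communication key: any change in the fingerprint changes the key."""
    return hmac.new(fingerprint(host), b"session-key", hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Hash-counter keystream XOR; symmetric, so the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_beacon(host: dict, payload: bytes) -> bytes:
    """What the infected host would send: marker plus payload under its own key."""
    return keystream_xor(derive_key(host), MAGIC + payload)


def try_decrypt(host: dict, blob: bytes):
    """Analyst-side attempt using the attributes of the machine the sample is run on."""
    plain = keystream_xor(derive_key(host), blob)
    return plain[len(MAGIC):] if plain.startswith(MAGIC) else None


if __name__ == "__main__":
    blob = encrypt_beacon(VICTIM_HOST, b"checkin")
    print(try_decrypt(VICTIM_HOST, blob))   # b'checkin': fingerprint reproduced
    print(try_decrypt(ANALYST_HOST, blob))  # None: sample copied to another box
```

Running the sample in a sandbox yields `None` because the sandbox's fingerprint differs; supplying the attributes captured from the real victim (the `VICTIM_HOST` dictionary here) is what recovers the plaintext.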
