
Category: malware

There are 2 posts published under malware.

Kimsuky is a Simple Computer Virus That Targets South Korea

On September 11, Kaspersky’s research team published a report showing attacks on South Korea’s think-tanks. This cyber-espionage campaign, named Kimsuky, seemed to only target 11 South Korean and 2 Chinese groups—some of these groups include: the Sejong Institute, KIDA (Korea Institute for Defense Analysis), South Korea’s Ministry of Unification, Hyundai Merchant Marine, and supporters of the Korean Unification.

The first instance of Kimsuky’s activity was on April 3, 2013, and the first Trojan samples were found on May 5, 2013. This virus is unusual in that it is fairly unsophisticated and communicates with its operators through a public email server. Apparently, this is commonplace with amateur virus coders and is usually ignored. What caught the researchers’ attention was that Kimsuky used a Bulgarian email server and that the code contains Hangul (Korean characters), which translate to “attack” and “completion.”


Because Kimsuky is highly limited and targeted, it is uncertain how it is being distributed. The early Trojan samples collected were delivered by spear-phishing emails. These emails have been traced to sender names containing “kim” and to 10 IP addresses. These IP addresses connect the virus to networks in China’s Jilin and Liaoning provinces. Interestingly enough, there are network lines in these provinces that connect to North Korea. Another notable attribute of Kimsuky is that it disables the security tools of AhnLab, a South Korean anti-malware company.


Looking at Kimsuky’s targets and the source of the IP addresses, it seems as though the source of the malware is North Korea. However, Kaspersky researchers say that “it is not that hard to enter arbitrary registration information and misdirect investigators to an obvious North Korean origin.” In the end, there is no clear-cut evidence to point any fingers.


Luckily, the code is, as previously mentioned, simple, and Kaspersky products are able to detect and neutralize the various Kimsuky threats.


Kaspersky Labs Explains Virtualization Security

In August 2012, the IT industry read headlines about a malicious Trojan known as Crisis or Morcut, which spread across PCs and Macs with the purpose of intercepting financial data.

But what made this particular piece of malware special was one of the ways it spread: by targeting virtual machines. This was one of the very first pieces of malware to target virtual machines for infection. In the past, malware intentionally avoided virtual environments, since they are frequently used by security researchers to analyze malware. But cybercriminals will always “follow the money,” and as virtualization has surged in popularity, it’s no surprise to see this change in tactics.


Just how popular has virtualization become? According to a Forrester survey in 2012, 85% of companies have either implemented server virtualization or are planning to do so.[1] According to a global survey of businesses conducted by O+K Research in 2012, 81 percent of US companies run business-critical services in virtual environments.


But while virtualization has grown in popularity, securing virtual environments has lagged behind. In fact, a Gartner report claims that “… in 2012, 60% of virtualized servers will be less secure than the physical servers they replace”.[2] So what reasons lie behind the apparent paradox of ‘fast to virtualize, slow to secure’ when security threats – particularly from malware – are greater than ever before?


The primary reason behind this lag in virtualization security is a perception that a virtual machine is more secure than a physical one. The truth is that while virtual machines may be less prone to threats such as spyware and ransomware, they are just as vulnerable to malware in the form of malicious email attachments, drive-by downloads, botnet Trojans and even targeted ‘spear-phishing’ attacks. One major security benefit of virtualization is that when a temporary virtual machine is “turned off,” any malware is typically wiped away with it, and a new virtual machine can be created from the base configuration. Now, however, we’re seeing examples of malware that can survive the decommissioning of non-persistent virtual machines and become active again when the virtual machine is put back into operation.


In fact, the main benefit of virtualization is actually the source of its greatest security weakness. According to the National Institute of Standards and Technology:

“Virtualization adds layers of technology, which can increase the security management burden by necessitating additional security controls. Combining many systems onto a single physical computer can cause a larger impact if a security compromise occurs. Further, virtualization systems, which rely on a shared resource infrastructure, create a dangerous attack vector in which a single compromised virtual machine impacts the entire virtual infrastructure.”[3]


Here is a quick overview of the top risks to the virtual environment:

  • Infection in one virtual machine has the ability to infect data stores that other virtual machines use, spreading the infection and compromising additional systems and data.
  • One virtual machine can be used to ‘eavesdrop’ on another virtual machine’s traffic.
  • Malware has historically been created to avoid virtual systems. Now malware creators are writing code that targets both physical and virtual machines. Some malware is designed to survive the ‘tear-down’ of a non-persistent virtual machine, allowing it to ‘return’ when the virtual machine is re-commissioned.


But despite these risks, security has been largely an afterthought in the server virtualization movement. In most IT organizations, it is the network team, the server team, or the data center team that handles server virtualization deployment projects, with the security team often joining in at a later time. In most cases, the conventional thinking is to apply existing security practices for physical devices to the virtualized environment, on the assumption that whatever has worked for physical environments will be good enough in the virtual environment.


Businesses may assume that their virtual infrastructures are already secured via perimeter security. But now that VMs are being deployed for desktop applications and critical server applications, securing the edges of a network isn’t enough. Having “no security” on these critical endpoints isn’t an option anymore.


It’s also important to understand that since virtual systems are different from physical systems, virtual machines should be protected differently than physical endpoints. When evaluating virtualization security solutions, businesses should pay attention to the differences between “agent-based” and “agent-less” offerings. An agent-based offering follows the traditional model used to secure standard workstations – a copy of the software runs on each machine. But with virtual machines, instead of having each individual workstation responsible for protecting itself, businesses can instead off-load security activity onto a single, separate appliance. This agent-less approach offers several advantages for virtual endpoints, including:


  • A central scanning engine means each machine isn’t wasting time scanning the same files – they are scanned centrally, which doesn’t drain resources from each endpoint.
  • Virtual machines are created under the security umbrella of the central scanning engine, eliminating the so-called “Instant-On Gap,” where a new virtual machine is created but defenseless until security software can be installed.
  • Security updates are downloaded, configured, and installed once by the central security appliance, not by each virtual machine. This avoids “AV-Storms” caused by numerous machines downloading updates at the same time and drastically slowing down the network.


Understanding the realities of virtualization security lets IT managers take the first steps towards securing their network without sacrificing the performance and flexibility that made virtualization so appealing in the first place.


-Mark Bermingham, Director, Global Product Marketing, Kaspersky Lab

[1] The CISO’s Guide to Virtualization Security, Forrester Research, Inc., January 2012

[2] Gartner: Virtualization security will take time, March 2012

[3] Guide to Security for Full Virtualization Technologies, National Institute of Standards & Technology