APOC@LYPSE: THE END OF ANTIVIRUS. WHEN THE ANTIVIRUS IS THE THREAT


By Rodrigo Ruiz, researcher at CTI Renato Archer, and Rogério Winter, Colonel in the Brazilian Army

We present the proof of concept of a new cyber weapon with the potential to paralyze an entire nation with irreversible damage, whether wielded in nation-state-sponsored attacks (Ministry of Justice of Georgia 2011) or by terrorists. The Apoc@lypse Technique, described in the book ‘Apoc@lypse: The End of Antivirus’ (Ruiz, et al., 2015), clearly demonstrates the fragility of our defences. For more than 30 years we were taught that, in the digital age, we should trust our antivirus system and always keep it updated. Yet the antivirus market can be controlled and turned against an opponent, from the antivirus that protects your family photos to those that protect our trade, finance and military strategies. The technique is undetectable, fast and devastating for the data on the affected computer.

INTRODUCTION

A cyber attack can be related to the context of asymmetric conflict, in which the actors have powers that differ significantly and divergent political and military objectives. With that in mind, the weaker actor seeks a strategic advantage to counterbalance its own weaknesses and to compensate for the technological superiority of its opponent. The use of a cyber weapon is one way to conduct a cyber attack. Anyone can learn about and create effective cyber weapons. For this, it is only necessary to have a computer, an Internet connection, and the time and patience to learn about software, hardware and network vulnerabilities.

The unpredictability of cyber attacks often creates cascading effects outside the attacker’s original intentions, producing results that were not part of the initial planning.

In his article, Clay Wilson (Wilson 2015) mentions the recent studies regarding cyber attacks, which revealed common features that describe a cyber weapon:

  1. A malware attack campaign can combine multiple malicious programs for espionage, data theft or sabotage.
  2. The stealth capability allows the operation to remain secret for a long period.
  3. The attacker has detailed knowledge about the operation of the target system.
  4. There is a special kind of computer code to bypass cybersecurity protection technologies.

Moreover, another striking and present characteristic of the cyber weapon is the possibility of reusing the concepts embodied in it. In other words, malware analysis can uncover a number of features that will be learned and used in a counterattack. In contrast, a kinetic weapon will certainly be destroyed if a defect or fault occurs during launch, and if a kinetic weapon is found on the battlefield, a specialized military unit will destroy it.

Wilson’s work (Wilson 2015) helps us to introduce Apoc@lypse. The Apoc@lypse Technique was discovered during tests to verify the effectiveness of antivirus1 and its resilience in case of attack. The DoD (US Department of Defense 2010) developed the following concept of Mission Assurance:

“A process to protect or ensure the continued function and resilience of capabilities and assets – including personnel, equipment, facilities, networks, information and information systems, infrastructure, and supply chains – critical to the execution of DoD mission-essential functions in any operating environment or condition.”

The concept of Mission Assurance involves not only military structures but also applies equally well to Business, Government, and Research and Development (R&D). In this context, the use of antivirus has been emphasised as an information security dogma. In addition, it has been repeated as a best practice in almost all information security policies.

CYBER ATTACKS AND KINETIC ATTACKS

With the evolution of computing systems, many critical infrastructures (Command & Control, Air Traffic Management, Power Plants, Weapon Systems, etc.) use advanced automation, making modern society technologically dependent. This dependence makes cyberspace a new domain in which to conduct wars, alongside ground, air or sea combat.

A successful Israeli air strike on a suspected nuclear facility in eastern Syria sparked experts’ curiosity about the failure of the Syrian radar system (Adee 2008). The Russian-built radar system was supposedly state-of-the-art, yet it was not able to detect the Israeli fighter aircraft entering Syrian territory.

To protect cyberspace during a war, it is necessary to identify the main events in space and time, and to understand how cyber threats could damage the critical infrastructure on which operations depend.

From now on, imagine a hypothetical situation in which your enemy is able to take control of your anti-aircraft missile system, preventing your reaction. Now think about a protection system that, instead of protecting your territory, destroys itself. Interestingly, this is possible and actually occurs in nature. We will explain how this phenomenon can occur in a protection system, more specifically in an antivirus system.

An antivirus system has an important role in cyber defence, but an unfortunate finding emerged from an analysis of the attacks carried out in recent years. Invariably, antivirus detection failures are present in almost all of them. We have believed that our antivirus systems are capable of identifying and fighting cyber threats. In reality, the situation is quite different. For instance, as mentioned in (Ministry of Justice of Georgia, 2011), the attack strategy against the Georgian Government was to use an unknown malicious program that no antivirus product could identify as a threat at the time of discovery. In this case, the failure of malware detection contributed decisively to the success of the cyber attack.

As mentioned earlier, it is possible for a protection system to fail and destroy what it protects. In a metaphor with the human body, this situation is called autoimmune disease: a disease in which a person’s immune system wrongly attacks the body’s own healthy cells and tissues.

In our research, we identified some similarities between the human body and the cyber body; thus, we tried to simulate certain conditions. Consequently, we managed to establish the first cyber autoimmune disease, in which the antivirus system attacks the very computer system it is defending.

Apoc@lypse: The End of Antivirus (Ruiz, et al., 2015) clearly demonstrates the fragility of our defences. The Apocalypse Technique is a generic and extremely efficient way to bypass the protection of the antivirus system. The technique exploits an undisclosed vulnerability in the antivirus system and allows a target machine to be infected furtively, destroying the operating system and stored data. We implemented the Apocalypse Technique in software, and it can choose among several existing forms of infection. The signature concept has been copied and pasted from one antivirus to the next since the first one, but it carries an error inside the protection concept itself.

THE CYBER WEAPON

We present the proof of concept of a new cyber weapon with the potential to paralyze many information systems and different operating systems, causing irreversible damage. In this paper, we adopt the following definition of a cyber weapon:

“a computer code that is used, or designed to be used, with the aim of threatening or causing physical, functional, or mental harm to structures, systems, or living beings” (Lasiello 2015).

Cyber weapons can be classified into two types: physical and logical. Physical weapons are malicious artifacts found in the hardware of a computer or of other devices under the management of a computerized system. More recently, this type of cyber weapon has received greater attention because it is so difficult to detect.

“Cyberwarfare analysts argue that while most computer security efforts have until now been focused on software, tampering with hardware circuitry may ultimately be an equally dangerous threat”. (Markoff 2009).

On the other hand, a logical weapon is a cyber weapon crafted from a failure or error in software, which leaves the software in a vulnerable state and allows cyber exploitation. More precisely, the Apoc@lypse Technique exploits a vulnerability in the concept of misuse detection in the antivirus system. Misuse detection is a fundamental concept of all antivirus systems, from the earliest to the current ones.

In an antivirus system, there are two different approaches: misuse detection and anomaly detection. Misuse detection is based on signatures or patterns of attacks on the computational system. Some actions directed at the objects of the system are considered threatening, such as file deletion, hard disk formatting or attempts to modify privileged-access files. Well-defined and known actions against the weak points of a system form the signature of an attack, and attacks are detected by observing such actions occurring on specific objects. Conversely, anomaly detection is based on a definition of the expected behaviour of a host computer or its network. A profile of normal behaviour is captured, for example using statistical methods and association rules, and attacks are then detected by spotting actions that are unexpected according to that profile.

The Apoc@lypse Technique is based on injecting a DNA fragment of a virus (Figure 1) into benign files, without necessarily interfering with the functionality of those files. Depending on the virus DNA chosen, some antiviruses will be affected and others not, because antivirus companies have different methods of handling viruses. However, one special DNA affects all of them. In fact, the technique is very simple to implement using a string similar to the EICAR Anti-Malware Test File.

Figure 1: The Anti-Malware Test file (Source http://www.eicar.org/86-0-Intended-use.html).

In the first place, EICAR stands for European Institute for Computer Antivirus Research. They defined a test file, provided as the “EICAR Standard Anti-Virus Test File” (Figure 1). According to EICAR, this string is safe to pass around because it is not a virus and does not include any fragments of viral code.

For instance, imagine the calculator of your Windows operating system™ receiving pieces of virus inside its own executable file. From this standpoint, we have a calculator marked for death.

The piece of virus that we introduced into the calculator is harmless and does not represent any risk to the system. We deployed the Apoc@lypse technique against 150 different antivirus brands and, after the injection, all products began to identify the calculator’s executable file as a great and terrible threat. As a result, the antivirus systems began eliminating the “infected” files. In this case, the enemy is not the DNA fragment of the malware but the antivirus system, which attacks every injected file. This concept is the trigger for the start of a large-scale phenomenon that we call Cyber Autoimmune Disease.
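To make the two detection approaches described above concrete, and to show why a benign file carrying a signature fragment is treated as a threat, here is an added Python illustration. It is not the authors’ prototype and not code from the book: the signature database, the stand-in for the calculator file, the known-good store and the detection-log lines are all constructed for this example, and the real EICAR string is deliberately replaced by a harmless constructed token. Alongside the naive misuse scanner and a minimal anomaly scanner, it shows two defender-side safeguards the scenario calls for: quarantine-and-restore for protected system files instead of deletion, and a burst detector that treats one signature firing on many distinct system files within a short window as a possible autoimmune event rather than an outbreak.

```python
"""Toy model of signature (misuse) detection, behaviour (anomaly) detection and the
'autoimmune' false positive described in the text, with defender-side safeguards.
Added illustration only; not the authors' tool. All signatures, file contents,
paths and log lines are constructed. The real EICAR string is NOT used."""
from __future__ import annotations

import hashlib

# Constructed signature database: byte patterns a naive misuse detector treats as
# proof of infection. The first token stands in for the EICAR-like fragment.
SIGNATURES = {
    "Test.Fragment.Constructed": b"CONSTRUCTED-TEST-SIGNATURE-NOT-MALWARE",
    "Sample.Wiper.Constructed": b"\x90\x90\xcc\xcc\xde\xad\xbe\xef",
}

# Constructed benign file, standing in for the calculator executable.
BENIGN_CALC = b"MZ" + b"\x00" * 30 + b"calculator program code ..."
# The scenario from the text: the same benign file with a fragment appended.
TAINTED_CALC = BENIGN_CALC + SIGNATURES["Test.Fragment.Constructed"]


def misuse_scan(data: bytes) -> list[str]:
    """Signature-based (misuse) detection: flag any file containing a known pattern.
    Note that it cannot tell a real infection from a benign file carrying the pattern."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in data)


def anomaly_scan(actions: list[str], profile: set[str]) -> list[str]:
    """Behaviour-based (anomaly) detection: flag actions absent from the normal profile."""
    return sorted(a for a in actions if a not in profile)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Safeguard 1: protected system files are quarantined, never deleted, and are
# restored from a trusted copy. The store below is constructed for the example.
KNOWN_GOOD = {"C:/Windows/System32/calc.exe": BENIGN_CALC}


def respond(path: str, data: bytes) -> dict:
    """Decide what to do with a scanned file; never 'delete' a protected file."""
    hits = misuse_scan(data)
    if not hits:
        return {"path": path, "action": "none", "hits": []}
    if path in KNOWN_GOOD:
        # The hash differs from the trusted copy, so the file really was modified;
        # the right response is to restore it, not to destroy it and hope.
        modified = sha256(data) != sha256(KNOWN_GOOD[path])
        return {"path": path, "action": "quarantine+restore",
                "hits": hits, "modified": modified}
    return {"path": path, "action": "quarantine", "hits": hits}


# Safeguard 2: one signature firing on many distinct protected files within a short
# window looks like the autoimmune event in the text, not like a normal infection.
DETECTION_LOG = [  # constructed: (timestamp_seconds, path, signature_name)
    (100, "C:/Windows/System32/calc.exe", "Test.Fragment.Constructed"),
    (101, "C:/Windows/System32/notepad.exe", "Test.Fragment.Constructed"),
    (102, "C:/Windows/explorer.exe", "Test.Fragment.Constructed"),
    (103, "C:/Windows/System32/cmd.exe", "Test.Fragment.Constructed"),
    (700, "C:/Users/x/Downloads/setup.exe", "Sample.Wiper.Constructed"),
]


def autoimmune_alert(log, window: int = 60, threshold: int = 3) -> bool:
    """True when one signature hits >= threshold distinct protected paths within window seconds."""
    protected = [e for e in log if e[1].startswith("C:/Windows/")]
    for t0, _, sig in protected:
        paths = {p for t, p, s in protected if s == sig and t0 <= t < t0 + window}
        if len(paths) >= threshold:
            return True
    return False


if __name__ == "__main__":
    print("benign :", misuse_scan(BENIGN_CALC))
    print("tainted:", misuse_scan(TAINTED_CALC))
    print(respond("C:/Windows/System32/calc.exe", TAINTED_CALC))
    print("autoimmune event suspected:", autoimmune_alert(DETECTION_LOG))
```

The scanner flags the tainted calculator exactly as the text describes, because substring matching has no notion of whether the matched bytes can ever execute. The two safeguards do not fix misuse detection itself; they limit the blast radius when it is turned against the host: a restore-from-known-good policy means an operator loses nothing but time, and the burst detector gives the security operations team a signal that the product, rather than an intruder, is doing the damage.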

A very important aspect of this type of operation is secrecy. Here, camouflage techniques are the most suitable way to obtain total operational secrecy and to ease access to the target. With the Apoc@lypse Technique, it is possible to bypass antivirus protection with great success and to create a prototype of the cyber weapon. We use the concept of a transporter that carries the malware DNA in cloaked form.

This transporter is metaphorically called a “bacterium”. Many bacteria live in the human body symbiotically and are recognised as beneficial to it, such as the Lactobacilli. Thus, bacteria move freely in our body: a perfect undercover agent. Our prototype allows the bacteria to be programmed to locate target files and inoculate the malware DNA, in addition to other tasks, such as data exfiltration, espionage, data theft or sabotage.

Figure 2: Apoc@lypse Technique – cyber weapon step-by-step.

The bacterium concept is taught in biology in primary education, but it becomes extremely effective when combined with a computer game, such as the old Tetris2. In Figure 2, we present the technical step-by-step of Apoc@lypse that is able to destroy the computer system.

FINANCIAL IMPACT ON THE CORPORATE WORLD

The assessment of economic impact is an open question in cyberspace. Specialised reports from security companies point to an adverse scenario in which the certainty that an attack will occur is accompanied by unpredictability about its day and place.

The reports produced by security companies often present economic impacts across several economic sectors. However, in each new security report we can invariably identify a link to a marketing campaign launching that company’s new products and services.

There are several discussions about how to assess the economic loss caused by a cyber attack. However, this assessment depends on two key factors: first, companies need to know the size of the loss and, second, they need to disclose that information. The key problem, therefore, is that companies need to develop situational awareness about what was really affected by the attack.

When we visualise cyberspace, four information assets must be considered in mitigating risks and planning the defence: technology, people, processes and environment. We need to consider them when estimating the economic impact before, during and after a cyber attack. The ability to measure the damage caused by a cyber attack allows us to invest in cybersecurity with much greater efficiency.

Prior to 2010, the largest information security concern was the theft of banking information. However, in 2010 a successful cyber attack changed thinking in information security. We are referring to Stuxnet. Stuxnet is the malware used for the first large-scale attack on SCADA systems, in Iran: a cyber event so sophisticated that it was able to break all the pillars of cyber security, namely technology, people, processes and environment. With very complex code, Stuxnet used 4 zero-days and exploited technological resources. This cyber attack gave rise to the theory of a new weapon constructed by secret services to damage the Iranian nuclear program. We can imagine the economic impact on the Iranian nuclear program.

The economic issue is important to society, not least because several wars were started by economic disagreements. It seems that everyone wants to have a figure to use for many different purposes. The press shows us astonishing news, and some vendors use Fear, Uncertainty and Doubt, along with comparisons to earlier infections. The following lists the most emblematic virus/malware attacks that caused the greatest economic damage:

  1. Chernobyl/CIH (1988): between $20 million and $80 million; in addition, it destroyed data.
  2. Melissa (1999): caused damage estimated at 1 billion euros.
  3. ILOVEYOU (2000): the financial damage was estimated at between $10 billion and $15 billion.
  4. Code Red (2001): an estimated million infected computers and damages of $2.6 billion.
  5. SQL Slammer (2003): infected 75,000 computers in 10 minutes and disrupted online traffic.
  6. BLASTER (2003): the estimated damage was between $2 billion and $10 billion.
  7. Sobig.F (2003): the estimated damage was between $5 billion and $10 billion, with more than a million infected PCs.
  8. Bagle (2004): the estimated damage was in the tens of millions of dollars.
  9. Mydoom (2004): reduced global Internet performance by 10% and increased web page loading times by 50%.
  10. Sasser (2004): caused tens of millions of dollars in damage.
  11. Conficker (2009): the Cyber Secure Institute estimated that the economic loss due to the Conficker worm could be as high as $9.1 billion. According to the Conficker Working Group, it reached 35 million unique IPs.

Malware detection systems are gradually becoming the object of criticism from security experts, in particular with regard to their detection rate. The criticism is directed at the use of the old signature-based approach to fight recent threats. Currently, several specialised publications carry out efficiency tests on anti-malware systems. Their results are very encouraging, but they do not match the reality of current threats. Perhaps the blind spot in the process is the methodology employed, which does not allow a complete understanding of how the various anti-malware products are tested. In 2012, Brazilian scientists from the Center for Information Technology Renato Archer (Brazil) applied the Brazil Method of Anti-malware Test (Filho, et al., 2014) to anti-malware systems sold on the Brazilian market. The detection rate obtained differed from those reported by magazines and specialised consultancies around the world: the tests focused on the Brazilian Internet domain, and the average detection rate was only 50%.

For nearly four decades, since the invention of the first antivirus, we have thought that we were safe; but in fact, with each new virus or malware we are caught by surprise at the moment we need to defend ourselves. Cybersecurity depends on the reliable operation of an infrastructure that is, by its nature, critical.

HOW SHOULD WE DEFEND OURSELVES?

How do you defend yourself from an enemy that has this type of cyber weapon? An engineer from a big antivirus company, who declined to identify himself, wrote:

“Inserting parts of viruses in benign files is quite ingenious and I recognise the failure of all AV engines… It’s a structural behaviour and probably impossible to ignore with the current architecture.”

The rhetorical question is: what is the solution? The answer is easier said than done. In cybersecurity, technology, environment, people and process are inseparable. We believe the time has come to take a pen and a blank piece of paper in hand and rewrite every line of code again; in other words, to structure the defence with a vision of fighting the recent threats.

CONCLUSION

Archimedes3 used to say, in the Doric speech of Syracuse: “Give me a place to stand and with a lever I will move the whole world.” In the current paradigm, a computer and an Internet access point are enough to change the history of the world.

Security is a feeling of protection, necessary and indispensable to a society and each of its members, against threats of any kind. Defence is the action capable of sustaining that feeling of security (Escola Superior de Guerra 2013). Many current systems are designed on the basis of past knowledge and concepts but, for economic reasons, have not been updated. In 1987, Denning wrote:

“… on existing systems with known flaws are not easily replaced by systems that are more secure-mainly because the systems have attractive features that are missing in the more secure systems, or else they cannot be replaced for economic reasons (Denning 1987)”.

The technologies that we trust to provide protection against cyber threats must be adapted to the context in which they are used, together with the processes, people and environment of usage. In this context, the weapon that defends is the same one that destroys the system. All information security standards insist that best practice includes an installed and updated antivirus. The current era is that of cybersecurity, and computation is ubiquitous in people’s lives. According to (Ford 2004):

“While the antivirus industry has been steadily improving over the years, some might be surprised to learn that the fundamental technology used for detecting and removing viruses has changed very little over time.”

It is remarkable that, a decade after Ford’s statement, we can demonstrate that the technology for combating existing cyber threats has still changed very little. The Apoc@lypse Technique is a proof of concept. Despite this modest evolution, a serious flaw in the detection system allows it to be exploited as a cyber weapon.

We can demonstrate that it is possible to take control of an anti-malware system and command the destruction of the operating system. The Apocalypse Technique proof of concept is most effective on the Windows operating system; on other operating systems (Linux, Android, UNIX and Mac) the effects may be less catastrophic.

The Apocalypse Technique exploits an undisclosed vulnerability in anti-malware systems. The technical efficiency of Apocalypse was successfully tested against 150 anti-malware systems on the international market. The Apoc@lypse Technique is undetectable, fast and devastating for the computer’s data.

The big issue is that all nations defend themselves with the same vulnerable systems. This vulnerability can be used to attack an enemy through the very system that is supposed to protect it.

How does the antivirus industry see this situation?

  1. Denial: It is extremely difficult for the industry to admit the problem publicly.
  2. Affliction: The antivirus companies do not know how to solve the problem.
  3. Laziness and Money: For security software vendors, a complete solution to the cyber problem would mean having to find another product to sell.

What will you do? ■

FOOTNOTES

  1. In this paper, we will use antivirus and antimalware interchangeably because antivirus is a well-known
  2. http://www.download3k.com/Install-Tetris.html
  3. http://www.math.nyu.edu/~crorres/Archimedes/Lever/LeverQuotes.html

REFERENCES

  • Adee, Sally. “The Hunt for the Kill Switch.” IEEE Spectrum. May 01, 2008. http://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch (accessed November 30, 2015).
  • Denning, Dorothy E. “An Intrusion-Detection Model.” IEEE Transactions on Software Engineering. Piscataway, NJ, USA: IEEE Press, 1987. 222-232.
  • Escola Superior de Guerra. “CAMPOS DE ATUAÇÃO DO PODER NACIONAL.” In Manual Básico da Escola Superior de Guerra – Elementos Fundamentais Volume I, 66 – 84. Rio de Janeiro: Biblioteca General Cordeiro de Farias, 2013.
  • Filho, Antonio Montes, Rogerio Winter, Rodrigo Ruiz, Fernando Pompeo Amatte, José Geremonte Garcia, and Bruna Stefani de Oliveira Martins. “Brazil Method Anti-malware Test and the Implications For Cyber Defense.” XVI Symposium of Operational Applications in Areas of Defense (SIGE). São José do Campos – Brazil: Aeronautics Institute of Technology – ITA, 2014.
  • Ford, Richard. “The future of virus detection.” Information Security Technical Report Vol. 9, No. 2, 2004: 19 – 26.
  • Lasiello, Emilio. “Are Cyber Weapons Effective Military Tools?” Military and Strategic Affairs, 2015: 23-40.
  • Markoff, John. “Old Trick Threatens the Newest Weapons.” The New York Times. October 26, 2009. http://www.nytimes.com/2009/10/27/science/27trojan.html (accessed November 30, 2015).
  • Ministry of Justice of Georgia. “CYBER ESPIONAGE – Against Georgian Government (Georbot Botnet).” Data Exchange Agency. March 2011. http://dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf (accessed December 11, 2015).
  • Ruiz, Rodrigo, Rogerio Winter, Kil Park, and Fernando Amatte. Apoc@lypse: The End of Antivirus. Charleston: Amazon, 2015.
  • US Department of Defense. “DoD Policy and Responsibilities for Critical Infrastructure.” Federation of American Scientists. January 14, 2010. http://fas.org/irp/doddir/dod/d3020_40.pdf (accessed December 06, 2015).
  • Wilson, Clay. “Cyber weapons: 4 defining characteristics.” GCN. June 04, 2015. https://gcn.com/articles/2015/06/04/cyber-weapon.aspx (accessed December 06, 2015).
  • Zan, Tommaso De, Fabrizio d’Amore, and Federica Di Camillo. “Protezione del traffico aereo civile dalla minaccia cibernetica.” Istituto Affari Internazionali (IAI). December 09, 2015. http://www.iai.it/it/pubblicazioni/protezione-deltrafficoaereo-civile-dalla-minaccia-cibernetica (accessed December 13, 2015).

ABOUT THE AUTHORS

Rodrigo Ruiz is a researcher at CTI – Information Technology Center – Renato Archer, Campinas, Brazil. He is also a member of the SDIWC (The Society of Digital Information and Wireless Communications) and co-author of the book “Apoc@lypse: The End of Antivirus” and of many papers about privacy and security (https://www.researchgate.net/profile/Rodrigo_Ruiz3).
Email: rodrigosruiz@outlook.com

Rogério Winter is a Colonel in the Brazilian Army with more than 25 years’ experience in military operations and information security. He received a Master’s degree in Electronic Engineering and Computation from the Aeronautics Technological Institute (ITA) and is a member of the SDIWC (The Society of Digital Information and Wireless Communications). Today, he is dedicated to cyber warfare, command and control, and the decision-making process, and is co-author of the book “Apoc@lypse: The End of Antivirus”. Email: rogwinter@gmail.com

ACKNOWLEDGEMENT

We would like to express our thanks to Fábio Renato Winter for his review work and to Victoria Ganzert for creating the name and publishing Apoc@lypse.


The full version of the ebook ‘APOC@LYPSE – THE END OF ANTIVIRUS’ is available at the link below:
APOCALYPSE – THE END OF ANTIVIRUS (PDF – size 2.2 MB)


Publication date: February 2017