In recent years, the exposure of the US National Security Agency's cyber weapon arsenal and of other such arsenals has once again drawn widespread attention in the global security industry to the development and use of virus weapons. At the same time, with the development and application of artificial intelligence technology, virus weapons have begun to incorporate intelligent techniques. Public information shows that current virus weapons display increasingly intelligent characteristics in target selection, technical complexity, organizational rigor and attack effect.
I. Intelligent technology of virus weapons
From the Stuxnet and Flame viruses, to the NSA ANT attack tool platform and the Equation Group tool set published by the Shadow Brokers, to the CIA Vault 7 cyber weapon library, the trend toward intelligent virus weapons has been fully demonstrated. The intelligent features mainly include automatic control of the attack target, attack timing, attack scope, degree of effect, halting and self-destruction. The intelligence of a virus weapon may combine one or more of the following technologies.
(1) Directed attack technology
Targeted selection of victims and targeted attack are the primary characteristics of virus intelligence. An intelligent virus can scan, probe and collect the stored data, system attributes, network characteristics and other information of a target system, and then judge whether it is an attack target. If the attack conditions are met, it proceeds to the next step of destructive activity. To protect themselves, many virus samples actively probe the environment before loading the core module; once they detect a virtual machine or sandbox, or determine that the host is not the intended target, they immediately clean themselves up. In August 2018, IBM Research presented DeepLocker at Black Hat USA 2018, a new, highly targeted and evasive AI-powered attack tool. Its technical idea is to combine existing AI models with current malware techniques: the malicious payload is hidden inside a benign carrier application (such as video conferencing software), and the victim is identified through factors such as facial recognition, geolocation and voice recognition. Once the target is confirmed, DeepLocker launches the attack; if the target is not found, the malware remains hidden.
(2) Multi-path attack technology
The comprehensive use of multiple vulnerabilities and malicious-code functions to achieve a multi-path attack effect is the main way an intelligent virus ensures its effectiveness. The NSA's ANT attack weapon system has mastered a large number of unknown security vulnerabilities (0-days), developed a very mature engineered exploitation and implant framework, and is able to cover a variety of operating systems and applications from the lowest layer up. According to the exposed Vault 7 materials, the CIA obtained 24 weaponized Android zero-day vulnerabilities in 2016. Its virus tools can break into various kinds of smartphones, including Apple and Android devices, and some can even obtain complete control of the target device. A Vault 7 tool called HIVE allows infected computer systems to communicate with each other. The CIA used this cross-platform malware to remotely compromise and monitor personal computers running Windows, macOS, Linux and other operating systems, bypassing encryption measures and security settings to maintain continuous surveillance of network targets.
(3) Attack process control technology
Another important feature of intelligent viruses is the ability to load different components according to the attack task, while using multiple transmission channels to send control information in various forms at the same time, so as to ensure the reliability of remote control and achieve the attack's purpose. A new Delphi loader virus appeared in 2017; to delay sandbox detection, reduce its success rate and increase the difficulty of reverse analysis, it calls meaningless functions many times before the core code is decrypted. In the network attack campaigns of the DarkHotel APT group over more than ten years, the virus code used has been very complex, with dozens of related functional modules involving more than 200 malicious code samples. In June 2018, ESET malware researchers discovered the InvisiMole virus, used to attack key targets in Russia and Ukraine, which had remained dormant for more than five years. InvisiMole is deployed only against a few high-value targets and uses multiple techniques, such as disabling UAC and self-destruction, to avoid detection and analysis.
(4) Attack effect control technology
According to the needs of the attack task, an intelligent virus can achieve a specific attack effect. At present, intelligent viruses can support network operations such as access, analysis, attack, evaluation and camouflage, and achieve effects such as network disruption, deception, control and destruction. In the leaked Vault 7 material, the CIA's virus weapons can launch intrusions against autonomous vehicles, customized consumer software and various Linux-based embedded platforms. They can not only use these devices to monitor a target's movements, but also operate smart TVs and other terminal devices, and even remotely control smart vehicles to carry out assassination operations. In addition, Vault 7 records in detail a virus tool named Weeping Angel, which can compromise Samsung smart TVs and put them into a "fake-off" mode: the user believes the TV is switched off, while it actually records nearby conversations and sends them over the Internet to a covert CIA server.
II. Application trends of intelligent virus weapons
With the development of network information technology and the increasingly active state-backed hacker groups, the impact and harm caused by virus weapons are becoming more and more serious, and their development and application have attracted the attention of countries around the world. Based on the network security incidents and the activities of various APT groups in recent years, intelligent virus weapons show trends toward systematized application and toward integrating technical mechanisms specific to industrial control and Internet of Things devices.
(1) Systematization of organization and application
At present, the virus weapons used by various APT groups reflect the intelligent combination of multiple virus technologies, embodied in systematic functions at every level of the entire attack chain. In 2011, Lockheed Martin first introduced the military concept of the "kill chain" into cyberspace, dividing cyber attacks into seven parts: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. In 2015, the US Department of Defense put forward the "Cyber Security Kill Chain" (CSKC) in its Cybersecurity Test and Evaluation Guidebook, which mainly includes seven stages: reconnaissance, weaponization, delivery, exploitation, control, execution and maintenance. Since then, Gartner, Verdasys, HPE and other companies have proposed their own cyber kill chain concepts. With the introduction of the kill chain concept, virus weapons have changed from relying on a single virus tool to intelligent virus systems with a detailed division of labor and cooperation. From the NSA ANT attack platform and the CIA Vault 7 arsenal, we can see that the US side treats the intelligent application of virus weapons as a systematic project spanning tool design, code writing, program deployment, later maintenance and attack execution. Each branch has a clear division of labor, clear responsibility and a unified goal. Although their research focuses differ, the various virus tools can ultimately form a team that cooperates on the full range of network attack tasks and poses a great threat.
(2) Integration of technical mechanisms for specific equipment
The targets of intelligent viruses are converging on infrastructure and Internet of Things devices, and technically this requires integrating the technical mechanisms of various specific devices. On the one hand, with the rapid development of IT/OT convergence, more and more industrial control systems use general-purpose hardware and software, and the openness of industrial control systems grows by the day; system security vulnerabilities and defects become natural nourishment for intelligent viruses. On the other hand, because of the lack of their own security construction, much industrial control equipment lacks security design, and the equipment networking mechanisms lack security protection. In December 2017, hackers used intelligent viruses such as Triton and HatMan to attack Schneider's Triconex safety instrumented system (SIS), which is widely used in the energy industry and for the functional safety protection of nuclear facilities. Investigation shows that HatMan, written in Python, communicates with the SIS controller through the proprietary TriStation protocol, allowing the attacker to add new ladder logic that modifies the SIS safety logic, with the aim of shutting down the system and attempting to drive it into a dangerous failure state. This security incident shows that attackers are no longer satisfied with attacking conventional industrial control systems (DCS/PLC) but have begun to attack the core safety protection systems of industrial sites, trying to cause more serious hazards such as explosions and leaks of harmful substances.
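One defensive consequence of the incident described above is that engineering-protocol traffic toward safety controllers should only ever originate from approved engineering workstations. The check below is an added example (not code from the article or from any vendor it names) that flags TriStation-style traffic violating that rule; the UDP/1502 port mapping, the asset inventory and the flow records are assumptions constructed for the example.

```python
# Added example (not from the original article): flag engineering-protocol
# traffic toward safety controllers that does not come from an approved
# engineering workstation. TriStation is assumed to run over UDP/1502; the
# hosts, flow records and inventory below are all constructed for illustration.
from dataclasses import dataclass

TRISTATION_PORT = 1502  # assumption: TriStation engineering protocol port

# Constructed asset inventory: SIS controllers and the only workstations
# permitted to download logic to them.
SIS_CONTROLLERS = {"10.20.0.11", "10.20.0.12"}
ENGINEERING_WORKSTATIONS = {"10.20.1.5"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def check_flow(flow):
    """Return a list of findings for one flow record (empty if benign)."""
    findings = []
    if flow.proto != "udp" or flow.dport != TRISTATION_PORT:
        return findings  # not engineering traffic, nothing to report
    if flow.dst not in SIS_CONTROLLERS:
        # TriStation spoken to a host not tracked as a SIS controller:
        # an inventory gap or an unknown controller, either worth a look.
        findings.append(("unknown_sis_target", flow.src, flow.dst))
    if flow.src not in ENGINEERING_WORKSTATIONS:
        # The path described in the text: logic changes pushed to the SIS
        # from a host that is not an approved engineering workstation.
        findings.append(("unauthorized_engineering_host", flow.src, flow.dst))
    return findings

def analyze(flows):
    """Run every flow through check_flow and return the combined findings."""
    return [f for flow in flows for f in check_flow(flow)]

# Constructed flow records: routine Modbus polling, a legitimate engineering
# session, and a TriStation session from a compromised plant workstation.
SAMPLE_FLOWS = [
    Flow("10.20.1.50", "10.20.0.11", "tcp", 502),
    Flow("10.20.1.5", "10.20.0.11", "udp", 1502),
    Flow("10.20.1.77", "10.20.0.12", "udp", 1502),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(*finding)
```

In practice the inventory would come from the plant's asset register and the flows from a passive network sensor on the safety network segment.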
(3) Attack targets shifting to the Internet of Things and mobile terminals
With the spread of Internet of Things technology, smart wearables, smart home devices, smart routers and other terminal and network devices are developing rapidly. However, because security measures were not adequately considered in the development and design of some devices, they carry inherent security flaws that attackers can easily exploit. Take the active IoT viruses of 2017 as an example: Mirai, which mainly infects cameras and routers; Gafgyt, Satori and BrickerBot, which target Huawei routers; and IoTroop, which embeds multiple vulnerability scanning modules. These viruses all target specific vulnerable devices. It can be predicted that as the number of vulnerable devices increases, the security problem will become more and more serious, and such devices may become the breeding ground for large-scale network attacks in the future. In addition, mobile terminals have become a target of criminals. According to the data, 21.1% of iOS users and 34.3% of Android users have encountered mobile Trojans, including high-risk intelligent viruses aimed at specific target groups. In 2016, the "Trident" high-risk vulnerability broke out on iOS. Using this vulnerability, a hacker only needs to send a malicious link and lure the user into clicking it, and the Apple phone is taken over, allowing the theft of large amounts of private data such as SMS, email, call records, phone recordings and stored passwords, the monitoring and theft of chat messages from WhatsApp, WeChat and other social software, and even the covert activation of the microphone to record audio and send it to the attacker, all without the phone's user noticing anything. It can be judged that, for mobile platforms, persistent and hidden intelligent viruses have always been an underestimated problem. As the number of smart terminal users grows, more and more attack groups will take mobile terminals as their main target.
(4) Attack process extending to the supply chain
Intelligent viruses are increasingly inclined to attack the supply chain. A supply chain attack by an intelligent virus exploits the trust relationship between supplier and end user to hijack or tamper with legitimate software during its normal distribution and upgrade process, so as to bypass inspection by traditional security products and carry out the attack. Taking the NSA ANT attack tools as an example, most of the 49 tools are implemented as combinations of software and hardware that hide in the core of computer networks and mobile communication networks, so they are difficult for conventional protection measures to discover. In 2017, supply chain attacks showed an outbreak trend. Among them, the HP audio driver keylogger incident was a backdoor left by a major manufacturer: the audio driver recorded all of the user's keystrokes, stored them in clear text, and uploaded them to the developer as debugging information. Because supply chain security issues are highly concealed, they are difficult to detect even after users are infected, and because they involve the distribution, transmission, update and management of both software and hardware, intelligent viruses will inevitably bring greater security challenges in the future.
Cyberspace Security Civil-Military Integration Innovation Center
As the first civil-military integration development platform in cyberspace security for civil-military communication and coordination, the Center focuses on the field of cyberspace national defense security, explores the establishment of a deep civil-military integration innovation and development model for building cyberspace national defense security equipment, and is committed to building a private think tank in the field of cyberspace security for military equipment development.