"There are several reasons why the discovery of a new variant of Sykipot targeting smart cards didn’t shock me."
Costin Raiu, Director of Kaspersky Lab's Global Research & Analysis Team:
“There are several reasons why the discovery of a new variant of Sykipot targeting smart cards didn’t shock me.
First of all, this smartcard hijacking / malicious usage is normal, expected behavioral evolution for advanced persistent threats (APTs). The main aim is to get access to highly confidential data, which is no doubt well protected - with two factor authentication and other advanced crypto. So, this comes as no surprise at all.
OK, Sykipot is capable of listing and using certificates that are stored in the Windows key store, but stealing digital certificates and interfering with them began many years ago. The ZeuS gang started collecting digital certificates to perform attacks against online banking users who were protected only by a certificate, username and password. The increase in attacks against certificate authorities and misuse of advanced crypto is one of the main stories we highlighted for 2011. This will no doubt continue in 2012 as more malware authors understand the importance of crypto, and how it can be leveraged in their interests.
Additionally, the use of zero-days in Sykipot (see https://www.securelist.com) is a classic technique nowadays - with Adobe Flash Player and Reader and Java being the main targets.
Here are the ways to secure your system against Sykipot attacks:
- These attacks take advantage of the fact that a card must be physically present in the slot. It's good advice not to leave your card in the computer overnight.
- Unless absolutely necessary – especially on highly sensitive systems – we recommend disabling Adobe Flash Player, Adobe Reader and Java add-ons. Java is rarely used nowadays, so it can be safely uninstalled in 95% of cases. Adobe Reader X features a sandbox which makes it more secure; additionally, alternatives like Foxit Secure PDF Reader offer added protection. Finally, Flash Player is a weak point - but again, if you run a super-secret, classified system, then surely you don't need to watch YouTube on it, right?
- Detection for Sykipot should be strong in most security solutions. Therefore, running a security solution is essential; it’s the first step of defense against any malware attack.
- Update everything. Make sure you run the latest version of Windows –7 – and preferably the 64-bit version. Update Office to the latest version, together with all the other third-party apps.
- Plan for the worse. Sooner or later, you'll be hacked. Have a procedure to deal with it.”
