Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


Looking back on 2014, the moment of network security: 2014 annual network security bulletin, Antiy Laboratory

Posted by muschett at 2020-03-16

Security Research and Emergency Response Center bulletin

First release: February 1, 2015. This version updated: February 1, 2015. Current version: v1.3

For network security, 2014 was a year both tranquil and unusual. It left us feeling that the statistics our malicious-code back-end system produces every year cannot represent an era that was at once "magnificent" and "treacherous". We therefore decided to use some unpolished words and charts to take a brief look back at the year.

A year earlier, at the start of 2014, Antiy continued its tradition of issuing an updated security-threat "wanted poster" as a New Year gift. We chose APT (advanced persistent threat) as the King, identifying it as the most serious security threat, and "Malware/Other" as the King predicting the evolution of the security-threat trend. The latter is a term we coined by borrowing from malicious-code nomenclature; in Chinese we call it "threat generalization".

"Is the APT heat fading?" In 2014 we were asked this question many times by audiences or the media after our technical talks. Our answer is that when the media develops aesthetic fatigue toward a threat, it usually means the threat has been normalized: it is no longer merely a surprising research subject but is beginning to reach more people's daily lives.

Yet if the term APT was coined in a conference room of the United States Eighth Air Force in 2005-2006, it already has an eight-year history and has been chewed over many times. Its popularity, however, only took off in 2011-2012, when some new product solutions gradually matured and drew the attention of the industry and the public.

In that sense, for those of us who in 2005-2006 were still preoccupied with the rapid growth in the number of Trojans, we were "late"!

When APT is mentioned for 2014, the public undoubtedly cares most about the intrusion into and destruction at Sony Pictures, the publisher of the film The Interview. But from another angle, when an attack begins with an extortion warning and ends with destroying hard-disk data, is it still an APT? Perhaps, like Michael's questioning of whether Stuxnet is an APT or cyberwar in "Why Stuxnet Isn't APT", the Sony incident may also be a kind of combat action, although its technical craft is not so sophisticated.

APT events still attract the most attention. There were 33 APT attacks exposed in 2014, among which Regin and Epic Turla attacked the most countries and organizations. Regin is a group of advanced and stealthy malicious programs with good concealment techniques; it uses P2P technology to deliver instructions and steal information. From its body one can truly see the artful attack methods and standardized equipment system that go with an APT.

Figure 1 APT events exposed in 2014

Figure 2 Countries attacked in APT events exposed in 2014

Nearly 100 countries were attacked in the APT events exposed in 2014; the United States, Russia, China, Japan and other countries suffered the most. The main industries attacked were energy, finance, healthcare, media and telecommunications, public administration, security and defense, and transportation.

On April 7, 2014, a vulnerability described as the most serious in three years, Heartbleed, was found in OpenSSL, the open-source cryptography library. The vulnerability is an out-of-bounds memory read: an attacker can remotely read 64K of data from the memory of a server running a vulnerable OpenSSL version, which can be used to obtain user names, passwords and personal information held in memory, as well as server certificates, private keys and other sensitive data. Because OpenSSL is so widely used, the vulnerability affected large Internet companies, including Google, Facebook, Yahoo and the domestic BAT companies, as well as all kinds of network service providers and institutions such as online banking, e-commerce, online payment and e-mail.

The vulnerability had existed in OpenSSL for two years and was found by Google researcher Neel Mehta and researchers at the network security company Codenomicon, who informed the OpenSSL project so that it could be fixed. The new version, OpenSSL 1.0.1g, was released at the time of the vulnerability announcement, and Google fixed the vulnerability ahead of the rest of the industry. After the vulnerability was disclosed, attackers began grabbing data frantically; some joked that hard-disk prices rose because of the storage needed for the data obtained through Heartbleed. Exaggerated as that is, it shows the value of exploiting the flaw. Looking back at similar events, the irresponsible release of POC by some emerging companies, such as Codenomicon, is also an important reason for the "generalization" of threats.

Figure 3 Schematic diagram of Heartbleed

Note: Figure 3 is from Antiy's "Heartbleed vulnerability (CVE-2014-0160) FAQ".
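The out-of-bounds read described above comes down to one missing comparison: the server copied as many bytes as the heartbeat message claimed to carry, without checking that the claim fit inside the bytes it had actually received. The following added Python example (written for this bulletin, not OpenSSL's code) builds a heartbeat message in the RFC 6520 layout, shows the unchecked copy against a constructed "adjacent memory" byte string, and beside it the bounds check that a fixed parser performs. All names, the sample payload and the secret in the constructed buffer are illustrative assumptions.

```python
import struct

# TLS HeartbeatMessage layout (RFC 6520):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3


def build_heartbeat(payload, declared_length=None):
    """Build a heartbeat request. declared_length lets a caller mis-state the
    length on purpose; an honest client leaves it at len(payload)."""
    if declared_length is None:
        declared_length = len(payload)
    return (bytes([HEARTBEAT_REQUEST])
            + struct.pack(">H", declared_length)
            + payload
            + b"\x00" * MIN_PADDING)


def echo_unchecked(memory):
    """Simulates the flawed pre-1.0.1g logic: trust payload_length and copy that
    many bytes starting at the payload, even past the end of the received record.
    `memory` stands for the received record followed by whatever happened to sit
    next to it on the heap; here it is a constructed bytes object, not a real process."""
    (payload_length,) = struct.unpack(">H", memory[1:3])
    return memory[HEADER_LEN:HEADER_LEN + payload_length]


def parse_heartbeat(record):
    """Return the payload only if the declared length fits inside the record,
    leaving room for the mandatory padding; otherwise raise ValueError.
    This comparison is the bounds check whose absence was CVE-2014-0160."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise ValueError("record too short for a heartbeat message")
    if record[0] not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat type %d" % record[0])
    (payload_length,) = struct.unpack(">H", record[1:3])
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        raise ValueError("declared payload_length %d exceeds received data" % payload_length)
    return record[HEADER_LEN:HEADER_LEN + payload_length]


def is_accepted(record):
    """True if parse_heartbeat accepts the record, False if it rejects it."""
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", declared_length=4000)
    # Constructed "adjacent heap": the lying record followed by unrelated data.
    heap = lying + b"session=alice; password=hunter2" + b"\x00" * 4000
    print("honest payload:", parse_heartbeat(honest))
    print("unchecked echo leaks adjacent data:", b"hunter2" in echo_unchecked(heap))
    print("checked parser accepts lying record:", is_accepted(lying))
```

The fix in the parser is deliberately a comparison against the received record length, not against the declared length: the declared field is attacker-controlled and must never be used to size a copy on its own.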

In September, however, an even more serious vulnerability than Heartbleed was exposed: "Bash Shellshock" (broken shell). Because GNU Bash is even more widely deployed, it threatens not only server systems but also network devices, switching equipment, firewalls and other network security devices, and many customized systems such as cameras and IP phones. Research found that the vulnerability had existed for nearly 20 years. Another fatal problem is that GNU Bash can hardly be completely fixed because of its wide distribution; moreover, Bash's flexible syntax makes its parser extremely complex, so after each of several patches was published new problems were found immediately, and a series of vulnerabilities evolved from Shellshock.

Figure 4 Disclosure and repair iterations of the Shellshock vulnerability

Note: Figure 4 is quoted from Antiy's analysis "The evolution of the threat associated with the Shellshock vulnerability and the current status of malware in UNIX-like systems".

Afterwards, a sustained DDoS attack seriously affected the operation of the domestic DNS system, and a large number of the attacking nodes were online smart devices such as cameras. Tracking and analysis of the related botnet showed that it had exploited the Shellshock vulnerability to expand and acquire a large number of nodes.

In fact, we also found the Shellshock vulnerability in some domestic operating systems, sorted out the reference and inheritance relationships among those systems, and repaired the vulnerability in time. For domestic operating systems that rely on open-source development, a pseudo-closed-source system built on open-source software actually faces a greater vulnerability threat than the open-source software itself.
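Because web servers running CGI scripts copy request headers into environment variables, Shellshock attempts against the servers and devices discussed above leave a recognisable trace in access logs: the Bash exported-function marker "() {" inside a header value. The following added Python example (not Antiy's code or tooling) parses Apache combined-format lines and flags that marker in the attacker-controlled fields. The log lines, IP addresses (documentation ranges) and paths are constructed samples; the harmless `/bin/true` after the marker stands in for whatever a real request would carry, since the detection keys on the marker, not the command.

```python
import re

# Constructed Apache "combined" log lines; IPs are from documentation ranges.
SAMPLE_LOG = [
    '198.51.100.20 - - [25/Sep/2014:08:00:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [25/Sep/2014:08:00:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/true"',
    '198.51.100.21 - - [25/Sep/2014:08:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "MyMonitor () v1 {json}"',
    '203.0.113.9 - - [25/Sep/2014:08:01:30 +0000] "GET /cgi-bin/env.sh HTTP/1.0" 404 210 "() {:;}; /bin/true" "curl/7.35.0"',
    '198.51.100.22 - - [25/Sep/2014:08:02:00 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0"',
]

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash's exported-function marker "() {" with optional whitespace. A vulnerable
# Bash evaluated whatever followed this marker in an environment variable, so the
# marker itself is the stable thing to look for, regardless of the trailing text.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Fields whose content a remote client chooses and a CGI server exports.
ATTACKER_CONTROLLED = ("request", "referer", "agent")


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(lines):
    """Return (ip, field, value) for each line carrying the marker in a client-controlled field."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these separately
        for field in ATTACKER_CONTROLLED:
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["ip"], field, rec[field]))
                break
    return hits


def source_counts(hits):
    """Number of flagged requests per source IP, for blocking or further triage."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, field, value in find_shellshock_attempts(SAMPLE_LOG):
        print("Shellshock marker from %s in %s: %r" % (ip, field, value))
    print(source_counts(find_shellshock_attempts(SAMPLE_LOG)))
```

The third sample line shows why the pattern anchors "()" directly to "{": a user agent that merely contains parentheses and braces elsewhere is not flagged, which keeps the rule usable on busy servers.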

In addition, HTTPS, an important basic protocol for secure authentication and encrypted communication, was mentioned repeatedly this year. The SSL implementation in Microsoft servers was also found to have problems, and many online banking sites were exposed for incorrect code implementations.

In 2014, beyond the familiar vulnerabilities in Windows, Linux and other UNIX-like systems, iOS, Android and other operating systems and their application software, threats evolved along with the spread of smart homes, wearable hardware and information technology into every part of social life. We drew a diagram to try to illustrate the evolution of the threat distribution.

Figure 5 Generalization and distribution of network security threats in 2014

The data leakage events caused by the series of database dump ("trapdoor") incidents in 2012 had a great impact, and data leakage remained serious in 2014. Some of the leaked data still came from database dumps, but some came from database collision (credential stuffing) attacks. Among them, the widely felt "12306 database collision attack" showed how the spread of a small data set assembled through credential stuffing, accompanied by claims that the back-end database had leaked, can cause a certain social panic.

Figure 6 Major data leakage events exposed at home and abroad in 2014

We compiled some statistics on the leaked data in the "12306 database collision event". They show that website service providers still need to guide users toward stronger password strategies, in particular using separate passwords for important websites.



Rank  Password         Number of users
1     123456           392
2     (not legible)    281
3     (not legible)    165
4     5201314          161
5     111111           157

Table 1 12306 top 5 passwords in the leaked data

Table 2 12306 statistics of password usage habits in leaked data
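Statistics of the kind shown in Table 1 and Table 2, and the cross-site reuse that makes credential stuffing work, can be computed with a few lines over any leaked credential set. The following added Python example (not Antiy's analysis code, and run on a small constructed sample rather than the 12306 data) produces the top-N password list, some password-habit percentages, and the share of users who use the identical password on two sites. The user names, passwords and site split are all constructed.

```python
from collections import Counter
import re

# Constructed credential records standing in for two sites' leaked data.
# None of these are real 12306 records; the usernames are placeholders.
SITE_A = [
    ("u1", "123456"), ("u2", "123456"), ("u3", "5201314"), ("u4", "111111"),
    ("u5", "qwerty"), ("u6", "123456"), ("u7", "Tr0ub4dor&3"), ("u8", "5201314"),
    ("u9", "111111"), ("u10", "abc123"),
]
SITE_B = [
    ("u1", "123456"), ("u3", "5201314"), ("u5", "qwerty1"),
    ("u7", "Tr0ub4dor&3"), ("u11", "letmein"),
]

# Character classes used to judge password composition.
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def top_passwords(records, n=5):
    """Most common passwords with their user counts (the shape of Table 1)."""
    return Counter(pw for _, pw in records).most_common(n)


def habit_stats(records):
    """Percentages describing password habits (the shape of Table 2)."""
    pws = [pw for _, pw in records]
    total = len(pws)

    def share(pred):
        return round(100.0 * sum(1 for p in pws if pred(p)) / total, 1)

    def classes(p):
        return sum(1 for c in CHARACTER_CLASSES if re.search(c, p))

    return {
        "digits_only_pct": share(str.isdigit),
        "length_le_6_pct": share(lambda p: len(p) <= 6),
        "three_plus_classes_pct": share(lambda p: classes(p) >= 3),
        "distinct_ratio": round(len(set(pws)) / total, 2),
    }


def cross_site_reuse(records_a, records_b):
    """Fraction of users present on both sites who use the identical password
    on both: the population a leak from one site exposes on the other."""
    a = dict(records_a)
    b = dict(records_b)
    shared = [u for u in a if u in b]
    if not shared:
        return 0.0
    reused = sum(1 for u in shared if a[u] == b[u])
    return round(reused / len(shared), 2)


if __name__ == "__main__":
    print("top passwords:", top_passwords(SITE_A))
    print("habits:", habit_stats(SITE_A))
    print("cross-site reuse:", cross_site_reuse(SITE_A, SITE_B))
```

The reuse figure is the one a service provider should watch: when a large fraction of shared users reuse passwords, a leak anywhere becomes a working credential list everywhere, which is exactly the mechanism behind the 12306 event.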

In "The relevance and necessity of the Trojan avalanche to APT" we analyzed the rapid, explosive growth of malicious code from 2006 to 2012; that trend has now changed considerably. In terms of the number of black samples in storage, our sample library added 30 million hashes in 2014, but the growth rate has slowed greatly.

Figure 7 Growth trend of malicious code over the last five years

In 2014, the malicious-code family with the most new samples on the PC platform was Trojan/Win32.AntiFW, which first appeared in February 2014. The family aims at economic gain and carries potential threats, including installing adware, hijacking the browser, and attempting to modify the browser home page and custom search settings.

The top 10 list contains five adware families with the same goal, mostly economic gain: Domaiq, Lollipop, Morstar, Adload and Multiplug. Judging by the dates they first appeared, except for Grayware[Adware]/Win32.Adload (an adware family that appeared in 2011), most are newly created adware families.

In 2014 no new file-infecting malicious-code family entered the ranking by sample count; Sality and Virut are still the two old samples, and the Nimnul family remains on the list. The last entry in the top 10 is the Zbot family, which lingered on in 2014 and spread through e-mail and other means.

Figure 8 Ranking of malicious code on the PC platform in 2014

In the 2014 ranking of malicious-code behavior categories on the PC platform, advertising behavior for profit again ranked first; downloader behavior still has many hidden and practical uses; and backdoor malicious code with remote-control behavior ranked third.

Figure 9 Ranking of malicious code behaviors on the PC platform in 2014

The growth in the number of malicious programs on mobile platforms in 2014 was also slightly slower than in 2013; the number of incoming samples for the whole year exceeded 800,000.

Figure 10 Trend of mobile platform malware from 2005 to 2014

Mobile malicious programs are divided into 8 categories by behavior: malicious fee deduction, tariff consumption, system damage, privacy theft, rogue behavior, remote control, fraud and malicious propagation.

Figure 11 Number of malicious programs on the mobile platform by behavior attribute in 2014

Monthly statistics of malicious-program propagation events on the mobile platform in 2014 show the peak in March, close to 12 million, and the low in December. The propagation counts show two downward trends, one in the first half of the year and one in the second.

Figure 12 Monthly statistics of malicious program propagation events on the mobile platform in 2014

Monthly statistics of the domain names and IP addresses serving as propagation sources for mobile malicious programs in 2014 show that domain-name access is the more common choice for malware propagation.

Figure 13 Monthly statistics of domain names and IP addresses of malicious program propagation sources on the mobile platform in 2014

The era of threat generalization in 2014 was an era of shattered illusions. Take the so-called open-source security myth: while a minority of open-source security theorists still insist that "open source is a system made by the whole world together, and closed source is a system made by a small number of people", the weak links created by the imbalance of the community's security capabilities are becoming prominent. Heartbleed revealed a "dark spot under the lamp" in the most common OpenSSL, and reminded the industry that achieving security requires exactly this security professionalism, research ability and the supporting security cost. On the other hand, the joint industry action on an open-source security census after Heartbleed may be regarded as the "compensation of progress" (Engels) that follows a disaster; such activity lets open-source systems be examined from a global threat perspective. WireLurker, meanwhile, shattered the security myth of iOS.

In 2014, key vulnerabilities again demonstrated the enormous power of "seeing all the mountains as small at a glance", which makes the earlier comparison of raw vulnerability counts and the empty debate over which system is more secure completely meaningless. Key vulnerabilities bring great uncertainty and contingency to both attacker and defender, and the balance of information attack and defense capability may be flattened in an instant by a single key vulnerability.

The era of generalization is also a blind one. When new threats are repeatedly hyped, we are easily attracted and swayed, and it is easy to devote all our attention to new threats without analyzing our own foundation and background. The latter matters just as much. In the Heartbleed case, for example, it is also worth reflecting that researchers noticed the HTTPS adoption rate of domestic websites is very low: a large number of websites still use HTTP, and some well-known websites (including their mobile versions) actually use plaintext login protocols whose only security measure is a hash calculated over the password. This is in fact a generation gap between China and developed countries in basic security awareness and capability.

This year also saw the same popular criticism of the "old three", that is, "firewall", "anti-virus" and "patching". Such criticism is used to support the search for a new security model or way of thinking. In reality, however, the more common situation among government and enterprise users in China is that after large numbers of firewalls are purchased they are shelved, never installed or powered on; the virus database of anti-virus products on the intranet is updated only once every few months to half a year; and "patching" is seen as a dangerous move that may affect business stability. Do our existing security problems come more from the "old three" not working, or from their not being truly valued and effectively used?

From Internet security service specifications to IT governance capability, we have many lessons to make up in security. We have not yet established a fully consolidated system; we can turn our eyes fully to new threats, but we need to face old and new challenges at the same time. If we ignore these situations, it will lead to unrealistic misjudgment, especially beginning to worship and hope for a so-called "perpetual motion machine" that changes the security situation once and for all, forgetting that the essence of security is endless confrontation and improvement.

The era of generalization may also be an era of numbness. The Shellshock vulnerability, more serious than Heartbleed, struggled to get more attention from the domestic media, because many people felt that "Heartbleed did not cause that much impact". When terabytes of memory data from some mainstream websites (including e-commerce sites) were obtained, we cannot imagine what could be more important. Is only a large-scale network outage, or a large amount of back-end data directly exposed to the public, a major impact? This is a backward standard of security judgment, enough to make people sing and dance on the volcano.

The reasons for the emergence of threat generalization are, first, that the great development of information technology is destined to make it ubiquitous, while many traps, hidden dangers and wrong ways of thinking are continually inherited; this is the soil of threat generalization. Second, the popularization of attack capability: as Bruce Schneier said in "The State of Incident Response", "the trend that is happening and really important is that more and more tactical behaviors in wars are applied in a broader cyberspace environment", which provides tools and ammunition that accelerate threat generalization. Meanwhile, the vigorous growth of the underground black industry, with ever fewer scruples in its pursuit of fame and wealth, has become the continuous driving force of threat generalization.

In the era of generalization, many people have revived the preset script of the planned economy and panicked about security, leading to the resurrection of many views along the lines of "no development without designed-in security". These views ignore the rigidity of demand and assume that many problems can be solved by sand-table exercises and standard setting.

In the era of threat generalization, more people will think of K.K.'s "Out of Control". A teacher I highly respect told me that there are two books on his desk, one "Out of Control" and the other Bill Gates's "The Road Ahead". He said: "At present, for a future high-tech world, the former brings people far more anxiety and panic than the latter ever gave people a vision. But think about it: the steam engine, electrical machinery, atomic energy, genetic technology; which great technological advance has not brought humanity great anxiety, as if standing at the edge of a cliff? Yet even though they have also been used for destruction, crime and war, in the end our world has always become more civilized, developed and better."

The significance of security is always to protect the value of applications, not to limit it, and not to bind the hands and feet of development. Today, despite all kinds of security crises and the accompanying anxiety about the future, we firmly believe that development and progress are the greatest security.

Security workers should be doers, not prophets. Perhaps this choice is better suited to the era of "crossing the ocean".

Antiy is a professional R&D enterprise building next-generation security detection engines. Antiy's detection engine provides detection of viruses and all kinds of malicious code for network security products and mobile devices, and is adopted by more than ten well-known security manufacturers. The security software of tens of thousands of firewalls and tens of millions of mobile phones worldwide has Antiy's engine built in. Antiy won the AV-TEST 2013 award for best mobile device protection. Relying on the capabilities of its engine, sandbox and back-end system, Antiy further provides traffic-based anti-APT solutions with its own characteristics for industry enterprises.

Update date         Updated version   Update content
2014-12-25 13:58
2015-01-15 16:53                      Modified data, charts, etc.
2015-01-18 14:11                      Text revisions
2015-01-29 10:21                      Corrections
