The Need for New Taxonomic Views of Malicious Code & Content
Today’s blog post has been kicking around in the recesses of my mind for a while. I have been re-writing it for a while and decided to just get it out there so I can move on to other entries while still doing it justice. It deals with a subject that over time has become much more popularized, though not to the degree that other subjects within our space have: customized, designer malware. Some industries and security practitioners are much more familiar with this particular family of malicious code and content than are others. Certainly key elements within the public sector (DoD, Intelligence Community) and private sector (Defense Industrial Base, High-Tech R&D, Biomedical R&D) are no strangers to this family, but as for the majority I have to believe that it is still largely the stuff of myth and folklore. When one considers the premise of these types of threats and payloads it becomes apparent that they are unique and quite problematic. It’s a simple value proposition for the attacker:
1. Study your target(s)
2. Collect and qualify intelligence while making discretionary decisions on what to discard or retain
3. Study and evaluate targets of opportunity – technical and non-technical
4. Develop a strategy which takes into account tactical and strategic goals and allows for fluid diversion from one path to another should the opportunity cost be deemed too high or unreasonable
5. Engage and begin insertion within the target environment
6. Locate, identify and observe targets of interest, paying special attention to people, process and technologies put in place to protect the targets
7. Assess opportunity cost
8. Engage in compromise
9. Secure targeted object of mission
10. Extricate data and/or target (remember the target could be something of a non-digital order, say a next generation telecommunications handheld for example)
11. Secure the target
12. Initiate process to either extort the rightful owners for profit or identify and initiate potential buyers who themselves have been qualified and are ready to engage in a transaction to secure the rights to the target in question
Sounds complex, perhaps even a bit fanciful or fictitious, but rest assured, dear reader, it is anything but fictitious. Methodologies of this sort, and other similarly enacted methodologies, are utilized often within operations that focus on the use of customized and designer malware targeted at an organization or a specific individual within that organization for the express purpose of illegally acquiring information or assets belonging to that organization which – were they to be sold on the open market or destroyed – would have grave impacts upon the way in which the target or victim organization conducts its affairs.
As an industry we should take these threats and their growing prevalence every bit as seriously as some of the other more recently noted families of threats which have recently permeated the cultural zeitgeist. In the same breath we as an industry need to be quite careful to avoid hysteria and any potential for ushering in an era of cyber-McCarthyism that sees us descend into a chaotic state fraught with implications, finger pointing, blinder-driven views and a lack of the irrefutable.
So how do we begin fighting these threats? We begin very much in the same way in which we always do: by preparing ourselves and forgoing the tendency to take the path of least resistance. Many times the attacks and compromises seen which fall into the family of customized, designer malware leverage as a basis technologies which are well known and documented. Rootkits, backdoors, and Trojans amongst others have been noted effectively in these scenarios, as have various and sundry examples of ransomware. I believe that new, enhanced taxonomic views are necessary in the modern world of malicious code and content analysis for combating these challenges. These views must be much more comprehensive and at the same time reflect the realities occurring within the Internet threat landscape which at times are denounced as being fiction (e.g. “if an attack is launched by a nation state or sub-national entity for financial gain it cannot be an APT” – this is rubbish). Customized, designer malware may very well be a significant portion of the signal penetrating the noise in an effort to compromise and exploit our businesses, governments and personal lives on a scale much grander than had ever previously been considered.
When Antivirus becomes the Virus
Full Disclosure – I am a former McAfee employee, and currently draw a paycheck from a McAfee partner. The following are clearly my own thoughts and do not represent McAfee, my current/former employer(s) or anyone else.
Having been in the IT security industry for at least a decade, I have come to two key realizations:
1.) The IT security industry, as it relates to vendors selling products is largely based on FUD (fear, uncertainty, doubt), and
2.) Antivirus in almost no significant way equals comprehensive security
As many across the interwebs have already brought to light, McAfee had a very public snafu with one of their DAT updates (DAT 5958). Here is a mildly humorous link from Engadget’s site. To be clear, the point of this post is not to say that the antivirus market is poor or is dead, or that McAfee has substandard products or solutions (usually the contrary), but that mistakes like this hurt not just one vendor or end customer; the entire industry at large suffers.
That last part is an important point, especially in the case of endpoint security. Mistakes happen. QA processes are not perfect, vendors are trying to cut costs at every turn to increase profitability, so these things happen. In this specific case, if you were running VirusScan Enterprise with default settings, you were a bit better off than those who enabled “Scan processes on enable” or ran an on-demand scan with the 5958 DAT and scanned svchost.exe, as the SVP of McAfee Support mentions in his blog post.
I see this with a lot of security practitioners where they turn on non-default options and get burned. Again, not picking on McAfee, but they also had a recent issue in their Patch 3 release of VirusScan Enterprise 8.7i where you enable “Prevent Windows Process Spoofing” (also an option that is disabled by default). This does not affect you if you don’t start turning on options you don’t fully understand. So, if you are responsible for endpoint security, a few simple tips:
1.) Have an IT test environment in place. Like Noah’s Ark, have representative systems (hardware, OS levels and apps installed) to test before you deploy. Many large enterprises wait 12-24 hours before rolling out DATs, and those who did were largely unaffected by this issue. Vendors like to throw around FUD here and push people to deploy reactive DAT coverage, and in few instances does security supersede system availability.
2.) Stick with the default options unless you are ready to accept the consequences – if you left the default options in place, neither of these two recent McAfee issues would have affected you. Quit turning knobs when you don’t fully understand what they do. A lot of us in IT assume instead of “trust but verify”.
3.) On-Demand scans are of minimal help on end workstations. AV scanning, especially on a scheduled basis is reactive. You already have malcode. Use realtime protection/on-access scanning, whatever. Save the scheduled reactive scanning for your file servers, SharePoint, and other file and data repositories.
4.) Antivirus is not total security, it is only one countermeasure. And, most importantly it is a reactive countermeasure at that. Regardless of what spin vendors put on it (heuristics, sandboxing, lookups in the cloud, etc.) by its very nature it is a reactive countermeasure. Implement more/better countermeasures, which leads me to …
5.) Complement endpoint security with more than just desktop and network firewalls. If you don’t use Host-based Intrusion Prevention on your laptops and critical systems, you probably should. Big difference in detecting malicious code or signature viruses versus stopping malicious traffic, and there is way more to it than blocking a port or protocol.
The point of this is not to unleash a hit piece on a specific vendor or technology, but to make sure practitioners frame the security tools and countermeasures in the appropriate context. AV won’t save you from malicious traffic for the most part, or from a targeted attack. Just like network security is not the answer to all of your security issues. The answer is an honest assessment of your countermeasures and their configurations, and if that maps to an acceptable level of protection versus risk. Sounds so simple, yet the devil’s in the details.
Introduction:
Just when you thought it could not get any weirder we bring you yet another installment of Bombs, Bullets, and Bits! In fact this is Episode V of the ongoing series, and today’s installment focuses on the wonderment of open market promotion, marketing, and salesmanship within the sub-economic ecosystems of the underground. Before we get going though I feel it is important to address a few key areas of economic theory in order to set the stage accordingly.
Adam Smith and Underground Sub-Economic Ecosystem of the Internet:
Adam Smith is revered the world over by economists and non-economists alike. Smith (b. 1723 – d. 1790) wrote what is considered by many to be one of the most important texts in economics and philosophy, The Wealth of Nations. He is credited with coining the phrase and concept of the “invisible hand of the market” which, when allowed to move of its own volition, influences and churns economic cycles, conditions and markets in a natural manner reflecting basic and complex principles of conditions such as supply and demand. If you’ve not studied Smith’s works I would suggest picking up his The Wealth of Nations, as it is timeless. In the event you have not but are interested in understanding the basic premises of Smith’s philosophy (and if you intend on reading the remainder of this installment while being able to tie it all together), here is a short synopsis of the salient points contained therein:
- Every good and/or service has a “natural price” as determined by the weight given to it by its supplier, seller and the potential buyers
- If the price for a good and/or service exceeds that natural price then more resources (sellers, suppliers etc.) will be attracted to that market seeking to make a profit
- The price will return to its “natural” level over time as a result of market conditions
- “Supply” should be viewed as a force or condition that tends to impact the price of a good or service based on availability and demand
- “Demand” should be viewed as a force that increases the price of a good or service. Demand is also driven and influenced by supply (depending on what the good or service is)
- If the two (“Supply” and “Demand”) are in equilibrium, a state of stability in the market, then they will remain in balance. Should that stability fluctuate away from equilibrium, the natural cycle associated with competition rises once more and a return to “normalized” pricing occurs
- These cycles never cease; they are, in effect, in a state of kinetic motion
Relevance to the Underground and You:
Ok, at this point you may be thinking “thanks for the economic philosophy lesson, but what does this have to do with the underground, malware, hackers etc.?” I’m glad you asked. As we established above, every good and/or service has what Smith called a “natural price”. This “natural price” is determined by a variety of factors including, at a high level:
- Supply
- Demand
As one might expect, availability, efficacy or desired effect (what it does vs. what it does not do), and application are all capitalized upon by the seller when targeting potential buyers and consumers. This is true in all markets, up to and including the various ‘sub-ecosystems’ of the underground. In conducting research on botnets I recently ran across quite a bit of ‘marketing’ and solicitation, the likes of which would’ve made any professional sales team proud. Want access to source code for a botnet to do with what you will? DDoS? SPAM? Malicious Code Infection? No problem, you can do it all with the right package. In fact, in one case, the case of the ‘Blazebot’ botnet which I originally began tracking around a year ago, the author offered the following features to the highest bidder in the botnet’s final form factor:
Figure 1: Examples of Marketed Features In the Underground

Installation:
- Service Startup
- ActiveX Startup
- Anti Debugger thread
- Anti Dumping Mechanism
- File Protection (can be seen on video)
- Two types of process protection
- Windows Firewall exception
- Shared memory between service and userland app (ring 3)
- User impersonation (Service steals a token from userland App to steal their data)
- Pure API sockets (no ocx, csocketmaster or whatever)
- Ring3 API unhooking

Commands:
- Update - Allows users to update the bots with a newer version
- Dump - This will cover the retrieving of:
In this case the author decided to take his project to the open market and solicit private bids. Bids (which were rejected by the author) ranged from $50 USD to 400 Euros. In the end the author sold the entire source code package to a private party who wished to remain anonymous for an undisclosed amount. As part of the author’s campaign for a purchaser, he engaged in competitive marketing initiatives specifically targeting the ZeuS Botnet and community. A key selling point made by the author was that, unlike ZeuS, he was selling the entire source code package, not simply binaries, thus enabling the buyer to establish their footprint in the Botnet world in any number of ways, all of which were at the command of the new owner. Additionally, the author demonstrated the ability of the code to bypass detection by some 22 Anti-Malware engines.
Up On Olympus:
ZeuS is another wonderful example of this. Currently, active orders are being solicited for 1.4.x.x of ZeuS with prices ranging from $4000 USD to $8000 USD depending on which modules are desired for specific functionality. ZeuS is an interesting case in that older versions of the Botnet are easily had in the wild and can be used effectively though newer, more easily obfuscated versions of the code are available. ZeuS is in extremely high demand, selling on a pre-order basis. A testimony to its popularity and continued success for its authors, sellers and suppliers is its continued effectiveness in bypassing detection and delivering extremely high success rates in compromising hosts, impregnating them with malicious code & content packages with the end game being the establishment of participation within the greater command & control fabric. These examples are certainly not representative of all examples of activity within the underground however they provide a clear and concise view of just how supply and demand are working on a routine basis.
We are tied to our worlds, tethered if you will, in many respects by our mobile devices. Our Apple iPhones and RIM Blackberries among others, aid us in keeping up with our professional and personal lives. They provide us a near real time (and in some cases real time depending on the platform and connectivity), window to the world. Information is available as quickly as electric signals are converted to light and back again over terrestrial and non-terrestrial infrastructure. It’s an amazing time to be alive. But for every convenience there is a price to pay. Isn’t that always the case? As the old saying goes there is no such thing as a free lunch and technological advancement is no different in that respect. We pay a price for convenience. We sacrifice aspects of humanity for expedience. We trade willingly many of those commonalities which all mankind shares in order to ensure we can check our email, reply to a twitter posting, conduct online financial transactions, post a photo on facebook or find a movie online.
There is nothing intrinsically wrong with this. In fact, it is quite normal to see some elements of human life become retired as technological advancement occurs. Take for example the written word. Writing letters in centuries past was an art form. Manipulation of language and style enabled individuals and groups to establish identities; voices via pen and paper. With the advent of the telegraph, then the telephone, then data communications etc. the medium and styles seen changed to meet the times. To meet the needs; the urgency of communication and coupled with the ability to provide near real time responses to questions or statements.
In late November I wrote a piece that discussed exploitation of jailbroken iPhones and the introduction of worms to the world of Apple handhelds. As a RIM Blackberry user, I took a certain amount of pride in this as I secretly coveted the coolness of the iPhone; then yet another mobile vulnerability was announced, only this time it was for the RIM Blackberry platform. This is not the first time malware for RIM platforms has been developed or identified. Back in 2006, Jesse D’Aguanno, director of professional services and research with Praetorian Global LLC, wrote and released what many of us believe was the first Trojan for the RIM platform. At the time, RIM stated that the exploitation was dependent upon whether or not the Blackberry Enterprise Server Administrator enabled the IT policy settings for mitigating such threats. However, this is not where the story ends. On December 1, 2009 RIM released a security advisory that addressed multiple vulnerabilities in the PDF distiller of some released versions of the BlackBerry Attachment Service. Within the advisory RIM stated that the following versions of BlackBerry Enterprise Server running on the following Microsoft Windows platforms were affected:
- BlackBerry Enterprise Server 5.0.0 running on Microsoft Windows version 2003 or 2008
- BlackBerry Enterprise Server 5.0.0 running on Microsoft Windows 2000
- BlackBerry Enterprise Server software versions 4.1.3 through 4.1.7, and BlackBerry Professional Software 4.1.4.
By convincing a user to view a specially crafted PDF file, an attacker might be able to execute arbitrary code or cause a denial-of-service condition on the system that hosts the BlackBerry Attachment Service. This of course is not the first, nor will it be the last, time we hear and see advisories such as these for mobile device platforms (I suspect that Palm’s webOS will be the next victim just as Google’s Android has been). For better than 90% of those who use these devices, what we are discussing will not resonate in the same way as it would with security researchers and analysts. For that percentage of the populace these devices are merely extensions of themselves; windows to the world, as mentioned earlier, which allow them to access and be accessed. That access of course runs deep and wide through their lives and sees their worlds become more risk inclined than not.
But are we so different from the 90%? Don’t we use these devices in similar fashion? Certainly we look at the technology differently than most do, as our business is the business of security and as a result we are naturally or artificially disposed to being suspicious of that which we do not know intimately or understand. As a result, you and I might conduct analysis on a device prior to using it, or examine in an isolated lab environment a sample of malicious code using debuggers and other tools & techniques to assess the behavior, payload and net effect of said code on a system or platform. However, while corporations find themselves enabled and ready to deal with the introduction of malicious code and content, who is taking first watch in defense of those who use these devices independent of a corporate IT security program?
The Rosie Scale and Stopping Stupid
Ok, girls and boys, gather round the campfire, because it’s story time here at Camp Cassandra. A long time ago, and in an office building far far away, I worked in the I.T. department at the corporate headquarters of a large telecommunications company. I liked my job, and the people I worked with were, generally speaking, pretty easy to deal with. There was, however, one person whose name struck fear into the hearts of everyone on not only my team, but my entire department. This person wasn’t feared because she occupied a position of great authority, or had corporate political clout, or social connections. This person was feared by my colleagues in the I.T. Department for one reason and one reason alone: she might have been the dumbest person to ever sit down in front of a keyboard, and her name was Rosie. The people in my department knew that when Rosie called, it was more likely than not to consume the better part of a day. A visit to Rosie’s desk became a hazing event, in fact – the desktop support people reveled in sending new techs, oblivious to Rosie’s reputation, just to see the look of horror on their faces when they got back into the bullpen where we all sat.
This is not to say that Rosie was bad at her job – she was certainly competent at whatever it was that she was there to do, or they wouldn’t have kept her around. She also wasn’t a rude or unpleasant person to deal with – quite the contrary, in fact. She was actually quite a smart and witty person, but put her in front of a computer and her IQ would drop by an order of magnitude. Rosie had the tragic touch – she could cause a blue screen of death by walking PAST a computer. She once single-handedly took down the entire company’s network of email servers for an afternoon, in a single act of “wow, I didn’t know that would happen.” (if you’re curious about how she accomplished this, she did it by sending an email containing a 200MB attachment addressed to all 90,000 people in the company, and inadvertently exposed a serious flaw in the message size limit mechanism built into Microsoft Exchange 5.5 in the process.) Rosie could break a computer like no one else I’ve seen before or since. She’d have made a great QA engineer, if she could only tell anyone with any degree of specificity what the heck it was that she was doing when her computer went up in a mushroom cloud. Training Rosie on how to properly use her machine was a pointless exercise – it was like trying to fill a bucket that had a hole in the bottom. Rosie could make an abacus crash. She might have been the reason Microsoft invented Bob. The term “stupefyingly stupid” seems redundant, but it’s really not all that far off the mark. We’re talking weapons-grade stupidity here.
One night, after many beers and while swapping war stories at happy hour, a few of us decided to come up with a (admittedly imprecise) metric of end-user technology ability, which became known as The Rosie Scale. It’s been a few years, but from the best I can recall, the Rosie Scale looked something like this:
0 – Alan Turing
1 – Tim Berners-Lee, Dennis Ritchie, Steve Wozniak, Grace Hopper
2 – Linus Torvalds, Larry Wall
3 – Sysadmins, clueful developers, QA folks and support people
4 – Your average MCSE bootcamp graduate
5 – Your average corporate end user
6 – Your average AOL user (hey, it was the late 90s)
7 – Algae
8 – bellybutton fluff
9 – a bag of hammers, a box of rocks
10 – Rosie
Now, the sad thing is that Rosie is by no stretch of the imagination a unique individual. In fact, I’m willing to bet that among those reading this who’ve done end-user facing support for any length of time, a fair percentage have already given themselves whiplash from nodding in acknowledgement. We’ve all known our own Rosie, and we’ve got the emotional scars to prove it.
And this brings me to the moral of this little story. I came across this article earlier tonight and thought it worth a mention. This article discusses something that’s fairly well-established among I.T. Security professionals: that the biggest threat to the enterprise isn’t from the outside – it’s from the inside. Typically, the threat is from insiders who are not only acting without malice, but more than likely acting without the knowledge of why what they’ve done was bad in the first place. A colleague of mine once told me that he thought that 90% of IT security with regard to the endpoint was “stopping stupid,” and I couldn’t possibly agree more. Think about it: most endpoint-based malware prevalent in the wild these days relies, at least in part, on social engineering; taking advantage of the end user’s trust or lack of sophistication. In fact, DLP, which has almost overnight become an endpoint must-have, is almost ALL “stopping stupid” – again protecting the end user from doing something dumb, like copying data including orders for troop movements to an unencrypted USB stick and then losing it in a nightclub in Cornwall, like this guy did. This person wasn’t acting with malice, and didn’t intend to compromise the data with which he was entrusted. He was being stupid, and worse yet didn’t know how stupid, and got caught out for it – but only because the person who found the USB stick turned it over to a newspaper rather than to the UK Ministry of Defence.
And this brings me back to my old friend Rosie. For the IT people out there, I want you to close your eyes, and think about your Rosie, the least-sophisticated, error-prone, “oh I wasn’t supposed to click on that attachment?” user you have. When viewed in the light of “stopping stupid”, this is the person you have to worry about the most.
I’ve noticed something recently: that we, as an industry, talk a good game when it comes to internal threats (the above-linked article being an example of that) but it still seems that we have a bit of a blind spot when it comes to providing actual protection, focusing more on direct attacks from external sources. As much as we worry about Eastern European or Asian organized crime gangs, or foreign government spies, or some kid sitting in their basement with too much time on his hands, anti-social tendencies, and a full bottle of Ritalin, the real threat is sitting in your office right now. The well-meaning but clueless person in your company who just doesn’t understand the consequences of what they are doing (in other words, your Rosie) is a bigger threat than all of those people combined, because they’re the ones holding the door open for the guys who are acting with malice.
And, your Rosie is the only thing standing between you and your organization’s next outbreak or data breach. If that doesn’t scare the pants off you, you’re in the wrong business.
For years the debate has raged on regarding the validity of signature based solutions — regardless of where they lie within an enterprise environment’s ecosystem — versus those of a signatureless order. Questions around the effectiveness of the signatures, the time to market, and the ongoing resource consumption concerns all have been and will likely continue to rage on. Can signature based solutions, regardless of how automated they become, truly provide enough value to warrant continued spend given the nature of the threats we face today, or has their day come and gone? Are we holding onto them, thereby forcing their relevance, in order to satisfy audit control requirements such as those presented by the PCI DSS? In a time when malicious code and content is more intelligently, and voluminously, developed than ever before — endowed with various means by which to detect, identify and bypass mitigation technologies — one must ask whether or not we as an industry are tilting at windmills with ineffective solutions, hoping for victory.
Now, to be clear, I want to get something straight right out of the gate: I am not saying there is no need for signature based technologies at all within our enterprises or homes. What I’m suggesting here is that the role in which they have been traditionally positioned by vendors, service providers and others has, for several years in my opinion, warranted preemptive solutions rather than reactive ones. Our world and its demands have changed. It’s that simple. Due to this change, we need to espouse and endorse a more mature form of thought; one which takes into consideration the threats we face, the likelihood of these threats to achieve (successfully) the exploitation of identified vulnerabilities and the subsequent risk this perfect storm of circumstance represents. We need to ask ourselves, our peers and our industry to reconsider its position on these ideas while at the same time achieving a state which allows us to repurpose these signature based solutions where they can do the most good within our environments. 
You wouldn’t utilize a 22 year old engine to compete against modern, more ergonomically designed and better optimized-for-purpose engines in an automobile race, would you? Similarly, you wouldn’t ask fighter pilots to engage modern jet aircraft in P-51 Mustangs either. So why would you task your staff, your peers, and yourself with combating emerging, evolving threats with tools which are dependent upon prior knowledge of a threat (e.g. a “patient zero”), as opposed to retooling yourselves and your environments? The technology is there; it has been for some time. Could it be improved? Well, nothing is perfect; however, even in its imperfection it has been my experience that modern signatureless solutions as first line of defense solutions are more effective than their signature based counterparts.
I would be remiss if I did not mention the role of the backdoor within the context of this discussion. Backdoors are well known within the information security world. They come in a variety of flavors; however, they can be traditionally categorized as either symmetric or asymmetric (today their study is commonly referred to as cryptovirology). Adam Young and Moti Yung spoke about this back in 1996, defining the terminology and use cases. Backdoors are used (in authorized or unauthorized manners) largely for bypassing normal or traditional authentication mechanisms. The reality is that they are used to gain remote access to these systems with the endgame being access to plain-text data in some form of privilege-escalated state, all while remaining, or attempting to remain, undetected by administrators.
Backdoors can be independent applications or programs. They can also be the result of a modification made to an existing application, program or even hardware device (e.g. BIOS backdoor passwords etc.). The possibilities are quite broad; limited only by the imagination of the designer and the weaknesses, flaws and vulnerabilities identified in the design of the target application, program or device in question. Examples of this type of activity are abundant. In November of 2003 just such a threat was identified and addressed in the Linux kernel. A two-line addition to a development copy of the source code, made to look like a harmless error-checking feature, was identified. At first glance, it appeared to be quite harmless; benign in both function and intent. Why such a serious matter then? The answer stems from what the code was truly architected to do: if it identified an invalid combination of flag pairings, it would grant the process root privileges, turning the seemingly innocuous wait4() into a backdoor allowing for complete control of any machine found susceptible to it.
Many other such examples of this type of threat can be seen historically, some associated with worms such as MyDoom, for example, and others manifesting as cleverly marketed DRM-styled protection mechanisms such as the SONY/BMG rootkit I discussed in my last post. It’s important to bear in mind that all of them play a role in today’s threat landscape and have not gone the way of the dinosaur as some researchers and vendors would have you believe. Their uses and application are limited only by the intent and imaginations of those wielding them. Their role in the rise of Advanced Persistent Threats and Designer Malware is irrefutable and must not be dismissed as an idea held over from the antiquity of computing.
Yesterday I wrote a quick blog entry regarding new trends associated with Trojans, particularly those involving 'Command and Control' functionality. It is something that I will be expanding upon in detail in a later post. Today, however, I wanted to discuss another of my favorite malware related topics, one which I enjoy conducting analysis on in detail (within the safety and sanctity of my environment), and that is the realm of the root kit. As we have discussed previously, there are scores of ways in which malware (any malware, not root kits or Trojans in particular) can be introduced into an environment. Some are more effective than others, and yet in this brave new world of high-speed broadband connectivity to homes throughout the land (not to mention the world), one must conclude that the likelihood or probability of introduction, compromise and infection has grown (and likely will continue to do so) in an exponential manner. Still, one of the most effective threat vectors lies with the human factor, as discussed in yesterday's post. In order to avoid beating a dead horse I will simply say this: much (not all, but much) can be avoided if end users (whether they are 'corporate' end users or 'private' citizens such as my mom) are properly and thoroughly educated with respect to the dangers associated with malware such as root kits.
This education and awareness needs to be ongoing and should never fall by the wayside; it should be at the forefront given the continued popularity and adoption of advanced technologies. OK, back to root kits: root kits are not new (sound familiar?); in fact, they are quite mature and some might even say "old school".
For argument's sake, let's suppose you do not know what defines a root kit. Quite simply, root kits are software systems which often contain one or more programs used in order to prevent anyone (end users, administrators etc.) from discovering that a system has been compromised. They come in a variety of forms including:
- Hardware/Firmware
- Hypervisor level
- Kernel level
- Library level
- Application level
They do not necessarily grant a user administrative permissions or privileges; however, they are oftentimes leveraged by attackers to replace system files (e.g. executables etc.) which may then be used to hide processes and files the attacker has installed, in addition to obfuscating the presence of the root kit itself (this is most often accomplished via subversion or evasion of traditional OS security and monitoring mechanisms such as anti-virus and/or anti-spyware technologies). In effect, their mission is simple: compromise the host and subsequently seize control of the operating system.
In many cases, they are Trojans as well and, just as we discussed yesterday, they attempt to convey a sense of benignity and usefulness to the user in order to convince the user in question that they are safe to execute on their system. Additionally, many root kits implement backdoors into the systems they have compromised by corrupting or replacing the legitimate login mechanism (e.g. /bin/login) with one designed by the attacker. No one is entirely certain of their origin; however, there are some who feel it is reasonable to believe they were originally designed to perform functions similar to those provided by utilities such as VNC for remote command and control of an unresponsive or failing machine. Whatever the case with respect to their origins, their use and popularity continue to grow, manifesting in some of the most unlikely places. In the last three years, for example, we have seen some rather profound instances of use (at least those which have been publicly reported after having been disclosed) and proliferation of root kits.
Take for example the Sony Root Kit. In 2005, Sony began distributing their XCP (Extended Copy Protection) software in some of their products. In effect, XCP was a digital rights management program which employed techniques (e.g. cloaking) normally associated with malicious root kit developers, and which was itself a security risk. As a result, in addition to a loss of face, credibility and some branding, Sony was forced to recall millions of CDs. What makes this case unique is that Sony knowingly distributed XCP to their customer base and in effect acted in the same manner as those who traditionally operate for malicious ends. The net effect was a public relations disaster for Sony, which has yet to fade in the minds of the information security community, much less the world at large.
2008 saw two interesting examples of root kit activity, the first being the Pandex Trojan. The Pandex Trojan was interesting in that it would identify the presence of a root kit, remove the incumbent's hooks into system calls and subsequently stop the first root kit. Upon stopping the incumbent, Pandex would install its own root kit. Similar 'turf' wars had been seen during the heyday of worms, but this was unique amongst root kits. Sebastian Muniz, a security researcher with Core Security Technologies, developed the next example of interest, which caught my eye. Muniz developed a root kit for Cisco IOS, which he debuted at EUSecWest in London. Muniz's root kit work increased the scrutiny already directed at routers since Mike Lynn's presentation in 2005. Muniz's root kit (which runs in the router's flash memory, which contains the first IOS commands used for system boot), though reliant upon an alternate means of introduction to the host in question, would, once present, allow for obfuscated monitoring and command & control of the device. The impact of such an event occurring on a massive scale is simply staggering.
This year in March, we saw the SMM (System Management Mode) root kit (which uses an Intel CPU caching vulnerability) identified by Joanna Rutkowska and Loic Duflot. The attack in question allows the root kit to hide in the SMM space and subsequently secure control of the system in question. The second example was that which was discovered by Alfredo Ortega and Anibal Sacco from Core Security Technologies. They identified what proved to be a dangerous, pre-installed root kit (Computrace LoJack for Laptops, estimated to be present on 60 percent of all new laptops) that resides in the BIOS and periodically calls home to a central authority for instructions. This call-home functionality allows the central authority to wipe the system in the event the device is stolen or it is unable to track the location of the device in question. What makes this truly dangerous is the potential for exploitation of the call-home process. Should a hacker compromise this function, he or she has access to a great deal of information. One might ask how it is possible that an authorized and an unauthorized party might both be able to leverage that mechanism; according to the authors, it was due to the technology's dependency on a configuration method that contains the IP address, port and URL all hard-coded in the OPTION-ROM...where is my Excedrin.
As you can see these are just a few examples of what root kits are and how they are leveraged. This topic truly warrants a greater degree of time and perhaps one day soon, I will have the time to write something a bit more formal, but in the meantime bear in mind their presence and the dangers associated with them. They were once thought to be out of style yet clearly the evidence suggests otherwise.
In an earlier post, I introduced the concept of "Advanced Persistent Threats" & "Designer Malware" at a very high level, the '101' if you will. You may recall my reference to the article which Business Week ran in 2008 which addressed, briefly, the concept of Advanced Persistent Threats (APTs). No one knows for certain the true reach of such threats, but it can safely be assumed, based on both historical and current information, that instances of such threats continue to grow, with many going unreported to authorities or information security professionals for fear of the consequences associated with having been found first vulnerable and second compromised. Though there are many means by which a given threat might be introduced into an organization, some work better than others. Some of the most successful, in fact, still rely upon the most obvious and oldest of all threat vectors: human nature. Human nature is a wondrous thing; complex, multi-faceted, representative of all that we are, good and bad. It aids in defining us; however, it is not what defines us.
In June of 2006, Mike Bond and George Danezis of the University of Cambridge Computer Laboratory released a paper which posed an interesting question regarding the role which human nature plays with respect to exploitation and compromise of both systems and people. In fact, in their abstract Bond and Danezis stated the following: "We study malware propagation strategies which exploit not the incompetence or naivety of users, but instead their own greed, malice and short-sightedness. We demonstrate that interactive propagation strategies, for example bribery and blackmail of computer users, are effective mechanisms for malware to survive and entrench, and present an example employing these techniques. We argue that in terms of propagation, there exists a continuum between legitimate applications and pure malware, rather than a quantised scale." I loved this paper from the first time I read it and have had conversations with its authors regarding their views. I highly recommend it to anyone in our field, as its relevance is as indisputable as its timeliness.
It is key to recognize and emphasize the importance of malware propagation strategies being diverse. The vehicle for delivery can take many forms and require that many variables be present and available. Attempting to compromise both systems and personnel requires that a discretionary mode of thought be employed in order to choose the most simplistic yet effective means for accomplishing the goal. In short, adherence to the principle identified and immortalized by William of Ockham, "entia non sunt multiplicanda praeter necessitatem" ("when you have two competing theories that make exactly the same predictions, the simpler one is the better"), also known as Occam's Razor.
With respect to Advanced Persistent Threats, I'd like to focus the remainder of this entry on the reinvention of the Trojan. I am going to focus on Trojans today as, of late, I've been dealing a lot with them and find the evolution revolution taking place with respect to them quite interesting. Like all malicious programs, Trojans rely upon obfuscation in order to avoid being identified, detected, shut down and/or removed by a user or administrator. This reliance upon obfuscation is paramount to the successful introduction and installation of Trojans, as they typically attempt to convey a sense of benignity and/or usefulness to the user or environment they are being targeted toward, or via the application or mechanism being used for this purpose. Oftentimes this pseudo-benignity creates a false sense of security in the target and ideally finds the target susceptible and willing to install the Trojan without knowing exactly or truly what it does.
Many factors influence the manner in which the payload will operate, to what degree and on what schedule, but ultimately the goal is to infiltrate, install and subsequently deliver the payload (again, as defined by the author) within the host environment. Trojans themselves fall into the category of malware which lacks the native capability to self-propagate (a la viruses) or replicate (a la worms), which requires them to leverage an alternate mechanism for distribution. As mentioned above, the path of least resistance is often the best, and depending on who and what is identified as the target of opportunity, the choice of distribution method may vary, with the net effect being the same. Popular means of distribution involve exploitation of vulnerable systems via direct targeting, randomized exploitation via malicious websites and domains (a la 'drive by infections'), peer-to-peer file sharing and/or the ever popular 'sneaker net' via compromised USB.
As of late, it's become more and more popular amongst malware authors in the underground to implement command and control mechanisms within Trojans, enabling greater degrees of administrative response in addition to creating an environment which responds bidirectionally to the botmaster in question. Clampi, Monkif, the Grups Trojan and the URLZone Trojan are great examples of this. It is important to note that the rate of change being observed is great and that the subsequent re-engineering of malware samples of this type is more common. Changes such as these imply that the traditional use cases for such malware (though still applicable) are in fact also shifting. As a result, there is a need for greater degrees of awareness, beginning with solidly architected security programs and education/awareness campaigns, employed and coupled with both technical and procedural controls.
In my next post we’ll discuss the rampant growth and resurgence of rootkits and backdoors as they pertain to APTs and Designer malware and what potential impact they are having today and may have in the future.
Perimeter? What perimeter?
This came across my feed reader this morning, and I thought it was interesting. It’s yet another example of how the traditional notion of “the perimeter” doesn’t really exist any more. In this case, attackers were able to infect machines at a few small credit unions, simply by sending CDs in the mail that appeared to be from the National Credit Union Association. All the “traditional” infection vectors go out the window here: These machines weren’t infected by an email payload, or from a malicious website, or from a software or operating system vulnerability. All the network protection in the world wouldn’t have helped here, because NOTHING went over the network prior to infection. In fact, this is a really “old-school” way of disseminating malware – it’s the 21st century equivalent of a virus being passed around on an infected floppy.
So, what might have helped?
First and foremost, well-managed and well-monitored antimalware with a good, solid signatureless detection engine, running on each and every endpoint. To quote my friend and colleague Josh Corman, trying to write a signature for a targeted attack like this is like giving a vaccine to a corpse – by the time the signature is written and deployed, the damage is long since done.
Secondly, user education and training might have also helped here, to a degree. The users who blindly ran the infected CDs were gullible, plain and simple. A user with a well-tuned B.S. detector is your best defense against social engineering attacks like this one.
Third: desktop lockdown. 90% of corporate PC users have no job-related need whatsoever for their CD drive, so WHY do they have CDs available for use? There are plenty of enterprise-manageable software tools available to disable removable storage; use them.
The credit unions that got hit with this were NOT sitting ducks, and you don’t have to be either. You CAN defend yourself against social engineering – you just need to be proactive about it.