This article has been making the rounds around the IT/Security blog world, and I couldn’t help but weigh in and comment on it. The story being passed around is a scary one: An employee of the Massachusetts state government was found to have a fairly large quantity of child pornography in the browser cache of his state-issued laptop. He was, of course, arrested and charged with possession of child porn. During the course of mounting his defense against these charges, it was found that his machine had some form of malware that was “programmed to visit as many as 40 child porn sites per minute,” a clearly impossible task for a human who actually wants to see what’s on those sites. It became clear to all involved that the pornographic images found were very unlikely to have been put there by him, and the charges were dropped. All’s well that ends well, right? Wrong.

The first problem here is that this opens Pandora’s box a crack, as it tends to raise the standard of proof for the conviction of real offenders. In fact, prosecutors are already calling this the “SODDI” (Some Other Dude Did It) defense. Their skepticism is probably warranted here: every real offender will point to this case and try to make the government (who has the burden of proof, at least in a United States court) prove that a virus wasn’t the reason illegal child pornography was on a particular machine.

There’s another problem here, though. This opens up a whole new world for profit-motivated malware authors. It’s actually a play on the old ransomware attack: traditionally, ransomware works on a “we’ve encrypted your files. Pay up or you’ll never see them again” basis. One problem in the business model for ransomware authors is that some people back up their machines (really!), and others simply won’t care about the data that is being held hostage. You can’t get someone to pay when they can simply respond “Screw you, I’ll just restore from backup”. The new twist on this is that, at least in concept, a ransomware author, instead of holding files hostage, can hold a person’s entire life hostage by planting a piece of malware of this type on someone’s machine and then threatening to expose that person.

Take for example the case of the person in the article. In this case this guy lost his job, his reputation, many of his friends, close to 250,000 dollars spent on his defense – and you can’t restore that from backup.  Crimes involving the sexual exploitation of children are (justifiably) considered to be among the most grave transgressions against not only individual children, but society as a whole, and people who commit these crimes have richly earned society’s reproach.  One unfortunate side-effect of that, however, is the fact that the mere accusation, even a false one, of a crime of that magnitude is enough to irrevocably harm one’s reputation.  If the profit-motivated malware gangs hadn’t already figured this one out, they certainly have now, and I’d be willing to bet that we’re going to see at least sporadic attacks of this type (attacks against the reputation of an individual) in the very near future.

I would be remiss if I did not mention the role of the backdoor within the context of this discussion. Backdoors are well known within the information security world. They come in a variety of flavors, but can traditionally be categorized as either symmetric or asymmetric (today their study is commonly referred to as cryptovirology). Adam Young and Moti Yung spoke about this back in 1996, defining the terminology and use cases. Backdoors are used (in authorized or unauthorized manners) largely for bypassing normal or traditional authentication mechanisms. The reality is that they are used to gain secure remote access to these systems, with the endgame being access to plain-text data in some form of privilege-escalated state, all while remaining (or attempting to remain) undetected by administrators.

Backdoors can be independent applications or programs. They can also be the result of a modification made to an existing application, program or even hardware device (e.g. BIOS backdoor passwords). The possibilities are quite broad, limited only by the imagination of the designer and the weaknesses, flaws and vulnerabilities identified in the design of the target application, program or device. Examples of this type of activity are abundant. In November of 2003 just such a threat was identified and addressed in the Linux kernel. A two-line addition to a development copy of the source code, made to look like a harmless error-checking feature, was identified. At first glance, it appeared to be quite harmless; benign in both function and intent. Why such a serious matter then? The answer stems from what the code was truly architected to do: if it identified an invalid combination of flag pairings, it would grant the calling process root privileges, turning the seemingly innocuous wait4() into a backdoor allowing complete control of any machine found susceptible to it.
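The wait4() incident above turns on a single character: an assignment where a comparison belongs, tucked inside a condition that is otherwise shaped like an error check. As an added example (not code from the original post), here is a small review check in Python that scans C source for a lone `=` inside an `if`/`while` condition. The sample input is constructed for this example; its third line is modelled on the widely reported shape of the 2003 change, and the surrounding identifiers (`sys_wait4`, `current->uid`, `next_task`, the flag names) are used only as illustrative context.

```python
import re

# Constructed sample input: a few lines of C in the style of a kernel source
# file.  Line 3 is modelled on the widely reported shape of the 2003 wait4()
# backdoor attempt; everything else is filler written for this example.
SAMPLE_C = """\
int sys_wait4(pid_t pid, int *stat_addr, int options, struct rusage *ru)
{
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    if (options & ~(WNOHANG|WUNTRACED|__WNOTHREAD|__WCLONE|__WALL))
        return -EINVAL;
    while (count <= limit)
        count++;
    if ((p = next_task(p)) != NULL)
        continue;
}
"""

# A single '=' that is not part of '==', '!=', '<=' or '>='.
LONE_ASSIGNMENT = re.compile(r"(?<![=!<>])=(?!=)")


def extract_conditions(line):
    """Return the text inside the parentheses of every if/while on one line."""
    conditions = []
    for match in re.finditer(r"\b(if|while)\s*\(", line):
        depth, start = 1, match.end()
        i = start
        while i < len(line) and depth:
            if line[i] == "(":
                depth += 1
            elif line[i] == ")":
                depth -= 1
            i += 1
        if depth == 0:  # matching parenthesis found on this line
            conditions.append(line[start:i - 1])
    return conditions


def find_assignment_in_condition(source):
    """Return (line_number, condition) pairs whose condition has a lone '='."""
    hits = []
    for number, line in enumerate(source.splitlines(), 1):
        for condition in extract_conditions(line):
            if LONE_ASSIGNMENT.search(condition):
                hits.append((number, condition.strip()))
    return hits


if __name__ == "__main__":
    for number, condition in find_assignment_in_condition(SAMPLE_C):
        print(f"line {number}: assignment inside condition: {condition}")
```

The check deliberately flags the intentional `(p = next_task(p)) != NULL` idiom as well; the reviewer, not the script, decides which hits are legitimate, and a hit that silently zeroes a uid deserves a very different look from one that walks a list. GCC’s `-Wparentheses` warning points at the same pattern, but only when the assignment is not already wrapped in its own parentheses, which is exactly how the 2003 change was written, so a source-level check such as this one is a useful second line. Conditions split across lines are not handled here.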

Many other examples of this type of threat can be seen historically, some associated with worms such as MyDoom, and others manifesting as cleverly marketed DRM-styled protection mechanisms such as the SONY/BMG Rootkit I discussed in my last post. It’s important to bear in mind that all of them play a role in today’s threat landscape and have not gone the way of the dinosaur, as some researchers and vendors would have you believe. Their uses and applications are limited only by the intent and imaginations of those wielding them. Their role in the rise of Advanced Persistent Threats and Designer Malware is irrefutable and must not be dismissed as an idea held over from the antiquity of computing.

Yesterday I wrote a quick blog entry regarding new trends associated with Trojans, particularly those involving ‘Command and Control’ functionality. It is something that I will be expanding upon in detail in a later post. Today, however, I wanted to discuss another of my favorite malware-related topics, one which I enjoy analyzing in detail (within the safety and sanctity of my environment), and that is the realm of the root kit. As we have discussed previously, there are scores of ways in which malware (any malware, not root kits or Trojans in particular) can be introduced into an environment. Some are more effective than others, and yet in this brave new world of high-speed broadband connectivity to homes throughout the land (not to mention the world), one must conclude that the likelihood of introduction, compromise and infection has grown (and likely will continue to do so) in an exponential manner. Still, one of the most effective threat vectors remains the human factor, as discussed in yesterday’s post. In order to avoid beating a dead horse I will simply say this: much (not all, but much) can be avoided if end users (whether they are ‘corporate’ end users or ‘private’ citizens such as my mom) are properly and thoroughly educated with respect to the dangers associated with malware such as root kits.

This education and awareness needs to be ongoing and should never fall by the wayside; it should be at the forefront given the continued popularity and adoption of advanced technologies. OK, back to root kits. Root kits are not new (sound familiar?); in fact, they are quite mature, and some might even say “old school”.

For argument’s sake, let’s suppose you do not know what defines a root kit. Quite simply, root kits are software systems which often contain one or more programs used in order to prevent anyone (end users, administrators etc.) from discovering that a system has been compromised. They come in a variety of forms including:

They do not necessarily grant a user administrative permissions or privileges; however, they are oftentimes leveraged by attackers to replace system files (e.g. executables), which may then be used to hide processes and files the attacker has installed, in addition to obfuscating the presence of the root kit itself (this is most often accomplished via subversion or evasion of traditional OS security and monitoring mechanisms such as Anti-virus and / or Anti-Spyware technologies). In effect, their mission is simple: compromise the host and subsequently seize control of the operating system.

In many cases they are Trojans as well, and just as we discussed yesterday, they attempt to convey a sense of benignity and usefulness to the user in order to convince the user in question that they are safe to execute on their system. Additionally, many root kits implement backdoors into the systems they have compromised by corrupting or replacing the legitimate login mechanism (e.g. /bin/login) with one designed by the attacker. No one is entirely certain of their origin; however, some feel it is reasonable to believe they were originally designed to perform functions similar to those provided by utilities such as VNC, for remote command and control of an unresponsive or failing machine. Whatever the case with respect to their origins, their use and popularity continue to grow, manifesting in some of the most unlikely places. In the last three years, for example, we have seen some rather profound instances of use (at least those which have been publicly reported after having been disclosed) and proliferation of root kits.
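A replaced system binary such as /bin/login, or a file dropped alongside it, is detectable as long as you hold a trustworthy record of what the file system looked like before. As an added example (not the post’s own code, nor that of any particular tool), the Python below builds a SHA-256 baseline of a directory tree and later reports files that were modified, added or removed. The fake system tree, the stand-in ‘binaries’ and the tampering are all constructed inside a temporary directory so the block runs offline; paths such as `bin/login` and `lib/.hidden.so` are illustrative.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink target is hashed under its own path
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    """Helper for the constructed scenario: create rel under root with data."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed scenario: baseline a fake system tree, then simulate the
    login replacement and hidden-file drop described above."""
    with tempfile.TemporaryDirectory() as root:
        # Stand-ins for real binaries and files; the bytes are made up.
        _write(root, "bin/login", b"\x7fELF original login\n")
        _write(root, "bin/ls", b"\x7fELF original ls\n")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "var/log/auth.log", b"login: session opened for root\n")
        baseline = build_baseline(root)

        # Tampering: trojaned login, a dropped hidden library, an erased log.
        _write(root, "bin/login", b"\x7fELF trojaned login\n")
        _write(root, "lib/.hidden.so", b"\x7fELF hook library\n")
        os.remove(os.path.join(root, "var", "log", "auth.log"))
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A baseline is only as trustworthy as the system that stores and reads it: a root kit that hooks the file-reading path can hand the original bytes to the checker while the replaced binary is what actually executes. That is why the manifest belongs on read-only or offline media, and why the comparison is best run from a trusted boot environment rather than from the possibly compromised host itself.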

Take for example the Sony Root Kit. In 2005, Sony began distributing their XCP (Extended Copy Protection) software in some of their products. In effect, XCP was a digital rights management program which employed techniques (e.g. cloaking) normally associated with malicious root kit developers, and which was a security risk. As a result, in addition to a loss of face, credibility and some branding, Sony was forced to recall millions of CDs. What makes this case unique is that Sony knowingly distributed XCP to their customer base and in effect acted in the same manner as those who traditionally operate for malicious ends. The net effect was a public relations disaster for Sony, which has yet to fade in the minds of the information security community, much less the world at large.

2008 saw two interesting examples of root kit activity, the first being the Pandex Trojan. The Pandex Trojan was interesting in that it would identify the presence of a root kit, remove the incumbent’s hooks into system calls and subsequently stop the first root kit. Upon stopping the incumbent, Pandex would install its own root kit. Similar ‘turf’ wars had been seen during the heyday of worms, but this was unique amongst root kits. Sebastian Muniz, a security researcher with Core Security Technologies, developed the next example of interest, which caught my eye. Muniz developed a root kit for Cisco IOS, which he debuted at EUSecWest in London. Muniz’s root kit work increased the scrutiny already directed at routers since Mike Lynn’s presentation in 2005. Muniz’s root kit (which runs in the router’s flash memory, which contains the first IOS commands used for system boot), though reliant upon an alternate means of introduction to the host in question, would, once present, allow for obfuscated monitoring and command & control of the device. The impact of such an event occurring on a massive scale is simply staggering.

This year in March, we saw the SMM (System Management Mode) root kit (which uses an Intel CPU caching vulnerability) identified by Joanna Rutkowska and Loic Duflot. The attack in question allows the root kit to hide in the SMM space and subsequently secure control of the system in question. The second example was discovered by Alfredo Ortega and Anibal Sacco of Core Security Technologies. They identified what proved to be a dangerous pre-installed root kit (Computrace LoJack for Laptops — which was estimated to be present on 60 percent of all new laptops) that resides in the BIOS and periodically calls home to a central authority for instructions. This call-home functionality allows the central authority to wipe the system in the event the device is stolen or it is unable to track the location of the device in question. What makes this truly dangerous is the potential for exploitation of the call-home process. Should a hacker compromise this function, he or she has access to a great deal of information. One might ask how it is possible that an authorized and an unauthorized party might both be able to leverage that mechanism; according to the authors, it was due to the technology’s dependency on a configuration method that contains the IP address, port and URL all hard-coded in the OPTION-ROM… where is my Excedrin.

As you can see, these are just a few examples of what root kits are and how they are leveraged. This topic truly warrants a greater degree of time, and perhaps one day soon I will have the time to write something a bit more formal, but in the meantime bear in mind their presence and the dangers associated with them. They were once thought to be out of style, yet clearly the evidence suggests otherwise.

In an earlier post, I introduced the concept of “Advanced Persistent Threats” & “Designer Malware” at a very high level, the ‘101’ if you will. You may recall my reference to the article which Business Week ran in 2008 which addressed, briefly, the concept of Advanced Persistent Threats (APTs). No one knows for certain the true reach of such threats, but it can safely be assumed, based on both historical and current information, that instances of such threats continue to grow, with many going unreported to authorities or information security professionals for fear of the consequences associated with having been found first vulnerable and second compromised. Though there are many means by which a given threat might be introduced into an organization, some work better than others. Some of the most successful, in fact, still rely upon the most obvious and oldest of all threat vectors: human nature. Human nature is a wondrous thing; complex, multi-faceted, representative of all that we are, good and bad. It aids in defining us; however, it is not what defines us.

In June of 2006, Mike Bond and George Danezis of the University of Cambridge Computer Laboratory released a paper which posed an interesting question regarding the role human nature plays with respect to the exploitation and compromise of both systems and people. In fact, in their abstract Bond and Danezis stated the following: “We study malware propagation strategies which exploit not the incompetence or naivety of users, but instead their own greed, malice and short-sightedness. We demonstrate that interactive propagation strategies, for example bribery and blackmail of computer users, are effective mechanisms for malware to survive and entrench, and present an example employing these techniques. We argue that in terms of propagation, there exists a continuum between legitimate applications and pure malware, rather than a quantised scale.” I loved this paper from the first time I read it, and I have had conversations with its authors regarding their views. I highly recommend it to anyone in our field, as its relevance is as indisputable as its timeliness.

It is key to recognize and emphasize the importance of diversity in malware propagation strategies. The vehicle for delivery can take many forms and may require many variables to be present and available. Attempting to compromise both systems and personnel requires that a discretionary mode of thought be employed in order to choose the most simplistic yet effective means for accomplishing the goal. In short, adherence to the principle identified and immortalized by William of Ockham, “entia non sunt multiplicanda praeter necessitatem” (“when you have two competing theories that make exactly the same predictions, the simpler one is the better”), also known as Occam’s Razor.

With respect to Advanced Persistent Threats, I’d like to focus the remainder of this entry on the reinvention of the Trojan. I am going to focus on Trojans today because, of late, I’ve been dealing a lot with them and find the evolution (revolution, even) taking place with respect to them quite interesting. Like all malicious programs, Trojans rely upon obfuscation in order to avoid being identified, detected, shut down and / or removed by a user or administrator. This reliance upon obfuscation is paramount to the successful introduction and installation of Trojans, as they typically attempt to convey a sense of benignity and / or usefulness to the user or environment they are being targeted toward, or via the application or mechanism being used for this purpose. Often this pseudo-benignity creates a false sense of security in the target and, ideally for the attacker, finds the target susceptible and willing to install the Trojan without knowing exactly or truly what it does.

Many factors influence the manner in which the payload will operate, to what degree and on what schedule, but ultimately the goal is to infiltrate, install and subsequently deliver the payload (again, as defined by the author) within the host environment. Trojans themselves fall into the category of malware which lacks the native capability to self-propagate (a la viruses) or replicate (a la worms), which requires them to leverage an alternate mechanism for distribution. As mentioned above, the path of least resistance is often the best, and depending on who and what is identified as the target of opportunity, the choice of distribution method may vary, with the net effect being the same. Popular means of distribution involve either exploitation of vulnerable systems via direct targeting, randomized exploitation via malicious websites and domains (a la ‘drive-by infections’), peer-to-peer file sharing and / or the ever popular ‘sneaker net’ via compromised USB media.

Of late, it’s become more and more popular amongst malware authors in the underground to implement command and control mechanisms within Trojans, enabling greater degrees of administrative response in addition to creating an environment which responds bidirectionally to the botmaster in question. Clampi, Monkif, the Grups Trojan and the URLZone Trojan are great examples of this. It is important to note that the rate of change being observed is great, and that the subsequent re-engineering of malware samples of this type is becoming more common. Changes such as these imply that the traditional use cases for such malware (though still applicable) are in fact also shifting. As a result, greater degrees of awareness are needed, beginning with solidly architected security programs and education / awareness campaigns, coupled with both technical and procedural controls.

In my next post we’ll discuss the rampant growth and resurgence of rootkits and backdoors as they pertain to APTs and Designer malware and what potential impact they are having today and may have in the future.