It looks like the total sum of all of my early fears regarding malware are starting to come to reality. The quiet types. I warned others about the potential for this back in the ‘80s when I worked for Symantec, but that was all theory and pizza induced chat sessions. This is real. Malware authors are leaving that intermediary phase of acquiring talents and skills from other attackers, going beyond the “blended threat” attack prevalent in the 90’s, and actively identifying, profiling and pursuing individual targets. Spear-phishing with a customized spear.
The internet has made the gathering of intelligence a trivial task. Not only does the internet have obvious privacy and security flaws that support and even encourage the gathering of information and data illegally, the internet has evolved from a publishing model where everyone and their dog had his own little web page, to a collaboration model where groups of people work together on portals and forums. Like-minded individuals are brought together into communicative and collaborative groups, sharing and exposing information that can be used for profile development.
A good resource published by Maarten Van Horenbeeck in 2007/2008 looked at early targeted attacks, and found that in 2005 to 2007, “targeted attacks are conducted in an opportunistic way: there is no set methodology”. Maarten’s Resource
Recent developments around Advanced Persistent Threats (APT) as they are being called and trolling the underground have led me to believe that malware agents and their delivery mechanisms are now being tailor made, and are exhibiting a methodology for distrivution and usage. Tailor made for specific individuals rather than wide distribution. Pin-point accurate targeting, not targeting a wide audience of PDF readers or courier users. Customization can often include:
- A single email rather than blanketed spam.
- Customized email content to appeal to the users’ identified weaknesses, interests, or hot topics.
- Enticements for the target to visit the vector vehicle;
- Compromised website,
- Malicious website,
- Download location of a decoy or payload impregnated document.
- Hide its presence from detective and preventive tools.
- Hide its communication mechanisms and patterns from traffic monitoring.
- Find new ways to achieve mass penetration, but triggered activation of a malicious agent in order to penetrate but remain hidden.
- Anti-tampering mechanisms to hide, self destruct or to disable the infected PCs boot-up capability.
- Existence in RAM only, no longer leaving traces on the hard disk.
Cases in point include recent attacks on Marathon Oil, ExxonMobil, and ConocoPhillips, the Aurora attacks on Google, Symantec, Intel and Adobe, and the mass injection of popular websites. Disconcerting is the fact that signature development for detection of these malware vectors can be retarded by the delay incurred by some malware authors’ intentionally allowing their agents to lie dormant until a triggering event such as visiting a specific website, typing in a specific string, launching a specific application, or termination of a specific process (Anti-virus or Firewall?) on the target box takes place.
IRC was initially used as a two way communication tool to allow data to be exfiltrated, and commands to be issued to the malware agent, often part of a botnet for hire. IRC was easily detectable, as it is not commonly used in most businesses. Encrypting or otherwise obfuscating outbound communication was a popular masking technique for early malware agents, but still led to detections because encrypted traffic or odd data streams would be considered unusual traffic and can be easily pattern matched. More modern covert tools simply send HTTP, HTTPS, FTP and SFTP traffic which are protocol streams universally accepted and allowed through most firewalls.
The premise is scary. The attacker hangs out in chat-rooms, forums, social media sites, appearing for all intents and purposes as just another user. If they are clever, they could volunteer for a moderators position, giving them access to IP address and other information of users and posters. Not necessary, but plausible. They lurk and engage others anonymously in apparently benign conversations using multiple pseudonyms, for the purposes of building trust, gathering information, creating a profile, progressively adding likes, dislikes, job, employer, marital status, weaknesses, fears, friends, employment history, email address, geo-location, physical location, phone number, etc. This information can be gleaned directly from the user, culled from dedicated intelligence sources, pulled from Facebook or LinkedIn, gathered through Social Engineering attacks on the individual or their contacts, posting fake job postings, or a myriad other ways.
All this effort for one final purpose; to get the user to visit a web site or open an attachment that will install software, built for him and him only, onto their system that will eventually find its way past their employer’s safeguards, gathering the credentials, data or information that will bring them access to their actual target. All nice and quiet, undetected, and with little or no impact to the user or the network.
The longer they can stay on the system and send data out sparingly but regularly, the better their chances of creating and maintaining a profit stream. If they have a built in self destruct mechanism, they can execute it if tampering is detected, or once access to the target data is attained in order to remain surreptitious. As long as the software is not detected, the revenue stream continues. As long as the software agent remains installed on only a select few target PCs, it is unlikely to be given to an anti-malware vendor and have a signature developed to detect it.
They are using our own tools against us, submitting initial versions of their malicious creations to VirusTotal and other sites that run malware scans from multiple vendors to ensure that they are not detected.
I once more vent about the lack of commercial (and open source, ‘cause I still like FREE) behavioral analysis A/V tools, and mention that I don’t much care for or consider these malware guys brilliant, special or interesting… Just lazy and misguided. Skin them all…