Something’s Happenin’ in Malware
Malware is a nasty threat to everyone, whether you’re trying to enrich Uranium with fancy centrifuges in Iran or enrich your bank account with fancy craft projects on Etsy. The really menacing examples are named like characters lifted from fan fiction based on William Gibson books or The Matrix: Flame, Stuxnet, Duqu, Gauss.
This new breed has demonstrated a perhaps unsurprising aspect: malicious software (i.e. “malware”) is still just software. Anyone can develop it and those developers affect the quality and effectiveness of the software.
Recent examples have captured the cybercombat imagination because of their perceived sophistication, situational targeting (specific infrastructure, specific governments), and delay to discovery. They’ve demonstrated that it’s possible to find unfixed vulnerabilities (so-called “0-days”) and it’s possible to avoid detection (evade anti-virus). Whether these possibilities surprise you is likely correlated with how diligently you keep your system up to date and why.
A major problem for malware developers is delivery. Criminals, miscreants, and the vapidly named “state sponsored” groups have an easy time developing malware. The real challenge is deploying the malware wherever they want. An intriguing aspect of Stuxnet and its siblings was how it spread. It apparently used USB drives to jump from computer to computer, following engineers as they worked at installations in different countries. Other targeted malware looked at IP addresses or specific system features to decide whether to unleash mayhem or remain dormant.
More banal malware just sits on web pages or lurks in compromised advertising banners, waiting to ambush the poor, unpatched browser that happens upon it. This type of deployment cared less about who the victims were and more about how many victims could be compromised before the payload expired — in other words, before anti-virus (AV) caught up with it or too many people eventually patched their systems.
This is the other challenge for malware developers: avoiding detection. It’s also a growing concern for the security industry because recent analysis of sophisticated malware has shown them to have been active for months, if not years. Even AV vendors had to admit they failed spectacularly to detect and block these attacks. It seems that malware has short longevity only when it’s widespread and noisy, which implies that we’re all canaries in the coal mine and we need more canaries. Even if that’s the least efficient countermeasure.
AV is fighting a losing battle. Modern software architectures are turning to cloud computing and software-as-a-service (Saas). Malware is following suit. There are SaaS offerings verify whether a piece of malware will be detected or not by any of the several dozen anti-virus applications.
Just because the cool, media-favored malware examples are sophisticated doesn’t mean malware must be sophisticated. There are plenty of examples that target vulnerabilities that have been known about and patched for six months or longer. When was the last time Adobe released a non-critical patch for Flash? When was the last time you actually updated it? There’s a reason the Chrome browser decided to install and manage Flash on its own, as much as there’s a reason Apple decided to forgo it altogether on their mobile devices.
Malware developers also have speed on their side. They don’t need to spend effort on finding new 0-day vulns; they can wait for a vendor to release a security patch, reverse engineer the patch, and deliver a new malware payload within days (if not hours).
Then there’s a whole new realm we haven’t covered yet. Mobile devices have old breeds of malware in shiny, new apps. Where malware like Stuxnet, Flame, and Gauss use 0-days, encryption, and stealth to attack specific targets, mobile malware just throws itself at users. It’s not uncommon to find app stores seeded with thousands of malicious apps before they’re eventually cleaned out.
For what reason do you think a “flashlight” app needs access to your geo-location info? Or your contacts list? Was that version of Angry Birds you downloaded the official distribution from Roxio? Or a version infected with spyware? Both are available on app stores.
Even legitimate mobile apps have muddied the waters of privacy by requesting more privileges than they require. In some cases apps have uploaded complete contact lists to their own sites. Other apps have neglected to use SSL/TLS connections even when their web-based counterparts correctly do so. And some of the apps that use SSL don’t bother to verify the server’s certificate — completely negating one of the ways SSL is intended to prevent interception attacks. None of these apps are created with malicious intent, but they’re no more help to your privacy and security than actual malware.
Not only has malware become more adept at avoiding AV systems; it’s adopted good crypto engineering. Whereas those previously mentioned “good” apps sometimes neglect encrypted connections altogether, recently discovered malware has implemented strong encryption for its command-and-control channels. The encryption in Gauss, for example, has hampered its analysis to the point where researchers have openly called for help from the larger security community. If only web site developers would apply the same effort towards protecting passwords from being stolen and easily cracked.
One way to reduce the spread of malware is to make web sites more secure. Yes, end users need to do their part in keeping browsers and plugins updated. (It’s not hard, a site like https://browsercheck.qualys.com/ will let you know whether your browser deserves a thumbs up.)
My book, Seven Deadliest Web Application Attacks (ISBN 978-1597495431), briefly covers malware along with the more general problem of protecting a site from becoming a malware distribution point. Whether you’re building a web site or trying to determine whether it’s secure, this book provides examples from SQL injection and cross-site scripting to more complex analysis of a site’s logic and new technologies like HTML5.
Malware Forensics: Investigating and Analyzing Malicious Code (ISBN 978-1597492683) opens up more of the details behind malware: how it hides, how it spreads, and how to analyze it. This book goes into the details of 0-days and encryption that I’ve only hinted at here. Reverse engineering a malware sample requires patience and luck; this book explains some of the tools and techniques to make the process more successful.
Malware Forensics Field Guide for Windows Systems (ISBN 978-1597494724) covers malware from the perspective of Windows. Windows systems still represent a huge target base and has been the focus of malware for almost twenty years. It’s always helpful to know how to figure out whether than PDF or ZIP file attached to an email message is going to cause havoc on your system.
Mobile Malware Attacks and Defense (ISBN 978-1597492980) details the new world of malicious mobile apps. There’s as much creativity put towards bypassing app store controls and device security as there are types of phones and versions of operating systems. If your brain relies on having a mobile device at hand 24 hours a day, then it’s a good idea to know how to keep that device healthy.
About this author
Mike Shema develops software for finding and fixing web security problems, currently as the Director of Engineering at Qualys. His experience with information security also covers penetration testing, secure programming, and wireless networks. He’s put this experience into books like The Anti-Hacker Toolkit, Seven Deadliest Web Attacks, and, most recently, Hacking Web Apps. He has taught classes and presented security research at conferences around the world.