Malware: Is Your Workstation at Risk? Part 2

  • March 9, 2004
  • By Dinis Cruz

In Part 1 of this article:

  • It was explained why (as a programmer) your workstation is a very 'tasty' target for a malicious user
  • A fictitious scenario was provided
  • A couple of examples of attacks were highlighted (i.e. paths to 'infection')

In Part 2, using one of the possible 'infection' methods, I will explain how different types of Malware (Virus, Worms, Trojans, Backdoors, and RootKits) work and what a malicious attacker could do to you (Source-Code poisoning).

Malware Definitions

Malware is the name commonly used to describe any kind of Malicious Software. It is any piece of code that was designed with malicious intent in mind.

The most famous types of Malware are:

  • Viruses—Programs executed on the 'infected' machine with malicious intent. Viruses contain self-preservation mechanisms (such as 'infecting other executables') but usually need user intervention to propagate (for example, a user needs to open an attachment)
  • Worms—Self-Replicating Viruses that propagate automatically without any user intervention (for example, using a Buffer Overflow vulnerability present on an exposed service)
  • Backdoors—Programs that allow the malicious attacker remote access to the 'infected' machine without requiring normal user authentication and authorization
  • Trojans—Programs that contain a benign functionality (for example, a game) and a malign feature (for example, a backdoor). As in the original story, a Trojan program is designed in such a way that it bypasses normal defences and is knowledgeably executed by the user
  • User-Level RootKits—Programs that 'infect' program files that are executed by the user and run under the user account's privileges (for example, Explorer.exe or Winword.exe)
  • Kernel-Level RootKits—Programs that 'infect' functions belonging to the Operating System kernel (i.e. the core Windows operating system) that are used by hundreds of applications (including the Windows API itself). Kernel-mode RootKits modify (i.e. hijack) the internal operating system functions that return lists of files, processes, and open ports (use the Dependency Walker program to see the functions exported by 'NTDLL.dll', 'Kernel32.dll', and 'NTOSKRNL.exe'; the first two are the user-mode entry points that ultimately call into the kernel)

For example, on an infected machine, although the RootKit program is active and running in its own process, 'Task Manager' won't show it, because 'Task Manager' relies on Windows kernel functions to retrieve the list of running processes, and those functions have been changed so that their results no longer include the RootKit's own process.
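The hiding described above, and the check that catches it, as an added example that is not part of the original article: the 'kernel' process table, the hidden process name and the hooked enumeration are all simulated here (a real rootkit patches the kernel's own routines), but the detection idea is the one used by cross-view rootkit detectors: take the same list through the API the rootkit has hooked and through a path it has not, and treat any difference as something being hidden.

```python
"""Simulated kernel-level process hiding and cross-view detection (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    name: str


# Constructed "kernel" view: what the operating system actually has running.
KERNEL_PROCESS_TABLE = [
    Process(4, "System"),
    Process(612, "winlogon.exe"),
    Process(1340, "explorer.exe"),
    Process(2288, "taskmgr.exe"),
    Process(3104, "svch0st.exe"),  # the rootkit's own process (constructed name)
]

# What the (simulated) hook strips from every answer it returns.
HIDDEN_NAMES = {"svch0st.exe"}


def raw_enumerate(table=KERNEL_PROCESS_TABLE):
    """Unhooked enumeration: walks the kernel table directly."""
    return list(table)


def hooked_enumerate(table=KERNEL_PROCESS_TABLE, hidden=HIDDEN_NAMES):
    """Simulates the hijacked API: same call the Task Manager makes,
    but the rootkit's entries are filtered out before the caller sees them."""
    return [p for p in raw_enumerate(table) if p.name not in hidden]


def cross_view_diff(api_view, raw_view):
    """Entries present in the low-level view but missing from the API view."""
    api_pids = {p.pid for p in api_view}
    return [p for p in raw_view if p.pid not in api_pids]


def find_hidden_processes(table=KERNEL_PROCESS_TABLE, hidden=HIDDEN_NAMES):
    """Compare what the hooked API reports against the raw table."""
    return cross_view_diff(hooked_enumerate(table, hidden), raw_enumerate(table))


if __name__ == "__main__":
    print("Task Manager view:", [p.name for p in hooked_enumerate()])
    for p in find_hidden_processes():
        print(f"hidden from the API: pid={p.pid} name={p.name}")
```

The check is only as good as the 'raw' side: it must be obtained through a path the rootkit has not hooked (on a real system, reading kernel structures directly or inspecting the disk offline), otherwise both views lie the same way and the diff is empty.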

For an extended and well-presented explanation of these Malware programs, I strongly recommend the Ed Skoudis book Malware: Fighting Malicious Code (ISBN: 0-13-101405-6).

There are several ways in which these Malware programs can be propagated:

  • Infecting executables with the Malware code
  • Exploiting known vulnerabilities (for example, buffer overflows)
  • E-mailing itself to the victim's entire contact list
  • Infecting an application's source code with the Malware code

A V.W.T.B.R.M. (Virus.Worm.Trojan.Backdoor.RootKit.Malware)

In my example, your machine is attacked by a V.W.T.B.R.M. (Virus.Worm.Trojan.Backdoor.RootKit.Malware) program.

The original infection occurs through an e-mail attachment sent to your company's sales department (although, as you read in Part 1, there are other available paths to 'Infection').

The Development lab

This scenario starts in the malicious attacker's Development Lab, where they and their team are working on their latest V.W.T.B.R.M. program.

These malicious attackers are not kids and should not be ignored. They are organized criminals whose aim is to gain access to sensitive servers (located inside corporate networks) to steal information and blackmail their owners.

They are professionals (in their field), have no scruples, are well financed, and have patience (i.e. time is on their side).

So their V.W.T.B.R.M. will not:

  • Be detected by Anti-Virus software
  • Try to infect every machine on the Internet (using a huge amount of bandwidth and processing power that are easily detected by the local IT staff)
  • Be detected by normal methods (looking for weird files, processes, open ports, or network traffic)

Basically, their V.W.T.B.R.M. will be hyper-stealthy and very hard to detect.

Once completed, fully tested, and QA'd (passed through Quality Assurance), the V.W.T.B.R.M. is ready for deployment.

The innocent RfP (Request for Proposal)

To gain access to sensitive internal networks and be virtually undetected, the malicious attackers perform an indirect strike.

They attack software development houses that create software for the targeted companies. They don't have a particular software development house in mind; the first wave is a wide hit aimed at finding vulnerable companies.

Research on the Internet reveals hundreds of software development companies; a personalized e-mail is sent to each of them.

Example of e-mail sent:

From: Name.X@_Credible_looking_URL.com
To: Sales@Company_X.com
Subject: Request for Proposal (RfP)
Message:

Dear Company X Sales team:

I'm acting on behalf of our client (international corporation), which is looking for a software development house such as yours to outsource their current Internet/Intranet/Extranet project.

{... more details about the project (which will be created based around Company X's strengths) ...}

{... explain why they are contacting company X ...}

{... final comment saying how impressed they were with Company X's portfolio and experience in creating similar solutions ...}

Please find attached a zip file (called "Request_For_Proposal.exe") that contains a PowerPoint presentation about the project (Project.ppt) and a Request for Proposal Word document (RfP.doc) that you will need to use as the template for your response.

Best regards

Name.X
Credible_looking_Company name
Credible_looking_Company.URL

At Company_X, all e-mails to Sales@Company_X.com go directly to the sales department. They (pressured by management to meet their quarterly or monthly targets) can't believe their luck, eagerly open the attachment, and start working on the requested proposal.

What the sales staff didn't notice (and neither did their anti-virus software) was that the attached 'zip file' (the Request_for_Proposal.exe file) was a TROJAN: a self-extracting executable that was, in fact, the V.W.T.B.R.M. program. The file contained:

  • the PowerPoint presentation
  • the 'Request for Proposal' Word document
  • the Malware program (i.e. the VIRUS)

So, the V.W.T.B.R.M. Malware is executed. The Sales staff don't notice the 'infection' and spend the rest of the day working on the fictitious proposal. (From the malicious attacker's point of view, it is very important that the attack goes un-noticed.)
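The attachment gets through because everyone trusts the name and the description ("a zip file") rather than the bytes. An added example, not from the original article, of the check a mail gateway should make instead: classify the attachment by its magic bytes, treat anything with a Windows MZ/PE header as an executable regardless of what it is called, and flag mismatches between the extension, the e-mail's description and the real content. The sample attachments are constructed stand-ins (a minimal PE image with a zip appended, an OLE2 document, a plain zip), not real files.

```python
"""Judge attachments by content, not by name (added example)."""
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # .doc/.ppt/.xls of the era
ZIP_MAGIC = b"PK\x03\x04"


def _fake_pe_image(trailer: bytes = b"") -> bytes:
    """Constructed bytes that pass a PE check: 'MZ', e_lfanew=0x40 at offset 0x3C, 'PE\\0\\0' at 0x40."""
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    return dos_header + b"PE\x00\x00" + b"\x00" * 20 + trailer


# Constructed samples standing in for the attachments in the story.
SAMPLE_ATTACHMENTS = {
    # the "zip" from the e-mail: a self-extracting executable with zip data appended
    "Request_For_Proposal.exe": _fake_pe_image(ZIP_MAGIC + b"\x00" * 8),
    "RfP.doc": OLE2_MAGIC + b"\x00" * 24,
    "Project.zip": ZIP_MAGIC + b"\x00" * 28,
}

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
EXPECTED_KIND = {".zip": "zip", ".doc": "ole2-office", ".ppt": "ole2-office", ".xls": "ole2-office"}


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_kind(data: bytes) -> str:
    """Classify by magic bytes. The PE test runs first so a self-extracting
    archive counts as an executable even though zip data follows the stub."""
    if is_pe_image(data):
        return "pe-executable"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE2_MAGIC):
        return "ole2-office"
    return "unknown"


def attachment_verdict(filename: str, data: bytes, described_as: str = "") -> tuple:
    """Return ('block' | 'allow', reasons), judging the bytes rather than the name
    or the e-mail body's description of the file."""
    reasons = []
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    kind = sniff_kind(data)
    if kind == "pe-executable":
        reasons.append("content is a Windows executable (MZ/PE header), whatever the name says")
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension {ext} is directly executable")
    if ext in EXPECTED_KIND and kind != EXPECTED_KIND[ext]:
        reasons.append(f"extension {ext} does not match content type {kind}")
    if described_as and described_as.lower() == "zip" and kind != "zip":
        reasons.append(f"message describes a zip file but content is {kind}")
    return ("block" if reasons else "allow", reasons)


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        verdict, why = attachment_verdict(name, data, described_as="zip")
        print(f"{name}: {verdict} {why}")
```

Renaming the executable to Request_For_Proposal.zip would not help the attacker here: the MZ/PE test still fires, and the .zip extension now also disagrees with the sniffed content.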

The V.W.T.B.R.M. program (i.e. the VIRUS), once executed, does the following:

  1. Unzips the PowerPoint presentation and the 'Request for Proposal' Word document.
  2. Activates its WORM component and starts to automatically propagate by slowly scanning (to avoid detection) the local network for other computers and servers.
    1. Once a computer is found, a buffer overflow attack is mounted which, if successful, allows the remote execution of commands on that computer (i.e. a remote shell) with the privileges of the user currently logged in.
    2. This remote shell is used to copy the V.W.T.B.R.M. program (without the 'Request for Proposal' files) to the newly 'infected' computer and execute it.
  3. Because the sales staff use a normal user account (i.e. without administrative rights), the VIRUS cannot install its ROOTKIT on the 'infected' machine, so once the WORM component has finished (and all vulnerable computers are infected) the VIRUS removes all traces (i.e. temporary files) and terminates its running process.

And so it happens that one of the vulnerable machines is YOUR development workstation:

  1. The Buffer Overflow in your computer is exploited and the V.W.T.B.R.M. program (without the 'Request for Proposal' files) is executed under your user account (which has administrator privileges on your machine).
  2. Because the VIRUS is now executing with administrative rights, the ROOTKIT component is activated, and the kernel-level functions that return lists of processes, open ports, and Registry keys are changed so that the VIRUS is now completely invisible to the Windows API (i.e. 'Task Manager' and 'netstat -na' will 'lie' to you).
  3. The VIRUS also infects several other executables to guarantee its execution every time your computer is rebooted.
  4. Once the VIRUS is in its 'invisible mode', it activates the BACKDOOR component and sends a message to the malicious attackers saying "I'm in and have full control over this computer. What do you want me to do now?" This process is also referred to as 'Calling Home'.
  5. To further avoid detection:
    • The virus will only 'Call Home' once per reboot and will terminate its process if no response is received within 10 minutes.
    • All communications will occur over the 'normal and unsuspicious' port 443. This port is used for HTTPS and is usually not blocked by firewalls.
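Port 443 being open is not the same as the traffic being HTTPS. An added example, not from the original article, of the egress check that exploits that difference: look at the first client-to-server bytes of each connection to port 443 and flag any that do not start with a TLS ClientHello (record type 0x16, version 0x03.xx, handshake type 0x01). The connection records below are constructed, as is the 'call home' payload; the TLS prefix follows the record and handshake header layout from the TLS specification.

```python
"""Flag traffic on port 443 that is not actually TLS (added example)."""

# Constructed records: the first client->server bytes seen on each connection.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex(
    "16 03 01 00 9c"       # record: handshake (0x16), record version 3.1, 156 bytes
    "01 00 00 98 03 03"    # handshake: client_hello (0x01), 152 bytes, client version 3.3
)

CONNECTIONS = [
    {"proc": "iexplore.exe", "dst": "203.0.113.10", "dst_port": 443,
     "first_bytes": TLS_CLIENT_HELLO_PREFIX},
    {"proc": "explorer.exe", "dst": "198.51.100.7", "dst_port": 443,
     "first_bytes": b"HELLO host=DEVWS01 user=you admin=1\n"},      # constructed 'call home'
    {"proc": "outlook.exe", "dst": "192.0.2.25", "dst_port": 25,
     "first_bytes": b"EHLO devws01\r\n"},
    {"proc": "explorer.exe", "dst": "198.51.100.7", "dst_port": 443,
     "first_bytes": b"GET /cmd HTTP/1.1\r\nHost: 198.51.100.7\r\n"},  # plain HTTP on 443
]


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data begins with a TLS record carrying a ClientHello.

    Record header: content type 0x16 (handshake), version 0x03 0x00..0x03,
    two-byte length; the handshake header that follows starts with 0x01."""
    if len(data) < 6:
        return False
    if data[0] != 0x16 or data[1] != 0x03 or data[2] > 0x03:
        return False
    record_len = int.from_bytes(data[3:5], "big")
    if record_len == 0 or record_len > 16384:   # TLS plaintext records are at most 2^14 bytes
        return False
    return data[5] == 0x01


def flag_non_tls_on_443(connections):
    """Connections to port 443 whose opening bytes are not a TLS handshake."""
    return [c for c in connections
            if c["dst_port"] == 443 and not looks_like_tls_client_hello(c["first_bytes"])]


if __name__ == "__main__":
    for c in flag_non_tls_on_443(CONNECTIONS):
        print(f"non-TLS traffic on 443: {c['proc']} -> {c['dst']} {c['first_bytes'][:24]!r}")
```

This only catches an implant lazy enough to send its own protocol on 443 in the clear; one that speaks real TLS passes the check, which is why an egress proxy that terminates the TLS session (or an allow-list of destinations) is the stronger control, and the 'once per reboot' beacon in the story is deliberately designed to be too infrequent for volume-based alerts.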




Page 1 of 2