Malware: Is Your Workstation at Risk? Part 2

In Part 1 of this article:

• It was explained why (as a programmer) your workstation is a very 'tasty' target for a malicious user
• A fictitious scenario was provided
• A couple of examples of attacks were highlighted (i.e. paths to 'infection')

In Part 2, using one of the possible 'infection' methods, I will explain how different types of Malware (Virus, Worms, Trojans, Backdoors, and RootKits) work and what a malicious attacker could do to you (Source-Code poisoning).

Malware Definitions

Malware is the name commonly used to describe any kind of Malicious Software. It is any piece of code that was designed with malicious intent in mind.

The most famous types of Malware are:

• Viruses—Programs executed on the 'infected' machine with malicious intent. Viruses contain self-preservation mechanisms (such as 'infecting other executables') but usually need user intervention to propagate (for example, a user needs to open an attachment)
• Worms—Self-Replicating Viruses that propagate automatically without any user intervention (for example, using a Buffer Overflow vulnerability present on an exposed service)
• Backdoors—Programs that allow the malicious attacker remote access to the 'infected' machine without requiring normal user authentication and authorization
• Trojans—Programs that contain a benign functionality (for example, a game) and a malign feature (for example, a backdoor). As in the original story, a Trojan program is designed in such a way that it bypasses normal defences and is knowledgeably executed by the user
• User-Level RootKits—Programs that 'infect' program files that are executed by the user and run under the user account's privileges (for example, the Explorer.exe or Word.exe program)
• Kernel-Level RootKits—Programs that 'infect' functions belonging to the Operating System kernel (i.e. the core Windows operating system) and are used by hundreds of applications (including the Windows API). Kernel-Mode RootKits will modify (i.e. hijack) internal operating system functions that return lists of files, processes, and open ports (use the 'DependencyWalker' program to see Kernel functions on the 'NTDLL.dll', 'Kerner32.dll', and 'NTOSKRNEL.exe' files)

For example, in an infected machine, although the RootKit program is active and running in its own process, the 'Task Manager' won't show it because 'Task Manager' relies on Windows Kernel functions to retrieve the list of running Processes (that can be changed so that the results won't include the RootKit's own process).

For an extended and well-presented explanation of these Malware programs, I strongly recommend the Ed Skoudis book Malware: Fighting Malicious Code (ISBN: 0-13-101405-6).

There are several ways in which these Malware programs can be propagated:

• Infecting executables with the Malware code
• Exploiting known vulnerabilities (for example, buffer overflows)
• E-mailing itself to the victim's entire contact list
• Infecting an application's source code with the Malware code

A V.W.T.B.R.M. (Virus.Worm.Trojan.Backdoor.RootKit.Malware)

In my example, your machine is attacked by a V.W.T.B.R.M. (Virus.Worm.Trojan.Backdoor.RootKit.Malware) program.

The original infection occurs through an e-mail attachment sent to your company's sales department (although, as you read in Part 1, there are other available paths to 'Infection').

The Development lab

This scenario starts in the malicious attacker's Development Labs, where he/she and his team are working on their latest V.W.T.B.R.M. program.

These malicious attackers are not kids and should not be ignored. They are organized criminals whose aim is to gain access to sensitive servers (located inside corporate networks) to steal information and blackmail their owners.

They are professionals (in their field). Have no scruples, are well financed and have patience (i.e. time is on their side).

So their V.W.T.B.R.M. will not:

• Be detected by Anti-Virus software
• Try to infect every machine on the Internet (using a huge amount of bandwidth and processing power that are easily detected by the local IT staff)
• Be detected by normal methods (looking for weird files, processes, open ports, or network traffic)

Basically, their V.W.T.B.R.M. will be hyper-stealthy and very hard to detect.

Once completed, fully tested, and QAed (Quality Assuranced), the V.W.T.B.R.M. is ready for deployment.

The innocent RfP (Request for Proposal)

To gain access to sensitive internal networks and be virtually undetected, the malicious attackers perform an indirect strike.

They attack software development houses that create software for the targeted companies. They don't really have a particular software development house in mind and the first wave will be a wide hit aimed at finding vulnerable companies.

Research on the Internet reveals hundreds of software development companies; a personalized e-mail is sent to each of them.

Example of e-mail sent:

At Company_X, all e-mails from Sales@Company_X.com go directly to the sales department. They (pressured by management to meet their quarterly or monthly targets) can't believe their luck and eagerly opens the attachment and start working on the requested proposal.

What the sales staff didn't notice (and neither did their anti-virus software) was that the attached zip file (the Request_for_Proposal.exe file) was a TROJAN (i.e. it was the V.W.T.B.R.M. program). The file contained:

• the PowerPoint presentation
• the 'Request for Proposal' Word document
• the Malware program (i.e. the VIRUS)

So, the V.W.T.B.R.M. Malware is executed. The Sales staff don't notice the 'infection' and spend the rest of the day working on the fictitious proposal. (From the malicious attacker's point of view, it is very important that the attack goes un-noticed.)

The V.W.T.B.R.M. program (i.e. the VIRUS), once executed, does the following:

1. Unzips the PowerPoint presentation and the 'Request for Proposal' Word document.
2. Activates its WORM component and starts to automatically propagate by slowly scanning (to avoid detection) the local network for other computers and servers.
1. Once a computer is found, a buffer overflow attack is mounted which, if successful, allows the remote execution of commands on the server (i.e. a remote shell) with the privileges of the current logged in user.
2. This remote shell is used to copy and execute the V.W.T.B.R.M. program (without the 'Request for Proposal' files) to the newly 'infected' computer.
3. Because the sales staff uses a normal User account (i.e. without administrative rights) the VIRUS cannot install its ROOTKIT on the 'infected machine', so once the WORM component is finished (and all vulnerable computers are infected) the VIRUS removes all traces (i.e. temporary files) and closes it running process.

And so it happens that one of the vulnerable machines is YOUR development workstation:

1. The Buffer Overflow in your computer is exploited and the V.W.T.B.R.M. program (without the 'Request for Proposal' files) is executed under your user account (which has administrator privileges on your machine).
2. Because the VIRUS is now executing with Administrative rights, the ROOTKIT component is activated where Kernel-Level functions (that return lists of processes, open ports, and Registry keys) are changed so that the VIRUS is now completely invisible to the Windows API (i.e. the 'Task Manager' and 'Netstat -na' will 'lie' to you).
3. The VIRUS also infects several other executables to guarantee its execution every time your computer is rebooted.
4. Once the VIRUS is in its 'invisible mode', it activates the BACKDOOR component and sends a message to the malicious attackers saying "I'm in and have full control over this computer. What do you want me to do now?" This process is also referred to as 'Calling Home'.
5. To further avoid detection:
• The virus will only 'Call Home' once per reboot and will terminate its process if no response is received in 10 minutes.
• All communications will occur over the 'normal and unsuspicious' port 443. This port is used for HTTPS and usually is not blocked by firewalls.

Back at the Malicious Attackers' HQ

Having sent the e-mails with the V.W.T.B.R.M. program, the malicious attackers are now waiting for the responses.

And, sure enough, eventually YOUR computer is 'calling home', by contacting the 'listening server' (which is another previously compromised machine located somewhere on the Internet) asking for orders.

The BACKDOOR installed in YOUR computer provides the malicious attackers with a command prompt shell with Administrative rights. This shell will be used to:

1. Scan your computer for files and e-mails containing sensitive information (trade secrets, development plans, and account details).
2. Download source code stored in your local copy of your Visual Studio projects.
3. Upload changes to those source code files containing a BACKDOOR that will activate when your code is executed (i.e. your will be a victim of SOURCE-CODE POISONING).
4. Once the changed files are committed to the VSS repository, the VIRUS and all its traces are deleted from your computer.

Waiting for the Jackpot

The malicious attackers will, now patiently, wait for your development cycle to finish and for your product to be shipped to your clients, which will install them in their servers located inside their corporate network.

Because your company doesn't provide the source code of your software, it will be almost impossible for your clients to detect the BACKDOOR included.

Once the program is executed in your client's servers, the BACKDOOR is activated and your client will be involved in a serious security incident that could be very expensive and damaging.

And once the authorities get involved, guess where the forensic evidence will point to: Your Company, Your Computer, and ultimately YOU!

V.W.T.B.R.M. in a Nutshell

Recapping the different types of Malware used in this example:

• V. (Virus)—Program containing the 'malicious' Business Logic code and (when required) 'infected' other executables
• W. (Worm)—Self Propagated using a Buffer Overflow vulnerability
• T. (Trojan)—Malicious payload delivered though an authentic, look-alike 'Request for Proposal'
• B. (Backdoor)—Allows the malicious attackers to execute commands remotely on your computer
• R. (RootKit)—Changes core Operating System functions, which made it invisible and undetectable
• M. (Malware)—Malicious Software (all of the above)

Nahh.... It Could Never Happen to Me

If your company has a good security infrastructure and is well prepared to mitigate these stealth attacks, you are correct.

But... if your company's IT security is not able to detect and block the attacks described in this article, the question will be WHEN and not IF.

Today, most System Administrators and IT Security staff don't have programming backgrounds. They are not able to write scripts that, for example, automate security tests and detect possible intrusions.

If you are interested in learning about security and dedicate enough time to that endeavour, you could make a real difference in your company's security infrastructure (and your value as a IT professional will increase dramatically).

Now is the time to make the jump and add 'IT Security Knowledge' to your skills set and CV. Learn how Malware works and you will be able to write Anti-Malware scripts and applications for your projects and for your company.

About the Author

Dinis Cruz is an experienced security consultant based in London (UK) and specialized in ASP.NET Application Security, Active Directory Deployments, and Ethical Hacking. Dinis is also the creator and main developer of the OWASP's Open Source project: ASP.NET Security Analyser (ANSA). You can contact him at Dinis.developer.com@ddplus.net.