A CxO’s Guide to Understanding Today’s Most Dangerous Attacks
To understand how to counter stealth malware threats, you first need to understand the nature and sophistication of these attacks at each of their four stages.
By Matt Brinkley
Today’s latest stealth malware attacks are more complex and sophisticated than at any other time in history. Such attacks could be the product of opportunistic Trojans or fake antivirus (AV) software that indiscriminately attack any system, or they could be targeted advanced persistent threats (APT) designed to achieve a particularly significant impact on specific organizations.
Whether opportunistic or targeted, the damage these threats can perpetrate can negatively affect employee productivity, damage-control costs, compliance efforts, legal liabilities, customer relationships, and a corporation’s reputation. From established technologies to newer security innovations, solutions are available now to counter stealth malware threats at each of the four stages of an attack: Contact, Execution, Embedding, and Damage. Understanding the nature and sophistication of the attacks at each of these stages is the first critical step to defending against them.
Stage 1: Contact
The first stage of the stealth attack is the point at which attackers first cross paths and make contact with their victims. However they make contact, the objective will be to deliver sophisticated malware to a system. This malware could include rootkit software capable of embedding itself on a system, cloaking the existence of its processes and tools within legitimate system processes, and allowing the attackers ongoing access to that system.
The most common of these contact points is the malicious Web site, where a site is owned and controlled, infiltrated, or otherwise infected by attackers. It is here that an unsuspecting user falls victim to a “drive-by” download, or a download that simply requires a browser visit for the infection to occur. A 2011 study by McAfee Labs found an average of 6,500 new malicious sites per day in one quarter and 9,300 the next quarter. The report also found that as many as one in every 400 URLs was malicious. Such numbers are a testament to the Web site’s effectiveness as an attack vector.
Unsolicited messages are another common method of contacting and infecting victims. Such messages carry Web links to malware download sites or malware-bearing attachments, and could reach users through e-mail, Twitter, Facebook, or instant messages under the guise of friendly communications. Hackers could also attack victims through untrusted WiFi networks or through infected systems elsewhere on a network.
Hackers have also adopted the practice of loading malware onto rogue thumb drives and leaving them in public places where they can be picked up and inserted into endpoints. The tactic is known as a “candy drop,” given that users cannot resist picking up free thumb drives for their personal use.
Stage 2: Execution
After contact is made, the malware begins its maiden run on the host machine. The malicious code may exploit one or more of the thousands of vulnerabilities in common, legitimate applications or in the operating system itself. It can also take advantage of common configuration errors to run malicious code on the system. Execution could also be initiated through a social engineering scheme that tricks the user into choosing to run malware masquerading as a codec required to watch a video, a game, pirated software, or an executable masquerading as a document of interest.
Whether an exploit or social engineering is employed, the malware has begun execution on the victim’s computer. From here it can begin its malicious activities.
Stage 3: Embedding
At this stage, the malware firmly embeds itself into the system, hides its payload, and launches further infections. The goal here is to “persist” the malicious code on the system, allowing it to survive reboot, stay hidden from security measures, as well as hide itself from the user. The malware accomplishes this by hiding itself in known good processes and by blocking access to security software updates. It may also change browser security settings and disable the Windows Task Manager, Windows Safe Mode, System Restore, the host-based firewall and Microsoft Security Center.
A kernel mode rootkit will embed itself beneath the OS and then hide, making it possible for the malware to boot up before the OS and effectively evade any security measures within the OS. When it is firmly entrenched, the malware will then be able to download whatever other code it requires to achieve its objectives.
Stage 4: Damage
In this final stage, the malware focuses on the ultimate goal of the malware author. This could involve any number of crimes or schemes, including identity theft for the purpose of financial fraud, the implementation of adware or scareware, the theft of intellectual property, cyber sabotage, or self-propagation through the infection of other endpoints.
Taking control of endpoints allows a hacker to set up a botnet capable of sending spam or launching distributed denial of service (DDoS) attacks against targets elsewhere on the web. Such botnets can be rented out to cybercriminals hoping to perpetrate a short-term crime and leave no digital fingerprints. In the case of adware and scareware, attackers extort money from users tricked into believing that they are buying legitimate AV security software. Most APTs are launched to steal intellectual property and other confidential information from corporations or government entities.
At the end of the day, stolen passwords, user names, personal employee data, and other confidential information will find their way into a thriving community of underground auctions and marketplaces.
Security Solutions for Each Stage
The contact threat can be mitigated through a combination of Web site and e-mail filtering, Web site reputation services, gateway protection, and thumb drive-thwarting device control solutions. Additionally, host-based network access control solutions can assure that only healthy endpoints access a system, and host-based desktop firewalls can protect against network exploit attempts.
Traditional AV blocks access to “known” malware, that has already been identified and a signature developed. Initial malware execution can be countered by “on access” scanning of all files entering a system from the network. Memory-based exploit prevention can prevent the buffer overflow frequently used to initiate malware infections. Finally, application control, or “whitelisting,” can be implemented to ensure that only known applications can be installed on the host computer.
Established AV solutions can address some of the malware activities in the“embedding” stage through file scanning. In the “damage” and “embedding” stage, application control could again play a role if only whitelisted applications are authorized to make changes to application files or OS settings. Host intrusion prevention technologies can use behavioral and signature analysis to block known and newly emerging attacks; host-based firewalls can prevent connections to known malicious bot networks.
A Final Word
Because the cost of mitigating threats increases with each passing stage, protecting users at the contact stage is the least expensive and most effective way to maintain a secure environment. Users must be educated on what to look for in fraudulent sites and unsolicited messages. Web site certification can assure visitors that malware scanning services regularly test sites for malware. Users must also receive guidance on how to avoid misconfigured or unsecured wireless networks. Organizations must assess which business processes and enterprise assets present vulnerabilities and targets, and assume that the latest trends in stealth threat evolution will continue to bring forward new wrinkles at each of the four stages of attack.
Matt Brinkley is the senior architect in McAfee’s endpoint security business unit, covering all of McAfee’s enterprise endpoint protection technologies. You can contact the author at matt_brinkley@mcafee.com.