PART I

MALWARE

CASE STUDY: Please Review This Before Our Quarterly Meeting

Let’s look at a scenario of an organization being targeted for a breach.

Tuesday 3:20 pm   A fake but very realistic email is sent to the ten executives on the management team of a medium-sized manufacturing firm, from what appears to be the company’s own CEO. The email is titled, “Please review this before our meeting,” and it asks them to save the attachment, rename the file extension from .zip to .exe, and run the program. The program is supposedly a plug-in for the quarterly meeting happening that Friday, required for viewing video that will be presented. The “CEO” explains in the message that the executives have to rename the attachment because the mail server’s security settings do not allow him to send executables.

The executives do as they are told and run the program. Those who would normally be suspicious see that their fellow coworkers received the same email, so it must be legitimate. Also, because the email was sent late in the day, some don’t receive it until almost 5 pm and don’t have time to verify with the CEO that he actually sent it.

The attached file is actually a piece of malware that installs a keystroke logger on each machine. Who would create such a thing and what would their motive be? Let’s meet our attacker.

Bob Fraudster, our attacker, is a programmer at a small local company. He primarily programs using web-based technologies such as ASP.NET and supports the marketing efforts of the company by producing dynamic web pages and web applications. Bob decides that he wants to earn some extra money on the side to make up for a pay cut he just took to keep the company he works for afloat. Bob goes to Google.com to research bots and botnets, as he has heard they can generate tons of money for their operators, and he thinks it might be a good way to make some extra cash. Over the course of the next month or so, he joins chat forums, listens to others, and learns about the various online forums where he can purchase bot software to implement click fraud and create some revenue for himself. Through his research, Bob knows that the majority of antivirus applications can detect precompiled bots, so he wants to make sure he gets a copy of the source code and compiles his own bot. Bob specifically purchases a bot that communicates with his rented hosting server over HTTPS (HTTP over SSL), thereby reducing the chance that the outbound communications from his bots will be intercepted by security software. Because Bob is going to use HTTPS, all of his bot traffic will be encrypted and go right through most content-filtering technology as well. Bob signs up as an Ad Syndicator with various search engines such as Google and MSN. As an Ad Syndicator, he can display ads from the search engine’s ad rotation programs, like AdSense, on his website and receive a small fee (pennies) for each click on an ad that is displayed there.

Bob uses some of the exploits he purchased with the bot, in addition to exploits for application-level vulnerabilities he bought separately, to compromise web servers around the world. Using standard web development tools, he modifies the HTML or PHP pages on the sites to load his own ad syndication account so his ads are displayed instead of the site’s ads. Essentially, Bob has forced each website he has hacked into to syndicate and display ads that, when a user clicks them, send money to him instead of to the real website operators. This method of receiving money when a user clicks an advertisement on your website is called pay-per-click (PPC) advertising, and it makes up a large chunk of Google’s revenue.

Next, Bob packages up the malware using the Armadillo packer so it looks like a new PowerPoint presentation from the company’s CEO. He crafts a specific, custom email message that convinces the executives the attachment is legitimate and from the CEO. Now they just have to open it. Bob sends a copy of this “presentation,” which actually installs his bot, every 30 minutes or so to a variety of small businesses’ email addresses that he purchased. Since Bob has worked in marketing and implemented email campaigns, he knows he can purchase a list of email addresses rather easily from a company on the Internet. It is amazing how many email addresses are available for purchase. Bob focuses his efforts on email addresses that look like they belong to smaller businesses rather than large corporations, because he knows many enterprises run antivirus at their email gateways and he doesn’t want to tip off any antivirus vendors about his bot.

Another alternative for Bob to obtain emails is to visit web pages of smaller businesses and scrape or guess the email addresses of executives that are typically found in the “About Us” or “Leadership” section of their websites.

Bob is smart. He knows that bots communicating via IRC are becoming easier to detect, so he purchases a bot that communicates with his privately rented server over HTTPS. Using custom GET requests, the bot exchanges command-and-control messages carrying specific data with his web server, just as a normal browser interacts with any other website. Because the bot communicates over HTTP(S), Bob doesn’t have to worry about a firewall on the machines he infects blocking access to his rented web server, since most firewalls allow outgoing traffic on port 443. Web content filtering doesn’t worry him either, because the data he transfers looks innocent. Plus, when he wants to steal financial data from victims who “watch” the corporate PowerPoint presentation, he can simply encrypt it and the web filter will never see the data. Because he doesn’t release his bot as a mass-propagation worm, antivirus vendors never receive a sample of it, so the victims’ signature-based antivirus has no signature for this bot and won’t detect the installation.

Once installed, the bot runs inside Internet Explorer as a Browser Helper Object (BHO), which gives it access to all of the company’s normal HTTP traffic and to the functionality of Internet Explorer itself, such as HTML parsing, window titles, and the password fields of web pages. This is how Bob’s bot will sniff the data being sent to the company’s credit union and the various online banks. The bot then connects to Bob’s master bot server and queries it for the list of compromised websites to visit and start clicking advertisements on.

Once the bot receives the list of links to visit, it saves the list and waits for the victim to use Internet Explorer normally. While the victim is browsing CNN.com to learn about the latest happenings in the world, the bot goes to a site in its list of links to find an ad to click. The bot understands how the ad networks work, so it uses the referrer (the HTTP Referer header) of the site the victim is actually viewing (e.g., CNN.com) to make the click on the ad look legitimate. This fools the advertisement company’s antifraud software. Once the bot clicks the ad and views the advertisement’s landing page, it moves on to the next link in its list. The method the bot uses makes the logs on the advertising companies’ servers look as though a normal person viewed the advertisement, which reduces the risk of Bob’s advertising account being flagged as fraudulent.

In order to remain hidden and generate as much revenue for himself as possible, Bob sets the bot to keep clicking advertisements very slowly over the course of a couple of weeks. Doing this helps ensure that the victims don’t notice extra load on their computers and that Bob’s bot isn’t flagged for fraud.

Essentially, Bob has successfully converted the company’s workstations into the equivalent of an ATM spitting out cash into a street while he holds a bag to catch the money.

Other stealth techniques Bob employs ensure that the search engines whose ads his bot clicks don’t detect his fraud either. To prevent detection, the bot spreads its clicks across a variety of search engines and ad networks, such as Google, Bing, Yahoo!, and so on. The more search engines it uses within the fraud scheme, the more money Bob can make, and the smaller his footprint on any one of them.

Bob needs the search engines because they are the conduits for the fraud: the ads clicked are the ones placed on the websites Bob broke into a few weeks ago. Of the ads the bot clicks on the compromised websites, only 10 percent are Google’s; the rest come from other sources, including other search engines. The bot also implements a random click algorithm that follows the ad link only half of the time, just to make it even harder for the search engine company to detect.
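The referrer trick described above works because the ad network only sees the click request. As an added example (my code, not the book’s), here is the kind of consistency check an ad network could run if it also keeps the serving side of the record. The assumptions are mine: the network logs, for every ad it serves, an impression id, the syndicator account that displayed it and the URL of the page that requested it, and every click carries the impression id plus the browser’s Referer. A genuine click comes from the page where the ad was shown, so the two hosts should match; Bob’s bot clicks an ad served on a hacked site while sending the Referer of whatever page the victim is really reading, so they diverge. All impression and click records below are constructed for the example.

```python
"""Added example: publisher-side click-consistency check (assumptions are mine).

The ad network is assumed to record (impression_id, publisher_id, page_url)
for every ad served and (impression_id, referer_url) for every click.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed impression records: (impression_id, publisher_id, page_url)
IMPRESSIONS = [
    ("imp-001", "pub-bob",   "http://hacked-shop.example/index.php"),
    ("imp-002", "pub-bob",   "http://hacked-blog.example/post/7"),
    ("imp-003", "pub-bob",   "http://hacked-shop.example/cart.php"),
    ("imp-004", "pub-bob",   "http://hacked-blog.example/post/9"),
    ("imp-005", "pub-legit", "http://news-site.example/story/1"),
    ("imp-006", "pub-legit", "http://news-site.example/story/2"),
    ("imp-007", "pub-legit", "http://news-site.example/story/3"),
    ("imp-008", "pub-legit", "http://news-site.example/story/4"),
]

# Constructed click records: (impression_id, referer_url)
CLICKS = [
    ("imp-001", "http://www.cnn.com/"),                # bot: Referer of the page the victim is reading
    ("imp-003", "http://www.cnn.com/world/"),          # bot again
    ("imp-004", "http://hacked-blog.example/post/9"),  # consistent click
    ("imp-006", "http://news-site.example/story/2"),   # genuine click on a legitimate site
    ("imp-999", "http://somewhere.example/"),          # click for an impression never served
]


def host_of(url):
    """Lower-cased host part of a URL ('' if the URL has none)."""
    return urlsplit(url).hostname or ""


def referer_mismatches(impressions, clicks):
    """Clicks whose Referer host differs from the host the ad was served on.

    A click referencing an unknown impression id is reported too, with
    served_host None, because it cannot be a click on an ad we served.
    """
    served = {imp_id: (pub, host_of(url)) for imp_id, pub, url in impressions}
    bad = []
    for imp_id, referer in clicks:
        pub, served_host = served.get(imp_id, (None, None))
        click_host = host_of(referer)
        if served_host is None or click_host != served_host:
            bad.append({"impression": imp_id, "publisher": pub,
                        "served_host": served_host, "click_host": click_host})
    return bad


def publisher_stats(impressions, clicks):
    """Per-publisher impression count, click count and mismatched-click count."""
    stats = defaultdict(lambda: {"impressions": 0, "clicks": 0, "mismatches": 0})
    pub_of = {}
    for imp_id, pub, _ in impressions:
        stats[pub]["impressions"] += 1
        pub_of[imp_id] = pub
    for imp_id, _ in clicks:
        pub = pub_of.get(imp_id)
        if pub is not None:
            stats[pub]["clicks"] += 1
    for m in referer_mismatches(impressions, clicks):
        if m["publisher"] is not None:
            stats[m["publisher"]]["mismatches"] += 1
    return dict(stats)


def suspicious_publishers(impressions, clicks, min_clicks=3,
                          max_mismatch_ratio=0.1, max_ctr=0.5):
    """Publishers worth holding payment on: too many Referer mismatches or an
    implausibly high click-through rate. Thresholds are illustrative only."""
    flagged = set()
    for pub, s in publisher_stats(impressions, clicks).items():
        if s["clicks"] < min_clicks:
            continue
        ctr = s["clicks"] / s["impressions"]
        mismatch_ratio = s["mismatches"] / s["clicks"]
        if mismatch_ratio > max_mismatch_ratio or ctr > max_ctr:
            flagged.add(pub)
    return flagged


if __name__ == "__main__":
    for m in referer_mismatches(IMPRESSIONS, CLICKS):
        print("mismatch:", m)
    print("flagged publishers:", suspicious_publishers(IMPRESSIONS, CLICKS))
```

Against the constructed data, the two bot clicks and the orphan click are reported and pub-bob is flagged; the legitimate publisher, with one consistent click, is not. The check is only as good as the assumption that the serving-side URL is logged, which is exactly the gap the bot’s referrer trick exploits.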

Using the low-and-slow approach doesn’t mean it will take long for Bob to start making money. For example, using just Google, let’s assume Bob’s stealthily propagating (i.e., slowly spreading) malware infects 10,000 machines; each machine is handed 20 Google ads and, because of the random click algorithm, clicks only half of them, for a total of 100,000 ad clicks. Let’s also assume that Bob chooses to display ads that generate revenue of $0.50 per click. Using this approach, Bob generates $50,000 in revenue (10,000 × 20 × 50% × $0.50). Not bad for a couple of weeks’ worth of work.

Now that we understand Bob’s motives and how he plans to attack, let’s return to our fictitious company and see how they are handling the malware outbreak. Because Bob wants to remain inconspicuous, the malware, once running, reports to a central server over HTTPS and sends copies of all usernames and passwords typed into websites by the company’s employees. Because Bob built his bot as a BHO, it captures passwords inside the browser before they are encrypted, so it gets them whether or not the site uses SSL. Logins to websites including the employee credit union and online vendors such as eBay and Amazon.com are logged and sent to Bob’s rented server. Since the communication happens over HTTPS to Bob’s rented website, which is not flagged as a bad site by the company’s proxy, nothing is blocked.
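The proxy lets the traffic through because the destination is not on any blocklist, but it still records every CONNECT. As an added example (my code, not the book’s), here is one way a defender can find the bot’s check-ins anyway: look for destinations that several internal hosts contact at a steady cadence. The log lines are constructed in Squid’s native access.log layout (timestamp, elapsed ms, client, action/code, bytes, method, URL, user, hierarchy, type); the host name rented-host.example, the client addresses and the 30-minute interval are my assumptions, not details from the page.

```python
"""Added example: spotting periodic HTTPS check-ins in proxy logs (assumptions mine).

Constructed Squid access.log lines: three infected hosts CONNECT to the same
rented server roughly every 30 minutes, while everyone also browses ordinary
sites at irregular times.
"""
import statistics
from collections import defaultdict

BASE = 1317734400.0  # constructed start time (epoch seconds)


def _line(ts, client, url):
    """One Squid access.log line for a CONNECT through the proxy."""
    return (f"{ts:.3f}    150 {client} TCP_TUNNEL/200 4310 CONNECT {url} "
            f"- HIER_DIRECT/203.0.113.10 -")


def _constructed_log():
    lines = []
    checkin_gaps = [1800, 1812, 1793, 1805, 1820, 1785, 1809]   # ~30 min plus jitter
    browse_offsets = [130, 400, 2500, 9000, 9100, 12000]         # irregular browsing
    for client in ("10.1.1.20", "10.1.1.21", "10.1.1.22"):
        t = BASE
        lines.append(_line(t, client, "rented-host.example:443"))
        for gap in checkin_gaps:
            t += gap
            lines.append(_line(t, client, "rented-host.example:443"))
        for off in browse_offsets:
            lines.append(_line(BASE + off, client, "www.cnn.com:443"))
    lines.append(_line(BASE + 60, "10.1.1.20", "mail.example.com:443"))
    lines.append(_line(BASE + 3660, "10.1.1.20", "mail.example.com:443"))
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Return (timestamp, client_ip, destination) for one Squid access.log line."""
    fields = line.split()
    return float(fields[0]), fields[2], fields[6]


def sessions(lines):
    """Map (client, destination) -> sorted list of connection timestamps."""
    seen = defaultdict(list)
    for line in lines:
        ts, client, dst = parse_line(line)
        seen[(client, dst)].append(ts)
    return {k: sorted(v) for k, v in seen.items()}


def interval_regularity(timestamps):
    """Mean inter-arrival gap and its coefficient of variation (stdev / mean).
    A low coefficient means the connections come at a steady cadence."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(lines, min_events=6, max_cv=0.2, min_clients=2):
    """Destinations contacted by at least min_clients hosts, each at a steady
    cadence (>= min_events connections, CV <= max_cv). Thresholds are illustrative."""
    regular = defaultdict(dict)   # dst -> {client: mean_gap}
    for (client, dst), stamps in sessions(lines).items():
        if len(stamps) < max(min_events, 2):
            continue
        mean, cv = interval_regularity(stamps)
        if cv <= max_cv:
            regular[dst][client] = mean
    hits = []
    for dst, clients in regular.items():
        if len(clients) >= min_clients:
            hits.append({"dst": dst, "clients": sorted(clients),
                         "mean_interval": round(statistics.mean(clients.values()), 1)})
    return sorted(hits, key=lambda h: -len(h["clients"]))


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['dst']}: {len(hit['clients'])} hosts, every ~{hit['mean_interval']} s")
```

On the constructed log the only destination reported is the rented server, contacted by all three hosts about every 1800 seconds; the CNN traffic has the same event count but an erratic cadence, and the mail host has too few events. Real traffic needs an allowlist of known periodic services (update servers, telemetry) and a longer window, but the shape of the check is the same.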

Wednesday 8:00 am   The malware propagates by emailing itself to everyone in the corporate address books of the executives who received the message from the “CEO.” It also begins lateral movement, infecting other machines by exploiting network vulnerabilities in unpatched systems and in machines running older versions of Microsoft Windows that IT hasn’t had a chance to update yet. Why didn’t the CIO approve the patch management product the network security team proposed to buy and implement last year?

Wednesday 4:00 pm   Hundreds of employees’ computers have been infected, but word of the “required application” from the email has reached IT, so they start to investigate. IT suspects malware, but neither the corporate antivirus nor the email antivirus detected it, so they don’t know what the executable does: they have no information about its intent or how it operates. As a result, they place their trust in their security vendors and send samples to their antivirus vendor for analysis.

Thursday 10:00 am   IT is scrambling to remove the malware using the custom signatures received from the antivirus vendor last night. It is a cat-and-mouse game, with IT barely keeping ahead of the propagation. IT turned off all workstations companywide last night, including those required by the manufacturing firm’s order processors in London. Customers are not happy.

Thursday 8:00 pm   IT is still attempting to disinfect the workstations. An IT staff member starts to analyze the binary on his own and, based on strings in it that reference a past scuffle between the previous CIO and the director of IT, suspects it may have been written by an ex-employee. IT contacts the FBI to determine whether this could be a criminal act.

Friday 9:00 am   The quarterly meeting is supposed to start but is delayed because the workstation the CEO must use to give his presentation was infected and hasn’t been cleaned: the machine was off when IT pushed out the new antivirus updates. The CEO calls an emergency meeting with the CIO to determine what is happening. IT continues to disinfect the network and is making steady progress.

Saturday 11:00 am   IT believes they have completely removed the malware from the network. Employees will be ready to work on Monday, but IT still has much to do: the infection caused so much damage that 30 workstations have to be rebuilt because the malware could not be completely removed from them.

Next Monday 3:00 pm   The CIO meets with the CEO to give an estimated cost of the time spent cleaning up the problem. Neither the CEO nor the CIO can put a number on the lost sales or the lost productivity of the 1500 workers whose machines were infected and who were unable to work. Furthermore, the CIO informs the CEO that a few employees had their identities stolen because the malware captured their credentials as they logged into their online bank accounts. The victimized employees want to know what the company is going to do to help them.

Situations like this are not uncommon. The technical details differ from case to case, but the Monday meeting between the CIO and the CEO happens frequently. It seems no one within the manufacturing organization anticipated this attack, even though the industry trade magazines and every security report said it was inevitable. The main issue, in this case, is that the company was unprepared. As in war, knowledge is half the battle, and yet most organizations do not understand malware, how it is written, or why it is written, and they don’t have adequate policies and processes in place to handle a full-scale bot outbreak.

In our case study, the time IT had to dedicate to getting the business back up and running was substantial, and that figure does not include any breach notifications, compliance violations, or legal costs that result from the malware capturing personally identifiable information. Imagine how much all of these will cost the organization.