LAS VEGAS -- Two researchers peeled back the curtain on targeted malware today at the Black Hat Briefings, demonstrating examples of attacks that relied on a variety of hacks, ranging from zero-day PDF attacks to memory-based rootkits. In each of the four examples, the attack was specially crafted to beat the target company, and new layers of functionality were added to the malware to either beat detection protections already in place, or frustrate network security forensics investigators.
"Customization of malware is the key," said one of the presenters, Nick Percoco, senior VP at Trustwave's SpiderLabs, the Chicago-based forensic company's security research arm. "Also, slow and steady wins the race for today's attackers. They're not in it for quick and dirty hacks. Persistency is the key; they have to get in and maintain the attack," Percoco said.
Targeted, persistent attacks have been prominent this year, starting with Google's admission that it, along with more than 30 other technology companies, large enterprises and defense contractors, had been infiltrated by attackers from China using sophisticated attacks to quietly siphon sensitive data. The attacks also introduced APT, or advanced persistent threat, into the security lexicon.
While targeting may be gaining more prominence, the means by which attackers are getting into enterprises aren't much different than they were 18 months ago. Keyloggers, network sniffers and memory-dumping rootkits are still in vogue; the newness is in the way attackers are covering their tracks in order to maintain a persistent presence inside an organization.
In many instances, Percoco and his co-presenter, Trustwave senior forensic investigator Jibran Ilyas, pointed out that attackers are hiding in plain sight. For example, they're moving data out of organizations using tried-and-true means, such as FTP, HTTP and SMTP. Firewalls won't flag HTTP traffic as an anomaly, but they will raise an alarm if traffic starts moving over TCP port 31337, Percoco said.
In other cases, such as a recent attack against a high-profile Miami sports bar often frequented by celebrities, attackers have found simple ways around data loss prevention software. Attackers used a memory rootkit to install malware, which then captured track data from credit cards swiped at the bar. The bar had no IT staff and outsourced all of its IT needs. Making matters worse, its point-of-sale system was also the DVR server for its video security system.
The attackers managed to install the rootkit, which would extract only track data containing card numbers from the cards' magnetic stripes. Each data track contains a caret character between the credit card number and the account holder's name. The malware was designed to spot the caret character and replace it with a percent sign. DLP looking for the caret character as part of the card number pattern would never catch this in data being exfiltrated, Ilyas said.
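The detection gap described above can be reproduced from the defender's side. The following Python sketch is an added example, not code from the presentation or from any DLP product: it compares a rule keyed to the literal caret with a structural rule that accepts any repeated punctuation separator and confirms the card number with a Luhn check. The rule names, the sample record and the well-known test card number are constructed for illustration.

```python
import re

# Track 1 (format B) layout: B<PAN>^<NAME>^<YYMM><service code>...
# Caret-keyed rule: the kind of signature the article says was evaded.
CARET_ONLY = re.compile(rb"B(\d{13,19})(\^)([A-Z][A-Z /.\-]{1,25})\2(\d{4})(\d{3})")
# Structural rule: any single punctuation byte may be the separator, provided the
# same byte appears in both separator positions.
ANY_SEPARATOR = re.compile(
    rb"B(\d{13,19})([^A-Za-z0-9\s])([A-Z][A-Z /.\-]{1,25})\2(\d{4})(\d{3})"
)

def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum over an ASCII digit string; filters random digit runs."""
    total = 0
    for i, c in enumerate(reversed(pan)):
        d = c - 48                      # ASCII digit to int
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_track1(data: bytes, rule: re.Pattern) -> list:
    """Return (masked PAN, separator) for each Luhn-valid Track 1 match."""
    hits = []
    for m in rule.finditer(data):
        pan, sep = m.group(1), m.group(2)
        if luhn_ok(pan):
            masked = pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]
            hits.append((masked.decode(), sep.decode()))
    return hits

# Constructed samples: a test-number Track 1 record, the same record with the
# caret swapped for a percent sign, and a look-alike that fails the Luhn check.
SAMPLE = b"%B4111111111111111^DOE/JOHN^25121010000000000?"
REWRITTEN = SAMPLE.replace(b"^", b"%")
NOISE = b"B1234567890123456%DOE/JOHN%2512101"

if __name__ == "__main__":
    for label, blob in (("original", SAMPLE), ("rewritten", REWRITTEN), ("noise", NOISE)):
        print(label, find_track1(blob, CARET_ONLY), find_track1(blob, ANY_SEPARATOR))
```

Matching on the record's structure plus a checksum, rather than on one literal delimiter, is what lets the second rule survive the substitution.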
In an attack against a West Coast online adult bookstore, attackers managed to beat a Web application (all Web app development was outsourced) and install a keylogger in order to steal authentication credentials on an admin page they'd found online. Incredibly, the admin page allowed file uploads, which enabled this attack to happen.
To elude a sharp admin who might notice a new log file had been created in the Windows folder, the malware was also packed with a tool that could change the timestamp data on new entries, making them look as if they'd been present since the date the operating system had been installed.
"Too many third parties are falling down on the job somewhere," Percoco said.
Third-party failures also took down an international VoIP provider. The provider offered its customers two payment options: either online or through kiosks. Attackers were able to install a network sniffer rootkit that was packed with ngrep, a tool that allows users to search for regular expressions in network packets. The malware would look at packets for track 2 credit card data and then send it out via FTP at the same time every day.
In the final example the two shared, a U.S. defense contractor that was doing analytics for the military was compromised by an Adobe PDF zero-day attack. A well-crafted email looked like it was coming from an executive and contained the same verbiage and signature that the executive would use. An infected PDF was attached and, once opened, malware would steal everything from the victim's My Documents folder and route it out via FTP to the attacker's server.
"These attacks are not slowing down," Percoco said. "We're seeing new attacks continuously; they're constantly developing and adding new sophistication and new layers of automation. Attackers via this automation don't even have to touch a system."