While threats to enterprise networks proliferate so rapidly that it's impossible to keep tabs on the latest virus or Trojan, there are secure practices that companies can use to prevent, detect and remove malware for good.
In part two of this video series, Greg Hoglund explains some of the newest malware threats to enterprise environments and how best to confront them.
About the speaker:
Greg Hoglund is CEO of HBGary Inc. and creator of the first rootkit.
Read the full transcript from this video below:
Please note the full transcript is for reference only and may include errors. To report an error, contact email@example.com.
Newest malware threats
Greg Hoglund: I would say the most important new attack vector is something that I call desktop exploitation. That is the introduction of malicious code into the enterprise through the use of documents, documents center, email, or other means. These documents are, for example, PDF, or like I was talking about earlier, Excel spreadsheet. Other types of content also can come in through ActiveX, a rich content, delivered through web pages. Remember again, the program that is rendering the content so that you can view it is not a simple text editor; it is a complete environment with graphics, parsing and language under the hood. Those programs, for the most part, have never been under the same thumb that some of the server software has been, in terms of securing it against an attacker. These environments have more code, there is a lot of stuff going on, bigger teams, a lot of components have to be brought together. A lot of them using things like Com, where there are third party components coming in that your team did not even develop; they are developed by a completely different company, and they are being used. All these interactions create an immersive and massive connection. All these different vectors that are not typically available in these server environments that are very lean, very audited, especially at the surface levels. Just to make this story short, those rendering environments, Microsoft Word, PDF, we will use those as examples, are much more likely to be exploitable, easier to find bugs in, so bad guys got more stuff they can exploit there. All they got to do is send you one of these crafted documents; you open it, and bam.
We have seen malware drop that its only job is to steal your digital identity. It goes through a series of very defined search places in your computer, such as your protected storage area for storing of passwords in Internet Explorer. It will inject something specifically in to say Bank of America's web page or E-Trade's web page, and it adds in additional components to have you enter your Social Security number and your mother's maiden name. These are things they need, they being the bad guys, so they can actually steal your account. Those are not bots and do not operate like bots, they just get that information and exfiltrate it to a drop site where it is later picked up. They can come in different forms.
The big answer is no; the malware has pretty much like it has always been. For the most part, it does not contain rootkit technology. It is mostly user mode. The behaviors that malware has within it to do what it does is very easy to see. We at HB Gary been able to identify all kinds of interesting behaviors that are very common to malware, irrespective of its particular malware variant. However, that being said, we do see some droppers come in, occasionally, that have a kernel mode component. A couple of weeks ago, for example, we just saw a new beep.sys, this is a device driver for windows, but oftentimes it will be a used as a Trojan and it will actually have a rootkit and it will be downloaded from a remote site. We got a new one of those, and it was kernel mode, of course, and it was packed. It was the first time I had actually seen packing used in a kernel mode binary. That means that there is a packer that has been developed that can build a device driver in packed format without causing any blue screens or any other types of problems when it unpacks itself and runs in the kernel. That is new technology, so there is an emergent piece of technology that makes it harder to take apart that rootkit if you do a static analysis on it. An analyst is doing forensic investigation and captures it; it makes it harder for him to get information out of that thing. It is a self-defense that the developers of this malware are starting to use. Occasionally we do get rootkits in the kernel, but not very often.
One thing to do is just keep in mind that everything is a defense-in-depth strategy. Just because you cannot get all the bad stuff does not mean that those technologies that are already there do not have some value. They are removing some malware capability from getting in to your network. Remember what I said earlier: the bad guys can get their hands on this technology, so they are going to craft ways to get around it, and they do. By the way, those guys are not usually the ones attacking your network; they are the ones building the tools that they sell to the guys that attack your network. There is a whole underground in cyber weaponry. The bad guys get their hands on a pretty new toolkit and they are able to get into lots of machines, millions. That is the problem.
There is this defense-in-depth strategy, and there is going to be a threat that can get all the way through to the end, but you have still got to be able to detect those guys once they get in. In that environment, you need to detect behaviors as specific signatures. There could be over 100,000 malware out there that do keylogging, but there is only six ways to sniff keystrokes on Windows, so if you can detect the behavior of keylogging, regardless of what program is doing it, now you can detect suspicious behaviors that did make it all the way into the network. The thing to remember about this is, even though you did not block the behavior, even though you did not stop it at the firewall, the bad guy may have not done any damage to you yet. This is just his first step into your network, so it is still proactive to detect something once it's in the environment. Now you know about it' if you did not know about it, then it would be a problem. If you know about it, you can try to remove it, and you can find actionable intelligence in that binary, for example IP addresses, or DNS names for drop sites, things that you can back to your network devices and do checks and searches for. Also, grab the unique strings and things that are in this binary and search the rest of your network for it, and you can find other instance of this same malware.
You have to be able to codify the behaviors of the software into a general format. You cannot depend on a specific signature or an MD5 checksum. You have to be able to reverse engineer, or find some other means to come up with small features, and many of them, which in combination create a larger description of what that malware does, or what that program does. If you can do that, then you can search the rest generically, more of like a fuzzy system. That is, of course, what we do at HB Gary, which you are leading me into that, I can tell. We call that digital DNA. The general concept is very sound. Generalized detection of behaviors is far superior to a signature based system, especially when you are talking about what bad guys actually did get into my network. When they get through everything else, and they are on the machine, I do not care so much about the false positive; I do not care about a developer tool showing up as suspicious. If it is keylogging, even if it is supposed to keylog, because that is what it does, it is still suspicious. I do not need a signature, what I need to know is what got into that machine looks bad, and then I can go and look at it in greater detail.
Removal can be done if you analyze the malware to the point where you got the registry keys, the file paths, things of that nature, but that takes some time. A lot of enterprises do not have time, and furthermore, they may just simply, by policy decide, 'We do not know if we got it all.' Removing is not really a concept they are going to embrace; they are just going to wipe the machine and just put a whole new clean build out. Still, behavioral analysis should be performed to make sure you did not get a re-infection. We have seen situations where machines are cleaned, and then 50 percent of them get re-infected with the malware again shortly after they are deployed. Behavioral analysis can help you ensure that those machines didn't get re-infected. The vulnerability that was in the machine to begin with that allowed it to be infected is probably still there -- just remember that.