New Attack Binds Malware in Parallel to Software Downloads

Open source software distribution systems that lack security processes and integrity checks are prone to a new attack that binds malware to a download without modifying the original application.

In order to solve problems—problems such as intelligence agencies or hackers infecting open source software distribution systems with malware—one must first understand how problems may be exploited.

Researchers from Ruhr University in Bochum, Germany, have developed a proof-of-concept attack in which they are able to inject malicious code into a download that runs in parallel to the original application, without modifying the code.

The attack targets free and open source software, in particular those where code signing verification and other integrity checks are lacking in the download process.

“This situation can obviously be exploited by cyber criminals, and also by governments intending to deploy spyware against suspects,” wrote researchers Felix Grobert, Ahmad-Reza Sadeghi, Marcel Winandy and Horst Gortz in a paper published recently called “Software Distribution Malware Infection Vector.”

Rather than spike the original application with malware, the researchers use a binder that links the binder application, malware and original download.

“Since original application is not modified one has the advantage that the malicious code can be of a larger size, and thus provide more functionality,” the researchers wrote. “Then, upon starting the infected application the binder is started. It parses its own file for additional embedded executable files, reconstructs and executes them, optionally invisible for the user.”

The paper points out that the attacker would need only to control an intermediate network node in the chain of nodes from the client to the download server. The attacker can compromise the network link via an insider tricked via social engineering, for example, or also by compromising a router or using a network redirection attack to a server under their control. Using the binder, meanwhile, saves the attacker from having to buffer the file which would delay the download and possibly raise suspicion, the paper said.

The attack succeeds against open source software distribution systems, the paper says, because many lack encryption or integrity verification of traffic. For example, files are not cryptographically checked after transmission by comparing a hash of the downloaded file to a trusted database of hashes, the paper said.

“Due to the nature of the binder, the original application may embed signatures and decryption algorithms: the binder reconstructs the original application file and creates a process from the original file,” the researchers wrote. “Thus the application will then be in the same state as if the user had run it manually.”

The researchers’ implementation involved two components: one is a toolchain called Cyanid that fetches, filters and modifies HTTP downloads; and another called Calcium, which is the binder that infects binary executables.

The toolchain is made up of three tools: Netfilter, Transproxy and Privoxy. Netfilter and Transproxy drop a proxy between any TCP connection established over a network node under the attackers control. Netfilter, the researchers said, can be used to filter packets, do NAT and port translation and redirect the target to the attackers’ localhost. Transproxy forwards connections to Privoxy, which the researchers patched in order to modify the binary. Privoxy filters HTTP cookies and filters website ads normally; the researchers use it to filter and rewrite HTTP requests and responses, the paper said.

“As the binder technique does not modify the original application, it is well-suited for executables with embedded signatures or code decryption algorithms,” the researchers wrote.

As the paper explores only some possible means of infecting a binary in transmission, the researchers also discussed some potential countermeasures, including the effectiveness of VPNs or HTTPS that would trigger alerts malware detection systems may not. File-integrity checks post-download to could also raise alerts, but the researchers point out that most applications are unsigned. Also, on older systems such as Windows XP, users must manually check file signatures.

Some virtualization and Trusted Computing solutions could offer relief against these types of attacks, the paper said by isolating critical applications and through the use of a secure, verifiable boot process.

Suggested articles