LAS VEGAS–Security technology and practice have advanced quite a bit in the past few years, but one thing that has become clear is that whatever gains have been made are just not keeping pace with the innovation of attackers. The advances being made by malware authors and crimeware gangs are keeping them well ahead of the curve and will continue to do so for the foreseeable future, researchers say.
While money has been the main driver for targeted attacks for some time now, recent developments have shown that attackers are now intent on keeping control of a compromised system for as long as possible and they’re finding new and interesting ways to stay hidden all the time. In a talk at the Black Hat conference here Wednesday, a pair of researchers from Trustwave showed demonstrations of several pieces of custom malware that they’d run across in incident investigations in the last year, some of which were clearly written specifically for the networks on which they were found. And some of the attack tools had been on the systems for several months, siphoning off credit and debit card data.
In one incident, a sports bar in Miami was targeted by attackers who used a custom-designed rootkit that installed itself in the machine’s kernel, making detection particularly difficult. The rootkit had a simple, streamlined design and was found on a server that handled credit card transactions at the bar. It searched for credit card track data, gathered whatever it found and dumped the data to a hidden folder on the machine. The attacker behind the rootkit took the extra step of changing a character in the track data that DLP software looks for in order to identify credit card data as it’s leaving a network, making the exfiltration invisible to the security system.
“You won’t see this in the task manager or even in Process Explorer,” said Jibran Ilyas of Trustwave, who gave the talk with Nicholas Percoco. “You see nothing.”
That kind of persistent, evasive custom malware has become a major worry for security staffs and IT departments, many of whom don’t have much experience with sophisticated targeted attacks. Most network security systems were set up to defend against known and relatively easily identifiable threats such as viruses and DDoS attacks. So when an attacker spends weeks or months doing reconnaissance on a network, mapping it out and planning an attack, the defenders don’t have much of a chance.
And that was exactly the case with another of the incidents that Ilyas described. In that case, the attacker had spent some time watching the company, learning its organizational structure and observing the ways that it worked. He then crafted an email memo that looked like it was coming from the company’s CEO, complete with the CEO’s exact email signature and using the same phrases the CEO favored. The email contained a malicious PDF attachment that exploited a then-unknown vulnerability in Adobe Reader and the victim’s system was compromised.
“The key thing for the attackers is to maintain persistence. People are sticking around for a very long time on these systems, and if you have that much time you can mine a lot of data,” Percoco said. “This data is stolen in transit and a lot of these pieces of malware have anti-forensics tools included in them to make it harder to analyze them. These attacks are not slowing down anytime soon. We’re seeing them increase.”