Persistent, Covert Malware Causing Major Damage

LAS VEGAS–Security technology and practice have advanced quite a bit in the past few years, but one thing that has become clear is that whatever gains have been made are just not keeping pace with the innovation of attackers. The advances being made by malware authors and crimeware gangs are keeping them well ahead of the curve and will continue to do so for the foreseeable future, researchers say.

While money has been the main driver for targeted attacks for some time now, recent developments have shown that attackers are now intent on keeping control of a compromised system for as long as possible and they’re finding new and interesting ways to stay hidden all the time. In a talk at the Black Hat conference here Wednesday, a pair of researchers from Trustwave showed demonstrations of several pieces of custom malware that they’d run across in incident investigations in the last year, some of which were clearly written specifically for the networks on which they were found. And some of the attack tools had been on the systems for several months, siphoning off credit and debit card data.

In one incident, a sports bar in Miami was targeted by attackers who used a custom-designed rootkit that installed itself in the machine’s kernel, making detection particularly difficult. The rootkit had a simple, streamlined design and was found on a server that handled credit card transactions at the bar. It searched for credit card track data, gathered whatever it found and dumped the data to a hidden folder on the machine. The attacker behind the rootkit took the extra step of changing a character in the track data that DLP software looks for in order to identify credit card data as it’s leaving a network, making the exfiltration invisible to the security system.
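The sentinel tampering described above is the reason a practitioner should not key card-data detection on the track's sentinel characters alone. The following is an added example (not code from the article or from Trustwave) that flags Track-2-style data by Luhn-validating any 13 to 19 digit run and then noting, but not requiring, the surrounding track layout; all sample lines are constructed.

```python
import re

# Candidate PAN: 13-19 consecutive digits. Deliberately independent of the
# ';' '%' '?' sentinels, since those are what the rootkit altered.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track-like context right after the PAN: '=' (Track 2) or '^NAME^' (Track 1),
# followed by a YYMM expiry. Used to enrich a hit, not to decide it.
TRACK_CTX_RE = re.compile(r"^(?:=|\^[^^]{2,26}\^)(\d{4})")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_data(blob: str) -> list[dict]:
    """Scan one line/blob and return masked hits for Luhn-valid PANs."""
    hits = []
    for m in PAN_RE.finditer(blob):
        pan = m.group(1)
        if not luhn_ok(pan):
            continue            # random digit runs (order ids etc.) drop out here
        ctx = TRACK_CTX_RE.match(blob[m.end():m.end() + 40])
        hits.append({
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "track_context": ctx is not None,
            "expiry": ctx.group(1) if ctx else None,
        })
    return hits


# Constructed samples: a well-formed Track 2 record, the same record with the
# start/end sentinels replaced, and a digit run that is not a card number.
SAMPLE_LINES = [
    ";4111111111111111=2512101123456?",
    "X4111111111111111=2512101123456Z",
    "order-1234567890123456-ok",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, "->", find_card_data(line))
```

The tampered second line is still caught because the decision rests on the PAN itself, while the third line (a Luhn-invalid digit run) produces no hit.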

“You won’t see this in the task manager or even in Process Explorer,” said Jibran Ilyas of Trustwave, who gave the talk with Nicholas Percoco. “You see nothing.”

That kind of persistent, evasive custom malware has become a major worry for security staffs and IT departments, many of whom don’t have much experience with sophisticated targeted attacks. Most network security systems were set up to defend against known and relatively easily identifiable threats such as viruses and DDoS attacks. So when an attacker spends weeks or months doing reconnaissance on a network, mapping it out and planning an attack, the defenders don’t have much of a chance.

And that was exactly the case with another of the incidents that Ilyas described. In that case, the attacker had spent some time watching the company, learning its organizational structure and observing the ways that it worked. He then crafted an email memo that looked like it was coming from the company’s CEO, complete with the CEO’s exact email signature and using the same phrases the CEO favored. The email contained a malicious PDF attachment that exploited a then-unknown vulnerability in Adobe Reader and the victim’s system was compromised.

“The key thing for the attackers is to maintain persistence. People are sticking around for a very long time on these systems, and if you have that much time you can mine a lot of data,” Percoco said. “This data is stolen in transit and a lot of these pieces of malware have anti-forensics tools included in them to make it harder to analyze them. These attacks are not slowing down anytime soon. We’re seeing them increase.”

Discussion

  • Anonymous on

    So let me get this straight, the message is, "WE'RE DOOMED."  It's nice to know the enemy, but isn't there any good news out there?  What research is being done?  Who's doing that research and what advances are being made.  It sounds like the criminals have won the war.

  • Emily on

    I am old enough to remember warehouses full of paper files.  And companies saving all that space and all those hours - not to mention all that paper - when the computers arrived.  I do not put any income sensitive information on my computer, and the only credit card is a gift card I fund with an amount close to what I spend.  This might not be a good plan for corporate globals, but it works fer me!

  • JoeFam on

    Emily...You do not have to put sensitive information on your computer. It is available at your credit card's web site, or your bank's web site. It's just a matter of a criminal hacking those websites. Not too easy, as explained in Threatpost, but not impossible. Luckily for us little guys, we are not worth the criminal effort....yet

  • noug on

    The cybercriminals have not "won the war" and AV is alive and kicking. Get this -- four thousand cars are stolen in the US every day. FOUR THOUSAND. Has "security" for a larger, more established industry made the same progress over the past 10 years as the software security industry? No. Stuff gets stolen every day -- whether it is cars, stuff in warehouses, whatever. It's the software security researchers out there talking about it and making the issues better understood that spurs customer awareness and progress.

  • Saganist on

    No. What I get from such modern discussions about computer software design is that there are too many points of entry, both in the code and in the way computers connect on the net and between themselves. Every IT security convention or conference seems to uncover huge, major flaws in software design. These latest Black Hat conference highlights are huge. Something basic has to change. Security cams and the propagation of cell phone cams have helped deter many forms of crime. Caller ID put an end to most crank phone calls. Constantly updating spam server lists have made gains against spammers. Modern IT needs some kind of similar innovation.

    In the example above the email and attachment were the entry vehicles. It is hard to think of ways to block such 'trusted entry' into any shared system.

    In this case it makes me wonder about one-time email receivers and viewers and have such a device NOT connected to anything else in a system.

    All of IT security since we're all on the net also makes me think of massive class action suits.
