Welcome to Volume 4, Issue 12 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is this newsletter. We promise to provide something useful each issue. If we don't, flame me. If you like the issue, let us know!
Enjoy, and be safe,
Dave
Non-viral malware. When you first hear this phrase, it sounds like an oxymoron George Carlin might use in a comic routine ("Jumbo shrimp? How can it be a shrimp and jumbo?"). The characteristics of non-viral malware also remind me of a benign tumor - inconspicuous, non-replicating, unremarkable.
But non-viral malware is anything but benign. Today, Pete Cafarchio explains how non-viral malware or "pest-ware" takes many forms, and can be used to steal information, spy on unsuspecting users and organizations, and abuse any electronic privacy rights you may believe you still have.
Pete Cafarchio, PestPatrol
"We have a firewall and anti-virus software in place, so our network is protected." To a certain extent, that's true. But don't fall into the trap of thinking that if you have a firewall and AV (maybe VPNs and IDS, too), you're protected from everything. A false sense of total security is more dangerous than recognizing that your network isn't - and can't ever truly be - 100% secure. This is especially true in the case of non-viral malware.
As a background for our discussion, we need to explain the differences between viral and non-viral malware.
Viral malware typically replicates rapidly and fairly indiscriminately. Worms like Code Red are able to spread worldwide in a matter of hours. You usually recognize a viral infection from the odd system behavior it causes, but if, by some chance, you don't, the recipients of your unwitting mass e-mails or a system administrator will notify you soon enough.
Viruses and worms, if they work, always have malicious intent. The result of a viral infection is essentially a denial of service, since it denies you the use of your computing resources until the problem is fixed. The dollar costs of such attacks are fairly simple to determine, since it's largely a measure of the time taken to restore those resources to operation.
Non-viral malicious software doesn't replicate. It is planted by hackers, or unknowingly downloaded by unsuspecting users, or foisted on systems as part of a software package to track the user's behavior or software usage. By its nature, non-viral malicious software is designed to be inconspicuous and stealthy. Frequently, the damage to a system or network isn't immediate, so infections can go undetected for long periods of time. Or, in the case of tracking software, data is simply collected over a period of time for later use in who knows what manner.
Certain categories of non-viral malware fall in a gray area. For instance, a powerful administrative tool like a network sniffer is widely and legitimately used for diagnostic purposes, but it can also be used to breach security in the wrong hands.
While viruses generally damage individual files or file types, or simply cause annoyance by jamming up e-mail systems, the potential damage from non-viral pests extends into data theft, espionage, electronic privacy violation, and issues of legal liability.
Some examples of non-viral malware include hacker tools, Remote Administration Trojans (RATs), spyware, and DDoS zombie agents. Let's take a closer look at some of these.
Keylogger - A keylogger is a hacker tool that, once installed on a system, captures all keystrokes and stores them in a file. Some employers use keyloggers to monitor productivity, but hackers use them to capture passwords and IDs or the contents of confidential documents, then typically have the results e-mailed back to them. Keyloggers are also finding a niche in surveillance activities - legally sanctioned or otherwise. In an illustration of the new blended threat approach, the BadTrans.B mass-mailing worm installed a keylogger, as do many Remote Administration Trojans (see below).
Remote Administration Trojans (RATs) - RATs give a hacker complete control over the victim's computer, as if the hacker were at the keyboard. Early examples of RATs included Back Orifice and Netbus, which were relatively simple tools. But new types like SubSeven, Bionet, and hack'a'tack are far more sophisticated. They have easy to use point and click interfaces and are widely available on the Internet. Entire development communities have grown around RATs, where script kiddies are busy creating and distributing plug-in modules to increase the RAT's capabilities, including: random port connections; encrypted communications; move, copy, rename, or delete any file; run any program; log all keystrokes; grab password files; relay an attack through the victim's system to another system; and a host of annoying 'features' like text to speech synthesis and changing screen settings. The real danger of RATs is that they are used to obtain information which can in turn be used for a much more serious attack against a network.
Commercial Remote Administration Tools - Commercial software programs that can be used for legitimate purposes by authorized personnel but which can pose serious security threats in the wrong hands. In March of this year, Newsbytes reported that "the Naval Computer Incident Response Team (NAVCIRT) received several computer incident reports involving the installation of RemotelyAnywhere on compromised computer systems which in turn enables scanning, probing, and compromising of additional Defense Department systems." Programs such as LoudPC, pcAnywhere, GoToMyPC, and RemotelyAnywhere are easy for users to obtain and install, and have the potential to open huge security holes in your network.
Hacker tools - As with commercial Remote Administration Tools, users can install unauthorized port scanners, network sniffers, and password crackers. These may have a useful role as part of a security administrator's toolkit, but why does Joe in Accounting have L0phtCrack on his system? It's important to know where these kinds of tools are installed on your network and to have and enforce a policy that governs their use.
DDoS zombie agents - Are used to turn a client system into an agent for a Distributed Denial of Service attack, and allow hackers to share lists of compromised systems. DDoS attacks first drew wide attention in February 2000, and the SANS Institute reports that they are now seeing attacks using 100 times the number of zombies just two years later. The rise of "always on" broadband connections and the availability of much greater computing power in everyday PCs have contributed to the rapid growth of this threat.
Spyware and Adware - Such programs often piggyback on freeware applications, and then deliver advertisements to the user. While this may in itself seem harmless, they also collect surfing habits, sites visited, and other information from the user and return it to the parent company. Even though the users are almost always unaware of this activity, they probably inadvertently granted permission when they clicked "Yes" to accept the program's license agreement without reading the 'fine print' when they installed the software. At a minimum, spyware is an invasion of privacy; however, it also sends unauthorized information out, which is not only a security concern but, multiplied across many desktops, can consume bandwidth and firewall capacity.
Evasion
Non-viral malware poses unique challenges to network and security administrators. First and foremost, it can easily evade existing security measures. Even today, many systems administrators mistakenly believe that anti-virus software will provide adequate protection against all types of malware, but the leading AV products don't even attempt to deal with illicitly installed hacker tools, spyware, or commercial RATs. And while they may detect standard forms of some well-known trojans, those trojans can be easily "packed" with a custom encryption program to evade detection. And anti-virus programs generally can't remove trojans.
After a non-viral malware infection occurs, the threat changes from a content security issue to a network security issue - and that's just the beginning of the problem. Let's look at a RAT infection, using SubSeven as an example.
Once installed on a PC behind a corporate firewall, the RAT silently tries to connect to its sender. Because most firewalls are configured to allow any outbound connection, they simply see this connection as a legitimate session, and the hacker easily establishes control over the victim's machine. Intrusion Detection Systems could use a rule to identify earlier versions of RATs because they opened the same port connection every time (SubSeven's default, for example, was TCP 27374), but newer RATs will use port 80 or other "must allow" ports. Other RATs may open a different random port every session, and will notify the hacker via e-mail exactly which port he should connect to for that session.
If the infected system is used by a remote user, when the user logs in to a corporate network via VPN, the hacker gains access to the corporate network as well. The VPN simply encrypts the session - it does nothing to stop the hacker from getting in.
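The three call-home behaviours just described (a connection to a RAT's default port, periodic "beaconing" over a must-allow port such as 80, and a non-mail host sending its own SMTP notification) can all be spotted in outbound firewall logs. The script below is an added example written for this newsletter, not PestPatrol code; the log format, the hosts and the "mail server" address are constructed, and the port table holds the well-known defaults of the RATs named above (a RAT can be reconfigured to any port, which is why the beacon check is there too).

```python
"""Flag outbound sessions in a firewall log that look like RAT call-homes.

Added example, not part of the original newsletter. The log format below is
constructed for this example; adapt parse_log() to your own firewall's export.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one outbound connection per line:
# timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2002-06-03T09:00:00 10.1.2.34 1051 192.0.2.10 80 tcp
2002-06-03T09:00:05 10.1.2.34 1052 198.51.100.7 27374 tcp
2002-06-03T09:00:12 10.1.2.50 1100 192.0.2.20 443 tcp
2002-06-03T09:00:20 10.1.2.60 1200 203.0.113.25 25 tcp
2002-06-03T09:00:25 10.1.2.5 2500 203.0.113.25 25 tcp
2002-06-03T09:05:05 10.1.2.34 1060 198.51.100.9 80 tcp
2002-06-03T09:10:05 10.1.2.34 1071 198.51.100.9 80 tcp
2002-06-03T09:15:05 10.1.2.34 1083 198.51.100.9 80 tcp
2002-06-03T09:20:05 10.1.2.34 1090 198.51.100.9 80 tcp
2002-06-03T09:07:30 10.1.2.50 1130 192.0.2.20 443 tcp
"""

# Default listening ports of the RATs named in the article. These are only
# defaults; an operator can move the RAT to any port, so treat a hit as a
# strong lead rather than the only signal.
RAT_DEFAULT_PORTS = {
    ("tcp", 27374): "SubSeven",
    ("tcp", 12345): "NetBus",
    ("udp", 31337): "Back Orifice",
}


def parse_log(text):
    """Parse the constructed log format into a list of connection records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto.lower(),
        })
    return records


def find_known_rat_ports(records):
    """Outbound sessions to a RAT's default port."""
    return [(r["src"], r["dst"], r["dport"], name)
            for r in records
            if (name := RAT_DEFAULT_PORTS.get((r["proto"], r["dport"])))]


def find_beacons(records, min_hits=4, jitter=0.1):
    """Flows from one host to one destination/port at a near-constant interval.

    A RAT polling its handler over port 80 looks like a metronome; a user
    browsing does not. jitter is the tolerated spread as a fraction of the
    median gap. Returns (src, dst, dport, median_gap_seconds).
    """
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    beacons = []
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median > 0 and max(gaps) - min(gaps) <= jitter * median:
            beacons.append((*flow, median))
    return beacons


def find_direct_smtp(records, mail_servers):
    """Hosts other than the sanctioned mail servers talking SMTP to the Internet.

    The article's "e-mail the hacker the port number" behaviour shows up here.
    """
    return sorted({r["src"] for r in records
                   if r["proto"] == "tcp" and r["dport"] == 25
                   and r["src"] not in mail_servers})


def analyze(text, mail_servers=frozenset()):
    """Run all three checks and return the hits by category."""
    records = parse_log(text)
    return {
        "rat_ports": find_known_rat_ports(records),
        "beacons": find_beacons(records),
        "direct_smtp": find_direct_smtp(records, mail_servers),
    }


if __name__ == "__main__":
    # 10.1.2.5 is the constructed "legitimate" mail relay for the sample.
    for kind, hits in analyze(SAMPLE_LOG, {"10.1.2.5"}).items():
        print(kind, hits)
```

On the sample, 10.1.2.34 is caught twice: once for the SubSeven default port and once for a five-minute beacon to 198.51.100.9 over port 80, while 10.1.2.60 is caught sending mail directly. The beacon rule is the one worth keeping once RATs stop using predictable ports; tune min_hits and jitter against a day of your own logs before alerting on it.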
Removal
Another challenge of non-viral malware is that it is extremely difficult to remove. Unlike viruses, which infect a portion of existing files, RATs and spyware install themselves as discrete programs, and will often modify the registry and startup areas so that they are the first processes activated during a boot. They may even rename themselves to appear as legitimate Windows processes. So removing them often requires changes to the registry and startup areas as well as file deletion, and may require a system reboot. In some cases, it may be necessary to compare the binary of a suspected file against a signed, legitimate executable. Anti-virus products aren't designed to perform these functions, and usually just refer users to a generic help document about editing the registry.
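The two tricks described above, a pest registering itself under an autostart key and taking the name of a legitimate Windows process, can be triaged mechanically: resolve each autostart entry to its image file, then ask whether the file lives where a binary of that name belongs and whether it still matches a known-good copy. The script below is an added example written for this newsletter, not PestPatrol's product; the autostart entries, the file contents and the known-good hash baseline are all constructed inline (on a real system the entries would come from the Run/RunOnce keys and the Startup folder, and the baseline from vendor-signed copies).

```python
"""Triage autostart entries for look-alike or tampered binaries.

Added example, not part of the original newsletter. Everything below is
constructed: FILES stands in for the disk, BASELINE for known-good hashes,
and AUTOSTART for the Run-key values you would read on the real host.
"""
import hashlib
import ntpath

# Directories where a Windows system binary is expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed "disk": image path -> file bytes.
FILES = {
    r"C:\WINDOWS\system32\svchost.exe": b"constructed: genuine svchost image",
    r"C:\WINDOWS\system32\winlogon.exe": b"constructed: winlogon plus appended payload",
    r"C:\Documents and Settings\joe\svchost.exe": b"constructed: RAT under a system name",
    r"C:\Program Files\Acme Backup\backup.exe": b"constructed: third-party agent",
}

# Constructed known-good baseline: file name -> hash of the legitimate binary.
BASELINE = {
    "svchost.exe": sha256(b"constructed: genuine svchost image"),
    "winlogon.exe": sha256(b"constructed: genuine winlogon image"),
}

# Constructed autostart entries: (registry key, value name, command line).
RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
AUTOSTART = [
    (RUN_HKLM, "SvcHost", r'"C:\WINDOWS\system32\svchost.exe" -k netsvcs'),
    (RUN_HKLM, "Winlogon", r"C:\WINDOWS\system32\winlogon.exe"),
    (RUN_HKCU, "svchost", r"C:\Documents and Settings\joe\svchost.exe /silent"),
    (RUN_HKLM, "AcmeBackup", r'"C:\Program Files\Acme Backup\backup.exe" /tray'),
]


def image_path(command):
    """Extract the executable path from a Run-key command line.

    Handles the quoted form and the unquoted form with trailing arguments.
    """
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    end = command.lower().find(".exe")
    return command[:end + 4] if end != -1 else command.split()[0]


def classify(command, files=FILES, baseline=BASELINE):
    """Return (verdict, path) for one autostart command line.

    ok        - matches the known-good hash in its expected directory
    lookalike - carries a system binary's name but lives elsewhere
    modified  - right name and place, but the bytes no longer match
    unknown   - not in the baseline; needs manual review
    missing   - image no longer on disk; a dangling entry to clean up
    """
    path = image_path(command)
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    data = files.get(path)
    if data is None:
        return "missing", path
    expected = baseline.get(name)
    if expected is None:
        return "unknown", path
    if directory not in SYSTEM_DIRS:
        return "lookalike", path
    if sha256(data) != expected:
        return "modified", path
    return "ok", path


def triage(entries=AUTOSTART, files=FILES, baseline=BASELINE):
    """Classify every autostart entry; returns (value name, verdict, path)."""
    return [(value, *classify(cmd, files, baseline)) for _, value, cmd in entries]


if __name__ == "__main__":
    for value, verdict, path in triage():
        print(f"{verdict:9} {value:12} {path}")
```

On the constructed data the entry named "svchost" under HKCU is flagged as a look-alike (a system binary's name in a user profile), the winlogon.exe image as modified, and the backup agent as unknown for a human to judge. Removal then means deleting the flagged value and file together, and rebooting to confirm nothing re-creates them, which is the part the article notes anti-virus products leave to you.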
Human Behavior
Human behavior is one of the most difficult aspects of security to regulate. Even a minimally skilled but disgruntled employee can wreak havoc when equipped with a vengeful mindset and a piece of malware.
Disgruntled employees can cause chaos with tools that are easily available on the web. For instance, prior to a mass layoff, a user could install a RAT in order to retain continued access to the company's electronic assets. He might use hacker tools against the company's systems to gain administrator privileges. He could hijack those systems to use as a launching pad to attack other networks, or set up rogue servers for his own use.
Remote users (mobile employees and telecommuters) are the #1 security concern for many security administrators. Such users generally have a lax attitude toward or complete lack of understanding of the importance of security. The following scenario probably takes place thousands of times every day all over the world - and it's enough to send shivers up the spine of any security-conscious systems administrator.
A remote employee's family member uses the company computer during off hours, and inadvertently downloads a RAT during an IRC session, giving a hacker full access to the machine. The next day, the employee logs into the corporate network, but the VPN sees and stops nothing. Bingo - the hacker has access to the entire network.
Liability
Non-viral malware hiding on your network also poses a liability risk. The body of case law relating to the responsibility of companies to ensure that their computers cannot be unwittingly used in a DDoS attack is growing [see http://www.pestpatrol.com/Whitepapers/LiabilityofPests.asp]. The reasoning is that, if hackers use your company's resources to attack others and due diligence could have prevented it, your company can be held liable. The same argument holds true for other types of attacks that are routed through your systems. Right now, you don't read much about such cases since they are generally settled out of court - mainly to avoid the negative publicity and consequent share price damage any publicity would cause. But that may not be the case for long. And you can bet that, even if such a lawsuit never sees the inside of a courtroom, heads will roll in the IT department.
Here are some practical steps to prevent non-viral malware infections:
Non-viral malicious code poses a clear and present danger to corporate networks, one that goes well beyond the danger posed by viruses and worms. If reading this article has opened your eyes to some of the realities of non-viral malware, then it's done its job, and you're on the road to better security.
The Legal Risks of Computer Pests and Hacker Tools
http://www.pestpatrol.com/Whitepapers/LiabilityofPests.asp
Beyond Viruses: Why Anti-Virus Software is no longer enough
http://www.pestpatrol.com/Whitepapers/BeyondViruses0302.asp
The Often Overlooked Backdoor
http://www.itworld.com/nl/security_strat/08152001/
U.S. military scours Windows systems for hacker back doors
http://www.computeruser.com/news/02/03/18/news1.html
© 2002 - 2006 Core Competence & Mactivity, Inc.