Security Laboratory: Defense In Depth Series
Hybrid Threats
Jun 18th, 2008
By Stephen Northcutt
In the early days of malware, it was fairly easy to classify malware as
a virus, worm, or Trojan. These days, many attacks use features of each
other. For example, an e-mail worm may appear in a user's inbox as a
Trojan screen saver. The user is tricked into running the screen saver,
and ends up installing the worm. Many worms, like Klez, drop viruses.
An e-mail virus may spread using its own SMTP engine, which is a bit
worm-like. These types of mixed-up varieties are known as hybrid
threats. Antivirus vendors will call them hybrids, or classify them
after the most potent part of the malware.
Throughout 2007, the Storm worm was quick to infect hundreds of
thousands of systems worldwide. Whether it is a worm or not is up for
debate, but it certainly was successful. If you stick to the strict
definition of a worm as spreading without human intervention, Storm was a
multi-partite virus. However, that is not the important point; the most
important thing to understand about Storm is that it mostly spread by
social engineering. Some of the Storm subject lines included:[1]
230 dead as storm batters Europe
Saddam Hussein Alive!
Naked teens attack home director
A killer at 11, he's free at 21 and
( For more Storm subject lines please visit:
http://www.snopes.com/computer/virus/storm.asp )
The subject lines tended to be creative and were changed often. Once
infected, your system becomes part of a botnet. In 2008, it became much
harder to track Storm as the infected systems were moved to smaller
quieter botnets. And there is really no such thing as an old, obsolete
worm/virus/whatever: "According to the researchers, Storm was born from
the ashes of the "Bobax worm," one of the most successful
botnet-related computer worms of the past few years. Bobax spread by
exploiting various vulnerabilities in the Microsoft Windows operating
system, and turned infected machines into spam-spewing zombies. By
early 2005, Bobax had spread to hundreds of thousands of PCs, after a
highly successful spam campaign that used infected e-mail attachments
disguised as pictures purportedly showing Saddam Hussein or Osama Bin
Laden captured or dead."[2] And now many researchers believe Storm was
supplanted by Kraken, which comprises over 400,000 infected machines
according to research firm Damballa.[3] Regardless of the name, being
infected by one of these blended threats could be a pretty big deal.
Some of the common problems are shown below.
Destroying Data
Destroying data is one of the most insidious actions that a malware
specimen can take after infecting a system. For example, the CIH virus,
which began spreading in June 1998, had a particularly destructive
payload. CIH was programmed to activate every year on April 26, at
which point it overwrote data on the computer's hard drive.
Additionally, the virus attempted to overwrite the flash-BIOS of the
infected system, often rendering the computer unusable. (CIH is also
known as the Chernobyl virus, because April 26 marks the anniversary of
the nuclear plant disaster that occurred in Chernobyl, Ukraine, in
1986.)[4]
If you lose data as a result of a malware infection, your most
practical means of recovery is to retrieve files from backup. If
backups are not available, and lost data was very valuable, you may be
able to restore it via low-level forensic recovery techniques, although
such methods tend to be time-consuming and expensive. Unfortunately,
destruction of data is only one danger associated with a malware
infection.
Leaking Information
The possibility that a malware incident led to information leaking to
unauthorized parties can be as devastating as the destruction of data.
You may recall that the Melissa virus, which we discussed in the
Taxonomy section, often resulted in sensitive Word documents being
e-mailed to recipients listed in the victim's address book. The SirCam
worm, discovered in July 2001, is another notable example of a
mass-mailing malware specimen. SirCam selected a random document from
the victim's "My Documents" folder and e-mailed the file, merged with a
copy of SirCam, to recipients found in the person's address book and
browser cache.
Of course, a document is only one type of information whose
confidentiality can be compromised by malware. The Caligula virus,
which appeared in January 1999, was programmed to locate the victim's
Pretty Good Privacy (PGP) private key file and transmit it to the
creator of the virus via FTP. The Marker virus, discovered about half a
year later, used a similar technique to obtain information about the
infected user from the system's registry, and transferred the data to
the author's FTP site. This capability allowed Marker to maintain a
trail of infected users, empowering its creator to study relationships
between members of the targeted organization.[5]
Trojans can be just as effective at leaking information as worms and
viruses. The SubSeven server has the ability to monitor the user's
keystrokes, and is capable of retrieving passwords saved on the
infected computer. Unlike a virus or a worm, a remote access Trojan's
consequences may be felt long after the malware is eradicated.
Additionally, various ad-supported applications have been implicated in
leaking information without the user's knowledge, often by monitoring
the user's browsing habits without permission. Such software is often
called spyware. Imagine for a minute having every URL you visited
logged, every password you type recorded, every piece of sensitive
information such as a Social Security Number recorded. If you do online
banking, spyware can record your account and account balance. Spyware
can take screenshots so they know how you compute. Suppose this type of
software was on your system for two or three months; they would know as
much about you as you do!
Historical Backdoor Access
Attackers use backdoors to ensure that they retain access to the system
after it was compromised. Historically, they might employ a Trojan such
as SubSeven or Back Orifice to listen on a pre-determined port of the
infected system, allowing the attacker to remotely control the victim's
computer at will. The official release of OpenSSH in July 2002 was
tainted with a Trojan for a similar purpose. The backdoor was activated
during the compilation process of OpenSSH source files, and initiated a
network connection to an external server. This enabled the attacker to
execute arbitrary commands on the system that compiled the Trojaned
version of OpenSSH.
A more elaborate example of an early backdoor with botnet
functionality can be found in the Leaves
worm. By June 2001, Leaves quietly infected nearly 15,000 computers,
providing its author with a capable army of zombies that he could
centrally control. The Leaves worm spread by scanning for hosts that
were already infected with the SubSeven Trojan. When such a system was
located, the worm attempted to authenticate to the Trojan using a
master password that was known to work with some versions of SubSeven.
Once Leaves gained access to the computer through this backdoor, it
removed the pre-existing Trojan, presumably to prevent anyone else from
getting into the system through such means.
As the next step, Leaves acted to provide its author with a backdoor of
his own, by connecting to a channel on a remote Internet Relay Chat
(IRC) server. As the worm spread, infected computers logged into the
IRC channel, awaiting additional instructions from the worm's creator.
This gave the attacker the ability to authenticate to all instances of
the worm simultaneously, and issue commands for launching programs,
manipulating files, and obtaining system information. Using IRC to
access infected computers carried several advantages:
• The attacker could be several network hops away from computers that
he was controlling, making it more difficult to trace the attack's
origin.
• The attacker could rely on the IRC network to automatically relay
commands to all instances of the worm, providing him with a powerful
DDoS attack platform.
Unlike commercial chat services, IRC is not tightly controlled, and, in
many ways, continues to be the wild west of chat networks. Powerful
scripting agents exist for IRC that can provide the attacker with a
convenient way to automate tasks for maintaining his army of
compromised machines.
*** Begin note
IRC is frequently used by malware writers for staying in touch with
their creations. If you only block several outbound ports on the
firewall at your organization, consider blocking TCP ports 6666 and
6667, which are frequently used for connecting to IRC servers.
*** End note
Today, more and more botnets are using peer to peer networks for their
remote command and control.
Altering System Configuration
Malware almost always manipulates system files or configuration
settings to ensure that it gets loaded into memory each time the
computer system starts. There are many commonly manipulated files on a
Windows system, including:
autoexec.bat, config.sys, system.ini, win.ini, dosstart.bat,
winstart.bat, and wininit.ini.
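A practical defensive check for the files just listed is to hash them while the system is known-good and re-check them later, so that a persistence edit (a new run= entry in win.ini, a freshly created winstart.bat) shows up as a diff. The script below is an added example and is not code from this article; it builds that baseline and reports modified, created and deleted startup files. The directory layout, the file contents and the dropper.exe path in the demo are constructed for illustration; on a real system you would point the root at the Windows drive and keep the baseline on read-only media.

```python
"""Baseline and re-check the legacy Windows startup files that malware
commonly edits to get loaded at boot (autoexec.bat, win.ini, ...).

Added example, not code from the SANS article.  The directory and file
contents in demo() are constructed; point build_baseline() at the real
Windows drive root for production use.
"""
import hashlib
import json
import os
import tempfile

# Files the article names as commonly manipulated by malware.
STARTUP_FILES = [
    "autoexec.bat", "config.sys", "system.ini", "win.ini",
    "dosstart.bat", "winstart.bat", "wininit.ini",
]


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names=STARTUP_FILES):
    """Hash every startup file under root; record absent ones as None."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        baseline[name] = sha256_of(path) if os.path.isfile(path) else None
    return baseline


def compare_baseline(baseline, root):
    """Return {'modified': [...], 'created': [...], 'deleted': [...]}
    describing how the files under root differ from the saved baseline."""
    current = build_baseline(root, list(baseline))
    report = {"modified": [], "created": [], "deleted": []}
    for name, old in baseline.items():
        new = current[name]
        if old is None and new is not None:
            report["created"].append(name)
        elif old is not None and new is None:
            report["deleted"].append(name)
        elif old != new:
            report["modified"].append(name)
    return report


def demo():
    """Constructed scenario: take a clean baseline, then simulate a
    persistence change (win.ini run= line plus a new winstart.bat)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "win.ini"), "w") as f:
        f.write("[windows]\nload=\nrun=\n")
    with open(os.path.join(root, "system.ini"), "w") as f:
        f.write("[boot]\nshell=Explorer.exe\n")
    baseline = build_baseline(root)

    # Constructed change of the kind a persistence mechanism makes;
    # "dropper.exe" is a placeholder name, not a real sample.
    with open(os.path.join(root, "win.ini"), "w") as f:
        f.write("[windows]\nload=\nrun=C:\\WINDOWS\\dropper.exe\n")
    with open(os.path.join(root, "winstart.bat"), "w") as f:
        f.write("@echo off\r\nstart dropper.exe\r\n")
    return compare_baseline(baseline, root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline only covers the files the article names; the same compare logic works for any list of paths (registry Run keys exported to a file, for instance), and the value of the check depends entirely on the baseline having been taken before infection.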
Detecting malware
Getting infected is easy; detecting malware is a harder problem. One of
the malicious payloads Storm used was Trojan.Peacomm: "once the
computer is infected, Trojan.Peacomm attempts to
establish peer-to-peer communication on UDP port 4000 with a small list
of IP addresses, in order to download and execute more malicious files.
If you use a personal firewall with egress filtering, you will be
notified that the services.exe process is attempting to connect to a
remote address on this port."[6] That might be your best opportunity to
detect that you are infected. Much modern malware can evade detection
by anti-virus tools.
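The two network indicators this article gives a defender, services.exe opening outbound UDP/4000 (the Trojan.Peacomm peer-to-peer traffic quoted above) and outbound TCP 6666/6667 (the IRC command channel from the earlier note), are easy to turn into a check over personal-firewall egress logs. The script below is an added example, not code from the article or from any firewall vendor; its log format, process names and IP addresses are constructed for the demo, so parse_line() has to be adapted to whatever your firewall actually exports.

```python
"""Scan firewall egress log lines for the indicators the article names:
services.exe making outbound UDP/4000 connections (Trojan.Peacomm P2P)
and any process connecting to TCP 6666/6667 (IRC bot command channel).

Added example, not code from the SANS article.  The log format and every
address below are constructed for the demo.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts proc proto dst_ip dst_port direction")

# Constructed log format: "<ts> <process> <TCP|UDP> <IN|OUT> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<dir>IN|OUT)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)

IRC_PORTS = {6666, 6667}   # ports the article's note suggests blocking


def parse_line(line):
    """Parse one log line into an Event, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["proc"].lower(), m["proto"],
                 m["ip"], int(m["port"]), m["dir"])


def classify(ev):
    """Return an alert tag for a suspicious outbound event, else None."""
    if ev is None or ev.direction != "OUT":
        return None
    if ev.proto == "UDP" and ev.dst_port == 4000 and ev.proc == "services.exe":
        return "peacomm-p2p"
    if ev.proto == "TCP" and ev.dst_port in IRC_PORTS:
        return "irc-egress"
    return None


def scan(lines):
    """Return a list of (tag, event) pairs for every line that trips a rule."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        tag = classify(ev)
        if tag:
            alerts.append((tag, ev))
    return alerts


# Constructed sample log; the addresses are documentation ranges.
SAMPLE_LOG = """\
2008-06-17T10:01:02 services.exe UDP OUT 198.51.100.23:4000
2008-06-17T10:01:03 services.exe UDP OUT 203.0.113.77:4000
2008-06-17T10:02:10 firefox.exe TCP OUT 198.51.100.9:80
2008-06-17T10:03:44 svchost.exe UDP OUT 192.0.2.1:53
2008-06-17T10:05:00 updater.exe TCP OUT 203.0.113.200:6667
2008-06-17T10:05:01 services.exe UDP IN 198.51.100.23:4000
garbage line that does not parse
"""


def demo():
    """Run the rules over the constructed sample log."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for tag, ev in demo():
        print(f"{ev.ts} {tag:12s} {ev.proc} -> {ev.dst_ip}:{ev.dst_port}/{ev.proto}")
```

Inbound hits and unparseable lines are deliberately ignored so the check reports only what the article says is actionable: a process on your own machine reaching out. Both rules are indicator matches, not proof of infection; a hit on a legitimate IRC client is expected and is exactly why the note frames port blocking as an organizational policy decision.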
The Security Manager's Bottom Line
Though it is certainly true that malware has evolved a lot in this
decade, the tools in use today are more similar to than different from
the attacker tools of ten years ago. The command and control is better,
and they are better able to evade detection, but still they are very
similar. We have discussed the Storm worm as an exceptionally successful
piece of malware. It was a blended threat, using clever e-mail subject
lines to encourage people to double-click on the attachment. The
attachment could be any number of malicious payloads; a common one was
Trojan.Peacomm. A 2008 study by AusCERT found, "As many as 23 percent
of home computers are infected with malware, and of those, more than 70
percent had been infected in the past year."[7] According to
Panda Security, "Approximately 11 percent of computers worldwide have
become a part of criminal botnets, which are responsible for 85 percent
of all spam sent."[8] Other studies and estimates suggest even higher
numbers. Some of this malware is very sophisticated at information
gathering; if you have a diligent employee doing company work on her
home computer, your intellectual property may be stored in an attacker's
repository. In May 2008 we got a glimpse into this world of data
collection when an ID theft repository with information on home users
and over 40 businesses was found: "the server was located in Malaysia
but contained data from all around the world, including North America,
Europe and Asia. The server was up only three weeks, but was able to
collect 1.4 GB of data."[9]
All links were valid June 17, 2008
1. http://www.time.com/time/magazine/article/0,9171,1666279,00.html
2. http://blog.washingtonpost.com/securityfix/2008/02/the_storm_worms_family_tree_1.html
3. http://www.damballa.com/downloads/news/ITN_Register_2.pdf
4. http://vil.nai.com/vil/content/v_10300.htm
5. http://www.zeltser.com/agents
6. https://forums.symantec.com/syment/blog/article?message.uid=305096
7. http://www.computerworld.com.au/index.php/id;1680510504
8. http://pandasecurityuk.blogspot.com/2008/01/half-million-computers-infected-with.html
9. http://www.scmagazineus.com/Massive-hacker-server-discovered/article/109847/