Thursday, December 3, 2009

Exposing Malware - Part 2: Infestation

A little while ago I wrote part 1 of this series malware forcusing on it's insane efficiency ... and since that time I've had some more time to do additional research and play with a few more "code samples" which continue to baffle and amaze so I'm writing this second part of the series on "infestation".

The semantic issue here is critical to the post - this isn't necessarily an article about infection but really about infestation of connected computing devices by what can only be described, collectively, as malware.  Malware in this definition is essentially the collection of traditional viruses, trojan horses, worms, ad-ware, scare-ware, crime-ware, ransom-ware and everything else ... did I miss a catchy buzzword?

Anyway, the rate at which a connected computing device gets over-run by malicious software is incredible.  Recent statistics I've heard peg the average compromise time of a non-protected workstation on the open Internet at around 8 minutes.  This was 2+ years ago that this metric was measured ... I'm confident it's even less time now.  These types of studies in time to compromise are interesting because it serves to illustrate the sheer volume of evil circulating the Internet.  I've thought about the vectors for compromise (or over-run if you like) and have classified them into 5 categories:
  1. Self-Inflicted-Accidental
  2. Self-Inflicted-Ignorant
  3. Unattended-Circumstancial
  4. Targeted
  5. Delivered
I think these five (5) categories can be applied to all infections/infestations and each have unique qualities let me dive into them here.

  • Self-Inflicted-Accidental
 While many people "do it to themselves" I firmly believe there is a segment of the Internet-using population that simply hasn't gotten the memo yet.  The Internet is a nasty, hostile, and vile place boys and girls.  This is easily dismissed as the naive crowd, those that just haven't been awakened to the stark reality of interconnectedness.  I will grant you this- this group shrinks faster than new members are added ... with education everywhere, and security-aware individuals (much like you reading this) beating the drums it's tough to be naive for very long, unless you operate your brand new computing device in a cave ... but that brings up other issues!

  The problem here with this group is that they are too trusting.  They're like your grandparents, who trust the maid who's "so nice" but is cleaning them out of every piece of valuable in the house.  They will be shocked when they find out they've been infested; then they will become educated (and some become jaded) and their outlook changes and they fall out of the group.

Impact: sadly, when these folks get hit, it's epic
Remedy: Either more education, or simply let them get whacked

  • Self-Inflicted-Ignorant
 This is the other self-inflicted group.  Unfortunately, I feel no sympathy for these folks that get infested.  They've been warned, maybe they've even gotten whacked before - but like the kid who keeps sticking his finger in the fire they just don't learn.  The really unfortunate thing here is that a vast majority of these folks feel like they're entitled to be compensated for the pain they self-inflict with their ignorance.  They'll likely get infested, have their banking credentials or credit card info swiped and money stolen then demand that their banks fix it.  Even more insane are the banks and institutions (primarily in the financial industry) who continue to foster this type of behavior.  Now, I understand there is a fine, very blurry line between being compromised where you can do nothing about it, and being just ignorant ... but if you're getting whacked repeatedly there has to be some accountability.

  I've met many threat-ignorant people in my years in IT and I'm certain you have too.  In fact, many of you chuckle as you read this because it's either your manager, your CEO, your parent, spouse or in-laws that drop into this category.  I'm sorry in advance for saying it but ... these folks should have their Internet-usage ability revoked.

  I just don't understand how people can be so ignorant and keep at it.  Maybe it's our fault (I say our and mean collectively the business & IT world) for allowing them to be this way.  Maybe we're not giving them enough responsibility for their own actions (or non-actions)?  I mean, look ... if you have a gun you have to be licensed to use it right?  ...and you're responsible if you cause yourself or someone else harm?  I know Internet access doesn't require a license or certification but maybe it should?  Maybe you should have to take a "basic certification" to get an IPV6 IP address (if that ever happens...)  I don't quite have the logistics worked out but there absolutely MUST be some accountability here ... we as an industry group must find a way to educate and drive out ignorance from the connected masses.

Impact: Epic fail ... made worse by the coddling currently coming from financial services industry
Remedy: Education and accountability ...or something!

  • Unattended-Circumstantial
  This category of infestations just happens by circumstance.  Picture a computing device Internet-connected just sitting there humming away serving up web pages, widgets or data.  Along comes a malicious agent ...doesn't matter whether it's a human being or a script - only that an infestation happens.  My favorite example here in this category is the kiosk at the airport or hotels.  These are unwilling participants set in place by people who for what-ever reason haven't fortified them enough against malicious intent.  Getting infested like this is painful because there is often someone to blame - but it's hard to point the finger.  Computing devices are connected to the Internet every minute of every day ... many of them for no good reason.  These devices are constantly getting infested in spite of any kind of "anti-virus protection" that is placed on them, and as worms and other automated attack vectors advance this problem is going to get worse!

  Look around, I am willing to bet you can name at least 5 connected devices within arms' reach right where you are this minute.  Whether it's a refrigerator, a video gaming console, your mobile phone, laptop, DVR or even television everything is becoming connected and too often there is no thought given to answering the "what if this thing gets infested?" question.

  What would you do if you woke up tomorrow morning only to find that your Internet-connected DVR has suddenly been taken over?  The warranty may or may not cover this problem because technically it's not a manufacturer's defect right?  There is no broken hardware, no smoking hard disk or sparking internals - only a malicious piece of software now embedded inside the device that randomly deletes your favorite non-watched hows, and orders adult material when you're not around.  What do you do!?

Impact: Everything from mischief to malice to catastrophic failure.  If your refrigerator becomes infested with malware and malfunctions, that's one thing, but if your car's on-board computer suddenly shuts down your car in the center lane on your way home at 65mph - that's an entirely different issue.  It could happen, soon.
Remedy:  I honestly don't have an answer to this.  Better SDL-integrated security is the only answer here that even makes sense as many of these devices and infestations are outside the realm of reasonable responsibility of not only the owners but even the operators!

  • Targeted
 Sometimes, you're just screwed.  We in information security have long told audiences, businesses and managers that if you are targeted for an attack there is very little you can do to "be safe".  Attackers have a way of getting their way.  This works the exact same way with malicious software and infection/infestation.  If someone writes a purpose-built piece of code that attacks users of AT&T broadband (as if we don't have enough problems with our carrier) who run Windows Vista (again...why? isn't this situation enough pain in itself?) and use a specific social media application (a la Facebook) I have news for you - they're going to win.  It's like the Canadian Mounties ... they'll get their man/woman/target.

  My main take on this specific segment of the problem is this - if you're worrying about this infestation type that to me means you've solved the other 3 previous ones (above) and I want to know how you did it.

Impact: What ever the bad-guys want.  Generally the impact isn't "catastrophic failure" ... and the less you notice the impact, the better for the bad guys.
Remedy: Stop worrying about this one, you're not going to solve this problem.

  • Delivered
  Finally we come to the "delivered" infestation type.  This type of infestation is very similar to the targeted type - except that the delivery mechanism is generally someone else's.  To elaborate further it's easier to just give an example.  Say you've a user of Twitter (and I know you are), and you use TweetDeck.  Now, in its own right, TweetDeck isn't a malicious piece of software ... I hope.  Now, if someone compromises the TweetDeck update system and you get a notification next time you fire up your client that an update is available, you click OK's not your fault that you were just delivered a piece of malware and now are infested!  There are no ignorant actions on your part, and you're not naive because you're using reasonably trusted software which is being used as the delivery mechanism for malware.

  Again, just as in the previous example, there are very few things you can to do avoid being infested here in this situation.  You can't review every application you use manually, and it's unrealistic to think that you're not going to load up any 3rd party tools or software on your computing devices.  Again ...welcome to screwed-ville.  Take a number, get a seat and wait to be re-imaged.

Impact: As with targeted infestation ... this can be anything from annoyance to identity theft and digital impersonation!
Remedy: ... hrmm.... I'll let you know if I figure this one out.  I'm open to suggestions!

  There you have it, infestation by malware is ugly.  Sometimes you can prevent it, many times you can't.  The results are incredibly diverse and range from your search results being compromised and "swapped out" for someone else's targeted results, to identity theft and impersonation, to catastrophic failure.  Problem is ... out of these 5 types we're only realistically able to do something about 2 or so of them.

  What do you think?


nickhacks said...

I like it and it makes it easy to categorize. Would the recent card-processor/restaurant POS one fall under Unattended-Circumstantial? (My answer is yes)

As far as financial institutions reimbursing customers, well, unfortunately that is a business decision. The cost of losing customers is more than what they're paying out, so they keep paying it out. Is it the right call? Maybe not. But until the balance flips, it will be hard to convince them to handle it in another manner.

I think these categories are generally pretty solid, but now my question is - where can we use these categories in order to improve security?

Rafal Los said...

@Nickhacks -I think there is an opportunity here. Most anti-malware (because it's inappropriate to call them anti-virus anymore) software is written or designed to protect only one of those groups, and sold to everyone. That's not only wrong but also irresponsible because we know the others are out there... obviously.

What's next? How do we make use of this piece for the betterment of human-kind? I'm going to start to try and see if any of the anti-malware vendors would be willing to work with me to do some fundamental re-design of their tools around this idea I present. While I'm not holding my breath it would be cool, and I feel an advancement.