Weaponized Malware: A Clear and Present Danger

Weaponized malware and advanced persistent threats raise the bar on endpoint security. Originally intended for cyber-espionage and cyber-warfare, these sophisticated attacks are now available to any cyber-criminal. How can security pros protect their organizations from these emerging perils?

September 2012 WP-EN-09-12-12

Overview

In one of Aesop’s fables, a doe can see out of only one eye. She grazes along a cliff with her blind eye to the sea and her seeing eye toward land. In this way she keeps watch over her pasture, alert to predators. Alas, she is unaware of an approaching ship that carries a hunter, who fells her with a single shot.

The moral: Danger lurks where we least expect it.

Corporations and their IT departments now face a similar scenario. Weaponized malware and advanced persistent threats, or APTs, have emerged as new and very real perils. Yet many security pros believe these threats pose no danger to their organizations. Weaponized malware, they figure, is created by governments to enable cyber-espionage or engage in cyber-warfare. APTs, they assume, are perpetrated by rogue nations and organized crime rings to steal government data or target only very large organizations in specific industries.

But today, security experts and government officials alike are recognizing that weaponized malware and APTs are a menace to virtually any organization, large or small, in any industry.

“What the general public hears about—stolen credit-card numbers, somebody hacked LinkedIn—that’s the tip of the iceberg,” said Shawn Henry in a July 2012 Bloomberg.com report. Henry, the former FBI executive in charge of the agency’s cyberdivision, continued: “I’ve been circling the iceberg in a submarine. This is the biggest vacuuming up of U.S. proprietary data that we’ve ever seen.”

There’s no single, simple panacea, and any vendor that claims to have the silver bullet is selling on pure fear and misinformation. What’s needed is for organizations to invest in the strategies and technologies that enable a comprehensive, defense-in-depth approach to safeguarding their endpoints and data. Executed effectively, the benefits include reduced risk, improved endpoint management and stronger information security.

[Figure 1] Layered endpoint defenses: AV (control the known); Device Control (control the flow); Application Control (control the grey); Patch and Configuration Management (control the vulnerability landscape). Successful risk mitigation starts with a solid vulnerability management foundation, together with layered defenses beyond traditional black-list approaches.

Too Hot to Handle

Stuxnet, DuQu, Flame: We’ve all seen the headlines about a new class of weaponized malware. But what’s different about them, and what are their long-term implications?

Stuxnet— Stuxnet was uncovered in June 2010. Designed specifically to shut down centrifuges in Iran’s nuclear-refinement plants, it was initially propagated through USB drives. Experts agree it was the work of a well-trained team backed by significant resources. In June 2012 the New York Times reported that American, European and Israeli officials involved in the program had confirmed that the U.S. and Israeli governments were behind the worm.

Stuxnet simultaneously exploited four zero-day vulnerabilities in Microsoft Windows. It was also the first malware to include a programmable logic controller (PLC) rootkit, which permitted ongoing privileged access while hiding its presence.

After attacking the Iranian nuclear facility, Stuxnet escaped its intended target environment and infected nearly 100,000 computers in the United States and other countries. Many observers believe this eventuality was not intended by the worm’s creators. The good news is that because Stuxnet targeted a specific industrial control system, it had no ill effects on other computers. The bad news is that now that the code is “in the wild,” cyber-criminals have the opportunity to exploit its nefarious innovations.

DuQu— Uncovered in September 2011, DuQu was considered the next generation of Stuxnet. It was likely created by the authors of Stuxnet or by programmers who had access to the Stuxnet source code. This malware also targeted Iran’s nuclear program, but with the purpose of capturing data such as keystrokes and system information. DuQu exploited zero-day Windows kernel vulnerabilities. It also featured a modular payload-delivery system and a unique centralized command-and-control capability.

Flame— Flame was designed for cyber-espionage, targeting government organizations and educational institutions in Iran and other Middle Eastern countries. At 20 MB, it was even more sophisticated than Stuxnet or DuQu. It has been called the “Swiss army knife” of malware and a “new high-water mark” for complexity of attack. The malware was uncovered in May 2012, but it had been operating in the wild since at least February 2010, with some experts pegging its creation date as early as 2007.

Flame could take control of USB devices, and in fact its primary method of propagation was USB stick or LAN. It captured keystrokes, network activity, screenshots, audio files and Skype conversations. It could scan documents and create a text summary, avoiding the need to exfiltrate large amounts of data. It also featured a trickle uploader that transmitted data in inconspicuous 8-KB packets. Flame transmitted this stolen data to command-and-control servers at 24 IP addresses around the world.

If Flame infected a computer running Bluetooth, it turned the system into a Bluetooth beacon. It could then download data from any nearby Bluetooth-enabled mobile device. If those devices had a wireless connection to the Internet, they became alternate routes to the command-and-control servers.

If Flame infected a computer with domain admin authority, it could enter Active Directory and create backdoor admin accounts. It could also function as a proxy server, enabling it to propagate to other systems.

One of the more pernicious aspects of Flame was that it could make itself appear to be a Windows Update server. An infected computer would pose as a Windows Update site, to which other Windows computers could connect and download a “patch” that was actually Flame. Flame signed the bogus patch with a certificate that appeared to be from Microsoft. This effectively undermined the foundation of trust that digital certificates were created to provide.

Some experts have pointed out that, with the exception of exploiting the trust-certificate flaw in Windows Update, very little of Flame’s functionality was new. But most agree that the sophistication of its packaging and deployment is a game-changer. And that has implications for any organization concerned about information security.

Surging Attacks

Time was, most data-security breaches were committed by lone hackers who wanted bragging rights. When organized crime realized that big money could be made through the theft and sale of credit-card and other data, malware grew more advanced and targeted.

Today we’re witnessing another shift in both perpetrator and motivation. Governments are using malware and hacking to spy on one another and achieve political ends. Some are even targeting businesses to steal intellectual property and gain competitive advantage for their nations.

In July 2012 President Barack Obama warned in the Wall Street Journal that “the cyber-threat to our nation is one of the most serious economic and national security challenges we face.” That same month, National Security Agency Director Keith Alexander said that the electronic theft of proprietary information constitutes “the greatest transfer of wealth in history.”

And like begets like. As more governments engage in cyber-attacks, their allies and enemies alike will respond. In the past 18 months the United Kingdom, Germany, India, China and Iran have all announced that they’re creating military cyber-units.

Meanwhile, malicious attacks continue to surge from a variety of vectors. And trends suggest a shift toward more sophisticated and persistent threats. For example, Symantec blocked more than 5.5 billion malicious attacks in 2011, a jump of 81 percent over 2010. It uncovered 403 million unique malware variants that year, a 41 percent increase.[1]

Advanced targeted attacks reached an average of 154 per day by the end of 2011. Those attacks were distributed equally across large organizations—those with more than 2,500 employees—and small-to-midsize organizations—those with fewer than 2,500.[1] Most of those threats aim for government targets, but they increasingly seek out businesses in manufacturing, financial services and other sectors. (See Figure 1.) By job title, executives are most at risk, but employees in sales and R&D are increasingly in the crosshairs. (See Figure 2.)

Verizon tracked 855 breaches that resulted in 174 million compromised records in 2011, the second-highest since it began tracking in 2004. Ninety-eight percent were caused by external sources, and 83 percent were linked to organized-crime groups.[2] Analysis suggests that the vast majority of breaches are motivated by financial gain. (See Figure 3.)

Eighty-one percent of breaches involved hacking in 2011, and 69 percent leveraged malware. (See Figure 4.) Fewer than 10 percent of those security failures were detected by the organization. In fully 92 percent of cases, the victim had to be informed by a third party that it had been breached.[2] Interestingly, Verizon reports that for 97 percent of those breaches, basic security controls would have thwarted the attack.

[Figure 2] Targeted Attacks by Job Title (share of attacks, 0% to 25%): Executive; Sales; Media; R&D; Senior Management; Administrative Assistant; Recruiting. Source: Symantec Internet Security Threat Report, 2012. Targeted attacks largely go after the email accounts of executives, but employees in sales and R&D are increasingly at risk.

1. Symantec Internet Security Threat Report, 2012
2. Verizon Data Breach Investigations Report, 2012

Collateral Damage

Threats associated with cyber-espionage are already seeping into the private sector. In mid-2011 U.S. intelligence and private researchers tracked the activities of a sophisticated group of hackers, dubbed Byzantine Candor, linked to China’s military. Over a two-month period the hackers breached computers of Halliburton, the Washington law firm Wiley Rein, the European Union Council, and Indian tobacco and technology conglomerate ITC. A July 2012 Bloomberg.com report detailed the attacks.

To date Byzantine Candor has electronically stolen oil-reserve maps from major energy companies, market analysis from investment banks and client trade secrets from patent law firms. By some estimates the group has hacked more than 1,000 organizations.

In many cases the hackers used a simple and consistent approach. They initiated attacks through malware-infected email. Once inside the network they decrypted passwords and posed as network administrators. They were then free to turn off security safeguards and exfiltrate data.

The Byzantine Candor case is hardly the only example. And the attacks don’t target only large organizations. As just one example, in July 2012 malware dubbed ACAD/Medre.A struck design firms largely in and around Peru. Written in AutoLISP, the worm leaked thousands of AutoCAD drawings such as blueprints. The attack operated by replacing an AutoCAD startup file with Visual Basic scripts. Then, every time an engineer opened an AutoCAD file, the document was automatically emailed to the hackers.

Such threats even extend to the lowly Gmail account. In June 2012 Google began alerting Gmail users if their accounts had been affected by what the company believes are “state-sponsored” attacks. Google gauges the likelihood of an attack’s being state-sponsored based on analysis of the oceans of data that flow across its servers.

[Figure 3] Motives for Data Security Breaches (share of breaches, 0% to 100%): Financial gain; Protest; Fun; Grudge. Source: Verizon Data Breach Investigations Report, 2012. The vast majority of data thieves are motivated by financial gain.

Coming in From the Cold

How should organizations respond to the threat of weaponized malware and APTs? Clearly, no single tool or technique would have thwarted Flame, or the majority of other recently discovered APTs. But tried-and-true security approaches can significantly shrink your attack surface and reduce your risk.

Bear in mind that 90 percent of successful attacks exploit known vulnerabilities for which a patch or configuration standard is already available, according to Gartner research. Renewed vigilance and investment in data-security basics can go a long way toward protecting your organization.

Many of the lessons learned from Flame and other weaponized malware point to effective endpoint-security strategies and technologies:

Patch and Configuration Management— Weaponized malware and APTs inevitably exploit application vulnerabilities. Patch and configuration management lie at the heart of a layered, defense-in-depth approach to endpoint security. Implemented effectively, these mechanisms can eliminate much of the attackable surface area of your endpoints.

An effective patch and configuration solution enables patching of all versions of Microsoft and other operating systems, as well as Microsoft, third-party and custom applications. It should also support patching based on the Common Vulnerabilities and Exposures (CVE) database.

The solution should let you establish patch baselines. That way, if a user installs an earlier version of an application or reverts to an earlier state, the application will automatically be patched, without reporting a new problem and requiring manual intervention. It should also enforce the rule of least privilege, enabling you to set up your endpoints with the most secure configuration your business needs allow.

Finally, your patch management solution should support a life-cycle approach:

» Discover—Gain complete visibility of your network environment.
» Assess—Identify known issues before they can be exploited.
» Prioritize—Focus on your most critical security risks first.
» Remediate—Automatically deploy patches across your entire network.
» Report—Consolidate discovery, assessment and remediation data in a single management console.

[Figure 4] Threat Sources (share of breaches, 0% to 90%): Hacking; Malware; Physical; Social Eng.; Data Misuse; Error. Source: Verizon Data Breach Investigations Report, 2012. Hacking and malware have long been the biggest threats to data security, and they continue to grow.

Application Control— Traditional application control blocks all executables except those on your whitelist. This offers a strong security model, but it’s not flexible enough for today’s dynamic endpoints, which continually require new applications, patches and updates.

The solution is intelligent whitelisting. Intelligent whitelisting prevents malware and unapproved applications from running on your endpoints, while giving you the flexibility to adapt to changing business needs. Whitelisting has the potential to stop much weaponized malware and many APTs dead in their tracks.

An effective whitelisting solution is built around a trust engine that lets you define criteria for trusted applications. You can define trusted publishers, updaters, paths or locations. You can specify trusted authorizers, so certain users can run software that would otherwise be blocked. You can approve or deny globally, for groups of users or for individual endpoints.

Intelligent whitelisting also lets you maintain a blacklist of denied applications. The blacklist can override the whitelist to block specific applications regardless of publisher or path, for example.

The intelligent whitelisting life cycle includes the following key phases:

» Discover—Gain a snapshot of all endpoints to identify all running executables.
» Define—Set policies that automate how new applications are introduced and executed on endpoints.
» Enforce—Block unknown and unauthorized applications from executing by default, and prevent zero-day attacks automatically.
» Manage—Leverage the trust engine to update your whitelists to deploy software, and generate reports to demonstrate compliance.

Device Control— Removable devices such as USB sticks are useful for sharing files. They’re also a popular vector for attacks such as Stuxnet and Flame. That calls for effective device control.

A good device-control solution centrally automates the discovery and management of removable devices. It defines and enforces device-use and data-encryption policies by group and by user. It also captures detailed forensic information to track data events.

The device control life cycle covers the following:

» Discover—Identify all removable devices connected to your endpoints.
» Define—Create rules at both default and machine-specific levels for groups and individual users.
» Monitor—Continuously observe device and data-use policies by logging all device connections and tracking all file transfers.
» Enforce—Implement device and data-use policies through file-copy limiters and file-type filtering. Also enforce encryption of data moved onto removable devices.
» Manage—Generate reports on device and data activity to track events and show compliance.

Antivirus— Let’s face it, AV is no match against zero-day, weaponized malware. But that doesn’t mean AV isn’t a crucial layer in your defense-in-depth approach to security.

Effective AV quickly and accurately identifies all known viruses, worms, Trojan horses, rootkits, keyloggers, spyware and adware. It also employs multiple detection techniques to identify and block zero-day exploits. Your AV should combine traditional signature-matching capabilities with newer “DNA matching,” sandbox and exploit-detection technologies to provide the most proactive protection. It should also enable granular policy management, with the ability to schedule multiple AV scans per endpoint with various scan settings and times.

The AV life cycle involves these steps:

» Assess—Leverage signature-based scanning to identify known malware, and behavioral analysis to assess suspicious code.
» Monitor—Prevent known malware and suspicious code from executing, and remove it from network assets.
» Remediate—Use customized triggers to generate alerts and continually understand network health.
» Report—Generate reports to analyze incidents and ongoing network status.

Integrate and Conquer

The crux of effective endpoint security is that all your safeguarding technology be integrated to achieve truly layered, defense-in-depth security. And that doesn’t mean disparate solutions lashed together with a common user interface. Rather, it calls for real integration, with a shared database, common workflows and a single management console.

An integrated security suite delivers the same functionality as individual applications, but it gives you a consistent, accurate and comprehensive picture of your security posture. It also lets you control your environment from a single screen, without duplication of agents on every endpoint. Results include reduced total cost of ownership, improved endpoint management and stronger endpoint and data security. (See Figure 5.)

Effective endpoint security does more than simply protect against weaponized malware, APTs and other threats. After all, you don’t invest in information security merely for the sake of protecting data. Defense-in-depth security gives your employees safe access to the tools and information they need to do their jobs. And it better positions your enterprise to compete and win in the marketplace. That’s a weapon that should be in every organization’s arsenal.

[Figure 5] Defense-in-Depth Endpoint Security. Traditional Endpoint Security: AntiVirus, Application Control, Device Control, with blacklisting as the core. Emerging Endpoint Security Stack: threats (Malware as a Service, 3rd Party Application Risk, Consumerization of IT, Zero Day) met by Patch & Configuration Mgmt., Application Control, AntiVirus and Device Control in a defense-in-depth arrangement. Traditional safeguards can leave your endpoints vulnerable. A more effective approach is defense-in-depth, in which layers of protection deliver true security.

About Lumension Security, Inc.

Lumension Security, Inc., a global leader in endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, Antivirus and Reporting and Compliance offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Texas, Florida, Washington D.C., Ireland, Luxembourg, Singapore, the United Kingdom, and Australia. More information can be found at www.lumension.com.
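The trust-engine decision model described under Application Control above (trusted publishers, paths and authorizers; approvals scoped globally, per group or per endpoint; a blacklist that overrides the whitelist; deny by default), worked through as an added Python example. This is illustrative code written for this page, not Lumension's product logic; every policy value, path, user name and hash in it is a constructed placeholder.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Illustrative trust engine modelled on the intelligent-whitelisting rules in
# the paper; every policy value, path, user and hash below is a constructed placeholder.

@dataclass
class Executable:
    path: str
    sha256: str               # file hash (constructed placeholder values)
    publisher: Optional[str]  # signer name, only if the signature verified
    user: str
    groups: Tuple[str, ...]
    endpoint: str

@dataclass
class TrustPolicy:
    trusted_publishers: Set[str] = field(default_factory=set)
    # Trusted paths end with a separator so "C:\Program Files Evil\" cannot
    # match "C:\Program Files\"; ordinary users must not be able to write there.
    trusted_paths: Tuple[str, ...] = ()
    trusted_authorizers: Set[str] = field(default_factory=set)
    # hash -> scopes approved for it: "global", "group:<name>", "endpoint:<name>"
    approved_hashes: Dict[str, Set[str]] = field(default_factory=dict)
    blacklist_hashes: Set[str] = field(default_factory=set)

    def decide(self, exe: Executable) -> Tuple[str, str]:
        h = exe.sha256.lower()
        # 1. The blacklist overrides every whitelist criterion.
        if h in self.blacklist_hashes:
            return "deny", "blacklisted hash"
        # 2. Explicit approvals apply globally, per group or per endpoint.
        scopes = {"global", f"endpoint:{exe.endpoint}"} | {f"group:{g}" for g in exe.groups}
        if scopes & self.approved_hashes.get(h, set()):
            return "allow", "approved hash"
        # 3. Signed by a trusted publisher (signature verified before this point).
        if exe.publisher in self.trusted_publishers:
            return "allow", f"trusted publisher {exe.publisher}"
        # 4. Launched from a trusted location.
        if any(exe.path.lower().startswith(p.lower()) for p in self.trusted_paths):
            return "allow", "trusted path"
        # 5. A trusted authorizer may run software that is otherwise blocked.
        if exe.user in self.trusted_authorizers:
            return "allow", f"trusted authorizer {exe.user}"
        # 6. Anything unknown is denied by default.
        return "deny", "unknown executable"

# Constructed sample policy.
POLICY = TrustPolicy(
    trusted_publishers={"Example Corp"},
    trusted_paths=("C:\\Program Files\\",),
    trusted_authorizers={"alice"},
    approved_hashes={"aaaa1111": {"group:engineering"}},
    blacklist_hashes={"bbbb2222"},
)

def run_samples() -> Dict[str, str]:
    """Evaluate a few constructed launches; returns {case name: decision}."""
    cases = {
        "blacklisted despite trusted publisher and path":
            Executable("C:\\Program Files\\Tool\\tool.exe", "BBBB2222", "Example Corp", "alice", ("engineering",), "ws-01"),
        "unsigned download":
            Executable("C:\\Users\\bob\\Downloads\\setup.exe", "cccc3333", None, "bob", (), "ws-02"),
        "look-alike directory":
            Executable("C:\\Program Files Evil\\x.exe", "dddd4444", None, "bob", (), "ws-02"),
        "group-approved hash, group member":
            Executable("D:\\tools\\cad.exe", "aaaa1111", None, "carol", ("engineering",), "ws-03"),
        "group-approved hash, non-member":
            Executable("D:\\tools\\cad.exe", "aaaa1111", None, "bob", (), "ws-02"),
    }
    return {name: POLICY.decide(exe)[0] for name, exe in cases.items()}
```

The order of the checks is the point: the blacklist is consulted first so that a denied hash stays denied even when it is signed by a trusted publisher and sits in a trusted path, and a launch that matches nothing falls through to deny.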