RSAC 2016: Demystifying a Malware Attack
At RSAC last week, Christopher Elisan, Principal Malware Scientist at RSA, gave the talk, Demystifying a Malware Attack. This was an inside look into how malware is spread and the different types of attacks, as well as a dissection of the malware attack infrastructure.
How Malware is Spread
Malware is spread through opportunistic attacks such as drive-by downloads and links to malicious attachments, with the objective of spreading malware in any way possible. Free apps are another way malware can infect personal devices; some even charge your credit card.
Other attacks target certain individuals by name or position, typically those with more privileged access to corporate systems and infrastructure, such as IT administrators and Chief Information Security Officers (CISOs). Attackers will also target contractors of bigger companies, since smaller contractors often don’t have the same IT security policies as their clients.
Social media is a major source of information - the family of a target can reveal details about their whereabouts, perhaps revealing that the target is attending the RSA conference. An attacker might use that information to send RSA-related emails to targets; some will even send USB sticks or DVDs loaded with malware.
Another way to gather information about targets is to find out what systems and security solutions their company uses. One way to find that information is to look at the company’s job listings, as companies will often name the systems and software they run in a job description that calls for candidates with experience in them. More security-savvy companies won’t list that information, but sometimes people from within the company will join tech forums and talk about their systems publicly online.
Malware Attack Infrastructure
It all starts with deployment technology - something an attacker uses to deploy malware, such as an email or a USB stick. Once the deployment succeeds, a malware installer runs. After installing the malware, the installer completely deletes itself from the system to avoid detection.
That way, security solutions only get information about the malware installer. That is also the problem with many security solutions - they report data on the malware installer and not on the actual malware, which can lead IT administrators to believe that their systems are not infected when in fact they are.
The malware installer checks the cloud for new malware updates before installing malware on the targeted system. The malware-serving domain delivers many different malware components. In the early days, malware was just one file. Nowadays, malware comes in packages with several different components that help it get a foothold in your system. The five malware components are:
- A configuration file - sends commands from a bot agent
- An attack component
- A regeneration component - checks the malware infection in system regularly - if a component is missing, it’ll try to rebuild it
- A rootkit component - to help deter reverse engineering and pirating of the malware code
- A bot agent - contains a keylogging component, checks for malware updates, and receives commands from an attacker’s server, for example to launch a DDoS attack against the company
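The installer-then-self-delete pattern described above leaves a detectable trace in endpoint telemetry: a process writes new files to disk and its own executable disappears shortly afterwards. The following heuristic is an added example written for this summary, not code from the talk or from RSA; the event format and the sample events are constructed for illustration.

```python
"""Heuristic detection for the installer-then-self-delete pattern described above:
flag a process that writes new files (dropped components) and whose own executable
is deleted shortly after it started, whichever process performs the delete."""
from collections import defaultdict

# Constructed sample endpoint telemetry (not from any real system); ts in seconds.
EVENTS = [
    {"ts": 0, "type": "process_start", "pid": 100, "path": r"C:\Users\a\Downloads\invoice.exe"},
    {"ts": 1, "type": "file_write", "pid": 100, "path": r"C:\ProgramData\svc\config.dat"},
    {"ts": 2, "type": "file_write", "pid": 100, "path": r"C:\ProgramData\svc\agent.dll"},
    {"ts": 2, "type": "process_start", "pid": 101, "path": r"C:\Windows\System32\cmd.exe"},
    # Self-deletion delegated to a cmd.exe child, a common dropper pattern.
    {"ts": 3, "type": "file_delete", "pid": 101, "path": r"C:\Users\a\Downloads\invoice.exe"},
    # A legitimate installer: writes files, but its own image stays on disk.
    {"ts": 10, "type": "process_start", "pid": 200, "path": r"C:\Temp\editor_setup.exe"},
    {"ts": 11, "type": "file_write", "pid": 200, "path": r"C:\Program Files\Editor\editor.exe"},
    # A transient tool that removes itself but dropped nothing: not flagged.
    {"ts": 20, "type": "process_start", "pid": 300, "path": r"C:\Temp\tmp.exe"},
    {"ts": 21, "type": "file_delete", "pid": 300, "path": r"C:\Temp\tmp.exe"},
]


def find_self_deleting_droppers(events, window_s=60):
    """Return one alert per process whose image was deleted within window_s seconds
    of its start and which had already written at least one file to disk."""
    image_of = {}                 # pid -> (image path, start ts)
    pid_by_image = {}             # lower-cased image path -> pid started from it
    writes = defaultdict(list)    # pid -> paths it wrote
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process_start":
            image_of[ev["pid"]] = (ev["path"], ev["ts"])
            pid_by_image[ev["path"].lower()] = ev["pid"]
        elif ev["type"] == "file_write":
            writes[ev["pid"]].append(ev["path"])
        elif ev["type"] == "file_delete":
            # Match on the deleted path, not the deleting pid: the installer often
            # hands the delete to a child process rather than deleting itself directly.
            pid = pid_by_image.get(ev["path"].lower())
            if pid is None:
                continue
            image, started = image_of[pid]
            if writes[pid] and ev["ts"] - started <= window_s:
                alerts.append({"pid": pid, "installer": image, "deleted_by_pid": ev["pid"],
                               "dropped": list(writes[pid])})
    return alerts


if __name__ == "__main__":
    for alert in find_self_deleting_droppers(EVENTS):
        print(alert)
```

The alert records the dropped component paths, which is exactly the information the talk says installer-only reporting loses.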
Then, the malware sends stolen information to a domain drop zone. If attackers are bold enough, they may simply use the information to charge cards insignificant amounts of money that won’t warrant an investigation.
Malware kits are also popular and distributed widely online, not just on underground dark web forums, but via search engines. Malware kits are now customizable through automated programs. If they’re sold for just 10 cents each, they can be profitable if millions are sold.
Malware attacks require a holistic look at the roles and systems of a target, the malware infrastructure, and the different roles required to support that infrastructure. As Christopher stated, we can get an even bigger picture by pairing this information with more technical and legal research.