Inside Cyber Warfare - Jeffrey Carr [93]
Simple email forgery is easily done through the use of custom SMTP servers. Several programming languages provide simple APIs that can be used to forge emails, making them appear to come from any source the attacker chooses.
Once the email is sent, it becomes a weapon. The Word document attached to the mail carries a payload that infects anyone who opens the document. Signature-based intrusion-detection systems and anti-virus software will be unable to detect this attack: because it is a 0day exploit, only the attacker knows its structure, so no signature or heuristic exists to match it.
Once the unsuspecting victim opens the Word document, he will be silently infected, compromising all the data on his system. The attacker then installs a rootkit on the infected system, allowing for unfettered future access. The rootkits are sophisticated and can hide from even the most discerning detection mechanisms. As detection routines improve, so does the rootkit evasion logic, creating a dangerous game of cat and mouse, with the victim’s data as the price.
Command, control, and exfiltration of data
Ten years ago, detecting an infected system was somewhat simple. The majority of infected systems simply connected back to an attacker requesting commands to be executed. Many times, unencrypted communications channels were used to control infected systems, and exfiltration of sensitive data was easily spotted by intrusion-detection teams. Connection back to IRC channels in foreign countries was a telltale sign that a system was compromised, and monitoring of clear-text communications from infected systems was even used in intelligence/counterintelligence efforts. Figure 10-7 shows a small portion of captured IRC communications from antiquated malware.
Figure 10-7. Clear-text command and control communication from malware
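The clear-text IRC traffic the paragraph describes can be spotted with simple protocol parsing. The following is an added example (not from the book) that parses a constructed IRC session, not the traffic in Figure 10-7, and flags the indicators the text mentions: templated bot nicknames, joins to keyed channels, sigil-prefixed commands and URLs in messages. The nickname template and the "." command prefix are assumed conventions of old IRC bots, not values taken from the book.

```python
import re
from typing import List, Tuple

# Constructed sample of a clear-text IRC session in the style of the
# antiquated malware traffic the text describes; not the book's Figure 10-7.
SAMPLE_SESSION = """\
NICK [USA|XP]1a9f3c
USER a9f3c 0 * :a9f3c
JOIN #botz secretkey
:ops!ops@example.invalid PRIVMSG #botz :.status
:ops!ops@example.invalid PRIVMSG [USA|XP]1a9f3c :.update http://example.invalid/u.exe
PRIVMSG #botz :status ok
PRIVMSG #botz :see http://example.invalid/readme
"""

# Nicknames built from a template such as [COUNTRY|OS]<hex id> suggest an
# automated client rather than a person chatting (assumed convention).
BOT_NICK = re.compile(r"^\[[A-Z]{2,3}\|[A-Za-z0-9]+\][0-9a-f]{4,}$")
# Bot commands in old IRC C2 were commonly prefixed with a sigil like "." or "!".
BOT_CMD = re.compile(r"^[.!][a-z]+\b")
URL = re.compile(r"https?://\S+")


def parse_irc_line(line: str) -> Tuple[str, str, List[str]]:
    """Split one IRC line into (prefix, command, params); the trailing param is kept whole."""
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split()
        params.append(trailing)
    else:
        params = line.split()
    command = params.pop(0).upper() if params else ""
    return prefix, command, params


def find_c2_indicators(session: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each line that looks like bot C2 traffic."""
    findings = []
    for n, raw in enumerate(session.splitlines(), start=1):
        _, command, params = parse_irc_line(raw)
        if command == "NICK" and params and BOT_NICK.match(params[0]):
            findings.append((n, "templated bot nickname"))
        elif command == "JOIN" and len(params) >= 2:
            findings.append((n, "join to keyed channel"))
        elif command == "PRIVMSG" and len(params) >= 2:
            text = params[1]
            if BOT_CMD.match(text):
                findings.append((n, "sigil-prefixed bot command"))
            elif URL.search(text):
                findings.append((n, "URL in message"))
    return findings
```

Running `find_c2_indicators(SAMPLE_SESSION)` flags five of the seven lines; an ordinary chat session (plain JOIN, conversational PRIVMSG) produces no findings.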
Today’s malware is more sophisticated and more covert. Generally speaking, today’s malware is never written to disk and is stored only in the system’s memory. This makes the forensics effort extremely difficult. Researchers from Core Security Technologies, and John Heasman from NGSSoftware Insight Security Research, have demonstrated practical examples of how memory-resident and PCI-based rootkits can be deployed against targets.
Additionally, gone are the days when compromised systems transmitted stolen data in the clear, directly back to the attackers’ systems. Today’s sophisticated malware takes painstaking steps to hide its communication and intentions. Encrypted commands, communications over HTTP, decentralized command and control, and exfiltration of data through covert means are the norm. For example, take the advanced versions of the Nugache malware. Researchers Dave Dittrich from the University of Washington and Sven Dietrich from the Stevens Institute of Technology studied the Nugache malware and demonstrated how it used 256-bit Rijndael to encrypt P2P command and control communication. Because proper crypto algorithms were implemented, even with full access to the runtime in-memory data structures, the researchers were able to decrypt the data flow in only one direction.
Why client-side 0day vulnerabilities can be so devastating
Client-side exploits target software installed on a victim’s system. Web browsers, web browser plug-ins (Java, Flash, Silverlight, etc.), word-processing software, PDF readers, and even the operating system itself are all considered client-side software. On the other hand, server-side software includes web and email servers.
Client-side 0day exploits have gained popularity with organizations employing offensive operations. Discovering vulnerabilities in a popular client-side component affects millions of users, and the research required to discover them can be done covertly, with no external indication that it is being conducted. Once a client-side vulnerability is discovered and an exploit is developed, the attacker has a weapon, ready to be deployed at a moment’s notice.
Client-side exploitation carries with