
Network Security Update: Beware Malware's "Green" Messaging

By Will Gragido CISSP CISA NSA-IAM / IEM, Digital Vaccine Labs, HP TippingPoint

Going green is not solely relegated to environmentalists


Environmentalists the world over rejoice whenever anyone decides to take a stand that is pro-environment.  Stewardship of resources is imperative to preserving them for future generations. 


This is a simple concept that is harder to put into practice—as is evidenced by the world we live in. Our complex world is full of motion, change, advancement, growth and development—all of which come at a price.


The Internet threat landscape is no different. On one hand, we see advancement in the form of truly new threats and the vehicles that bring them to our doorsteps, such as browser exploits or compound document exploits delivering some form of malicious JavaScript to us courtesy of an infected PDF. On the other hand, we also see a great deal of repurposing of malicious code and content which, not unlike developmental advancements in the “green” energy movement, sees developers doing more with less based on pre-existing technology. It’s a beautiful thing provided we are talking about irrigation systems that aid in the sustainment of crops—but not so beautiful when talking about artificially intelligent malicious code and content that aids in emptying bank accounts.


Examples of eco-friendly malicious code and content

I can think of no better example of eco-friendly malicious code and content than those associated with botnets.


We are inundated with information related to threats of varying design, severity and criticality on an almost daily basis. This onslaught of information forces us to set priorities while often overlooking the elephant in the room: botnets.


Botnets are quite eco-friendly in relation to the threat landscape. They have been in existence in one form or another since the late 1990s, experiencing a renaissance of sorts about five years ago. Botmasters (those who own, run and operate botnets) are masterful in their ability to repurpose or recycle pre-existing code in order to meet their needs and the needs of their customers and subscribers.  


Often, large portions of source code are augmented while key elements are preserved, ensuring that the new code capitalizes on the initial strengths demonstrated by the botnet while overcoming any shortcomings. (Storm, Waledac and Koobface are excellent examples of this.) The result is a new, repurposed piece of code fit to serve the needs of its master.


Tackling this “green” menace


From a mitigation perspective, the challenge is sample acquisition, which is integral to botnet analysis, especially when examining command and control sequences.


We see this occur with other pieces of code, as in the case of the Monkif or Clampi bots—both of which were Trojans repurposed and enabled with command and control elements to serve the needs of their masters.


In essence, I believe we will see this trend continue as it is effective, economical and profitable. As threat mitigation experts, we need to prepare ourselves and our clients for the “greening” of the underground.


Create a non-traditional plan of action


Botnets will continue to proliferate through the repurposing of malicious code and content. Be prepared with a solid risk-based security program and a comprehensive, defense-in-depth architecture.


The reality is that enterprise organizations must embrace non-traditional technologies to mitigate these non-traditional threats. Enterprises that successfully combat botnets are those that increase their situational awareness. Be one of them!


Read up on botnets

To learn more, I suggest reading these:
