Extreme Makeover: Malware Edition

Hackers using Construction Kits to quickly renovate malware

Recently, the SecureWorks Security Research Group discovered many new, previously unknown variants of the Prg Trojan. SecureWorks already has countermeasures in place which protect our clients from the Prg Trojan and its variants. Also, SecureWorks immediately notified research partners, anti-virus vendors and law enforcement officials upon discovering the new variants.

Further investigation into this threat revealed that the variants were being created by hackers using a kit they purchased from the Trojan’s original author. Complete with a three-page instruction manual on how to create new variants, this construction kit lets the hackers develop new versions of the Trojan faster than antivirus vendors can keep up. As a result, the hackers have been able to continually evade most anti-virus software simply by launching a new variant as soon as they notice an older one being detected.

"Construction kits" such as this one are a growing trend in the underground malware "industry." Several organized hacker groups are using the kit described above to streamline their illegal operations. The criminals behind most of the Prg Trojan schemes to date have gathered the account records of more than 10,000 individuals. Considering this was done with minimal effort using a pre-packaged tool, such malware construction kits will become more and more prevalent.

So what does this mean for businesses? For starters, it means there’s a greater chance of being attacked with malware that will go undetected by your antivirus. Antivirus products that rely on signatures to identify threats cannot stop this threat alone. Signatures can only detect known threats and malware construction kits let even novice cyber criminals easily create their own new variants. Already, multiple organized hacker groups have purchased the Prg Trojan kit and are using it to carry out their own unique attacks that evade antivirus detection.

The best approach to protecting against threats such as these is defense-in-depth. Instituting multiple layers of security controls such as the following (in addition to traditional antivirus products) will minimize the risk of variants damaging your business:

  • Behavior-based, or heuristic, security systems. These technologies help to detect previously unknown malware by analyzing past network traffic and identifying irregular behavior. While not a replacement for signature-based systems, behavior-based technology can help detect zero-day attacks that slip past them.
  • Well-maintained spam filters. A large percentage of Trojans and worms are distributed by email. Keeping spam filters up to date will help to keep malicious attachments and URL links from reaching user inboxes.
  • Installing the latest operating system and application security patches. Even though malware variants can differ significantly from known malware, chances are they will still attempt to exploit the same vulnerabilities. Applying the latest patches removes many of these vulnerabilities.
  • Network and Host Intrusion Prevention Systems (IPS). Many IPS technologies, including SecureWorks’ iSensor, identify and block attacks based on the vulnerability that is targeted as opposed to the exploit method used by the malware. Having IPS deployed will protect against any variants, even brand new ones, which try to exploit known vulnerabilities.

While these measures will reduce the risk presented by malware, there is no "silver bullet" when it comes to defending against IT threats. Even if all of the above security controls are in place, vigilance is still essential to safeguarding your assets in today’s security landscape. Ongoing correlation and analysis of logs and alerts from security technologies, servers, and applications is key to protecting against malware variants that evade individual security controls.

What are Botnets?

Introduction

Responsible for spreading vast amounts of malware, deploying Distributed Denial of Service (DDoS) attacks, supporting phishing scams, and distributing 70% of all spam on the Internet, botnets are a serious threat to consumers and businesses of all sizes. While millions of infected computers belong to botnets, few users are aware that their PCs are supporting corrupt botnet activity.

What are Botnets?

Botnets, derived from the terms ‘robot’ and ‘network’, are networks of malware-infected computers controlled by a remote server. Botnets consist of bots that discreetly install themselves on hundreds, thousands or millions of different computers. In this context, bots are the applications that distribute the spam, malware, etc. The bots continuously infect new computers and create an army of zombies that work together to conduct malicious activity.

What are Zombies?

The infected computers are referred to as zombies. All zombies of the bot herder’s army blindly follow orders to conduct DDoS attacks, phishing scams, spam operations, and other criminal activities. Though the infection is usually transparent to the user, behind the scenes the zombie is working overtime taking commands from the remotely located bot herder.

What is a Bot Herder or Bot Master?

Bot herder and bot master are terms used interchangeably to describe the hacker who controls a botnet. The bot herder can be located anywhere in the world (though approximately 30% are found in the US). Bot herders usually target unpatched computers that can easily be exploited and ‘trained’ for attack. There are thousands of bot herders and each can control millions of computers in a single botnet. More often than not, bot herders are motivated by financial gain.

How are Botnets Used?

Zombie PCs in a botnet can execute any program the bot herder writes for it. Some of the more common ways botnets are used are:

  • Distributed Denial of Service (DDoS). These attacks involve using a botnet to flood a network’s bandwidth or resources, preventing legitimate network traffic. With a large enough botnet, the bot herder can slow or even shut down networks.
  • Identity Theft. Because bot herders can have virtually unlimited access to zombie computers, they can easily collect any account numbers, usernames, passwords and other confidential information stored on the zombies.
  • Spam. Zombie machines are commonly used to generate huge volumes of spam. According to Merrick Furst, associate dean for undergraduate programs at Georgia Tech’s College of Computing, “over 80% of all spam messages are coming from bot armies right now.”
  • Malware. Botnets are frequently the launching point for viruses, worms, Trojans, and other types of malicious code.

How can you Protect against Botnets?

  • Keep your systems updated. Download the most recent updates of anti-malware tools (anti-virus, anti-spyware, etc.) and patches. Keep applications updated by downloading or installing the latest versions.
  • Be wary of suspicious email. Educate users to always verify questionable emails and never click on a link or open an attachment in a message from an unverified source.
  • Control the use of ActiveX and JavaScript. Hackers take advantage of active web content to automatically download and execute malware once a web page is visited. Disabling or limiting the use of ActiveX and JavaScript will keep the malicious code from infecting user PCs.
  • Use Network Intrusion Prevention Systems (NIPS). Properly managed NIPS devices will block attempts to compromise hosts as well as detect tell-tale zombie activity and prevent additional infections.
  • Monitor your firewall logs. Because a botnet can grow without limit, zombies are promiscuous in their attempts to infect others. Close scrutiny of both ingress (inbound) and egress (outbound) firewall traffic can alert you to zombies on your network.
  • Know your ISP’s emergency contact number. The best way to mitigate DDoS attacks is to filter the traffic at the ISP before it reaches your network.
  • Filter malicious content. Use content filtering technology to block malicious web pages and spam that would otherwise infect user PCs.
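As an added illustration of the log correlation recommended earlier and the firewall-log scrutiny in the list above (example code written for this page, not a SecureWorks tool), the script below parses a constructed egress firewall log in an assumed format and flags two zombie-like patterns: one host fanning out to many peers on a single port (worm-style propagation) and a host that is not a sanctioned mail relay talking SMTP directly to outside servers (spam zombie). Thresholds, the log format and all addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample egress firewall log (an assumed format, not from the original page).
SAMPLE_LOG = """\
2007-08-01T10:00:01 ACCEPT OUT src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=80
2007-08-01T10:00:02 ACCEPT OUT src=10.0.0.2 dst=198.51.100.20 proto=tcp dport=25
2007-08-01T10:00:03 ACCEPT OUT src=10.0.0.2 dst=198.51.100.21 proto=tcp dport=25
2007-08-01T10:00:04 ACCEPT OUT src=10.0.0.2 dst=198.51.100.22 proto=tcp dport=25
2007-08-01T10:00:05 DROP OUT src=10.0.0.7 dst=192.0.2.1 proto=tcp dport=445
2007-08-01T10:00:05 DROP OUT src=10.0.0.7 dst=192.0.2.2 proto=tcp dport=445
2007-08-01T10:00:06 DROP OUT src=10.0.0.7 dst=192.0.2.3 proto=tcp dport=445
2007-08-01T10:00:06 DROP OUT src=10.0.0.7 dst=192.0.2.4 proto=tcp dport=445
2007-08-01T10:00:07 ACCEPT OUT src=10.0.0.9 dst=198.51.100.30 proto=tcp dport=25
2007-08-01T10:00:08 ACCEPT OUT src=10.0.0.9 dst=198.51.100.31 proto=tcp dport=25
2007-08-01T10:00:09 ACCEPT OUT src=10.0.0.9 dst=198.51.100.32 proto=tcp dport=25
2007-08-01T10:00:10 ACCEPT IN src=203.0.113.50 dst=10.0.0.5 proto=tcp dport=80
"""

LINE_RE = re.compile(r"(?P<ts>\S+) (?P<action>\w+) (?P<dir>IN|OUT) src=(?P<src>[\d.]+) "
                     r"dst=(?P<dst>[\d.]+) proto=\w+ dport=(?P<dport>\d+)$")

def parse_log(text):
    """Parse lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({**m.groupdict(), "dport": int(m["dport"])})
    return events

def find_zombie_suspects(events, fanout_threshold=4, smtp_threshold=3, mail_hosts=frozenset()):
    """Return {src: [reasons]} for internal hosts whose egress traffic looks zombie-like."""
    per_port = defaultdict(set)   # (src, dport) -> distinct destinations contacted
    for ev in events:
        if ev["dir"] == "OUT":    # only egress traffic matters for these two heuristics
            per_port[(ev["src"], ev["dport"])].add(ev["dst"])
    suspects = defaultdict(list)
    for (src, dport), dsts in per_port.items():
        # Heuristic 1: one host touching many peers on one port (worm-style propagation)
        if len(dsts) >= fanout_threshold:
            suspects[src].append(f"fan-out to {len(dsts)} hosts on port {dport}")
        # Heuristic 2: direct SMTP from a host that is not a sanctioned mail relay (spam zombie)
        if dport == 25 and src not in mail_hosts and len(dsts) >= smtp_threshold:
            suspects[src].append(f"direct SMTP to {len(dsts)} external servers")
    return dict(suspects)

if __name__ == "__main__":
    for host, why in find_zombie_suspects(parse_log(SAMPLE_LOG), mail_hosts={"10.0.0.2"}).items():
        print(host, "->", "; ".join(why))
```

In practice the thresholds should be tuned per network and the sanctioned mail relays fed from an inventory, so that a legitimate mail server such as 10.0.0.2 in the sample is not reported.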

How can SecureWorks help?

SecureWorks provides a wide array of services that protect our clients from Internet threats, including botnets. Our services include:

  • Security Management
  • Security Monitoring
  • Self-Service Security
  • Professional Services
