Another day. Another hack. One day it’s black hats making headlines with a massive hack on Home Depot. The next, it’s the theft of 4.5 million U.S. hospital records or 1.2 billion web credentials. The connected world is under siege and the current cyber security approach is falling woefully short — as evidenced by the headlines.
Why are cyber criminals winning?
Today’s cyber security paradigm is a reactive cycle: when a threat is exposed, it is analyzed and a counter-solution is designed with response times varying from weeks to years. The trouble is that attackers can easily reuse pieces of previous malware, modify them, and create a brand new threat, bypassing the newly updated security measures.
Attackers can simply copy pieces of code from previous malware, such as exploits, decryptors or modules (keyloggers, backdoors etc.), and incorporate them into the new malware they are developing. Alternatively, attackers can imitate the operational methods performed by other malware, needed for the success of the operation (persistence methods for example).
By reusing code and methods, hackers gain the upper hand. New malware is cheaper and easier to develop, while the tools needed to locate and disable it are only becoming more expensive. All the while, defenders need to cover a growing array of potential targets, each with their own set of weaknesses. For every dollar spent by cyber attackers, hundreds of dollars are being spent by the IT security industry. This economic imbalance is the springboard from which cyber-crime, cyber-terrorism and cyber-warfare are launched. Thus, code and method reuse has become an intrinsic part of the DNA structuring of malware development today.
A number of malware used in prominent cyber attacks over the past year, both in espionage program Advanced Persistent Threats (APTs) and in cybercrime, serve as prime examples of reuse of both code and methods – BlackPOS, Mask, Snake,and Zberp to name a few.
BlackPOS is the malware responsible for stealing credit card information from the Target and Neiman-Marcus department stores in December 2013. The attackers reused the entire code of an earlier variant of the BlackPOS malware, modifying it slightly to deal with the specific PoS software used in Target. Yet another variant of the BlackPoS model returned in April-May 2014, stealing an even bigger number of credit cards from the Home Depot retail chain.
Mask, revealed in February 2014, is a large (and possibly state-sponsored) malware operation that attacked 31 countries, covering more than 380 unique victims. The malware uses a complex implant that performs a large number of surveillance functions on the target. Mask reuses known vulnerabilities in the Java Runtime Environment and Adobe Flash Player.
The Snake (AKA Turla, Uroburos) APT was revealed in March 2014 to have been targeting government and military organizations in countries of the Former Soviet Union, the European Union, U.S.and U.K. Based on several similarities, the malware is assumed to be the work of the creator of Agent.BTZ, that infiltrated the US Department of Defense network in 2008.
A very recent example of the reuse phenomenon is Zberp, which attacked some 450 financial institutions around the world during the first half of 2014. Zberp enables attackers to steal information such as SSL certificates and FTP account credentials, and allows attackers remote access to the infected target. It reuses code and methods from Zeus, the infamous banking malware, and Carberp, another major banking malware discovered in 2010. The reused methods include Steganography, which hides malicious code in pictures, and API Hooking, whose code was copied from Carberp with only slight modifications.
The bottom line is that as long as we give cyber criminals the opportunity to reuse and recycle code, hacking makes financial sense. Until hackers are forced to create attack chains from scratch they will continue to win. And therein lies the challenge.
Shlomi Boutnaru is CTO of CyActive and has a decade of cyber security experience. Formerly manager of COE (Center of Excellence) Cyber & Security at Matrix, he managed Matrix’s entire cyber security operation, including development and integration of security products, analysis of malicious code, and penetration-testing. Prior to that, he served in elite Israeli military units (Intelligence and IAF). He is a lecturer on information security in leading institutes in Israel and abroad.