Monday, September 14, 2015

Malware's Use of Legitimate Software

Hey everyone.  I was browsing the Internet when I stumbled across a couple of links that got me thinking.  In this post, we will discuss malware that leverages "legitimate" software to do its dirty work.

The first article is from Talos, entitled Malware Meets Sysadmin - Automation Tools Gone Bad.  In short, this article talks about a piece of malware floating around that tricks a user into downloading AutoIt and an associated script via a macro in a Word document.  AutoIt is a piece of software for Windows that allows the user to write a script that simulates key presses, manipulates processes, and calls Windows API functions, among other things.  It has legitimate uses, like automating repetitive sysadmin tasks.  However, like lots of other tools, it can be used in ways that are not intended.

First, let's take a moment to talk about how malware is deployed on a computer.  Malware is typically deployed in stages.

Stage 1 is initial infection.  This is the stage where the malware is first deployed onto the computer, usually via a drive-by download (man-in-the-middle) or phishing.  The stage 1 tool is typically small and might be used to check the environment for anything that the malware author might not want to deal with (like the malware running in a VM, because that might indicate that someone is examining it).  In the article above, the Stage 1 tool is the Word document that contained the malware.  Stage 1 tools will also survey a machine to see if it can determine vulnerabilities in installed software (usually by checking the versions).  This data is sent back to a server that the malware author controls, and the software for the next stage is selected and downloaded.

Stage 2 tools are loaders.  Loaders are tools used to prepare the environment for the persistent malware and pave the way for the malware to be installed.  Once the Stage 2 tool is downloaded, it will exploit a vulnerability identified before and unpack (or even download) the Stage 3 malware.  The stage 2 tool in the example above is AutoIt and the associated script.

Stage 3 is the persistent malware that the malware author communicates with.  Using this deployment, a malware author will download files, capture keystrokes, and make your computer a pivot to other computers in your network.  The Stage 3 tool in the example above is the RC4-encrypted binary.

So the malware in the example above uses a tool intended to automate system administration tasks for loading malware and surveying the computer.  Why would the malware author do this?

Motivations for Re-Purposing Legitimate Software

Using software that appears legitimate gives the malware credibility in the eyes of the user.  The crux of phishing attacks is to get the user to click on your malware (or a link to it) without knowing that it is malware.  If a user downloads something and it appears to be digitally signed, that user might be more inclined to trust it.  It is all about appearances.

Another Example

This next example also uses AutoIt, but its initial delivery is different.  The prior example used e-mail as a delivery mechanism for enticing the user.  Phishing is not the only threat that a user needs to be aware of.  They also have to be aware of the software they download.  Where is it from?  Do I trust the author?  Even if the user trusts the source and the author, that is not a guarantee that the software is benign.

Recently, a Reddit user posted that a beta for a game he downloaded from a link on Steam's Greenlight service contained malware.  Steam is a digital software distribution service primarily for games.  Greenlight is a service that allows Steam users to vote for games they want to see available for sale on the Steam store.  It sounds like a great idea in theory since game developers can see if there is an audience for their game, and gamers get to experience new games.  I will not get into all of the pros and cons of Greenlight, but there is one aspect that I would like to talk about: the low barrier for entry.

In most software ecosystems, such as Apple's iTunes, Google Play, Sony's PlayStation Network, and Microsoft's Xbox Marketplace, the host company does some degree of vetting of the software that a developer submits to the store.  This is to make sure that there is nothing in there that might violate the terms of use of the service (like malware embedded in the code).  It does not appear that Greenlight has any sort of vetting mechanism.  Allegedly, on the Greenlight page for a game called Dynostopia, a link to download a beta version was in fact malware.  According to reddit user toilet-roll, the malware ran a number of AutoIt scripts that manipulated his Steam profile and corrupted his Windows installation.  To be clear, the malware was not hosted by Valve (the company that hosts Steam).  Rather, the malware was behind a link on a Greenlight page.  It has since been removed by Valve because this story gained so much attention.

To me, this is an interesting technique to entice users to download malware.  The barrier for entry on Greenlight is very low.  All you have to do is buy access to publish on the service for $100.  That is it.  If you had the intent, you could create a page, put some fake screenshots on it, and host a "beta" version of your game that really contained some sort of malware.  This might be slightly harder in other ecosystems, like iTunes, but I still think it is possible.  Have you ever installed an app from iTunes or Google Play and paid attention to some of the permissions?  For example, there are games on Google Play that want permissions to retrieve running apps, find accounts on the device, and modify the contents of USB storage.  The things the apps want to do might be innocuous, but without analyzing the software, you have to trust the author.

As an awareness of information security becomes more widespread, malware authors will think of progressively sneakier ways to deploy their software.  So, how do you know if someone or the software they offer is trustworthy?  Some people say by using open source software.  That can certainly help, but there are pitfalls there too.  First, someone (or some group) has to vet the code.  Assuming you trust that someone or group, you might think you are in the clear.  However, how do you know that the build of the software does not have "additions" that are not present in the code?  You would have to build it yourself, which is not a process that everyone is willing to do.  Closed source software is not any better.  Take Windows 10 for example.  Even if you turn off all of the instances where data is sent back to Microsoft, you cannot turn off all of them, as in this screenshot:

At the end of the day, you have to trust someone (such as whoever develops your operating system) unless you want to throw your computer out of the window or use it as a boat anchor.  Even then, your data is on someone's computer, subject to the security practices they employ.  Therefore, my advice is not to place your trust in any one particular piece of software.  There is a motto that I have taken to heart, and it applies here: "Trust, but verify."  Verifying could mean monitoring network connections or filesystem changes externally (such as in a lab environment), or listening to people you trust.
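As an added illustration of that "verify" step (example code written for this post, not code from the Talos article or any of the tools it names): a small Python baseline-and-diff that snapshots a directory tree before an untrusted installer runs and reports what it added, removed or changed afterwards. The `demo()` scenario, including its file names and contents, is constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to (size, sha256)."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            state[rel] = (path.stat().st_size, hash_file(path))
    return state


def compare(before, after):
    """Files added, removed, or whose size/hash changed between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Constructed scenario: baseline a lab folder, run a pretend installer, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Program Files").mkdir()
        (root / "Program Files" / "game.exe").write_bytes(b"MZ original game")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)
        # The pretend installer drops a script, edits hosts and swaps the game binary.
        (root / "Program Files" / "update.au3").write_text("MsgBox(0, 'hi', 'hi')\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n127.0.0.1 updates.example\n")
        (root / "Program Files" / "game.exe").write_bytes(b"MZ tampered game")
        return compare(baseline, snapshot(root))
```

Run `snapshot()` against a clean lab image before installing, again after, and hand the `compare()` output to whoever is deciding whether the software is trustworthy.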

What are your thoughts?  Let me know in the comments below.  Thanks for reading!

1 comment:

  1. Wow, very interesting. I know that mobile app stores have their own app review processes, but from what I have read Steam does not. I wonder how much effort attackers have expended in attempting to gain access to developer Steam accounts? It would be crazy if a big dev's account was owned and they replaced the game's binary with Cryptolocker or something. I'm sure it would only be up for ~30 minutes if it were that blatant, but they could probably hit ~5,000 users in that time.

    I agree with you about having to trust developers and manufacturers. I'm not going to roll my own system or browse the web in text -- and I'm certainly not going to give up gaming, so I'm trapped. I feel pretty secure just practicing good internet hygiene, reading/listening to netsec blogs/podcasts, and using a separate system for sensitive stuff (banking).