Executive Summary

Malware seriously threatens an organization's ability to protect its critical information resources, including confidential business and client information. This report analyzes weaknesses in existing technical infrastructure, the associated risks, past incidents, and the potential impact of malware. It also provides recommendations for mitigating the exposures and subsequent liabilities associated with malware infection.

The key findings of this report are as follows:
- Malware presents serious risks to the information assurance of all organizations
- The overall risk, threat, and complexity of malware are continually increasing
- Many organizations have experienced past malware infections
- Future malware infections are very likely
- There are critical weaknesses in traditional perimeter security
- Visibility into Internet-based activity is typically limited
- Existing perimeter security technologies are often not strongly integrated

The key recommendations for mitigation are:
- Develop a perimeter security policy
- Implement a comprehensive content control system
- Implement a strong firewall egress filter
- Leverage log correlation tools for full visibility and proactive notification
- Identify a technology roadmap to ensure ongoing protection against malware

Financially motivated malware continues to increase in frequency and in its ability to thwart existing security controls. The effects of malware have directly impacted thousands of organizations and their ability to provide sustained business functions. Unfortunately, in many organizations, existing security controls are too weak to prevent the onslaught of today’s malware.

To address this issue, organizations must adopt a unified approach to managing and limiting Internet-based risks. In doing so, an organization can help to ensure the security of its confidential business information and the availability of its information systems, and sustain ongoing business operations. By thoroughly understanding the traditional perimeter security weaknesses associated with malware, organizations will be able to make informed decisions that improve their overall security posture and prevent future malware attacks.
Introduction

Your network is under attack, and everything on it is at risk. The impact of just one successful malware attack may lead to the unauthorized access, disclosure and use of your information systems and the exploitation of private business information. By not properly securing the network, you and your organization may be violating regulations such as HIPAA, GLBA or SOX, or enabling criminal organizations to take advantage of your computing resources.

The information in this report is the culmination of efforts by Daniel I. Didier, Information Security consultant, and is designed to educate individuals and organizations alike on the risks associated with malware.

Malware has reached unprecedented heights, and there is no end in sight to its continued proliferation. Many IT professionals are aware of the risks associated with malware and the potential impact it poses. However, IT departments have limited budgets, time, and resources. As such, the criticality of these initiatives, their requirements, benefits, and the risks they address may not be sufficiently communicated throughout an organization, including to key decision makers and management.

This report analyzes traditional perimeter defenses and their weaknesses as they pertain to malware. Specific policy, configuration, and technical weaknesses are identified and explained. Potential attack scenarios and their potential impact on organizations are analyzed. Specific recommendations are provided to improve perimeter security and reduce the overall threat posed by malware.

Ultimately, the information in this report is designed to communicate effectively to management-level individuals the critical risks that malware presents and the actions that should be taken to mitigate them.
Malware: Attack and Prevention

Malware: Definition, Threat, and Motivation

Malware infections have reached an unprecedented high and pose a serious risk to the information assurance of all organizations, large and small. Malware knows no physical bounds and is designed to exploit any vulnerable system, organization, or individual. There is some confusion as to the definition of the term ‘malware’, as even security vendors lack consistency in the way they define it. This issue is further compounded by the use of terms with similar meaning such as spyware and adware. For the purposes of this paper, malware is defined in accordance with the definition provided by the Anti-Spyware Coalition, as follows:

Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:
- Material changes that affect their user experience, privacy, or system security;
- Use of their system resources, including what programs are installed on their computers; and/or
- Collection, use, and distribution of their personal or other sensitive information.

Malware includes any malicious application and may be described by various terms including Trojan, virus, worm, adware, spyware and backdoor. The delivery and infection methods employed by malware are limited only by the ability and imagination of the authoring criminal. Malware infection may occur while accessing web-based content such as web sites and email, or while using applications such as instant messaging, file-sharing utilities, digital media players, and other applications. In some cases, malware is the result of a focused attack that may result from hacking or social engineering efforts.

The number of malicious applications detected in the wild grew significantly between 2004 and 2007. AV-Test, a well-known security testing organization, recently published a report that identified a rise in the number of unique malicious applications from 972,606 in 2006 to 5.49 million in 2007. The graph in Figure 1 shows the unique samples of malicious programs detected by AV-Test from 1990 to 2007.

Figure 1 – Unique Samples of Malicious Programs
The sharp increase in the number of malicious applications and their effectiveness is due in large part to the involvement of organized crime and strong financial motivation. As of 2005, it was estimated that more than seventy percent of virus writers had shifted their efforts to financially motivated spyware development. Financially focused spyware is favored among malware developers since it lets them package their own technology and either sell it or use it in their own criminal ventures.

An individual may fall prey to malware even while browsing supposedly friendly sites. In 2006, hackers created an article on the German edition of Wikipedia, de.wikipedia.org, claiming to include a link to a patch that protected against a new Blaster worm. However, the link to the supposed patch actually led to malware designed to infect unsuspecting users’ PCs. In April 2007, Google, the Internet’s largest marketing network, fell victim to criminals who hijacked components of its paid advertisements. The compromised ads were designed to steal banking and other personal information from users who were searching for the Better Business Bureau and similar sites.

The impact of malware can be difficult to quantify on a personal, organizational, and national level and often creates more questions than answers. A recently uncovered hacker server helps to answer some of these questions by providing an inside look at the types of information gathered by cybercriminals and how they operate. The server contained over 1.4 gigabytes of both email and web-based data. More than 40 major financial institutions had compromised customer data on the server. The information also “contained a mountain of healthcare information, including personal data, health data, treatment, medications, insurance details, Social Security Numbers, and healthcare provider’s data, including physician’s name.” Shortly after the discovery of the first server, three more servers were discovered. Perhaps the most worrisome finding was that the person running these systems seemed to have very little knowledge of computer security and was using pre-packaged tools to gather this information.

According to a report submitted to Congress in May 2007, the estimated annual loss due to computer crime was $67.2 billion for U.S. organizations. As professional criminal hackers continue to produce increasingly sophisticated malware, motivated and funded by financial gain, the threat, impact, success and frequency of these attacks are also likely to increase.
Malware Infections and their Impact

Once a malware infection has been detected, additional impact is incurred by an organization, its employees, and its clients during the recovery process. In some cases, the infected system can be cleaned by a technical resource from the IT department. In other cases, however, the system must be completely rebuilt with a fresh installation of the operating system and necessary applications. In either case, the recovery process causes lost productivity for both the end user and the responding IT resource. Additional trickle-down effects are experienced by the staff and clients that depend on the services provided by these systems. Ultimately, the infection and the necessary remediation processes impair an organization’s ability to provide timely services.

It is very likely that a considerable number of malware infections are not identified by organizations, or that they run undetected for a long period of time. Anti-virus software is not capable of detecting all infections; in fact, a recent test published by av-comparatives.org shows that anti-virus is extremely ineffective at detecting and preventing malware infections. The report showed that for threats known to be in the wild for one month or less, anti-virus software yielded an average detection rate between 30 and 50%. The best detection rate was 81%, with the worst at only 3%.

While the operation of a Trojan key logger has been discussed in some detail, it is important to understand that malware comes in many other forms. One such form, the bot network, has gained much attention recently and has been recognized as a substantial threat. A bot can be described as a combination of a worm and a Trojan that scans the network for vulnerable hosts, infects them, and then reports back to a central command system. As more hosts become infected, this network of compromised hosts is referred to as a botnet. The distributed power of the botnet is then used by the controlling individual or organization for criminal activities such as spamming, Denial of Service (DoS) attacks, and other illegal activities.

Gartner predicted that by the end of 2007, “75% of enterprises will be infected with financially motivated, targeted malware”. The effectiveness and negative impact potential will continue to increase as long as the motivation of criminal organizations to produce ever stealthier and more damaging malware continues to provide financial reward.

The aforementioned infections and potential impacts are only a brief exploration of the effects of malware on an organization. As these topics were discussed, it became clear that many potential methods of attack and exploitation could not be quantified. However, based on the findings and knowledge of successful malware infections, it was realized that information systems are vulnerable and that traditional defenses are not adequate to protect against future attacks.
Traditional Perimeter Defenses

The typical defenses of an organization are commonly composed of several different components such as a firewall, spam filter, or proxy. These systems, working together, help to protect an organization from Internet-based threats, including malware. Each system addresses a specific type of threat. The diagram below in Figure 1 is a logical representation of an organization's existing perimeter defenses and Internet resources, assuming the aforementioned common components. The firewall, proxy, and spam filter are discussed in more detail below so that weaknesses in the perimeter defenses can be adequately quantified.

Firewall

Though a multitude of firewall products are available, most function in a similar manner: they are responsible for either permitting or denying traffic to and from the Internet. Two specific rule sets, otherwise known as filters, enforce these permissions: ingress and egress. Briefly, there are 65,535 individual ports that can be used to communicate over the Internet. These ports are used to access and establish communication with services on remote systems. Ports 0 through 1023 are classified as well-known ports and have statically defined services associated with them. For example, port 80 is reserved for “World Wide Web HTTP”, commonly used to access web sites, and port 443 is reserved for “HTTP protocol over TLS/SSL”, commonly used to access secure web sites. Ports 1024 through 49151 are registered ports, and ports 49152 through 65535 are dynamic and/or private ports. The assignment and management of all port numbers is handled by the Internet Assigned Numbers Authority (IANA).

The ingress filter is configured on the external firewall interface and is applied to traffic as it enters the firewall from the Internet. Depending on the destination and source address and port, this traffic is either permitted or denied based on the defined policy. Traditionally, only a very few discrete connections are permitted into the network, such as email traffic and web server responses. Most organizations have a very strong ingress filter permitting only specifically required and approved network services and hosts. A graphical representation of the ingress firewall filter is depicted in Figure 2, Firewall ingress filter.

The egress filter is configured on the internal firewall interface and is applied as traffic leaves the internal network destined for the Internet. Traditionally, the egress filter is more lax in its configuration than the ingress filter, because organizations typically view internal resources as trusted and therefore do not configure a restrictive egress filter. A graphical representation of the egress filter is depicted in Figure 3, Firewall egress filter.

As malware threatens to infect systems and transmit confidential information to unauthorized locations, it has become imperative to limit these abilities through strong controls, including a discretely restrictive egress filter and the definition of a strong governing policy. If a strong egress filter is not implemented, malware will be able to create outbound connections from an infected host and may then transmit confidential information to unauthorized locations. To better understand the infection process, an example of a Trojan infection is provided below with a supporting illustration in Figure 4, Trojan infection diagram – weak egress filter / proxy.

Trojan Infection – weak egress filter / proxy, step 1: An employee may access an external website that has been infected by malware, as represented by the initial web request identified by the green line. The destination website may be a relevant business resource that has fallen victim to criminal hackers.

Trojan Infection – weak egress filter / proxy, step 2: When the employee clicks on a link within the compromised website, it may execute a script that silently downloads and installs a Trojan, as represented by the orange line.

Trojan Infection – weak egress filter / proxy, step 3: Once installed, the Trojan attempts to make an outbound connection, as represented by the red lines, to notify the attacker of its success and enable remote command execution. If successful, a hacker may use this connection to access confidential information, compromise internal hosts, or perform other malicious activities.

Strong perimeter security depends partially on enabling policy through device configuration and the use of cooperative layers of security. For instance, a strong egress filter cannot be enabled unless access to Internet resources is provided through a centralized proxy solution, as hosts would otherwise be required to make direct outbound connections through the firewall.
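The following Python model is an added example written for this report, not a configuration for any particular firewall product. It encodes the egress rule set the preceding paragraphs argue for: only the proxy, the mail relay and the DNS resolver may initiate outbound connections, everything else is denied and written to a log line, and it replays the three outbound attempts from the Trojan infection example. The addresses, host roles and port numbers are constructed assumptions.

```python
"""Added example for this report (not a product configuration): a model of
the strong egress filter described above. Only the proxy, the mail relay
and the DNS resolver may initiate outbound connections; every other
attempt is denied and written to a log line for the correlation system.
All addresses, host roles and ports are constructed assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed internal network and the three permitted gateway hosts.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY = ipaddress.ip_address("10.0.1.10")
MAIL_RELAY = ipaddress.ip_address("10.0.1.20")
DNS_RESOLVER = ipaddress.ip_address("10.0.1.53")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[ipaddress.IPv4Address]   # None matches any internal host
    proto: str                             # "tcp", "udp" or "any"
    dports: frozenset                      # empty set matches any port
    action: str                            # "allow" or "deny"


# Rule set in evaluation order (first match wins, as in most firewalls).
# The last rule is the explicit default deny that makes the filter "strong".
EGRESS_RULES = [
    Rule("proxy-web", PROXY, "tcp", frozenset({80, 443}), "allow"),
    Rule("mail-out", MAIL_RELAY, "tcp", frozenset({25}), "allow"),
    Rule("dns-out", DNS_RESOLVER, "udp", frozenset({53}), "allow"),
    Rule("default-deny", None, "any", frozenset(), "deny"),
]


def evaluate(flow: Flow, rules=EGRESS_RULES):
    """Return (action, rule_name) for one outbound flow."""
    src = ipaddress.ip_address(flow.src)
    # Egress rules apply to internal sources only; anything else never
    # gets a chance to match a gateway rule (guards against spoofing).
    if src not in INTERNAL_NET:
        return ("deny", "not-internal")
    for rule in rules:
        if rule.src is not None and src != rule.src:
            continue
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        return (rule.action, rule.name)
    return ("deny", "implicit-deny")


def log_line(flow: Flow, action: str, rule: str) -> str:
    """Format one decision the way a firewall hands it to a log collector."""
    return (f"egress action={action} rule={rule} src={flow.src} "
            f"dst={flow.dst} proto={flow.proto} dport={flow.dport}")


def scenario():
    """Replay the outbound attempts from the Trojan infection example:
    a direct callback from the infected workstation, a direct web request
    that bypasses the proxy, and the proxy's own request on its behalf."""
    flows = [
        Flow("10.0.5.77", "203.0.113.9", "tcp", 4444),   # Trojan callback
        Flow("10.0.5.77", "198.51.100.4", "tcp", 80),    # bypassing the proxy
        Flow("10.0.1.10", "198.51.100.4", "tcp", 443),   # via the proxy
    ]
    results = []
    for flow in flows:
        action, rule = evaluate(flow)
        print(log_line(flow, action, rule))
        results.append((action, rule))
    return results


if __name__ == "__main__":
    scenario()
```

Two design points carry over to a real firewall: the default deny is an explicit last rule, so a missing allow fails closed rather than open, and every deny is logged with source, destination and port, which is what the log correlation recommendation later in this report depends on.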
Proxy

A proxy acts as an internal termination point for Internet communications. In doing so, internal hosts do not need to make direct connections through the firewall to obtain access to Internet resources. Instead, the proxy receives a user request, accesses the desired Internet resource, and then relays that information back to the internal host.

If deployed enterprise-wide, a proxy solution provides a central point to manage and inspect web content. In addition, it enables a critical layer of security in the form of a strong firewall egress filter. Unfortunately, many existing solutions lack the advanced features necessary to effectively manage web content and protect against malicious software.

Because of this, systems must access some web content directly, which requires exceptions to be configured in the firewall egress filter. In addition, traditional URL filtering only blocks access to web sites that have been manually defined or are part of a pre-defined list. Furthermore, even if all web content were delivered through a proxy and a strong egress filter were configured to block all direct outbound Internet access, organizations would still be susceptible to the majority of malware attacks, as traditional proxy solutions lack the advanced security features necessary to protect against today’s web-based threats. To better understand the drawbacks of traditional proxies, an example of a Trojan infection through a proxy is illustrated below in Figure 5, Trojan infection diagram – proxy weakness.

Trojan Infection – proxy weakness, step 1: An employee may access an external website, as represented by the initial web request identified by the green line. This web site may very well be a relevant business resource, but has fallen victim to criminal hackers wishing to distribute malware.

Trojan Infection – proxy weakness, step 2: When the employee clicks on a link within the website, it may execute a script that silently downloads and installs a Trojan, as represented by the orange line. Because the proxy offers no advanced features such as content inspection or anti-virus scanning, the compromised site and the malicious payload it contains are effectively delivered to the user workstation.

Trojan Infection – proxy weakness, step 3: Once installed, the Trojan attempts to make an outbound connection, but is blocked by the strong firewall egress filter. However, another outbound connection attempt over a standard web port is made via the proxy and successfully connects to the hacker’s system. The hacker may use this connection to access confidential information, compromise internal hosts, or perform other malicious activities.

While the implementation of a strong egress filter is a necessary layer of security and may help stop and alert on malicious activity, it is also necessary for a proxy solution to perform the following functions: deep packet inspection, URL categorization, SSL termination, instant messaging support, streaming media controls, inline virus scanning, P2P file sharing controls, real-time site categorization, and the ability to support and inspect other common web protocols. In addition, these functions must be exposed through an intuitive and easy-to-manage interface. The ability to report on various metrics, including usage statistics, blocked content, and efficiency, is necessary so that the requirements specified in an organization’s security policy can be monitored and enforced. To demonstrate the effectiveness of strong perimeter security, including the use of a strong egress filter and an adequate proxy solution, and to communicate their benefits more effectively, an attempted Trojan infection is illustrated in Figure 6, Attempted Trojan infection – strong egress / proxy.

Attempted Trojan infection – strong egress / proxy, step 1: An employee may access an external website, as represented by the initial web request identified by the green line. This web site may very well be a relevant business resource, but has fallen victim to criminal hackers wishing to distribute malware.

Attempted Trojan infection – strong egress / proxy, step 2: Since the website is categorized as a valid business resource and the proxy permits access to the site, the initial page will be displayed. When the user clicks on the link that attempts to execute and install the Trojan, the proxy identifies an invalid file extension, the anti-virus engine detects malicious code, and the connection is blocked.

If a malicious application infects the network by some other means, such as email, and then tries to establish a connection out of the network either through the firewall or the proxy, it will be blocked. The strong perimeter security enabled through an effective proxy solution and strong egress filter protects not only against external web threats, but also against already-infected internal systems. In addition, if proper logging, monitoring, and notification facilities are configured on the firewall and proxy, an organization will be notified of blocked malware traffic and can identify existing internal infections. This ability does not currently exist and can only be gained by strengthening perimeter security as demonstrated in this report.
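As an added example (illustration code written for this report, not the implementation of any proxy product), the following Python code walks through the order of checks a content-control proxy applies in the Figure 6 scenario: URL categorization on the request, a file-extension policy on the request path, and an inline signature scan of the response body. The category table, the extension list, the single signature and the choice to block uncategorized destinations are constructed assumptions.

```python
"""Added example for this report (not any proxy product's implementation):
the three checks a content-control proxy applies in order before a
response reaches the workstation: URL categorization, a file-extension
policy, and an inline scan of the response body. The category table,
extension list and the single signature are constructed assumptions; the
policy choice to block uncategorized destinations is also an assumption."""
from posixpath import splitext
from urllib.parse import urlsplit

# Constructed URL category database (host -> category). The supplier site
# is a legitimate business resource that has been compromised.
CATEGORIES = {
    "intranet.example.org": "business",
    "supplier.example.com": "business",
    "malware-drop.example.net": "malicious",
}
DENIED_CATEGORIES = {"malicious", "uncategorized"}

# File types the policy never lets through the proxy, whatever the site.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".vbs"}

# Constructed signature table for the inline scanner; a real engine holds
# millions of patterns, this one holds a single placeholder marker.
SIGNATURES = {
    "Example.Trojan.Constructed": b"CONSTRUCTED-TROJAN-MARKER-FOR-THIS-EXAMPLE",
}


def categorize(url: str) -> str:
    """Look the destination host up; unknown hosts are 'uncategorized'."""
    host = (urlsplit(url).hostname or "").lower()
    return CATEGORIES.get(host, "uncategorized")


def extension_of(url: str) -> str:
    """Lower-cased extension of the URL path, or '' when it has none."""
    return splitext(urlsplit(url).path)[1].lower()


def scan(body: bytes):
    """Return the name of the first signature found in the body, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in body:
            return name
    return None


def decide(url: str, body: bytes):
    """Apply the checks in order and return (verdict, reason).

    Category and extension are decided from the request alone, so a
    denied request never reaches the Internet; only the scan needs the body."""
    category = categorize(url)
    if category in DENIED_CATEGORIES:
        return ("block", f"category:{category}")
    ext = extension_of(url)
    if ext in BLOCKED_EXTENSIONS:
        return ("block", f"extension:{ext}")
    hit = scan(body)
    if hit is not None:
        return ("block", f"signature:{hit}")
    return ("allow", f"category:{category}")


def scenario():
    """Replay Figure 6: the business page loads, the executable it links
    to is stopped by the extension policy, and a payload renamed to look
    like a document is caught by the scanner. A malicious-category host
    and an unknown raw-IP host are refused without fetching anything."""
    page = b"<html>Welcome, valued customer</html>"
    payload = b"MZ..." + SIGNATURES["Example.Trojan.Constructed"]
    return [
        decide("http://supplier.example.com/index.html", page),
        decide("http://supplier.example.com/update.exe", payload),
        decide("http://supplier.example.com/invoice.pdf", payload),
        decide("http://malware-drop.example.net/a.jpg", page),
        decide("http://203.0.113.9/x", page),
    ]


if __name__ == "__main__":
    for verdict in scenario():
        print(verdict)
```

The order matters: the first two checks are decided from the request alone, so a blocked destination or file type never generates an outbound fetch, and the scan is the only check that needs the body. The third request shows why the scanner is still needed after the extension check: a payload named like a document passes the extension policy and is caught only by inspection.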
Spam firewall

A spam firewall is an appliance solely responsible for filtering email that contains malicious content, including viruses and spam. All inbound and outbound email is sent through the spam firewall.

Email is capable of transmitting malicious code such as viruses, worms and Trojans through attachments, or by tricking recipients into accessing malicious web sites. For these reasons, a system may become infected with malware through email, thereby compromising the information security of an organization.

If a malicious email dupes a user into accessing a malicious web site, it is likely that their system will be attacked and infected with malware. It is also likely that this infection will go unrecognized and will continue to function unrestricted due to lax perimeter security. If an organization had a strong perimeter defense, such as the one outlined in Figure 6, containment and notification of the infection would be highly likely. To clearly demonstrate this, an attempted Trojan infection via email with strong perimeter defenses is illustrated in Figure 7, Attempted Trojan infection – email.

Attempted Trojan infection – email, step 1: A hacker sends spam to various organizations with malicious emails containing a URL that links to a site designed to install a Trojan. The initial sending of the email is represented by the orange line. The message is allowed to pass through the perimeter firewall per the security policy and arrives at the spam filter. The spam filter fails to identify the email as spam and forwards it to the corporate email server. The email is then delivered to the inbox of the recipient.

Attempted Trojan infection – email, step 2: Upon delivery, the recipient opens the message and clicks on the enclosed URL. At this point, the system will attempt to access this URL either via the proxy or directly, depending upon its configuration. Both of these scenarios are represented by the red line. Any traffic destined directly for the firewall is dropped by the restrictive egress filter. If the URL request goes to the proxy, either the destination address is identified as a malicious site and the request is blocked, or, if the initial URL request is allowed, the anti-virus engine identifies the malicious payload upon inspection and blocks its delivery.

If a layered perimeter security solution is not in place in this type of attack scenario, it is likely that the infection will succeed and remain undetected. However, with comprehensive perimeter defenses, including a strong egress filter and adequate proxy controls, the success of email-based malware attacks can be greatly limited.
Recommendations

The information in this report clearly identifies malware as a serious, ongoing risk that, if left unaddressed, will continue to threaten an organization's ability to function efficiently. To effectively limit the risks associated with malware and its potential impact, an organization must perform the following actions:

- Develop a perimeter security policy

The goal of a perimeter security policy is to define the procedures, guidelines, and practices for implementing and managing security in the environment. Through the creation and enforcement of this policy, an organization can minimize its risk and prove due diligence for compliance requirements and the confidentiality of private information. The policy should also define high-level product deployment standards to ensure the integration and scalability of the perimeter security solution and supporting technologies.

- Implement a comprehensive web content control system

A comprehensive web content control system will enable an organization to utilize a centralized proxy solution for all web-based communication. To be effective, the solution must provide the features necessary to protect against the attack and exploitation methods used by malware today and support the wide array of technologies used in web-based communications. In addition, the solution must support the technical requirements defined in the perimeter security policy, including the ability to monitor and audit performance metrics for compliance.

- Implement a strong firewall egress filter

Once a centralized proxy solution has been deployed, an organization can take advantage of it and implement a strong firewall egress filter. In doing so, an additional layer of security is employed, resulting in greater protection against malware attacks. Furthermore, the implementation of an egress filter will provide an organization with the ability to monitor firewall policy violations and proactively alert on potentially malicious network activity.

- Leverage existing log correlation tools to provide monitoring and alerting

Existing log correlation tools can be put to greater use once the deployment of a centralized proxy solution and strong egress filter has been completed. The firewall should be configured to log violations of the newly implemented egress filter and forward this information to the log correlation system. The ability to proactively monitor egress filter violations enables an organization to identify and respond to unauthorized outbound connection attempts. In addition, the ability to monitor egress filter violations enables the enforcement of the guidelines and practices defined in the perimeter security policy.

- Identify a technology roadmap to ensure ongoing protection against malware

The identification of a technology roadmap will help ensure compatibility of technical solutions as upgrades and changes are applied to the perimeter security. The technology roadmap should identify the individual requirements and interdependencies of the key technical solutions that are necessary to enable the security requirements defined in the perimeter security policy. For example, the integration of the perimeter firewall's logging capabilities with the existing log correlation solution must continue to function as technology changes and upgrades occur.
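The detection logic below is an added example written for this report, not the output or API of any log correlation product. It parses constructed firewall egress-filter log lines (the format, host names, addresses and threshold are all assumptions) and raises an alert for any internal host that accumulates several denied outbound attempts within a short window, which is the pattern an installed Trojan retrying its callback produces once the strong egress filter is in place.

```python
"""Added example for this report (not the output or API of any log
correlation product): turning the firewall's egress-filter denials into an
alert about a host that keeps trying to call out. The log format, host
names, addresses and the alert threshold are constructed assumptions; the
regular expression is the part to adapt to a real firewall's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Workstation 10.0.5.77 retries a blocked
# connection every 30 seconds (an installed Trojan beaconing out);
# 10.0.7.12 produces a single stray deny; the proxy's traffic is allowed.
SAMPLE_LOG = """\
2008-05-12T10:15:01 fw1 egress DENY src=10.0.5.77 dst=203.0.113.9 proto=tcp dport=4444
2008-05-12T10:15:31 fw1 egress DENY src=10.0.5.77 dst=203.0.113.9 proto=tcp dport=4444
2008-05-12T10:16:01 fw1 egress DENY src=10.0.5.77 dst=203.0.113.9 proto=tcp dport=4444
2008-05-12T10:16:02 fw1 egress ALLOW src=10.0.1.10 dst=198.51.100.4 proto=tcp dport=443
2008-05-12T10:16:31 fw1 egress DENY src=10.0.5.77 dst=203.0.113.10 proto=tcp dport=4444
2008-05-12T10:40:00 fw1 egress DENY src=10.0.7.12 dst=198.51.100.4 proto=tcp dport=80
2008-05-12T11:30:00 fw1 egress DENY src=10.0.5.77 dst=203.0.113.9 proto=tcp dport=4444
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) egress (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse(text: str):
    """Parse well-formed lines into dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Raise one alert per source host that accumulates `threshold` or
    more egress denials inside any sliding `window` of time."""
    denies = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "DENY":
            denies[ev["src"]].append(ev)
    alerts = []
    for src, evs in denies.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits = evs[start:end + 1]
                alerts.append({
                    "src": src,
                    "count": len(hits),
                    "first": hits[0]["ts"],
                    "last": hits[-1]["ts"],
                    "destinations": sorted({f"{e['dst']}:{e['dport']}" for e in hits}),
                })
                break  # one alert per source is enough to open a ticket
    return alerts


def format_alert(alert) -> str:
    """Human-readable line for the notification channel."""
    return (f"ALERT egress-violations src={alert['src']} count={alert['count']} "
            f"window={alert['first'].isoformat()}..{alert['last'].isoformat()} "
            f"dst={','.join(alert['destinations'])}")


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(format_alert(alert))
```

The malformed last line is skipped rather than aborting the run, and the sliding window means a host denied once a day never alerts while a host retrying every thirty seconds does. Both the threshold and the window should be tuned from the baseline of egress violations the firewall produces in the first weeks after the filter is enabled, since misconfigured but legitimate software will show up there as well.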
Conclusion

Any organization is at great risk from the threats presented by malware. The findings of industry experts and the identification of recently infected systems demonstrate an alarming increase in the complexity, frequency, and number of successful malware attacks. This upward trend is expected to continue for the foreseeable future. The risk of malware places the security of information systems in great jeopardy, and the potential to disrupt an organization's ability to operate efficiently, or even at all, also exists. Organizational management must clearly understand and sufficiently respond to these risks by providing the funding and support necessary to mitigate weaknesses identified in the existing perimeter security defenses, implement a comprehensive perimeter security policy, and define a supporting technology roadmap. In doing so, an organization will provide a heightened level of protection for the confidentiality, integrity, and availability of its data, enable sustained business functions through the reduction of productivity-hindering malware infections, and ensure ongoing compliance with industry regulations.
Works Cited

Anti-Spyware Coalition, “Anti-Spyware Coalition Definitions Document, working report,” (November 2007), http://antispywarecoalition.org/documents/2007definitions.htm
Associated Press, “Data theft scam targets Google ads,” MSNBC (April 2007), http://www.msnbc.msn.com/id/18348120/
AV Comparatives, “Anti-Virus Comparative No.16, Proactive/retrospective test,” (November 2007), http://www.av-comparatives.org/seiten/ergebnisse/report16.pdf
Didier, Daniel, “A Penetrating Analysis,” (April 2008)
Didier, Daniel, “Quantifying the cost of computer security incidents,” (February 2008)
Dix, John, “Bots on Your Net? Look twice,” Network World (June 2007), http://www.networkworld.com/columnists/2007/060707edit.html
Health Insurance Reform: Security Standards; Final Rule (2003)
HIPAA Privacy, “HIPPA Guidance/Frequently Asked Questions,” http://hipaa.yale.edu/guidance/index.html (accessed May 2008)
Internet Assigned Numbers Authority, “Port Numbers,” http://www.iana.org/assignments/port-numbers
Keizer, Gregg, “Hackers Write Spyware For Cash, Not Fame,” Information Week (April 2005), http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=160403715
Khare, Sharon, “Wikipedia Hijacked to Spread Malware,” Tech2.com (November 2006), http://www.tech2.com/india/news/telecom/wikipedia-hijacked-to-spread-malware/2667/0
Landesman, Mary, “What is a Keylogger Trojan?,” About.com (May 2008), http://antivirus.about.com/od/whatisavirus/a/keylogger.htm
“Malicious programs hit new high,” BBC News (February 2008), http://news.bbc.co.uk/2/hi/technology/7232752.stm
Malware Help.org, “Methods of Infection,” http://www.malwarehelp.org/methods-of-infection.html (accessed May 2008)
Nance, Barry, “Still no ‘malware’ definition,” Network World (September 2006), http://www.networkworld.com/reviews/2006/091806-antispyware-test-definition.html
Slade, Robert, “Computer Viruses and Worms,” Handbook of Information Security, Vol III, Part 1 (2006): 94
Tommy, comment on “Cybercrime Poses Challenges for Government, Industry Says Report,” Linux Electrons, posted July 23, 2007, http://www.linuxelectrons.com/news/general/10857/cybercrime-poses-challenges-government-industry-says-report
Westervelt, Robert, “Hacker server contains thousands of sensitive business, healthcare files,” Information Security (May 2008), http://go.techtarget.com/r/3592030/6621098