9/30/13

7 sneak attacks used by today's most devious hackers

Published on InfoWorld (http://www.infoworld.com)

By Roger A. Grimes, created 2013-09-30 03:00 AM

Millions of pieces of malware and thousands of malicious hacker gangs roam today's online world preying on easy dupes. Reusing the same tactics that have worked for years, if not decades, they do nothing new or interesting in exploiting our laziness, lapses in judgment, or plain idiocy. But each year antimalware researchers come across a few techniques that raise eyebrows. Used by malware or hackers, these inspired techniques stretch the boundaries of malicious hacking. Think of them as innovations in deviance. Like anything innovative, many are marvels of simplicity.

Take the 1990s Microsoft Excel macro virus that silently, randomly replaced zeros with capital O's in spreadsheets, immediately transforming numbers into text labels with a value of zero; changes that went, for the most part, undetected until well after backup systems contained nothing but bad data.

Today's most ingenious malware and hackers are just as stealthy and conniving. Here are some of the latest techniques of note that have piqued my interest as a security researcher, and the lessons learned. Some stand on the shoulders of past malicious innovators, but all are very much in vogue today as ways to rip off even the savviest users.

Stealth attack No. 1: Fake wireless access points

No hack is easier to accomplish than a fake WAP (wireless access point). Anyone using a bit of software and a wireless network card can advertise their computer as an available WAP
that is then connected to the real, legitimate WAP in a public location.

Think of all the times you or your users have gone to the local coffee shop, airport, or public gathering place and connected to the "free wireless" network. Hackers at Starbucks who call their fake WAP "Starbucks Wireless Network," or at the Atlanta airport call it "Atlanta Airport Free Wireless," have all sorts of people connecting to their computer in minutes. The hackers can then sniff unprotected data from the data streams sent between the unwitting victims and their intended remote hosts. You'd be surprised how much data, even passwords, is still sent in clear text.

The more nefarious hackers will ask their victims to create a new access account to use their WAP. These users will more than likely use a common logon name or one of their email addresses, along with a password they use elsewhere. The WAP hacker can then try using the same logon credentials on popular websites (Facebook, Twitter, Amazon, iTunes, and so on), and the victims will never know how it happened.

Lesson: You can't trust public wireless access points. Always protect confidential information sent over a wireless network. Consider using a VPN connection, which protects all your communications, and don't recycle passwords between public and private sites. Keep in mind that a VPN protects you only once the tunnel is up: anything the client sends before that, or outside the tunnel on a split-tunnel configuration, is still visible to the rogue access point.

Stealth attack No. 2: Cookie theft

Browser cookies are a wonderful invention that preserves "state" when a user navigates a website. These little text files, sent to our machines by a website, help the website or service track us across our visit, or over multiple visits, enabling us to more easily purchase jeans, for example. What's not to like?

Answer: When a hacker steals our cookies and, by virtue of doing so, becomes us, an increasingly frequent occurrence these days. More precisely, the thief becomes authenticated to our websites as if they were us and had supplied a valid logon name and password: the session cookie is the credential, and whoever holds it holds the session.
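To make the "becomes us" point concrete, here is an added example (not code from the original article) that plays the attacker sitting on the fake WAP from Stealth attack No. 1: it takes a constructed cleartext HTTP request, exactly as a rogue access point or anyone on an open WLAN sees it, pulls out the session cookie, and builds the replay request that Firesheep-style tooling automates with a click. It then audits the server's Set-Cookie header for the attributes that would have kept the cookie off the wire in the first place. The host name, cookie names and values are invented for the example.

```python
"""Session-cookie theft on an untrusted network: capture, replay, and the
server-side fix. Added example; all traffic below is constructed, not captured."""
from http.cookies import SimpleCookie

# A request as a rogue access point sees it when the site is served over
# plain HTTP. Constructed sample; shop.example.com is a placeholder host.
CAPTURED_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: shop.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: SESSIONID=7f9a2c0e4b1d; theme=dark\r\n"
    "\r\n"
)

# Names that commonly identify a session cookie; extend for your own apps.
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "asp.net_sessionid", "sid"}


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers dict)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def stolen_session_cookies(raw):
    """Return {name: value} for session-looking cookies sent in the clear."""
    _, _, headers = parse_request(raw)
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    return {k: v.value for k, v in jar.items() if k.lower() in SESSION_NAMES}


def replay_request(raw, path="/account"):
    """Build the request the attacker sends to 'become' the victim. No
    password is needed: the cookie is the credential."""
    _, _, headers = parse_request(raw)
    cookies = stolen_session_cookies(raw)
    cookie_hdr = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {headers['host']}\r\n"
            f"Cookie: {cookie_hdr}\r\n\r\n")


def audit_set_cookie(header_value):
    """Report the attributes a session cookie must carry to stay off an open
    network: Secure (sent over HTTPS only) and HttpOnly (no script access)."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        problems = []
        if not morsel["secure"]:
            problems.append("missing Secure: sent over plain HTTP too")
        if not morsel["httponly"]:
            problems.append("missing HttpOnly: readable by injected script")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    print("captured:", stolen_session_cookies(CAPTURED_REQUEST))
    print(replay_request(CAPTURED_REQUEST))
    weak = "SESSIONID=7f9a2c0e4b1d; Path=/"
    fixed = "SESSIONID=7f9a2c0e4b1d; Path=/; Secure; HttpOnly"
    print("weak  :", audit_set_cookie(weak))
    print("fixed :", audit_set_cookie(fixed))
```

The Secure flag is the one that matters against a hostile network: a cookie without it is sent on every plain-HTTP request to the host, including an image or redirect the attacker can provoke, even if the login itself happened over HTTPS.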
Sure, cookie theft has been around since the invention of the Web, but these days tools make the process as easy as click, click, click. Firesheep, for example, is a Firefox browser add-on that allows people to steal unprotected cookies from others. When used with a fake WAP or on a shared public network, cookie hijacking can be quite successful. Firesheep will show all the names and locations of the cookies it is finding, and with a simple click of the mouse, the hacker can take over the session (see the Codebutler blog for an example of how easy it is to use Firesheep).

Worse, hackers can now steal even SSL/TLS-protected cookies. In September 2011, an attack labeled "BEAST" by its creators proved that even SSL/TLS-protected cookies can be obtained. Further refinements, CRIME in 2012 and the well-named BREACH in 2013, which recover a cookie by watching how compression changes the size of encrypted traffic, have made stealing and reusing encrypted cookies even easier. None of these is passive sniffing "out of thin air": the attacker also needs to get chosen requests into the victim's browser, typically by injecting script, but on a hostile network that is easy to arrange.

With each released cookie attack, websites and application developers are told how to protect their users. Sometimes the answer is to use the latest crypto cipher; other times it is to disable some obscure feature that most people don't use (CRIME, for instance, is defeated by turning off TLS compression). The key is that all Web developers must use secure development techniques to reduce cookie theft. If your website hasn't updated its
encryption protection in a few years, you're probably at risk.

Lessons: Even encrypted cookies can be stolen. Connect to websites that utilize secure development techniques and the latest crypto. Your HTTPS websites should be using the latest crypto, including TLS Version 1.2, and session cookies should be marked Secure so they are never sent over plain HTTP in the first place.

Stealth attack No. 3: File name tricks

Hackers have been using file name tricks to get us to execute malicious code since the beginning of malware. Early examples included naming the file something that would encourage unsuspecting victims to click on it (like AnnaKournikovaNudePics) and using multiple file extensions (such as AnnaKournikovaNudePics.Zip.exe). To this day, Microsoft Windows and other operating systems readily hide "well-known" file extensions, which makes AnnaKournikovaNudePics.Gif.Exe look like AnnaKournikovaNudePics.Gif.

Years ago, malware programs known as "twins," "spawners," or "companion viruses" relied on a little-known feature of Microsoft DOS/Windows: if you typed a program name without an extension, say Start, the command interpreter would look for and, if found, execute Start.com before Start.exe. Companion viruses would look for all the .exe files on your hard drive and create a virus with the same name as the EXE but with the file extension .com. Antivirus products learned to spot the pairs long ago (note that cmd.exe's default PATHEXT order still tries .COM before .EXE for names typed without an extension), but the trick's discovery and exploitation by early hackers laid the groundwork for inventive ways to hide viruses that continue to evolve today.

Among the more sophisticated file-renaming tricks currently employed is the use of Unicode characters that affect how the file name is displayed to users. For example, the Unicode character U+202E, called the Right-to-Left Override, makes everything after it render right to left, so a file actually named AnnaKournikovaNude<U+202E>iva.exe is displayed as AnnaKournikovaNudeexe.avi. The user sees a name ending in ".avi"; the operating system sees ".exe" and runs it.

Lesson: Whenever possible, make sure you know the real, complete name of any file before executing it.
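The following is an added example, not code from the original article, showing how to see through the three file name tricks described in Stealth attack No. 3: the hidden "well-known" extension, the double extension, and the Right-to-Left Override. It models what a naive UI displays for a name containing U+202E, recovers the extension the operating system actually acts on, and flags the name. The file names are constructed; the list of executable extensions is an assumption you would tune to your environment.

```python
"""Seeing through file name tricks: hidden extensions, double extensions and
the Unicode Right-to-Left Override. Added example; names are constructed."""
import unicodedata

# Bidirectional control characters; none belong in a legitimate file name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}

# Extensions Windows will execute; assumed list, extend for your estate.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs",
                   ".js", ".jse", ".wsf", ".msi", ".hta", ".ps1", ".lnk"}

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE


def displayed_name(name):
    """Approximate what a naive UI shows: text after an RLO is drawn right to
    left, i.e. reversed, until a Pop Directional Formatting (U+202C)."""
    if RLO not in name:
        return name
    before, _, after = name.partition(RLO)
    end = after.find("\u202c")
    if end == -1:
        return before + after[::-1]
    return before + after[:end][::-1] + after[end + 1:]


def real_extension(name):
    """Extension the OS uses: strip bidi controls, then take from the last dot."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""


def hidden_extension_view(name):
    """What Explorer shows with 'Hide extensions for known file types' on."""
    dot = name.rfind(".")
    return name if dot == -1 else name[:dot]


def analyze(name):
    """Return a list of reasons the name is suspicious (empty if none)."""
    reasons = []
    if any(c in BIDI_CONTROLS for c in name):
        reasons.append("contains bidirectional override characters")
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    parts = clean.lower().split(".")
    if len(parts) > 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        reasons.append("double extension ending in executable type")
    if real_extension(name) in EXECUTABLE_EXTS and displayed_name(name) != name:
        reasons.append("displayed name differs from real name")
    # Look-alike letters (e.g. Cyrillic in '.exе') pass the checks above;
    # non-ASCII letters in an executable's name are worth a second look.
    if real_extension(name) in EXECUTABLE_EXTS and any(
            ord(c) > 127 and unicodedata.category(c).startswith("L") for c in clean):
        reasons.append("non-ASCII letters in an executable's name")
    return reasons


if __name__ == "__main__":
    for n in ["AnnaKournikovaNudePics.Gif.Exe",
              "AnnaKournikovaNude" + RLO + "iva.exe",
              "quarterly_report.pdf"]:
        print(repr(n), "->", displayed_name(n), "| ext:", real_extension(n),
              "| explorer shows:", hidden_extension_view(n), "|", analyze(n))
```

The displayed-name model is deliberately simple (the full Unicode bidirectional algorithm has more cases), but it is exactly the view that fools a user: everything after the override reads backwards, so "iva.exe" becomes "exe.avi" while the loader still sees ".exe".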
Stealth attack No. 4: Location, location, location

Another interesting stealth trick that uses an operating system against itself is a file-location trick known as "relative versus absolute." In legacy versions of Windows (Windows XP, 2003, and earlier) and other early operating systems, if you typed in a file name and hit Enter, or if the operating system went looking for a file on your behalf, it would always start with your current folder or directory location first, before looking elsewhere. This behavior might seem efficient and harmless enough, but hackers and malware used it to their advantage.

For example, suppose you wanted to run the built-in, harmless Windows calculator (calc.exe). It's easy enough (and often faster than using several mouse clicks) to open up a command prompt, type in calc.exe, and hit Enter. But malware could create a malicious file called calc.exe and hide it in the current directory or your home folder; when you tried to execute calc.exe, it would run the bogus copy instead.

I loved this fault as a penetration tester. Oftentimes, after I had broken into a computer and needed to elevate my privileges to Administrator, I would take an unpatched version of a
known, previously vulnerable piece of software and place it in a temporary folder. Most of the time all I had to do was place a single vulnerable executable or DLL, while leaving the entire, previously installed, patched program alone. I would type in the program executable's file name in my temporary folder, and Windows would load my vulnerable, Trojan executable from my temporary folder instead of the more recently patched version. I loved it: I could exploit a fully patched system with a single bad file.

Linux, Unix, and BSD systems have had this problem fixed for more than a decade: their shells do not search the current directory for a bare command name unless "." is explicitly placed in PATH, and their loaders do not look for shared libraries in the working directory. Microsoft fixed the problem in 2006 with the releases of Windows Vista/2008, although the problem remains in legacy versions because of backward-compatibility issues. Two caveats worth knowing: the fix concerns the DLL loader (with SafeDllSearchMode, on by default since Windows XP SP2, the current directory is searched after the system directories rather than before), while cmd.exe still runs an executable from the current directory before it consults PATH, so the calc.exe trick above still works on every version of Windows for anyone who types a bare name. Microsoft has also been warning and teaching developers to use absolute (rather than relative) file/path names within their own programs for many years. Still, tens of thousands of legacy programs are vulnerable to location tricks. Hackers know this better than anyone.

Lesson: Use operating systems that enforce absolute directory and folder paths, and look for files in default system areas first.

Stealth attack No. 5: Hosts file redirect

Unbeknownst to most of today's computer users is the existence of a DNS-related file named Hosts. Located under C:\Windows\System32\Drivers\Etc in Windows (and at /etc/hosts on Unix-like systems), the Hosts file can contain entries that link typed-in domain names to their corresponding IP addresses. The Hosts file predates DNS: it was the original way for hosts to resolve names to IP addresses locally, and resolvers still consult it before contacting DNS servers and performing recursive name resolution. For the most part, DNS functions just fine, and most people never interact with their Hosts file, though it's there.

Hackers and malware love to write their own malicious entries to Hosts, so that when someone types in a popular domain name, say bing.com, they are redirected somewhere else more malicious. The malicious redirection often contains a near-perfect copy of the original desired website, so that the affected user is unaware of the switch. Malware also uses the file in the other direction, pointing antivirus and update servers at 127.0.0.1 so the victim's defenses quietly stop updating. This exploit is still in wide use today.

Lesson: If you can't figure out why you're being maliciously redirected, check out your Hosts file.
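The search-order problem in Stealth attack No. 4 is easiest to see by simulating both orders against the same two files. The following is an added example, not code from the original article: it lays out a fake system directory holding the real calc.exe and a user-writable working directory holding a planted one, then resolves the bare name "calc.exe" the legacy way (current directory first), the safe way (system directory first), and by absolute path. The directory layout and file contents are constructed in a temporary folder so the example runs on any OS; no real executable is launched.

```python
"""Search-order hijacking, simulated: which calc.exe runs depends on where the
loader looks first. Added example; the directories are created in a temp
folder so it runs on any OS, and the file names are constructed."""
import os
import tempfile


def find_first(name, search_dirs):
    """Return the first path in search_dirs that contains name, mimicking a
    loader that takes the first hit and never looks further."""
    for d in search_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def resolve_for_exec(name, cwd, system_dir, legacy=True):
    """legacy=True: current directory before the system directory (the
    pre-Vista / cmd.exe behaviour). legacy=False: system directory first,
    the SafeDllSearchMode-style order. Absolute names bypass the search."""
    if os.path.isabs(name):
        return name if os.path.isfile(name) else None
    order = [cwd, system_dir] if legacy else [system_dir, cwd]
    return find_first(name, order)


def build_demo():
    """Lay out a fake system directory with the real calc.exe and a
    user-writable working directory with a planted one. Constructed."""
    root = tempfile.mkdtemp(prefix="searchorder_")
    system_dir = os.path.join(root, "Windows", "System32")
    work_dir = os.path.join(root, "Users", "victim", "Downloads")
    os.makedirs(system_dir)
    os.makedirs(work_dir)
    with open(os.path.join(system_dir, "calc.exe"), "w") as f:
        f.write("legitimate calculator")
    with open(os.path.join(work_dir, "calc.exe"), "w") as f:
        f.write("planted by attacker")
    return root, system_dir, work_dir


def which_copy_runs(name, cwd, system_dir, legacy):
    """Return the contents of the file that would execute, as a label, or
    None when nothing on the search path matches."""
    path = resolve_for_exec(name, cwd, system_dir, legacy)
    if path is None:
        return None
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    root, system_dir, work_dir = build_demo()
    print("legacy order :", which_copy_runs("calc.exe", work_dir, system_dir, True))
    print("safe order   :", which_copy_runs("calc.exe", work_dir, system_dir, False))
    print("absolute path:", which_copy_runs(os.path.join(system_dir, "calc.exe"),
                                            work_dir, system_dir, True))
```

The same resolver models the DLL case: substitute a library name for calc.exe and the "application directory" for the working directory, and the vulnerable copy dropped next to a program wins whenever that directory is searched before the system one. The absolute-path branch is the developer-side fix the text mentions.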
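For Stealth attack No. 5, the check a responder actually wants is a quick audit of the Hosts file. The following is an added example, not code from the original article: it parses Hosts-file syntax (comments, IPv4 and IPv6 entries, several names per line) and flags the two patterns described above, a well-known site pinned to a local address and an update or security host nulled out to 127.0.0.1. The file content is a constructed sample with placeholder addresses; the list of high-value names is an assumption to be tuned for your environment.

```python
"""Auditing a Hosts file for malicious redirects. Added example; the file
content is constructed, not taken from a real infection."""
import ipaddress
import re

# Constructed sample: the stock Windows header, a legitimate dev entry, two
# planted redirects, and antivirus update hosts nulled out.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.0.0.15       intranet.corp.example     # our own dev box
203.0.113.9     bing.com www.bing.com
203.0.113.9     www.paypal.com
127.0.0.1       update.antivirus.example liveupdate.antivirus.example
"""

# Names that should never be overridden locally; assumed list, extend it.
HIGH_VALUE = {"bing.com", "www.bing.com", "www.paypal.com", "www.google.com",
              "www.facebook.com", "login.live.com"}
PROTECTIVE_HINTS = ("update", "liveupdate", "antivirus", "windowsupdate")


def parse_hosts(text):
    """Yield (ip, [names], line_no); comments and blank lines are skipped."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield ip, [f.lower() for f in fields[1:]], n


def audit_hosts(text, allowlist=()):
    """Return a list of (line_no, name, ip, reason) for suspicious entries."""
    findings = []
    for ip, names, n in parse_hosts(text):
        for name in names:
            if name == "localhost" or name in allowlist:
                continue
            if name in HIGH_VALUE:
                findings.append((n, name, str(ip), "public site pinned to a local address"))
            elif ip.is_loopback or ip.is_unspecified:
                if any(h in name for h in PROTECTIVE_HINTS):
                    findings.append((n, name, str(ip), "update/security host nulled out"))
            elif not ip.is_private:
                findings.append((n, name, str(ip), "name pinned to an external IP"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, allowlist={"intranet.corp.example"}):
        print("line %d: %-32s -> %-12s %s" % f)
```

On a live system read the real file (C:\Windows\System32\drivers\etc\hosts or /etc/hosts) into `audit_hosts`; anything not on your own allowlist deserves an explanation, since a clean machine normally has nothing but the localhost lines.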
Stealth attack No. 6: Watering hole attacks

Watering hole attacks received their name from their ingenious methodology. In these attacks, hackers take advantage of the fact that their targeted victims often meet or work at a particular physical or virtual location. Then they "poison" that location to achieve malicious objectives.

For instance, most large companies have a local coffee shop, bar, or restaurant that is popular with company employees. Attackers will create fake WAPs in an attempt to get as many company credentials as possible. Or the attackers will maliciously modify a frequently visited website to do the same. Victims are often more relaxed and unsuspecting because the targeted location is a public or social portal.

Watering hole attacks became big news this year when several high-profile tech companies, including Apple, Facebook, and Microsoft, among others, were compromised because of popular application-development websites their developers visited. The websites had been poisoned with malicious JavaScript redirects that installed malware (sometimes via zero-day exploits) on the developers' computers. The compromised developer workstations were then used to access the internal networks of the victim companies.

Lesson: Make sure your employees realize that popular "watering holes" are common hacker targets.

Stealth attack No. 7: Bait and switch

One of the most interesting ongoing hacker techniques is called bait and switch. Victims are told they are downloading or running one thing, and temporarily they are, but it is then switched out with a malicious item. Examples abound.

It is common for malware spreaders to buy advertising space on popular websites. The websites, when confirming the order, are shown a non-malicious link or content. The website approves the advertisement and takes the money. The bad guy then switches the link or content with something more malicious. Often they will code the new malicious website to redirect viewers back to the original link or content if viewed by someone from an IP address belonging to the original approver. This complicates quick detection and takedown.

The most interesting bait-and-switch attacks I've seen as of late involve bad guys who create "free" content that can be downloaded and used by anyone. (Think administrative console or a visitor counter for the bottom of a Web page.) Often these free applets and elements contain a licensing clause that says, to the effect, "May be freely reused as long as original link remains." Unsuspecting users employ the content in good faith, leaving the original link untouched. Usually the original link will contain nothing but a graphics file emblem or something else trivial and small. Later, after the bogus element has been included in thousands of websites, the original malicious developer changes the harmless content for something more malicious (like a harmful JavaScript redirect).

Lesson: Beware of any link to any content not under your direct control because it can be switched out on a moment's notice without your consent.
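The practical defense against the bait-and-switch in Stealth attack No. 7 is to pin a hash of the content you reviewed rather than trust the URL. The following is an added example, not code from the original article: it computes the pin in the form browsers use for Subresource Integrity, emits the script tag that makes the browser enforce it, and shows a server-side variant for content you copy rather than hot-link. The "approved" and "switched" widget bodies and the host names are constructed for the example.

```python
"""Pinning third-party content so a bait-and-switch is caught, not served.
Added example; the script bodies and the host names are constructed."""
import base64
import hashlib

# What the reviewer approved, and what it later became. Constructed samples.
APPROVED_WIDGET = b"document.write('<img src=\"https://counter.example/badge.png\">');"
SWITCHED_WIDGET = (b"document.write('<img src=\"https://counter.example/badge.png\">');"
                   b"location.replace('https://malicious.example/landing');")


def integrity_value(body, algo="sha384"):
    """Return the pin for a resource body in the form browsers use for
    Subresource Integrity: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(body, pin):
    """True only if body hashes to the pinned value; a switched script fails
    and the page should refuse to run it instead of trusting the URL."""
    algo, _, expected = pin.partition("-")
    if algo not in {"sha256", "sha384", "sha512"} or not expected:
        return False
    return integrity_value(body, algo) == pin


def script_tag(src, body):
    """Emit the <script> tag with an integrity pin for a known-good body, so
    the browser enforces the same check on every load."""
    return (f'<script src="{src}" integrity="{integrity_value(body)}" '
            f'crossorigin="anonymous"></script>')


def fetch_and_check(fetch, src, pin):
    """Server-side variant for content you copy rather than hot-link: fetch()
    is any callable returning bytes; returns (ok, body)."""
    body = fetch(src)
    return verify_integrity(body, pin), body


if __name__ == "__main__":
    pin = integrity_value(APPROVED_WIDGET)
    print(script_tag("https://counter.example/widget.js", APPROVED_WIDGET))
    print("approved passes:", verify_integrity(APPROVED_WIDGET, pin))
    print("switched passes:", verify_integrity(SWITCHED_WIDGET, pin))
    # Simulated fetch returning the swapped content the attacker now serves.
    ok, _ = fetch_and_check(lambda url: SWITCHED_WIDGET,
                            "https://counter.example/widget.js", pin)
    print("fetch_and_check:", ok)
```

The pin turns the attacker's IP-based cloaking against them: the approver computes the hash from the benign copy they were shown, and every other visitor's browser then rejects the malicious copy because it no longer matches. The cost is that a legitimate update to the widget also fails until you review it and re-pin, which is the point.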
Stealth fallout: Total loss of control

Hackers have been using stealth methods to hide their maliciousness since the beginning days of malware. Heck, the first IBM-compatible PC virus, Pakistani Brain, from 1986, redirected inquiring eyes to a copy of the unmodified boot sector when viewed by disk editors.

When a hacker modifies your system in a stealthy way, it isn't your system anymore; it belongs to the hackers. The only defenses against stealth attacks are the same defenses recommended for everything (good patching, don't run untrusted executables, and so on), but it helps to know that if you suspect you've been compromised, your initial forensic investigations may be circumvented and fought against by the more innovative malware out there. What you think is a clean system and what really is a clean system may all be controlled by the wily hacker. That is why forensics is done from known-good media: boot the suspect machine from a trusted external image, or image the disk and examine it from another system, rather than trusting the tools on the compromised host.

This story, "7 sneak attacks used by today's most devious hackers," was originally published at InfoWorld.com.

Source URL (retrieved on 2013-09-30 11:59 AM): http://www.infoworld.com/d/security/7-sneak-attacks-used-todays-most-devious-hackers-227557