Mad Dog 21/21: Shamoon And Six Trends
October 1, 2012 Hesh Wiener
In a lengthy study published in September, IBM says vendors and users have done a pretty good job tackling computer security problems lately, despite some persistently festering issues. The report deals with threats to user organizations that arrive via the Internet. This was unfortunate because sabotage had just become a very hot topic in security circles. In August, destructive malware called Shamoon trashed 30,000 workstations at Saudi Aramco and an unspecified number of client systems at Qatar’s Rasgas. The vector was most likely a flash drive carried by an insider, not a website or email.
IBM’s star-crossed (or perhaps Shamoon-crossed) X-Force 2012 Mid Year Trend & Risk Report boils down data from Big Blue’s security operations centers, which monitor more than 15 billion security events a day on behalf of approximately 4,000 clients in more than 130 countries. Against that vast background, the attacks in the oil patch may seem relatively insignificant, but few malware attacks actually cause the kind of annoyance and disruption produced by Shamoon. Shamoon, also known as Disttrack, is said to have been inspired by Stuxnet, although apparently there are many differences. One key difference is that Shamoon infected Windows machines, while Stuxnet hit the Linux variant used in the industrial controllers of nuclear refinement centrifuges. One key similarity is that most observers believe Stuxnet, like Shamoon, was injected into the Iranian refinement facility via a flash drive.
Shamoon included a number of functions or services, including a disk driver that ran at a low level, sliding underneath Windows to directly write to the hardware on the infected machine and presumably elsewhere. This powerful feature of the malware is believed to be the key to two of the functions performed by the Shamoon package: One was its ability to propagate itself across the infected organization’s internal network. The other was its ability to kill its host by wrecking the master boot record (and very possibly other objects) on the host’s primary disk drive. From what has been published, it is not possible for me to say whether Shamoon also was able to locate and infect Windows servers on or above the infected client network, nor whether Shamoon included code that could run on X86 hardware beneath any operating system, including not only Windows but also Linux. Whatever the potential of an X86 server to impose protection and trap unauthorized I/O (including disk access), there may in practice be flaws in installed systems software that would allow malware to do more than knock, without an answer, on doors leading to the heart of a server.
Windows, Linux, and other operating systems, combined with current X86 hardware, provide pretty good security, but as events have shown time and again, it is not flawless.
The vulnerabilities that seem to get the most attention, at least according to IBM’s X-Force security group, are the ones that permit any of the several types of attack to succeed. Clients and servers are subject to attempted vandalism all the time, but nearly all the attacks fail. Still, an attack only has to succeed once to damage or destroy a vital computing resource.
One type of attack that evolved with the ongoing development of systems running a SQL-compliant DBMS is the SQL injection. In the simplest terms, SQL injection occurs when input to an application passes a string to SQL in a way that tricks the SQL processor into treating the string as instructions rather than data. The injected SQL can pervert the course of execution and, at the extreme, enable malware to take over a server. Once a server is running code injected by malware, there may be no limit to the mischief that can ensue. Malware developers keep finding new ways to outwit client-side applications with code that comes to a server along the same paths used to process ordinary application data. IBM says that the number of SQL injection events its team detects keeps climbing, month after month, year after year. No matter how client-side software is improved, so far there has been no development that tips the trend line downward.
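The mechanism described above, as an added illustration that is not part of the original column: the same user input run through a query built by string concatenation and through a parameterized query. The table, rows and inputs are constructed for the demonstration; the point is that binding parameters keeps the SQL text fixed so the input can only ever be data.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the report).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the input becomes part of the SQL text,
    so any quote characters in it are parsed as SQL syntax."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the SQL text is constant and the input is
    bound as a value, so the parser never sees it as instructions."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run one input through both lookups and return (vulnerable, safe).
    A syntax error from the concatenated query is reported as 'error',
    which is how a legitimate name such as O'Brien first reveals the bug."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, name)
    except sqlite3.OperationalError:
        vulnerable = "error"
    return vulnerable, lookup_safe(conn, name)


if __name__ == "__main__":
    for probe in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

An ordinary apostrophe in a name breaks the concatenated query outright, and an input containing a tautology makes it return every row; the parameterized query returns exactly the rows whose name equals the input, in both cases.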
Another common type of attack on servers involves the introduction of cross-site scripting. In rudimentary terms, cross-site scripting involves the addition of code to an otherwise proper website to trick a visitor’s browser into doing something dangerous to the integrity of the client. The name of the technique comes from the way it is executed: A visitor to a website might think he’s getting all his code from the trustworthy web of safedomain.com but somewhere along the line the visitor’s browser will be hooked to badstuffcomesfromhere.com. The breach of integrity can result in mischief on the client, if the rogue code compromises client security, or it can end up lurking in the browser where it can attack a server at some future time. If such a server attack succeeds, the malware picked up by the client can plant a replica of itself or some other code on a formerly clean server.
A related trick malware attempts is called a dot dot exploit. Basically, dot dot is geek shorthand for dot dot slash, the notation in HTML (or other scripting code) that points a visitor’s browser to a folder above the one where the running script starts. The aim of this type of exploit is to get a browser or some malware on a client machine up in the folder tree above the starting point, from which it might have access to password or other data that the server owner thinks is sequestered.
IBM thinks the number of directory traversal exploit attempts is, like the number of SQL injection attempts, increasing all the time. No developments in browser or server technology seem to be reversing this trend. If anything, IBM says, the transition to HTML 5, which is the most powerful HTML to date, has most likely increased the vulnerability of client software and opened up dangers in web server software, too. Eventually HTML 5 interpreters may become more resilient, but currently the expansion of web horizons is proceeding faster than the evolution of web security technology.
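The server-side check that keeps a dot dot slash request inside its intended folder, as an added example that is not code from the column or from IBM's report. The base directory `/srv/www` is a constructed value; the second function shows the tempting plain string-prefix test and why it is not enough.

```python
import os


def _resolve(base_dir, requested):
    """Map a client-supplied path onto base_dir and normalise it.
    Leading slashes are stripped so os.path.join cannot be talked into
    discarding base_dir; realpath then folds away every '..' segment."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    return base, target


def resolve_under(base_dir, requested):
    """Return the absolute path if it stays inside base_dir, else None.
    commonpath compares whole path components, so a sibling folder such
    as /srv/www_private is correctly treated as outside /srv/www."""
    base, target = _resolve(base_dir, requested)
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def naive_prefix_check(base_dir, requested):
    """The weak version: a plain string prefix test. It rejects a climb
    to /etc but lets '../www_private/secret' through, because the string
    '/srv/www_private/secret' does start with '/srv/www'."""
    base, target = _resolve(base_dir, requested)
    return target if target.startswith(base) else None


if __name__ == "__main__":
    for req in ("index.html", "css/../index.html",
                "../../etc/passwd", "../www_private/secret"):
        print(f"{req!r:28} strict={resolve_under('/srv/www', req)} "
              f"naive={naive_prefix_check('/srv/www', req)}")
```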
Adding to the burden on technical staff charged with preserving the integrity of clients and servers is the huge volume of unsolicited messages sent to clients. Spam is a heavy burden. Various anti-spam groups and relevant government authorities have been winning some battles lately, but the war is far from over and will most likely never end. The big anti-spam event this year was the takedown of a botnet called Grum that pumped out millions of messages via zombie machines that had been infected with malware. IBM’s data shows that spam volume growth has been slowing for most of the past two years, but the best the spam fighters have been able to do is to reduce the rate at which spam messages climb. An actual downturn seems to lie beyond anyone’s reach at this time.
By contrast, the industry seems to have made some real gains in document security, an assertion IBM has based on the number of vulnerability bulletins issued by the creators of word processing packages and by Adobe, whose PDF technology is a world standard for document interchange. IBM points out that the current tenth generation of Adobe Reader, called X, has gone down the road toward virtualization. PDF documents are read and executed inside a software sandbox. (PDF documents can include live links, script code and other active features.) The sandbox technique seems to have drastically reduced the openings through which rogue code can perform malicious actions.
Another bright spot stems from the emerging world of mobile computing. IBM’s X-Force group believes improvements in systems software, meaning mainly Android and iOS, have included very substantial improvements in security. In addition, policing of the app stores, particularly those run by Google, Apple, and Amazon, has been pretty effective. It is possible for mobile apps to include malware, but such apps do not last long in mainstream app download libraries. The store operators have become very good at catching undesirable behavior. This is good and getting better, offsetting the risks corporate security specialists understandably worry about as their colleagues increasingly bring their own devices to work. In part, mobile devices look so good because legacy computers, including both PCs and Macs, look so bad.
IBM says the growth in the Mac base has made it as alluring a target for malware script kiddies as Windows. Mac developers don’t yet have to cope with as many attack attempts as Windows coders, but the Windows crowd has the offsetting advantage of extensive, if bitter, experience. IBM suspects Mac-related risks will loom larger in the future, even as Apple tries its best to close loopholes in its code. Basically, Mac systems software, like Windows, has to be continually enriched to remain competitive, and with its expansion in new directions come more opportunities for attackers to spot a security flaw.
The next Shamoon might not lead to client-side defenestration. Instead, it might mock the Mac.