Law enforcement and the information security industry often work together to disrupt and stop the latest malware. The malware is typically detected, sandboxed and reverse engineered, then stopped either by triggering a kill switch (if there is one) or by seizing the servers used for its command and control (C&C). From there, the domains the infected computers use to call home can be sinkholed, so the botnet's traffic flows to defenders rather than to its operators.
Yet some older malware families continue to impact business today, often exploiting old vulnerabilities and spreading via phishing emails, infected USB drives, suspect email attachments and compromised web pages. For example, in a recent Check Point report, the Conficker worm and the Zeus Trojan - both over five years old - featured among the top ten most common malware globally.
Often these older malware families are repackaged, repurposed and then made available for sale on the dark web. “Core components of older malware are still in use today. Malware authors salvage sections of code and make use of them in 'modern' or recently launched campaigns,” said Richard De Vere, director at The Antisocial Engineer. “It's more a case of if it works then don't change it.”
What do CISOs think?
“All of this makes it hard for CISOs and their SOC teams,” explains Christian Toon, CISO at legal firm Pinsent Masons. “The speed in which old types change to avoid traditional signature based detection is challenging, and normally quicker than enterprises react.”
This comes down to patch management and AV, but also “situational awareness.” The malware evolution, he says, is “beyond the realms of traditional IT folk,” who are under-resourced and too time pressured to truly mitigate these threats. “Less mature organizations just don't have capacity to deal with the history or understand the malware ecosystem. They just fix the immediate problem and move on.”
Geordie Stewart, principal consultant at Risk Intelligence and a consulting CISO, adds, “Historical malware remains a big problem for many organizations. Many are still carrying far too much security debt with high risk out of support operating systems which are perpetually ‘about to be upgraded’. The upgrade date often keeps moving back due to complexity. It can be difficult to discover all the dependencies which need to be addressed before a system can be retired or migrated.”
“The way that we often run projects can make this worse,” Stewart continues. “Typically, the organization sets up projects which are scoped around an application. It’s then difficult to understand the extent of integrations at a platform level, since the knowledge exists in the organization as the sum of all the application projects. We’re much better off implementing security controls for the legacy systems we have and taking all talk of imminent replacement with a large pinch of salt. This means segmenting high risk devices into limited network connectivity, avoiding the use of internet access from these systems and using white-listing if possible to control the code that can run on them.”
Here, we look at four of the worst malware threats still hanging around business like a bad smell.
Conficker caused a global outbreak when it was first discovered in late 2008. Exploiting an unpatched flaw in the Windows Server service (the vulnerability Microsoft fixed in MS08-067), the worm combined several attack vectors – network exploitation, removable USB drives and a dictionary attack on the passwords of administrative shares – to hijack Windows devices into a botnet.
Conficker infected up to 15 million Windows systems, running everything from Windows 2000 to the Windows 7 beta. The UK’s Ministry of Defence, the French Navy, the German armed forces, the Norwegian police and even Royal Navy warships were reported to be affected. Yet Conficker continues to impact organizations. In June, researchers at TrapX Labs found that clinical IoT medical equipment running Windows XP and unpatched Windows 7 and 8 was being hit by a resurgence of old malware, including Conficker (also detected under names such as networm32.kido.ib; Kido is the name Kaspersky uses for the same worm). Other researchers report the same.
Dave Palmer, director of technology at machine learning company Darktrace, says Conficker’s success owes largely to poor patch management. “What is surprising about the staying power of this infection is that patches have always been released by Microsoft very quickly, so it seems that there are a lot of unpatched Windows XP/Server 2008 machines that linger on in real businesses.”
Adding that Conficker most often spreads via spam emails (followed by USB sticks), Palmer believes Conficker’s continued success indicates poor network visibility. “Detecting Conficker so much highlights the enormous gaps in security visibility that many organizations have. This is not a subtle piece of malware, it can cause vast numbers of failed login attempts every day, it will cause large volumes of DNS requests to a sinkhole maintained by the FBI, almost any AV product should catch it, and it will constantly be attempting to move laterally within the business.”
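What Palmer describes is exactly the kind of signal a SOC can hunt for without specialist tooling. As an added example (not code from the article or from Darktrace), the Python script below runs two of those checks over constructed sample logs: a sliding-window count of failed logons (Windows event 4625) from one source against several accounts, which is what Conficker's dictionary attack on administrative shares looks like, and a count of distinct domain lookups per client plus answers pointing at a sinkhole, which is what its daily domain-generation algorithm produces. The log line formats, host names, addresses, thresholds and the sinkhole address 203.0.113.10 are assumptions made for the example.

```python
# Added example: hunt for two of the Conficker behaviours described above
# over constructed log samples. Formats, hosts, addresses and thresholds
# are illustrative assumptions, not real telemetry.
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Placeholder sinkhole address (TEST-NET-3); a real hunt would use the
# addresses published by whoever operates the sinkhole.
SINKHOLE_IPS = {"203.0.113.10"}
AUTH_RE = re.compile(r"^(?P<ts>\S+) host=\S+ event=4625 src=(?P<src>\S+) user=(?P<user>\S+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) answer=(?P<answer>\S+)$")
TS = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    return datetime.strptime(text, TS).replace(tzinfo=timezone.utc)


def pseudo_domain(k):
    """Deterministic random-looking name standing in for a DGA output."""
    digest = hashlib.sha256(f"sample-{k}".encode()).digest()
    label = "".join(chr(97 + b % 26) for b in digest[:6 + k % 4])
    return label + [".com", ".net", ".org", ".info", ".biz"][k % 5]


def build_sample_logs():
    """Constructed sample: one infected host (10.0.3.17), one clumsy user (10.0.5.9)."""
    t0 = datetime(2017, 8, 14, 9, 12, 0, tzinfo=timezone.utc)
    auth, dns = [], []
    # Dictionary spray: 12 guesses against each of 4 accounts, 48 failures in 48 s.
    i = 0
    for account in ["administrator", "admin", "backup", "svc_sql"]:
        for _ in range(12):
            auth.append(f"{(t0 + timedelta(seconds=i)).strftime(TS)} host=FILESRV01 "
                        f"event=4625 src=10.0.3.17 user={account}")
            i += 1
    # A real person mistyping a password three times in ten seconds.
    for s in (300, 305, 310):
        auth.append(f"{(t0 + timedelta(seconds=s)).strftime(TS)} host=FILESRV01 "
                    "event=4625 src=10.0.5.9 user=jsmith")
    # 60 DGA-style lookups over 20 minutes; most fail, every tenth hits the sinkhole.
    for k in range(60):
        answer = "203.0.113.10" if k % 10 == 0 else "NXDOMAIN"
        dns.append(f"{(t0 + timedelta(seconds=20 * k)).strftime(TS)} client=10.0.3.17 "
                   f"qname={pseudo_domain(k)} answer={answer}")
    for k, name in enumerate(["www.microsoft.com", "update.microsoft.com",
                              "login.live.com", "outlook.office365.com"]):
        dns.append(f"{(t0 + timedelta(seconds=60 * k)).strftime(TS)} client=10.0.5.9 "
                   f"qname={name} answer=192.0.2.1")
    return auth, dns


def detect_failed_logon_bursts(lines, window_s=60, min_failures=20, min_accounts=3):
    """Return {source: (failures, accounts)} for sources whose failed logons in
    any sliding window exceed the thresholds across several accounts."""
    by_src = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            by_src[m["src"]].append((parse_ts(m["ts"]), m["user"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > timedelta(seconds=window_s):
                lo += 1
            window = events[lo:hi + 1]
            accounts = {user for _, user in window}
            if len(window) >= min_failures and len(accounts) >= min_accounts:
                flagged[src] = (len(window), sorted(accounts))
                break
    return flagged


def detect_dga_clients(lines, sinkhole_ips=SINKHOLE_IPS, window_s=3600, min_distinct=40):
    """Return {client: [reasons]} for clients that query an unusual number of
    distinct names within a window, or whose answers point at a sinkhole."""
    by_client = defaultdict(list)
    sinkholed = defaultdict(set)
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        by_client[m["client"]].append((parse_ts(m["ts"]), m["qname"]))
        if m["answer"] in sinkhole_ips:
            sinkholed[m["client"]].add(m["qname"])
    flagged = {}
    for client, queries in by_client.items():
        queries.sort()
        lo, peak = 0, 0
        for hi in range(len(queries)):
            while queries[hi][0] - queries[lo][0] > timedelta(seconds=window_s):
                lo += 1
            peak = max(peak, len({name for _, name in queries[lo:hi + 1]}))
        reasons = []
        if peak >= min_distinct:
            reasons.append(f"{peak} distinct domains within {window_s}s")
        if client in sinkholed:
            reasons.append(f"{len(sinkholed[client])} answers from a known sinkhole")
        if reasons:
            flagged[client] = reasons
    return flagged


def hunt(auth_lines, dns_lines, sinkhole_ips=SINKHOLE_IPS):
    """Combine both signals; a host showing both is a high-confidence hit."""
    bursts = detect_failed_logon_bursts(auth_lines)
    dga = detect_dga_clients(dns_lines, sinkhole_ips)
    return {host: ("high" if host in bursts and host in dga else "medium")
            for host in set(bursts) | set(dga)}


if __name__ == "__main__":
    auth, dns = build_sample_logs()
    for host, confidence in sorted(hunt(auth, dns).items()):
        print(f"{host}: {confidence} confidence Conficker-like activity")
```

Run directly, it reports 10.0.3.17 as a high-confidence hit and stays quiet about the user who mistyped a password. In a real environment you would feed it the day's 4625 events and DNS query logs instead of the constructed sample, replace the placeholder sinkhole address with the published ones, and tune the window and counts to your own baseline; the thresholds here are deliberately generous because, as Palmer says, Conficker is not subtle.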
Rodney Joffe, senior VP and fellow at analytics firm Neustar, agrees. “Conficker was derided and ignored by many organizations six or seven years ago, because aside from the first couple of events, ‘It doesn’t do anything anymore, so why go through the bother of rebuilding a machine just for it?’ This is the wrong attitude.”
Indeed, he adds that the Conficker Working Group and others have seen Conficker infections continue at “around the 600,000 level globally for at least the last five years,” although IBM X-Force research provided to CSO suggests the total event activity for Conficker from January until mid-August was just 1 percent of that of WannaCry, which didn’t surface until May.
Before WannaCry, ransomware was not so prolific, but there was one notable exception: CryptoLocker. Released in September 2013, CryptoLocker spread through email attachments and encrypted the user’s files so that they could no longer access them. The criminal group would then hand over the decryption key in return for payment. System Restore did work on occasion, but many people still lost files that had not been backed up.
After a large international campaign, the FBI and Europol coordinated “Operation Tovar” in 2014, which took down the GameOver Zeus botnet used to distribute CryptoLocker and led to the indictment of Evgeniy Bogachev, the leader of the group behind it. The criminal group is believed to have made $30 million in 100 days from approximately 500,000 victims.
While CryptoLocker is officially dead (thanks to a law enforcement sinkhole), that hasn’t stopped its code appearing in numerous newer strains, from Crypt0Locker to CryptoLocker v3 and CryptoGraphic Locker. “Zeus and CryptoLocker live on in the code that has been published and re-used to create more recent malware strands, meaning businesses are still being victimized by old malware threats reincarnated,” says Pieter Arntz, malware intelligence researcher at Malwarebytes.
Zeus was an extremely successful Trojan horse that, after years of success against financial services, has undergone a recent transformation. Prolific between 2007 and 2009, Zeus – which ran on versions of Windows – stole banking details through man-in-the-browser keystroke logging and form grabbing, and later variants would also attempt to install CryptoLocker for extra monetary gain.
Zeus spread through phishing emails and drive-by downloads and hit some notable targets, including the US Department of Transportation. Today, Zeus lives on in other forms. According to Denmark-based Heimdal Security, the potent nine-year-old malware has morphed into the up-and-coming Atmos malware, which has been targeting banks in France.
Zeus is now found well beyond financial services. “I still see Zeus and Conficker popping up on most LANs,” says Steve Armstrong, SANS instructor and incident response expert. “Zeus probably once a month for medium or large companies with poor controls.”
“As Zeus's source code was leaked, many banking Trojans are still based on it,” adds Chris Doman, security researcher at AlienVault. “Malware authors even advertise ‘not based on Zeus’ when selling their malware, and charge a premium if so.”
Duqu was discovered in September 2011 and is believed to be closely related to the infamous Stuxnet worm, which resulted in the destruction of Iranian centrifuges. Indeed, many researchers say that Duqu shares much of its source code with Stuxnet.
Duqu was used in a number of intelligence-gathering attacks against industrial targets, and was suspected of being used to spy on the Iranian nuclear negotiations. The latest version – Duqu 2.0 – has been described as one of the most sophisticated pieces of malware ever seen. FireEye has found Duqu 2.0 on the networks of European hotels used by participants in the Iranian nuclear negotiations, while Symantec has identified it on the networks of telco operators and electronics companies.
Duqu 2.0’s kernel driver was signed with a legitimate code-signing certificate issued to the Taiwanese electronics manufacturer Foxconn, whose customers include Microsoft, Google and Amazon. Kaspersky Lab, which found the signed driver, notes that Windows trusts the Foxconn-signed code because the certificate chains up to VeriSign, a root that Windows trusts. As a result, the operating system loads Duqu 2.0’s 64-bit kernel-level driver without raising any alarm, and this gives the malware complete control over the infected machine. The lesson for defenders is that a valid signature chain only proves who the publisher is, not that the publisher should be shipping kernel drivers to your fleet; an inventory of loaded drivers reviewed against the small set of signers you actually expect is the check that catches an unexpected one.
“Duqu is rumored to be the work of the Israeli government. As a technically capable nation in an unstable region, I have no doubt they are still active. But you are very unlikely to see them,” says Doman.