Last week, I discussed security-aware attacks that are capable of identifying and evading security solutions deployed on a system. One of the hallmarks of this new class of security-aware attacks is that they are specifically designed to bypass or avoid traditional security tools such as gateways and firewalls. In some cases, the design is so clever that the security system never has a chance to stop the intrusion.
Security-aware attacks are frightening because they provide the intruder with precious time to deliver the exploit and get it operational. As we have seen recently in the retail space, once an undetected exploit is active, it can cause significant damage to the enterprise and its customers, both immediately and over the long term.
Cybercriminals use a variety of novel approaches to creating these security-aware attacks.
One that we felt was particularly compelling takes advantage of the sophisticated capabilities HTML5 offers to deliver an exploit to a target environment in pieces, so that the network security infrastructure never even sees it. The HTML5 feature isn't a vulnerability per se, but simply a feature that cybercriminals can exploit.
Our R&D team recreated this attack to analyze its operation.
The attack starts with simple old-fashioned social engineering, by sending our target a standard email with a catchy invitation to open a link, which he did.
To pull in the pieces of the exploit in a manner that would not raise an alarm if the pieces were analyzed by network infrastructure, the content was encoded into standard images and toolbars that the webpage would display. What was not apparent from looking at the images was that additional binary data was hidden inside them using steganography and could be extracted algorithmically. Steganography works by making extremely small changes to the image data that are not perceivable by a human observer but can be recovered algorithmically.
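As an added example (not the R&D team's reconstruction described above), the following Python implements the classic pairs-of-values chi-square check that a defender can run over decoded 8-bit pixel samples to flag a carrier whose least-significant bits have been fully overwritten. The image is constructed, and the "embedded" sample only reproduces the statistical footprint of a full-capacity LSB payload; nothing is hidden in it.

```python
import random


def pov_chi_square(samples):
    """Pairs-of-values chi-square statistic over 8-bit samples.

    For each value pair (2k, 2k+1) that occurs, compare the counts n_2k and
    n_2k+1. Overwriting every LSB with high-entropy data (a compressed or
    encrypted payload) pushes the two counts towards equality, so the
    statistic collapses. Returns (statistic, number_of_pairs_used).
    """
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total == 0:
            continue
        stat += (even - odd) ** 2 / total
        pairs += 1
    return stat, pairs


def lsb_plane_suspicious(samples, threshold=10.0):
    """True when the per-pair statistic is unnaturally small.

    Natural images keep large imbalances between neighbouring values;
    randomised LSBs erase them. Caveat: this check is blind to payloads that
    use only part of the carrier or spread bits over random positions, so a
    negative result is not a clean bill of health.
    """
    stat, pairs = pov_chi_square(samples)
    return pairs > 0 and stat / pairs < threshold


def constructed_clean_image(width=64, height=64):
    """Constructed stand-in for a natural image: a smooth texture whose value
    histogram is uneven (value 100 dominates), as real photographs are."""
    return [100 + (x * y) % 7 for y in range(height) for x in range(width)]


def simulate_full_lsb_embedding(samples, seed=1):
    """Reproduce the footprint of a carrier whose every pixel LSB was replaced
    by payload bits: each LSB becomes a random bit. No payload is embedded."""
    rng = random.Random(seed)
    return [(s & 0xFE) | rng.getrandbits(1) for s in samples]
```

To run the check on a real file, feed it the decoded pixel bytes of one channel (for example from an image library's raw byte export) instead of the constructed list.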
The firewall never saw the exploit, nor did any other infrastructure such as sandbox appliances, because the exploit itself never existed anywhere until it assembled itself inside the user's computer.
How do you stop malware like that? The answer is that you need a security architecture in which the endpoint and the infrastructure collaborate to provide a comprehensive solution.