McAfee today released its McAfee Labs Threats Report: December 2016. The report’s third key topic illustrates how attackers are creating difficult-to-detect malware by infecting legitimate code with Trojans and leveraging that legitimacy to remain hidden as long as possible. Author Craig Schmugar of McAfee Labs also recommends policies and procedures that will help protect against this form of attack. The following is an excerpt from Schmugar’s key topic feature.
Earlier this year, the Internet blew up over the topic of whether Apple should assist the FBI by providing access to a deceased terrorist’s iPhone. Tim Cook, Apple’s chief executive, referred to the government’s demands as asking for the “equivalent of a master key, capable of opening hundreds of millions of locks.” In the end, the FBI gained access through undisclosed means and withdrew the request, but the notion of backdoor access is something that has been coveted by malware authors, spies, and nation-states for decades. Tactics for accomplishing this goal range from persuading victims via social engineering to hand over the keys to their devices, to intercepting hardware in the supply chain and inserting backdoors to surreptitiously gain remote access. However, the most common method is through the deployment of Trojan software.
Most malicious applications today are rotten to the core. They serve one purpose: to profit bad actors by subjecting their victims to attacks. The tactical objectives of such crimes are generally to reach the target, establish a presence, and persist for an extended time. To reach their targets, attackers either draw victims in through social engineering or intercept their everyday computer usage, most often through exploitation. In either case, the goal is for those unfortunate enough to cross paths with malicious code to be none the wiser.
The longer attacks can go unnoticed, the larger the payout. To this end, attackers are growing more sophisticated as they endeavor to create long-lasting, fully undetectable creations. The more authentic looking a piece of code, the more likely it is to be overlooked. This is the primary driving factor in an increasing trend of “Trojanizing” legitimate applications, which are injected with malicious nonreplicating code.
The abuse of reputable applications affords attackers a number of benefits. Payloads are concealed behind a recognizable brand, contributing to the impression of legitimacy and helping ensure targeted users take the bait. This brand recognition continues after a system has been compromised, through recognizable directory, file, process, and registry key names and attributes. These elements can provide cover during security scans and forensics analysis, with recognizable properties blending with hundreds or even thousands of familiar programs.
Another benefit is built-in persistence, a method of restarting code that was previously terminated. Malware persistence falls into one of two categories: self-persistence, involving the installation of start-up hooks to endure reboots; and companion-persistence, which leverages existing start-up hooks to automatically load before, during, or after other wanted applications. Each system change made by malicious code is an indicator of compromise. Thus, the fewer the changes, the smaller the detection surface. Trojanizing legitimate applications provides free persistence; the software’s natural method of start-up is all that is necessary for the malicious code to load. In fact, if the program is run manually on a regular basis, then persistence is self-perpetuated by the victims themselves.
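Because a Trojanized application keeps the directory, file, process and start-up hook names of the legitimate program, name-based checks do not catch it; what changes is the file content. The following defender-side example, added here and not part of the McAfee report, shows the corresponding check: take a hash baseline of an installed application directory while it is known-good, then compare the directory against that baseline later to surface modified binaries (the Trojanized program) and added files (dropped companions). The application name `ExampleApp`, its file names and contents are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(app_dir):
    """Map every file under app_dir (relative path, '/' separated) to its SHA-256."""
    app_dir = Path(app_dir)
    baseline = {}
    for p in sorted(app_dir.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(app_dir)).replace(os.sep, "/")
            baseline[rel] = sha256_file(p)
    return baseline


def compare_to_baseline(app_dir, baseline):
    """Return relative paths that were modified, added or removed since the baseline.

    'modified' is the Trojanizing case: same name, same location, different bytes.
    'added' covers companion files dropped next to the legitimate program.
    """
    current = build_baseline(app_dir)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: a clean install, a baseline, then a tampered install."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "ExampleApp"          # hypothetical application directory
        (app / "plugins").mkdir(parents=True)
        (app / "example.exe").write_bytes(b"MZ original program bytes")
        (app / "plugins" / "helper.dll").write_bytes(b"MZ helper")

        baseline = build_baseline(app)          # taken while the install is known-good

        # Simulated Trojanized binary: identical path and name, different content.
        (app / "example.exe").write_bytes(b"MZ original program bytes + injected payload")
        # Simulated companion file dropped into a directory the app already loads from.
        (app / "plugins" / "update.dll").write_bytes(b"MZ new")

        return compare_to_baseline(app, baseline)


if __name__ == "__main__":
    print(demo())  # {'modified': ['example.exe'], 'added': ['plugins/update.dll'], 'missing': []}
```

The value of the check depends on the baseline: it must be taken from a trusted state (a clean install or vendor-published hashes) and stored somewhere the compromised host cannot rewrite, and it should be re-taken after every legitimate update, otherwise routine patches look like tampering. On platforms with code signing, a signature check on the modified file is the natural second step before treating the difference as an incident.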