It’s Halloween – goblins, ghouls and ghosts gather in haunted houses and corporate offices alike. In security, while we’ve spent a good portion of 2014 focused on trick-or-treaters of the “advanced persistent threat” and “cybercrime” varieties, this Hallows Eve might be a good time to remind ourselves that zombies can be just as deadly. By zombies, I mean recycled tools and techniques from years gone by that have come back from the dead and are increasingly used in modern attacks.
Like their undead human counterparts, they aren’t always nimble, but these malware zombies can be just as dangerous. Take data destruction attacks, for example: prior to 2003, data destruction attacks were the norm with malware. Viruses were primarily designed to erase the hard drive or create other troubles for the end user.
Starting roughly ten years ago, hackers realized that they could make money through cybercrimes like stealing credentials or credit cards. Malware became more subtle and stealthy. However, recently those old data destruction attacks have come back from the grave and are surging in the form of ransomware, such as Cryptolocker.
To add insult to injury, these new data destruction attacks are often polymorphic and evade most antivirus systems. Even worse, they are intelligent enough to avoid detonation in a virtual or sandboxed environment. They encrypt both local and networked drives and, while generally not lethal, can be a real pain to recover from.
Another 1990s technique that revisits us from the grave is Microsoft Office malware. Microsoft Office-based macro malware had largely fallen out of vogue, but has returned in the last year or so as a powerful vector for targeted attacks. For example, the recently uncovered “Sandworm” campaign came in the form of a PowerPoint dropper.
The specific vulnerabilities exploited and techniques have evolved, such as in-memory attacks that never even hit the drive but hijack an in-memory DLL; however, the vector is the same – a complex Office suite on top of a complex operating system remains an attractive method for malicious code execution.
Finally, in the 1990s, malware generation kits allowed budding virus authors to experience some of the “thrill of the game” without having to develop the malware itself. Malware generation kits have recently enjoyed a resurgence. This technique refuses to die because, like everyone, hackers look for labor savings to achieve their end goals.
These days, Trojan generators are used by Advanced Persistence Threat (APT) groups and cyber criminals because they spread the workload and allow for the quick generation of code that is “unique enough” to bypass most targets’ controls.
One thing all of these techniques share is that they are evading traditional security controls. In-memory attacks like the one described above can’t be seen on the network, and antivirus software is often unable to detect these attacks. Adversaries have brought them back for just that reason: they still work in most of our organizations.