Researchers find that attackers are hiding behind existing apps and using old attacks in new ways.
Researchers find that attackers are hiding behind existing apps and using old attacks in new ways.

The Palo Alto Networks 2014 Application Usage and Threat Report found that attackers are hiding in plain sight in corporate networks, masking potentially harmful threats with existing applications and adding new twists to old exploits.

Analyzing network traffic assessments from more than 5,500 organizations globally, researchers at the California-based security firm found that code execution exploits delivered across common sharing applications accounted for 19 percent of the threats they observed. While common sharing applications represented 27 percent of all apps and accounted for 32 percent of all threats, Palo Alto Networks noted that the threat activity was “disproportionately low” at around five percent.

“The low activity is an example of attackers gaining access (attack delivery) through the front door (email) but leaving through an alternative door (User Datagram Protocol),” Matt Keil, senior research analyst, Palo Alto Networks, told in Thursday email correspondence. Attackers often infect a system using one application, like email, but use a different method, like UDP, to command their malware or exfiltrate data, Keil explained.

Commonly used data-sharing applications, like email, IM and social media apps, are "all great delivery mechanisms but not well-suited for command and control of a botnet," he said.

A small number of applications seem to generate the most action, researchers found, with 94 percent of the vulnerability exploit logs observed being found in just 10 applications (among 539 apps observed by Palo Alto).

The Smoke.Loader botnet controller, which enables remote management of endpoints, generated a lot of activity in many of the applications, including social media apps Facebook and Twitter.

Once installed, Smoke.Loader allows the download and installation of other malware, the installation of files based on the geographical location of the infected system, the theft of passwords and the disabling of antivirus programs. It can also help an attacker's traffic skirt IP-based authentication systems, the report found.

While it comes as no surprise that malware creators manipulate “malware executables” to get around threat prevention measures, the report noted that they are getting quite adept at modi­fying and customizing their communications. A clear case in point – the “heavy” use of UDP. Of the 66 botnets the analysts detected, a good number used the protocol for their command and control channels. In fact, analysis shows that “99 percent of malware logs were found in UDP; the majority of which were generated by a single threat.”

The ZeroAccess botnet, which not only generates spam e-mails and click-fraud against online advertisers but also taps computer resources to solve hash challenges in an attempt to generate Bitcoins, the report said, spun out the most malware activity.

Pointing out that UDP “is connectionless, and often the packets simply contain parts of a compressed video or audio stream,” Keil said "it's harder to evaluate than TCP connections, which have more structure.” Because it's “found on every network as one of the foundational applications,” it is often overlooked or ignored, he said. “Finally, it's more difficult to write IPS signatures that detect malicious UDP traffic, but that doesn't mean we can simply ignore it. Identifying the source and purpose of all traffic – known and unknown – then systematically managing that traffic is an important part of securing a network.”