Gunter Ollmann

Most corporations of any size have an internal team of malware specialists tasked with preventing infections and dealing with the consequences of a successful compromise.

Depending upon the size of the organization and its propensity for being targeted by professional hackers, the skill sets of these internal malware investigation teams can vary greatly. Regardless of their technical skills, many experts struggle to understand how malware is able to successfully breach their perimeter and host-based defenses, despite their deep understanding of how each layer of defense is meant to cope with the threat.

The delivery method of most concern, largely because of its repeated success in breaching anti-malware defenses, is the "drive-by download." In this scenario the victim is drawn to a website hosting hidden malicious code. How that code got there, and why the victim was drawn to the site, matters less than what follows: as the victim's browser renders the page, vulnerabilities are exploited, malware is downloaded and installed, and host-based security products are either subverted or rendered inoperable.

How, with anti-virus products deployed on the victim's computer, did the attacker manage to get a known (and detectable) piece of malware past them?

The component of the attack that corporate malware teams most often fail to grasp is the exploitation phase, and in particular the privileges under which the exploited application runs.

The victim's web browser runs with the permissions of the logged-in user. If that user is a local administrator, any code executing inside the browser process inherits administrator rights; if the user has lesser permissions, the code inherits those instead. Browsers that sandbox their rendering processes are the exception: the renderer runs with fewer rights than the user, so the attacker needs an additional escalation step to obtain even the user's own permissions.

In many ways, though, the victim's permissions don't matter much, because the term "web browser exploit" is misleading in the singular. Many successful browser attacks are in reality chains of several exploits, each chosen to raise the probability of success and to elevate permissions locally, giving the attacker far greater freedom on the victim's computer once the code executes.

The net result is that a successful attack chains exploits against multiple vulnerabilities on the host and, step by step, escalates the permissions with which the final shellcode payload executes.

The goal of the escalation process is to ensure that the shellcode payload, the initial commands the attacker wants to run on the victim's computer, executes with the highest possible permissions. Once root or SYSTEM level permissions are obtained, any malware that is subsequently downloaded, executed and installed runs with privileges at least equal to those of the security products already deployed on the host, which is enough to stop their services unless the product defends itself from the kernel. As such, the first steps of the malware installation are to kill or permanently disable the services and processes belonging to the security products watching for it.
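The two observable signs of this chain on a host are a browser descendant running at a higher integrity level than the browser that spawned it, and a security service being stopped by that lineage. As an added example, not taken from the original article, the Python below hunts for both in endpoint telemetry. The telemetry format, the JSON lines it parses, the browser image list and the placeholder service names "ExampleAVEngine" and "ExampleHostIPS" are all constructed for this illustration; only "WinDefend" is a real service name.

```python
"""Hunt for the drive-by chain described above in endpoint telemetry.

Added example: the telemetry is constructed for this illustration (JSON
lines, one event per line) and is not taken from any product or incident.
"""
import json

# Images treated as the web-facing foothold (an assumption for this example).
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
# Service names to watch. "WinDefend" is a real service name; the other two
# are placeholders standing in for whatever products a site actually runs.
SECURITY_SERVICES = {"WinDefend", "ExampleAVEngine", "ExampleHostIPS"}
# Windows-style integrity levels, ordered lowest to highest.
INTEGRITY = {"Low": 1, "Medium": 2, "High": 3, "System": 4}

# Constructed telemetry: a browser at Low integrity spawns a dropper at the
# user's Medium level, which spawns a SYSTEM process that stops the AV service.
SAMPLE_TELEMETRY = r"""
{"ts": "2010-03-02T09:14:01Z", "type": "process_create", "pid": 900, "ppid": 4, "image": "explorer.exe", "integrity": "Medium", "user": "alice"}
{"ts": "2010-03-02T09:14:05Z", "type": "process_create", "pid": 1200, "ppid": 900, "image": "iexplore.exe", "integrity": "Low", "user": "alice"}
{"ts": "2010-03-02T09:14:09Z", "type": "process_create", "pid": 1310, "ppid": 1200, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\a.exe", "integrity": "Medium", "user": "alice"}
{"ts": "2010-03-02T09:14:11Z", "type": "process_create", "pid": 1400, "ppid": 1310, "image": "C:\\Windows\\Temp\\svc.exe", "integrity": "System", "user": "SYSTEM"}
{"ts": "2010-03-02T09:14:12Z", "type": "service_stop", "pid": 1400, "service": "WinDefend"}
{"ts": "2010-03-02T09:20:00Z", "type": "process_create", "pid": 2000, "ppid": 900, "image": "notepad.exe", "integrity": "Medium", "user": "alice"}
{"ts": "2010-03-02T09:21:00Z", "type": "service_stop", "pid": 620, "service": "Spooler"}
{"ts": "2010-03-02T09:22:00Z", "type": "service_stop", "pid": 620, "service": "ExampleAVEngine"}
"""


def parse_telemetry(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(image):
    """Reduce a full image path to its lower-cased base name."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def process_table(events):
    """Map pid -> process_create event (the last one seen wins on pid reuse)."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def browser_ancestor(pid, procs):
    """Walk the parent chain above pid and return the first browser found, or None.

    pid itself is excluded so a browser is never reported as its own ancestor;
    the seen set guards against cycles from pid reuse in the table.
    """
    seen = set()
    current = procs[pid]["ppid"] if pid in procs else None
    while current in procs and current not in seen:
        seen.add(current)
        proc = procs[current]
        if image_name(proc["image"]) in BROWSERS:
            return proc
        current = proc["ppid"]
    return None


def detect(events):
    """Return (severity, message) alerts for the two signs of the chain.

    1. A browser descendant running at a higher integrity than the browser that
       spawned its lineage: the local escalation step.
    2. A security service stopped by such a descendant (high), or by anything
       else (medium, because an administrator may have done it deliberately).
    """
    procs = process_table(events)
    alerts = []
    for e in events:
        if e["type"] == "process_create":
            browser = browser_ancestor(e["pid"], procs)
            if browser and INTEGRITY[e["integrity"]] > INTEGRITY[browser["integrity"]]:
                alerts.append(("high",
                               f"pid {e['pid']} ({image_name(e['image'])}) runs at "
                               f"{e['integrity']} integrity but descends from "
                               f"{image_name(browser['image'])} pid {browser['pid']} "
                               f"at {browser['integrity']}"))
        elif e["type"] == "service_stop" and e["service"] in SECURITY_SERVICES:
            browser = browser_ancestor(e["pid"], procs)
            if browser:
                alerts.append(("high",
                               f"security service {e['service']} stopped by pid "
                               f"{e['pid']}, a descendant of browser pid {browser['pid']}"))
            else:
                alerts.append(("medium",
                               f"security service {e['service']} stopped by pid "
                               f"{e['pid']} (no browser lineage; review)"))
    return alerts


def run_sample():
    """Run the detector over the constructed telemetry."""
    return detect(parse_telemetry(SAMPLE_TELEMETRY))


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```

On the constructed sample this raises three high-severity alerts (the dropper at Medium and the SYSTEM process both descending from the Low-integrity browser, and WinDefend stopped by that lineage) and one medium alert for the security service stopped by a process with no browser ancestry; the Spooler stop is ignored. The design point is that the lineage check, not the integrity level alone, carries the signal: a SYSTEM process is normal, a SYSTEM process whose grandparent is the user's browser is not.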

In a nutshell, by achieving privileges equal to or higher than those of the security products already present on the victim's computer, the attacker can ensure they are disabled before the malware payload is detected and blocked, leaving it free to compromise the host and, in today's bot-enabled world, the corporate network behind it.