BreachExchange mailing list archives

7 sneak attacks used by today's most devious hackers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 31 Dec 2013 18:05:43 -0700

http://news.idg.no/cw/art.cfm?id=B8958B99-A4E3-FD7B-06C23DAAEB400AD0

Millions of pieces of malware and thousands of malicious hacker gangs roam
today's online world preying on easy dupes. Reusing the same tactics that
have worked for years, if not decades, they do nothing new or interesting
in exploiting our laziness, lapses in judgment, or plain idiocy.

But each year antimalware researchers come across a few techniques that
raise eyebrows. Used by malware or hackers, these inspired techniques
stretch the boundaries of malicious hacking. Think of them as innovations
in deviance. Like much that is innovative, many of them are strikingly simple.

Take the 1990s Microsoft Excel macro virus that silently, randomly replaced
zeros with capital O's in spreadsheets, immediately transforming numbers
into text labels with a value of zero -- changes that went, for the most
part, undetected until well after backup systems contained nothing but bad
data.

Today's most ingenious malware and hackers are just as stealthy and
conniving. Here are some of the latest techniques of note that have piqued
my interest as a security researcher and the lessons learned. Some stand on
the shoulders of past malicious innovators, but all are very much in vogue
today as ways to rip off even the savviest users.

Stealth attack No. 1: Fake wireless access points

No hack is easier to accomplish than a fake WAP (wireless access point).
Anyone using a bit of software and a wireless network card can advertise
their computer as an available WAP that is then connected to the real,
legitimate WAP in a public location.

Think of all the times you -- or your users -- have gone to the local
coffee shop, airport, or public gathering place and connected to the "free
wireless" network. Hackers at Starbucks who call their fake WAP "Starbucks
Wireless Network" or at the Atlanta airport call it "Atlanta Airport Free
Wireless" have all sorts of people connecting to their computer in minutes.
The hackers can then sniff unprotected data from the data streams sent
between the unwitting victims and their intended remote hosts. You'd be
surprised how much data, even passwords, are still sent in clear text.

The more nefarious hackers will ask their victims to create a new access
account to use their WAP. These users will more than likely use a common
log-on name or one of their email addresses, along with a password they use
elsewhere. The WAP hacker can then try using the same log-on credentials on
popular websites -- Facebook, Twitter, Amazon, iTunes, and so on -- and the
victims will never know how it happened.

Lesson: You can't trust public wireless access points. Always protect
confidential information sent over a wireless network. Consider a VPN
connection, which tunnels all your traffic past the access point's operator;
check that you are on HTTPS before typing a password; and never recycle
passwords between throwaway sign-ups and the accounts that matter.

Stealth attack No. 2: Cookie theft

Browser cookies are a wonderful invention that preserves "state" when a
user navigates a website. These little text files, sent to our machines by
a website, help the website or service track us across our visit, or over
multiple visits, enabling us to more easily purchase jeans, for example.
What's not to like?

Answer: When a hacker steals our cookies, and by virtue of doing so,
becomes us -- an increasingly frequent occurrence these days. Rather, they
become authenticated to our websites as if they were us and had supplied a
valid log-on name and password.

Sure, cookie theft has been around since the invention of the Web, but
these days tools make the process as easy as click, click,
click. Firesheep, for example, is a Firefox browser add-on that allows
people to steal unprotected cookies from others. When used with a fake WAP
or on a shared public network, cookie hijacking can be quite successful.
Firesheep will show all the names and locations of the cookies it is
finding, and with a simple click of the mouse, the hacker can take over the
session (see the Codebutler blog for an example of how easy it is to use
Firesheep).

Worse, under the right conditions attackers can recover even
SSL/TLS-protected cookies. In September 2011, an attack its creators labeled
"BEAST" demonstrated a chosen-plaintext attack on the CBC cipher suites of
TLS 1.0 and SSL 3.0: an attacker positioned on the network (a fake WAP will
do) who can also run script in the victim's browser can decrypt a cookie
byte by byte. The well-named CRIME attack, presented a year later, took a
different route, using TLS compression to leak cookie bytes through the size
of the encrypted requests.

With each published cookie attack, websites and application developers are
told how to protect their users. Sometimes the answer is to move to a newer
protocol version (TLS 1.1 and later change the CBC initialization-vector
handling that BEAST relies on); other times it is to disable a feature most
people never used, as when CRIME was answered by turning off TLS compression
in servers and browsers. The constant is that Web developers and
administrators must keep their TLS configuration current. If your website
hasn't updated its encryption protection in a few years, you're probably at
risk.

Lessons: Even encrypted cookies can be stolen. Connect to websites that
utilize secure development techniques and the latest crypto. Your HTTPS
websites should be using the latest crypto, including TLS 1.2 or later, and
should mark session cookies so they are never sent over plain HTTP.
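Firesheep-style theft works because the session cookie is allowed to travel over plain HTTP in the first place. The audit below, an added example rather than code from the original article, parses Set-Cookie headers and reports the attributes that prevent that: Secure (never sent in clear), HttpOnly (not readable by injected script) and SameSite (not replayed from another site). The three header lines are constructed for the demonstration; the first is the classic Firesheep case.

```python
"""Audit Set-Cookie headers for the attributes that blunt cookie theft.
Added example, not from the original article. Header samples are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union


@dataclass
class CookieFinding:
    name: str
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, Union[str, bool]]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value|True}).

    Attribute names are case-insensitive, so they are lower-cased; a bare
    flag such as 'Secure' is stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_set_cookie(header_value: str) -> CookieFinding:
    """Return the cookie's name and every missing or contradictory protection."""
    name, attrs = parse_set_cookie(header_value)
    finding = CookieFinding(name=name)
    if "secure" not in attrs:
        # This is what Firesheep needs: the browser sends the cookie over HTTP
        # to any host that asks, so a sniffer on the WAP sees it in the clear.
        finding.problems.append("missing Secure: sent over plain HTTP")
    if "httponly" not in attrs:
        finding.problems.append("missing HttpOnly: readable by injected script")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str):
        # Absent or written as a bare flag without a value.
        finding.problems.append("missing SameSite: replayable from a third-party page")
    elif samesite.lower() == "none" and "secure" not in attrs:
        finding.problems.append("SameSite=None requires Secure; browsers reject it otherwise")
    return finding


def audit_set_cookie_headers(headers: List[str]) -> List[CookieFinding]:
    return [audit_set_cookie(h) for h in headers]


# Constructed sample: a pre-Firesheep session cookie, a hardened one, and a
# tracker whose SameSite=None is meaningless without Secure.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracker=xyz; SameSite=None",
]

if __name__ == "__main__":
    for result in audit_set_cookie_headers(SAMPLE_HEADERS):
        status = "ok" if not result.problems else "; ".join(result.problems)
        print(f"{result.name}: {status}")
```

Run it against the Set-Cookie lines from a real login response (curl -i will show them) and treat any finding on a session cookie as a Firesheep exposure until the site is HTTPS-only and the cookie carries Secure.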

Stealth attack No. 3: File name tricks

Hackers have been using file name tricks to get us to execute malicious
code since the beginning of malware. Early examples included naming the
file something that would encourage unsuspecting victims to click on it
(like AnnaKournikovaNudePics) and using multiple file extensions (such as
AnnaKournikovaNudePics.Zip.exe). To this day, Microsoft Windows and
other operating systems readily hide "well known" file extensions, which
will make AnnaKournikovaNudePics.Gif.Exe look like
AnnaKournikovaNudePics.Gif.

Years ago, malware programs known as "twins," "spawners," or "companion
viruses" relied on a little-known feature of the DOS and Windows command
interpreters: when you typed a command without an extension, say Start, the
interpreter looked for Start.com before Start.exe and ran the first one it
found. Companion viruses would look for all the .exe files on your hard
drive and create a copy of the virus with the same base name but the
extension .com, so the virus ran first and then handed control to the real
program. That search order is still with us (cmd.exe's PATHEXT variable
lists .COM ahead of .EXE), but the technique itself is a relic; its
discovery and exploitation by early hackers laid the groundwork for
inventive ways to hide viruses that continue to evolve today.

Among the more sophisticated file-renaming tricks currently employed is the
use of Unicode characters that change how a file name is displayed. The
Right-to-Left Override (U+202E) tells any renderer that supports
bidirectional text to draw everything after it from right to left. A file
actually named AnnaKournikovaNude[U+202E]iva.exe, where the bracketed code
point is invisible, is displayed as AnnaKournikovaNudeexe.avi, so the victim
sees a video and double-clicks an executable.

Lesson: Whenever possible, make sure you know the real, complete name of
any file before executing it.
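To make the override trick concrete, the script below, an added example and not code from the original article, renders what a bidi-aware file manager would show for a name containing U+202E and then checks names for the two disguises this section describes: embedded bidirectional control characters and a second, executable extension hidden behind an innocuous one. The file names are constructed; the display logic approximates the Unicode bidi algorithm (text after the override is reversed), which is enough to explain the illusion.

```python
"""Render and detect right-to-left-override and double-extension file names.
Added example, not from the original article. File names are constructed.
"""
import os
from typing import Dict

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE

# Unicode directional formatting characters that have no business in a file name.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE LRE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
}

# Extensions Windows will execute (or hand to a script host) on double-click.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
}


def rendered_name(name: str) -> str:
    """Approximate the on-screen form: everything after an RLO is drawn reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def analyze(name: str) -> Dict[str, object]:
    """Describe how a file name will look versus what it really is."""
    stripped = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    real_ext = os.path.splitext(stripped)[1].lower()
    shown = rendered_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    has_bidi = stripped != name
    # 'report.pdf.exe' style: more than one dot and the last part runs.
    double_ext = stripped.count(".") >= 2 and real_ext in EXECUTABLE_EXTENSIONS
    return {
        "displayed": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "has_bidi_control": has_bidi,
        "double_extension": double_ext,
        # Executable by the real extension, while something about the name
        # is trying to make it look otherwise.
        "suspicious": real_ext in EXECUTABLE_EXTENSIONS
        and (has_bidi or double_ext or shown_ext != real_ext),
    }


if __name__ == "__main__":
    for sample in ("AnnaKournikovaNude\u202eiva.exe", "report.pdf.exe", "holiday.avi"):
        info = analyze(sample)
        print(f"{info['displayed']!r:40} real={info['real_extension']} "
              f"suspicious={info['suspicious']}")
```

Mail gateways and upload handlers can apply the same two tests on the server side: reject or rename anything carrying a directional control character, and judge executability by the final extension after stripping them, not by whatever the user-facing name appears to end in.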

Stealth attack No. 4: Location, location, location

Another interesting stealth trick that uses an operating system against
itself is a file location trick known as "relative versus absolute." In
legacy versions of Windows (Windows XP, 2003, and earlier) and other early
operating systems, if you typed in a file name and hit Enter, or if the
operating system went looking for a file on your behalf, it would always
start with your current folder or directory location first, before looking
elsewhere. This behavior might seem efficient and harmless enough, but
hackers and malware used it to their advantage.

For example, suppose you wanted to run the built-in, harmless Windows
calculator (calc.exe). It's easy enough (and often faster than using
several mouse clicks) to open up a command prompt, type in calc.exe and hit
Enter. But malware could create a malicious file called calc.exe and hide
it in the current directory or your home folder; when you tried to execute
calc.exe, it would run the bogus copy instead.

I loved this fault as a penetration tester. Oftentimes, after I had broken
into a computer and needed to elevate my privileges to Administrator, I
would take an unpatched version of a known, previously vulnerable piece of
software and place it in a temporary folder. Most of the time all I had to
do was place a single vulnerable executable or DLL, while leaving the
entire, previously installed patched program alone. I would type in the
program executable's filename in my temporary folder, and Windows would
load my vulnerable, Trojan executable from my temporary folder instead of
the more recently patched version. I loved it -- I could exploit a fully
patched system with a single bad file.

Unix-like systems (Linux, the BSDs, and the rest) have never had this
problem in their shells: a bare command is looked up only along PATH, and
the current directory is consulted only if someone has added "." to PATH,
which is a well-known mistake. Windows is less consistent. Its DLL loader
stopped searching the current directory ahead of the system directories once
SafeDllSearchMode became the default in Windows XP SP2, and a 2010 update
added the CWDIllegalInDllSearch setting to drop it from the search
altogether, but cmd.exe still checks the current directory before PATH when
you type a bare command, and any program that opens a file or loads a
library by a relative name is still subject to the trick. Microsoft has been
warning and teaching developers to use absolute (rather than relative)
file/path names within their own programs for many years. Still, tens of
thousands of legacy programs are vulnerable to location tricks. Hackers know
this better than anyone.

Lesson: Use operating systems that enforce absolute directory and folder
paths, and look for files in default system areas first.
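The companion-virus search order and the current-directory trick from this section are the same mechanism seen twice, so one added example covers both: a small resolver that looks up a typed command the way cmd.exe does (current directory first, then PATH, trying the PATHEXT extensions in order) and, for contrast, the way a Unix shell does (PATH only). This is illustration code, not part of the original article; the directory listings, PATH and PATHEXT are constructed, and C:\Temp plays the attacker's working directory.

```python
"""Model how a bare command name is resolved under two search policies.
Added example, not from the original article. The filesystem is constructed.
"""
from typing import Dict, List, Optional, Set

# Constructed directory listings: path -> file names present there.
FS: Dict[str, Set[str]] = {
    r"C:\Windows\System32": {"calc.exe"},
    r"C:\Apps": {"start.exe", "start.com"},  # start.com: companion planted beside the real program
    r"C:\Temp": {"calc.exe"},                # attacker's working directory with a trojan calc
}
PATH: List[str] = [r"C:\Windows\System32", r"C:\Apps"]
PATHEXT: List[str] = [".COM", ".EXE", ".BAT", ".CMD"]  # cmd.exe's default order starts with .COM


def resolve(command: str, cwd: str, cwd_first: bool,
            fs: Dict[str, Set[str]] = FS, path: List[str] = PATH,
            pathext: List[str] = PATHEXT) -> Optional[str]:
    """Return the full path that would run for `command`, or None.

    cwd_first=True  models cmd.exe: the current directory is searched before PATH.
    cwd_first=False models a Unix shell: only PATH is searched.
    A command typed without an extension is tried with each PATHEXT entry in
    order, which is why start.com beats start.exe for a bare 'start'.
    """
    dirs = ([cwd] if cwd_first else []) + path
    has_ext = "." in command.rsplit("\\", 1)[-1]
    candidates = [command] if has_ext else [command + ext for ext in pathext]
    for directory in dirs:
        listing = {name.lower(): name for name in fs.get(directory, ())}
        for candidate in candidates:
            if candidate.lower() in listing:
                return directory + "\\" + listing[candidate.lower()]
    return None


if __name__ == "__main__":
    cwd = r"C:\Temp"
    print("cmd.exe style, calc.exe ->", resolve("calc.exe", cwd, cwd_first=True))
    print("PATH-only style, calc.exe ->", resolve("calc.exe", cwd, cwd_first=False))
    print("bare 'start' (companion wins) ->", resolve("start", cwd, cwd_first=False))
    print("explicit 'start.exe' ->", resolve("start.exe", cwd, cwd_first=False))
```

The defensive lesson falls out of the model: typing the full path (or the full name with its extension) removes the ambiguity, and for the DLL case the loader's own search order, not the shell's, is what a program must not leave to chance.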

Stealth attack No. 5: Hosts file redirect

Unbeknownst to most of today's computer users is the existence of a
name-resolution file called Hosts. Located under
C:\Windows\System32\Drivers\Etc in Windows (and at /etc/hosts on Unix-like
systems), it contains lines that map host names to IP addresses. The file
predates DNS: before the distributed system existed, every machine resolved
names from a locally maintained table, and resolvers typically still consult
the file before sending a DNS query. For the most part DNS functions just
fine, and most people never interact with their Hosts file, though it's
there.

Hackers and malware love to write their own malicious entries to Hosts, so
that when someone types in a popular domain name -- say, bing.com -- they
are redirected to somewhere else more malicious. The malicious redirection
often contains a near-perfect copy of the original desired website, so that
the affected user is unaware of the switch.

This trick is still in wide use today. Writing to the file requires
administrator rights on a default Windows install, so its presence usually
means the attacker already had them.

Lesson: If you can't figure out why you're being maliciously redirected,
check out your Hosts file.
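Checking the Hosts file is easy to script. The parser below is an added example, not code from the original article: it reads hosts-file text, skips comments, and reports any line that points a watched domain somewhere other than loopback (a redirect to a look-alike site) or at a sinkhole address (the pattern malware uses to block security-vendor updates), plus any other non-loopback entry for a human to review. The file contents are constructed; 198.51.100.23 is a documentation address and example-av.com is a hypothetical vendor name.

```python
"""Flag suspicious Hosts file entries.
Added example, not from the original article. Sample content is constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Loopback and the unspecified address; 0.0.0.0 is the usual sinkhole target in
# blocklists and in malware that wants a domain to simply stop resolving.
LOCAL_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_number) for every mapping in the file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; a production tool would report it
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def _is_watched(name: str, watched: Iterable[str]) -> bool:
    return any(name == d or name.endswith("." + d) for d in watched)


def suspicious_entries(text: str, watched_domains: Iterable[str]) -> List[Dict[str, object]]:
    """Classify entries: 'redirect' or 'sinkhole' for watched domains,
    'review' for any other entry that does not point at the local machine."""
    watched = [d.lower() for d in watched_domains]
    findings = []
    for ip, name, line_no in parse_hosts(text):
        local = ip in LOCAL_TARGETS
        if _is_watched(name, watched):
            kind = "sinkhole" if local else "redirect"
        elif not local:
            kind = "review"
        else:
            continue  # ordinary loopback or blocklist line
        findings.append({"line": line_no, "host": name, "ip": ip, "kind": kind})
    return findings


# Constructed sample file.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net            # user's own blocklist entry
198.51.100.23   bing.com www.bing.com      # constructed malicious redirect
0.0.0.0         update.example-av.com      # constructed: starves a (hypothetical) AV of updates
10.0.0.5        intranet.corp.example      # constructed: legitimate, but worth a look
"""
WATCHED_DOMAINS = ["bing.com", "example-av.com", "microsoft.com"]

if __name__ == "__main__":
    for f in suspicious_entries(HOSTS_SAMPLE, WATCHED_DOMAINS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{f['kind']}]")
```

Feed it the real file (open(r"C:\Windows\System32\drivers\etc\hosts").read() on Windows) with the domains your users log in to, plus your security vendors' update hosts, as the watch list. An empty result is what a healthy machine looks like.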

Stealth attack No. 6: Waterhole attacks

Waterhole attacks received their name from their ingenious methodology. In
these attacks, hackers take advantage of the fact that their targeted
victims often meet or work at a particular physical or virtual location.
Then they "poison" that location to achieve malicious objectives.

For instance, most large companies have a local coffee shop, bar, or
restaurant that is popular with company employees. Attackers will create
fake WAPs in an attempt to get as many company credentials as possible. Or
the attackers will maliciously modify a frequently visited website to do
the same. Victims are often more relaxed and unsuspecting because the
targeted location is a public or social portal.

Waterhole attacks became big news this year when several high-profile tech
companies, including Apple, Facebook, and Microsoft, among others, were
compromised because of popular application development websites their
developers visited. The websites had been poisoned with malicious
JavaScript redirects that installed malware (sometimes zero days) on the
developers' computers. The compromised developer workstations were then
used to access the internal networks of the victim companies.

Lesson: Make sure your employees realize that popular "watering holes" are
common hacker targets.

Stealth attack No. 7: Bait and switch

One of the most interesting ongoing hacker techniques is called bait and
switch. Victims are told they are downloading or running one thing, and
temporarily they are, but it is then switched out with a malicious item.
Examples abound.

It is common for malware spreaders to buy advertising space on popular
websites. The websites, when confirming the order, are shown a nonmalicious
link or content. The website approves the advertisement and takes the
money. The bad guy then switches the link or content with something more
malicious. Often they will code the new malicious website to redirect
viewers back to the original link or content if viewed by someone from an
IP address belonging to the original approver. This complicates quick
detection and take-down.

The most interesting bait-and-switch attacks I've seen as of late involve
bad guys who create "free" content that can be downloaded and used by
anyone. (Think administrative console or a visitor counter for the bottom
of a Web page.) Often these free applets and elements carry a licensing
clause to the effect of "may be freely reused as long as the original link
remains." Unsuspecting users employ the content in good faith, leaving
the original link untouched. Usually the original link will contain nothing
but a graphics file emblem or something else trivial and small. Later,
after the bogus element has been included in thousands of websites, the
original malicious developer changes the harmless content for something
more malicious (like a harmful JavaScript redirect).

Lesson: Beware of any link to any content not under your direct control
because it can be switched out on a moment's notice without your consent.
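The practical counter to a switch you can't prevent is to notice it: record a hash of every third-party resource you embed and compare on each fetch. The script below is an added example, not code from the original article or from any real widget vendor. It uses the same hash format browsers accept in a Subresource Integrity integrity= attribute for script and stylesheet tags, so the pins it produces can go straight into the HTML; for other content, such as the image emblem the article mentions, SRI does not apply and the check has to run server-side, as here. The widget URL and both versions of its body are constructed.

```python
"""Pin third-party resources by hash and detect when they are swapped out.
Added example, not from the original article. URL and bodies are constructed.
"""
import base64
import hashlib
from typing import Dict, List, Tuple


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return '<algo>-<base64 digest>', the form used by SRI integrity attributes."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def make_pins(resources: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every resource body at the moment you reviewed and approved it."""
    return {url: sri_hash(body) for url, body in resources.items()}


def check_pins(pins: Dict[str, str], fetched: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare freshly fetched bodies against the pins.

    Returns (url, status) pairs where status is 'ok', 'changed' or 'missing'.
    'changed' is the bait-and-switch signal: the content behind a link you
    approved is no longer what you approved.
    """
    report = []
    for url, expected in pins.items():
        body = fetched.get(url)
        if body is None:
            status = "missing"
        elif sri_hash(body) == expected:
            status = "ok"
        else:
            status = "changed"
        report.append((url, status))
    return report


# Constructed stand-ins for the bytes an HTTP client would return.
COUNTER_URL = "https://widgets.example.invalid/counter.js"  # hypothetical
ORIGINAL = {COUNTER_URL: b"document.write('<img src=\"/counter.gif\">');\n"}
SWAPPED = {COUNTER_URL: b"window.location='https://evil.example.invalid/';\n"}

if __name__ == "__main__":
    pins = make_pins(ORIGINAL)
    print("integrity attribute:", pins[COUNTER_URL])
    for url, status in check_pins(pins, SWAPPED):
        print(f"{url}: {status}")
```

Schedule the fetch-and-check from a host that is not your web server: the IP-based cloaking described above means the attacker may serve the benign version to your own address range, so check from somewhere the attacker does not expect, and compare against the pin, not against what your server saw last time.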

Stealth fallout: Total loss of control

Hackers have been using stealth methods to hide their maliciousness since
the beginning days of malware. Heck, the first IBM-compatible PC virus,
Pakistani Brain, from 1986, redirected inquiring eyes to a copy of the
unmodified boot sector when viewed by disk editors.

When a hacker modifies your system in a stealthy way, it isn't your system
anymore -- it belongs to the hackers. The only defenses against stealth
attacks are the same defenses recommended for everything (good patching,
don't run untrusted executables, and so on), but it helps to know that if
you suspect you've been compromised, your initial forensic investigations
may be circumvented and fought against by the more innovative malware out
there. What you think is a clean system and what really is a clean system
may all be controlled by the wily hacker.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
