Network and Desktop Operating Systems Have Too Much Trust

Jason Soroko
Part 1 of 3 in the Series — Identity Context: Defense's Next Play

Part One: Network and Desktop Operating Systems Have Too Much Trust

At Black Hat 2012, John Flynn showed a slide with the text, “The kids these days, they’re hacking the system as a whole.” There is a wide assumption that hackers must somehow be breaking systems, when in fact they are simply using operating systems and networks as they were originally designed to be used.

 A solid example of the point Flynn was making: there is no patch for the Zeus virus.  

 Let that sink in for a moment. We are all accustomed to Microsoft’s ‘Patch Tuesday,’ but after all these years, Zeus and all its variants are still very useful tools for malicious people wanting to steal money from bank accounts. How can that be true?

 On desktop operating systems like Microsoft Windows, running processes are able to hook the memory of other processes. This provides legitimate functionality that we use on a daily basis without thinking too much about it. You might recall the last time that you updated some running software on the fly without having to reboot. That bit of convenience was likely due to the update process-hooking the memory of the running process and replacing it with the updated functionality.  

 Zeus hooks your browser’s running process and replaces it with a malicious form of your browser. This is what enables the bad guy to perform man-in-the-browser attacks. The process-hooking it performs is much the same as a legitimate process hook.

 How do you attempt to detect Zeus? Each infection of Zeus and its variants is polymorphic, which means that each binary file constituting the virus code is going to have a different checksum or, in other words, a different antivirus signature. You must search the binary itself, looking for patterns that are common to Zeus. But even that can be changed as to not easily be recognized.

 What else can be done? We can look for Zeus’s command and control communications. There are vendors that specialize in doing this, but determined hackers and criminal groups are increasing the sophistication of their C&C encryption and are even using Tor — an anonymous, low-latency network not accessible by standard browsers — to make it difficult to track the source of the control server.

All of the above adds up to a lot of security layers. I use Zeus only as a common example. Everything stated regarding the Zeus virus is analogous to just about every other malware in existence. I often demonstrate very standard key-logging malware, and the memory-hooking process is used every time. At the heart of most malicious software are similar process-hooking concepts.

 A Deep Malware Pipeline

Traditional endpoint security has made a lot of assumptions and focuses on them incessantly. Not all malware requires configuration settings, which can be detected. Not all malware requires binary files (which can be detected through whitelisting techniques) and don’t need a long time to persist before the bad guy reaches the target.

 Certainly, malware in the wild does these things and is sometimes detected, but what I am suggesting is that the technology pipeline of malicious actors is deeper than we’ve been led to believe. Not all malware announces itself in such obvious ways.

 ‘Pass the Hash’

We have just explored the idea that Zeus does not have a patch. Let’s now consider an attack known as ‘Pass the Hash.’ This is an example of a single sign-on (SSO) technology added to Windows around 20 years ago that is still exploitable in most corporate networks.  

 Every time you log in to a Windows-based PC, a cryptographic hash of your username and password is stored in a protected portion of memory on your PC. That hash is simply an alphanumeric representation of your username and password.

 What happens if someone is able to get that hash? It can be used to authenticate to computers on the network where the user has credentials. It’s a safe bet that your corporate domain administrators use this to remotely log in to computers for legitimate reasons. Mark Russinovich, now working for Microsoft, introduced a tool to perform this years ago and it can still be downloaded for free.  

 Infiltrating the Target: Lateral movement inside your network

Imagine, for a moment, if an HR employee had their computer compromised by social engineering and a malicious actor was able to steal the hashes from that corporate PC. Imagine also that the HR employee had recently called for help and had a domain administrator log in to that computer remotely. The domain administrator’s hash is now going to be on that HR user’s PC, and also in the hands of the malicious actor. That’s a nightmare scenario.

 If you are a CIO or CISO and you are responsible for defending a corporate network with Active Directory, I sincerely hope you have already discussed this scenario with your staff. There are ways to mitigate this attack, but if Microsoft’s 80-plus page suggestions guide is any indicator, it is going to be difficult and expensive. Microsoft has provided new functionality to help mitigate the attack, but it’s still not solved and may not be for an indefinite time period.

 Desktop OS and Underlying Weaknesses

If you look into the toolbox of any good penetration tester, they will have a long list of powerful tools at their disposal to take advantage of the way that desktop operating systems were engineered to function. Desktop operating systems, and the networks they connect to, were originally designed to be very trusting, making the assumption that firewalls were sufficient to keep malicious activity at bay.  

 Even after layering security tools, the underlying systems have weaknesses that can allow perpetrators to bypass those systems. Not only does the Zeus virus not have a patch, but other attacks also do not have a definitive fix that will appear on ‘patch Tuesday,’ in a IDS/IPS snort command, or in a virus definition.

 Mandiant has stated that it takes a quite long time — a median of 416 days — to find malware or the presence of an attack after first infection.[1] From an offensive standpoint, having a mastery of the desktop OS and its underlying network will yield a great deal of malicious opportunity. Unless the bad guy makes a mistake and you have sufficient staff and defensive tools to detect this error, bad guys hide in the legitimate white noise happening on your corporate environment.

 Part Two of this series will go in depth about the death of blacklisting.

[1] “M-Trends 2013: Attack the Security Gap,” Mandiant, March 28, 201.

Jason Soroko
Jason Soroko
Manager, Security Technologies

Soroko has spent 17 years in systems architecture and development roles in diverse industries with an emphasis on security. As the threat landscape becomes more advanced, the need for Entrust to understand evolving threats requires deep and dedicated thinking in security concepts. Soroko's thought-leadership in security is rooted in connecting the threat perspective to how systems work as a whole. He frequents security conferences and publishes on important security topics.

1 Comment

Add to the Conversation