Malware Is Today's Real Insider Threat - Exposing Callback Channels

Security Featured Article

April 21, 2009

As the Conficker worm has demonstrated, with an estimated 10 million systems infected, the problem of criminally motivated malware infiltration and computer compromise is highly pervasive. The billion-dollar cyber crime economy is relatively under-policed. As a result, cyber criminals have become very aggressive in pushing the malware technology envelope. The latest exploits render traditional security solutions ineffective as cyber criminals capitalize on newly discovered vulnerabilities and leverage mainstream applications such as the Web. These Web exploits provide access to the target system so that hackers can employ other malware to execute lucrative payloads. Often a covert callback channel is established between the compromised machine and a command and control (C&C) infrastructure to siphon data and resources without detection. It is this marriage of the Web exploit and the callback channel that poses one of today’s greatest “insider threats.” By understanding how cyber criminals employ this special blend of malware attacks, organizations can better detect and prevent infiltration and uncover hidden extraction channels.

 
Web Malware Exploits Our Dependence on the Internet
Malware is increasingly sophisticated and difficult to detect, even as cyber criminals move toward more mainstream applications such as the Web to establish a foothold within a target network. The predominance of browser-based computing and Web 2.0 has created a dependence on the Internet that cyber criminals simply cannot ignore. Web exploits have become the vector of choice for hackers since most companies must allow Internet access for business-critical communications. Fraudulent Web sites, bogus third-party ads, user-generated content sites and other social media destinations all contribute to the Web malware equation. In fact, Gartner estimated that by 2009, banner ad networks would be responsible for up to 30 percent of malware on users’ desktops, and the European Network & Information Security Agency estimates browser exploits account for 65 percent of all client-side public exploits.
 
Cyber criminals continually add new layers of deception, no longer relying upon social engineering tactics to execute their payloads. Previously, e-mail attachments or other threats would need user interaction to initiate a download. Today’s stealthy “drive-by” tactics require no such activation, and users are infected unwittingly, without any direct engagement. Hundreds of vulnerabilities exist that require no activation from users, who can become infected just through casual browsing. Some popular exploits include the DNSChanger Trojan, which can override ISP settings, rerouting traffic through rogue DNS servers and taking users to exploit sites; fake antivirus sites and other counterfeit software gimmicks that lure unsuspecting users; .gif files that appear harmless but in actuality house stolen data within images; and more.
 
Stealthy Malware Calls Home
Cyber criminals will often up the ante, combining exploits or vectors in order to extract the greatest payload. One of the most popular blended attacks today is the marriage of a Web exploit and the use of non-Web callback channels. Under common security policies, communications originating from within the enterprise network are allowed, as are the subsequent inbound responses. So, once malware has infected a machine, its outbound and subsequent inbound communications, whether generated by the user or the malware, are allowed through the network perimeter. Most organizations focus security efforts on intrusion detection for unauthorized inbound traffic, leaving the malware-generated, unauthorized outbound traffic unprotected and unsupervised.
 
The outbound callback from the initial infiltration establishes a relatively unrestricted channel for two-way communication between the compromised machine and the C&C infrastructure. Cyber criminals use the callback channel to get new instructions and malware payloads to siphon resources, steal data, and to open backdoors into the network. It may be more accurate to characterize the so-called “insider threat” as actually a problem of malware-infected PCs that initiate unauthorized callback channel communications over HTTP, SMTP, TFTP, and other commonly allowed protocols.
 
Defending against Web Malware and Eliminating the Callback Channel
To combat Web malware, organizations need tools that can flag suspicious traffic using signatures, anomaly detection and behavioral heuristics. They must also eliminate false positives with tools that examine or replay suspect network traffic in real-time to clearly identify malware, both known and zero-day. Identified malware should also be uniquely fingerprinted. Utilizing a blended defense comprising these components, organizations can protect against debilitating Web malware infiltrations.
 
Most organizations are ill-equipped to tackle malicious data theft stemming from the callback channel. Data leakage protection (DLP) solutions, which monitor primarily the e-mail channel; intrusion prevention systems (IPS), which focus on inbound traffic; and URL filtering products, which lack granularity, all fall short in adequately monitoring traffic over covert callback channels.
 
In order to effectively eliminate callback channels, organizations must examine outbound communications with a finely tuned eye. Security solutions should monitor where outbound communications are going to identify whether traffic is going to legitimate or bad destinations. Additionally, they must monitor the contents of outbound communications to determine whether they contain attack or botnet commands designed to infect other machines, contact a C&C server, execute a payload, etc. With this level of surveillance, organizations can identify covert channels and prevent targeted data theft.
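The two checks the article calls for, where outbound traffic is going and whether it behaves like a callback, can be scripted over firewall or proxy logs. The following is an added example, not code from the article or from FireEye; the log lines are constructed, and the allowlist, workstation roles and beaconing thresholds are illustrative assumptions.

```python
# Added example (not from the article): flag outbound flows that look like
# malware callback channels. Input is a constructed firewall-style log with
# "epoch_seconds src dst dport proto" per line. Allowlist, host roles and
# thresholds are illustrative assumptions.
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.9 80 tcp
1300 10.0.0.5 203.0.113.9 80 tcp
1600 10.0.0.5 203.0.113.9 80 tcp
1900 10.0.0.5 203.0.113.9 80 tcp
1005 10.0.0.7 198.51.100.20 69 udp
1010 10.0.0.8 192.0.2.30 443 tcp
1700 10.0.0.8 192.0.2.30 443 tcp
"""

KNOWN_GOOD = {"192.0.2.30"}               # assumed allowlist of business destinations
WORKSTATIONS = {"10.0.0.5", "10.0.0.7"}   # hosts with no business need for SMTP/TFTP egress
RISKY_PORTS = {25: "smtp", 69: "tftp"}
MIN_BEACONS, MAX_JITTER = 4, 0.1          # >=4 hits, interval stddev <=10% of mean


def parse_log(text):
    """Parse lines into (ts, src, dst, dport, proto); skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].isdigit() and parts[3].isdigit():
            ts, src, dst, port, proto = parts
            events.append((int(ts), src, dst, int(port), proto))
    return events


def find_callbacks(events):
    """Return sorted (src, dst, reason) findings from destination, protocol and cadence checks."""
    findings, flows = set(), defaultdict(list)
    for ts, src, dst, port, proto in events:
        flows[(src, dst)].append(ts)
        if dst not in KNOWN_GOOD:                        # where is it going?
            findings.add((src, dst, "unknown destination"))
        if src in WORKSTATIONS and port in RISKY_PORTS:  # should this host use that protocol?
            findings.add((src, dst, f"workstation {RISKY_PORTS[port]} egress"))
    for (src, dst), stamps in flows.items():             # does it phone home on a timer?
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= MIN_BEACONS and pstdev(gaps) <= MAX_JITTER * mean(gaps):
            findings.add((src, dst, "periodic beaconing"))
    return sorted(findings)
```

On the sample log the workstation talking to an unlisted host every 300 seconds is reported for both the destination and its regular cadence, while the host using only the allowlisted destination produces no finding.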
 
 
Ashar Aziz is CTO and Founder of FireEye. He holds over 20 patents in networking, network security, and datacenter virtualization. Previously, Ashar founded Terraspring, which was successfully acquired by Sun Microsystems in 2002, after which he became CTO of the company’s N1 program. Before Terraspring, Ashar was a distinguished engineer at Sun focused on networking and network security. Ashar is a leading authority on botnets and other rampant malware and often speaks at business and industry forums. Ashar holds an S.B. in Electrical Engineering & Computer Science from MIT and an M.S. in Computer Science from UC Berkeley, where he was a recipient of the UC Regents Fellowship.
 


Edited by Greg Galitzine
