March 16, 2012 Leave a comment
So what, Triumfant guy, exactly gets through my shields? You tell me I will be breached and you give me statistics, but I have AV, whitelisting, deep packet inspection, and every other acronym and buzzword in place. Oh yea, and I have “the cloud” (pause for tympani emphasis) providing me prevalence information and other cloud-based stuff.
Well, digitally signed malware gets past your protections. Not according to me, but according to several sources – Symantec, Kaspersky, AlienVault and BitDefender – cited in a March 15, 2012 PC World article “Digitally Signed Malware Is Increasingly Prevalent, Researchers Say”.
It is the blackhat version of “these are not the droids you are looking for”, using the certificates to get the malicious code waved through. Some of the first evidence of this technique was found in 2010 in the analysis of Stuxnet. The PC World article provides evidence that the technique is showing up with increasing frequency. The article tells in good detail how it works and what protections it can evade, including whitelisting.
This technique is illustrative of the ongoing battle between good and evil in IT security. Operating system advances in Windows 7 and other OS versions were thought to advance the security of systems, and the adversary then takes the very techniques used to make the systems more secure and subverts them to find new ways to deliver malicious code and evade protections. I have no interest in impugning the efficacy of prevention software and I have never said to turn off protection software. What I have said consistently is that attacks will get through your shields. Here is yet another example of how, and demonstrates that the adversary will always find a way to get through. No FUD here – I would point out that every vendor cited in this story is a protection software vendor.
This story also illustrates that there are no silver bullets in protection. Prospects often cite the use of whitelisting tools as their raison d’etre of why they do not need something like Triumfant, but here is a clear example of how such tools are being evaded. If you need more, there is a video from Shmoocon that shows multiple techniques for evading several whitelisting tools. Yet another silver bullet falls short. I am not singling out whitelisting – it is just the current “It” tool of IT security.
Lastly, it is illustrative of how the foundations of trust have become less…well…trustworthy. I have seen the validation process of a certificate authority up close, and let’s just say I am not shocked to know that malware writers can obtain certificates with false identities. With the RSA breach and other certificate authorities being hacked, the foundation of trust was already showing cracks. Now we see examples of how trust can be subverted using this technique.
So if this technique essentially waves malware through your shields, how are you going to detect the infiltration? That is where Triumfant fills the gap, detecting the zero day attacks and targeted attacks, including the advanced persistent threat, that infiltrate your endpoint machines and servers.
I once had a product manager from another company disdainfully tell me “when you find something that gets past my shields, you call me”. I am looking for his number as soon as I finish this post.