Technology Sectors
Tainted information: Poisoned document control
 |
| Derek Manky |
Attacking systems for sensitive information for the purpose of espionage or monetization is certainly not new. In fact, it's a predictable aspect of crime because in our modern cyber era, digital information flows with ease, as systems become further integrated. The new trend that we continue to observe involves the vehicles that are used for these attacks.
Documents are used frequently by governments, corporations and beyond. There are many forms of documents (PDF, DOC, XLS), with many readers to display and edit these documents. In the eyes of a cyber-criminal, where there is high traffic and data usage, there is an opportunity to attack.
Poisoned document attacks occur when a legitimate document file is altered to contain malicious byte sequences. When the reading software opens the document file, it comes across the unexpected information which subverts the process to the malicious code.
To successfully execute an attack, the attack must be tailored for the reading software. For example, an attack that works on Adobe Reader (PDF) might not work with a FoxIt Reader, and vice versa. Likewise, an attack that works on a specific version of a reader might not work on subsequent versions, since the vulnerability that the attack exploits may have been patched.
Poisoned document attacks have been around for a while. The key difference now is the growing number of techniques (vulnerabilities) that are available to an attacker to execute the poisoned code that lies in a document. Due to a number of hurdles that have been implemented by developers, a successful attack is harder to execute today than it was 10 years ago. For example, technologies such as MS Windows 7's implementation of data execution prevention (DEP) and address space layout randomization (ASLR) have been implemented to stop traditional attack techniques. As software is patched, new security holes must be discovered and exploited.
There are two problems here. First, patch management practices are not always up to par when they should be. Software patches that fix security issues should be patched immediately, since that closes the gap that would let an attacker through. Time and time again, we have observed old (patched) attacks that continue to be successful because of this problem -- the Conficker worm is a great example.
The second problem is that even though attacks today are harder to implement, the amount of resources available to an attacker are far greater than they were before. This means that though the challenge confronting the attacker is more complex, the net effort is less because an attacker may use a network of machines, tools and humans to help create and launch such an attack.
Typical poisoned document attacks today occur in two categories: blanketed and targeted attacks. Blanketed attacks have no specific target in mind, aiming to infect as many users as possible. This is usually done through a mass spam campaign, with a poisoned document attached. The more effective (and increasingly more popular) method is a targeted attack, which has one or more specific recipients in mind. These attacks are usually undertaken through a convincing-looking e-mail, which may detail events that the recipient would be familiar with. The result means the user is more likely to open the document, initiating the execution of the malicious code.
Once a poisoned document has been opened, the reading software begins executing malicious code that drops payload onto the machine. Today, the most common payloads are botnets and spy trojans. In these scenarios, a botnet agent will be installed first. Then, it reports to the attacker and downloads malware -- typically a remote administration tool (RAT). A RAT is actually a legitimate tool, in that it allows an administrator to access and service a machine remotely. Unfortunately, today, many of these tools are developed and used for malicious purposes. Such RATs allow attackers to download files, capture screenshots, enable live Webcam and audio feeds, etc. A well documented case of poisoned document attacks against governments using this process is Gh0stNet.
Moving forward, we will continue to see more targeted attacks using documents because document-based vulnerabilities are being uncovered on a regular basis. We’ll see more of these cases occur through social networks, since they are well suited for targeted document attacks.
To prepare for these attacks, we recommend proper patch and identity management. Consider alternate software and operating systems, when feasible. Be cautious about opening document files, even when they seem legitimate. Always remember a layered security solution -- with antivirus, intrusion prevention, Web filtering, anti-spam and application control -- is the best way to mitigate botnets, RATs, the poisoned documents themselves and the way they travel.
Derek Manky is the lead author of Fortinet's monthly Threat Landscape Report. He blogs and regularly writes on breaking security developments. He can be reached at: DManky@fortinet.com
