Last week, I discussed security-aware attacks that are capable of identifying and evading security solutions deployed on a system. One of the hallmarks of the new class of security-aware attacks is that they are specifically designed to bypass or avoid traditional security tools such as gateways and firewalls. In some cases, the design is so clever that that the security system never has a chance to stop the intrusion.
Security-aware attacks are frightening because they provide the intruder with precious time to deliver the exploit and get it operational. As we have seen recently in the retail space, once an undetected exploit is active, it can cause significant damage to the enterprise and its customers, both immediately and over the long term.
Cybercriminals use a variety of novel approaches to creating these security-aware attacks.
One that we felt was particularly compelling takes advantage of the sophisticated capabilities HTML5 offers to deliver an exploit to a target environment in pieces so the security network defense infrastructure never even sees it. The HTML 5 feature isn’t a vulnerability per se, but simply a feature that is exploitable by the cybercriminals.
Our R&D team recreated this attack to analyze its operation.
The attack starts with simple old-fashioned social engineering, by sending our target a standard email with a catchy invitation to open a link, which he did.
The link was opened in Chrome, which has a premium implementation of HTML5 to render content and execute dynamic web capabilities. In this scenario, there is no underlying vulnerability, but rather the power to use javascript to fetch multiple components of the exploit in pieces and re-build the executable in the browser. By building the executable in the browser, the executable is never seen by any network infrastructure.
To pull the pieces of the exploit in a manner that would not raise alarm if the pieces were analyzed by network infrastructure, the content was encoded into standard images and toolbars that the webpage would display. What was not apparent by looking at the images was that additional binary data was hidden in the image and could be extracted by an algorithmic process called steganography. Steganography works by using extremely small changes in the images data that are not perceivable by human observation, but can be extracted algorithmically.
HTML5 is comprised of HTML, CSS and Javascript. The javascript capabilities can access elements on the page and even create new elements. By accessing the images on the page and extracting a binary data using a steganography algorithm, the local code in the browser can recreate a malicious executable. The javascript can also create and modify HTML elements which allows it to post the new executable for “download” to the client. When the user downloads the file, it is being downloaded from the browser, not the internet.
The firewall never saw the exploit, nor did any other infrastructure such as sandbox appliances as the exploit itself never existed anywhere until it assembled itself inside the user’s computer.
How do you stop a malware like that? The answer is you need a security architecture that has endpoint and infrastructure collaborating to provide a comprehensive solution.
Stay Updated
Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.
