Earlier this week, I talked about malware threats. Today, we'll address a new trend. Turns out the perpetrators of targeted attacks are pragmatic, and are happy to borrow techniques that are even a decade old.
Trend #2 in M-Trends: An Evolving Threat is titled "Everything Old Is New Again," and talks about how we saw a real uptick in the use of web shells and miniport drivers for persistence in 2011. Our consultants remember seeing these same techniques used by organized crime groups ten years ago. So if these techniques are not cutting edge, why are we seeing their resurgence?
It helps to recall the early days of malicious backdoors. The first backdoors inbound connections to take control. As our defenses evolved and the ubiquitous use of firewalls made this method less effective, attackers used backdoors that beacon out for commands. We then disallowed any outbound connections except via proxy, and the malware started tunneling out through our HTTP proxies. Eventually, organizations got better at detecting outbound C2 traffic and blocking it. Rather than re-inventing the next phase, today's attackers just reverted to the tried & true web shells.
A web shell is a really simple concept -- It is a file (php, asp, etc.) that provides a simple dashboard for the attacker. It might have buttons for preset commands, or have a window that echoes a shell to the web page. When placed on a web server with the right kind of back-end connectivity, a web shell can give you direct command-line access into an enterprise. All of the control with none of the beacons. You can see why this is an interesting backup method of persistence. If a victim gets wise (and lucky) and can eliminate all of your existing active backdoors into their environment, you can just hit that web-facing server that they are kindly maintaining for you, and tunnel back in.
Using layered or intermediate NDIS miniport drivers are a twist on this method. The malicious layered driver will allow the compromised system to continue communication on a known good port, but then route traffic to resident malware upon receiving a particular traffic sequence. This makes network detection nearly impossible, as the traffic flows appears normal.A company we worked with in 2011 had this installed on their primary .com web servers. Tens of thousands of users hit their site every day, and never had any idea that their requests were passing through a filter just waiting to control a backdoor.
I have always emphasized network detection first and foremost, but these two methods have underscored for me the need for both a host-based and network-based detection method.