What Lies Beneath: Advanced Attacks that Hide in SSL Traffic
While SSL encryption improves privacy and integrity, it also creates a blind spot in corporate defenses. Today, roughly half of all Internet traffic is encrypted, and this figure is expected to reach 67% by 2016.
Attackers can exploit the SSL blind spot to sneak past security controls. Almost every network attack can be encrypted in HTTPS, FTPS, SMTPS and other SSL-enabled protocols. Therefore, cataloging every attack that can hide in encrypted traffic would result in a very long and boring blog.
Instead, we will look at how malware developers use encryption to evade detection and how their evasion techniques have become stealthier over time.
SSL for Command and Control Communications
The Zeus banking Trojan is one of many types of malware that incorporate encryption. Zeus is not new—it was first identified in 2007—but it continues to be one of the most prevalent and dangerous Trojans around, having compromised roughly 4 million PCs as of December 2014.[i]
Zeus has outlived other types of financial malware because it is difficult to detect and remove. Plus, the widespread availability of the Zeus attack toolkit has enabled countless criminal groups to develop variants that are even more sophisticated and sneaky.
As a case in point, the Gameover Zeus Trojan leverages encryption for both malware distribution and command and control (C&C) communications. For example, the Upatre downloader utility, which is often used to install Gameover, downloads the Gameover software over an SSL connection from a compromised web server. Once the Gameover software is installed, it uses peer-to-peer networks to communicate with C&C servers.
Because Gameover used 2048-bit encryption and continually changed domain names, law enforcement agencies struggled to contain the Gameover botnet, although they eventually shut it down in June 2014 as part of Operation Tovar.
Command & Control Gets Social
In an effort to avoid detection, new malware strains use social networks and web-based email for C&C communications. Security researchers have discovered malware that receives C&C commands from malicious Twitter accounts and comments on Pinterest.[ii] Like most social networks, Twitter and Pinterest encrypt all communications. Therefore, organizations should inspect SSL traffic to detect botnet activity. Otherwise, IT security analysts might observe client machines accessing Twitter or Pinterest sites and assume the traffic is harmless.
Malware Steals a Page from the General Petraeus Playbook
Demonstrating just how social malware has become, security researchers in Germany discovered a remote access Trojan (RAT) that receives C&C commands through online email accounts like Yahoo and Gmail.[iii] However, in an interesting twist, consultants at Shape Security discovered that at least one Icoscript strain receives C&C updates from Gmail draft messages. Much like disgraced General David Petraeus—who communicated with his mistress Paula Broadwell through Gmail draft messages—the malware attempted to evade detection by not quite sending emails.
Like most online email programs, Gmail and Yahoo Mail encrypt traffic. Malware developers use this encryption to their advantage to evade detection. To detect malicious activity, organizations should decrypt and inspect traffic to email sites. Otherwise, malware could be passing them by.
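The sketch below is an added example, not part of the original blog: it shows what the two sections above mean in practice, by contrasting the host-only view of constructed proxy records with a check that is only possible once traffic is decrypted and URL paths are visible. The hosts, paths, client addresses, thresholds and function names are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_sample():
    """Constructed decrypted-proxy records: (epoch seconds, client, host, path)."""
    recs = []
    # 10.0.0.5: a person browsing, different pages at irregular times.
    times = [0, 40, 95, 400, 410, 1300, 1310, 2500]
    paths = ["/home", "/alice", "/search", "/home", "/bob", "/home", "/alerts", "/alice"]
    recs += [(t, "10.0.0.5", "social.example", p) for t, p in zip(times, paths)]
    # 10.0.0.9: the same profile page about every 300 s, with small jitter.
    jitter = [0, 2, -1, 3, 0, -2, 1, 0]
    recs += [(i * 300 + j, "10.0.0.9", "social.example", "/acct_placeholder")
             for i, j in enumerate(jitter)]
    # 10.0.0.9 also re-reads a webmail drafts folder every 600 s.
    recs += [(i * 600 + 5, "10.0.0.9", "webmail.example", "/mail/drafts")
             for i in range(6)]
    return recs

def host_only_view(records):
    """What is visible without decryption: which client reached which host."""
    return sorted({(client, host) for _, client, host, _ in records})

def polling_candidates(records, watched_hosts, min_hits=6, max_cv=0.1):
    """Flag (client, host, path) fetched repeatedly at near-constant intervals."""
    seen = defaultdict(list)
    for ts, client, host, path in records:
        if host in watched_hosts:
            seen[(client, host, path)].append(ts)
    flagged = []
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a low value means machine-like timing.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.append((key, round(avg)))
    return sorted(flagged)

if __name__ == "__main__":
    sample = build_sample()
    print(host_only_view(sample))  # both clients simply "use" the social site
    for (client, host, path), period in polling_candidates(
            sample, {"social.example", "webmail.example"}):
        print(f"{client} polls {host}{path} about every {period}s")
```

A flagged entry is a lead for an analyst to review, not a verdict, since some legitimate clients also refresh a page on a timer.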
Learn about More Attacks that Hide in SSL Traffic
To find out about more dangers hidden in encrypted connections, register to attend the Webinar: “5 Threats Hiding in Your SSL Traffic” on October 21, 2015. During the webinar, we will discuss the cyber-attacks mentioned in this blog and other menacing threats that can hide in encrypted traffic.
[i] The State of Financial Trojans 2014, Symantec
[ii] Banking Trojan Targets South Korean Banks; Uses Pinterest as C&C Channel, Trend Micro
[iii] Stealth malware: botnet control via webmail, G Data