As you’ve no doubt heard by now, security researchers over the weekend uncovered a computer espionage network – dubbed Ghostnet – based in China that so far has affected nearly 1,300 computers in 100 countries spanning the globe. What’s particularly interesting or noteworthy about this apparent cyber-espionage incident is the low-level technology used to carry out the attack – this lack of innovation actually points the finger at amateur work rather than full-on cyber-espionage activity, which would likely involve much more sophisticated technology than what was used here. Rootkit technology that provides the ability to remotely control multiple compromised PCs through a management console, and not only to provide access to all files but also to monitor a PC’s camera and microphone, has been around since the 90’s (e.g. “Back Orifice” from “Cult of The Dead Cow”) and, more recently, this level of spy technology has even found its way to cell phones (2006) with “FlexiSpy.”
That aside, I applaud the efforts by the team that uncovered this rootkit and, though without raining on their parade, the good guys certainly got lucky with this one. The rootkit that was deployed was readily detected using standard tools. Had this been a “current generation” rootkit that embedded itself below the OS within a driver or at the kernel level and used a covert channel for communications, chances are they would have missed it…and it would still be operating.
Application control is the most effective rootkit prevention that has ever been available; simply put, the malicious applications that would install the rootkit would not be permitted to run – let alone the applications directly associated with an operational rootkit.
One other consideration – typically, malicious software like rootkits and back-door Trojans is deployed using targeted attacks that are enabled through the use of unpatched application vulnerabilities. An innocent-looking email – spoofed from an address the user generally trusts – with malicious, specially-crafted attachments like Excel spreadsheets, Word docs or PDF files continues to be a security concern. The bad guys are simply taking advantage of the many known vulnerabilities in these socially acceptable email attachments, which can allow them to execute arbitrary code because organizations fail to responsibly patch the respective applications and mitigate the vulnerabilities. Many organizations waste a great deal of time and effort trying to figure out the bad guys’ next delivery method with glorified, gold-plated gateway devices when, in reality, they could have fully mitigated their risk by simply using responsible patch management.
I read in one report:
“They say prevention against such attacks will be difficult since traditional defense against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tedious operational security procedures.”
Personally, I find this a poor and unacceptable excuse – governments should be setting the example for the enterprise. Clearly, they have not explored current generation application control and vulnerability management. Simply put, these technologies are fully transparent to the user, and the administrative burden has been significantly reduced, given that it is most often handled via an intuitive centralized management console.
Bottom line - had they been responsibly using vulnerability management and application control technologies, this incident would have been entirely preventable.
In closing – the most effective risk mitigation available today for malware such as rootkits or back-door Trojans can be found in application control. Simply put, if it is not a known, trusted and verified binary that was explicitly permitted by the organization’s policy, it cannot execute on the protected system. With that being said, responsible patch management is a layer that for many organizations has been too long overlooked. The bad guys know it and routinely take advantage of it – the vast majority of malware used in today’s exploits takes advantage of known but unpatched vulnerabilities, as noted in a recent Verizon study which cited that over 70% of web-borne malware had a vendor patch available for a year or more.
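To make the default-deny rule above concrete, here is a small added example (not code from the original post or from any product it alludes to) of a hash-based application control check: a policy allowlist holds the SHA-256 digests of explicitly permitted binaries, and any executable whose content does not match is denied and logged. The “binaries” are constructed byte strings standing in for files on disk, and the policy, labels and event format are assumptions for illustration. The check keys on content, not on file name or path, so a renamed copy of a trusted binary is still allowed while a tampered copy of the same binary is not.

```python
"""Added example: minimal hash-based application control (default deny).

An allowlist policy maps the SHA-256 digest of each explicitly permitted,
verified binary to a descriptive label. Execution of anything else is
denied and recorded as an event for the security operations team.
Sample inputs below are constructed stand-ins, not real executables.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class AllowlistPolicy:
    # hex SHA-256 digest -> label of the explicitly permitted binary
    permitted: dict = field(default_factory=dict)
    # audit trail of every decision; DENY entries are the detection signal
    events: list = field(default_factory=list)

    @staticmethod
    def digest_of(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def permit(self, content: bytes, label: str) -> str:
        """Register a known, verified binary by content hash; returns its digest."""
        digest = self.digest_of(content)
        self.permitted[digest] = label
        return digest

    def decision(self, path: str, content: bytes) -> tuple:
        """Default deny: ("ALLOW", label) only when the digest is on the
        allowlist, otherwise ("DENY", reason). The path is recorded for the
        audit log but never used for the decision itself."""
        digest = self.digest_of(content)
        label = self.permitted.get(digest)
        if label is None:
            verdict = ("DENY", f"unlisted binary sha256={digest}")
        else:
            verdict = ("ALLOW", label)
        # constructed event format (assumption): verdict, path, digest
        self.events.append({"verdict": verdict[0], "path": path, "sha256": digest})
        return verdict


# Constructed sample "binaries" (stand-ins for executable images on disk).
TRUSTED_EDITOR = b"MZ\x90\x00trusted-text-editor-build-1.2.3"
TRUSTED_EDITOR_TAMPERED = TRUSTED_EDITOR + b"\x00extra-payload"
UNKNOWN_DROPPER = b"MZ\x90\x00unlisted-installer"


def build_policy() -> AllowlistPolicy:
    """Policy permitting exactly one verified binary (assumed label)."""
    policy = AllowlistPolicy()
    policy.permit(TRUSTED_EDITOR, "text editor 1.2.3 (signed, verified)")
    return policy


def evaluate(policy: AllowlistPolicy, candidates: dict) -> dict:
    """Run the check over {path: content} and return {path: verdict}."""
    return {path: policy.decision(path, content) for path, content in candidates.items()}


def denied_paths(policy: AllowlistPolicy) -> list:
    """Paths that produced DENY events, i.e. what an analyst would review."""
    return [e["path"] for e in policy.events if e["verdict"] == "DENY"]


if __name__ == "__main__":
    policy = build_policy()
    results = evaluate(policy, {
        r"C:\Program Files\Editor\editor.exe": TRUSTED_EDITOR,
        r"C:\Users\u\Downloads\editor_renamed.exe": TRUSTED_EDITOR,  # same content, new name
        r"C:\Users\u\Downloads\editor.exe": TRUSTED_EDITOR_TAMPERED,  # modified content
        r"C:\Users\u\AppData\Local\Temp\setup.exe": UNKNOWN_DROPPER,
    })
    for path, (verdict, detail) in results.items():
        print(f"{verdict:5} {path}  ({detail})")
    print("for review:", denied_paths(policy))
```

Real application control products enforce this at execution time in the kernel and typically pair hashes with publisher signatures so that routine patching does not require re-hashing every binary; the point of the example is the rule itself: unknown content does not run, and every refusal is an event worth looking at.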