A few thousand years ago, the Greeks (according to the Greek mythology) built a trojan horse to enter and overtake the heavily fortified city of Troy. What anway to break into such a secure stronghold. 2000 years later, we still hear the name “Trojan” – however today we know it as a software program masquerading as a normal program… again a clever way to break into your computer.
Malware is a particularly insidious area of cyber security that constantly changes in the way that it infects and steals information from its victims. Whilst the nature of the attacks evolve over time, the intent is always the same – to steal information for the financial gain of the attacker.
At FraudWatch International, we specialise in malware analysis and removal and have created this blog series to share our experiences and provide insights into the type of cyber security concerns that affect our customers along with the broader community.
In this article, we discuss a recent attack that saw a multi-vector malware attack that used an uncommon transport mechanism to aid in the stealth of the attack.
Case Study – SQL Drop Zone Trojan
An analysis of malware recently detected by FraudWatch International uncovered a multi-part malware which was initiated by a client-based Trojan. The originating file was detected on a free Dropbox account which served as a common and innocuous distribution point for the attackers.
After decompiling the file, it was determined that the Trojan ran as a .NET 4.0 application and upon installation it modified a number of client-side processes to avoid detection. The attack profile was such that it logged keystrokes, captured screenshots and harvested guest system configuration settings. Each of these are commonly by FraudWatch International as a package which is used to not only collect information but contextualise the content for the attacker so that it can be re-orchestrated once they receive it.
Whilst the behaviour described above is common practice for a Trojan, it was the chosen method of transport that was unique in this case. The attack was designed to take the information and push it out of the infected machine through a standard Microsoft SQL Server port (Port 1433).
This method of transport is relatively invisible to a non-technical user and therefore hard to detect and very effective as a result.
As traditional anti-virus applications are solely focussed on preventing an infection, they are ineffective once the infection has occurred and the malware is operating. This is where intelligence sharing in combination with takedown services take over to neutralise the attack. In general terms, for any attack of this nature to work, each part of the malware “system” needs to be functional and available. Intelligence sharing throughout the security community helps to understand the behaviour of these attacks and the takedown activity disrupts the information flow and nullifies the effect of the malware.
The takedown strategy for attacks of this nature is to target the drop zone. The drop zone is usually programmatically configured into the Trojan and therefore if it doesn’t exist, there is little opportunity for the attacker to update the target on the remote machine and therefore the malware vector is disrupted and the attack is nullified.
A second and equally important reason to target the drop zone is to protect the information that may have already been harvested from infected machines. Without this information, the attacker has effectively wasted their time and energy for no return.
The outcome of this approach was positive not only for the affected individuals, but equally for the businesses innocently implicated in the attack. As businesses are able to identify compromised accounts, they can proactively minimise their risk and exposure by tracking fraudulent transactions and credentials for their customers. This type of active defense also reduces the attractiveness of targeting the brand and indirectly increases the typical costs of attacking the brand.
FraudWatch International specialises in online takedown services for Malware and Phishing content and have over 13 years’ experience in disrupting attacks of this nature. Our security teams work around the clock protecting global brands and their clients from imminent or actual attacks and we absolutely love taking these types of attacks offline. If you think your business or your customers could benefit from this level of protection, then get in touch with us and we would be happy to make a difference for you!