7 sneak attacks used by today's most devious hackers

Most malware is mundane, but these innovative techniques are exploiting systems and networks of even the savviest users

Millions of pieces of malware and thousands of malicious hacker gangs roam today's online world preying on easy dupes. Reusing the same tactics that have worked for years, if not decades, they do nothing new or interesting in exploiting our laziness, lapses in judgment, or plain idiocy.

But each year antimalware researchers come across a few techniques that raise eyebrows. Used by malware or hackers, these inspired techniques stretch the boundaries of malicious hacking. Think of them as innovations in deviance. Like anything innovative, many are a measure of simplicity.

[ Verse yourself in 14 dirty IT security consultant tricks, 9 popular IT security practices that just don't work, and 10 crazy security tricks that do. | Learn how to secure your systems with the Web Browser Deep Dive PDF special report and Security Central newsletter, both from InfoWorld. ]

Take the 1990s Microsoft Excel macro virus that silently, randomly replaced zeros with capital O's in spreadsheets, immediately transforming numbers into text labels with a value of zero -- changes that went, for the most part, undetected until well after backup systems contained nothing but bad data.

Today's most ingenious malware and hackers are just as stealthy and conniving. Here are some of the latest techniques of note that have piqued my interest as a security researcher and the lessons learned. Some stand on the shoulders of past malicious innovators, but all are very much in vogue today as ways to rip off even the savviest users.

The more nefarious hackers will ask their victims to create a new access account to use their WAP. These users will more than likely use a common log-on name or one of their email addresses, along with a password they use elsewhere. The WAP hacker can then try using the same log-on credentials on popular websites -- Facebook, Twitter, Amazon, iTunes, and so on -- and the victims will never know how it happened.

Lesson: You can't trust public wireless access points. Always protect confidential information sent over a wireless network. Consider using a VPN connection, which protects all your communications, and don't recycle passwords between public and private sites.

Answer: When a hacker steals our cookies, and by virtue of doing so, becomes us -- an increasingly frequent occurrence these days. Rather, they become authenticated to our websites as if they were us and had supplied a valid log-on name and password.

Sure, cookie theft has been around since the invention of the Web, but these days tools make the process as easy as click, click, click. Firesheep, for example, is a Firefox browser add-on that allows people to steal unprotected cookies from others. When used with a fake WAP or on a shared public network, cookie hijacking can be quite successful. Firesheep will show all the names and locations of the cookies it is finding, and with a simple click of the mouse, the hacker can take over the session (see the Codebutler blog for an example of how easy it is to use Firesheep).

Worse, hackers can now steal even SSL/TLS-protected cookies and sniff them out of thin air. In September 2011, an attack labeled "BEAST" by its creators proved that even SSL/TLS-protected cookies can be obtained. Further improvements and refinements this year, including the well-named CRIME, have made stealing and reusing encrypted cookies even easier.

With each released cookie attack, websites and application developers are told how to protect their users. Sometimes the answer is to use the latest crypto cipher; other times it is to disable some obscure feature that most people don't use. The key is that all Web developers must use secure development techniques to reduce cookie theft. If your website hasn't updated its encryption protection in a few years, you're probably at risk.

Lessons: Even encrypted cookies can be stolen. Connect to websites that utilize secure development techniques and the latest crypto. Your HTTPS websites should be using the latest crypto, including TLS Version 1.2.

Years ago, malware virus programs known as "twins," "spawners," or "companion viruses" relied on a little-known feature of Microsoft Windows/DOS, where even if you typed in the file name Start.exe, Windows would look for and, if found, execute Start.com instead. Companion viruses would look for all the .exe files on your hard drive, and create a virus with the same name as the EXE, but with the file extension .com. This has long since been fixed by Microsoft, but its discovery and exploitation by early hackers laid the groundwork for inventive ways to hide viruses that continue to evolve today.

Among the more sophisticated file-renaming tricks currently employed is the use of Unicode characters that affect the output of the file name users are presented. For example, the Unicode character (U+202E), called the Right to Left Override, can fool many systems into displaying a file actually named AnnaKournikovaNudeavi.exe as AnnaKournikovaNudexe.avi.

Lesson: Whenever possible, make sure you know the real, complete name of any file before executing it.

For example, suppose you wanted to run the built-in, harmless Windows calculator (calc.exe). It's easy enough (and often faster than using several mouse clicks) to open up a command prompt, type in calc.exe and hit Enter. But malware could create a malicious file called calc.exe and hide it in the current directory or your home folder; when you tried to execute calc.exe, it would run the bogus copy instead.

I loved this fault as a penetration tester. Often times, after I had broken into a computer and needed to elevate my privileges to Administrator, I would take an unpatched version of a known, previously vulnerable piece of software and place it in a temporary folder. Most of the time all I had to do was place a single vulnerable executable or DLL, while leaving the entire, previously installed patched program alone. I would type in the program executable's filename in my temporary folder, and Windows would load my vulnerable, Trojan executable from my temporary folder instead of the more recently patched version. I loved it -- I could exploit a fully patched system with a single bad file.

Linux, Unix, and BSD systems have had this problem fixed for more than a decade. Microsoft fixed the problem in 2006 with the releases of Windows Vista/2008, although the problem remains in legacy versions because of backward-compatibility issues. Microsoft has also been warning and teaching developers to use absolute (rather than relative) file/path names within their own programs for many years. Still, tens of thousands of legacy programs are vulnerable to location tricks. Hackers know this better than anyone.

Lesson: Use operating systems that enforce absolute directory and folder paths, and look for files in default system areas first.

Stealth attack No. 6: Waterhole attacksWaterhole attacks received their name from their ingenious methodology. In these attacks, hackers take advantage of the fact that their targeted victims often meet or work at a particular physical or virtual location. Then they "poison" that location to achieve malicious objectives.

For instance, most large companies have a local coffee shop, bar, or restaurant that is popular with company employees. Attackers will create fake WAPs in an attempt to get as many company credentials as possible. Or the attackers will maliciously modify a frequently visited website to do the same. Victims are often more relaxed and unsuspecting because the targeted location is a public or social portal.

Waterhole attacks became big news this year when several high-profile tech companies, including Apple, Facebook, and Microsoft, among others, were compromised because of popular application development websites their developers visited. The websites had been poisoned with malicious JavaScript redirects that installed malware (sometimes zero days) on the developers' computers. The compromised developer workstations were then used to access the internal networks of the victim companies.

Lesson: Make sure your employees realize that popular "watering holes" are common hacker targets.

Lesson: Beware of any link to any content not under your direct control because it can be switched out on a moment's notice without your consent.

Stealth fallout: Total loss of controlHackers have been using stealth methods to hide their maliciousness since the beginning days of malware. Heck, the first IBM-compatible PC virus, Pakistani Brain, from 1986, redirected inquiring eyes to a copy of the unmodified boot sector when viewed by disk editors.

When a hacker modifies your system in a stealthy way, it isn't your system anymore -- it belongs to the hackers. The only defenses against stealth attacks are the same defenses recommended for everything (good patching, don't run untrusted executables, and so on), but it helps to know that if you suspect you've been compromised, your initial forensic investigations may be circumvented and fought against by the more innovative malware out there. What you think is a clean system and what really is a clean system may all be controlled by the wily hacker.

Related articles

This story, "7 sneak attacks used by today's most devious hackers," was originally published at InfoWorld.com. Follow the latest developments in security at InfoWorld.com. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Read more about security in InfoWorld's Security Channel.

This story, "7 sneak attacks used by today's most devious hackers" was originally published by InfoWorld.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies