C&C infrastructure explained: Tilon malware lessons learned
Nick Lewis, Enterprise Threats searchsecurity.techtarget.com
If someone asks you to pick a card out of a pack and then locates your card, that is considered magic. As with all magic, though, the trick stops seeming magical once the audience realizes the card was up the magician's sleeve the entire time. The same holds true in programming: once you are aware of the concept of the magic number, a fixed constant written directly into source code rather than named or derived, you know what to look for. Carried into a network protocol, a fixed magic value at the start of every message makes the traffic predictable, and predictable traffic is easy for defenders to fingerprint, which works against the attacker.
In this case, the "magic" malware described by Seculert (actually an updated variant of malware that other vendors have dubbed Tilon, Asetus and Win32.Enchanim) communicates with its command-and-control (C&C) infrastructure over a custom protocol, which is where its name comes from. Established C&C communication protocols already exist that are reasonably strong and would have reduced development time, so building a custom protocol is an unusual and potentially high-risk choice on the part of the malware authors. It mirrors one of the classic security failures by programmers: assuming that any cryptographic algorithm they invent will be the strongest ever. Using well-established, openly reviewed cryptographic algorithms is almost always the better idea unless the programmer is a cryptography expert, and the same reasoning applies to protocol design.
In terms of potential enterprise defenses, decoding the magic malware's communications could require reverse engineering both the malware and its protocol, but reverse engineering is not necessary for detection. Seculert has released indicators of compromise, including a list of known IP addresses used by the malware. Those addresses could change quickly, but if network traffic flows to one of them, that alone is reason enough to investigate the endpoint for other indicators of compromise or malware.
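Putting both detection paths from the article into code, as an added example that is not part of the original article and is not Seculert's or any vendor's code: one pass over flow records flags destinations inside a published IOC IP list, and a second flags client payloads that begin with a fixed magic prefix, which is the fingerprint a custom protocol with a magic number hands to defenders. The IOC ranges, the log format, the sample flows and the MAGIC_PREFIX value are all constructed for illustration; they are not the real Tilon indicators or protocol bytes.

```python
"""Added example, not from the article or from Seculert: two cheap
network-side checks for a custom C&C protocol. Every IP, log line,
payload and the MAGIC_PREFIX constant is constructed for illustration
and is NOT a real Tilon/"magic" indicator."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed stand-in for a vendor-published IOC list. RFC 5737
# documentation ranges are used so nothing here names a real host.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.7/32")]

# Assumed magic value: a custom protocol that opens every message with
# the same constant bytes gives defenders a payload signature that
# survives the C&C servers changing IP address.
MAGIC_PREFIX = b"MAGI"  # hypothetical, not the real protocol header


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent


def parse_flow_line(line: str) -> Flow:
    """Parse one record in the assumed 'src=A dst=B dport=N payload=HEX' form."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]),
                bytes.fromhex(fields.get("payload", "")))


def ioc_hit(flow: Flow) -> bool:
    """Destination falls inside a published IOC range."""
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in net for net in IOC_NETWORKS)


def magic_hit(flow: Flow) -> bool:
    """Client payload starts with the protocol's fixed magic prefix."""
    return flow.payload.startswith(MAGIC_PREFIX)


def triage(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (source host, reasons) for every flow worth an endpoint look.

    An IOC hit alone is enough to investigate the endpoint; a magic hit
    with no IOC hit is how the same malware is caught after its servers
    have moved to addresses the published list does not yet contain."""
    findings = []
    for line in lines:
        flow = parse_flow_line(line)
        reasons = []
        if ioc_hit(flow):
            reasons.append("ioc_ip")
        if magic_hit(flow):
            reasons.append("magic_prefix")
        if reasons:
            findings.append((flow.src, reasons))
    return findings


# Constructed flow records (private sources, documentation-range destinations).
SAMPLE_FLOWS = [
    "src=10.0.0.5 dst=203.0.113.10 dport=443 payload=4d414749000102",  # listed C&C, magic header
    "src=10.0.0.6 dst=192.0.2.30 dport=443 payload=160301",            # ordinary TLS record start
    "src=10.0.0.7 dst=192.0.2.44 dport=8080 payload=4d4147490a",       # magic header, server not yet listed
    "src=10.0.0.8 dst=198.51.100.7 dport=80 payload=474554202f",       # listed C&C, plain "GET /"
]

if __name__ == "__main__":
    for src, reasons in triage(SAMPLE_FLOWS):
        print(f"investigate {src}: {', '.join(reasons)}")
```

The IP check only needs flow or proxy logs and should be refreshed whenever the vendor list changes; the magic-prefix check needs the first client bytes of each connection (packet capture or a proxy that logs request bodies), but it keeps working when the IP list goes stale, as the third sample flow shows.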