Wednesday, June 15, 2011

TrustDefender Labs - Torpig: Back to The Future

Executive Summary

We have seen many different examples how improvements in the security landscape have forced the bad guys to change tactics and achieve their results via different, potentially less useful, methods.

A prime example is the introduction of UAC in Windows 7 together with the default user not running as administrator. This poses a tricky question for malware developers: Do I ask for elevation (UAC) and risk that users get suspicious, or do I do whatever I can without administration privileges?

Well the answer has been given. We’ve analysed Zeus before and Zeus will not bring up the UAC and will only infect the currently logged in user.

In this TrustDefender Labs report we look at a new strain of the notorious Torpig Trojan that gained massive publicity in 2008 when it was distributed together with the Mebroot / MBR virus. In this report we look at a new variant that will do an impressive amount of things completely without administrator privileges.

On a positive note, the lack of privileges restricts the trojan’s ability to hide itself deep in the system and is much easier to detect and remove.


As Windows 7 and the practice of running non-admin becomes more standard, malware will most likely adapt in the three following ways:

  • Some malware will run without admin privileges. Although per-user malware is not as dangerous as privileged malware (e.g., it can't infest the kernel to install a rootkit or keylogger), it can easily acquire and exfiltrate any data on the system that the user has access to. This is already happening, as noted in SecureWork’s March 2010 report on Zeus & and the Torpig report above.
  • Other malware will utilize exploit local privileges escalation vulnerabilities in Windows 7 to bypass UAC and acquire administrative privilege itself. This can only happen after the malware is already on the system, so it will require the malware to exploit two or three different vulnerabilities, which is pretty rare at this point. This type of attack would work, even if the user is only a standard user. This is already been seen in a couple of cases. In 2008, F-Secure noticed a worm that was using a public escalation of privileges (EoP) vulnerability to gain admin rights on system and install a rootkit. In 2010, Stuxnet used a local privilege escalation zeroday vulnerability to get admin privileges on both Windows 7 / 2008.
  • Protected Admin Users of Windows 7 (i.e. those running as Admin under UAC) might even see some malware attempting to trick the user into self-elevating, thru the use of social engineering techniques. Once the user self-elevates using UAC, the malware will have full run of the kernel. Foreseeing this, Microsoft has implemented a "Secure Desktop" in UAC.

No comments:

Post a Comment