Don’t Let The Hunter Become The Hunted

Zuly Gonzalez’s work on protecting online research networks was featured at Techno Security Myrtle Beach 2018.

Zuly Gonzalez: Alright, so we’re going to go ahead and get started. Sorry about that – there were a couple of technical issues there, getting started. But good morning everybody, thank you for joining my talk. My name is Zuly Gonzalez and I’m going to talk to you today about malware and how that can impact your online investigations and research activities, and how you can protect yourself while you’re on the web.

So, we’ll just dip right into it. I was told to remind you guys in the beginning, if you’re using the mobile app, to use the feedback mechanism built into the app.

Just before we dive in, to give you a little background on myself: I am the cofounder and CEO of Light Point Security, and Light Point Security – we pioneered the concept of remote browser isolation, which is really a way to provide malware-free and anonymous web browsing. Prior to Light Point Security, I spent over a decade at the NSA. I started my career as an engineer protecting our information security systems from bad guys breaking in. And then I later transitioned to program manager, where I managed multimillion-dollar projects. I’d say one of the most rewarding things that I did while I was there at NSA was being the program manager for the counter-IED efforts, and it was really rewarding to see our efforts directly impacting the lives that we were able to save, of our combat men and women overseas.

Alright, so just to lay the groundwork here and go through a couple of basic topics, just to summarize – the focus of the talk, as I mentioned, is malware. Basically, malware is a fancy way of saying ‘malicious software’. Malicious software is really just any type of software that’s doing something on your computer that’s unwanted, something that you don’t want the software to be doing. Another commonly used term that’s less correct but used quite frequently is computer virus. And really, computer virus is a type of malware, but it’s not the broader category. Most cybercrime today has some sort of malware component, somewhere along the chain. A cybercriminal can use malware maybe not to get into your bank account specifically, but they’ll use the malware to grab your username and password, and then use that to get into your bank account and withdraw money.


As far as malware as a threat – really, it needs to be able to execute on your computer in order to really cause any harm. This is known as remote code execution, which really means – kind of the cybercriminal taking over your computer and running his malware on your computer. If you keep the malware from running on your computer, then the malware can’t harm you, it can’t hurt you. But if the malware does achieve that remote code execution, then basically, you have to consider that computer as fully compromised, it’s… think of it as the computer is now the bad guy’s, the hacker’s computer, and he’s basically just letting you use it. Or not, in the case of something like ransomware, where they’re preventing you from accessing your data.

85% of all malware is spread through web browsers, and that really takes into account things like malicious emails.

So, if you receive an email with a link in it, that malicious link is going to lead you to a website, so in that case, the malware is coming from the malicious website, not the email itself that you received. And the more and more that you learn about typical network defenses, the more you realize that, really, web browsers are really the ideal mechanism and way for malware to get in. We’ll talk in the coming slides more about that here.

So, why the web browser? There’re a few reasons why the web browser is really the preferred method to a network. The first one is pretty simple – basically, the web browser is the most commonly used business application today. So, it really gives the bad guys the incentive to go after that, since so many folks are using it all the time.

Second, almost every network you can think of out there has perimeter defenses that really keep the bad guys from just strolling on into the network. This means that an attacker can’t just – from the outside, can’t get into your perimeter and just start launching attacks directly on the computers on the inside. But the core design of how a web browser works – it’s really intended to go outside of your network, go grab that untrusted code, and then bring it back into the network and execute it within your network. This is really the most dangerous action that a computer program can perform.

Now, if the web browser were perfect, it’d be able to do that in a safe way. But it’s not, so that’s why we have these issues. It can’t do so in a perfect way, in a safe way.

This really brings us to the third reason there, of why browsers are such a common way to get into your network. And that is that web browsers are extremely complex, which makes them inherently dangerous to … inherently difficult to secure. Web browsers have hundreds of vulnerabilities and bugs and it really just takes one to bypass all of your network security and network defenses. People use web browsers all day long to bring that untrusted code that’s hosted externally into the network. And really, then, that means that the hackers, the cybercriminal’s challenge focus is figuring out ways to get you to land on malicious websites, where they can then leverage that browser and break into your network.

So, let’s talk a little bit about how exactly you can get malware from your web browser. There’s two ways to do that. One is through downloads, and one is through just the browser vulnerabilities.

Malware through a download is the simplest method for an attacker, but it’s also the most easily avoided by the victims. The hackers then use lots of tricks to try and disguise their malware as something that you really want to download, and voluntarily download and execute on your network. You have a few examples here to show that. In this example here, we have an attacker trying to trick the victim into downloading malware that’s disguised as a media player plugin or update. The bad guys are really good at convincing users to take action basically by trying to use strong emotional and psychological responses from the user.

In these examples here, we have two different ones, one claims that Chuck Norris died, and the other one is claiming that it’s a Katy Perry sex tape. So, if the victim clicks on that link there to try and download that update or that plugin, their … instead of being able to see that sex tape, they’re going to be really disappointed when they realize, “Oh, wait a minute, I just downloaded some malware.” And speaking to that emotional, psychological response that the bad guys are really great at leveraging, they’re always watching for big international, big national news, things like, for example, the Olympics, or like the big, massive hurricanes that we had last year. And then, really trying to create malware campaigns around those events. Because people are … that’s something that people are out there searching for, looking for that type of information. So it’s a big draw for them, to pay attention to the news and see what’s going on.

This example here is a scareware example. Here, the attacker is attempting to trick the victim into downloading malware by claiming that the victim already has malware and they’re being nice enough to try to help you clean it up. This one’s also interesting because if, for some reason, the cybercriminal fails at getting the user to download the malware by clicking on that button there to download, they have a fallback mechanism – basically, they provide the victim with a support number there, so that the victim can call, and their super-helpful support staff will walk the victim through how to download the malware step by step.

This is another scareware example, but in this case here, the attacker makes it look like it’s the Firefox browser that’s detected malware, detected something on the system. And of course, obviously, Firefox doesn’t do that – that’s not something that Firefox does. But they’re going to make it look that way, and then try to encourage the user to download the malware by clicking on that ‘Start Protection’ button there.

This is a phishing email example. In this case here, the attacker is trying to convince the CFO to think that this is a legitimate email coming from the CEO, asking to do a wire transfer. And the wiring instructions that come with this can easily be an attached document that, if opened by the CFO, then installs malware on the computer.

Then, looking back to what we were talking about, in terms of how malware is introduced to your network – the second method of getting malware into your network is through an exploit of a vulnerability in your browser that’ll install malware in a way that requires no user interaction or knowledge or permission at all. It just happens silently in the background. It takes a more sophisticated attacker to get away with this, but if they can pull it off, it can be pretty devastating. All the attacker has to do is basically lure anybody to their own malicious website that they’ve developed, and then, simply landing on that web page is enough to infect the computer. No download or interaction, again, is needed by the user in this case.

Here, this graph is just showing a number of the discovered vulnerabilities that allow remote code execution in the main four browsers here, and this is from last year. These are just the ones that the good guys found and reported, but when you think about it, there’s really many more out there that only the bad guys know about and they’re leveraging, and they’re just out there. Or countless others that are out there and nobody knows about yet and it’s just a matter of who’s going to find it first – is it going to be the good guys or is it going to be the bad guys? And trying to stay protected from those vulnerabilities.

Now that we know how we get browser-based malware, it’d be good to talk about the effects that that malware can have once it actually gets a foothold on to your network. The keylogger, that’s one of the oldest types of malware. A keylogger will just silently sit on your computer and log all the keystrokes that are pressed on that keyboard. And then send that information back to the cybercriminal. This type of malware is really easy – it’s extremely easy to write and can have a pretty nice payoff for the attacker. Even if they don’t get into your bank account, or in terms of getting their credentials for your bank account, they might still be able to, for example, get your email credentials, get your email password. And that may be enough for them to then be able to reset your bank account password or any other type of login password and login account, and then use that as a way in.

Using something like two-factor authentication will defeat a lot of this password stealing stuff that’s out there. But if you’ve got a keylogger on your computer, the keylogger is still there, it’s still able to record all of these keystrokes. So maybe they don’t get into your bank account, but again, they can see all the keystrokes. So, writing emails, for example, they’ll be able to see that, and depending on what you’re doing, that could be pretty bad. It could be very damaging, it could be embarrassing, who knows? So, it’s still a matter of that information getting out in some way.

Ransomware is kind of the malware, the type of malware that’s been getting all the press lately, these past few years. Ransomware will encrypt all the files on your computer, you guys know, and then demand that you pay a ransom in order for them to unencrypt all the files. It’s really a pretty big business right now, ransomware is. Because it’s extremely attractive for the attackers. Victims are sending them hundreds and thousands of dollars, and it’s very scalable, because a single attacker can pretty much infect millions of users and be getting payments from millions of users, all at the same time. If we look at some of the statistics from the Justice Department, for examples, they say that there are about 4,000 malware attacks every day, and that it’s the fastest growing type of malware out there.

Since not everybody that’s infected with ransomware is making that public and letting the world know that they were infected, it’s really impossible to put an exact number on the damages that have resulted from ransomware. But it’s estimated to be over five billion dollars, and that was back in 2017. And that’s up from one billion in 2016. So, that amount doesn’t take into account only the ransom payments. It’s taking into account other things, other costs like cleaning up after the malware, remediation, other types of costs like downtime.

Ransomware is a lot more complicated to create and develop than something like a keylogger. But now there’s something called ransomware as a service, which really makes ransomware accessible to just about anybody – you don’t need skills to get into the game now, if you will. For less than $200, even a 16-year-old kid with no knowledge, no experience, can buy a ransomware kit on the dark web and start infecting victims. The good news is that – although ransomware has become more easily accessible to folks, it also means that the average quality of ransomware has decreased, and then that’s allowed a lot of security companies to now be able to create and distribute free decryptors that they can pass along to the victims so that they don’t have to pay the ransom in order to get their files back.

If you are infected with ransomware, the best way to recover as quickly as possible is to make sure that you have backups, have all your important files backed up. The important thing to know or keep in mind is that your backups have to be located somewhere where that ransomware can’t access it, because obviously, if they access it, then they’re going to encrypt your backup and your backups are then useless at that point.

Another big moneymaking type of malware is banking malware. Banking malware is more sophisticated than a keylogger. It’s more focused than a keylogger. Instead of just catching everything that’s going on, all the keystrokes that are on your computer, it’s sitting there and attaching itself to your computer’s browser and really waiting to see that you’re going to be logging into a bank account. Once it detects that the user’s trying to log into a bank account, it’s going to silently grab a copy of your credentials and then send that back to the malware author. More sophisticated banking malware can even do this in a way that beats two-factor authentication. So, it can be pretty devastating. And obviously, the end goal there is to grab that information so that it can get into your bank accounts and drain your bank account.

Banking malware can be more attractive to attackers than ransomware for a couple of reasons. One is that it’s not up to the victim to pay – if they get into your bank account, they can take your money. They don’t need to ask you for a payment. And the second is that if they’re in your bank account, they can potentially get a lot more money from one single victim than that one victim would be willing to pay in a ransom to get their files back. This chart here shows some of the common ones that are … common exploits for banking malware. And Zeus is one of the most common and successful ones. And just between 2007 and 2010, it stole over $100 million. Dridex is another example, and that one made over $40 million, just in 2015 alone.

Audience member: Can you speak briefly – [how it can defeat] two-factor?

Zuly: Yeah, so – sure. Because they’re tying into your webpage there, so basically, kind of the flow, if you look at it, it would be – they’re on your computer, they see that the user’s trying to log into a banking website.

They’ve created their own banking website, malicious site, that looks exactly like the original. They give you that malicious website. You type in your credentials, they then take that information and redirect it to the original banking site. The original banking site either logs you in or, in case we have two-factor authentication, sends that text message to the user’s phone. The user gets their code, they type that code into the – the website sees that, the malicious website sees that, presents the user with a “Hey, type in your code,” then the user gets the code on their phone, types the code into that malicious website. That malicious website redirects to the original, which logs them in, and they’ve got all the information there that they need. So, it’s because they’re kind of a man in the middle there, they can see that information.

Another example here – this is a common one, is zombies – botnet zombie. Really, this is where an infection takes over and then makes your computer part of a botnet. A botnet is really just a collection of computers spread across the world, all connected through the internet, being controlled by the botmaster. Most of the time, the bot army is just laying dormant, not doing much of anything. But at any given time, the botmaster can call upon its army of computers and ask that it do all kinds of stuff, like launch DDOS attacks. I’d say probably most of you guys are probably familiar with botnets being used for DDOS attacks. But they’re not limited to just that. They can do all kinds of other stuff, for example, they can be used as a covert channel to store and distribute illegal content, even going as far as doing things like using your computer to store child pornography and things like that. So, it can be pretty bad.

This one’s interesting too – crypto-mining malware, it’s one of the newest threats. And it’s kind of interesting because it shows just how creative these bad guys, the cyber criminals are when it comes to monetizing their efforts. Crypto-miners don’t actually steal your money or steal credential information or anything like that. Instead, they’re just kind of sitting silently on your computer and consuming your system’s processing power to mine crypto-currencies like bitcoin, for example. And that can sound kind of lame, pretty lame, but surprisingly, it’s making them a lot of money, making them millions of dollars. The harm from the victim’s perspective really comes mostly in the fact that your computer gets really sluggish and slow because all the processing power is being used by the malware, and it’ll cause your electric bill to go up and things like that.

This one’s also interesting for another reason as well – not only does it work like the standard malware that we’ve been talking about, where it infects the victim’s computer, but it can do its work without actually infecting the victim’s computer and actually executing malware on that computer. The crypto-mining can be done entirely in JavaScript. And that means that it doesn’t – as I mentioned – it doesn’t really need to infect the victim’s computer. It can do this really in the background, as long as the victim is on a webpage that the criminal has control over. Once that victim closes the browser or moves away from that page, then that’s all over with though. So, it’s not as persistent as traditional malware, but it can still be done while that victim’s on that webpage. So, the goal then becomes for the attacker to try to develop sites that will keep people on those sites for longer periods of time – maybe some of those really addictive games and things like that, that people are just doing for hours.

So far, we’ve kind of discussed pretty common malware that’s really untargeted and is designed to attack the broadest group possible without really directing that malware towards a specific individual or a specific group.

But then, when we start talking about more the targeted malware, we get into a whole different category of threats. These threats are more likely to target intellectual property or your sensitive or confidential information, rather than just trying to get into your bank account. And the malware is usually less automated in these cases. Really what happens is this type of malware allows the author to get into your computer, get into your system, and kind of browse around and check around and see what’s going on on your computer, look around and see whatever it is that he’s looking for, and find it. This is usually the type of malware that very sophisticated attackers use, something like nation states, for example.

When you talk about nation state, they’re looking for things like finding top secret military information and things like that. But an average attacker can use malware to target specifically whoever it is that maybe has gotten on their bad side. And so, we look at the folks in this room here for you guys – imagine if the criminals that you’re investigating basically turned the tables on you and now they’re inside of your network and accessing all of your information, everything that you’ve gathered on them during the course of your investigation, during the course of your case, they’ve got access to all of that, maybe even getting their hands on a source or an information, name of a source or informant or something like that.

Obviously, that would be pretty dangerous and could have some serious repercussions. Not only will they have access to all the information that’s on that computer, but once in your computer, they can also start hopping around, going from computer to computer on your network, and find whatever it is that they’re looking for. If they’re looking for something specific they can just go around till they find what they’re looking for.

Once an attacker’s inside of your system, not only can they steal that sensitive information and documents that we’re talking about, but they can also do things, as you guys know, like turn on your microphone and webcam.

Now, obviously, besides that just being creepy and ugh, it can have some pretty devastating effects for law enforcement as well. Imagine if these criminals that you’re investigating are recording everything that’s being done and said in your office. They can even see your face and listen to all the phone calls that you’re making from your desk.

Okay, so – done with all the scary talk of malware. Let’s shift gears now to talk a little bit more about how you can protect yourself from all these different online threats that we’ve just talked about.

When we think of online malware protection, the first and obvious one that most people think about is the antivirus software. And that’s actually really interesting. As soon as I said that – you guys can’t see it here, but a little pop up came up that says something about antivirus software.

Zuly: Perfect timing. [laughs]

So, there’s really a ton of different antivirus products out there, but they all basically work the same way. They scan your computer for files that match signatures of known malware. And up until about a decade ago, antivirus did a pretty good job of providing protection. The antivirus vendors were able to, mostly, keep up and find and develop signatures for new malware as fast as the malware was being created and developed. And some did slip through the cracks, but for the most part it was pretty good.

I know it’s probably really hard to see here, but in this graph, if you can – probably [around that point there], where it starts going up, that’s 2007, and that’s when things really started to drastically change and shift. Suddenly, malware creation started accelerating, and it’s slowly at first but then faster and faster each year. And then, by 2013 there, it completely went beyond the ability of antivirus software, antivirus vendors to keep up. And just to give you a little perspective there on the scale, there were over 120 million new malware variants that were created in 2017. That’s over 300,000 per day, about four different variants that were created every second in that year. With malware [authors] now having that ability to create so much new malware, it really makes it really hard for the malware vendors to keep up.

Another common defense is secure web gateways, which are commonly referred to as web proxies. The goal of the products here with web proxies is to keep users away from websites that might be dangerous, might be considered dangerous. This approach has numerous problems to be aware of, especially for the kind of folks here in this room that are doing a lot of research and investigations online, and going to just a lot of unknown websites. The first is that the only real protection that proxies can provide is to block access to a known bad website, known malicious site. Similar to antivirus, if it doesn’t know about a newly created malicious site, it can’t block that site, can’t block you from accessing that site.

And because of this, a lot of organizations now resort to not just blocking known malicious sites but blocking unknown sites, which is basically a site that is not known whether it’s safe or not. And then, that’s where that leads to problems for folks that are doing a lot of research and investigations online, because you’re probably going to come across a lot of websites that you need to access to do your research, but aren’t able to because it’s an unknown site and it’s being blocked.

Something else to consider again, especially targeting towards the audience here, is that sometimes you do need to access a known malicious site for whatever reason, as part of your investigation, but if you override that proxy to then allow you to access that site, that proxy can’t provide any protection at all for that malicious site. So once you’re on the site, you could be easily compromised, because there’s no additional security there.

The third thing to keep in mind is that at any given time, most of the sites that are spreading malware aren’t sites that are designed to be malicious, but pretty legitimate, trusted sites that have been either hacked or have been tricked into showing malicious ads. This can happen not just with smaller hobby sites, but also large, legitimate, big sites. So, things like Yahoo!, MSN, YouTube can have this problem, where they’re now spreading malware. So, even blocking access to everything except those most trusted sites still leaves you kind of exposed on the internet.

Antivirus and proxies are really the two most common products and methods used for defending against web-based malware, but they have a lot of shortcomings, but at least they provide some level of protection. These next couple I wanted to talk about really, really briefly, because they don’t provide any protection at all from web-based malware, though a lot of people mistakenly think that they do. And they do a great job, these solutions do a great job at what they were designed to do. But malware protection is just not one of those things that they were actually designed to do.

The first is Tor browser, which I’m guessing some of you in this room probably use. It’s used commonly in research environments, and again, it’s great at protecting your identity online, in keeping websites from knowing that it’s you that’s accessing those sites. But it’s not designed for malware protection, so it really can’t provide any malware protection to the user when you’re using it, so you have to use it with caution.

The same thing applies to the browser’s incognito or private browsing mode. It may cover your tracks so that your browsing history and your logs aren’t exposed, but again, no malware protection.

And although – unrelated to malware protection, something else that I wanted to mention really quickly is that a lot of folks also mistakenly think that the incognito mode makes you anonymous online, but that’s not true. It really doesn’t. All it’s doing is really preventing the browser from saving your cookies and cache browsing history, so that someone that accesses your system can’t see your browsing history. But it doesn’t do anything to prevent websites that you’re accessing from seeing your IP address or any other identifying information about you. So again, something to use for its purpose, but used with caution, and make sure you have other security layers to provide the malware protection when you’re using these solutions.

Finally, to wrap up, I wanted to close the talk with some of the newer and more effective methods of protecting you from web-based malware. The first is a virtual machine – you can create a virtual machine on your computer and then do all of your browsing within that virtual machine, so that it’s happening in that virtual machine instead of directly on your computer. But one thing to do is – to be sure that you’re not getting malware all the time and that from session to session things are getting polluted, if you will, is that you have to regularly reset that virtual machine to a known safe snapshot, so that each time you’re getting a clean image and there’s no kind of tampering from the previous session.

Virtual machine is a pretty solid method for preventing malware and protecting yourself, but it’s got a couple of drawbacks to keep in mind. First, it’s a little tedious for the average user, so it’s not something that every user’s going to want to do. And starting up a virtual machine and resetting it to that known safe snapshot could take several minutes. So, again, most of us are a little impatient and just … not a huge drawback, but something to keep in mind.

Also, virtual machines, probably the biggest one is they take up a lot of resources on your computer. So, it could slow down your whole system when you’re using it. Other applications outside of that virtual machine may feel sluggish, just beyond the browser itself.

Lastly, it is possible for malware to escape that VM by basically launching very specialized attacks on that virtualization software, or it could just start launching network-based attacks and try to attack other computers on that network that’s connected to the computer you’re using.

Another method that we see that’s, again, effective is the use of Chromebooks. If you’re not familiar with Chromebooks, it’s just a pretty inexpensive laptop and it allows you to pretty much … web browsing. Because it’s extremely limited in its functionality – it’s not installing software, it’s not modifying the core OS, it’s very hard for malware to infect the system in a way that’s lasting and permanent. Chromebooks do a pretty good job of defending against malware. Really, the biggest malware threat that comes with using a Chromebook is from a malicious extension that you download from the Chrome Store. But those are a lot easier to know and see and avoid, as compared to a malicious site or a drive-by download.

The biggest downside to this method is the cost and the user experience. Chromebooks are inexpensive laptops, but they’re still a few hundred dollars each. So, if you’re going to have an organization where you’re going to be protecting several thousand or several dozens of users or something like that, it could cost over $10,000 to implement. And then the user needs to be trained and remember that when they’re doing this type of browsing, they need to go to their Chromebook and do that browsing, and then use their normal workstation for everything else other than browsing, their normal day-to-day job.

Finally, the last approach is remote browser isolation. Obviously, I’m a little biased here, because that’s the technology that our company pioneered. But hopefully, you guys can also kind of see the benefit that it provides and how it can potentially eradicate this web-based malware problem.

Just having curiosity – has anybody heard of browser isolation in the room?

Audience member: [inaudible]

Zuly: Okay. So, a couple … browser isolation, but not remote. Okay.

The concept’s really very similar to using the virtual machine approach that I talked about earlier, but without those downsides – so instead of running the browser in that heavy VM that’s running on your desktop in your network, the browser is moved out of your network and completely running in the cloud.

That lets the user access any website that they want without any of that website content that’s where the malware is and where it’s coming from, reaching your network. And this can be done right inside of your normal browser, right on your workstation, so it doesn’t have those high hardware costs and usability issues that like a Chromebook would have.

There’re some additional benefits to using this type of technology, beyond the malware protection itself. For example, you can define things like browser policies that prevent users from just being able to download any software, any piece of software, and restrict it based on the type of file and where that file is being downloaded from. So, you can put some restrictions there. This is also nice because a lot of those social engineering examples that we talked about are trying to trick users into downloading malware would be stopped, because even if the user gets tricked into trying to download it, this will then put a stop to that attack. Lastly, I’d say probably another nice thing is that it adds a pretty powerful layer of anonymity on top of your web browsing.

So, hopefully, for you guys, the main takeaway from the talk is that yes, web-based malware is a huge problem and something to be aware of, but there are some new technologies out there that can help you stay protected as you’re doing your online research and investigation, something more than just your traditional approaches.

Thank you for your time. Again, I hope you guys learned something. I’m happy to take any questions.

Any questions? No? Okay, well, thank you, guys, and again, don’t forget to use the mobile app, if you’re using it, and rate the session. Thank you.

End of Transcript


Zuly Gonzalez has over 18 years of experience in cybersecurity and national security as both a practitioner and manager. She is the Co-founder and CEO of Browser Isolation pioneer, Light Point Security. The company’s product protects organizations from all web-based malware and provides anonymous browsing for online researchers by moving and isolating a user’s web browsing activity to a remote virtual environment. Prior to founding Light Point Security, Zuly spent over a decade serving the nation as a cybersecurity leader at the National Security Agency (NSA).
