February 25, 2013

Proxy is transparent for malware

In this post I would like to break a myth for the people that know how to protect, but don't know how to attack. Proxy can be a good solution for performance, but not necessarily for security.

Proxy is good
  1. If a malicious user connects a computer to the network, then he might be limited in case the proxy requires authentication and protects against replay authentication attacks. 
  2. It is good for basic content filtering. 

Proxy is not enough
I would like to split the explanation to two scenarios - The first uses the framework's commands, while the second have direct access to windows API using non-frameworked language, e.g. C++.
First scenario:
  1. In this scenario, the malware is based on Java/.NET. Therefore, It can access the methods of the frameworks in order to gain the proxy settings of Internet Explorer. e.g. in .NET, a malicious user is able to create WebClient that sends a request. Anyway, proxy settings are reflected from WebRequest.GetSystemProxy() method.
  2. The framework runs the code and calls the WinAPI in order to the the proxy settings. Note: this is invisible for the malware developer (black box).
  3. WinAPI returns the proxy settings.
  4. The framework returns the settings to the malware.
  5. The malware access to the proxy server as authorized user with the information that should be sent to the C&C. Since the malware have the IE settings, it uses the credentials to authenticate to the server exactly as IE does. Note: in order to reduce blocking by content filtering, the communication should be established over SSL.
  6. The C&C gets the information from the proxy server and responses. The Malware will be able to receive the response
Second scenario:

  1. The malware creates WinAPI calls in order to get proxy configurations, e.g. WinHttpGetIEProxyConfigForCurrentUser (with few adjustments).
  2. The WinAPI updates the pointer that includes the proxy configurations.
  3. Exactly as step 5 in scenario 1 above.
  4. As step 6  in scenario 1 above.

  1. Antivirus does not recognize the Malware, e.g. by using thread timeouts, packers and all other cool stuff.
  2. Windows 8 does not allow to open network connections, unless it accepted in the UAC. Hence, an exploit or other way to gain higher privileges is required. 
  3. New JREs require re-authentication when accessing the internet.  

Acceptable solution
I don't think that the solution is unique, however, I would recommend to take into account the following actions:
  1. Install a sandbox solution that restricts access to proxy settings.
  2. Educate users to not allow unknown connections - java re-authentication request or windows UAC. (Sure... security awareness is only part of the solution...)
  3. All other action items to prevent malware infection.