
If you’ve been using the internet for decades rather than years – since last century, say – then you’ll remember that quick-and-easy file sharing has gone through several stages.
First came public FTP servers, which allowed anyone with an FTP (file transfer protocol) client to upload files to a public directory from where they could later be downloaded by anyone else who knew the server’s name or IP number, and the name of the file to retrieve.
Most FTP servers had private areas for official users, which required a username and password, but many provided free access using anonymous FTP, usually implemented simply by creating the catch-all username anonymous and allowing any old password to be used.
Polite convention was to use your own email address as your “password,” so that the sysadmin of the server – often a community-friendly department at a university with a decent internet connection – could keep track of how popular their service was, and perhaps even contact you to say, “Hi.”
To be clear, those were simpler times, not least because many users voluntarily left their real email addresses.
They expected and accepted that those addresses, even though entered into a password field, would be saved in plaintext in log files where the sysadmins at the other end could read them out later.
Never write passwords to log files, or store them in plaintext, because you simply don’t need to. Store them in what’s known as salted-and-hashed form instead, where the hash can be used to verify a password next time it’s provided, but can’t easily be wrangled backwards to extract the password, even if the hash database gets stolen in a breach.
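To make that concrete, here is what salted-and-hashed password storage looks like in practice. This is an added example for this article, not code from any product or from the campaign discussed further down; it uses PBKDF2-HMAC-SHA256 from Python's standard library, and the iteration count, salt length and output length are assumed values chosen for the example rather than anything the text specifies:

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 parameters. 600,000 iterations is OWASP's 2023 guidance
# for this algorithm; raise it as hardware gets faster. (Assumed values for
# this example; the article itself names no particular algorithm.)
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different records, and a table precomputed for one salt is useless
    against every other entry in a stolen database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record
    and compare in constant time, so response timing doesn't leak how many
    bytes of the guess were right. Malformed records simply fail."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
        )
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)
```

The record is the only thing that ever needs to be written to disk or to a log: it contains the salt and the work factor, so the password can be checked later, but not the password itself.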
FTP servers of this sort vanished some time ago from our online world, for the reasons you probably expect:
Email was also a popular way to distribute both legitimate and malicious files for many years, using email attachments that could easily be extracted at the other end.
But our collective experience with email worms such as Melissa and the infamous LoveBug led to email attachments being heavily scrutinized and aggressively filtered or quarantined.
It’s therefore tempting to suggest that we now live in a more cautious age, with a much better community focus on making free and anonymous malware dissemination difficult, and with a less tolerant attitude from providers and vendors to the dissemination of malware from their servers.
Sadly, however, malware distributors and cybercrime groups have more online places than ever to hide, and, worse still, have a wider range of online haunts to hang out in.
Also, at the turn of the century, malware creators began to shift away from attacks based on worms and viruses – malicious programs that needed just one entry point into a business, such as via email, and would then aggressively and automatically spread around by themselves.
Today’s attacks by custom-written malware programs typically take the form of Trojans, or Trojan Horses, after the legendary fake gift (a wooden horse that was supposedly a peace offering but had undercover troops concealed inside) that brought the Trojan War to an end. (The war itself is the subject of Homer’s epic poem The Iliad; the horse is recounted in the Odyssey and in Virgil’s Aeneid.)
That’s because viruses and worms, as aggressive and destructive as they may be, share some characteristics that make them less attractive to attackers these days:
Viruses and worms do still show up from time to time, such as the self-spreading ransomware known as WannaCry, a well-remembered example from back in 2017.
But for close to 20 years already, most malware has generally been of the non-self-spreading sort, for several reasons:
As we wrote last year in an article about the evolution of malware:
[M]alware descriptions these days don’t tell you as much as they used to, because that is no longer possible.
Cybercriminals have learned not merely to play their cards closer to their chests, but to play without dealing their hands at all until the very last moment possible.
Sometimes, the crooks behind an active bot network, or botnet for short, may simply sell it on to someone else, swapping their malware out for code that they themselves couldn’t have told you about in advance, even if they’d been inclined to do so.
These days, malware that doesn’t announce itself until the last moment has become even better at hiding in plain sight, by assembling itself from multiple different online sources.
These sources notably include public download servers that often provide even more anonymity than those long-discontinued FTP servers of last century.
For example, researchers at Belgian cybersecurity outfit NVISO recently wrote up their analysis of a malware campaign that they suspected originated out of North Korea.
This country is frequently accused of overt cybercriminality as a means of acquiring foreign exchange (notably in the form of stolen cryptocoins) to evade sanctions.
In this attack, the cybercriminals targeted independent software developers, enticing them using a variety of online services that are routinely used by legitimate software developers, and that give the impression of being reasonable and innocent at first glance:
pastebin.com. These URLs were scrambled to make them hard to spot via static analysis of the Python code. They were tried in turn; the first URL that worked was used to fetch yet another chunk of scrambled JSON data referencing yet another URL in the US. At this point, the tortuous trail went dead, because the final URL wasn’t working.
Nevertheless, the researchers had tracked this malware campaign from social media platform LinkedIn, to widely-used coding service GitLab, to the popular data-sharing site JSON Keeper, through a cloud provider in France, via the free public snippet-sharing site Pastebin, to a final but non-working URL at a web hosting company in the US.
The last step used a URL of the form http://[REDACTED]/introduction-video, as though it might be an innocent download of interest to the victim.
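Scrambled URLs of this sort are meant to defeat a quick grep for http://, but they are not hard to unscramble if you look at string literals one decoding at a time. The script below is an added example for this article, not NVISO’s code and not the campaign’s loader; the article does not say which scrambling the attackers used, so reversal, base64, hex and single-byte XOR are assumed here because they are the cheap tricks most often seen in loader scripts, and the sample loader it scans is constructed, with hostnames under the reserved .invalid domain:

```python
import ast
import base64
import binascii
import re

# Anything that decodes to an http(s) URL. (Regex constructed for this example.)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def _decodings(literal: str):
    """Yield (scheme, decoded_bytes) for each way we try to unscramble one
    string literal. Reversal, base64, hex and single-byte XOR are assumptions
    for this example; the article does not say what the campaign used."""
    raw = literal.encode("utf-8", "surrogateescape")
    yield "plain", raw
    yield "reversed", raw[::-1]
    try:
        yield "base64", base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        pass
    try:
        yield "hex", bytes.fromhex(literal)
    except ValueError:
        pass
    for key in range(1, 256):
        yield f"xor:{key:#04x}", bytes(b ^ key for b in raw)


def find_hidden_urls(source: str):
    """Parse `source` as Python, try every decoding on every string constant of
    plausible length, and return (line, scheme, url) for each URL recovered.
    Working on the AST rather than grepping means literals are found however
    they are quoted or split across lines by implicit concatenation."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        if len(node.value) < 8:
            continue
        for scheme, data in _decodings(node.value):
            for match in URL_RE.finditer(data):
                hits.append((node.lineno, scheme, match.group().decode("ascii")))
    return hits


# Constructed sample loader, not the campaign's code. Each line hides a URL
# under a different scheme; the hostnames use the reserved .invalid TLD.
SAMPLE_LOADER = '''
import base64
FIRST = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvc3RhZ2UyLmpzb24=")
SECOND = "2egats/dilavni.elpmaxe//:sptth"[::-1]
THIRD = bytes.fromhex("687474703a2f2f6578616d706c652e696e76616c69642f696e74726f64756374696f6e2d766964656f")
'''

if __name__ == "__main__":
    for line, scheme, url in find_hidden_urls(SAMPLE_LOADER):
        print(f"line {line}: {scheme:>8}  {url}")
```

Run against the sample loader, it recovers all three URLs and reports which trick hid each one. Real loaders often chain two schemes (base64 of a reversed string, say), so a production version would feed each successful decoding back through the list; the single pass here is enough to show the idea.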
But the researchers guessed, admittedly without explaining how they arrived at their supposition, that this “video” might have been malicious code with the nickname Tsunami, malware that is what’s known as a bot or zombie.
Bots, short in this context for software robot malware, routinely download instructions on what to do next from the internet, so they can be controlled remotely using only outbound web connections, which are typically allowed out even through corporate firewalls that block inbound connections strictly.
This means that bot-herders, the jargon word for cybercriminals who control a collection of bots, can remotely command them to perform a wide variety of malicious activities.
They can control their armies of zombie computers either one at a time or, if they seek to make a show of force such as ganging up on a victim’s website for blackmail purposes, all at once.
Remote commands built into most zombies include: logging keystrokes; searching through files for keywords; taking screenshots; uploading password files; retrieving detailed system data; updating themselves; and installing yet more malware, often in return for payment from other cybercrime gangs.
Many bots also include a “feature” whereby they will instantly shut down and uninstall themselves, for example if the bot-herders suspect that law enforcement investigators have infiltrated their operation.
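Because a bot has to keep asking its controllers what to do next, its outbound traffic tends to have a rhythm that ordinary browsing lacks. The script below is an added example for this article, not code from NVISO or from any product: it reads a constructed proxy-log excerpt (not from any real incident) and flags client-to-host pairs whose connection gaps are suspiciously regular. The thresholds are assumptions for the example and would need tuning on real traffic:

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log excerpt for this example (not from any real incident):
# "timestamp client destination". 10.0.0.7 polls updates.example.invalid about
# every five minutes while also browsing cdn.example.net normally; 10.0.0.9
# touches the same host only twice.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.7 cdn.example.net
2024-05-01T09:00:00 10.0.0.7 updates.example.invalid
2024-05-01T09:00:03 10.0.0.7 cdn.example.net
2024-05-01T09:00:10 10.0.0.9 updates.example.invalid
2024-05-01T09:00:50 10.0.0.7 cdn.example.net
2024-05-01T09:00:55 10.0.0.7 cdn.example.net
2024-05-01T09:04:15 10.0.0.7 cdn.example.net
2024-05-01T09:04:27 10.0.0.7 cdn.example.net
2024-05-01T09:05:00 10.0.0.7 updates.example.invalid
2024-05-01T09:05:10 10.0.0.9 updates.example.invalid
2024-05-01T09:09:58 10.0.0.7 updates.example.invalid
2024-05-01T09:15:01 10.0.0.7 updates.example.invalid
2024-05-01T09:16:40 10.0.0.7 cdn.example.net
2024-05-01T09:20:01 10.0.0.7 updates.example.invalid
2024-05-01T09:25:02 10.0.0.7 updates.example.invalid
"""


def parse_log(text):
    """Turn log lines into (timestamp, client, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, host = line.split()
        events.append((datetime.fromisoformat(stamp), client, host))
    return events


def find_beacons(events, min_connections=4, min_interval=30.0, max_cv=0.2):
    """Flag (client, host) pairs whose connection gaps are suspiciously regular.

    The coefficient of variation (stdev / mean) of the gaps is scale-free, so a
    bot polling every 5 minutes and one polling every hour score the same. The
    thresholds are assumptions for this example: tune them to your own traffic,
    and expect real bots to add jitter, which pushes the CV up.
    """
    by_pair = defaultdict(list)
    for stamp, client, host in events:
        by_pair[(client, host)].append(stamp)

    findings = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean < min_interval:  # bursts of asset fetches, not a poll loop
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "connections": len(stamps),
                "mean_gap_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample, only the five-minute poll from 10.0.0.7 is reported; the browsing to cdn.example.net is far too irregular, and 10.0.0.9 has not connected often enough to judge. Note that the check never looks at the destination name at all, which is the point: it works just as well when the bot hides behind a hosting provider or data-sharing service that you could not reasonably blocklist.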
Some Tsunami variants, say the NVISO researchers, even allow their bot-herders to download new malware via an embedded copy of the Tor network software.
Tor is short for the onion router, a privacy-protecting online service that allows cryptographically-shielded and largely untraceable downloads from pseudo-anonymous .onion addresses.
The last-century shutdown of public FTP servers for reasons of community safety and security happened when their number was quite small, at a time when enumerating them and blocklisting them would have been a fairly reliable protective measure.
Ironically, perhaps, free and public data-sharing services are more prevalent than ever today.
Many popular online services, including social media, instant messaging, web hosting, source code management, backup, and data sharing, are so widely used in real life that relying entirely on blocklisting them in bulk would not only be disruptive, but also an unwinnable game of whack-a-mole.
To be clear, well-managed threat detection and prevention tools – including scanning, behavioral detection, and blocklists – will still help you greatly, but, as Mr Miyagi of the Karate Kid franchise famously said...
...“Best way to avoid punch, no be there.”
So, why not ask how SolCyber can help you achieve cybersecurity in the most human-friendly way, to help stop your staff getting sucked in by scammers or cyberattackers in the first place?
Stay on top of cyberthreats without distracting yourself or your staff from your core business.
Sign up with SolCyber to do it for you, human style.
Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
