This article was first published at Lumension’s Optimal Security blog: http://blog.lumension.com/6684/anatomy-of-reflective-memory-attacks/
Ophiocordyceps unilateralis is a parasitoidal fungus that, beginning with a microscopic spore, infects a certain species of ant using a series of attacks, one building on the other, until it controls the ant’s brain for its own bidding. The fungus can’t just land on the ant, consume it and reproduce. It needs to get inside the ant in order to eat it, and it needs the ant to travel far away from its normal home in the trees to an environment more suitable for the fungus’ growth and reproduction. The whole process requires a chain of attacks, each one very different in method and each allowing the fungus to gain the strength needed for the next stage and ultimately its reproduction. That progressive chain of attacks is, in a very creepy way, not unlike the bootstrap process of today’s reflective memory attacks.
Like a piece of malformed content delivered to a PC, the spore uses enzymes to silently penetrate the ant’s shell. Then, as the malformed content (e.g. a PDF, Office document or JPEG) is parsed, a buffer overflow triggered by that content causes an initial, tiny piece of shell code to execute arbitrary instructions within the victim process. Many factors limit how large the shell code can be, and thus what it can do at this point on the victim PC. Similarly, the young fungus sprouting from the spore is far from taking over the ant’s brain at this point.
The shell code solves this problem by contacting a server somewhere on the Internet that is controlled by the attacker and downloading a larger module of malicious code. In this way the malware on the victim PC grows in size and capability. By comparison, the newly penetrated spore must consume nearby soft tissues of the ant in order to grow.
The fungus has to be careful at this point. It needs to consume the ant’s tissue in order to grow toward the ant’s brain, but it can’t kill the ant. It needs the ant to stay alive for now, until it can get the ant to crawl to the fungus’ optimum location for reproduction.
Likewise, the computer attacker has to be careful. A poorly written buffer overflow/shell code exploit can inadvertently crash the process, in essence killing the “ant”. More importantly, the currently active shell code is insufficient to take over the entire PC and begin moving to other systems and/or stealing information. Obviously the shell code needs to download a larger module of malware, but if it writes a malicious executable to the local file system and runs it, antivirus or application control running on the PC can easily catch and block the attack from proceeding.
In the case of the fungus, it carefully consumes non-vital parts of the ant until it reaches the brain. In the cyber world, the attacker has the shell code download the larger malware but refrains from writing it to the file system. Instead it loads the code into a chunk of allocated memory. Then it uses a technique called reflective programming (reflective loading) to link the symbolic references in the malware to the actual addresses of standard functions and system APIs, doing by hand the work the operating system’s loader would normally do when it loads an executable from disk. This is much easier said than done, but the result is that the attacker succeeds in activating a very large and highly functional piece of malware on the target system without touching the file system or even starting a new process on the PC. The malware lives inside the process that originally parsed the little piece of malformed content. The process itself, as well as the operating system and security applications, has no idea that the process is now a zombie under the control of the bad guys.
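Because the reflectively loaded module never touches disk, one thing a defender can look for is executable memory inside a process that maps no file, or that is writable and executable at the same time. The following is an added example, not code from the original article or from Lumension: it reads Linux `/proc/<pid>/maps` text (a constructed sample is embedded) and flags such regions; on Windows the same heuristic is applied with `VirtualQueryEx` over `MEM_PRIVATE` regions carrying an execute protection.

```python
"""Flag executable memory regions that have no backing file, or are RWX.
Reflectively loaded code sits in anonymous memory inside an otherwise
legitimate process, so such regions deserve a closer look."""
import re
from collections import namedtuple

KNOWN_PSEUDO = {"[vdso]", "[vsyscall]"}  # kernel mappings, executable by design

# One /proc/<pid>/maps line: range perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

Finding = namedtuple("Finding", "start end perms path reason")

def find_suspicious_regions(maps_text: str) -> list:
    """Return executable regions with no backing file, or writable+executable ones."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or "x" not in m["perms"]:
            continue  # skip malformed lines and non-executable regions
        perms, path = m["perms"], m["path"].strip()
        start, end = int(m["start"], 16), int(m["end"], 16)
        # A real file mapping has an absolute path and a non-zero inode.
        file_backed = path.startswith("/") and m["inode"] != "0"
        if "w" in perms:
            findings.append(Finding(start, end, perms, path, "writable+executable"))
        elif not file_backed and path not in KNOWN_PSEUDO:
            findings.append(Finding(start, end, perms, path, "executable, no backing file"))
    return findings

# Constructed sample in /proc/<pid>/maps format, not a real capture.
SAMPLE_MAPS = """\
00400000-0041c000 r-xp 00000000 08:01 1234567 /usr/bin/reader
0061c000-0061d000 rw-p 0001c000 08:01 1234567 /usr/bin/reader
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c021000-7f3a1c045000 rwxp 00000000 00:00 0
7f3a1c100000-7f3a1c140000 r-xp 00000000 00:00 0
7f3a1d000000-7f3a1d1b0000 r-xp 00000000 08:01 2345678 /usr/lib/libc.so.6
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
7ffd123ff000-7ffd12400000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for f in find_suspicious_regions(SAMPLE_MAPS):
        print(f"{f.start:#x}-{f.end:#x} {f.perms} {f.reason} {f.path}")
```

Legitimate JIT compilers also produce anonymous executable memory, so treat a hit as a lead to examine (e.g. by dumping the region and checking for a PE header or known code) rather than as proof of compromise.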
Back in “meat space”, as the fungus consumes the ant’s non-vital soft tissues it grows towards the ant’s brain. Having reached the head, the fungus secretes chemicals that take control of the ant’s brain, first throwing the ant into convulsions that cause it to fall from the tree where the colony lives. Next the fungus causes the ant to climb the north side of a suitable plant stem to a certain height and latch onto the vein of a leaf with all the strength of its mandibles. Now the fungus, with no further need of the ant’s continuing life, consumes the ant with abandon. Branches of the fungus sprout from the ant to more securely anchor it to the leaf and structurally reinforce the ant’s exoskeleton. Secretions ward off other microbial competitors. As the fungus matures, the ant’s soft tissues are fully consumed and finally, fruiting bodies sprout from the ant’s head and new spores leave to repeat the process.
In the compromised PC, the attacker uses the malware activated through the reflective memory attack to elevate its privileges, take control of the operating system and become persistent. At this point the attacker can fully exploit the compromised PC and the victim user’s authority, much like the fungus in its final stages of consuming the ant.
Attack methods are always changing, but right now the most fascinating, and dangerous, aspect of a cyber-attack like this is the reflective memory attack. It pays for all of us to learn how it works, because these attacks are very hard to detect and require a completely new and different technology than file-system-based AV and application control, which never see the malicious module because it is never written to disk.
Want to learn how reflective memory attacks work? Join Randy for “Reflective Memory Attacks Deep Dive: How They Work; Why They’re Hard to Detect”.