Next-Gen Malware: Destructive Devices

Posted on by Christopher Burgess

The word malware (malicious or malevolent software) has permeated our lexicon, especially for those in the security world. A cyber-criminal's intent has been either to utilize your resources in their criminal endeavors (i.e., put their malware on your system and launch from within your hosted spaces) or to extract information from your entity that could be monetized quickly and effectively.

At the recent RSA Conference 2014, George Kurtz and Dmitri Alperovitch, the CEO and CTO, respectively, of CrowdStrike, presented "Hacking Exposed: Day of Destruction." And destroy they did. They effectively rendered multiple devices brick-like through the use of sophisticated and not-so-sophisticated techniques. More importantly, they drove home the point that the next generation of malware may give us more headaches than we are prepared for.

In a recent Cisco Security Threat Report (2014), 100 percent of the reporting companies noted that they had encountered malware hosts from within their own networks, and that such penetrations go many years without detection.

In other words, the criminal entity has their malware resident and dormant on your network; they find an unethical competitor willing to pay to have your company disrupted. Would there be a deleterious effect if the CFO's or the controller's laptop were "bricked" during the last week of the fourth quarter of a year, immediately prior to the earnings call? Or perhaps, if the servers that host the client support databases were compromised? Thus, disruption becomes more painful than simply an infected machine that needs to be cleaned; in this case, you need a new machine and you're left crossing your fingers that your data has been replicated effectively and backed up appropriately.

Or perhaps that same competitor has hired the criminal entity to launch the malware from within your corporation to be aimed at your customers. Imagine destructive malware launched from your hosts onto your customers' devices—customers who may or may not have the most sophisticated or up-to-date software/hardware configurations. When your customers' machines begin to brick and melt, there is no doubt that there would be a good deal of angst both internally and externally.

The CrowdStrike presentation walked the audience through a memory lane of malware, including the various iterations of "ransomware" (encrypting or otherwise rendering inaccessible an individual's data until a ransom is paid). Ransomware was the closest example to destructive activity that Kurtz and Alperovitch had demonstrated—until they began melting down their laptops. They modified and corrupted a firmware update, which when installed, spiked the CPUs of the machines and turned off the cooling fans. Then they watched the temperature rise to above boiling-water level. An attack like this could cause injury to the laptop owner, permanently damage the internal electronics of the device, or start a fire.

How do you prevent this particular type of exploitation? Ensure that firmware updates come with certificates of authentication from the creator of the firmware, and that the device verifies that authentication before anything is written. Without authentication, those with access may be able to adjust your firmware on the fly and render your device inoperable or destroyed, or they could create additional destructive devices by infecting your system and others with malware that they can then spread to further devices.
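As an added illustration of that control (this is example code written for this page, not code from the post, from CrowdStrike or from any firmware vendor), the Go program below shows the minimum an updater should do before applying an image: check the signature against the vendor's public key, and only then trust the header and payload. The image layout (magic, version, length, payload, Ed25519 signature), the fan-control payload string and the in-memory key generation are all constructed assumptions for the example; on a real device the vendor's public key would be stored in immutable boot ROM or fused storage rather than generated at run time.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not any vendor's real format):
//   magic (4 bytes) | version (uint32 BE) | payload length (uint32 BE) | payload | Ed25519 signature (64 bytes)
// The vendor signs everything before the signature with its private key.
var magic = []byte("FWV1")

var (
	ErrBadMagic  = errors.New("firmware: bad magic")
	ErrTruncated = errors.New("firmware: image truncated or length mismatch")
	ErrBadSig    = errors.New("firmware: signature does not verify against vendor key")
	ErrRollback  = errors.New("firmware: version not newer than installed version")
)

// BuildImage models the vendor's release tooling: assemble header and payload, then sign them.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := &bytes.Buffer{}
	buf.Write(magic)
	binary.Write(buf, binary.BigEndian, version)
	binary.Write(buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage models the device-side updater. It returns the version and payload
// only when the signature is valid and the version is newer than what is installed.
func VerifyImage(pub ed25519.PublicKey, installedVersion uint32, img []byte) (uint32, []byte, error) {
	const hdrLen = 4 + 4 + 4
	if len(img) < hdrLen+ed25519.SignatureSize {
		return 0, nil, ErrTruncated
	}
	if !bytes.Equal(img[:4], magic) {
		return 0, nil, ErrBadMagic
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := binary.BigEndian.Uint32(img[8:12])
	// Compare in uint64 so an attacker-chosen length field cannot overflow the arithmetic.
	if uint64(len(img)) != uint64(hdrLen)+uint64(plen)+ed25519.SignatureSize {
		return 0, nil, ErrTruncated
	}
	signed := img[:hdrLen+int(plen)]
	sig := img[hdrLen+int(plen):]
	// Signature first: nothing else in the image is acted on until the vendor key vouches for it.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	// Anti-rollback: a validly signed but older image could reintroduce a known-bad build.
	if version <= installedVersion {
		return 0, nil, ErrRollback
	}
	return version, signed[hdrLen:], nil
}

func main() {
	// Vendor key pair, generated here for the example only.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed payload standing in for real fan/thermal configuration.
	img := BuildImage(priv, 2, []byte("fan_curve=normal;cpu_limit=85C"))

	v, _, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image:", v, err)

	// Flip one payload byte, as a tampered update would; the signature no longer verifies.
	tampered := append([]byte(nil), img...)
	tampered[12] ^= 0xff
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)
}
```

The order of checks matters: the length check only guards the slicing, and the signature is verified before the version or payload are interpreted, so a modified image is rejected without its contents ever influencing the updater. A signed-but-older image is also refused, which closes the common gap where an attacker replays a legitimate earlier release.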

In sum, the CrowdStrike team put some food for thought on the table about the evolution of malware, tracing the path from attacks we've become accustomed to over the years to attacks that will truly disrupt your operations and cause physical destruction of your hardware.

Christopher Burgess, Prevendra Inc.

Tags: hackers & threats, anti-malware

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
