A Sneaky Online Security Threat: Encrypted Malware in SSL

Unfortunately, the bad guys use encryption, too

Every time you connect to the
internet, whether it’s from a phone, tablet, or computer, you accept a certain
level of risk. Hackers continue to find new ways to exploit security flaws and
compromise your device or data. You need to be on alert at all times in order
to avoid dangerous malware and other attacks that sometimes come from where you
least expect them.

When you see a padlock icon at the top of your browser, it means that you’re communicating with the site you are viewing via a connection encrypted with a valid SSL/TLS certificate. But many people make the mistake of assuming that as long as an SSL certificate is present, then they are safe from all forms of attack, end of story. In this article, we’ll explore how new types of malware are actually being hidden behind this trusted symbol.

SSL encryption is critical for any site or application that requires
sensitive information to be transferred. This includes passwords, credit card
numbers, and other financial data. SSL certificates are an excellent defense
tactic against intruders who’re trying to eavesdrop on your internet activity,
protecting your data from criminals. Here’s the thing, though: bad guys can use
encryption, too. And hackers and cybercriminals are using SSL/HTTPS to hide
malicious code.

Let’s hash it out.

Firewalls & Intrusion Detection Systems Have a Loophole

Companies and organizations
spend a lot of money and resources on IT security solutions. One popular
approach is to combine intrusion detection systems and firewalls to monitor and
analyze all incoming traffic to your local network. The idea is for the system
to automatically detect and block cyber attacks and hacking threats before any
users become vulnerable.

For example, let’s say Bob in
customer service clicks on a link in a phishing email that leads to a URL with
malware. The organization’s security systems
could detect and block this visit before Bob’s machine can become infected with
malware.

However, there is an inherent loophole in how intrusion detection systems are built to operate. They involve the scanning of network traffic to identify patterns that correspond to malware or other malicious attacks. If the systems are unable to decode the full body of each incoming network request, then they remain blind to a certain portion of traffic.

For example, when you
download a document from an external website, your firewall or intrusion
detection system can inspect the packets of data that come through the local
network. But if that communication is happening over an SSL connection, then
the system cannot see through the encryption to detect what is really inside
the document.

Some newer intrusion detection solutions are introducing the concept of deep packet inspection, where the tool looks at the lower levels of each network request to understand more about its content. But not many organizations have this option available to them, which means that data passing over HTTPS could be a threat.

Another technique for detecting the presence of SSL malware is SSL inspection. This is the process of intercepting SSL/TLS-encrypted internet communication between the client and server. Interception can be executed between the sender and the receiver, and vice versa (receiver to sender). This, strangely, is the same technique used in man-in-the-middle (MitM) attacks, but if deployed carefully can be used to filter out malware in SSL. (The key difference between inspection and a man-in-the-middle attack is that with SSL inspection, the network administrator modifies the computers to allow inspection only by the authorized device/certificate.)

The Mechanics of SSL Malware

To understand how hackers encrypt malware with SSL, we need to look at the Transport Layer Security (or TLS,) which refers to the encryption process that goes on behind SSL. The latest Google numbers tell us that 93% of the internet is now encrypted. As discussed, it is designed to be locked to all outside parties, including firewalls that don’t support deep packet inspection.

When it comes to SSL malware, hackers are not able to inject directly into existing streams of HTTPS content. For example, if you are shopping on Amazon and submit your credit card number to pay for a book, that information is transmitted over SSL. If a hacker tries to modify that traffic and inject malware, your browser will notice that the keys have changed and will automatically reject the request.

However, there are ways around this “problem.” One of the most common is for cybercriminals to get free SSL certificates for their sites that contain malware. Though legitimate SSL certificates are not expensive — particularly given their importance in protecting data from theft — hackers may find it easier to get a free certificate without using any financial info that could be used to track them.

Another variation on this technique for the delivery of SSL malware is for criminals to use SSL certificates on phishing sites that deliver malicious code to victims’ systems while looking like a legitimate websites. The hacker will send out a series of fraudulent emails that look like they are coming from a reputable sources. If users click on them, they will be directed to websites that look secure because they have free SSL certificates. At that point, the hackers can embed their malware into the encrypted traffic and try to bypass any firewall system.

These types of attack are becoming worryingly prevalent. Security Week reported in 2017 that in the first half of that year, Zscaler’s products blocked roughly 600,000 threats hidden in encrypted traffic every day. That number grew to 800,000 in the second half of the year, which represents an increase of 30%.

Other security analysts have also raised concerns. As Bill Conner, CEO of SonicWall, told TechRepublic earlier this year, SSL is now implicated in 4.2% of malware. That represents, he says, a 400% increase over the previous year. “That’s because of the ease of finding bad SSL certificates,” he continued, but also because “only 5% of customers are turning on DPI, deep packet inspection for SSL.”

The important thing to remember is that SSL does not guarantee safety. It simply ensures that your requests are encrypted. But the actual data being transmitted can still contain dangerous elements, including viruses and other forms of malware. Therefore, you should always be suspicious when visiting a new website. (Note: If the website in question is using an organization validation [OV] or extended validation [EV] SSL certificate, which are very hard for hackers to get, you can check their certificate details to get additional details about the organization that’s running the website.)

7 Tips For Protecting Yourself

Staying safe online requires
a consistent level of diligence. Your best bet is to take proactive steps to
control and protect your online privacy. Here are a few tips to protect against
SSL malware and other threats:

  1. You should always look for the padlock symbol in your browser to confirm that the site you are using has SSL encryption enabled. But don’t assume that’s sufficient because, in fact, many nefarious websites spoof their own SSL certificates to appear legitimate.
  2. Any time that you enter personal information or make a financial transaction, take an extra minute to consider the platform you are using and whether the URL in your browser and any organization details on the SSL certificate correspond to the correct organization.
  3. Advanced DNS spoofing can even provide seemingly correct URLs that will capture user credentials. Strong password managers often protect against this by cross referencing URLs but users need to be vigilant when entering login info.
  4. Consider adding a virtual private network (VPN) to your online security regimen. This moderately priced service is deployed by an increasing number of internet users. It’s easily available by subscription and uses different forms of encryption than SSL to secure and anonymize your online session.
  5. Ensure your organization has correctly configured firewalls and intrusion detection systems. Hackers aren’t getting any dumber with their cyberattacks, which means that even if you take all of the right precautions, there is still a chance you could be vulnerable to malware. While we recounted the limitations of intrusion detection systems earlier, you’d be silly not to use them. Even if some of the hacker’s packets make it into your system, there is at least a decent chance your intrusion detection strategy will detect and quarantine it before too much damage is done.
  6. Be sure your organization is using deep packet inspection and/or SSL inspection to ferret out threats in encrypted web traffic.
  7. Invest in credible anti-virus tools from reputable sources and keep them up to date! While not foolproof, there is no better way, given current technology, to protect yourself than having a firewall and anti-malware and anti-virus software watching your back.

The Bottom Line

Don’t make the mistake of blaming this on SSL. Without it, the internet would be a MUCH more dangerous place. With the current level of hacking, going anywhere online would be hazardous. You would not be able to trust that your passwords and credit card numbers were being sent safely anywhere. The larger point here is that even when an SSL connection is present, remain aware that you still can be a target thanks to malware or other threats hidden inside of SSL traffic.

No need to be afraid. Just be vigilant with your cybersecurity strategy.

As always, leave any questions or thoughts in the comments!