Staples hit by ChangeUp APT infection

ChangeUp is a worm with trojan characteristics. “It spreads,” said McAfee at the time, “by creating copies of itself in removable storage devices and mounted network shares. It will also create an ‘autorun.inf’ to allow it to automatically execute itself when attached to another system with autorun enabled.”

But it is also a polymorphic stealth worm/trojan that can fairly be described as an APT, and it seems likely that Staples is having difficulty in both containing and cleaning its systems. Although CRN reported the incident last week, there is still very little information about the infection. “Staples spokesperson Mark Cautela said last week that he would look into the matter but has not returned repeated requests for information about the attack or whether any customer data was exposed as a result of the incident,” said CRN yesterday. All that seems to be known is that the malware is ChangeUp, and that Symantec has been brought on board to help – but Symantec is also keeping shtum.

“The fact that they are saying nothing implies that they are still fighting fires,” Adrian Culley, technical consultant at Damballa, told Infosecurity. The situation would appear to be ongoing and current. The problem is that ChangeUp is difficult to detect and consequently difficult to remove. Two particular features conspire. Firstly, it is written in Visual Basic and changes its signature every time it copies itself as it progresses around the victim’s network; and, secondly, it uses dynamic URL generation to disguise the C&C server in order “to make sure that the C&C server isn’t detected and blocked by conventional gateway and perimeter security,” explained Culley.

So while traditional defenses might be able to detect the malware that ChangeUp downloads from its C&C server, it is difficult to stop ChangeUp itself. “You may be lucky enough to find an incarnation of the worm,” said Culley, “but outside of that you have to profile your network communications – the only way you can see this is by looking at what’s happening with your communications to the outside world. By its very nature ChangeUp defeats blacklisting.” You cannot just block ChangeUp because you can’t find what to block.
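One way to act on Culley’s advice to profile outbound communications instead of blacklisting, as an added example that is not from the article or from any vendor named in it: a small Python script that scores DNS queries per client by NXDOMAIN ratio and by the entropy of the queried labels, two usual symptoms of algorithmically generated C&C domains. The log format, the sample lines and the thresholds are assumptions constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS log lines (not from the article): "time client qname rcode".
# 10.0.0.5 resolves ordinary names; 10.0.0.9 cycles through random-looking domains,
# most of which do not exist yet, as a DGA-driven worm does while hunting for its C&C.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.5 mail.example.com NOERROR
10:00:03 10.0.0.5 cdn.example.net NOERROR
10:00:05 10.0.0.9 qx7t2mz9vk.com NXDOMAIN
10:00:05 10.0.0.9 p0d8ws3hjq.net NXDOMAIN
10:00:06 10.0.0.9 z4kmq1vb8r.com NXDOMAIN
10:00:06 10.0.0.9 h3gt9yxwq2.org NXDOMAIN
10:00:07 10.0.0.9 f8jw2kqzm6.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def entropy(label):
    """Shannon entropy (bits per character) of a domain label."""
    if not label:
        return 0.0
    n = len(label)
    counts = {c: label.count(c) for c in set(label)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def second_level_label(qname):
    """'www.example.com' -> 'example'; the label a DGA actually randomises."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def profile_clients(log_text):
    """Per-client query count, NXDOMAIN count and the set of distinct labels seen."""
    stats = defaultdict(lambda: {"queries": 0, "nx": 0, "labels": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _, client, qname, rcode = m.groups()
        s = stats[client]
        s["queries"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["labels"].add(second_level_label(qname).lower())
    return stats

def flag_dga_suspects(log_text, min_queries=4, nx_ratio=0.5, min_entropy=3.0):
    """Return {client: metrics} for hosts whose lookups look algorithmically generated."""
    suspects = {}
    for client, s in profile_clients(log_text).items():
        if s["queries"] < min_queries:
            continue  # too few queries to judge; avoids flagging a single typo
        ratio = s["nx"] / s["queries"]
        avg_ent = sum(entropy(l) for l in s["labels"]) / len(s["labels"])
        if ratio >= nx_ratio and avg_ent >= min_entropy:
            suspects[client] = {"nx_ratio": round(ratio, 2), "avg_entropy": round(avg_ent, 2)}
    return suspects
```

Running `flag_dga_suspects(SAMPLE_LOG)` flags only 10.0.0.9; in practice the thresholds are tuned against a baseline of the organisation’s own normal resolver traffic, and a hit is a lead for host triage, not proof of infection.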

Dana Tamir, enterprise security director at Trusteer, agrees that traditional blacklisting is of little help against the more advanced contemporary threats such as ChangeUp. “To effectively protect against advanced malware,” she explains, “you need solutions that are not based on malware detection, but rather on validating that sensitive operations are only executed by legitimate applications. You need to restrict unknown processes from executing sensitive operations like logging keystrokes or opening communication channels.”

ChangeUp is an advanced persistent threat. It demonstrates that techniques and characteristics originally associated with nation-state threats (APT is itself a military term) are now also adopted by mainstream criminality.
