Malware Authors Have Already Won the Iron Throne
As countless millions around the world prepared to watch HBO’s TV show Game of Thrones by putting the final touches on their Jon Snow costumes, ordering up pizza and chicken wings for their watch parties, and running speed tests on their Apple TVs for HBO’s streaming app, a flurry of activity was occurring behind the scenes to ensure a seamless premiere. HBO has been cranking up the capacity on its content delivery networks (CDNs) and hiring extra support staff to be on hand in the event of a repeat of the 2017 stream crash. Meanwhile, malware authors were ramping up their capabilities, too, and preparing their latest campaigns knowing they have a target-rich environment. Security researchers have consistently given HBO’s Game of Thrones the title of “Most malware-laden TV show” for a good reason.
Game of Thrones is unique in being one of the most popular TV shows that require a premium cable channel or dedicated streaming app to access. Due to licensing and contract agreements, Game of Thrones is not accessible legally in many parts of the world. In fact, until Season 5 of the show, many viewers around the world would get their episodes weeks or months after the premiere in primary markets such as the US and UK. These facts and the general notion that many people would rather get something for free than pay for it sets the stage to make Game of Thrones the most pirated TV show in history. When a show becomes the most desired and pirated show in history, it becomes ripe for abuse.
The oldest trick in the book for exploiting people who wish to watch Game of Thrones outside of legal means is to advertise websites with fake streams or downloads. Social media platforms such as Twitter, Reddit, and Twitch.tv give these fake links an even broader audience. Clicking on one of these counterfeit streams or fake download buttons generally starts a social engineering attack to trick the user into downloading and installing a special “player” or a “codec” to watch the TV show from a particular website. Even if a website does load a video stream where a user can watch the TV show, other malicious elements on the webpage can load and attack the system or browser.
Another popular method to download the show is to use the decentralized peer-to-peer BitTorrent protocol to “share” the file with other users. By design, the BitTorrent protocol cannot be shut down from a single location and no takedown order will force a single service provider to stop sharing the show. In response to this dilemma, content creators like HBO have turned to copyright law and the legal system (at least in the United States) by sending takedown notices to individual users who illegally download the TV show, often threatening legal action if the behavior continues. Because of the decentralized nature of BitTorrent, there is nobody to regulate the exchange of files to ensure only legitimate files are exchanged and that no malware is added. Malware authors take full advantage of this lack of oversight to spread a fake video file that appears corrupted when a user attempts to open it. Included with the file is a readme.txt that instructs the user to download a special player or codec to view the downloaded video. Just as in the previous example, this is a social engineering attack meant to trick users into installing malware on their systems.
The most ingenious method of attack involves a legitimate copy of the video file and a malicious subtitle file. In 2017, security researchers discovered a vulnerability in many popular video playback applications, including the favorite VLC Player, where a maliciously crafted subtitle file could lead to remote code execution. While VLC itself is open source and for the most part secure, the subtitle processor is an interpreter and its code is not scrutinized as much as the core player application. As a result, users watching pirated video files are loading malicious code at the same time.
There are many defenses organizations can employ to reduce the risk introduced by Game of Thrones fans. Many “good enough” security solutions rely on reputation and “top 1000” lists to perform content inspection due to platform or hardware limitations, especially when performing SSL Inspection. CDNs and “trusted websites” such as YouTube and Showtime are exempted from inspection to save precious CPU cycles and to avoid impacting the end-user experience. Security solutions that do not scale to the cloud or were not designed with SSL inspection in scope will often encounter performance issues once all categories for all traffic are set to inspection.
Cloud security proxies designed with scale in mind will scan every byte of data regardless of URL destination or site reputation. Scanning every byte of data with SSL inspection is essential to prevent attackers from leveraging gaps in other security solutions. File Type control ensures users do not download executable (EXE) files disguised as fake players or codecs. A cloud sandbox allows organizations to detonate an unknown file in a controlled environment and render a verdict before users are allowed to download questionable files. A cloud-based Next Generation Firewall can block port-hopping applications such as BitTorrent and shield organizations from the legal and technical risks associated with downloading illegal and questionable content without any hardware required.
Malware authors and attackers often take advantage of world events as a catalyst to their attack campaigns. Fans of Game of Thrones have been waiting almost a year and a half for the final season to begin and attackers feed off that desperation to spread their malware onto unsuspecting viewers. A framework of legal and regulatory requirements often forces users to use questionable or illegal streaming services even if they wish to pay for the service. “Good enough” security solutions expose many gaps that attackers exploit such as delivering malware through “trusted” websites and through SSL or TLS encryption. My guess as to who will rule Westeros at the end of Season 8? Samwell Tarly.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Christopher Louie, CISSP, is a sales engineer at Zscaler