Cloud computing: Malware persistence with thin clients

18 Dec 2010

I hate discussing "the cloud", because it is largely an abused buzzword for nothing truly significant. Anything that uses more than one computer can be thought of as having something to do with "the cloud" these days. That said, the two most useful, and completely different, concepts that both get called the cloud today are using multiple computers for greater processing power, and using thin clients. Both have been around for about as long as computers have. On using more computers for greater processing power there isn't much to discuss: take a bunch of data, disperse it to multiple computers, and let them all crunch it at the same time, yielding faster results than a single computer could. Not every problem is suited to this, and it takes some work to make it happen efficiently, but the concept is obvious and its only security implication is "more can be done faster". That alone can create game changers (faster fuzzing, faster password cracking, better anomaly detection in large data sets, etc.), but I have nothing to say on that now.

I want to talk about thin clients. The concept has been around since mainframes: remote dumb terminals connect to a single big computer. In one modern manifestation, you use your laptop to connect to Google Docs; you are always running the latest Google Docs software without having to update it, and if you are editing a document with other people, you are always working on the latest version. In another manifestation, which seems to be where Google's new Chrome OS is going, the entire OS is hosted remotely, which is what the original thin clients did. Now all of your software is always current, and in security terms you can patch everything across an enterprise immediately and scan for anomalies in one central location. For example, you might deploy Didier Stevens' new HeapLocker tool to try to identify heap sprays. You can also wipe the OS every day, which removes many of the persistence mechanisms malware relies on today, since anything stored in the OS image itself disappears with the wipe.

However, HBGary recently discussed how one can still maintain some form of persistence in such an environment, in their article "Malware Persistence In The Cloud". The idea is to store the malware in the data the user works on: a file that exploits the application that opens it and gains execution that way. The cloud won't wipe the data, because the data is exactly what people need to persist, so that is where the malware hides. This is fragile: if the exploit is discovered or patched, it can be patched everywhere immediately, and since in theory all of those data files are centrally located, the malware can potentially be removed from the data more easily too. Furthermore, the attacker can't rely on getting execution the moment a system boots or a user logs in, only when the booby-trapped file is next opened. But this is one interesting paradigm for malware to move to as thin clients become more pervasive.
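The flip side of "all the data files are centrally located" is that the defender gets to scan them in one place. As an added illustration (my own code, not HBGary's technique or any tool from their article), the following Python script sweeps a central document store for PDFs that carry an automatic action together with executable content, the combination an exploit document needs to fire when the file is opened. It is a deliberately simplified keyword count in the spirit of Didier Stevens' pdfid, and it assumes PDF as the data format; the document store and the sample files are constructed stand-ins, not real documents, and the `DOCUMENT_STORE` dictionary, the file names, and the function names are all hypothetical.

```python
import re

# Constructed sample "central document store": filename -> raw bytes.
# These are minimal hand-made stand-ins, not real documents.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length 22 >>\nstream\nBT (Hello world) Tj ET\nendstream\nendobj\n%%EOF\n"
)
# Opens straight into a script object: the classic exploit-document shape.
TRAPPED_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS (var x = unescape('%u9090%u9090');) >>\nendobj\n%%EOF\n"
)
# Same thing, with the name tokens hex-escaped to dodge naive string matching.
OBFUSCATED_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /Java#53cript /J#53 (app.alert(1)) >>\nendobj\n%%EOF\n"
)
# An additional-actions entry with no script: worth a look, but not an auto-exec exploit.
FORM_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AA << /F 5 0 R >> >>\nendobj\n%%EOF\n"
)
DOCUMENT_STORE = {
    "report.pdf": BENIGN_PDF,
    "quarterly.pdf": TRAPPED_PDF,
    "invoice.pdf": OBFUSCATED_PDF,
    "form.pdf": FORM_PDF,
    "notes.txt": b"meeting notes, nothing to see here\n",
}

# PDF name tokens that make a document act on its own or run code.
AUTO_KEYWORDS = (b"/OpenAction", b"/AA")
CODE_KEYWORDS = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile", b"/RichMedia")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF names (/Java#53cript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count each interesting name token; the negative lookahead stops /JS matching /JSomething."""
    norm = normalize_names(data)
    hits = {}
    for kw in AUTO_KEYWORDS + CODE_KEYWORDS:
        n = len(re.findall(re.escape(kw) + rb"(?![A-Za-z])", norm))
        if n:
            hits[kw.decode()] = n
    return hits


def scan_store(store: dict) -> dict:
    """Return {filename: hits} for PDFs that both act automatically and carry executable content."""
    flagged = {}
    for name, data in store.items():
        if not data.startswith(b"%PDF"):
            continue  # only PDFs are modelled here
        hits = scan_pdf(data)
        auto = any(k.decode() in hits for k in AUTO_KEYWORDS)
        code = any(k.decode() in hits for k in CODE_KEYWORDS)
        if auto and code:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    for name, hits in scan_store(DOCUMENT_STORE).items():
        print(f"{name}: {hits}")
```

Two caveats a practitioner would want. First, this looks only at the raw bytes: a real exploit document usually keeps its payload inside a FlateDecode stream or an object stream, so a production scanner has to inflate those before counting tokens. Second, the verdict is a heuristic; `/AA` and `/JavaScript` are legitimate in forms, so the point of the central store is that the suspicious files can be pulled for analysis (or quarantined) in one place, exactly the advantage the paragraph above describes.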