Embedded Windows XP systems targeted by new Chinese malware

Chinese firm uses unusual techniques to infected legacy computer systems.

Eastern hackers use phishing-led APT to steal millions from banks
Eastern hackers use phishing-led APT to steal millions from banks

A research firm has spotted a piece of Windows XP malware designed specifically for embedded systems - effectively making the darkware code a highly targeted attack on the now-obsolete version of Windows.

As reported previously, Windows XP went end-of-life in early April, although Microsoft has privately contracted with a number of major organisations to continue supplying critical security updates in return for an annual licence fee.

Although Microsoft has been exhorting WinXP-using companies to upgrade to later versions of Windows for some time, many companies – for example, banks with their ATMs - have little choice but to continue using their Windows XP-driven ATMs, as they are based on an embedded version of the operating system.

Now researchers with TrapX have discovered an APT piece of malware. Known as Zombie Zero, the code targets embedded versions of Windows XP, and is one of the first of its type. Once infected, the malware starts looking for financial information, which is relayed to a remote command-and-control (C&C) server.

Poisoned supply chain

The research firm says that malware was delivered through the Windows embedded XP operating system installed on the hardware at the manufacturer's location in China and can also be downloaded from the Chinese manufacturer's support Web site.

This suggests that the malware is effectively being propagated using a poisoned supply chain, rather than the more usual infection processes, 

A variant of this malware, adds the company, was also sold and delivered with the same hardware product to a large manufacturing company as well as to seven other identified customers of this hardware product worldwide.

TrapX discovered the Windows XP infection after it pro-actively deployed its honeypot technology to seek out this type of APT attack.

Commenting on the embedded Windows XP APT malware, Tim Keanini, Lancope's CTO said that, whilst this is not the first report on malware being pre-installed into hardware or software sold, his guess is that we are going to have to hear about many more before consumers demand some type of authenticity.

"But, even if they do, a better assurance will be advance detection because this is not the only method the advanced threat will use for their campaign.  While there are thousands of different ways they can infiltrate your networks, once in they must carry out a series of operations undetected and this is where the defender has the advantage if they choose to take it," he said.

"Having the right telemetry on your network to identify advanced threat is no longer an option. While the threat will remain advanced, your job is to make it not persist," he added.

Tim Erlin, director of security and risk at Tripwire, said that, along with the risk of backdoors and surveillance from the NSA, and the Chinese implanting malware in embedded devices, any security-minded enterprise is hard pressed these days to ensure a safe supply chain.

"It is exceedingly hard to protect against malware when it ships pre-installed from the factory. The average business, even a large enterprise, simply isn't set up to perform this kind of due diligence on incoming hardware with embedded systems, whether it's Windows, Linux or another platform. If an organisation wants to ensure privacy for itself and its customers, it must bear the cost of security somewhere in the supply chain, whether that's in increased cost of a higher assurance supplier, or in post-purchase testing," he explained.

Erlin went on to say that the security of the supply chain will grow even more complex as the Internet of Things grows through an inevitable start-up boom, including a flurry of acquisitions.

Rob Bamforth, a principal analyst with Quocirca, said that, now that Windows XP is truly obsolete, he expects to see more of these specialised types of malware, especially since the challenge with embedded systems is that they are difficult to monitor in the same way that desktop platforms are.

"Desktop systems tend to get streamed updates, especially on the security front. This doesn't happen with embedded systems, so you are then left with infrequent updates being the norm," he said.

One solution, he added, is to adopt a logical separation approach to the system concerned, effectively limiting any potential damage.

This will become increasingly likely, he argues, as we move to the Internet of Things (IoT), and developers will need to `air gap' the systems in order to prevent their direct infection.