Malware Authors Have Already Won the Iron Throne

As countless millions around the world get ready for HBO’s Game of Thrones by putting the final touches on their Jon Snow costumes, ordering pizza and chicken wings for their premiere watch parties, and running speed tests on their Apple TVs for HBO’s streaming app, a flurry of activity is happening behind the scenes to ensure a seamless premiere. HBO is cranking up the capacity on its content delivery networks (CDNs), maxing out its marketing budget to generate hype for the final season, hiring extra support staff in case the 2017 stream crash repeats itself, and getting the money-counting machines ready as the final season of the much-beloved show begins on April 14th. In parallel, malware authors are also ramping up their capabilities and preparing their latest and most significant campaigns, knowing they have a target-rich environment. Security researchers have consistently given the title of “Most malware-laden TV show” to HBO’s Game of Thrones, and for good reason.

Game of Thrones has been wildly successful and has made George R.R. Martin, the author of the books the TV series is based upon, fabulously wealthy. Game of Thrones is unusual in being one of the most popular TV shows that requires a premium cable channel or dedicated streaming app to access. Due to licensing and contract agreements, Game of Thrones is not legally accessible in many parts of the world. In fact, until Season 5 of the show, many viewers around the world got their episodes weeks if not months after the premiere in primary markets such as the US and UK. These facts, together with the general notion that many people would rather get something for free than pay for it, set the stage for Game of Thrones to become the most pirated TV show in history. When a show becomes the most desired and most pirated show in history, it becomes ripe for abuse.

The oldest trick in the book for exploiting people who wish to watch Game of Thrones outside of legal means is to advertise websites with fake streams or downloads. Social media platforms such as Twitter, Reddit, and others give these fake links an even broader audience. Clicking on one of these counterfeit streams or fake download buttons generally starts a social engineering attack that tricks the user into downloading and installing a special “player” or “codec” to watch the show from that website. Security-savvy readers will know never to download and install software from untrusted publishers. Even if a website does load a video stream where the user can watch the show, other malicious elements on the webpage can load and attack the system or browser.

Another popular method of downloading the show is to use the decentralized peer-to-peer BitTorrent protocol to “share” the file with other users. By design, the BitTorrent protocol cannot be shut down from a single location, and no takedown order will force a single service provider to stop sharing the show. In response to this dilemma, content creators such as HBO have turned to copyright law and the legal system (at least in the United States), sending takedown notices to individual users who illegally download the TV show and often threatening legal action if the behavior continues. Because of the decentralized nature of BitTorrent, nobody regulates the exchange of files to ensure that only legitimate files are exchanged and that no malware is added. Malware authors take full advantage of this and spread fake video files that appear corrupted when a user attempts to open them. Included with the file is a readme.txt that instructs the user to download a special player or codec to view the video file they just downloaded. Just as in the previous example, this is a social engineering attack meant to trick the user into installing malware on their system.

The most ingenious method of attack involves a legitimate copy of the video file paired with a malicious subtitle file. In 2017, security researchers discovered a vulnerability in many popular video playback applications, including the widely used VLC player, where a maliciously crafted subtitle file could lead to remote code execution. While VLC itself is open source and for the most part secure, the subtitle processor is an interpreter, and its code is not scrutinized as closely as the core player application. This led to users loading malicious code at the same time as they watched pirated video files.

Legitimate websites where users can pay to watch streams legally are not immune to malicious behavior. In 2017, Showtime was the target of a malicious code injection attack in which paying subscribers had their CPU cycles stolen to mine Monero cryptocurrency for the attackers. In 2018, YouTube, the parent of YouTube TV, was also hit with a malvertising campaign that caused video viewers to load malicious advertisements full of malicious JavaScript that mined Monero on behalf of the attackers. Even when users have the best of intentions and pay for streaming services, they can still be the target of cyber attacks.

There are many defenses organizations can employ to reduce the risk introduced by Game of Thrones fans. Many “good enough” security solutions rely on reputation and “top 1000” lists to decide what to inspect, due to platform or hardware limitations, especially when performing SSL inspection. CDNs and “trusted websites” such as YouTube and Showtime are exempted from inspection to save precious CPU cycles and avoid impacting the end-user experience. Security solutions that do not scale to the cloud, or were not designed with SSL inspection in scope, will often encounter performance issues once all categories of traffic are set to inspection.

Cloud security proxies designed with scale in mind will scan every byte of data regardless of URL destination or site reputation. Scanning every byte of data with SSL inspection is essential so that attackers cannot leverage gaps in other security solutions. File type control ensures users do not download executable (EXE) files disguised as fake players or codecs. A cloud sandbox allows organizations to detonate an unknown file in a controlled environment and render a verdict before users are allowed to download questionable files. A cloud-based next-generation firewall can block port-hopping applications such as BitTorrent and shield organizations from the legal and technical risks associated with downloading illegal and questionable content, without any hardware required.
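The file type control described above only works if it looks at what a download actually contains rather than what it is called, since a fake “player” or “codec” is routinely an EXE renamed to look like media. The following is an added example, not code from the article or from any vendor’s product: it classifies a download by its leading magic bytes, blocks executable content whatever the extension says, and blocks executable extensions by policy. The sample downloads at the bottom are constructed stand-ins, not real files.

```python
"""Added example (not from the article): minimal file-type control that
inspects a download's first bytes instead of trusting its file name."""
from dataclasses import dataclass

# Well-known magic numbers: (signature bytes, offset, label).
MAGIC = [
    (b"MZ", 0, "pe-executable"),                    # Windows EXE/DLL
    (b"\x7fELF", 0, "elf-executable"),              # Linux ELF
    (b"\xcf\xfa\xed\xfe", 0, "macho-executable"),   # Mach-O 64-bit
    (b"\xfe\xed\xfa\xcf", 0, "macho-executable"),
    (b"\xca\xfe\xba\xbe", 0, "macho-fat-executable"),
    (b"\x1a\x45\xdf\xa3", 0, "matroska-video"),     # .mkv / .webm
    (b"ftyp", 4, "mp4-video"),                      # ISO BMFF: 'ftyp' at offset 4
    (b"PK\x03\x04", 0, "zip-archive"),              # zip, also many installers
]

EXECUTABLE_TYPES = {"pe-executable", "elf-executable",
                    "macho-executable", "macho-fat-executable"}
# Extensions blocked by policy even when the bytes look harmless.
BLOCKED_EXTENSIONS = {"exe", "dll", "msi", "scr", "com", "bat", "cmd"}


@dataclass
class Verdict:
    filename: str
    detected: str   # content type inferred from bytes
    action: str     # "allow" or "block"
    reason: str


def detect_type(data: bytes) -> str:
    """Classify content by magic bytes; fall back to 'text' or 'unknown'."""
    for sig, off, label in MAGIC:
        if data[off:off + len(sig)] == sig:
            return label
    try:
        data.decode("utf-8")      # subtitles, readme files, playlists
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def file_type_control(filename: str, data: bytes) -> Verdict:
    """Block executables by content first, then by extension policy."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_type(data)
    if detected in EXECUTABLE_TYPES:
        reason = "executable content"
        if ext and ext not in BLOCKED_EXTENSIONS:
            reason += f" disguised with .{ext} extension"
        return Verdict(filename, detected, "block", reason)
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(filename, detected, "block",
                       f".{ext} downloads blocked by policy")
    return Verdict(filename, detected, "allow",
                   f"content type {detected} permitted")


# Constructed sample downloads (synthetic headers, not real files).
SAMPLE_DOWNLOADS = {
    "GoT_S08E01_HD_player.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "GoT_S08E01_codec.mp4": b"MZ\x90\x00" + b"\x00" * 60,   # EXE renamed to .mp4
    "GoT_S08E01.mkv": b"\x1a\x45\xdf\xa3" + b"\x00" * 60,
    "GoT_S08E01.mp4": b"\x00\x00\x00\x18ftypisom" + b"\x00" * 52,
    "GoT_S08E01.srt": b"1\n00:00:01,000 --> 00:00:03,000\nWinter is coming.\n",
    "README.txt": b"Video will not play? Install the bundled codec first.\n",
}


def scan_all(files=None) -> dict:
    """Run the control over a set of downloads; returns {name: Verdict}."""
    files = SAMPLE_DOWNLOADS if files is None else files
    return {name: file_type_control(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, v in scan_all().items():
        print(f"{v.action:5}  {name:28}  {v.detected:20}  {v.reason}")
```

The constructed `GoT_S08E01_codec.mp4` entry is the case the article warns about: its extension passes a naive media allowlist, but the bytes are a PE header, so it is blocked as a disguised executable. Real proxies go further (nested archives, polyglots, sandbox detonation), but the principle is the same: never let the file name decide.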

Malware authors and attackers often take advantage of world events as a catalyst for their attack campaigns. Fans of Game of Thrones have been waiting almost a year and a half for the final season to premiere, and attackers feed off that desperation to spread their malware onto unsuspecting viewers. A framework of legal and regulatory requirements often forces users toward questionable or illegal streaming services even when they wish to pay for the service. “Good enough” security solutions expose many gaps that attackers exploit, such as delivering malware through “trusted” websites and through SSL or TLS encryption. My guess as to who will rule Westeros at the end of Season 8? Samwell Tarly.

More articles by Chris Louie, CISSP

