| SnailLoad | |
| --- | --- |
| Type of Malware | Exploit Kit |
| Country of Origin | Hong Kong |
| Date of Initial Activity | 2024 |
| Attack Vectors | TBD |
| Targeted Systems | Linux |
Overview
In the ever-evolving landscape of cybersecurity threats, the emergence of SnailLoad malware represents a significant advancement in the exploitation of network vulnerabilities. Discovered by researchers at Graz University of Technology, SnailLoad is a sophisticated side-channel attack that leverages network latency to infer users’ web activities without direct access to the victim’s system. This attack exploits a fundamental bottleneck present in all Internet connections, demonstrating how even seemingly innocuous aspects of network performance can be weaponized for surveillance and data extraction.
The core functionality of SnailLoad is remote measurement and analysis of network latency. By tricking a target into downloading a benign asset, such as an image or a file, from a server controlled by the attacker, SnailLoad uses the inherent delay in network traffic to extract information about the victim’s online behavior. This is achieved by measuring variations in round-trip time (RTT), which reflect the volume of data the victim’s connection is carrying at that moment. The RTT patterns associated with different web activities enable the attacker to classify and infer the specific content being accessed by the user with notable accuracy.
How they operate
Exploitation of Network Latency
At its core, SnailLoad leverages network latency, specifically the Round-Trip Time (RTT) of network packets. RTT is the time taken for a data packet to travel from the sender to the receiver and back. In SnailLoad, an attacker tricks the target into downloading a seemingly innocuous asset, such as an image or a file, from a server under their control. The download itself is only a probe: the victim’s other traffic, queued at the same network bottleneck, delays the attacker’s packets and so shows up as RTT variation. By measuring these latency fluctuations, the attacker can infer the amount of data being transmitted and thus determine the type of content being accessed by the victim.
Technical Mechanism
The technical operation of SnailLoad involves several key steps. First, the attacker sets up a server that delivers content to the victim at a controlled and slow rate, effectively creating a “snail-paced” transmission. This deliberate throttling introduces detectable latency variations based on the volume of data being processed. As the victim interacts with the web content, these latency variations are recorded and analyzed.
The attacker employs a convolutional neural network (CNN) trained on latency traces from a similar network setup to interpret the RTT data. The CNN is capable of distinguishing between different types of web content based on the unique latency patterns associated with each activity. For instance, watching a video or accessing a specific website generates distinct RTT signatures that the CNN can classify with high accuracy. This process allows the attacker to infer the exact nature of the victim’s web activities with up to 98% accuracy for videos and 63% for websites.
Bufferbloat and Its Role
Bufferbloat is a significant factor in SnailLoad’s effectiveness. It refers to excessive buffering in network nodes, typically the last device before the user’s modem or router, which leads to increased latency and jitter. SnailLoad exploits this buffering issue to measure latency changes over time. Since the buffering delays affect RTT measurements, the attacker can use these variations to deduce the amount and type of data being transmitted.
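The bottleneck-queue model behind the mechanism described above (slow probe download, victim traffic queued at the last-mile link, RTT rising with the backlog) as an added, constructed simulation; it is not the TU Graz code. All sizes, rates and the video-like traffic trace are assumptions, and the small-queue case is a tail-drop simplification of an AQM-managed link used to show why bufferbloat is what makes the signal large.

```python
"""Toy bottleneck-queue model of the SnailLoad side channel (constructed example).

The attacker's snail-paced download is one small probe packet per tick; its
RTT grows with the bytes queued ahead of it in the victim's last-mile buffer.
"""

BASE_RTT_MS = 20.0   # propagation delay with an empty queue (assumed)
PROBE_BYTES = 100    # size of the attacker's trickle packet (assumed)


def simulate_rtt(victim_bytes_per_tick, link_bytes_per_tick, max_queue_bytes, tick_ms=1.0):
    """Return the probe RTT (ms) observed at every tick.

    Each tick the victim's foreground bytes arrive first, then the probe; the
    link drains link_bytes_per_tick. Queueing delay = bytes ahead / drain rate.
    max_queue_bytes is a tail-drop limit: large = bufferbloat, small ~ AQM.
    """
    backlog, rtts = 0, []
    for v in victim_bytes_per_tick:
        ahead = min(backlog + v, max_queue_bytes)  # bytes queued ahead of the probe
        rtts.append(BASE_RTT_MS + ahead / link_bytes_per_tick * tick_ms)
        backlog = max(0, min(ahead + PROBE_BYTES, max_queue_bytes) - link_bytes_per_tick)
    return rtts


def active_ticks(rtts, threshold_ms=5.0):
    """Ticks whose RTT exceeds the empty-queue baseline by more than threshold_ms,
    i.e. the coarse 'victim is transferring' signal a classifier would key on."""
    return [i for i, r in enumerate(rtts) if r - BASE_RTT_MS > threshold_ms]


def video_like_trace(length=120, burst_at=(10, 70), burst_bytes=50_000):
    """Constructed victim traffic: idle link with two 50 kB segment fetches."""
    return [burst_bytes if t in burst_at else 0 for t in range(length)]


LINK = 1_250  # bytes per 1 ms tick, i.e. a 10 Mbit/s last-mile link (assumed)

if __name__ == "__main__":
    trace = video_like_trace()
    bloated = simulate_rtt(trace, LINK, max_queue_bytes=1_000_000)
    managed = simulate_rtt(trace, LINK, max_queue_bytes=5_000)
    print("bufferbloat: peak RTT %.1f ms, %d leaky ticks" % (max(bloated), len(active_ticks(bloated))))
    print("small queue: peak RTT %.1f ms, %d leaky ticks" % (max(managed), len(active_ticks(managed))))
```

With the bloated buffer each 50 kB fetch lifts the probe RTT by 40 ms and stays visible for 39 ticks; capping the queue at 5 kB limits the excess to 4 ms, below the detection threshold, which is the reason AQM on the last-mile device shrinks this channel.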