Attacks/Breaches
12/10/2013 05:59 PM

'Mystery' Malware Files Often Missed In Cleanup

Some malware infections leave stealthy beachhead files behind after the main malware is detected and removed

The newly disrupted ZeroAccess botnet was previously spotted putting a new spin on infecting a user: injecting itself into the download process of Adobe Flash. It used a new variant of the infamous Trojan that the victim's anti-malware program didn't yet recognize.

"It was pretty clever because it was combining social engineering with technical prowess. Sometimes you see attacks based solely on tricking users, so it's weird to see both together in one attack," says Zulfikar "Zully" Ramzan, principal engineer of the Security Business Group at Cisco's Sourcefire.

Ramzan says the Flash application was legitimate, but ZeroAccess quietly injected itself into the Flash download, thus infecting the user. The malware-laden file was then able to remain under the radar, and the AV program didn't catch it.

ZeroAccess's nifty trick of hiding from anti-malware and other tools is just an example of how many malware cleanup processes today miss some elements of the malware. Leftover infected files that appear legit and don't get detected often remain behind after a malware cleanup, causing the machine to become reinfected over and over, Ramzan says.

"We see that kind of behavior about 20 percent of the time: seeing the thing that got dropped by the original malware, without seeing the original malware right away. ZeroAccess is an example of where the actual initial threat goes undetected, but we see the stuff that gets on after that point," he says. "It happens very frequently that we see the detection taking place, and there's actually a broader infection under that initial detection."

And most malware creates new files, seven-eighths of which are deemed unknown, Ramzan says. "We don't know if the file is good or bad," he adds.

Anti-malware programs in those cases don't have a signature for those files, he says.

Ramzan says three-quarters of the time his group sees new malware on a corporate system, the malware was created by an unknown file. "Often times, these unknowns should have been marked as malicious, but they just weren't. The key is really looking at the unknowns that are created and that created something."

[Microsoft, FBI, and Europol say they have disrupted ZeroAccess, a botnet that infected more than 2 million machines. See Microsoft Teams With Law Enforcement, Disrupts ZeroAccess Botnet.]

These residual malicious files don't get detected, and the machine ends up infected all over again. "If you don't clean up that mystery file, there's a good chance you'll stay in a persistently infected state," Ramzan says. The files may do nothing more than bring in other files, but the bottom line is the machine remains in an infected state, he says.

Anti-malware software typically misses those related files, which are designed to evade AV software. "You have to know what the file did, and all the files around it. Is there a guilt-by-association happening?"
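The "guilt by association" check described above can be expressed as a walk over file-creation lineage: start from the one file the AV product did flag, follow what it dropped and what dropped it, and surface every unknown-reputation file on that chain as a cleanup candidate. The following is an added illustration written for this article, not Cisco's, Sourcefire's or any vendor's code; the event list, file names and reputation labels are constructed placeholders, and the only assumption is that the endpoint can report which process or file created which other file.

```python
from collections import defaultdict

# Constructed sample of endpoint file-creation events, as (creator, created).
# All names are invented for this example; none refers to a real artifact.
EVENTS = [
    ("flash_installer.exe", "svc_helper.dll"),  # the detected dropper's first payload
    ("svc_helper.dll", "cache.tmp"),            # payload drops a second-stage file
    ("cache.tmp", "update.bin"),                # which in turn fetches a third
    ("explorer.exe", "notes.txt"),              # ordinary user activity
    ("setup_office.exe", "office.dll"),         # ordinary signed installer
]

# Reputation the AV/reputation service holds for each file (constructed).
# Only the initial dropper was ever flagged; everything it left behind is "unknown".
REPUTATION = {
    "flash_installer.exe": "malicious",
    "svc_helper.dll": "unknown",
    "cache.tmp": "unknown",
    "update.bin": "unknown",
    "explorer.exe": "good",
    "notes.txt": "unknown",
    "setup_office.exe": "good",
    "office.dll": "good",
}


def build_lineage(events):
    """Index creation events in both directions so the walk can go up and down."""
    children = defaultdict(set)
    parents = defaultdict(set)
    for creator, created in events:
        children[creator].add(created)
        parents[created].add(creator)
    return children, parents


def guilt_by_association(events, reputation):
    """Return unknown-reputation files linked by creation lineage to a detection.

    Seeds are the files the AV product flagged. The walk follows both what a
    flagged file created and what created it, so a detected second stage still
    leads back to an undetected dropper. Known-good files act as a boundary:
    a trusted process writing a file is not evidence against that file, which
    keeps explorer.exe's ordinary output out of the result.
    """
    children, parents = build_lineage(events)
    seeds = {name for name, rep in reputation.items() if rep == "malicious"}
    seen = set(seeds)
    stack = list(seeds)
    while stack:
        current = stack.pop()
        for neighbor in children[current] | parents[current]:
            if reputation.get(neighbor, "unknown") == "good":
                continue
            if neighbor not in seen:
                seen.add(neighbor)
                stack.append(neighbor)
    # Report only the files that have no verdict yet: these are the "mystery"
    # leftovers a signature-only cleanup would miss.
    return sorted(name for name in seen if reputation.get(name, "unknown") == "unknown")


if __name__ == "__main__":
    for name in guilt_by_association(EVENTS, REPUTATION):
        print(f"review for cleanup: {name}")
```

Run against the constructed events, the walk flags svc_helper.dll, cache.tmp and update.bin, none of which has a signature, while notes.txt stays out of the list because its only link is to a known-good creator. In practice the event source would be an EDR or Sysmon-style file-creation log rather than an inline list, and the "good" boundary would come from code-signing or reputation data.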

Where does such an undetected file typically reside? "It can be all over the place. Sometimes it's directly on the file system. Some systems of malware will create a hidden system file layer," he says. "It's not completely invisible, but it's invisible to simple checks. Once something is on your system and compromises it, there's a good chance that it's going to embed itself so deeply that it will be hard to find except by really deep inspection."

At the heart of the problem is that malware writers continue to raise the bar in the way their code infects, hides, and spreads, security experts say.

"It's smarter, shadier, and stealthier," says John Shier, senior security adviser for Sophos, which published a new report today that shows how malware is getting better at hiding and persistence. "There's been an evolution of malware techniques."

Shier says the ZeroAccess botnet is a good example of how botnets are also becoming more resilient to takedowns. "Some 500,000 nodes were taken down in a sinkholing [operation] in the summer. Then they responded ... and increased the number of droppers, so within weeks it was back up again," he says.

Meanwhile, technology alone isn't enough to ensure malware is completely eradicated, Cisco's Ramzan says: "You cannot detect it using traditional techniques." Instead, "you can look for [related] behaviors to ZeroAccess," for example, in other files.

"It's a paradigm shift because people typically focus on detection, which is really about saying if something is good or bad based on what you're able to see in the content," he says. "But you need to look at the file and the overall context around it, and make sure you have that visibility as your overall foundation."

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
