Attacks/Breaches
12/10/2013
05:59 PM

'Mystery' Malware Files Often Missed In Cleanup

Some malware infections leave stealthy beachhead files behind after the main malware is detected and removed

The newly disrupted ZeroAccess botnet was previously spotted putting a new spin on infecting a user: injecting itself into the download process of Adobe Flash. It used a new variant of the infamous Trojan that the victim's anti-malware program didn't yet recognize.

"It was pretty clever because it was combining social engineering with technical prowess. Sometimes you see attacks based solely on tricking users, so it's weird to see both together in one attack," says Zulfikar "Zully" Ramzan, principal engineer of the Security Business Group at Cisco's Sourcefire.

Ramzan says the Flash application was legitimate, but ZeroAccess quietly injected itself into the Flash download, thus infecting the user. The malware-laden file was then able to remain under the radar, and the AV program didn't catch it.

ZeroAccess's nifty trick of hiding from anti-malware and other tools is just an example of how many malware cleanup processes today miss some elements of the malware. Leftover infected files that appear legit and don't get detected often remain behind after a malware cleanup, causing the machine to become reinfected over and over, Ramzan says.

"We see that kind of behavior about 20 percent of the time: seeing the thing that got dropped by the original malware, without seeing the original malware right away. ZeroAccess is an example of where the actual initial threat goes undetected, but we see the stuff that gets on after that point," he says. "It happens very frequently that we see the detection taking place, and there's actually a broader infection under that initial detection."

And most malware creates new files, seven-eighths of which are deemed unknown, Ramzan says. "We don't know if the file is good or bad," he adds.

Anti-malware programs in those cases don't have a signature for those files, he says.

Ramzan says three-quarters of the time his group sees new malware on a corporate system, the malware was created by an unknown file. "Oftentimes, these unknowns should have been marked as malicious, but they just weren't. The key is really looking at the unknowns that are created and that created something."

[Microsoft, FBI, and Europol say they have disrupted ZeroAccess, a botnet that infected more than 2 million machines. See Microsoft Teams With Law Enforcement, Disrupts ZeroAccess Botnet.]

These residual malicious files don't get detected, and the machine ends up infected all over again. "If you don't clean up that mystery file, there's a good chance you'll stay in a persistently infected state," Ramzan says. The files may do nothing more than bring in other files, but the bottom line is the machine remains in an infected state, he says.

Anti-malware software typically misses those related files, which are designed to evade AV software. "You have to know what the file did, and all the files around it. Is there a guilt-by-association happening?"
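As an added example (not code from the article, Sourcefire or Cisco) of the "guilt by association" triage Ramzan describes: starting from the one file the AV engine did detect, follow endpoint file-creation events to find the files it dropped, and then pick out the unknown files that were both created by something and created something themselves. The events, file names and verdicts are constructed sample data.

```python
from collections import defaultdict

# Constructed sample of endpoint file-creation events: (creating file, created file).
EVENTS = [
    ("flash_installer.exe", "svchost_helper.dll"),  # trojanised download drops a DLL
    ("svchost_helper.dll", "sys_cache.bin"),        # DLL drops a stealthy beachhead file
    ("sys_cache.bin", "update_agent.exe"),          # beachhead later brings in more files
    ("sys_cache.bin", "ad_click.dll"),
    ("winword.exe", "report.docx"),                 # unrelated benign lineage for contrast
]
# Constructed AV verdicts; a file not listed here has no signature and is "unknown".
VERDICTS = {
    "flash_installer.exe": "clean",
    "svchost_helper.dll": "malicious",  # the one file AV actually detected and removed
    "winword.exe": "clean",
    "report.docx": "clean",
}

def verdict(name, verdicts=VERDICTS):
    return verdicts.get(name, "unknown")

def lineage(events):
    # Creation graph: each creating file -> the files it wrote.
    children = defaultdict(list)
    for creator, created in events:
        children[creator].append(created)
    return children

def guilt_by_association(events, verdicts=VERDICTS):
    """All files reachable from a detected-malicious file via creation edges,
    signature or not: the detection is the top of the infection, not all of it."""
    children = lineage(events)
    nodes = {c for c, _ in events} | {d for _, d in events}
    stack = [f for f in nodes if verdict(f, verdicts) == "malicious"]
    tainted = set()
    while stack:
        f = stack.pop()
        if f not in tainted:
            tainted.add(f)
            stack.extend(children.get(f, []))
    return tainted

def mystery_files(events, verdicts=VERDICTS):
    """Unknown files that were both created by something and created something:
    the leftover beachheads a cleanup that removes only the detected file misses."""
    children = lineage(events)
    created = {d for _, d in events}
    tainted = guilt_by_association(events, verdicts)
    return sorted(f for f in created & set(children)
                  if f in tainted and verdict(f, verdicts) == "unknown")
```

Removing only `svchost_helper.dll` would leave `sys_cache.bin` in place, which is exactly the residual file this check surfaces for deeper inspection.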

Where does such an undetected file typically reside? "It can be all over the place. Sometimes it's directly on the file system. Some systems of malware will create a hidden system file layer," he says. "It's not completely invisible, but it's invisible to simple checks. Once something is on your system and compromises it, there's a good chance that it's going to embed itself so deeply that it will be hard to find except by really deep inspection."

At the heart of the problem is that malware writers continue to raise the bar in the way their code infects, hides, and spreads, security experts say.

"It's smarter, shadier, and stealthier," says John Shier, senior security adviser for Sophos, which published a new report today that shows how malware is getting better at hiding and persistence. "There's been an evolution of malware techniques."

Shier says the ZeroAccess botnet is a good example of how botnets are also becoming more resilient to takedowns. "Some 500,000 nodes were taken down in a sinkholing [operation] in the summer. Then they responded ... and increased the number of droppers, so within weeks it was back up again," he says.

Meanwhile, technology alone isn't enough to ensure malware is completely eradicated, Cisco's Ramzan says: "You cannot detect it using traditional techniques. You can look for [related] behaviors to ZeroAccess," for example, in other files.

"It's a paradigm shift because people typically focus on detection, which is really about saying if something is good or bad based on what you're able to see in the content," he says. "But you need to look at the file and the overall context around it, and make sure you have that visibility as your overall foundation."

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
