Vulnerabilities / Threats

5/15/2013
10:48 PM
50%
50%

Mass Customized Attacks Show Malware Maturity

The malware universe is typically divided into targeted attacks and mass, opportunistic attacks, but a middle category -- mass customized malware -- poses a more serious threat for business

Products frequently follow a trajectory from customized prototypes to mass-produced goods, and -- when the market matures -- manufacturers typically find ways to lure consumers by allowing efficient customization.

The evolution is no different for malware. At one time, each author built his own malicious program. Then, from early virus creation kits to more modern exploit kits, developers industrialized the creation of malicious programs, allowing criminals to easily create attacks to fit their needs. Increasingly, however, attackers are combining easy-to-create mass attacks with the ability to tailor the malware to target specific groups.

These mass customized attacks gain many of the benefits of targeted malware -- such as more readily fooling victims and evading defenses -- while also being easy to create, two researchers from Adobe told attendees at the recent Hack in the Box Conference in Amsterdam. With efficient creation of malware under their belts, malware authors are searching for customizations that will make their malware the most successful, Peleus Uhley, platform security strategist for Adobe, said in an e-mail interview.

"The techniques and code have reached a level where the process of creating an attack for a specific victim is becoming increasingly streamlined," he says. "If an attack of sufficient quality such that it involves interchangeable parts that can be easily customized for multiple individual target, then we consider that exploit to have achieved mass customization."

With security software companies gathering threat data from their networks of customer systems, mass malware is finding less success. Customizing the malware, however, can blunt the effectiveness of the fast exchange of threat information. Even basic customizations, such as polymorphism, has cause problems for security firms.

But mass customization goes beyond that. Adobe, for example, has seen malicious Flash and PDF files that have interchangeable components to allow for quick customization -- from changing the contents of the document to using different exploits.

[It's no secret that malware is dodging defenses; security experts pinpoint successful strategies, including the use of real-time communications, frequent disguises, and laying low. See Five Habits Of Highly Successful Malware.]

Social engineering is another aspect of malware that has seen major changes due to the trend toward customization. Combining data aggregation along with online marketing techniques can result in automated messages that use enough personal information to be convincing enough to fool many users, says Johannes Ullrich, director of the SANS Internet Storm Center.

"It is the intersection of spearphishing and mass-spam phishing," Ullrich says. "The e-mail received by people are customized for the victims, but in an automated way."

As such, companies should look to train their users to spot likely fraudulent messages.

"Users should all be informed, aware, and educated," says Adam Kujawa, the lead malware intelligence analyst for anti-malware software maker Malwarebytes. "That is the best way to fight any of these threats."

In many cases, mass customized attacks will chain together a number of bugs, sometimes in different products, forcing software developers to collaborate to better understand the chain of vulnerabilities.

While mass customized malware can evade detection by intrusion detection systems and antivirus -- and better fool users -- the added complexity needed to bypass defenses and disguise the software can make it easier for defenders to spot the attacks, Adobe's Uhley says.

"The one advantage that defenders have overall is that, as these attacks become larger and more complex, the ability for the defender to interfere with that complexity increases," he says. "The defender would likely only need to disarm the weakest component of an exploit to break it and thwart an attack."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14633
PUBLISHED: 2018-09-25
A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The at...
CVE-2018-14647
PUBLISHED: 2018-09-25
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming larg...
CVE-2018-10502
PUBLISHED: 2018-09-24
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Galaxy Apps Fixed in version 4.2.18.2. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exist...
CVE-2018-11614
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Samsung Members Fixed in version 2.4.25. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists wit...
CVE-2018-14318
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S8 G950FXXU1AQL5. User interaction is required to exploit this vulnerability in that the target must have their cellular radios enabled. The specific flaw exists within the handling of ...