Vulnerabilities / Threats
5/15/2013
10:48 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Mass Customized Attacks Show Malware Maturity

The malware universe is typically divided into targeted attacks and mass, opportunistic attacks, but a middle category -- mass customized malware -- poses a more serious threat for business

Products frequently follow a trajectory from customized prototypes to mass-produced goods, and -- when the market matures -- manufacturers typically find ways to lure consumers by allowing efficient customization.

The evolution is no different for malware. At one time, each author built his own malicious program. Then, from early virus creation kits to more modern exploit kits, developers industrialized the creation of malicious programs, allowing criminals to easily create attacks to fit their needs. Increasingly, however, attackers are combining easy-to-create mass attacks with the ability to tailor the malware to target specific groups.

These mass customized attacks gain many of the benefits of targeted malware -- such as more readily fooling victims and evading defenses -- while also being easy to create, two researchers from Adobe told attendees at the recent Hack in the Box Conference in Amsterdam. With efficient creation of malware under their belts, malware authors are searching for customizations that will make their malware the most successful, Peleus Uhley, platform security strategist for Adobe, said in an e-mail interview.

"The techniques and code have reached a level where the process of creating an attack for a specific victim is becoming increasingly streamlined," he says. "If an attack of sufficient quality such that it involves interchangeable parts that can be easily customized for multiple individual target, then we consider that exploit to have achieved mass customization."

With security software companies gathering threat data from their networks of customer systems, mass malware is finding less success. Customizing the malware, however, can blunt the effectiveness of the fast exchange of threat information. Even basic customizations, such as polymorphism, has cause problems for security firms.

But mass customization goes beyond that. Adobe, for example, has seen malicious Flash and PDF files that have interchangeable components to allow for quick customization -- from changing the contents of the document to using different exploits.

[It's no secret that malware is dodging defenses; security experts pinpoint successful strategies, including the use of real-time communications, frequent disguises, and laying low. See Five Habits Of Highly Successful Malware.]

Social engineering is another aspect of malware that has seen major changes due to the trend toward customization. Combining data aggregation along with online marketing techniques can result in automated messages that use enough personal information to be convincing enough to fool many users, says Johannes Ullrich, director of the SANS Internet Storm Center.

"It is the intersection of spearphishing and mass-spam phishing," Ullrich says. "The e-mail received by people are customized for the victims, but in an automated way."

As such, companies should look to train their users to spot likely fraudulent messages.

"Users should all be informed, aware, and educated," says Adam Kujawa, the lead malware intelligence analyst for anti-malware software maker Malwarebytes. "That is the best way to fight any of these threats."

In many cases, mass customized attacks will chain together a number of bugs, sometimes in different products, forcing software developers to collaborate to better understand the chain of vulnerabilities.

While mass customized malware can evade detection by intrusion detection systems and antivirus -- and better fool users -- the added complexity needed to bypass defenses and disguise the software can make it easier for defenders to spot the attacks, Adobe's Uhley says.

"The one advantage that defenders have overall is that, as these attacks become larger and more complex, the ability for the defender to interfere with that complexity increases," he says. "The defender would likely only need to disarm the weakest component of an exploit to break it and thwart an attack."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web