Vulnerabilities / Threats
5/15/2013
10:48 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Mass Customized Attacks Show Malware Maturity

The malware universe is typically divided into targeted attacks and mass, opportunistic attacks, but a middle category -- mass customized malware -- poses a more serious threat for business

Products frequently follow a trajectory from customized prototypes to mass-produced goods, and -- when the market matures -- manufacturers typically find ways to lure consumers by allowing efficient customization.

The evolution is no different for malware. At one time, each author built his own malicious program. Then, from early virus creation kits to more modern exploit kits, developers industrialized the creation of malicious programs, allowing criminals to easily create attacks to fit their needs. Increasingly, however, attackers are combining easy-to-create mass attacks with the ability to tailor the malware to target specific groups.

These mass customized attacks gain many of the benefits of targeted malware -- such as more readily fooling victims and evading defenses -- while also being easy to create, two researchers from Adobe told attendees at the recent Hack in the Box Conference in Amsterdam. With efficient creation of malware under their belts, malware authors are searching for customizations that will make their malware the most successful, Peleus Uhley, platform security strategist for Adobe, said in an e-mail interview.

"The techniques and code have reached a level where the process of creating an attack for a specific victim is becoming increasingly streamlined," he says. "If an attack of sufficient quality such that it involves interchangeable parts that can be easily customized for multiple individual target, then we consider that exploit to have achieved mass customization."

With security software companies gathering threat data from their networks of customer systems, mass malware is finding less success. Customizing the malware, however, can blunt the effectiveness of the fast exchange of threat information. Even basic customizations, such as polymorphism, has cause problems for security firms.

But mass customization goes beyond that. Adobe, for example, has seen malicious Flash and PDF files that have interchangeable components to allow for quick customization -- from changing the contents of the document to using different exploits.

[It's no secret that malware is dodging defenses; security experts pinpoint successful strategies, including the use of real-time communications, frequent disguises, and laying low. See Five Habits Of Highly Successful Malware.]

Social engineering is another aspect of malware that has seen major changes due to the trend toward customization. Combining data aggregation along with online marketing techniques can result in automated messages that use enough personal information to be convincing enough to fool many users, says Johannes Ullrich, director of the SANS Internet Storm Center.

"It is the intersection of spearphishing and mass-spam phishing," Ullrich says. "The e-mail received by people are customized for the victims, but in an automated way."

As such, companies should look to train their users to spot likely fraudulent messages.

"Users should all be informed, aware, and educated," says Adam Kujawa, the lead malware intelligence analyst for anti-malware software maker Malwarebytes. "That is the best way to fight any of these threats."

In many cases, mass customized attacks will chain together a number of bugs, sometimes in different products, forcing software developers to collaborate to better understand the chain of vulnerabilities.

While mass customized malware can evade detection by intrusion detection systems and antivirus -- and better fool users -- the added complexity needed to bypass defenses and disguise the software can make it easier for defenders to spot the attacks, Adobe's Uhley says.

"The one advantage that defenders have overall is that, as these attacks become larger and more complex, the ability for the defender to interfere with that complexity increases," he says. "The defender would likely only need to disarm the weakest component of an exploit to break it and thwart an attack."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2008-3277
Published: 2014-04-15
Untrusted search path vulnerability in a certain Red Hat build script for the ibmssh executable in ibutils packages before ibutils-1.5.7-2.el6 in Red Hat Enterprise Linux (RHEL) 6 and ibutils-1.2-11.2.el5 in Red Hat Enterprise Linux (RHEL) 5 allows local users to gain privileges via a Trojan Horse p...

CVE-2010-2236
Published: 2014-04-15
The monitoring probe display in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 4.0.0 through 4.2.0 and 5.1.0 through 5.3.0, and Proxy 5.3.0, allows remote authenticated users with permissions to administer monitoring probes to execute arbitrary code via unspecified vectors, rela...

CVE-2011-3628
Published: 2014-04-15
Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10, before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.0...

CVE-2012-0214
Published: 2014-04-15
The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user fro...

CVE-2013-4768
Published: 2014-04-15
The web services APIs in Eucalyptus 2.0 through 3.4.1 allow remote attackers to cause a denial of service via vectors related to the "network connection clean up code" and (1) Cloud Controller (CLC), (2) Walrus, (3) Storage Controller (SC), and (4) VMware Broker (VB).

Best of the Web