A common thread among most of these unusual or odd malware samples that typically fly under the radar is that they're all about going after specific information or data, rather than more general attacks that cast a wide net and make the headlines. And the writers of these lesser-known and uncommon malware packages are using new methods to keep the attacks alive longer -- even if it means brazenly attacking researchers who try to study them.
Even so, most attacks over the next five years will still come from the morphing malware variants that are common today, but in higher and higher volumes, experts say. "We're going to have to deal with more volume and attacks. And at the same time, there will be instances of really high quality attacks, where the attackers have thought things through -- and not for a quick buck, but for something sustainable," says Patrik Runald, chief security advisor for F-Secure.
"We'll see more malware families that are technically advanced and stay around for longer periods of time," he says. "Instead of recompiling variants of existing [malware], they will be refined slowly but surely, in a controlled manner" with new features, as Conficker and Torpig were, he says.
Security researchers are seeing some intriguing malware in small pockets. One piece of malware found on a desktop machine during a forensics investigation was actually pre-coded to steal specific information from the victim's organization, says Greg Hoglund, CEO and founder of HBGary, whose company sees about 5,000 new pieces of malware a day. "It knew what it was looking for," he says. And the malware was disposable so that it could disappear without a trace after doing its dirty work.
That's a step up from an advanced method used by some malware writers to "clean up" after they infiltrate a system in order to cover their tracks, according to Hoglund.
Then there was the malware that was written specifically to crawl for, and to steal intellectual property. What was most unusual about the malware is that could crawl different file types -- Excel, PDF, for instance -- for intellectual property to steal, Hoglund says. Then it would encrypt and send the stolen information to its own servers. The malware likely initially infected the machine via a spear-phishing or in a cross-site scripting (XSS) attack, he says.
Another method researchers are seeing emerge are what they call "hack-back" techniques by malware writers. Gunter Ollmann, vice president of research for Damballa, says some malware is being written with built-in functions that allow it to hack a researcher's machine. Fighting back isn't new for malware writers: "Some malware today has the ability to identify if it's being run in a sandbox or virtual environment and then it runs a different process if it detects that" in order to throw off the researchers, he says.
But Ollmann says the "hack-back" feature, where malware can detect if it's being studied by a researcher and then turns around and compromises the researcher's machine, is the next step. "There are hints that it's out there," he says. "I've seen a few discussions on hacker forums that are developing and selling the latest DIY kits that offer this functionality."
He says a few proof-of-concepts have demonstrated how to detect malware in VMware. "Then the attacker could use public exploits for VMware to break out and compromise the researcher's machine," he says.
Some botnet malware wages distributed denial-of-service (DDoS) attacks on researchers if they get too close to the command-and-control (C&C) system. "If you try to reach out to a command and control server without the right credentials, then that C&C may issue commands to the botnet to attack you. It would take the form of a DDoS attack against the enterprise trying to manually connect to the C&C," Ollmann says. "The command and control server can detect the machine isn't one of its bots."
And as in the case of Conficker, the malware can actually blacklist investigators trying to access the botnet server. "So the good guys are being blacklisted," he says. But Ollmann says these types of techniques used by malware writers are still rare. "And it's either very sophisticated cybercrime teams investing a lot of money in it, or tinkerers [trying] new techniques," he says.
Despite all of the hype and attention that went to the Conficker threat, there are still 5 million infected machines out there today, according to F-Secure's count. F-Secure's Runald points to some of the malware features built into the code that make it difficult for researchers to take down Conficker.
Unlike the infamous Storm botnet, Conficker doesn't include an initial seed-list of victims that researchers can ultimately contain. "I'm confident that was a response to the work we were doing ... how they moved to a peer-to-peer command and control, and that Conficker doesn't even contain an initial seed list," he says. "This is a clear example of where they thought things through and had a clear response to anything we threw at them. And that's part of the reason we haven't been able to close them down."
"I fear that in the future, we'll see more malware that is developed in that way to actively" deflect what we throw at it, he says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.