Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:50 PM
Connect Directly

Rare Malware A Hint Of Threats To Come

Researchers are spotting new forms of malware features that could signal a new generation of harder-to-kill badware

While pervasive, widespread malware attacks like Conficker get all the attention, there's another generation of obscure and dangerous malware that so far is too rare to be considered a threat -- but could provide a hint of things to come.

A common thread among most of these unusual or odd malware samples that typically fly under the radar is that they're all about going after specific information or data, rather than more general attacks that cast a wide net and make the headlines. And the writers of these lesser-known and uncommon malware packages are using new methods to keep the attacks alive longer -- even if it means brazenly attacking researchers who try to study them.

Even so, most attacks over the next five years will still come from the morphing malware variants that are common today, but in higher and higher volumes, experts say. "We're going to have to deal with more volume and attacks. And at the same time, there will be instances of really high quality attacks, where the attackers have thought things through -- and not for a quick buck, but for something sustainable," says Patrik Runald, chief security advisor for F-Secure.

"We'll see more malware families that are technically advanced and stay around for longer periods of time," he says. "Instead of recompiling variants of existing [malware], they will be refined slowly but surely, in a controlled manner" with new features, as Conficker and Torpig were, he says.

Security researchers are seeing some intriguing malware in small pockets. One piece of malware found on a desktop machine during a forensics investigation was actually pre-coded to steal specific information from the victim's organization, says Greg Hoglund, CEO and founder of HBGary, whose company sees about 5,000 new pieces of malware a day. "It knew what it was looking for," he says. And the malware was disposable so that it could disappear without a trace after doing its dirty work.

That's a step up from an advanced method used by some malware writers to "clean up" after they infiltrate a system in order to cover their tracks, according to Hoglund.

Then there was the malware that was written specifically to crawl for, and to steal intellectual property. What was most unusual about the malware is that could crawl different file types -- Excel, PDF, for instance -- for intellectual property to steal, Hoglund says. Then it would encrypt and send the stolen information to its own servers. The malware likely initially infected the machine via a spear-phishing or in a cross-site scripting (XSS) attack, he says.

Another method researchers are seeing emerge are what they call "hack-back" techniques by malware writers. Gunter Ollmann, vice president of research for Damballa, says some malware is being written with built-in functions that allow it to hack a researcher's machine. Fighting back isn't new for malware writers: "Some malware today has the ability to identify if it's being run in a sandbox or virtual environment and then it runs a different process if it detects that" in order to throw off the researchers, he says.

But Ollmann says the "hack-back" feature, where malware can detect if it's being studied by a researcher and then turns around and compromises the researcher's machine, is the next step. "There are hints that it's out there," he says. "I've seen a few discussions on hacker forums that are developing and selling the latest DIY kits that offer this functionality."

He says a few proof-of-concepts have demonstrated how to detect malware in VMware. "Then the attacker could use public exploits for VMware to break out and compromise the researcher's machine," he says.

Some botnet malware wages distributed denial-of-service (DDoS) attacks on researchers if they get too close to the command-and-control (C&C) system. "If you try to reach out to a command and control server without the right credentials, then that C&C may issue commands to the botnet to attack you. It would take the form of a DDoS attack against the enterprise trying to manually connect to the C&C," Ollmann says. "The command and control server can detect the machine isn't one of its bots."

And as in the case of Conficker, the malware can actually blacklist investigators trying to access the botnet server. "So the good guys are being blacklisted," he says. But Ollmann says these types of techniques used by malware writers are still rare. "And it's either very sophisticated cybercrime teams investing a lot of money in it, or tinkerers [trying] new techniques," he says.

Despite all of the hype and attention that went to the Conficker threat, there are still 5 million infected machines out there today, according to F-Secure's count. F-Secure's Runald points to some of the malware features built into the code that make it difficult for researchers to take down Conficker.

Unlike the infamous Storm botnet, Conficker doesn't include an initial seed-list of victims that researchers can ultimately contain. "I'm confident that was a response to the work we were doing ... how they moved to a peer-to-peer command and control, and that Conficker doesn't even contain an initial seed list," he says. "This is a clear example of where they thought things through and had a clear response to anything we threw at them. And that's part of the reason we haven't been able to close them down."

"I fear that in the future, we'll see more malware that is developed in that way to actively" deflect what we throw at it, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-16
The MuleSoft Mule runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections.
PUBLISHED: 2019-10-16
NSA Ghidra through 9.0.4 uses a potentially untrusted search path. When executing Ghidra from a given path, the Java process working directory is set to this path. Then, when launching the Python interpreter via the "Ghidra Codebrowser > Window > Python" option, Ghidra will try to ex...
PUBLISHED: 2019-10-16
NSA Ghidra before 9.0.2 is vulnerable to DLL hijacking because it loads jansi.dll from the current working directory.
PUBLISHED: 2019-10-16
A Local Privilege Escalation vulnerability exists in the GlobalProtect Agent for Windows 5.0.3 and earlier, and GlobalProtect Agent for Windows 4.1.12 and earlier, in which the auto-update feature can allow for modification of a GlobalProtect Agent MSI installer package on disk before installation.
PUBLISHED: 2019-10-16
A Local Privilege Escalation vulnerability exists in GlobalProtect Agent for Linux and Mac OS X version 5.0.4 and earlier and version 4.1.12 and earlier, that can allow non-root users to overwrite root files on the file system.