Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:50 PM
Connect Directly

Rare Malware A Hint Of Threats To Come

Researchers are spotting new forms of malware features that could signal a new generation of harder-to-kill badware

While pervasive, widespread malware attacks like Conficker get all the attention, there's another generation of obscure and dangerous malware that so far is too rare to be considered a threat -- but could provide a hint of things to come.

A common thread among most of these unusual or odd malware samples that typically fly under the radar is that they're all about going after specific information or data, rather than more general attacks that cast a wide net and make the headlines. And the writers of these lesser-known and uncommon malware packages are using new methods to keep the attacks alive longer -- even if it means brazenly attacking researchers who try to study them.

Even so, most attacks over the next five years will still come from the morphing malware variants that are common today, but in higher and higher volumes, experts say. "We're going to have to deal with more volume and attacks. And at the same time, there will be instances of really high quality attacks, where the attackers have thought things through -- and not for a quick buck, but for something sustainable," says Patrik Runald, chief security advisor for F-Secure.

"We'll see more malware families that are technically advanced and stay around for longer periods of time," he says. "Instead of recompiling variants of existing [malware], they will be refined slowly but surely, in a controlled manner" with new features, as Conficker and Torpig were, he says.

Security researchers are seeing some intriguing malware in small pockets. One piece of malware found on a desktop machine during a forensics investigation was actually pre-coded to steal specific information from the victim's organization, says Greg Hoglund, CEO and founder of HBGary, whose company sees about 5,000 new pieces of malware a day. "It knew what it was looking for," he says. And the malware was disposable so that it could disappear without a trace after doing its dirty work.

That's a step up from an advanced method used by some malware writers to "clean up" after they infiltrate a system in order to cover their tracks, according to Hoglund.

Then there was the malware that was written specifically to crawl for, and to steal intellectual property. What was most unusual about the malware is that could crawl different file types -- Excel, PDF, for instance -- for intellectual property to steal, Hoglund says. Then it would encrypt and send the stolen information to its own servers. The malware likely initially infected the machine via a spear-phishing or in a cross-site scripting (XSS) attack, he says.

Another method researchers are seeing emerge are what they call "hack-back" techniques by malware writers. Gunter Ollmann, vice president of research for Damballa, says some malware is being written with built-in functions that allow it to hack a researcher's machine. Fighting back isn't new for malware writers: "Some malware today has the ability to identify if it's being run in a sandbox or virtual environment and then it runs a different process if it detects that" in order to throw off the researchers, he says.

But Ollmann says the "hack-back" feature, where malware can detect if it's being studied by a researcher and then turns around and compromises the researcher's machine, is the next step. "There are hints that it's out there," he says. "I've seen a few discussions on hacker forums that are developing and selling the latest DIY kits that offer this functionality."

He says a few proof-of-concepts have demonstrated how to detect malware in VMware. "Then the attacker could use public exploits for VMware to break out and compromise the researcher's machine," he says.

Some botnet malware wages distributed denial-of-service (DDoS) attacks on researchers if they get too close to the command-and-control (C&C) system. "If you try to reach out to a command and control server without the right credentials, then that C&C may issue commands to the botnet to attack you. It would take the form of a DDoS attack against the enterprise trying to manually connect to the C&C," Ollmann says. "The command and control server can detect the machine isn't one of its bots."

And as in the case of Conficker, the malware can actually blacklist investigators trying to access the botnet server. "So the good guys are being blacklisted," he says. But Ollmann says these types of techniques used by malware writers are still rare. "And it's either very sophisticated cybercrime teams investing a lot of money in it, or tinkerers [trying] new techniques," he says.

Despite all of the hype and attention that went to the Conficker threat, there are still 5 million infected machines out there today, according to F-Secure's count. F-Secure's Runald points to some of the malware features built into the code that make it difficult for researchers to take down Conficker.

Unlike the infamous Storm botnet, Conficker doesn't include an initial seed-list of victims that researchers can ultimately contain. "I'm confident that was a response to the work we were doing ... how they moved to a peer-to-peer command and control, and that Conficker doesn't even contain an initial seed list," he says. "This is a clear example of where they thought things through and had a clear response to anything we threw at them. And that's part of the reason we haven't been able to close them down."

"I fear that in the future, we'll see more malware that is developed in that way to actively" deflect what we throw at it, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-22
The F-Secure AV parsing engine before 2020-02-05 allows virus-detection bypass via crafted Compression Method data in a GZIP archive. This affects versions before 17.0.605.474 (on Linux) of Cloud Protection For Salesforce, Email and Server Security, and Internet GateKeeper.
PUBLISHED: 2020-02-22
SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field.
PUBLISHED: 2020-02-22
SOPlanning 1.45 allows XSS via the Name or Comment to status.php.
PUBLISHED: 2020-02-22
fauzantrif eLection 2.0 has SQL Injection via the admin/ajax/op_kandidat.php id parameter.
PUBLISHED: 2020-02-22
CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI.