Dark Reading is part of the Informa Tech Division of Informa PLC

11:25 AM
Malware: The Next Generation

Zero-day and rapidly morphing malware is proliferating across the Web. Is your enterprise ready to stop it?

The Pyramid Of Sophistication
While the nastiest malware is growing in effectiveness and sophistication, the bulk of what's out there looks a lot like malware did years ago. That's because both consumer and business users are giving attackers little reason to advance their game to the next level. "If you look at what's actually being exploited, it's by and large the same vulnerabilities that have been exploited for the last five to 10 years," Gragido says.

The malware economy has stratified based on who the targets are and which adversaries are looking to attack them, says HD Moore, chief security officer for vulnerability management firm Rapid7 and chief architect of the Metasploit penetration testing framework. Think of it as a malware pyramid, with the least sophisticated and most frequent attack methods at the base and the very rare, cutting-edge targeted attacks up top.

The base level attacks are against consumers and lightly protected business endpoints that are behind on patches and have poorly updated antivirus tools or no security software at all. Attackers at this level aim to infect machines with online banking Trojans, keystroke loggers and other malware designed to steal credentials for identity theft, Moore says. Most online criminals make their money at this level, using cheap or free drive-by exploit kits.

The next level up is slightly more complex malware that spends more time propagating itself on the network once it has infected a machine, gathering more data and obfuscating itself more effectively. This level of malware is more exclusive and expensive.

Another level up the pyramid is where you run into higher-end exploit kits, Moore says. This is the level that most businesses should be concerned about. Organized criminals and industrial spies are the main perpetrators here, seeking to steal customer data and important intellectual property for financial gain.

These higher-level exploits are "designed to pull data out of businesses and do things like large-scale bank transfers or gathering customer databases," he says. "Granted, it's advanced compared to consumer-level malware out there, but it's not Stuxnet or Flame."

Stuxnet and Flame belong at the top of the pyramid. They're elite attacks created by state-sponsored developers for espionage and cyber warfare, Moore and other researchers say. Stuxnet, for instance, is generally believed to have been created by the U.S. and Israeli governments to sabotage the centrifuges at Iran's uranium enrichment facility.

"With the really crazy stuff [at the top of the pyramid], there may be some commonalities among them in terms of how code is done, but they're not as widely available in dev kits, and they're not widely used against most of corporate America," Moore says.

It's that class of malware just below the top that should give enterprise IT leaders pause, Moore says.

At that level, the risk comes from the way the malware propagates, and from how its developers and the attackers who buy it target specific online populations and profit from their crimes. The attackers usually are crooks running criminal enterprises, and they want to pay as little as they can for the malware they use so it doesn't eat into their profit margins. Zero-day vulnerabilities are expensive, so they're more likely to go with less sophisticated, cheaper methods such as duping targets into opening a malicious email attachment or visiting a compromised website, says Anup Ghosh, founder and CEO of Invincea, a breach detection platform developer.

"They don't want to pull out the 'A' team or the unused zero days if they don't have to," he says, but they are willing to do a lot of research on their targets. They have the funding and the wherewithal to spend time trolling social media sites and conducting Google searches to dig up information about a company's employees that can be used to customize spearphishing messages designed to get a malware payload onto those employees' computers.

"They've got groups of people whose job it is to do nothing but go after these companies or organizations, get on their networks, search for what they're after and steal that data," Ghosh says.

Attackers will even go so far as to set up watering-hole attacks, in which they compromise a legitimate website that would be of interest to a specific type of employee in an organization. Bad guys have been infecting websites for a long time, but watering-hole attacks show criminals putting more thought and research into who they're attacking. For example, an attacker might buy malware built to target SAP accounting systems, then try to compromise the website of a U.S. accounting professionals' organization. The hope is to infect visitors with a drive-by download of malware that lets the attacker take control of their machines and check whether they have connections to the SAP systems the attacker wants to exploit.

"The concept of the attack is similar to a predator waiting at a watering hole in a desert," wrote Gavin O'Gorman and Geoff McDonald in Symantec's "The Elderwood Project" research paper. "The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him."
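As an added example (not code from the article, Symantec or Invincea), here is a small Python check for the injection step of a watering-hole compromise: it flags script and iframe elements in a page that load from a host other than the site's own (or its known CDN) or that are sized or styled to be invisible, which is how a drive-by loader is usually planted in an otherwise legitimate page. The sample page, its host names and the allow-list are constructed for illustration.

```python
"""Flag the planted <script>/<iframe> elements of a watering-hole compromise."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hypothetical hosts): the site's own script and a
# CDN it legitimately uses, plus one hidden iframe and one script that an
# attacker has injected to pull a drive-by loader from a third-party host.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-accounting.org/lib.js"></script>
</head><body>
<h1>Member news</h1>
<iframe src="http://stats-counter.invalid/c.php" width="1" height="1"
        style="visibility: hidden"></iframe>
<script src="//stats-counter.invalid/j.js"></script>
</body></html>"""


class InjectionScanner(HTMLParser):
    """Collects (tag, src, reasons) for script/iframe elements that look injected."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def _host(self, url):
        # Relative URLs resolve to the site itself; "//host/x" is protocol-relative
        # and urlparse reports its host like any absolute URL.
        host = urlparse(url).hostname
        return host.lower() if host else self.site_host

    @staticmethod
    def _hidden(attrs):
        # 0x0 / 1x1 frames and display:none / visibility:hidden are the usual
        # ways an injected frame is kept out of sight of the visitor.
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = all(attrs.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
        return tiny or "display:none" in style or "visibility:hidden" in style

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src")
        if not src:
            return  # inline script or src-less iframe: not a remote loader
        host = self._host(src)
        reasons = []
        if host != self.site_host and host not in self.allowed:
            reasons.append("off-domain host " + host)
        if tag == "iframe" and self._hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, src, reasons))


def scan(page, site_host, allowed_hosts=()):
    """Return the suspicious remote-loading elements found in `page`."""
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(page)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for tag, src, reasons in scan(SAMPLE_PAGE, "www.example-accounting.org",
                                  allowed_hosts=["cdn.example-accounting.org"]):
        print(f"<{tag} src={src!r}>: {', '.join(reasons)}")
```

Run against the sample page with the site's own host and its CDN allow-listed, the two injected elements are reported and the site's own script and CDN script are not. In practice this check belongs in a periodic crawl of your own public pages, diffed against a known-good baseline, since the attacker's host will not be on any list you write in advance.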

Why can't you count on your antivirus software to detect and prevent the drive-by download malware? As mentioned earlier, attackers produce so many variants of their code, and obfuscate each one with encryption and packers, that signature-based AV, which looks for known byte patterns, rarely has a signature for the particular build that lands on a given machine.
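An added example, not the article's own material, showing concretely why a fixed byte signature fails against repacked variants and what a packer-aware heuristic can still see. The "payload" and "signature" are constructed stand-ins, and the packer is a toy XOR-with-keystream encoder written for this illustration, not any real malware family's packer; real packers additionally compress and carry a decoder stub, but the effect on a signature scanner is the same.

```python
"""Signature scanning vs. a per-build repacked payload, with an entropy check."""
import hashlib
import math
from collections import Counter

# Constructed stand-in for a malicious executable's bytes: repetitive,
# low-entropy text, the way real code and its embedded strings are.
PAYLOAD = (b"MZ This program cannot be run in DOS mode. "
           b"GET /gate.php?id=%s HTTP/1.1 User-Agent: Mozilla/4.0 ") * 8
# The byte pattern a signature-based scanner would carry for this "family".
SIGNATURE = b"GET /gate.php?id="


def keystream(key, length):
    """Deterministic pseudorandom stream: SHA-256(key || counter) in counter mode."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def pack(payload, key):
    """Toy polymorphic packer: [key length][key][payload XOR keystream(key)].
    A real packer hides the key inside its decoder stub; here it is a plain header."""
    body = bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))
    return bytes([len(key)]) + key + body


def unpack(blob):
    """What the decoder stub does at run time: recover the original bytes."""
    klen = blob[0]
    key, body = blob[1:1 + klen], blob[1 + klen:]
    return bytes(b ^ k for b, k in zip(body, keystream(key, len(body))))


def signature_hit(data, sig=SIGNATURE):
    """Static signature match: does the known byte pattern occur in the file?"""
    return sig in data


def entropy(data):
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_hit(data, threshold=6.5):
    """Packer heuristic: encrypted/compressed bodies sit near 8 bits/byte,
    while plain code and strings sit well below. The threshold is an assumption."""
    return entropy(data) >= threshold


def demo(keys=(b"build-2012-07-01", b"build-2012-07-02")):
    """One dict per variant built with a different key: how each check fares."""
    results = []
    for key in keys:
        blob = pack(PAYLOAD, key)
        results.append({
            "unpacks_correctly": unpack(blob) == PAYLOAD,
            "signature_on_packed": signature_hit(blob),
            "signature_after_unpack": signature_hit(unpack(blob)),
            "entropy_packed": round(entropy(blob), 2),
            "entropy_flag": entropy_hit(blob),
        })
    return results


if __name__ == "__main__":
    print("plaintext entropy: %.2f" % entropy(PAYLOAD))
    for r in demo():
        print(r)
```

Each build is the same program once unpacked, yet its bytes on disk share nothing with the previous build, so the static signature never matches the packed file; it matches only after unpacking, which is why AV vendors moved to emulation and behavioural monitoring rather than more signatures. The entropy heuristic does flag every variant, but it flags legitimately compressed or encrypted files too, so on its own it is a triage signal, not a verdict.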

[Diagram: Web injection process used in watering hole attacks]

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
