Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/15/2013
10:48 PM
50%
50%

Mass Customized Attacks Show Malware Maturity

The malware universe is typically divided into targeted attacks and mass, opportunistic attacks, but a middle category -- mass customized malware -- poses a more serious threat for business

Products frequently follow a trajectory from customized prototypes to mass-produced goods, and -- when the market matures -- manufacturers typically find ways to lure consumers by allowing efficient customization.

The evolution is no different for malware. At one time, each author built his own malicious program. Then, from early virus creation kits to more modern exploit kits, developers industrialized the creation of malicious programs, allowing criminals to easily create attacks to fit their needs. Increasingly, however, attackers are combining easy-to-create mass attacks with the ability to tailor the malware to target specific groups.

These mass customized attacks gain many of the benefits of targeted malware -- such as more readily fooling victims and evading defenses -- while also being easy to create, two researchers from Adobe told attendees at the recent Hack in the Box Conference in Amsterdam. With efficient creation of malware under their belts, malware authors are searching for customizations that will make their malware the most successful, Peleus Uhley, platform security strategist for Adobe, said in an e-mail interview.

"The techniques and code have reached a level where the process of creating an attack for a specific victim is becoming increasingly streamlined," he says. "If an attack of sufficient quality such that it involves interchangeable parts that can be easily customized for multiple individual target, then we consider that exploit to have achieved mass customization."

With security software companies gathering threat data from their networks of customer systems, mass malware is finding less success. Customizing the malware, however, can blunt the effectiveness of the fast exchange of threat information. Even basic customizations, such as polymorphism, has cause problems for security firms.

But mass customization goes beyond that. Adobe, for example, has seen malicious Flash and PDF files that have interchangeable components to allow for quick customization -- from changing the contents of the document to using different exploits.

[It's no secret that malware is dodging defenses; security experts pinpoint successful strategies, including the use of real-time communications, frequent disguises, and laying low. See Five Habits Of Highly Successful Malware.]

Social engineering is another aspect of malware that has seen major changes due to the trend toward customization. Combining data aggregation along with online marketing techniques can result in automated messages that use enough personal information to be convincing enough to fool many users, says Johannes Ullrich, director of the SANS Internet Storm Center.

"It is the intersection of spearphishing and mass-spam phishing," Ullrich says. "The e-mail received by people are customized for the victims, but in an automated way."

As such, companies should look to train their users to spot likely fraudulent messages.

"Users should all be informed, aware, and educated," says Adam Kujawa, the lead malware intelligence analyst for anti-malware software maker Malwarebytes. "That is the best way to fight any of these threats."

In many cases, mass customized attacks will chain together a number of bugs, sometimes in different products, forcing software developers to collaborate to better understand the chain of vulnerabilities.

While mass customized malware can evade detection by intrusion detection systems and antivirus -- and better fool users -- the added complexity needed to bypass defenses and disguise the software can make it easier for defenders to spot the attacks, Adobe's Uhley says.

"The one advantage that defenders have overall is that, as these attacks become larger and more complex, the ability for the defender to interfere with that complexity increases," he says. "The defender would likely only need to disarm the weakest component of an exploit to break it and thwart an attack."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...