Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/15/2013
10:48 PM
50%
50%

Mass Customized Attacks Show Malware Maturity

The malware universe is typically divided into targeted attacks and mass, opportunistic attacks, but a middle category -- mass customized malware -- poses a more serious threat for business

Products frequently follow a trajectory from customized prototypes to mass-produced goods, and -- when the market matures -- manufacturers typically find ways to lure consumers by allowing efficient customization.

The evolution is no different for malware. At one time, each author built his own malicious program. Then, from early virus creation kits to more modern exploit kits, developers industrialized the creation of malicious programs, allowing criminals to easily create attacks to fit their needs. Increasingly, however, attackers are combining easy-to-create mass attacks with the ability to tailor the malware to target specific groups.

These mass customized attacks gain many of the benefits of targeted malware -- such as more readily fooling victims and evading defenses -- while also being easy to create, two researchers from Adobe told attendees at the recent Hack in the Box Conference in Amsterdam. With efficient creation of malware under their belts, malware authors are searching for customizations that will make their malware the most successful, Peleus Uhley, platform security strategist for Adobe, said in an e-mail interview.

"The techniques and code have reached a level where the process of creating an attack for a specific victim is becoming increasingly streamlined," he says. "If an attack of sufficient quality such that it involves interchangeable parts that can be easily customized for multiple individual target, then we consider that exploit to have achieved mass customization."

With security software companies gathering threat data from their networks of customer systems, mass malware is finding less success. Customizing the malware, however, can blunt the effectiveness of the fast exchange of threat information. Even basic customizations, such as polymorphism, has cause problems for security firms.

But mass customization goes beyond that. Adobe, for example, has seen malicious Flash and PDF files that have interchangeable components to allow for quick customization -- from changing the contents of the document to using different exploits.

[It's no secret that malware is dodging defenses; security experts pinpoint successful strategies, including the use of real-time communications, frequent disguises, and laying low. See Five Habits Of Highly Successful Malware.]

Social engineering is another aspect of malware that has seen major changes due to the trend toward customization. Combining data aggregation along with online marketing techniques can result in automated messages that use enough personal information to be convincing enough to fool many users, says Johannes Ullrich, director of the SANS Internet Storm Center.

"It is the intersection of spearphishing and mass-spam phishing," Ullrich says. "The e-mail received by people are customized for the victims, but in an automated way."

As such, companies should look to train their users to spot likely fraudulent messages.

"Users should all be informed, aware, and educated," says Adam Kujawa, the lead malware intelligence analyst for anti-malware software maker Malwarebytes. "That is the best way to fight any of these threats."

In many cases, mass customized attacks will chain together a number of bugs, sometimes in different products, forcing software developers to collaborate to better understand the chain of vulnerabilities.

While mass customized malware can evade detection by intrusion detection systems and antivirus -- and better fool users -- the added complexity needed to bypass defenses and disguise the software can make it easier for defenders to spot the attacks, Adobe's Uhley says.

"The one advantage that defenders have overall is that, as these attacks become larger and more complex, the ability for the defender to interfere with that complexity increases," he says. "The defender would likely only need to disarm the weakest component of an exploit to break it and thwart an attack."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "This is the last time we hire Game of Thrones Security"
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17185
PUBLISHED: 2019-12-09
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2019-12424
PUBLISHED: 2019-12-09
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2019-18380
PUBLISHED: 2019-12-09
Symantec Industrial Control System Protection (ICSP), versions 6.x.x, may be susceptible to an unauthorized access issue that could potentially allow a threat actor to create or modify application user accounts without proper authentication.
CVE-2019-19687
PUBLISHED: 2019-12-09
OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, whic...
CVE-2019-19682
PUBLISHED: 2019-12-09
nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the components \Presentation\Nop.Web\Areas\Admin\Controllers\NewsController.cs and \Presentation\Nop.Web\Areas\Admin\Controllers\BlogController.cs via Body or Full to Admin/News/NewsItemEdit/[id] Admin/Blog/BlogPostEdit/[id]. NOTE: the ...