I read some news about "magic" malware that communicates with its C&C infrastructure in an unusual way. Could you...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
explain how it communicates and what enterprises can do to defend against this malware?
Ask the expert
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
If someone asks you to pick a card out of a pack and then locates your card, that is considered magic. As with all magic though, such a trick ceases to seem so magical once the audience realizes the card was up the magician's sleeve the entire time. This holds true in programming as well; once you're aware of a concept called the magic number -- in which programmers occasionally use static numbers directly in source code, making code more predictable and susceptible to attack -- you understand what to look for in the future.
In this case, the "magic" malware described by Seculert (actually an updated variant of malware that has been dubbed Tilon, Asetus and Win32.Enchanim by other vendors) communicates with its command-and-control (C&C) infrastructure via a custom protocol, which is from the origination of its name. There are known, established C&C communication protocols that are reasonably strong and could be used to reduce development time, so utilizing a custom protocol is a unique and potentially high-risk endeavor on the part of the malware authors. One of the classic security failures by programmers is to think any algorithm they invent for cryptography is going to be the strongest ever, but using well-established and open cryptography algorithms will almost always be a better idea unless the programmer is a cryptography expert.
In terms of potential enterprise defenses, decoding the magic malware's communications could require reverse-engineering the malware and protocol, though reverse engineering is not necessary for detection. Seculert has released indicators of compromise, including a list of known IP addresses used by the malware. These addresses could change quickly, but if network traffic flows to one of the IPs, that could be reason enough to investigate an endpoint for other indicators of compromise or malware.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
An HTTPS session with a reused nonce is vulnerable to the Forbidden attack. Expert Nick Lewis explains how the attack works, and how to properly ...continue reading
The Irongate malware has been discovered to have similar functionality to Stuxnet. Expert Nick Lewis explains how enterprises can protect their ICS ...continue reading
APT groups have been continuously exploiting a flaw in Microsoft Office, despite it having been patched. Expert Nick Lewis explains how these attacks...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.