The "g01pack" toolkit apparently downloads in multiple stages to victim machines in order to avoid antivirus detection....
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Is there no way to detect such multi-stage attacks in the early stages of their propagation? If not, what's the most effective method for sniffing out such attacks as they download their malicious components?
Ask the Expert
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email . (All questions are anonymous.)
In order for malware authors to be successful, they must constantly adopt new techniques and technologies. The "g01pack" -- a general toolkit for malware authors that includes functionality to customize or improve individual malware components over time -- is becoming an increasingly popular example of a multi-stage toolkit. Since preventing detection of malware is often more important to the author than advancing the functionality, many authors may add an additional step to the malware attack process, often to obfuscate the Java applet used in the malware's initial infection.
Detecting multi-stage toolkits early in their infection process can be done in several different ways, depending on the malware and the tools available. One of the most effective techniques for identifying such attacks is detecting irregular outbound network traffic originating from the infected host -- this is often an indicator that it could be signaling to download the next stage of the malware. Organizations can also pick up on anomalous interactions with the Java Runtime Environment (JRE) by monitoring what commands are executed on a system. Another common next-step malware authors will likely take to separate the exploit, and the downloader could include functionality from Metasploit or a vulnerability scanning tool that identifies the weakest vulnerability and best place for the malware to exploit on the system.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
Conficker malware was found in a German nuclear power plant computer system. Expert Nick Lewis explains the possible impact of malware infections of ...continue reading
OneSoftPerDay, an adware program can install backdoors on PCs, is able to avoid detection from antimalware tools. Expert Nick Lewis explains how to ...continue reading
The hot-patching feature in Windows servers is vulnerable to attacks from APT groups. Expert Nick Lewis explains what hot patching is and how to ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.