The "g01pack" toolkit apparently downloads in multiple stages to victim machines in order to avoid antivirus detection....
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Is there no way to detect such multi-stage attacks in the early stages of their propagation? If not, what's the most effective method for sniffing out such attacks as they download their malicious components?
Ask the Expert
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email . (All questions are anonymous.)
In order for malware authors to be successful, they must constantly adopt new techniques and technologies. The "g01pack" -- a general toolkit for malware authors that includes functionality to customize or improve individual malware components over time -- is becoming an increasingly popular example of a multi-stage toolkit. Since preventing detection of malware is often more important to the author than advancing the functionality, many authors may add an additional step to the malware attack process, often to obfuscate the Java applet used in the malware's initial infection.
Detecting multi-stage toolkits early in their infection process can be done in several different ways, depending on the malware and the tools available. One of the most effective techniques for identifying such attacks is detecting irregular outbound network traffic originating from the infected host -- this is often an indicator that it could be signaling to download the next stage of the malware. Organizations can also pick up on anomalous interactions with the Java Runtime Environment (JRE) by monitoring what commands are executed on a system. Another common next-step malware authors will likely take to separate the exploit, and the downloader could include functionality from Metasploit or a vulnerability scanning tool that identifies the weakest vulnerability and best place for the malware to exploit on the system.
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
The Fruitfly Mac malware has decades-old code, but has been conducting surveillance attacks for over two years without detection. Expert Nick Lewis ...continue reading
A Gmail phishing attack brought users to fake login pages designed to look like Google's. Expert Nick Lewis explains how users can prevent similar ...continue reading
A HummingBad malware variant, HummingWhale, was discovered being spread through 20 apps on the Google Play Store. Expert Nick Lewis explains the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.