The "g01pack" toolkit apparently downloads in multiple stages to victim machines in order to avoid antivirus detection. Is there no way to detect such multi-stage attacks in the early stages of their propagation? If not, what's the most effective method for sniffing out such attacks as they download their malicious components?
Ask the Expert
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email . (All questions are anonymous.)
In order for malware authors to be successful, they must constantly adopt new techniques and technologies. The "g01pack" -- a general toolkit for malware authors that includes functionality to customize or improve individual malware components over time -- is becoming an increasingly popular example of a multi-stage toolkit. Since preventing detection of malware is often more important to the author than advancing the functionality, many authors may add an additional step to the malware attack process, often to obfuscate the Java applet used in the malware's initial infection.
Detecting multi-stage toolkits early in their infection process can be done in several different ways, depending on the malware and the tools available. One of the most effective techniques for identifying such attacks is detecting irregular outbound network traffic originating from the infected host -- this is often an indicator that it could be signaling to download the next stage of the malware. Organizations can also pick up on anomalous interactions with the Java Runtime Environment (JRE) by monitoring what commands are executed on a system. Another common next-step malware authors will likely take to separate the exploit, and the downloader could include functionality from Metasploit or a vulnerability scanning tool that identifies the weakest vulnerability and best place for the malware to exploit on the system.
This was first published in November 2013