Turla spyware: Defending against undetectable malware

Is there a way to detect malware that's designed to avoid detection? Nick Lewis explains how the Turla spyware works and how to defend against it.

In reading recently about the advanced Turla spyware, I'm concerned about how it can go dormant when its controllers sense a possible detection effort. How do attackers do this, and what's the best way to protect against undetectable malware?

As computing and computer security advance, so do attackers. It shouldn't be a new concern that malicious attackers are adopting professional software development techniques. In fact, it would be more concerning if attackers weren't adopting these techniques, as that would mean they were so far ahead of the defenders that their attacks were undetectable.

The Turla APT campaign has incorporated many cutting-edge techniques used by advanced malware and demonstrates professional, disciplined software development practices. The developers appear to have put significant effort into planning the long-term development and operation of the malware, as well as its recently discovered cousin Epic. Turla has a modular framework design in which the different components of the attack are automated. When a new attack technique is found, the development team can easily incorporate the new functionality into the attack plan and have the malware check in to the command-and-control system to get an update.

According to an unnamed source in a Reuters article, the Turla development team used a technique that is often leveraged by manual attackers. Once a manual attacker sees that one part of the attack has been detected, he or she knows the other components of the attack are at heightened risk of being detected and will change tactics, suspend the attack, or accelerate it to gain access or steal the targeted sensitive data. In Turla, much like in other malware, attackers will also remove logs from the local system so they can't be used to identify attacker activity.

The Turla spyware is designed to pause operations if a detection effort is sensed, so an update can be released to reduce the chances of the attack being detected. Turla lowers its odds of getting caught by monitoring the command-and-control infrastructure and, if a central node is detected as going offline, forces the malware to go dormant until further notice.

Enterprises can combat Turla by using an antimalware network appliance, a domain name system malware analysis tool, a network anomaly detection tool, or advanced endpoint security tools.

This was first published in August 2014
