Modern malware, stealthy botnets, adapt quickly, expert says

Malware detection has become more difficult as cybercriminals adapt quickly to security technologies to find a way into corporate networks, create botnets and ultimately steal data. A new class of modern malware is wreaking havoc on corporate networks by lying low enough to avoid most network intrusion detection systems. As security technologies evolve, so does the malware they're designed to detect, continuing the cat and mouse game between security professionals and cybercriminals, says Ashar Aziz, founder and CEO of network security appliance vendor FireEye Inc. In this interview, Aziz gives his take on the constantly evolving threat landscape and explains why it will continue to be difficult for security researchers to eradicate malware and the botnets they create.


How has network security evolved to address the rapidly changing threat landscape?
In the last three or four years there has been a major transformation in the nature of threats in the wild and how they have mutated into an extremely stealthy and hard to detect direction. That's been the most fundamental change in the last few years. [Malware] is not noisy, it's not designed to be obvious. It stays under the radar while it's doing its criminal activity; trying to make money for the criminal or nation state. That's really where the malware and the threat landscape have evolved. Malware is the key part of what the threat landscape is all about today. We have major cybercriminal activity on the Internet today with theft of identities, theft of credit card data, theft of intellectual property and actual theft of money from banks from within their corporate networks. All of this is enabled by this new sophisticated evolved class of malicious software. 


As enterprises deploy data center virtualization more widely and as virtual clients become more ubiquitous, won't this reduce the opportunity for cybercriminals to gain access to sensitive data?
I don't believe so. Malware will adapt to whatever changes take place in the threat landscape. The most important evolution is these scanning worms that found a way in. The desktop evolved to become firewalled. Desktop firewalls made the scanning worms harder to penetrate and they started coming in via Web content. When there's an infrastructure shift they will move. There is ultimately going to be some software that is running somewhere that will be vulnerable because we don't know how to write perfect software. That is the issue at hand. We have hundreds of millions of lines of software in the context of browsers, plug-ins and widgets, and it's exploitable. If it's running on the client, that's not good and if it's running on the server then it's going to get exploited. I don't see a way out of this.

What is modern malware? Is this malware that is coded to contact command and control?
That is one of the attributes of modern malware. Modern malware exists for a purpose and in order to accomplish its purpose that malware needs to be able to communicate back to the party that distributed it. The most effective way to do that is via a callback channel or some kind of outbound communications initiated post infection. You used to be able to come in via vulnerable services and open a backdoor for somebody to connect into that. Firewalls and corporate firewalls have made that hard to do. So this has led to the adaptation of malware that we've seen taking into account network security measures and changes. It comes in passively via a Web exploit, a .pdf attack, a JavaScript class of attack and then it's going back out via HTTP or other permissible outbound protocol. That is one of the attributes of modern malware. The other is that it is there for a purpose. It's not there to do mischief. It's there to do real damage in terms of data theft or stealing of financial information. 
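The callback channel Aziz describes is what a defender can look for on the wire: an infected host phoning home over an allowed outbound protocol tends to do so on a fixed schedule, whereas a person browsing does not. The following is an added example, not code from the article or from FireEye, that scores outbound HTTP proxy records by the regularity of their request gaps; the log format, the thresholds and the sample lines are all assumptions constructed for the demonstration.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (not from the article). One destination is
# contacted every 300 s like a callback; the other is ordinary, irregular browsing.
SAMPLE_LOG = """\
2009-11-02T09:00:00 10.0.0.5 GET http://update-check.example.net/ping
2009-11-02T09:00:07 10.0.0.5 GET http://news.example.com/
2009-11-02T09:05:00 10.0.0.5 GET http://update-check.example.net/ping
2009-11-02T09:06:31 10.0.0.5 GET http://news.example.com/sports
2009-11-02T09:10:00 10.0.0.5 GET http://update-check.example.net/ping
2009-11-02T09:11:02 10.0.0.5 GET http://news.example.com/weather
2009-11-02T09:15:00 10.0.0.5 GET http://update-check.example.net/ping
2009-11-02T09:40:45 10.0.0.5 GET http://news.example.com/
"""

# Assumed line layout: ISO timestamp, client IP, HTTP method, full URL.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole pass
        ts, client, _method, url = m.groups()
        host = url.split("/")[2] if "://" in url else url
        yield datetime.fromisoformat(ts), client, host


def find_beacons(text, min_hits=4, max_cv=0.1):
    """Return (client, host) pairs whose inter-request gaps are near-constant.

    A scheduled callback yields gaps with a low coefficient of variation
    (stddev / mean); human browsing does not. min_hits and max_cv are
    assumed starting values for the sample, not tuned production thresholds.
    """
    seen = {}
    for ts, client, host in parse_log(text):
        seen.setdefault((client, host), []).append(ts)
    flagged = []
    for key, times in seen.items():
        if len(times) < min_hits:
            continue  # too few observations to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.append(key)
    return flagged
```

In practice the same scoring is run over a full day of proxy or firewall logs, and flagged pairs are reviewed against known software-update hosts before anyone treats them as a compromise.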

How strong are botnets today? When we look at Conficker, it was thought to be very large, but the security community was able to block its command and control.
Conficker is a botnet and most drive-by downloads also create botnets today. I call it a botnet because once they crawl in, they crawl right back out and the machine becomes controllable. So the drive-by is merely an infection vector and Conficker was spreading using traditional services exploits much like the worms of the 2004-2005 era. However, from an overall structure perspective, there's an isomorphism between a Conficker-class of attack and a drive-by class of attack. The only difference is the infection vector. So, botnets are not going away because botnets drive more botnets.

Why aren't we doing more to go after these rogue ISPs and holding registrars more responsible for selling, in some cases, tens of thousands of websites at a time to cybercriminals? Why not take a less technological approach and go after some of these cybercriminals?
I think we are going to find it exceedingly difficult to eliminate malware from the Internet. The reason is that not all the people in the business of distributing malware are even aware that they are doing that. For example, drive-by attacks come from a lot of sites, many of which are legitimate. There are Web 2.0 sites that allow you to upload malicious content. It's tough to shut down the Web 2.0 infrastructure because that is where the Internet is headed, but that same flexibility that allows communities to share ideas and content gives the bad guys the vehicle to introduce malware into the Internet. Now you are getting exploited. That is the infection vector side of it. I can find similar, hard to shut down things on the call-back channel side where the registrar doesn't know. It would also be very difficult for the registrar to know it was a malicious forward channel because the technology doesn't exist for them to figure that part out either. So that approach of going after all these parties is a good one because we should be doing that, but the challenges in getting it to succeed in a manner we would hope are very significant.
