Malware authors producing stealthier creations

By Dennis Fisher, Executive Editor 19 Oct 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

As security researchers become more adept at detecting various forms of malware, attackers are beginning to develop techniques to prevent the detection and analysis of their creations.

In the past, the hackers who wrote viruses and worms spent little or no time trying to make their malware stealthy. They were far more concerned with finding effective techniques for spreading their viruses and causing the maximum amount of damage than with preventing security managers from finding the viruses. They figured, and rightly so, that by the time anyone found the virus or worm, it would have done its damage.

But as the focus of malware authors has shifted from digital vandalism to penetrating high-value networks for profit, evading detection has become a top priority. Their goal now is to drop a rootkit, bot or other piece of malware onto a target machine without being noticed and have the program stay in place for weeks or months while it gathers passwords, customer records or other valuable data, said Lenny Zeltser, a speaker at the Information Security Decisions conference here this week. Zeltser, the information security practice leader at Gemini Systems in New York, and an instructor at The SANS Institute, highlighted a number of techniques that are gaining favor in the hacker community at the moment.

Malware threats: Malware taunts storage and caching servers Malware authors eyeing Web-based applications Surveillance exposes malware that comes back from the dead Proof-of-concepts heighten mobile malware fears

Two such techniques in particular that have been seen in the wild of late are virtual machine detection and debugger detection. Antivirus researchers and security specialists in large enterprises commonly deploy virtual machines (VM) on their research networks and then infect those VMs with samples of new malware. This enables them to observe the behavior of the malware and analyze it without having to infect the underlying operating system on the PC or server. Virus writers of course know this, and many of them have begun including code in their viruses that can check to see whether it is running on a VM and then shut down if it is not running on the machine's actual operating system. This technique won't prevent researchers from eventually analyzing the program, but it can slow down the process, thereby delaying the creation of a signature for the malware.

Zeltser said he has seen examples of other pieces of malicious code that check to see whether they are attached to a debugger, another tool that researchers use to analyze viruses and worms. One way virus writers accomplish this is to have their programs time how long it takes for the code to execute, and if it's taking too long—an indication that a debugger is attached—the program shuts down.

"This is a very clever idea, and it's one that I've seen a couple of times and I think we'll probably see more in the future," Zeltser said.

Another technique, which at this point is believed to be only theoretical, is using a VM-based rootkit to compromise the host operating system and then implement malicious processes on the machine. To do this, the malware installs a virtual machine monitor underneath the host operating systems, then hoists them onto the virtual machine. The rootkit is then essentially undetectable because the host operating system can't access them. A group of researchers from Microsoft Corp. and the University of Michigan published a paper earlier this year on this technique and the proof-of-concept rootkit, called SubVirt .

"It's a very elegant idea that's likely to gain traction in the near future," Zeltser said. "The victim machine doesn't control the real OS, so all of their processes are executing within the virtual machine. Very difficult to detect and remove."

Tags: Malware, Viruses, Trojans and Spyware,  Emerging Information Security Threats,  Security Awareness Training and Internal Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again RSA research underscores problem tracking cybercriminals Conficker analysis finds P2P coding limited, less sophisticated Emerging Information Security Threats Modern malware, stealthy botnets, adapt quickly, expert says New ransomware Trojan pushes victims to buy software Bruce Schneier on outsourcing, awareness training US-CERT warns of BlackBerry snooping software Marcus Ranum on cyberwarfare, infosec careers Researchers find thousands of flawed embedded devices Enterprise botnets contain thousands of malware variants Nuke and pave to eradicate botnets Rand study urges caution on cyberwarfare attacks Hathaway joins Harvard to contribute to DOD project Security Awareness Training and Internal Threats Creating a HIPAA employee training program Successful rogue antivirus hinges on social engineering External attacks start with unintentional mistakes, survey finds Security technologies fail to address insider threat management Data breach avoidance begins with security basics, panel says Monitoring program data and internal controls for risk management Software security threats and employee awareness training Twitter risks, Facebook threats trouble security pros Social engineering training could disrupt botnet growth How to write a risk methodology that blends business, security needs

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary