Malware is constantly evolving as malware authors seek new and innovative ways to infect victims. As of late, however, hidden malware has been popping up in even the most unlikely places, creating new malware-detection issues for enterprises and vendors alike.
Customized malware bypasses well-known defenses
A paper published last week by MRG Effitas Ltd. and CrySyS Lab detailed the results of four custom malware attacks against five well-known advanced persistent threat (APT) defense products. One malware sample, dubbed BAB0, was able to bypass all five products; a second sample avoided three products; and according to the paper, "only the two simplest samples" were detected, though they "triggered alarms with low severity in some cases."
The report does not reveal the names of the systems that fared badly, nor will the authors provide vendor-specific information. They do, however, plan on publishing details of the BAB0 malware to help APT defense vendors strengthen their products.
The report comments on the complacency of some businesses using products based on what the authors perceive to be slick vendor "marketing strategies and outrageously high prices."
"Some of the products that we tested seem to be overestimated by the users who believe that those products are silver bullets," said the authors in the report. "Our test is clear proof that mainstream APT attack detection tools can be bypassed (even with moderate effort), and if we could do that, then APT attackers will also be able to … if they have not done so yet."
Sandboxes: Not a malware catch-all
Sandboxes can be critical to bolstering an application's defense, restricting malicious files and programs to an isolated environment with no effect on the underlying application. However, many malware authors are altering their attacks to recognize and circumvent sandboxes; others are using methods such as cloaking to avoid detection.
In the November 2014 Patch Tuesday update, Microsoft released a fix for a vulnerability that allowed attackers to circumvent the Internet Explorer sandbox. A Trend Micro Inc. blog post published Wednesday provided more detail on the vulnerability, explaining that it is "relatively easy" to exploit; a misconfiguration in the Discretionary Access Control List can potentially allow an exploit based on CVE-2014-6349 to break the IE sandbox and gain elevated privileges.
While the vulnerability was addressed with the release of MS14-065, it serves as a reminder that even those technologies that are assumed safe -- in this case sandboxes -- cannot always be trusted, underscoring the importance of defense-in-depth. A separate sandbox issue was fixed in Microsoft's October Patch Tuesday release; details of that vulnerability were published earlier this week by Google.
DeathRing: Preinstalled smartphone malware
Lookout Inc. posted a blog entry Thursday about "DeathRing," malware that is preinstalled on a variety of smartphones popular in Asia and Africa. The Trojan masks itself as a ringtone and is able to download SMS and WAP content from its command-and-control server to the victim's device.
The malware is especially troublesome, as it is preinstalled on the device and cannot be uninstalled, and because it is not readily apparent when the device is purchased; according to the blog, DeathRing is activated either when the device has been rebooted five times, or once it has been used 50 times.
DeathRing, which is mainly located in Vietnam, Indonesia, India, Nigeria, Taiwan and China, affects third-tier manufacturers including Tecno-Mobile, Gionee India and Jiayu. Lookout's security product manager Jeremy Linden suggested in the blog post that users be aware of the devices purchased, install mobile antimalware software on all devices and regularly check phone bills for fraudulent charges.
Smoke an e-cigarette, get malware?
Malware can certainly show up in some unlikely places -- but can you get it from an e-cigarette? A recent Reddit post has sparked controversy over a reported malware infection from an e-cigarette charger plugged into a computer USB port. The post claims the charger was hard-coded with malware.
While the truth behind the post is questionable, users and enterprises should be aware of malware-ridden devices connecting to (and infecting) computers and corporate networks. From mice and keyboards to smartphones and tablets, many devices rely on USB connections. However unlikely an infection from an e-cigarette charger may be, it should be noted that infections from benign devices are not entirely impossible.
The reality with these numerous and varied infection mechanisms is that malware will increasingly show up where it seems least likely, especially as the Internet of Things grows and evolves; expecting the unexpected is part of the process.
In other news
- Richard Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-terrorism in the U.S. and member of Bit9 Inc.'s board of directors, published a blog post Thursday entitled "5 Key Pieces of Information Security Advice to CEOs." Clarke wrote that enterprises must "embrace the inevitability of a breach" and noted that while prevention is a key piece of the security puzzle, "detection and response are increasingly the critical components to protecting an organization." Another key point, Clarke said, is that the government will not save the private sector should a malicious event occur; organizations are on their own to "stitch together the best-in-breed technologies to create a layered security approach" that will work best in their given situations.
- The results of EMC Corp.'s latest global data protection study announced Tuesday revealed that data loss and downtime have cost enterprises $1.7 trillion over the past 12 months. In a survey of 3,300 IT decision makers from midsize businesses and enterprises across 24 countries, it was found that data loss is up 400% since 2012, and 71% of organizations are not fully confident in their ability to recover from a disruption. The top three causes of disruption were hardware failures (53%), loss of power (39%) and software failure (38%). Security breaches -- including malware -- came in sixth at 23%. The report also found that the more data protection vendors an organization uses, the more likely it is to experience a disruption. Of those surveyed with more than three vendors, 38% experienced data loss and 54% experienced unplanned downtime, as compared to companies with one vendor, which experienced 24% data loss and 42% downtime.
- A report released late last week by security software firm BlueBox Labs revealed how "bargain" Android tablets (those costing less than $100) stacked up in terms of security. While consumers thought they were getting a good deal on the tablets from big-box stores like Best Buy Co., Walmart Stores Inc. and Target Corp., BlueBox's research found that the devices were riddled with security flaws. Of the 14 tablets tested, 11 were vulnerable to Futex, 11 were susceptible to FakeID, six were vulnerable to MasterKey, and two were vulnerable to Heartbleed. The problems with the devices -- which included DigiLand, Nextbook and Worryfree Zeepad -- didn't stop there. Four tablets had known backdoors, three experienced USB data theft, and five had security misconfigurations. When it came to trustworthiness, only two earned a score of "Trustable," while three were "Suspicious"; one device had so many issues it could not be accurately scored. In the BlueBox blog post, security analyst Andrew Blaich recommended avoiding these devices, but if they must be used, only doing so for gaming and Web browsing -- never for online banking or shopping.