As long as there are targets to exploit and money to be made, malware will continue to advance.
To remain relevant and receive a paycheck, malware authors will adopt advanced evasion techniques and include new features to meet their customers' requests so the attacks using the malware can be more effective and profitable. There are many instances of malware becoming more sophisticated over the past months, including Zeus transitioning from 32-bit to 64-bit and the advancement of the iBanking malware to target Android devices.
In addition to new features in malware, there is a relatively new idea around "living off the land," where attackers use built-in or legitimate tools to prevent their attacks from being detected by antimalware software. The Poweliks malware is the most recent example of this happening.
In this tip, I will discuss recent malware advancements and the enterprise controls necessary to detect and control the malware.
The TROJ_POWELIKS.A or Poweliks is fileless malware designed to download other malware that will control the compromised system. Poweliks requires a separate initial infection vector to compromise the local system and install the malware, which, it has been reported, is a malicious Word file. After the initial infection, the malware is installed and stored in the registry as an encoded dynamic link library (DLL) that is extracted and injected into legitimate dllhost.exe processes running on a system, which will then execute it.
While storing a DLL in the registry isn't a common method of installing malware on an endpoint, it does make it more difficult to detect the malware, because not all antimalware tools check the registry. However, for tools that do check the registry, finding a registry key with a significant amount of data would certainly be something to alert on. The Poweliks malware also runs PowerShell commands to complete the attack. PowerShell commands could have been used to avoid detection by living off the land, since PowerShell is installed on most systems and has the advanced functionality for interacting with the operating system that is necessary to complete the attack.
Other malware has also continued to make advancements so it can remain profitable for malware authors. The mature Zeus malware continues to incorporate new features; the most recently reported functionality added to it was an improved social-engineering attack where the malware spoofed a browser warning message to get the user to install the malware. Similarly, the iBanking.Android has added new functionality where it uses fake security software to get the user to install the malware. It then steals SMS messages used in two-factor authentication.
Enterprise controls necessary to detect and control advanced malware
Detection of advanced malware can be done many different ways. Multistage malware, such as Poweliks, and multistage attacks could give enterprises more time to detect the malware because each step takes time; however, each step might not necessarily need to be detected because the individual steps themselves might not be malicious.
In the example of Poweliks, its multistage aspect may be difficult to detect when each individual stage happens, but correlating all of the stages and actions can help detect and mitigate malicious activity.
For example, while PowerShell scripts are useful for system administrators or power users, few end users develop and use them. Detecting malicious PowerShell commands is difficult because there are many legitimate enterprise uses of PowerShell functions. However, for PowerShell scripts used by end users, system admins could require the script to be signed before execution; this would help block any malware from executing malicious scripts. While this policy would not stop a dedicated attacker, it could raise the bar enough to frustrate them and prevent an attack.
Though detecting the PowerShell aspect of the Poweliks malware may be difficult, detecting its command and control infrastructure and network connections could be easier. TrendMicro's blog post mentions a specific IP that can be used as an indicator of compromise so an enterprise could monitor its network for any connections to the IP and investigate each connection. Monitoring for anomalous network connections could also help identify a compromised system that requires additional investigation. This could include looking at NetFlow logs to see which systems are the top talkers to external IPs or systems with a significant number of failed authentication attempts.
The newly modified Zeus malware and iBanking.Android malware can be identified through steps similar to those used to identify Poweliks, as they rely on security awareness. The Zeus variant can be detected by monitoring the network for connections to the command-and-control IP; iBanking.Android can be detected by using a mobile antimalware tool that scans the system looking for malicious files.
Note that detection is only one part of effectively controlling malware in the enterprise. Rigorous response to incidents involving malware is critical for minimizing the effects from a compromised system.
It should be no surprise that malware will continue to advance and automate some of its most effective manual attack techniques. As enterprise malware defense measures become more sophisticated, malware will inevitably find new methods to circumvent them. This will require constant attention from enterprises in order to control and mitigate potential attacks. Enterprise security controls and technologies will need to be vetted constantly to ensure they are effective against current attacks. Changing security programs and controls when new attacks or vulnerabilities are discovered is essential to remaining ahead of the curve.
It is also critical for an enterprise to not only evaluate how it manages its systems, but also assess the management of its systems to decide whether certain functionality -- such as PowerShell scripts -- could potentially introduce new risks into its environment and will require additional policies to prevent vulnerabilities from being exploited.
About the author:
Nick Lewis, CISSP, is the former information security officer at Saint Louis University. Nick received Master of Science degrees in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and at Boston Children's Hospital, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.
Learn more about the changing face of advanced malware
Discover how sandboxing can help detect advanced malware
Become familiar with the ways advanced malware can use the network against you