Threat Management, Incident Response, TDR

The emergence of crimeware as a service

As the malware threat landscape continues to evolve, hackers are constantly changing techniques to counteract detection technologies vendors develop. By using sophisticated methods to evade antivirus technologies, hackers continue to be relentless in their pursuit of damaging IT systems and gaining access to personal information.

In the past, hackers used polymorphism and metamorphism as tactics to constantly generate new variants of worms. Essentially, through polymorphism, the virus would morph itself into different variations to bypass signature-based technologies. The antivirus industry eventually responded to polymorphism by creating emulation technologies to counteract this new breed of virus. Emulation engines were designed to mimic the properties of the morphed virus so it could be detected by other means (signature and heuristics). This approach was dependent on the researcher's access to the polymorphic engine -- meaning the logic had to be decoded before you could develop protection for specific mutations.

Subsequently, proactive technologies were developed (behavioral, heuristics). This helped when worms began to self-replicate across networks and exploit zero-day vulnerabilities faster than a signature could be created. The idea was to provide protection without depending solely on reactive technologies that were slow and clunky, and to use innovative methods that predicted dangerous characteristics. By using a statistical probability model to calculate a file's potential of being damaging, heuristics really were the first stride in proactive detection. However, as malware has evolved, organized criminals are creating new techniques and have simply adapted to the technologies that vendors have developed over the years.

Hackers are shifting their interests from fame (among shady peers) to profit and go after  financial gain by developing new and innovative ways to slip below the radar. Some of these methods are innovative and are evidence of thinking out of the box when it comes to crime. Hence the development of custom HTML injection into financial sites, for example, to obtain protected information.

As we begin to map the evolution of malware, there are several common themes of stealth and camouflage, including:
  • Custom run-time packers (compression)
  • Server-side polymorphism
  • Virtual machine/sandbox detection
Approximately 90 percent of all malware uses some form of packer, and the trend indicates they are becoming more customized by the day, making the analyst's job harder. Packers are used because compressing the code prevents AV analysts from easily decoding the sample, therefore increasing reaction time dramatically. AV vendors are constantly evolving generic unpacking routines (techniques that decompress the file and reveal the malware) to combat the rise of packers.

A major risk to security is the emergence of server-side polymorphism or “Crimeware as a Service (CaaS)”, in which the polymorphic engine does not reside within the virus code itself, but rather remotely on a server. There are two forms of server-side polymorphism that we know of today: the type that distributes mutated variations of malware into the wild in volume; and PCs that are part of a botnet -- a specific bot variant can mutate remotely via a command over HTTP. This is called crimeware as a service because the actual viral code does not actually reside on the host, but in the cloud -- similar to a software-as-a-service platform. In other words, CaaS provides malware on demand to the infected host.

This methodology has proven to be harmfully effective and difficult to counteract when approaching it with traditional anti-malware models. Server-side polymorphism is hard to detect because the transformation function (the routines used to change the signature of the code) are not visible to the virus analyst. The actual algorithms or techniques that are involved in this process cannot be studied to the degree necessary to create an effective “vaccination.” Botnet communication is often encrypted as a defense mechanism to prevent the easy discovery of a command and control server that dishes out the mutated malware. Attacks using server-side polymorphism often succeed in infecting their target while flying under the radar.

In a typical real-world scenario, server-side polymorphism can be used to carry out identity theft while remaining completely undetected. On-demand creation of identity stealing Trojans is now feasible. This strategy is used to ensure that the infection remains hidden for as long as possible while harvesting credit card and banking information.

The best bet for stopping server-side polymorphism is through the use of host-based intrusion prevention technologies, better known as HIPS. HIPS are designed for security over host-based systems, in which intrusions and infections are dealt with at individual workstations. HIPS are widely regarded by security experts as an effective safeguard against malware. HIPS solutions are only as effective to the degree that they implement multiple layers of inspection, ranging from the network stack to the application layer using proactive technologies (heuristics, behavioral analysis, behavioral blocking, etc.) to provide a holistic view of threats.

If corporations do not take a holistic approach to end-point security, server-side polymorphism, CaaS and other stealth tactics will continue to open the door to all sorts of problems, from the increase in targeted attacks to undisclosed data breaches. By using the most effective means of stopping hackers and preventing the onslaught of malware, you can rest assured that your valued information and assets will remain protected. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.