The more some malware changes, the more it stays the same

I was talking with a friend recently who had worked for a couple of large companies that were frequent targets of directed malware attacks. The companies were also afflicted with the usual variety of malware traffic that most companies face.

His security strategies seemed to me, however, the most successful of any I'd heard of. And the thing that strikes me each time I talk to him is how little his greater plan for avoiding malware changes.

He is a vocal proponent of retaining means for detecting older viruses (even boot viruses!), because these still appear in his environment. But the most important thing he's done since his early days in this industry is to keep a hawk's eye not just on security trends but on what is happening moment to moment in his network.

Malware writers have used this same tactic to their advantage (though to the opposite end) since the beginning of financially motivated viruses. They create malware variants designed to stay one step ahead of signature-based anti-virus, and keep testing their creations for “detectability” by major AV vendors. When it comes time to release these creations, they use blackhat SEO techniques – crafting social engineering messages – to gain placement alongside top queries on the search engine sites. Or they put their creations where people will see them, by sending messages through popular sites such as Twitter and Facebook.

Moreover, malware authors often don't just use popular social networking sites for social engineering. Twitter has been used for a variety of purposes; people often use it to prompt themselves to remember “To Do” items, as a sort of personal “command and control” system. It was a natural evolution for malware writers to use Twitter for a similar, but more nefarious, purpose: to control bots. They understand that security staff may be less concerned by an increase in traffic to legitimate sites, so it may pass unnoticed.
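As an added example (not from the article, and not the friend's own tooling), the check below runs over a handful of constructed proxy-log lines and flags a host whose visits to a legitimate site have the clockwork regularity and elevated volume of a bot check-in rather than a person browsing. The log format, host names, domain and thresholds are assumptions made for the illustration.

```python
"""Spot bot check-ins hiding in traffic to a legitimate site.

Added example for this article, not the author's code. The log format is a
constructed, simplified proxy log: "<ISO timestamp> <src_host> <dest_domain> <bytes>".
Two signals are used: inter-request gaps that are too regular for a human
(low coefficient of variation) and a per-host request count far above the
median for the same domain across the fleet.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample log lines (not real traffic). ws-17 and ws-08 browse
# twitter.com irregularly; ws-42 checks in every five minutes with a few
# seconds of jitter and near-identical response sizes.
SAMPLE_LOG = """\
2010-06-01T09:00:12 ws-17 twitter.com 18422
2010-06-01T09:00:00 ws-42 twitter.com 1180
2010-06-01T09:05:03 ws-42 twitter.com 1172
2010-06-01T09:09:58 ws-42 twitter.com 1190
2010-06-01T09:14:59 ws-42 twitter.com 1175
2010-06-01T09:20:02 ws-42 twitter.com 1183
2010-06-01T09:25:01 ws-42 twitter.com 1168
2010-06-01T09:29:57 ws-42 twitter.com 1191
2010-06-01T09:35:00 ws-42 twitter.com 1177
2010-06-01T09:07:45 ws-17 twitter.com 22310
2010-06-01T09:41:30 ws-17 twitter.com 15004
2010-06-01T10:02:11 ws-17 twitter.com 30877
2010-06-01T09:40:01 ws-42 twitter.com 1186
2010-06-01T09:15:20 ws-08 twitter.com 20133
2010-06-01T09:33:07 ws-08 twitter.com 19877
"""


def parse_log(text):
    """Group log lines into {(host, domain): [(timestamp, bytes), ...]}, sorted by time."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain, nbytes = line.split()
        sessions[(host, domain)].append((datetime.fromisoformat(ts), int(nbytes)))
    for events in sessions.values():
        events.sort()
    return sessions


def gap_cv(events):
    """Coefficient of variation of the gaps between consecutive requests.

    Human browsing produces ragged gaps (CV near or above 1); a timer-driven
    check-in produces near-constant gaps (CV close to 0). Returns None when
    there are too few requests to judge.
    """
    if len(events) < 3:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def find_suspect_sessions(sessions, max_cv=0.1, min_requests=6, volume_factor=2.0):
    """Return [(host, domain, reasons)] for sessions that look like beaconing."""
    # Baseline: how many requests each host made to each domain, so a single
    # host can be compared with the fleet median for the same domain.
    counts = defaultdict(dict)
    for (host, domain), events in sessions.items():
        counts[domain][host] = len(events)

    findings = []
    for (host, domain), events in sorted(sessions.items()):
        reasons = []
        cv = gap_cv(events)
        if len(events) >= min_requests and cv is not None and cv <= max_cv:
            reasons.append(f"regular gaps (cv={cv:.3f})")
        baseline = median(counts[domain].values())
        if len(events) > volume_factor * baseline:
            reasons.append(f"{len(events)} requests vs fleet median {baseline:g}")
        if reasons:
            findings.append((host, domain, reasons))
    return findings


if __name__ == "__main__":
    for host, domain, reasons in find_suspect_sessions(parse_log(SAMPLE_LOG)):
        print(f"{host} -> {domain}: " + "; ".join(reasons))
```

On the constructed sample only ws-42 is reported, for both reasons. The point is the one the article makes: the destination is perfectly legitimate, so a domain blocklist sees nothing, and only a view of what is happening inside the network, here the rhythm and volume of one host's traffic compared with its peers, separates the check-in from the browsing.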

The “Hybris” virus used newsgroups back in the days of Windows 95 to update itself. It was one of the first viruses to update its own code, something now done by virtually every malware family. Newsgroups had the benefit (at least to hackers) of being virtually impossible to shut down, unlike websites. This is useful for command-and-control channels, and increasingly malware authors began using them for this purpose.

Malware threats lurk on the web, and the same old attack vectors are still quite viable. In the West Coast Labs Real Time test network, we still see significant quantities of email, FTP, P2P, IM, and AutoRun malware -- and much of what we see coming into our global collection networks are years-old virus families. The types of malware haven't changed much either. Rogue anti-virus ploys dupe users into paying for software that fabricates detections on users' machines. DNS changers redirect users to hosted malware sites or unwanted ads. Bots send spam and set up DDoS attacks. And one thing never changes: Financial motivation is still the engine moving malware development.

What's the takeaway from all this? First, be relentless in finding ways to stay informed about what is going on in your network. And if you're having problems with malware infections in your environment, carefully examine each of your defenses. Malware authors have found fundamental ways that work for them and often do not stray afield. To beat them you must constantly re-evaluate your security strategy and evolve a combination that works.
