Targeted malware attacks are growing in number, sophistication and severity in the potential damage they can inflict on victims. While traditional host-based anti-virus (AV) has established its role in protecting against widespread malware, the proliferation of successful targeted attacks has revealed a weakness in the general detection of unique malware. This is not strictly a failing of the AV technology, however. It is an example of the edge cases that fall outside the usefulness of a given tool. Understanding the challenges posed by targeted malware can illuminate why AV is not a panacea to malicious software woes.
Targeted malware survives in the shadows, avoiding detection from AV products simply by virtue of not being captured for examination. Some of the malware families take complex precautions to prevent identification, while others get by simply on the relative uniqueness of their code. With the use of crypters and packers, malware authors can easily generate an endless supply of functionally identical malware with unique hash signatures to avoid simplistic detection.
Developers of targeted malware have different objectives from their common counterparts, and the tools they develop have significant architectural and operational differences. Propagation functionality – the ability for malware to replicate – is often absent in targeted malware, while it is a defining feature of traditional worms and viruses.
Attackers are finding ways to avoid even the network-based protections of advanced AV suites. Directly delivering non-replicating malware through email in cleverly disguised container files or malicious links is a common tactic used in targeted attacks. Seeding an area with infected USB drives or even mailing optical media with malicious AutoRun files are techniques that have been used in real-world attacks to literally walk right past the organization's security controls.
The threat of targeted malware will continue to grow and a comprehensive defense involves more than relying on detection by AV technology. A deep security posture includes the controls preventing malicious code from compromising sensitive data and alerting on the activities associated with an attack.