One of the interesting topics IBM teams analyze is how malware authors constantly innovate their cyberfraud techniques to evade detection, whether by endpoint solutions such as antivirus tools or by research and enterprise security tooling such as sandboxes and reverse engineering.

Attacks involving Trojans are always interesting since they differ from most other threats in that they try to stay covert. While attacks such as phishing, distributed denial-of-service, defacement and ransomware are visible and do not try to hide the actual attack from the victim, Trojan horses are unique because their success in harvesting credentials, and their survivability, rely on how well they evade researchers’ analysis, evade detection on the device and persist on an infected system even after they are detected.

1. Evading Security Researchers

Once a malware campaign starts, it’s only a matter of time before the new variant is detected and analyzed. However, malware authors benefit from prolonging the time it takes researchers to analyze the variant. It will take researchers longer to analyze the malware if there are barriers such as file encryption in place and environment-awareness mechanisms such as virtual machine-aware malware that will not install on virtual devices. This leads to a slower distribution of countermeasures. It is also worth noting that some types of malware use specific tricks to overcome detection by sandboxes, such as specific time delays and targeting macro-enabled Office applications.

2. Evading Endpoint Protection Systems

The most widespread and obvious example is that of antivirus solutions. Many Trojan horses and malware droppers use different tools and tricks to avoid antivirus detection. These range from encryption tools and services that help hide the malware from many antivirus solutions to cases in which the malware installs a lightweight Linux OS, reboots the device with the Linux kernel, deletes security software (something it cannot do in Windows mode since it would need administrative privileges) and reboots back into Windows, now with no security software to get in the way.

3. Persistence After Cyberfraud Detection

Eventually the malware will likely be detected, but for Trojan horses not all is lost at that point. There are several techniques malware authors use to remain on the infected system even after the Trojan is detected. These can include rootkits and infecting the system master boot record, or running a watchdog process that constantly monitors the malware files. If the malware is removed, the watchdog process will identify the change and initiate a new download of the malware.
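From the defender's side, the watchdog behaviour described above leaves a distinctive trace: a file that security software just removed reappears at the same path seconds later, written by a different process. The following script is an added example, not code from the original post; it runs a simple correlation over a constructed endpoint log whose format (`timestamp|event|path|process`), file names and process names are all made up for illustration.

```python
# Added example (not from the original post): correlate FILE_DELETED and
# FILE_CREATED events from a constructed endpoint log to flag the "watchdog
# re-download" pattern: a removed file reappears at the same path shortly
# afterwards, written by a process other than the one that removed it.
from datetime import datetime, timedelta

# Constructed sample events (hypothetical file and process names).
SAMPLE_LOG = """\
2015-03-10T10:00:01|FILE_DELETED|C:\\Users\\bob\\AppData\\Roaming\\svch0st.exe|avscan.exe
2015-03-10T10:00:09|FILE_CREATED|C:\\Users\\bob\\AppData\\Roaming\\svch0st.exe|wdog.exe
2015-03-10T10:05:00|FILE_DELETED|C:\\Users\\bob\\Downloads\\report.pdf|explorer.exe
2015-03-10T11:30:00|FILE_CREATED|C:\\Users\\bob\\Downloads\\report.pdf|explorer.exe
"""


def parse_events(text):
    """Parse 'timestamp|event|path|process' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, path, proc = line.split("|")
        events.append((datetime.fromisoformat(ts), kind, path, proc))
    return events


def find_reappearing_files(events, window=timedelta(seconds=60)):
    """Return (path, deleting_process, recreating_process, seconds) for every
    file recreated at the same path within `window` of its deletion by a
    process other than the one that deleted it. A user re-saving a document
    (same process, long gap) does not match, which keeps noise down."""
    alerts = []
    pending = {}  # path -> (deletion time, deleting process)
    for ts, kind, path, proc in sorted(events):
        if kind == "FILE_DELETED":
            pending[path] = (ts, proc)
        elif kind == "FILE_CREATED" and path in pending:
            del_ts, del_proc = pending.pop(path)
            delta = ts - del_ts
            if delta <= window and proc != del_proc:
                alerts.append((path, del_proc, proc, int(delta.total_seconds())))
    return alerts


if __name__ == "__main__":
    for path, deleter, creator, secs in find_reappearing_files(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {path} removed by {deleter}, recreated by {creator} after {secs}s")
```

In a real deployment the same correlation would run over file-system telemetry from an EDR or Sysmon-style source, and the recreating process would be the first candidate for the watchdog.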

Evading detection and analysis is just one area in which cybercriminals are investing time and effort. Join my “Major Cyberfraud Innovations of the Last Twelve Months” session at the RSA Conference 2015 to learn more about what malware, cybercriminals and fraudsters have been up to and hear about the latest case studies and research conducted by IBM Security’s innovation, security and threat teams.
