April 21, 2015 By Etay Maor 2 min read

One of the interesting topics IBM teams analyze is the ways in which malware authors constantly innovate their cyberfraud techniques when it comes to evading detection either by endpoint solutions, such as antivirus tools, or research and enterprise security systems, such as sandboxes and reverse engineering techniques.

Attacks involving Trojans are always interesting since they differ from most other threats in that they try to stay covert. While attacks such as phishing, distributed denial-of-service, defacement and ransomware attacks are visible and do not try to hide the actual attack from the victim, Trojan horses are unique because their success in harvesting credentials and survivability rely on how well they evade researchers’ analysis, detect devices and persist on an infected system after they are detected.

1. Evading Security Researchers

Once a malware campaign starts, it’s only a matter of time before the new variant is detected and analyzed. However, malware authors benefit from prolonging the time it takes researchers to analyze the variant. It will take researchers longer to analyze the malware if there are barriers such as file encryption in place and security awareness mechanisms such as virtual machine-aware malware that will not install on virtual devices. This leads to a slower distribution of countermeasures. It is also worth noting that some types of malware use specific tricks to overcome detection by sandboxes, such as specific time delays and targeting micro-enabled Office applications.

2. Evading Endpoint Protection Systems

The most widespread and obvious example is that of antivirus solutions. Many Trojan horses and malware droppers use different tools and tricks to avoid antivirus detection. These range from encrypting software and services that help protect the malware from many antivirus solutions to cases in which the malware installs a lightweight Linux OS, reboots the device with the Linux kernel, deletes security software (something it cannot do in Windows mode since it would need administrative privileges) and rebooting back in Windows, now with no security software to get in the way.

3. Persistence After Cyberfraud Detection

Ultimately, the malware may hopefully get detected, but not all hope is lost when it comes to Trojan horses. There are several techniques malware authors use to remain on the infected system even after the Trojan is detected. These can include rootkits and infecting the system master boot record, or sunning a watchdog process that constantly monitors the malware files. If the malware is removed, the watchdog process will identify the change and initiate a new download of the malware.

Evading detection and analysis is just one area in which cybercriminals are investing time and effort. Join my “Major Cyberfraud Innovations of the Last Twelve Months” session at the RSA Conference 2015 to learn more about what malware, cybercriminals and fraudsters have been up to and hear about the latest case studies and research conducted by IBM Security’s innovation, security and threat teams.

More from Fraud Protection

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today