One of the more interesting topics IBM teams analyze is how malware authors keep innovating their cyberfraud techniques to evade detection, whether by endpoint solutions such as antivirus tools or by research and enterprise security systems such as sandboxes and reverse engineering.
Attacks involving Trojans are always interesting because they differ from most other threats in that they try to stay covert. Phishing, distributed denial-of-service (DDoS), defacement and ransomware attacks are visible and make no attempt to hide the attack from the victim. Trojan horses are different: their success in harvesting credentials, and their survival, depend on how well they evade researchers' analysis, evade detection on the device and persist on an infected system even after they are detected.
1. Evading Security Researchers
Once a malware campaign starts, it is only a matter of time before the new variant is detected and analyzed. Malware authors benefit from every hour that analysis takes, however. Barriers such as file encryption and environment-awareness mechanisms, for example virtual machine-aware malware that refuses to install on a virtual device, make analysis slower, and slower analysis means slower distribution of countermeasures. Some malware also uses specific tricks to defeat automated sandboxes, such as built-in time delays intended to outlast the sandbox's observation window, or payloads that only run from macro-enabled Office documents.
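As an added illustration (this is not code from the IBM article or from any malware it describes), the environment checks described above look roughly like the Python script below. It flags hypervisor artifacts the way VM-aware malware does, so an analyst can run it inside a sandbox to see which artifacts the sandbox exposes, and it measures whether a requested sleep actually elapsed, since sandboxes that shortcut Sleep() to speed up analysis are easy to spot. The MAC OUI prefixes and guest-tools process names are well-known hypervisor artifacts; the function names and the sample inventory are my own assumptions.

```python
import time

# Well-known hypervisor MAC address prefixes (OUIs), lower-case and colon-separated.
VM_MAC_PREFIXES = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
}

# Guest-tools helper processes that only exist inside a virtual machine.
VM_PROCESS_NAMES = {
    "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",
    "vboxservice.exe", "vboxtray.exe",
    "qemu-ga.exe",
}


def normalize_mac(mac):
    """Accept 00-0C-29-.., 000C29.. or 00:0c:29:.. and return 00:0c:29:.. form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vm_artifacts(mac_addresses, process_names):
    """Return (artifact, hypervisor) findings in the order VM-aware malware
    typically checks them: network adapter OUIs first, then helper processes."""
    findings = []
    for mac in mac_addresses:
        prefix = normalize_mac(mac)[:8]
        if prefix in VM_MAC_PREFIXES:
            findings.append(("mac:" + mac, VM_MAC_PREFIXES[prefix]))
    for name in process_names:
        if name.lower() in VM_PROCESS_NAMES:
            findings.append(("process:" + name, "guest tools"))
    return findings


def measure_sleep(seconds):
    """Sleep and report how much wall-clock time actually passed."""
    start = time.perf_counter()
    time.sleep(seconds)
    return time.perf_counter() - start


def sleep_was_accelerated(requested_s, observed_s, tolerance=0.5):
    """True if the sleep returned far earlier than requested, which is what a
    sandbox that patches Sleep() to skip delays looks like from the inside."""
    return observed_s < requested_s * tolerance


if __name__ == "__main__":
    # Constructed inventory of a typical VMware guest (not captured from a real host).
    sample_macs = ["00:0C:29:3A:5B:6C"]
    sample_procs = ["explorer.exe", "vmtoolsd.exe", "svchost.exe"]
    for artifact, hypervisor in vm_artifacts(sample_macs, sample_procs):
        print(f"{artifact} -> {hypervisor}")
    observed = measure_sleep(0.2)
    print("sleep accelerated:", sleep_was_accelerated(0.2, observed))
```

A sandbox that wants to survive these checks has to spoof the adapter OUI, rename or hide the guest-tools processes and let delays run (or lie consistently to every clock the sample can read), which is why prolonging analysis is such cheap leverage for the attacker.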
2. Evading Endpoint Protection Systems
The most widespread and obvious example is antivirus. Many Trojan horses and malware droppers use a range of tools and tricks to avoid antivirus detection. These range from encryption (crypter) software and services that hide the malware's code from many antivirus products, to cases in which the malware installs a lightweight Linux OS, reboots the device into the Linux kernel, deletes the security software (something it could not do from inside Windows, where it would need administrative privileges and would still run up against the product's self-protection) and then reboots back into Windows with no security software left to get in the way.
3. Persistence After Cyberfraud Detection
Ultimately the malware may well be detected, but detection is not the end for a Trojan horse. Malware authors use several techniques to remain on an infected system even after the Trojan is detected. These include rootkits, infecting the system's master boot record (MBR) and running a watchdog process that constantly monitors the malware's files. If the malware is removed, the watchdog process notices the change and initiates a fresh download and reinstallation of the malware.
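The watchdog trick leaves a distinctive trace in endpoint telemetry: a file is deleted by one process (the security product) and re-created at the same path seconds later by a different process, which then launches it. Below is an added detection example, not code from the IBM article, that looks for exactly that pattern. The event lines are constructed for the example and only loosely modelled on endpoint file and process events; the field names (ts, event, pid, image, path) are assumptions, and the pid-based exclusion of the "same process deleted and re-created the file" case is there so an ordinary installer upgrade does not trip the rule.

```python
import json
from datetime import datetime

# Constructed sample telemetry (not real logs): one JSON object per line.
# Raw string so the JSON backslash escapes survive into json.loads().
SAMPLE_EVENTS = r"""
{"ts": "2015-03-10T09:12:01", "event": "ProcessCreate", "pid": 4133, "image": "C:\\Users\\bob\\AppData\\Roaming\\updchk.exe"}
{"ts": "2015-03-10T09:12:02", "event": "ProcessCreate", "pid": 4120, "image": "C:\\Users\\bob\\AppData\\Roaming\\svchost32.exe"}
{"ts": "2015-03-10T09:40:15", "event": "FileDelete", "pid": 912, "image": "C:\\Program Files\\AV\\scanner.exe", "path": "C:\\Users\\bob\\AppData\\Roaming\\svchost32.exe"}
{"ts": "2015-03-10T09:40:23", "event": "FileCreate", "pid": 4133, "image": "C:\\Users\\bob\\AppData\\Roaming\\updchk.exe", "path": "C:\\Users\\bob\\AppData\\Roaming\\svchost32.exe"}
{"ts": "2015-03-10T09:40:24", "event": "ProcessCreate", "pid": 4150, "image": "C:\\Users\\bob\\AppData\\Roaming\\svchost32.exe"}
{"ts": "2015-03-10T10:02:00", "event": "FileDelete", "pid": 5000, "image": "C:\\Windows\\System32\\msiexec.exe", "path": "C:\\Program Files\\Tool\\tool.dll"}
{"ts": "2015-03-10T10:02:03", "event": "FileCreate", "pid": 5000, "image": "C:\\Windows\\System32\\msiexec.exe", "path": "C:\\Program Files\\Tool\\tool.dll"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_redrops(events, window_s=60):
    """Flag files re-created within window_s of being deleted by a different
    process, and note whether the re-created file was then executed."""
    alerts = []
    pending_deletes = {}  # normalized path -> most recent FileDelete event
    for ev in events:
        if ev["event"] == "FileDelete":
            pending_deletes[ev["path"].lower()] = ev
        elif ev["event"] == "FileCreate":
            key = ev["path"].lower()
            delete = pending_deletes.pop(key, None)
            if delete is None:
                continue
            elapsed = (ev["ts"] - delete["ts"]).total_seconds()
            # Same process deleting and re-creating (e.g. an upgrade) is normal.
            if elapsed <= window_s and ev["pid"] != delete["pid"]:
                alerts.append({
                    "path": ev["path"],
                    "deleted_by": delete["image"],
                    "deleted_by_pid": delete["pid"],
                    "recreated_by": ev["image"],
                    "recreated_by_pid": ev["pid"],
                    "seconds_after_delete": elapsed,
                    "recreated_at": ev["ts"],
                    "executed_after": False,
                })
    # Second pass: was the re-dropped file launched again afterwards?
    for alert in alerts:
        for ev in events:
            if (ev["event"] == "ProcessCreate"
                    and ev["image"].lower() == alert["path"].lower()
                    and ev["ts"] >= alert["recreated_at"]):
                alert["executed_after"] = True
                break
    return alerts


if __name__ == "__main__":
    for a in find_redrops(parse_events(SAMPLE_EVENTS)):
        print(f"{a['path']} removed by {a['deleted_by']} (pid {a['deleted_by_pid']}), "
              f"re-dropped {a['seconds_after_delete']:.0f}s later by {a['recreated_by']} "
              f"(pid {a['recreated_by_pid']}), executed after: {a['executed_after']}")
```

The process that re-creates the file (updchk.exe in the constructed sample) is the watchdog, and it is the one to kill and collect first: removing only the file it guards just triggers another download.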
Evading detection and analysis is just one area in which cybercriminals are investing time and effort. Join my “Major Cyberfraud Innovations of the Last Twelve Months” session at the RSA Conference 2015 to learn more about what malware, cybercriminals and fraudsters have been up to and hear about the latest case studies and research conducted by IBM Security’s innovation, security and threat teams.