The Myth of the Obvious Malware

September 1, 2015
4 min read

Wouldn’t it be nice if life were like a movie, where we had the rugged handsomeness of a neo-noir hero, the good guys were easy to tell from the bad and malware announced itself the moment it entered your network? Alas, cyberattacks don’t reveal themselves in blaring lines of identifiable code that send a room of perfectly coifed forensics analysts leaping into action. Well, the last part can be true with enough money and enough concern, but the first part is sheer Hollywood fiction.

Crippling malcode now lies in wait: a dormant dweller that you’ll never be able to identify without smart (not necessarily well-coifed) IT professionals and analytic algorithms that expect the unexpected. Remember the “Blade Runner” Replicants of the far-off future, androids that had become more than machine? They were so sophisticated that Harrison Ford’s Deckard could only see behind the veil by probing the very root of each being’s logic and semblance of awareness with a sophisticated bio-response lie detector. Malware is smart, and it’s getting Replicant-smarter every day.

But you can be a Deckard in days with the right endpoint protection.

We’ve Seen Things You Wouldn’t Believe

The security researchers at IBM X-Force have seen a multitude of malware samples. With 270 million monitored endpoints sending in data, that’s a lot of malcode to wade through. Although there are many variants, advanced persistent threats (APTs) share some common traits.

Successful malware is highly evasive. It can sit quietly on a machine for long periods, doing nothing until certain trigger conditions are met (a targeted banking site is visited, for example, or a check confirms it is not running in an analysis sandbox), and it uses sophisticated techniques to bypass detection in the meantime. It is not engineered to stroll into a noodle bar and announce itself in Cityspeak; rather, it sidles into the network through vectors such as well-crafted phishing or social engineering schemes. Mass-distributed advanced malware raises the stakes further: attackers can buy off-the-shelf malware campaigns that come with a comprehensive menu of functions and reusable configuration files.

These kits combine techniques that can include keystroke logging, RAM scraping, browser hooking to capture one-time passwords (OTPs), man-in-the-browser capabilities, dynamic webinjection, persistent rootkits and even virtual network computing (VNC) to launch a connection to the target site from the infected machine itself, so the fraudulent session originates from the victim’s own device and IP address and looks legitimate to the site. These kits are built to be reusable and adaptable to the target environment.

The Voight-Kampff for Advanced Malware

Since real-life malcode doesn’t announce itself with distinguishing red lettering on your screen like in the movies, you have to watch for more subtle signs, the equivalent of bio-response micro-tells. Here are a few signs that an endpoint may have been infected:

  • Sluggish performance: Even with no resource-heavy applications running, random system crashes or sustained high CPU usage can be a sign of infection. If you also hear the CPU fan running at full speed for long stretches as soon as the computer is booted, that is another indication of potential compromise.
  • Unexpected email activity: Perhaps your emails are being received or sent erratically, you are hearing from colleagues that they received emails from you that you did not send or you are getting out-of-office notices for emails you did not send. It’s possible your email password was stolen or your system was infiltrated.
  • Strange windows or messages: If programs are starting or stopping without your intervention, you’re getting notification pop-ups like a sea of billboards in a dystopian future, new programs are attempting to access the Internet or you open a PDF and it instantly disappears, you could be infected with malcode.
  • Sudden endpoint protection disablement: Advanced malware will often disable traditional antivirus protection to save itself from certain death. If you notice your antivirus or endpoint protection is suddenly disabled, treat it as a sign of compromise until proven otherwise: don’t simply re-enable it and move on, but isolate the machine and investigate what stopped it.
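The signs above are subjective, so a responder usually wants to turn them into repeatable checks over data collected from the host. The following is an added example, not code from the original post or from IBM: it runs three of the checks (protection service stopped, sustained CPU by one process, network connections from a binary outside trusted program directories) over a constructed host snapshot. The service names, trusted directories, thresholds and the snapshot itself are assumptions for illustration; in practice the data would come from a process monitor or EDR export.

```python
"""Host triage over a constructed endpoint snapshot (added example).

Service names, trusted directories, thresholds and sample data below are
assumptions for illustration, not values taken from the original post.
"""
from dataclasses import dataclass, field

# Endpoint-protection services we expect to be running (assumed names).
PROTECTION_SERVICES = {"WinDefend", "EndpointAgent"}

# Directories a normal installed application binary should live under
# (assumed; compared case-insensitively because Windows paths are).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

CPU_THRESHOLD = 80.0   # percent of one core
CPU_MIN_SAMPLES = 3    # this many consecutive samples above threshold = "sustained"


@dataclass
class Process:
    pid: int
    name: str
    path: str
    cpu_samples: list                                 # CPU % at successive sampling intervals
    remote_hosts: list = field(default_factory=list)  # outbound connections ("ip:port")


def sustained_cpu(p: Process) -> bool:
    """True if the last CPU_MIN_SAMPLES samples all exceed CPU_THRESHOLD."""
    tail = p.cpu_samples[-CPU_MIN_SAMPLES:]
    return len(tail) == CPU_MIN_SAMPLES and all(s > CPU_THRESHOLD for s in tail)


def untrusted_path(p: Process) -> bool:
    """True if the process image lives outside the trusted program directories."""
    return not p.path.lower().startswith(TRUSTED_DIRS)


def triage(services: dict, processes: list) -> list:
    """Return (severity, rule, detail) findings for one host snapshot."""
    findings = []
    # Rule 1: a protection service that is not running is the strongest single tell.
    for svc in sorted(PROTECTION_SERVICES):
        state = services.get(svc, "missing")
        if state != "running":
            findings.append(("high", "protection-disabled", f"{svc} is {state}"))
    for p in processes:
        # Rule 2: one process pinning the CPU across several samples.
        if sustained_cpu(p):
            findings.append(("medium", "sustained-cpu",
                             f"{p.name} (pid {p.pid}) at {p.cpu_samples[-1]}%"))
        # Rule 3: network activity from a binary running out of a user-writable location.
        if p.remote_hosts and untrusted_path(p):
            findings.append(("high", "untrusted-binary-network",
                             f"{p.name} from {p.path} -> {', '.join(p.remote_hosts)}"))
    return findings


# Constructed snapshots. Remote addresses use documentation ranges (RFC 5737).
CLEAN_SERVICES = {"WinDefend": "running", "EndpointAgent": "running"}
CLEAN_PROCESSES = [
    Process(1200, "chrome.exe", r"C:\Program Files\Google\Chrome\chrome.exe",
            [12.0, 30.5, 9.1], ["203.0.113.10:443"]),
    Process(1300, "outlook.exe", r"C:\Program Files\Microsoft Office\outlook.exe",
            [4.0, 3.2, 5.5], ["203.0.113.20:443"]),
]
INFECTED_SERVICES = {"WinDefend": "stopped", "EndpointAgent": "running"}
INFECTED_PROCESSES = CLEAN_PROCESSES + [
    # A binary named like a system process but running from the user's temp folder.
    Process(4412, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
            [91.0, 94.2, 97.8, 95.0], ["198.51.100.23:8080"]),
]

if __name__ == "__main__":
    for label, svc, procs in (("clean", CLEAN_SERVICES, CLEAN_PROCESSES),
                              ("infected", INFECTED_SERVICES, INFECTED_PROCESSES)):
        print(f"== {label} ==")
        for severity, rule, detail in triage(svc, procs):
            print(f"[{severity}] {rule}: {detail}")
```

The checks are deliberately simple; the point is that each soft symptom in the list maps to a measurable condition. A process name alone (here `svchost.exe`) proves nothing, which is why the third rule keys on the image path combined with network activity rather than on the name.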

Do Hackers Dream of Electric Sheep?

Recently, the security researchers at IBM Security X-Force have discovered several particularly potent malware samples in the wild, including the Tinba Trojan and new variants of Dyre. The creators of this type of malcode work together in an ecosystem, collaborating on penetration and evasion strategies to maximize the return on their development investment. Their best hope is to lull the target system into a sense of complacency, to be the virtual wolf in electric sheep’s clothing, waiting for the right time to expand and gather sensitive data.

Although potentially highly entertaining, the “Hollywood O/S” does not exist. Clumsy malware does not last long in the wild, and we are left to fight insidious malcode that snakes through networks and hides itself in plain sight like a Nexus-6 replicant. There is no four-year expiration date on this code either, as it continues to be reinvented, reinvigorated and rebuilt to attack more and better targets.

Advanced malware protection solutions can help stop exploits by focusing on the behavior of malware rather than its signature. By blocking malicious communication channels between the malware and the attacker, stopping the anomalous activity that exploits cause and protecting credentials against reuse or submission on phishing sites, these solutions can help stop attackers from stealing your data.

To learn more about advanced malware protection, watch this video from IBM Security Trusteer Apex — flying cars sold separately.

Pamela Cobb
Market Segment Manager, IBM X-Force and Security Intelligence

Pamela Cobb directs product marketing activities for the IBM X-Force and Threat Protection offerings, developing messaging, collateral and website content.