These Days, Malware Plays Hide ‘n Seek

I was recently reading about yet another security breach that has been discovered. This time, a supermarket chain in the Northeast says that in excess of 4 million credit card numbers have been exposed… Here’s the story.

However, stories like this are no longer a big surprise… through newspaper headlines and the six o’clock news, we have been made aware of such breaches happening to the likes of TJ Maxx, Google, and the United States Navy. I am just amazed that it doesn’t happen more often… or does it?

Malware today is focused on financial gain. Long gone are the days when virus writers simply tried to outdo each other for big glitzy headlines. Today, stealth and guile are the more important attributes of a successful attack. By not making its presence known, the malware just sits there, day in and day out, communicating with the bot master, sending him, or her, our credit card numbers, bank account information, passwords, Social Security numbers and everything else we hold dear.

I wouldn’t be at all surprised to find that 90% of the Fortune 500 systems are infected by botnet Trojans and worms.

If I were the author, I would go about it a little differently. I would write a multi-tiered Trojan with dozens of versions that are significantly different; much like a polymorphic virus.

My hypothetical Trojan would just sit there until a specific date and time, synchronized through NTP, then activate all copies at once. This concerted effort would be intended to initially overwhelm the system. As the victims became aware of the Trojan, and a method became available to remove it, the next tier would discover that fact and start its own activation timer. That way, by not activating immediately, it wouldn’t be as likely to be discovered in the recheck that inevitably follows a disinfection process. People forget quickly, it seems. When a certain time had elapsed the process would start all over again until all tiers had fired and delivered their payloads.

How do these units get infected in the first place? Who knows? While the most expected methods are email delivery and removable media, there are so many other avenues of attack that it is almost impossible to defend against them all. Not every infection comes from visiting porn sites or pirating software and serial numbers. There are now traditionally legitimate websites that have been hacked and infected. Just browsing to one of these sites can result in a “drive-by” infection.

The way most infections are discovered is by traditional signature-based anti-malware programs, due mostly to their prevalence in the marketplace. Unfortunately, by the time the malware is discovered, the signatures written, and the updated signatures distributed and installed, much of the damage has already been done. This is commonly referred to as a “Zero Day Attack” and accounts for more and more malware damage. That’s why I usually suggest anti-malware programs that work on the so-called “whitelist” principle of allowing known clean programs to run and denying those that cannot be validated, whether infected or not. It may be a little more inconvenient, but then again so is identity theft or having your bank account drained.
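To make the contrast concrete, here is an added Python example (not from the original post, and not any vendor's product) that simulates both policies over a few constructed sample "programs": a default-allow signature blocklist and a default-deny whitelist, with a never-before-seen variant showing where the signature approach is blind.

```python
import hashlib

# Constructed sample "executables" (placeholder bytes, not real programs):
# two validated business applications, a bot client already known to
# the signature vendor, and a repacked variant nobody has analysed yet.
SAMPLES = {
    "payroll.exe": b"payroll application build 4.2",
    "updater.exe": b"vendor updater build 1.9",
    "bot_variant_a.exe": b"bot client, variant A",
    "bot_variant_b.exe": b"bot client, variant B (repacked, never seen before)",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Signature-based blocklist: only malware the vendor has already seen.
SIGNATURES = {sha256(SAMPLES["bot_variant_a.exe"])}

# Whitelist: only programs the administrator has validated as clean.
ALLOWLIST = {sha256(SAMPLES["payroll.exe"]), sha256(SAMPLES["updater.exe"])}

def blocklist_verdict(data: bytes) -> str:
    """Default-allow: run anything that does not match a known signature."""
    return "deny" if sha256(data) in SIGNATURES else "allow"

def allowlist_verdict(data: bytes) -> str:
    """Default-deny: run only what has been validated, deny everything else."""
    return "allow" if sha256(data) in ALLOWLIST else "deny"

def evaluate(samples: dict) -> dict:
    """Return {name: (blocklist verdict, allowlist verdict)} for each sample."""
    return {n: (blocklist_verdict(d), allowlist_verdict(d)) for n, d in samples.items()}

def zero_day_misses(samples: dict) -> list:
    """Samples the blocklist lets run but the whitelist denies: exactly the
    unknown programs (new variants) that no signature exists for yet."""
    return [n for n, (b, a) in evaluate(samples).items() if b == "allow" and a == "deny"]

if __name__ == "__main__":
    for name, (b, a) in evaluate(SAMPLES).items():
        print(f"{name:20} blocklist={b:5} whitelist={a}")
    print("missed by signatures:", zero_day_misses(SAMPLES))
```

The cost of the whitelist shows up in the same output: a genuinely new, clean program is also denied until someone validates it, which is the inconvenience the post refers to.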

Go here to download an ebook on malware.

Next time… What IS the best defense?

Good Luck and Good Computing.

From way down in the trenches… Tom

