Security Experts:

The Evolution of Malware

An Introduction to Modern Malware

Today’s threat landscape is in flux and modern malware is emerging as one of the most concerning forces at play. With the ability to potentially coordinate millions of infected nodes, pass through security boundaries undetected on demand, and to adapt functionality on demand, modern malware has more in common with a fully distributed cloud-based application than it does with the simple self-replicating viruses and worms that we have known in the past. This transformation demands an update to the ways that we think about these threats if we are to have a fighting chance and protecting our enterprise networks against them.

Introduction to MalwareA Brief History of Malware

40 years ago while working at BBN, Bob Thomas began experimenting with the concept of a mobile application. To this end he developed the Creeper program, which had the ability to move from machine to machine. Creeper quickly proliferated through ARPANET infecting everything in its path, and the emergence of the computer virus was upon us.

However, even this modest beginning exposed a fundamental lesson about malware that we still grapple with today – a decentralized, mobile application is implicitly tied to the presence of a network or some similar communication media. Creeper needed ARPANET, and malware has mirrored the evolution of networking ever since.

By 1988, the Morris Worm had taken hold and shown the power of relatively simple programs to use applications and the Internet to rapidly infect large numbers of machines in very short periods of time. Throughout the 1990s and early 2000s, malware continued to evolve, adding new functions and pushing the bar higher in terms of infection rates. Despite these advances, malware still remained very much a self-replicating message in a bottle. The power of the malware was largely predetermined at the time it was written. The program had a job to do, but the logic of the threat was largely contained within the malware’s code itself.

The Emergence of Malware Synthesis

By 2007, the steady evolution of malware gave way to a seismic lurch forward. Around this time the first botnets began to appear, and fundamentally changed the world of malware (and IT security along with it). Botnets differed from their predecessors in that all of the infected hosts could be centrally controlled by a remote attacker, allowing all the individual machines to cooperate as one massive distributed malware application. This alone would be a major step, however there is another equally important point – the intelligence behind the malware was now dynamic instead of fixed. A person could continually direct and modify the malware based on his needs as opposed to being locked into the capabilities that were initially written into the malware.

This evolutionary jump fundamentally changed the game, and impacted how malware writers developed their code. Instead of the focus of malware being some set action such as sending spam, now the attention shifted to designing a platform that could sustain an ongoing and dynamic attack. The command-and-control infrastructure charged with organizing the operation became paramount. Stealth became a primary objective because intruders could now control and take advantage of an infected machine for an indefinite period of time.

The attacker could always update the malware program as his needs changed—send spam one day, and steal credit card numbers the next. The strength of a piece of malware came to rest on the quality of its communication, management and ability to avoid detection. On the endpoint, this meant taking advantage of years of experience in hiding from and disabling client-side security, and at the network level it meant evolving into one of the most powerful and resilient network applications in the world.

Understanding Today’s Modern Malware

Given the evolution of malware, it is important that we look at more than simply the function of the malware (i.e. a banking botnet). It is just as important to understand how malware protects itself, communicates and foils our existing defense in depth. To assist in this classification we can follow the malware through its lifecycle:

Infection: How is the malware delivered? Via an executable, packed into a file, delivered via an infected webpage? How does the malware communicate?

Persistence: Once on the host, how is the host able to persist on the infected host without triggering host-based security? Does it use a rootkit? Does it disable antivirus? Does it install backdoors? This area can be very deep because malware authors have a long cat-and-mouse history relative to the anti-virus industry and there are a wealth of techniques to avoid detection.

Communication: The malware expects to be resident on the infected machine for a long time, so it is going to need a method of communicating that does not trigger network security solutions. Furthermore the ability to communicate largely represents the power of the malware. Without the ability to communicate, modern malware would quickly begin to look like our more traditional worms and viruses. Does it communicate on non-standard ports, encrypt its traffic, use proxies, or tunnel within other approved applications?

Command and Control: How is the command-and-control managed? Does it get updated configuration files, or send and receive messages from peer-to-peer networks? How does the malware cope with the loss of a command-and-control server?

Malicious Functions:  Of course we ultimately must keep track of the end behavior of the malware. Some malware will remain very focused, targeting a specific type of information within a specific organization. Others will vary over time, shifting with the needs and desires of bot owner.

These are the key factors that we can use to define an instance of modern malware, and in the process, provide a roadmap for how we will ultimately be able to control malware. The methods of communication, persistence and command-and-control provide malware with power, but also represent points of vulnerability. And contrary to popular opinion, we actually have the tools and best practices today to defend ourselves today. In my next column, I will dive into the specifics of what IT security teams can do today and the best practices that will be required to manage modern malware going forward.

Wade Williamson is a Senior Threat Researcher at Shape Security. He has extensive industry experience in intrusion prevention, malware analysis, and secure mobility. He has extensive speaking experience having delivered the keynote for the EICAR malware conference and led the Malware Researcher Peer Discussion at RSA. Prior to joining Shape, he was Sr. Security Analyst at Palo Alto Networks where he led the monthly Threat Review Series and authored the Modern Malware Review. He has also led the product management team at AirMagnet where he helped to develop a variety of security and network analysis tools targeted to WiFi networks. He has been a steady and active researcher of new threats and techniques used to compromise enterprise networks and end-users.