Three Malware Trends to Watch in 2012

2011 was a landmark year to say the least, in terms of network security and the overall evolution of malware, and there are no indications that things will slow down anytime soon. With that in mind, let's embark on that traditional new year exercise and predict a few of the trends we’re likely to see in 2012.

The Malware Arms Race Will Continue to Accelerate

While in 2011 the headlines were filled with the escapades of high profile groups such as Anonymous and LulzSec, it is the appearance of Stuxnet and Duqu that will likely have the most significant impact on security as we move into 2012. At the most basic level, the seemingly related code of Stuxnet and Duqu presents a major technical leap forward in the sophistication of malware. The malware industry is obviously a very Darwinian crucible, where tactics that are seen to work in one type of malware are quickly pilfered and incorporated into other competing types of malware. With Duqu and Stuxnet the technical leap is so stark that it can’t help but be analyzed and emulated by other malware authors.

However, in the case of Stuxnet/Duqu, the “who” is just as important as the “what”. The very sophistication of Stuxnet implies that it was created by a much more sophisticated organization than we have seen from malware before. We have all witnessed the change in malware and intrusions over the past several years as “hackers” evolved from being individuals honing their skills and looking for fame into more sophisticated criminal enterprises. As the organizations behind malware continue to trend ever more sophisticated, one would have to assume that things will continue to get worse before they get better.

Controlling the Dark Side of Applications Will Become Essential

Modern malware is defined just as much by its communications as by the actual infecting file. The vast majority of malware today is designed to remain resident on a host machine, provide repeated access for an attacker and remotely control the infected host. All of this means that the malware in question must be able to communicate repeatedly without being detected or arousing suspicion. This also means that malware needs communications channels that can remain anonymous, or at least can hide from the prying eyes of security. Today this is being done by repurposing a variety of security technologies for the benefit of the malware, such as encrypting malware traffic to avoid inspection, using proxies or Tor to anonymize traffic, tunneling communications within accepted applications or using evasive tunneling applications.

These are incidentally many of the same techniques that employees have learned to leverage in order to avoid network security controls when looking to engage in application or web activity that their company has not sanctioned. As a result, it will be increasingly important for IT to be able to recognize and control these attempts to subvert security policy, in much the same way they have learned to control peer-to-peer applications and social networking applications over the past few years. The truth is that if you can remove the ability for malware to communicate, you can typically take away a great deal of its power.
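An added example, not the column's own code, of the defender-side check the two paragraphs above describe: flagging connections that recur on a regular timer (the "communicate repeatedly" pattern) and flows whose application label is on an evasive-app blocklist, run over constructed flow records. The addresses, app labels and thresholds are assumptions.

```python
# Beaconing and evasive-app detection over constructed flow logs (example added here).
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow log: "epoch_seconds,src_ip,dst_ip,dst_port,app".
# 10.0.0.5 contacts 203.0.113.9:443 roughly every 60s (constructed beacon);
# 10.0.0.7 browses irregularly; 10.0.0.9 has a flow labelled as Tor.
SAMPLE_LOG = """\
0,10.0.0.5,203.0.113.9,443,ssl
61,10.0.0.5,203.0.113.9,443,ssl
119,10.0.0.5,203.0.113.9,443,ssl
181,10.0.0.5,203.0.113.9,443,ssl
240,10.0.0.5,203.0.113.9,443,ssl
299,10.0.0.5,203.0.113.9,443,ssl
5,10.0.0.7,198.51.100.20,80,web-browsing
12,10.0.0.7,198.51.100.20,80,web-browsing
140,10.0.0.7,198.51.100.20,80,web-browsing
143,10.0.0.7,198.51.100.20,80,web-browsing
290,10.0.0.7,198.51.100.20,80,web-browsing
33,10.0.0.9,192.0.2.44,9001,tor
"""

DISALLOWED_APPS = {"tor", "proxy", "tunnel"}  # constructed policy: evasive app labels

def parse_flows(text):
    """Parse 'ts,src,dst,port,app' records into (int, str, str, int, str) tuples."""
    rows = [ln.split(",") for ln in text.splitlines() if ln.strip()]
    return [(int(t), s, d, int(p), a) for t, s, d, p, a in rows]

def find_beacons(flows, min_count=5, max_cv=0.15):
    """Return (src, dst, port, mean_gap) for channels seen at least min_count times
    whose inter-arrival gaps are regular: stdev/mean below max_cv (assumed threshold)."""
    by_channel = defaultdict(list)
    for ts, src, dst, port, _app in flows:
        by_channel[(src, dst, port)].append(ts)
    beacons = []
    for key, times in by_channel.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            beacons.append((*key, round(avg, 1)))
    return beacons

def policy_violations(flows, disallowed=DISALLOWED_APPS):
    """Flows whose application label is on the evasive-app blocklist."""
    return [(src, dst, port, app) for _ts, src, dst, port, app in flows if app in disallowed]
```

Irregular browsing (10.0.0.7) fails the regularity test even though it meets the count, while the timed channel and the Tor-labelled flow are both surfaced for review.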

Sandbox Analysis of Malware Will Go Mainstream in Network Security

As discussed in the prior section, malware has become much more of a network-based animal than at any point in the past. This means that anti-malware technologies are no longer the sole domain of end-point security, and increasingly network security will have a critical role to play. As malware has become more sophisticated and adept at avoiding traditional anti-virus signatures using obfuscation techniques, dynamic code or simply designing custom malware that is unique to its target, IT teams have been forced to look for new techniques for finding and controlling malware.


Over the past year, we have seen a familiar anti-malware technology, the sandbox, find a new home in network security. This makes sense for a variety of reasons.

First, a sandbox provides an environment where a suspicious file can be executed to observe what it really does. This means IT can determine whether a file is malicious or not based on what it actually does, rather than simply relying on whether it matches a signature that their AV vendor provided.

Secondly, integrating this technology into network security provides a centralized point of visibility where all traffic can be analyzed. Network security by design creates choke-points where traffic can be inspected without actually being an end-point in the conversation. This is incredibly powerful for anti-malware technologies, which are highly adept at owning one or both ends of a conversation. This sort of behavior-based sandbox analysis of malware is now being incorporated into high-throughput inline firewalls, allowing more and more IT teams to actually bring the technology out of the lab environment and put it in production. This will be a very timely addition to the IT security arsenal at a time when malware seems to be on the march.

These techniques of course won’t be a panacea for the problems facing IT and security managers today, but they will provide new types of visibility and control that security staff will need to have in order to keep pace with a changing threat landscape. If we can shine light on the covert channels where malware hides its communications, and detect malware based on its actual behavior, then we, as an industry, will be able to see and control the fundamental building blocks of even the most advanced malware moving forward.

Read Wade’s other columns on Malware here.
