Three Malware Trends to Watch in 2012

2011 was a landmark year to say the least, in terms of network security and the overall evolution of malware, and there are no indications that things will slow down anytime soon. With that in mind, let's embark on that traditional new year exercise and predict a few of the trends we're likely to see in 2012.

The Malware Arms Race Will Continue to Accelerate

While in 2011 the headlines were filled with the escapades of high profile groups such as Anonymous and LulzSec, it is the appearance of Stuxnet and Duqu that will likely have the most significant impact on security as we move into 2012. At the most basic level, the seemingly related code of Stuxnet and Duqu presents a major technical leap forward in the sophistication of malware. The malware industry is obviously a very Darwinian crucible, where tactics that are seen to work in one type of malware are quickly pilfered and incorporated into other competing types of malware. With Duqu and Stuxnet the technical leap is so stark that it can't help but be analyzed and emulated by other malware authors.

However, in the case of Stuxnet/Duqu, the “who” is just as important as the “what”. The very sophistication of Stuxnet implies that it was created by a much more sophisticated organization than we have seen from malware before. We have all witnessed the change in malware and intrusions over the past several years as “hackers” evolved from being individuals honing their skills and looking for fame into more sophisticated criminal enterprises. As the organizations behind malware continue to trend ever more sophisticated, one would have to assume that things will continue to get worse before they get better.

Controlling the Dark Side of Applications Will Become Essential

Modern malware is defined just as much by its communications as by the actual infecting file. The vast majority of malware today is designed to remain resident on a host machine, provide repeated access for an attacker and remotely control the infected host. All of this means that the malware in question must be able to communicate repeatedly without being detected or arousing suspicion. This also means that malware needs communications channels that can remain anonymous, or at least can hide from the prying eyes of security. Today this is being done by repurposing a variety of security technologies for the benefit of the malware, such as encrypting malware traffic to avoid inspection, using proxies or Tor to anonymize traffic, tunneling communications within accepted applications or using evasive tunneling applications.

These are incidentally many of the same techniques that employees have learned to leverage in order to avoid network security controls when looking to engage in application or web activity that the company has not sanctioned. As a result, it will be increasingly important for IT to be able to recognize and control these attempts to subvert security policy in much the same way they have learned to control peer-to-peer applications and social networking applications over the past few years. The truth is that if you can remove the ability for malware to communicate, you can typically take away a great deal of its power.
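The point of the two paragraphs above is that resident malware has to keep calling home, and that the timing of those calls is visible to the network even when the payload is encrypted, proxied or tunneled. The following script is an added illustration of that idea and is not code from SecurityWeek or the column's author. It assumes a simple firewall or proxy export with one line per outbound connection, "<ISO timestamp> <src_ip> <dst_ip>:<dst_port>", and it flags source/destination pairs whose connections arrive on a near-constant timer. The log lines embedded in it are constructed for the example.

```python
"""Beacon detection over constructed outbound-connection logs.

Added illustration for the column above; not SecurityWeek's or the
author's code. Assumes a firewall/proxy export with one line per
outbound connection: "<ISO timestamp> <src_ip> <dst_ip>:<dst_port>".
The sample lines are constructed, not real traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.1.2.5 contacts 203.0.113.9:443 every ~5 minutes
# with tiny jitter (a timer-driven beacon); everything else is irregular.
SAMPLE_LOG = """\
2012-01-03T09:00:00 10.1.2.5 203.0.113.9:443
2012-01-03T09:00:31 10.1.2.5 198.51.100.20:80
2012-01-03T09:05:01 10.1.2.5 203.0.113.9:443
2012-01-03T09:10:00 10.1.2.5 203.0.113.9:443
2012-01-03T09:12:44 10.1.2.5 198.51.100.21:80
2012-01-03T09:15:02 10.1.2.5 203.0.113.9:443
2012-01-03T09:20:00 10.1.2.5 203.0.113.9:443
2012-01-03T09:25:01 10.1.2.5 203.0.113.9:443
2012-01-03T09:30:00 10.1.2.5 203.0.113.9:443
2012-01-03T09:02:10 10.1.2.7 198.51.100.20:80
2012-01-03T09:02:11 10.1.2.7 198.51.100.20:80
2012-01-03T09:40:05 10.1.2.7 198.51.100.22:443
2012-01-03T09:58:30 10.1.2.7 198.51.100.20:80
"""


def parse_log(text):
    """Group connection timestamps by (src_ip, dst_ip:port) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def interval_stats(times):
    """Return (mean gap in seconds, coefficient of variation) for sorted timestamps."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    # CV close to 0 means the gaps are nearly identical, i.e. a timer.
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(conns, min_connections=5, max_cv=0.1):
    """Flag pairs with many connections whose spacing is nearly constant.

    The payload may be TLS, proxied or tunneled inside an allowed
    protocol; the periodicity of the channel is what gives it away.
    """
    findings = []
    for (src, dst), times in conns.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        period, cv = interval_stats(times)
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(times),
                "period_s": round(period, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample the only pair that survives both filters is 10.1.2.5 talking to 203.0.113.9:443, with a period of about 300 seconds. The thresholds (at least five connections, coefficient of variation at or below 0.1) are assumptions chosen for the example; in production they would be tuned against the baseline of legitimate periodic traffic such as update checks, and the output would feed the policy controls the column describes rather than stand alone.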

Sandbox Analysis of Malware Will Go Mainstream in Network Security

As discussed in the prior section, malware has become much more of a network-based animal than at any point in the past. This means that anti-malware technologies are no longer the sole domain of end-point security, and increasingly network security will have a critical role to play. As malware has become more sophisticated and adept at avoiding traditional anti-virus signatures using obfuscation techniques, dynamic code or simply designing custom malware that is unique to its target, IT teams have been forced to look for new techniques for finding and controlling malware.

Over the past year, we have seen a familiar anti-malware technology, the sandbox, find a new home in network security. This makes sense for a variety of reasons.

First, a sandbox provides an environment where a suspicious file can be executed to observe what it really does. This means IT can determine whether a file is malicious or not based on what it actually does, rather than simply relying on whether it matches a signature that their AV vendor provided.

Secondly, integrating this technology into network security provides a centralized point of visibility where all traffic can be analyzed. Network security by design creates choke-points where traffic can be inspected without actually being an end-point in the conversation. This is incredibly powerful for anti-malware technologies, since malware is highly adept at owning one or both ends of a conversation. This sort of behavior-based sandbox analysis of malware is now being incorporated into high-throughput inline firewalls, allowing more and more IT teams to actually bring the technology out of the lab environment and put it in production. This will be a very timely addition to the IT security arsenal at a time when malware seems to be on the march.

These techniques of course won't be a panacea for the problems facing IT and security managers today, but they will provide new types of visibility and control that security staff will need in order to keep pace with a changing threat landscape. If we can shine light on the covert channels where malware hides its communications, and detect malware based on its actual behavior, then we, as an industry, will be able to see and control the fundamental building blocks of even the most advanced malware moving forward.
