Protect Against Attack
Stop theft of credit card and other biographical data
- By Brian Laing
- Feb 04, 2014
The one thing consistent about malware attacks
is that they continue to change quite
a bit as time goes by. Initially, many attacks
were unstructured and untargeted, indiscriminately
honing in on large numbers of
hosts in an attempt to find their vulnerabilities.
The outcome of these initial attacks was often simple
defacement or destruction of data with very few of the overall
volume of these attacks covered in the news.
Fast forward to 2014.
The goals of attackers have shifted away from basic defacement
(“smash-and-grab” approach of rapid infection) with a
decided move towards stealth, driven by financial gain or data
theft. This shift was generated from the theft of credit card and
other biographical data, and has driven up the creation of new
malware, the number of breaches and the total cost of a breach.
Recent Breach Statistics
Indications from the AV-TEST Institute (www.av-test.org) demonstrate
where the amount of created malware increased to over
30 million in 2012. Currently, however, this institute registers
more than 200,000 new malicious programs every day. This rapid
increase in new malware has had a major impact on breaches, as
well. Verizon research shows that 69 percent of breaches during
2011 incorporated malware.
Looking at the financial side of the equation, the 2013
Ponemon Institute shows companies paying as much as $199
per record with total costs as high as $5.4 million for a breach in
the United States. Tracking from 2005 to present, Privacy Rights
Clearinghouse shows nearly 622 million (621,955,664 to be exact)
records compromised from 4,088 data breaches that were made
public in the United States.
While the financial loss from handling record breaches is
staggering, the additional loss from the fraudulent use of any
breached data records is significant. LexisNexis shows $21 billion
in losses due to identity fraud in 2012, adding to the trend
that this is worse, not better. One only needs to look at the 2013
Thanksgiving Target breach as evidence.
Weapons-Grade Malware Lying in Wait
So far, we have only talked about information covering breaches
that have become public and the creation of known malware.
But, there is also a large amount of unknown, weapons-grade
malware, elevated to a quality level that allows it to be used in
advanced targeted attacks, lying in stealth-mode, waiting for
These new attacks are now highly targeted, using code that
has been QA-tested to levels that rival many commercial applications.
This level of QA has allowed attacks to now use multiple
code modules that can be updated or swapped out via built-in,
Each module has its own task, for example, profiling systems
to help in the identification of target systems that report back
on potential targets. Other modules add evasion and protection
capabilities. These modules can locate security or monitoring systems
that can potentially detect, disable or feed them false information
to allow the malware to remain undetected. If a module
cannot handle a given defense, other modules can be loaded to
breach profiled targets, collect targeted information or deliver
some destructive payload.
New Options in Malware
The options are constantly expanding with examples such as
Stuxnet, Duqu, Flame, and PlugX showing what can be done.
Although not all unknown malware is as complex as a Stuxnet,
it will still use various techniques of its more complex brethren.
This new malware is not just used by cybercriminals. A recent
report shows that the NSA has 50,000 or more hosts where
they have installed malicious software on systems belonging to
telecommunications providers and others around the globe. This
software has been designed to remain dormant until the NSA
calls it into action through an established command-and-control
channel. Once the sleeper agent is called-to-action, it can collect
personal data and feed that information back to the NSA, be
updated with new functionality or execute other tasks based on
installed modules in the malware.
New forms of detection have come about to detect these new
forms of attacks.
APT – A New Type of Security System
Moving away from the traditional signature matching of antivirus
software that we all hopefully have installed, new protection
systems must be able to protect against the quantity and voracity
of unknown threats. This new type of security system, advanced
protection system (APT) or advanced malware protection system,
has been adopted faster than any other security technology.
Instead of focusing on the signatures of known malware, these
new systems focus on behavior analysis to determine if a file is
malicious. Each file is run in an advanced malware analysis system
that opens the file and uses either operating system calls or
CPU emulation to collect and then analyze the needed behaviors
to determine maliciousness. While traditional systems will monitor
basic behaviors such as windows registry changes, file activity
and more, CPU emulation can detect advanced forms of evasion
along with a broader set of behaviors.
Some basic behaviors that would typically indicate malicious
behaviors include file and settings changes. The basic behaviors
in this sample would normally be enough for this file to be suspicious
while the additional, advanced behaviors of disabling Windows
security center and updates, and system error reporting,
two examples of evasive behaviors, place this file firmly in the
malicious category. The attack finishes with trying to steal passwords.
Currently, when Lastline analyzes a sample containing
one of these three advanced behavior types, they are split between
13 percent disable, 31 percent evasion and 56 percent steal.
Enterprise Strategy Group (ESG) asked 198 security professionals
at companies of at least 1,000 employees if their organizations
had deployed network anti-malware technology; 52 percent
were doing pilots, with 13 percent looking to deploy within the
next 24 months. Not only are a high number of companies now
deploying these solutions, 74 percent have increased their budget
significantly or at least somewhat as a direct response to APTs
over the past two years. Fifty-five percent of enterprises claimed
that they have allocated budget dollars specifically for one of
these new anti-malware technologies.
In today’s malware environment, the challenge is less about
tackling the known malware with traditional security technologies
and more about how to effectively protect against unknown
advanced malware. The challenge and opportunity for security
professionals will be on using practical technologies, like advanced
malware analysis systems, that go beyond traditional sandboxing
and specialized staff that are well-trained and equipped to defend
against today’s bad guys.
This article originally appeared in the February 2014 issue of Security Today.