Advanced Malware Attacks

LabZero

Thread author
Hello everyone,

Lately we hear more and more about advanced malware attacks, and in this thread I have gathered the main characteristics of these attacks.

Traditional security measures, for instance signature-based ones such as firewalls and antivirus, are no longer enough. They work against less sophisticated attacks but cannot do much against the new cyber criminals, who often (70-90% of cases) use unknown, obfuscated malware, masked to be unrecognizable!

Here is a brief description of these very dangerous techniques, some recent, others less so.


Polymorphism: the ability of a malware to change continuously, making signature-based detection systems ineffective.

Binary Retraining: same goal as the tactic above, reached by modifying the binary structure of the object while keeping the malicious functionality unchanged.

Recoding with Masking: the malicious executable object is hidden within commonly used file types, to push the unsuspecting user to run the malicious code. These are file types such as PDF or Microsoft Office files.

Malware Encapsulation: the malicious code is hidden by extending legitimate files commonly used by users. For example, a new version of a popular text editor or a game may hide dangers.

Multi-Flow Attacks: the attack is fragmented across multiple information flows, so as to confound even modern sandboxing tools, which analyze objects individually. These items will be labeled as harmless, because each is only a part of the attack.

Multi-Vector Attacks: the attack is launched with a logic that integrates components injected through multiple vectors (web, mail, file) of the intrusion surface, in order to hide the activity from solutions that monitor only one vector (e.g. an e-mail gateway).

Escape from Sandbox: the malware code checks the environment in which it runs, searching for signs typical of monitored virtual environments (sandboxes), and remains harmless or non-operational to deceive these systems.


This is not an exhaustive list, but I hope to raise the level of concern over the choice of defense systems.

Regards. :)
 

jamescv7

As always, a classic concept like polymorphism is totally deadly even in the scope of modern techniques. Hooking or alerting on every process which needs user intervention can only be a fate solution.
 
sinu

Which AV can protect from these types of malware?
 
hjlbx

> Which AV can protect from these types of malware?

Unfortunately, sinu, one cannot rely upon any single AV - or even a multilayered security configuration using various softs - to completely protect the system against every type of malware attack.

Best base-line protection requires a number of things - most of it user dependent:

1. Safe computing habits
2. User awareness of system (so user can identify unusual system activity and knows what to expect from their AV and how to operate it)
3. System\software maintenance (updates)
4. Good security configuration

Highest-level protection requires more than just installing a good AV... it requires on-going, proactive efforts on the user's part.

However, even if you are vigilant and do all the above with discipline, you might still get infected... :confused:
 
hjlbx

> I agree with @hjlbx and I would add that a HIPS that is not signature based can give some extra chance.

With really sneaky malware, HIPS and firewall are probably the user's best chance at identifying an infection - but it may require the user to have a very high level of experience. For example, extremely well crafted FUD malware with fake digital signatures that appears completely legitimate... and somehow gets rated as "Trusted" by an AV file rating database (Comodo, ESET, Kaspersky, etc)...

It stays "under the radar", so to speak, and doesn't draw any unnecessary attention to itself (besides, the typical user is oblivious anyway).

What user is going to stop and take the time to do even a very basic inspection and analysis of system\file activity? (Besides, doing this most of time is not practical.)

Malware writers know this truth regarding typical user attitude and behavior - even when it is plainly obvious to user that something just isn't right - their intuition is telling them "Don't do it - don't click on that button." In fact, they can count on it. User clicks away despite what their gut is telling them...
 
LabZero

Thread author
A behavior blocker, which acts in a way completely different from an antivirus, may be a solution.

In fact, unlike an antivirus, which works by blocking a file that is reported as a virus after looking for matches between the data on the computer and a database file, a behavior blocker instead acts by controlling the behavior of applications, processes, and installation procedures, shielding the system from the actions (behavior) generally performed by viruses and malware:

- writing to executable files
- writing to system areas
- editing registry keys
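A toy behavior-blocker rule set, added here as an illustration and not code from the thread or from any product it mentions: it applies the three behaviors LabZero lists (writes to executable files, writes to system areas, edits to autorun registry keys) to constructed process-activity events and flags a process that trips more than one rule. The directory, extension and registry-key lists, the event format and the sample events are all hypothetical.

```python
from collections import namedtuple
import ntpath  # Windows-style path handling, so this runs on any OS

SYSTEM_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")  # hypothetical short lists
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}
AUTORUN_KEYS = (r"hklm\software\microsoft\windows\currentversion\run",
                r"hkcu\software\microsoft\windows\currentversion\run")

Event = namedtuple("Event", "pid process op target")  # op: "file_write" | "reg_set"

def _norm(path):
    return path.lower().replace("/", "\\")

def rule_exec_write(ev):
    """Behavior 1: writing an executable file, wherever it lands."""
    return ev.op == "file_write" and ntpath.splitext(_norm(ev.target))[1] in EXEC_EXTS

def rule_system_area(ev):
    """Behavior 2: writing inside a system directory."""
    t = _norm(ev.target)
    return ev.op == "file_write" and any(t.startswith(d + "\\") for d in SYSTEM_DIRS)

def rule_autorun_key(ev):
    """Behavior 3: editing a registry key that makes code start with Windows."""
    t = _norm(ev.target)
    return ev.op == "reg_set" and any(t.startswith(k + "\\") for k in AUTORUN_KEYS)

RULES = (("exec_write", rule_exec_write), ("system_area", rule_system_area),
         ("autorun_key", rule_autorun_key))

def evaluate(events):
    """One alert per (event, rule) hit: (pid, process, rule name, target)."""
    return [(ev.pid, ev.process, name, ev.target)
            for ev in events for name, rule in RULES if rule(ev)]

def suspicious_processes(events, threshold=2):
    """Processes tripping at least `threshold` distinct rules -> {pid: rule names}."""
    hits = {}
    for pid, _, name, _ in evaluate(events):
        hits.setdefault(pid, set()).add(name)
    return {pid: names for pid, names in hits.items() if len(names) >= threshold}

# Constructed sample activity: a benign editor, a dropper, and a harmless installer.
SAMPLE_EVENTS = [
    Event(4120, "notepad.exe", "file_write", r"C:\Users\bob\notes.txt"),
    Event(5310, "update.exe", "file_write", r"C:\Windows\System32\drivers\etc\hosts"),
    Event(5310, "update.exe", "file_write", r"C:\Users\bob\AppData\Roaming\svc.exe"),
    Event(5310, "update.exe", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    Event(6002, "installer.exe", "reg_set", r"HKCU\Software\Vendor\App\Theme"),
]
```

Only the dropper (pid 5310) trips all three rules; the editor and the installer each produce no alert, which is the point of judging a process by its combination of behaviors rather than by a file signature.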
 
hjlbx

> A behavior blocker, which acts in a way completely different from an antivirus, may be a solution.
>
> In fact, unlike an antivirus, which works by blocking a file that is reported as a virus after looking for matches between the data on the computer and a database file, a behavior blocker instead acts by controlling the behavior of applications, processes, and installation procedures, shielding the system from the actions (behavior) generally performed by viruses and malware:
>
> - writing to executable files
> - writing to system areas
> - editing registry keys

Blue Ridge Networks' AppGuard will do all of the above... reliably. AG is not a Behavior Blocker - as you know it is an anti-executable (AE) - designed to do precisely what you have listed. Plus it has some active memory protections.

I'm not so sure about Emsisoft's Behavior Blocker - especially where scripts are concerned. Nor am I absolutely sure about Comodo's BB - but from what I see, CIS is definitely better in terms of malicious scripts and protecting system resources...

Verifying the quality of such protections requires testing...
 

NekoJonez

The first time I saw the message "This can't be run in a VM" and my pc decided to restart due to automatic updates... Man, I jumped. I was so glad that it wasn't a trojan that was trying to escape my VM.
 

Behold Eck

Scary stuff indeed.

Best defence maybe a wee bit of everything i.e. the layered approach, Sandbox + HIPS + AV etc.

Regards Eck:)
 

Behold Eck

> and I believe back up + virtualization are essential for all systems
>
> ..only the paranoid survive...

Yup, you got it buddy. When you leave something out of the mix, then that's the thing that probably could have saved you when it all goes pear shaped.

> This is the best ever: Never turn on your PC. Cheers

I agree amigo, but if you really, really have to turn on your PC, get someone else to do it... just in case.

Regards Eck :)
 

WinXPert

For behavior blocking, here is one app I use with XP (works with W7 too):

Threatfire
 

MartinAB

Against such advanced attacks, only APT detection systems can protect.

I had access to a FireEye as well as to a Checkpoint Threat Emulation appliance.

Both could detect yet-unknown malware and 0-day exploits by emulating the file in a sandbox and analyzing the behavior. For sure there is some amount of malware out there which might detect sandboxes, but then you get hit by only a minority of malware.

For home use I use a Zonealarm Extreme installation because this version now also includes this threat emulation cloud component. For testing or a lab it's fantastic.
 

MartinAB

> Which AV can protect from these types of malware?

Hi, a good chance you might have with ZoneAlarm Extreme Security. As I posted before, I have access to a ZA Threat Emulation (TE) system, and the ZA Antivirus includes that feature as well. Downside: at the moment it only detects threats in Office documents, PDFs and ZIP files. My personal thought: the signatures of threats CheckPoint TE systems detect will also be provided to the ZA signature base, so the database might also include 0-day threats others don't know yet.

Just a couple of days before, I posted a Word file here containing an exploit which was, based on VirusTotal, not yet known by the majority of AV vendors. TE detected it already on day one, when it hit our systems, by its signature-based detection and of course by emulating the threat.

Btw, I am not working for CheckPoint, just like the product and its capabilities ;-)
 

jamescv7

Can we depend on zone alarm free antivirus firewall?

If I'm not mistaken, the free version is way too limited, especially in the antivirus component, as signatures are delivered once per day, which is not enough to cope with the latest threats, nor is an integrated cloud included.
 
