There was an interesting posting on the codeinsecurity blog a little over a month ago, which we didn’t see until recently, called “The anti-virus age is over.” The author, Graham Sutherland, argues that anti-virus (AV) programs cannot keep up with all the new types of malware in circulation and should just be considered “…a filter for the most basic attacks.” We know a lot of libraries still depend primarily on AV software for protection, so it seemed like it might be worthwhile to look this week at some of those new types of malware mentioned by Mr. Sutherland. (We’ve put the names of the malware types in bold.)
- What is a polymorphic virus? (wiseGEEK) “Human viruses are infamous for being able to mutate rapidly to avoid detection and prevent the buildup of immunities, and when a computer virus has a similar trait, the results can be unpleasant for computer users. It can be difficult to mount an adequate defense against a polymorphic virus, even with excellent antivirus software which has been designed to attempt to detect such viruses.”
- Advanced Persistent Threats: The new reality (Dark Reading/Michael Cobb) “What is an APT? Though the term originally referred to nation-states engaging in cyber espionage, APT techniques are also being used by cybercriminals to steal data from businesses for financial gain. What distinguishes an APT from other threats is that it is targeted, persistent, evasive and advanced. Unlike the majority of malware, which randomly infects any computer vulnerable to a given exploit, APTs target specific organizations with the purpose of stealing specific data or causing specific damage. The Conficker worm, for example, used many advanced techniques but did not target a particular organization. It infected millions of computers in more than 200 countries. In contrast, Stuxnet was designed to target a certain type, a certain brand and a certain model of control system.”
- Advanced Persistent Threats get more advanced, persistent and threatening (The Register/John Leyden) “Attackers are getting even smarter by coming up with sneakier way to evade detection. For example, FireEye has uncovered examples of malware that execute only when users move a mouse, a tactic which could dupe current sandbox detection systems since the malware doesn’t generate any activity. In addition, malware writers have also incorporated virtual machine detection as a means to frustrate security analysis of their wares and DLL files to improve persistence. By avoiding the more common .exe file type, attackers using DLL files stand a better chancing of avoiding detection for longer.”
- New course teaches techniques for detecting the most sophisticated malware in RAM only (Network World/Linda Musthaler) “The part of The Invisible Man is now being played by highly sophisticated malware that is memory-resident only. Because it only exists in RAM, the malware never gets written to disk, which is where you would normally look for most kinds of malware. It’s a real challenge to find the malware in RAM until you follow the subtle clues that indicate something is there that shouldn’t be there.”
One article above mentions a “sandbox.” Anti-virus software can sometimes combat difficult malware by using a virtual environment (sandbox) on a computer to run and test code from untrusted sources before it is installed for actual use.