The Malware Factory

The days of malware being the pastime of bored teenagers are well behind us. Not only has the malware business become a lucrative revenue stream for some of society's seedier elements but it's entered the age of automation in a big way.

Chris Elisan is a member of RSA's FirstWatch team, focussing on emerging and sophisticated threats. With a speciality in reverse engineering malware, he has first-hand experience of how online criminals perpetrate their crimes. It's through those insights that he's come to understand how organised the malware business has become and how criminals have adopted mass-production techniques to create malware factories.

"When it comes to malware freshness, there are only a few malware that are really new," Elisan said. "But most of the malware out there is really old. I call it 'green malware' – made from 100% recycled malware."

Those who deploy malicious software care about what it does, not how novel it is. So, rather than reinventing the wheel, they take an existing sample and repackage it. Elisan's observation is that most of the attacks he sees come from recycled malware.

"All they need to do is subject it to different armouring tools like packers or encrypters – any tool that obfuscates the malware," he said.

Packing or encrypting changes the bytes of the file (and so its hash and any byte-pattern signature) without changing what the program does, which is what lets the same attack tool bypass traditional signature-based security and detection tools.

This leads to what Elisan calls the 'malware factory' – an automated approach to creating and delivering malware. In live demonstrations, Elisan has created and distributed new malware samples in seconds using tools that are readily available.

"You can create hundreds of thousands of unique pieces of malware every day using these tools," he said.

It's also why the 'new malware' counts in security reports released each year need to be read with some perspective. While many millions of new samples are detected each year, most are simply repackaged versions of existing software created in the 'malware factory', not new malicious code.
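To make concrete why the repackaging described above defeats hash- and signature-based blacklists, here is an added example in Python. It is not from the article and not Elisan's demonstration tooling. The 'crypter' is a toy of my own: a random XOR key plus a random-length junk prefix, applied to a harmless marker string that stands in for a malware body. The blob layout is an assumption made for illustration and does not correspond to any real packer.

```python
import hashlib
import secrets

# Constructed stand-in for the unchanged malware body. A real factory
# would wrap an existing sample here; this is just a marker string.
PAYLOAD = b"MARKER: this stands in for the real, unchanged malware body"

KEY_LEN = 16  # assumption: fixed-length random XOR key


def pack(payload: bytes) -> bytes:
    """Toy crypter (assumed layout, not any real packer):

        [1 byte junk_len][junk_len bytes junk][KEY_LEN bytes key][XOR body]

    Every call draws a fresh key and a fresh junk prefix, so every
    output blob is byte-for-byte different even though the wrapped
    payload is identical.
    """
    key = secrets.token_bytes(KEY_LEN)
    junk_len = secrets.randbelow(64)
    junk = secrets.token_bytes(junk_len)
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return bytes([junk_len]) + junk + key + body


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time: skip the junk, read the key,
    decrypt the body. This is the view a sandbox or memory dump sees."""
    junk_len = blob[0]
    key_start = 1 + junk_len
    key = blob[key_start:key_start + KEY_LEN]
    body = blob[key_start + KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_variants(n: int) -> list:
    """Run the 'factory': n repackaged copies of one payload."""
    return [pack(PAYLOAD) for _ in range(n)]


def static_hash_detect(blob: bytes, blacklist: set) -> bool:
    """Traditional approach: match the file hash against known-bad hashes."""
    return sha256(blob) in blacklist


def unpacked_detect(blob: bytes, known_payload_hashes: set) -> bool:
    """Look past the armouring: hash what the stub actually unpacks."""
    return sha256(unpack(blob)) in known_payload_hashes


def demo(n: int = 1000) -> tuple:
    """Returns (distinct file hashes, caught by file-hash blacklist,
    caught by unpacked-payload hash) for n factory-produced variants."""
    variants = build_variants(n)
    distinct = len({sha256(v) for v in variants})

    # The defender has analysed exactly one sample from the campaign.
    blacklist = {sha256(variants[0])}
    caught_static = sum(static_hash_detect(v, blacklist) for v in variants)

    # ...but recorded what that one sample unpacks to.
    known_payloads = {sha256(unpack(variants[0]))}
    caught_unpacked = sum(unpacked_detect(v, known_payloads) for v in variants)
    return distinct, caught_static, caught_unpacked


if __name__ == "__main__":
    distinct, static_hits, unpacked_hits = demo()
    print(f"variants with distinct hashes: {distinct}")
    print(f"caught by file-hash blacklist: {static_hits}")
    print(f"caught by unpacked-payload hash: {unpacked_hits}")
```

Running it, every one of the variants has a different file hash, the blacklist built from the one analysed sample catches only that sample, and hashing the unpacked payload catches all of them. The point is not that XOR is hard to see through (it is trivial) but that a per-file signature is defeated by any change to the bytes, whereas anything keyed on what the sample does once it runs survives the repackaging. That is the gap the data-driven approaches discussed later in the article aim at.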

This makes detection using traditional methods problematic, said Elisan. A sophisticated phishing campaign will send thousands of emails to individuals within an organisation, each carrying an individually repackaged malicious payload with its own hash. So, even if the IT department is able to detect and stop one email, hundreds, or thousands, of other messages will reach their intended recipients. From there, it only takes one user to open the attachment from what seems to be a clean email.

"Once the malware has compromised the system, it's very easy for the attackers to update the malware that's already in the system. They could update the malware in the system in minutes, even seconds," he adds.

Even if malware that has bypassed the initial protection is later spotted by infrastructure or network teams, because it generates irregular network traffic or other suspicious behaviour, the attackers can remotely swap in a modified version that avoids the new detection. According to Elisan, this is happening in the wild.

All of this paints a very grim picture. Malware can be engineered in seconds, it can be modified remotely once it's inside a compromised system to avoid detection, and the bad guys are well resourced and motivated. Is there some light at the end of what looks to be a long, dark tunnel?

"We need a more intelligent way of stopping this," said Elisan. "How do you stop an army of malware?"

The key, said Elisan, is big data.

"Malware, and how it behaves is just data. Making something out of that data to stop future generations from generating malware is the right way to approach it."

Elisan points to machine learning as a valuable tool. Instead of creating signatures, patterns or a blacklist for each sample, Elisan says it's really about building an intelligent system whose algorithms can recognise future generations of the same malware from how it behaves. Because the classification rests on behaviour rather than on the bytes of the file, the obfuscation methods used by attackers become less relevant.

Underlying many of the attacks that Elisan sees is a social engineering element – something that many companies fail to comprehend. For example, a company's own job postings are used to find out which systems it runs, so that attacks can be targeted at organisations on particular platforms. Information from professional networks such as LinkedIn and expert information exchange forums is used to target companies and individuals through social engineering attacks.


Anthony Caruana travelled to RSA Conference as a guest of RSA

Tags: malware, RSA Conference 2014, #rsa2014, RSA FirstWatch team, #RSAC, Chris Elisan