IT Compliance Institute, January 30, 2007:
Trends and Technologies
Rise of the Mutant Malware
The latest generation of malware is mercurial—able to adapt to defeat the latest detection and eradication measures. Who’s building the better mutant, and how is IT security taking this more “liquid” malware into account? Learn what’s being done to stop this evolved malware, and how companies are protecting themselves.
By Mathew Schwartz
Where have all the viruses and worms gone? Last year was quiet—no mass infections akin to previous years’ Love Bug, Mydoom, Netsky, or Sobig outbreaks. In fact, 2006 was the first year without a major virus or worm outbreak. Security experts expect that trend to continue.
But nature abhors a vacuum. Now, the driving force behind the most damaging online attacks—often aimed at stealing people’s personal financial information, and intellectual property from corporations—is malware. This software with bad intentions utilizes a combination of rootkits, Trojan applications, and operating system backdoors to exploit computers and steal information. Malware arrives via e-mail, through browsers, or across the Internet, often by exploiting known vulnerabilities in operating systems and applications.
In the arms race between malware creators and the security companies who sell software to stop such attacks, the malware writers often have the edge. Indeed, the latest generation of malware is mercurial, and able to adapt to defeat the latest detection and eradication measures. Security researchers are tackling the malware problem in a variety of ways, and are frequently stopping variants in less than a day. But is it enough to protect corporate networks and keep regulated companies in compliance?
Criminals Push Malware
How exactly does malware work? Here’s one scenario: Users receive a Trojan application in their e-mail and then run it, or browse to an Internet site that exploits a known ActiveX vulnerability to silently push the Trojan code down to a user’s PC and execute it. The program runs silently, often giving the user no indication that something has happened. In the background, however, the application may open a backdoor to an Internet Relay Chat (IRC) channel; download additional code modules; await instructions about how and when to launch phishing attacks or spam from the compromised (“zombie”) PC; and place multiple, redundant copies of itself with different names across the PC, making it more difficult to eradicate once it is detected. (Researchers refer to networks of zombie PCs as bot networks, or “botnets.”)
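One of the persistence tricks in that scenario, scattering identical copies of the implant under different names, is something a defender can hunt for directly: hash every executable-looking file and look for a single hash that appears under several names. The script below is an added example, not code from the article or from any vendor mentioned in it; the directory tree it scans is constructed in a temporary folder with placeholder bytes, and the file names and extension filter are assumptions.

```python
"""Find identical executables stored under different names, an added example
(not from the article) of hunting for the 'multiple redundant copies with
different names' behaviour described above.

Everything here is constructed: the file tree is created in a temporary
directory and the contents are placeholder bytes, not a real program.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_renamed_duplicates(root, extensions=(".exe", ".dll", ".scr")):
    """Group executable-like files by content hash and report every hash that
    appears under more than one distinct file name.

    Returns a dict mapping hex digest -> sorted list of full paths. Two copies
    of the same file under the same name (a backup, say) are not reported;
    the signal we want is the same bytes hiding behind different names."""
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            by_hash[sha256_of_file(path)].append(path)
    suspicious = {}
    for digest, paths in by_hash.items():
        names = {os.path.basename(p).lower() for p in paths}
        if len(names) > 1:
            suspicious[digest] = sorted(paths)
    return suspicious


def build_constructed_tree():
    """Create a throwaway tree that mimics the pattern: the same bytes dropped
    as svchosts.exe, winlogin.exe and update.scr in different folders, plus an
    unrelated executable and a text file. All names and contents are made up.
    Returns the root path."""
    root = tempfile.mkdtemp(prefix="dupe-hunt-")
    payload = b"MZ" + b"constructed placeholder, not a real program" * 50
    other = b"MZ" + b"a different benign placeholder" * 50
    layout = {
        "Windows/System32/svchosts.exe": payload,
        "Users/alice/AppData/Roaming/winlogin.exe": payload,
        "Windows/Temp/update.scr": payload,
        "Program Files/Tool/tool.exe": other,
        "Program Files/Tool/readme.txt": b"text, ignored by the extension filter",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    tree = build_constructed_tree()
    for digest, paths in find_renamed_duplicates(tree).items():
        print(f"{digest[:16]}... appears under {len(paths)} different names:")
        for p in paths:
            print("   ", p)
```

On a real host the same walk would be pointed at the system and user-profile directories, and any hit is a starting point for investigation rather than proof of infection: legitimate software occasionally ships the same helper binary under two names, so the hash groups are best checked against a known-good list before anything is quarantined.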
Law enforcement officials say organized crime rings—perhaps just 5 to 10—are behind the majority of today’s malware attacks and botnets. “The criminal activity is focused on a few things: stealing people’s identities and their log-ins, and spambots—malware that combines really invasive behavior with turning PCs into spam cannons,” says Dave Cole, director of Symantec Security Response.
Malware is relatively common. “Every day, there will be between one and three releases of new botnet malware,” notes Alex Shipp, an antivirus specialist and “imagineer” for MessageLabs. Roughly two percent of all e-mail today carries malware, while 80 percent is spam. One often begets the other.
Malware Gets Resilient
Malware used to live and die akin to the plot of a B-movie science fiction film: kill the leader, and the invasion withers. These days, however, most malware lives on even when the command-and-control computer running the botnet—what some dub the “mothership”—goes offline. For example, take SpamThru, a piece of image-based spam that receives instructions via a preset IRC channel. Yet SpamThru also stays in touch with other computers in the botnet, and in a pinch can receive instructions from them, including directions to a new IRC channel.
In addition, the latest malware is becoming harder to detect, more damaging, and more difficult to eradicate. For example, take Rustock (aka Spambot). This malware uses advanced rootkit techniques to stay relatively hidden even while generating massive quantities of spam. “It’s basically been designed by someone who has a deep understanding of how antivirus and anti-spyware companies do their work, and as a result, it circumvents most techniques for detecting rootkits,” notes Cole.
As that suggests, attackers are getting savvier at delaying security researchers’ discovery efforts. For example, many researchers utilize virtual machines to analyze suspect code. So attackers increasingly design their malware to “play nice” when run in a virtual environment or scanned by a debugger. In a twist, some malware has even exploited known flaws in virtual machines to actually infect researchers’ PCs. In response, antivirus companies are creating their own virtual machine sandboxes for analyzing suspect code, and zealously guard the source code so malware writers can’t study it.
Increasingly, attackers also distribute malware using a “polymorphic dropper” which compresses (“packs”) malicious code, using a slightly different algorithm for each distribution. “Packing is something like WinZip Evil Edition,” says Cole. Each packed copy is unique, and doesn’t match existing signatures for known bad code. Researchers can eventually unpack and discover that it is malware, but that takes time and computing resources.
In the interim between when researchers discover new malware and update scanners, some anti-malware software also keeps watch on a PC’s behavior. Is an unknown application attempting to alter the registry, load its own kernel-mode driver, or place something in a user’s Startup folder? If so, the anti-malware software may block the suspect activities on the assumption that the application is a rootkit.
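The behavioral approach just described can be sketched as a scoring rule set over process telemetry: each suspicious action (a persistence entry in the registry, a kernel driver load, a drop into the Startup folder, or the IRC backdoor connection from the earlier scenario) adds weight, and a process is blocked only when its combined score crosses a threshold, so an installer that writes a single Run key is not treated like a rootkit. This is an added example, not the article's or any product's detection logic; the event format, field names, rule weights and threshold are all assumptions, and the sample telemetry is constructed.

```python
"""Behaviour-based flagging of an unknown process, an added example (not the
article's code) of the heuristics described above: registry changes that
establish persistence, loading a kernel-mode driver, dropping a file into a
user's Startup folder, and opening an IRC-style backdoor connection.

The telemetry format "pid|process|action|target", the rule weights and the
threshold are assumptions for this example, not any product's real design.
"""
from collections import defaultdict

# Constructed sample telemetry. upd8.exe behaves like the Trojan in the text;
# setup.exe is a benign installer that legitimately writes one Run key.
SAMPLE_EVENTS = """\
1001|explorer.exe|file_write|C:\\Users\\alice\\Documents\\report.docx
2044|upd8.exe|reg_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd8
2044|upd8.exe|driver_load|C:\\Windows\\Temp\\sysdrv.sys
2044|upd8.exe|file_write|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd8.lnk
2044|upd8.exe|net_connect|198.51.100.23:6667
3120|setup.exe|reg_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ToolTray
3120|setup.exe|file_write|C:\\Program Files\\Tool\\tool.exe
"""

# Assumed weights: each matching rule adds to the per-process score.
RULES = [
    ("persistence_run_key", 3,
     lambda action, target: action == "reg_set"
     and "\\currentversion\\run\\" in target.lower()),
    ("kernel_driver_load", 4,
     lambda action, target: action == "driver_load"),
    ("startup_folder_drop", 3,
     lambda action, target: action == "file_write"
     and "\\startup\\" in target.lower()),
    ("irc_port_connect", 2,
     lambda action, target: action == "net_connect"
     and target.rsplit(":", 1)[-1] in {"6667", "6697"}),
]
BLOCK_THRESHOLD = 5  # assumed: one persistence write alone stays below this


def parse_events(text):
    """Turn the pipe-separated telemetry into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, proc, action, target = line.split("|", 3)
        events.append({"pid": int(pid), "process": proc,
                       "action": action, "target": target})
    return events


def score_processes(events):
    """Apply every rule to every event.

    Returns {(pid, process): (score, [names of rules that fired])}; processes
    that trigger no rule at all do not appear."""
    scores = defaultdict(lambda: [0, []])
    for ev in events:
        key = (ev["pid"], ev["process"])
        for name, weight, matches in RULES:
            if matches(ev["action"], ev["target"]):
                scores[key][0] += weight
                scores[key][1].append(name)
    return {k: (v[0], v[1]) for k, v in scores.items()}


def processes_to_block(events, threshold=BLOCK_THRESHOLD):
    """Sorted list of (pid, process) whose combined behaviour crosses the
    threshold. The installer's lone Run-key write scores 3 and is left alone;
    the Trojan's four actions together score 12 and are blocked."""
    return sorted(key for key, (score, _) in score_processes(events).items()
                  if score >= threshold)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for key, (score, fired) in sorted(score_processes(events).items()):
        verdict = "BLOCK" if score >= BLOCK_THRESHOLD else "allow"
        print(f"{key[1]} (pid {key[0]}): score {score} {fired} -> {verdict}")
```

The weights are the tunable part: the trade-off the article hints at is that a threshold low enough to catch a one-off Trojan on its first registry write will also block legitimate installers, which is why real products combine several independent signals before acting.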
Beware the Targeted Attack
Most botnets aim for consumers’ information—bank account and credit card numbers, passwords, and so on. By contrast, “the main worry to corporate networks is industrial espionage,” notes Shipp. For example, attackers may handcraft a brand-new Trojan application to attack a specific corporation, and distribute just a few copies over e-mail. Malware scanners typically cannot catch this one-off code, because it doesn’t match any known bad signatures.
Beware these targeted attacks, and be especially concerned if your company apparently hasn’t been attacked. “If you haven’t detected one of these attacks over the last year, then chances are you did have one,” says Shipp. “We cover 12,000 companies, and of those, a large amount—especially the bigger and more interesting ones—are attacked every single year.” He says MessageLabs saw an average of just one targeted attack per week crossing the Internet in 2005. By the end of 2006, however, it was detecting two per day.
Malware in Regulated Environments
Malware, and especially targeted attacks using malware, are of special concern in regulated environments. For example, take the Sarbanes-Oxley requirement to maintain controls around a public company’s financial reporting process. “If I’m a financial team infected with spyware, how could I be close to anything called compliance, in terms of Sarbanes-Oxley?” asks Gerhard Eschelbeck, chief technology officer of Webroot. Indeed, a Trojan application could be siphoning away a copy of every e-mail or Office document saved to a chief financial officer’s PC.
In accordance with the data protection laws of numerous states, malware attacks on companies storing consumers’ personal information could trigger the need for data breach notifications. “When you’ve got a targeted attack where someone penetrates a network, gets onto a machine, and begins looking for customer information, or when you have a targeted attack,” says Cole, “that would absolutely trigger the need for disclosure.”
Vista: No Silver Bullet
Will Microsoft’s latest-generation operating system, Vista, help defend against malware attacks? One highly touted new feature in Vista, User Account Control (UAC), requires a user to explicitly approve certain activities, sometimes by entering an administrative password, and this could help defeat malware. Still, this feature is more likely to be used by consumers (assuming they don’t deactivate it) than in the enterprise. Indeed, many IT administrators will likely lock down Vista to prohibit users from doing anything that requires administrator-level access, such as installing software, and this should help stall some malware.
Overall, however, security experts say it’s likely attackers will simply find new vulnerabilities to exploit in Vista. Meanwhile, earlier Windows operating systems will remain widespread for years, and will no doubt continue to be widely used platforms for launching malware attacks.
Battling Enterprise Malware
Want to conquer malware? Take a three-pronged approach, recommends Webroot’s Eschelbeck: manage vulnerabilities, utilize tools to protect PCs and servers against malware, and educate users, particularly about not opening strange-looking attachments, and about how to avoid phishing attacks.
“Today we mostly spend time on the malware piece, but it goes hand in hand with the vulnerability management piece as well,” he notes. “A lot of malware is used and triggered today by vulnerabilities not being patched in a timely fashion—be it in Internet Explorer, or any other software.” Hence, by patching vulnerabilities as quickly as possible, companies can help stop the majority of even the most rapidly mutating malware. At the very least, it will be a minor battle won in this long, digital war between malware and security.
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.