Malware Evolution

This thoroughly researched paper by Dave Dittrich at the University of Washington reflects on how malware and cyber criminals have evolved their techniques and activities over recent years. Hybrid combinations of penetration methods make the malware harder to defend against, and skilful use of social engineering increases the success rate.

Nugache in fact was propagated using at least five tactics, including one direct attack exploiting a vulnerable service, two direct methods involving social engineering using instant messaging and email, and two entirely indirect methods involving social engineering using blog posts and a trojaned shareware application.

Increasing levels of sophistication in command and control devices used after the initial penetration maximize both the usefulness of the compromised system and its effective lifetime of compromise.

The effect of resilient and concealed command and control is to lengthen the time that systems remain infected.

“Malware to crimeware: How far have they gone, and how do we catch up?” – [washington.edu]

The late 1990s saw the advent of distributed and coordinated computer network attack tools, which were primarily used for the electronic equivalent of fist fighting in the streets. It only took a few years for criminal activity—extortion, click fraud, denial of service for competitive advantage—to appear, followed by mass theft of personal and financial data through quieter, yet still widespread and automated, keystroke logging. Despite what law-abiding citizens would desire, crime does pay, and pay well. Today, the financial gain from criminal enterprise allows investment of large sums of money in developing tools and operational capabilities that are increasingly sophisticated and highly targeted. These advances are outpacing the technologies and skill sets on the defensive side of the equation. The results are increasing losses, frustration, and calls for more aggressive actions to counter this threat to society.

Dittrich wraps the paper up with some conclusions on defending against these increasingly complex attacks, but notes:

Some of these ideas are not exactly novel and have already been implemented in some form in certain networks. Others go beyond what is done today by existing AV and anti-malware companies. The issue here is that the bad guys are paid well to learn and adapt successful attack techniques, creatively combining technical with social aspects, while the defensive side is not yet as well funded, as fast to learn, or as agile in similarly adopting blends of technical and social defenses. We can, and we must, change this.
