You can’t teach an old dog new tricks, as the old saying puts it; but this does not seem to apply to malware. Using threat intelligence from the ThreatCloud World Cyber Threat Map, Check Point’s research teams monitor malware attacks globally through the year, identifying the types of infectious agent that are most frequently used, and the scale of attacks against organisations in different countries.
Throughout 2015, the company observed over 3000 different malware ‘families’ in action and targeting organisations’ networks worldwide.
The number of different active families isn’t too surprising, as the volume of malware attacks has been doubling and redoubling over the past five years.
What is surprising is that 80% of those families identified during 2015 have been active for years – in some cases, up to eight years – yet are still infecting networks and causing damage.
Indeed, out of the entire ‘Top 100’ malware families identified (which accounted for almost 90% of all attacks during the year) only three families were completely new in 2015 – and all of these three new families sat outside the top 40.
The most prevalent of these ‘old dogs’ is Sality, a malware family first detected in 2010 that allows remote operations and downloads of additional malware to infected systems, providing a way for an attacker to get remote control of a network.
In second place was Conficker – first discovered in 2008 – which again allows remote control and malware downloads. Together, these two families were responsible for nearly 40% of all malware attacks detected in 2015.
Even the highest-ranked ‘new’ malware, CryptoWall 3.0 (the 44th most common malware), is part of the ransomware evolution which dates back to 2014.
So why are these older malware families still being used effectively to attack networks? And how are malware authors developing these established malware families, to teach these old dogs the new tricks that enable them to get around organisations’ defences?
Old malware infections are still a risk
The key reason why long-established malware is still actively being used is simple: it’s still highly effective at spreading and persisting stealthily within networks, and the code for established malware families is cheap and readily accessible to criminals.
There are two main reasons why old malware is still able to infect networks. First, many organisations’ networks globally may have only basic levels of protection against malware, and that protection may not be regularly updated.
This explains why the countries that experience the largest numbers of attacks globally are developing nations such as Burundi, Malawi and Nepal.
Second, it’s easy for hackers to use off-the-shelf obfuscation tools to make small changes to the existing malware code, which enables it to bypass conventional anti-virus defences.
As mentioned above, the core functions of these established malware families are still highly effective; so by using these tools, criminals can give old malware the new trick needed to fool the organisation’s security products, so that it can infect networks and perform its malicious work.
Revealing tricks in the sand trap
How can we counter these tricks? To strengthen conventional anti-malware defences, an additional method of detection known as threat emulation, or sandboxing, is used.
Early versions of this technology worked by intercepting suspicious files as they arrived at the organisation’s gateway and inspecting the files’ contents in a virtualised, quarantined area (the sandbox) for any unusual behaviour.
If the file’s behaviour was found to be malicious – such as attempting to make abnormal registry changes or network connections – it would be quarantined, preventing the infection from reaching the network.
While this approach considerably boosts malware detection rates, criminals recognised that the technology is deployed on a proportion of networks and responded with further evasion techniques: some malware is capable of detecting when it is being examined in a virtual sandbox, and shuts down its malicious actions to avoid being quarantined.
As such, a next-generation approach is being introduced: CPU-level sandboxing. This enables a deeper, more insightful look at a suspicious file’s activity.
It takes advantage of the fact that there are only a handful of exploitation methods that can be used to infect a host PC with malware. As it operates at the chip level, below the application or operating system layers, CPU-level sandboxing detects the use of malware exploitation methods by examining assembly-code activity on the CPU itself.
This strips away any disguises applied to malware, and makes it impossible for it to evade detection. It can then be blocked and quarantined before ever reaching the corporate network.
This makes CPU-level sandboxing a powerful method for detecting unknown attacks, especially existing malware that has been altered using obfuscation tools. It also enables detection of the far more sophisticated (and much rarer) zero-day exploits: the hand-built malware that exploits software vulnerabilities that vendors aren’t even aware of yet.
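The kind of check a CPU-level inspection can make, as an added illustrative example (not Check Point’s implementation): given a recorded trace of branch events and the call sites a disassembler reports for the loaded code, it flags `ret` instructions that land where no call precedes them, and runs of `ret`s reached within a few bytes of the previous landing point, both characteristic of return-oriented exploitation regardless of how the file was obfuscated on disk. The `Branch` type, the call-site list and every address in the two traces are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

@dataclass(frozen=True)
class Branch:
    kind: str  # "call", "ret" or "jmp"
    src: int   # address of the branching instruction
    dst: int   # address control was transferred to

def valid_return_targets(call_sites: Iterable[Tuple[int, int]]) -> Set[int]:
    """Addresses a legitimate `ret` may land on: the byte after each call
    instruction. call_sites are (address, instruction length) pairs such as
    a disassembler reports for the loaded code (constructed values here)."""
    return {addr + length for addr, length in call_sites}

def analyse(trace: Iterable[Branch], call_sites: Iterable[Tuple[int, int]],
            gadget_bytes: int = 12, chain_len: int = 3) -> Dict[str, object]:
    """Two checks on a recorded branch trace: (1) a `ret` landing where no
    call precedes it, and (2) a run of `ret`s each reached within
    `gadget_bytes` of the previous landing point, the shape of a gadget chain."""
    targets = valid_return_targets(call_sites)
    bad: List[int] = []
    run = longest = 0
    prev_landing = None
    for b in trace:
        if b.kind == "ret":
            if b.dst not in targets:
                bad.append(b.dst)
            short_hop = prev_landing is not None and 0 <= b.src - prev_landing <= gadget_bytes
            run = run + 1 if short_hop else 0
            longest = max(longest, run)
        else:
            run = 0  # a normal call or jmp breaks the gadget pattern
        prev_landing = b.dst
    return {"bad_return_targets": bad, "longest_gadget_chain": longest,
            "malicious": bool(bad) or longest >= chain_len}

# Constructed program image: three call instructions, each 5 bytes long.
CALL_SITES = [(0x401000, 5), (0x401020, 5), (0x401100, 5)]
# Constructed benign trace: each call returns to the instruction after it.
BENIGN_TRACE = [Branch("call", 0x401000, 0x402000), Branch("ret", 0x402030, 0x401005),
                Branch("call", 0x401020, 0x402100), Branch("ret", 0x402140, 0x401025)]
# Constructed exploit trace: a corrupted return lands on short gadgets in turn.
EXPLOIT_TRACE = [Branch("ret", 0x402030, 0x403A00), Branch("ret", 0x403A03, 0x403B10),
                 Branch("ret", 0x403B12, 0x403C20), Branch("ret", 0x403C24, 0x401105)]

if __name__ == "__main__":
    print(analyse(BENIGN_TRACE, CALL_SITES))
    print(analyse(EXPLOIT_TRACE, CALL_SITES))
```

A real engine must also know the call sites of every loaded module, otherwise a legitimate return into unanalysed code would show up as a false positive.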
Sharing threat information for immunity
There is another key advantage to this approach. When new malware is identified and blocked, its fingerprint and signature can be immediately shared in the cloud with other organisations, vaccinating networks worldwide against both brand-new threats and new adaptations of old malware.
In conclusion, criminals are constantly refreshing existing, proven malware agents with new tricks to try to compromise networks.
However, organisations can respond to this threat with new security techniques, which can see through the smoke and mirrors and stop malware from compromising their defences.
Hackers might have been able to trick us once, but they can be stopped from tricking us twice.
Sourced from Aatish Pattni, head of threat prevention, Northern Europe, Check Point