“Trojanization” of Legitimate Applications on the Rise

The recent McAfee Labs Threat Report: December 2016 illustrates how attackers are creating hard-to-detect malware by infecting legitimate code with Trojans, and leveraging that legitimacy to remain hidden as long as possible. The author, Craig Schmugar of McAfee Labs, also recommends policies and procedures to help you protect against these types of attacks. The following is an excerpt from Schmugar’s article on this important topic.

The concept of backdoor access has been coveted by malware authors, spies, and nation-states for decades. Tactics to achieve these goals range from persuading victims through social engineering to hand over the keys to their devices, to intercepting hardware in the supply chain and inserting backdoors that provide remote access. However, the most common method is the deployment of Trojan software.

Cybercriminals and their profits

Most malicious applications today serve a single purpose: to generate profit for criminals by subjecting their victims to attacks. The tactical objectives of these crimes are generally to reach the target, establish a presence, and persist for an extended period of time. To achieve their goals, attackers lure victims through social engineering or intercept their everyday device use, most often through the exploitation of vulnerabilities. In either case, the goal is for the malicious code to go unnoticed by the unfortunate individuals who come across it.

The longer attacks remain undetected, the greater the reward. To this end, attackers are becoming increasingly sophisticated in generating durable and completely undetectable creations. The more authentic a piece of code appears, the more likely it will be overlooked. This is the primary driver of a growing trend of “Trojanizing” legitimate applications, which are injected with malicious code that does not replicate. The misuse of reputable applications provides attackers with several benefits. Payloads are hidden behind a recognizable brand, contributing to the impression of legitimacy and helping to ensure that certain users take the bait. This brand recognition continues after a system has been compromised, through recognizable directories, files, processes, and registry key names and attributes. These elements can provide cover during security scans and forensics, with recognizable properties that blend in with hundreds or even thousands of known programs.

Another benefit is built-in persistence, or a method of restarting previously terminated code. Malware persistence falls into one of two categories: self-persistence, which involves installing startup hooks to support restarts; and companion persistence, which leverages existing startup hooks to automatically load before, during, or after other desired applications. Every system change made by malicious code is an indicator of compromise. So the fewer the changes, the smaller the detection surface. Trojanizing legitimate applications provides free persistence; the software’s natural method of startup is all that’s needed to load malicious code. In fact, if the program is run manually periodically, then persistence is self-perpetuating by the victims themselves.
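Because a Trojanized application keeps the directory, file and process names of the original, name-based recognition offers a defender nothing; only a content check against a known-good baseline exposes the change. The following added example (not code from the report or from McAfee) builds a SHA-256 manifest of a clean install and then re-verifies the tree, flagging a modified binary (the injected code) and an unexpected extra library (companion persistence). The `ExampleApp` directory and its files are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the digest of every file under a known-good install."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_install(root: Path, manifest: dict) -> dict:
    """Compare the current tree with the baseline manifest.

    A Trojanized binary keeps its name, so only the digest reveals it;
    a file that was never in the baseline points at companion persistence.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean install, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ExampleApp"   # hypothetical application directory
        root.mkdir()
        (root / "app.exe").write_bytes(b"legitimate program bytes")
        (root / "helper.dll").write_bytes(b"legitimate helper bytes")
        manifest = build_manifest(root)
        # Simulate Trojanization: same file name, altered content.
        (root / "app.exe").write_bytes(b"legitimate program bytes" + b"injected code")
        # Simulate companion persistence: an extra library dropped beside the app.
        (root / "update.dll").write_bytes(b"unexpected extra library")
        return verify_install(root, manifest)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is taken from trusted installation media or vendor-published hashes, stored off the host, and compared on a schedule or during triage.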

For more information, visit www.mcafee.com for the full report.
