Malware: Evasive tactics challenging traditional security

Today, criminals are "all in," creating dangerous new malware weapons to target companies, governments, and private citizens. Hyper-evasive malware and threat distribution via HTTPS are growing rapidly; mobile devices, both Android and Apple, are increasingly targeted; and Internet of Things devices, from refrigerators to televisions, are opening new attack vectors.

Malware types

Adware

A type of malicious software that installs or renders advertising on a computing system to generate revenue.

Dropper

Malicious software that installs another type of malware such as a virus or backdoor. Droppers are often designed to avoid detection.

Ransomware

A form of malware, ransomware limits or blocks users from accessing individual files or entire systems until a ransom is paid.

Spyware

Malicious software that spies on the computer user, capturing keystrokes, emails, documents, or even turning on the video camera. Sometimes embedded in adware.

Malware distribution vectors

Email

Malware arrives as an email attachment; the embedded malicious code is written to the system and executed when the recipient opens the file.

Local Access Via USB or Bluetooth

Malware is embedded on a device such as a USB drive and installed when the drive is inserted into a port, or delivered wirelessly over Bluetooth when a user's device is within range.

Web

Malware is delivered via drive-by downloads (unseen by the user) when visiting a website or by convincing the user to download and run a file when the user is on a website.

Cross-vector

Malware arrives via email with links that when opened connect to a malicious website which then executes malware.

"I'm the creeper. Catch me if you can!"

THE FIRST MALWARE – These playful words were the payload of the first malware, known as "Creeper." Created in 1971, this self-replicating program was designed to do nothing more than move itself between mainframe computers connected to the ARPANET and display the above message on the teletypes of infected machines.

Forty-six years later, any such malware message would not be so innocuous.


A brief history of malware

1971 to 1975–Programmers play "gotcha"

The first years of malware were marked primarily by experimentation and exploration on the part of programmers. Creeper (1971), Rabbit (1974), and Animal (1975) were all essentially non-malicious programs, written mostly as research tools or perhaps to amuse the programmer.

1981 to 1989–The PC launches a new industry: Hacking

The early years of the personal computer brought increased business productivity, but they also launched the hacker era: the first virus epidemic appeared in 1986, the first self-encrypting virus in 1987, the first Internet worm in 1988, and the first ransomware in 1989.

1990s & 2000s–Morphing malware

Cybercriminals in the 1990s introduced increasingly sophisticated threats, which required increasingly sophisticated terminology: experts classified them as polymorphic, metamorphic, and oligomorphic malware. Generally speaking, this generation of malware was designed to evade early antivirus software, which relied on fixed byte signatures, by mutating its code and changing its appearance from one infection to the next.


Malware: yesterday, today, and beyond

Traditional malware techniques

Polymorphic Malware–The body is stored encrypted and unpacked at run time by a decryptor that is regenerated for every copy, with variable elements (keys, junk instructions, reordered routines) that change the size and/or shape of the code, so no fixed byte sequence survives across generations.

Metamorphic Malware–Rewrites its own code on each propagation, producing a logically equivalent (but not byte-identical) version of itself rather than merely re-encrypting a constant body.

Oligomorphic Malware–Used by a virus to generate a decryptor for itself by randomly selecting pieces of the decryptor from a small number of predefined options; because the set of possible decryptors is finite, it can still be covered by a handful of signatures.
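To make the difference between these classes concrete, here is an added example (not code from the original page) that models an oligomorphic and a polymorphic encryption scheme side by side. The "malware body" is a harmless constructed byte string, repeating-key XOR stands in for the carried decryptor, and the signature is a byte pattern taken from the body, so the script is an illustration of the detection problem, not a sample. It shows why a byte signature on the stored file catches nothing, why the oligomorphic variant is still coverable by a few decryptor signatures, and why emulating the decryptor before matching works against both.

```python
"""Polymorphic vs oligomorphic encryption and byte signatures.

Added example, not code from the original page. BODY is a harmless
constructed byte string standing in for a static malware body, and the
XOR routine stands in for the decryptor the virus carries with it.
"""
import random

BODY = b"BENIGN-STAND-IN-FOR-A-STATIC-MALWARE-BODY"
SIGNATURE = b"STATIC-MALWARE"              # pattern an AV signature would use
OLIGO_KEYS = [b"\x13", b"\x37", b"\x42"]   # the small fixed decryptor "menu"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: used both to encrypt the body and to decrypt it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(body: bytes, rng: random.Random, oligomorphic: bool) -> dict:
    """Produce one generation of the sample.

    oligomorphic: the decryptor is picked from OLIGO_KEYS, so only a
                  handful of decryptor forms ever exist.
    polymorphic:  a fresh random key plus random junk padding, so the
                  decryptor's size and shape change every generation.
    """
    if oligomorphic:
        key, junk = rng.choice(OLIGO_KEYS), b""
    else:
        key = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 17)))
        junk = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 32)))
    return {"junk": junk, "key": key, "payload": xor_bytes(body, key)}


def decryptor_stub(variant: dict) -> bytes:
    """The unencrypted part that must ship with the sample: junk || key_len || key."""
    return variant["junk"] + bytes([len(variant["key"])]) + variant["key"]


def serialize(variant: dict) -> bytes:
    """Byte layout as it would land on disk: decryptor stub || ciphertext."""
    return decryptor_stub(variant) + variant["payload"]


def static_scan(blob: bytes, signature: bytes) -> bool:
    """Naive byte-pattern match on the file as stored."""
    return signature in blob


def emulate_and_scan(variant: dict, signature: bytes) -> bool:
    """Run the decryptor (here: apply it ourselves), then match on the
    recovered body. Unpacking or emulation is what defeats code mutation;
    a longer signature list is not."""
    return signature in xor_bytes(variant["payload"], variant["key"])


def evaluate(oligomorphic: bool, n: int = 200, seed: int = 7) -> dict:
    """Generate n variants and count what each detection strategy catches."""
    rng = random.Random(seed)
    variants = [make_variant(BODY, rng, oligomorphic) for _ in range(n)]
    return {
        "variants": n,
        "static_hits": sum(static_scan(serialize(v), SIGNATURE) for v in variants),
        "emulated_hits": sum(emulate_and_scan(v, SIGNATURE) for v in variants),
        # how many distinct decryptor stubs a signature writer would have to cover
        "distinct_decryptors": len({decryptor_stub(v) for v in variants}),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("oligomorphic" if mode else "polymorphic ", evaluate(mode))
```

The oligomorphic run yields exactly three distinct decryptor stubs across 200 generations, so three stub signatures would cover the whole family; the polymorphic run yields a different stub for every generation, and only scanning after decryption recovers the constant body.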

Advanced hyperevasive malware techniques

Characterized by the combination of many known evasion techniques, such as sandbox awareness (the sample checks for signs of an analysis environment and stays dormant there) and limited attack windows (campaigns that run for only a few hours before samples and infrastructure are rotated), to reduce the odds of rapid detection by researchers or automated security systems. The Cerber and Locky ransomware families are both examples of hyper-evasive malware.

Malware in the future

IoT-distributed Malware–Criminals will increasingly leverage IoT devices to distribute viruses, ransomware, and malware, since these devices offer enough power to host bots, and frequently offer little or no protection.

Ransomware-as-a-Service–More criminals will get into the ransomware business with the proliferation of exploit kits and self-service ransomware. More ransomware will be distributed in a "Ransomware-as-a-Service" (RaaS) model, where affiliates distribute the ransomware, while the ransomware developers earn a commission from each ransom payment.

HTTPS is not secure

MALWARE INCREASINGLY HIDES IN HTTPS TRAFFIC

Trust seals and SSL/TLS/HTTPS icons promising a "100 percent secured website" create confusion about what TLS does and does not do. TLS encryption protects against eavesdropping on and tampering with communications in transit (such as man-in-the-middle attacks) and authenticates the server, but it enforces no security standard beyond encryption and authentication: it says nothing about what the server sends. A TLS connection carries cyber threats exactly as well as legitimate data.

Malware authors have also moved to encrypted delivery, effectively hiding their downloads from any security system that does not inspect HTTPS. Such a system sees only connection metadata, such as the destination address and the hostname in the TLS handshake, never the file being fetched. In fact, malware delivered via HTTPS has increased from a mere 1% of all malware in 2013 to almost 40% of all malware today.
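The following added example (not code from the original page) makes the "metadata only" point concrete. It builds a minimal TLS 1.2 ClientHello for a hostname (constructed bytes, not a capture) and parses the Server Name Indication extension back out of it. The hostname in that extension is the only application-level fact a non-decrypting device gets from an HTTPS session; the request path and the downloaded file are encrypted, so URL- and content-based detection requires TLS inspection.

```python
"""What a non-decrypting security device sees of an HTTPS session.

Added example, not code from the original page. build_client_hello()
constructs a minimal TLS 1.2 ClientHello record (not a real capture);
extract_sni() is a parser over the record, handshake and ClientHello
headers that pulls out the server_name extension.
"""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
SNI_EXTENSION_TYPE = 0x0000


def build_client_hello(hostname: str, random32: bytes = b"\x11" * 32) -> bytes:
    """Constructed TLS 1.2 ClientHello record carrying only an SNI extension."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    sni_ext = (struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name) + 2)
               + struct.pack("!H", len(server_name)) + server_name)
    body = (b"\x03\x03"                     # client_version: TLS 1.2
            + random32                      # 32-byte client random
            + b"\x00"                       # session_id length 0
            + b"\x00\x02\xc0\x2f"           # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
            + b"\x01\x00"                   # compression methods: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None.

    Walks the record and handshake headers, skips the variable-length
    session id, cipher suite and compression fields, then scans the
    extension list for type 0 (server_name). Anything that is not a
    well-formed ClientHello (e.g. an application-data record) yields None.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    pos = 2 + 32                                   # version + random
    if len(p) < pos + 1:
        return None
    pos += 1 + p[pos]                              # session id
    if len(p) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", p[pos:pos + 2])[0]   # cipher suites
    if len(p) < pos + 1:
        return None
    pos += 1 + p[pos]                              # compression methods
    if len(p) < pos + 2:                           # no extensions at all
        return None
    ext_len = struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(p))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4])
        data = p[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SNI_EXTENSION_TYPE and len(data) >= 5 and data[2] == 0:
            # server_name_list: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            if len(data) >= 5 + name_len:
                return data[5:5 + name_len].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    hello = build_client_hello("updates.example.com")
    print(len(hello), "bytes on the wire; SNI =", extract_sni(hello))
```

A hostname is enough to apply URL-category or reputation blocking per site, which is what many proxies do without decrypting; it is not enough to tell a malicious download apart from a legitimate one on the same host, and a sample fetched from an otherwise reputable compromised site is invisible to such a device.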



Innovation is the only defense

THE SANDBOX ARRAY

By substantially increasing the analytical capacity of cybersecurity systems, including behavioral analysis systems, companies can improve their fight against hyper-evasive malware.

Cyren has developed a next-generation sandboxing array that detonates each sample in several differently configured sandbox environments, so a sample that recognizes one environment and stays dormant there is still likely to expose its behavior in another, dramatically increasing the probability of detection.


Routers and DVRs offering up malware

The much-discussed onslaught of malware delivered via IoT botnets has decidedly arrived. During 2016 and 2017, the Bashlight and Mirai botnets (comprised primarily of IoT devices) spread by scanning the Internet for devices with telnet exposed and logging in with factory-default credentials, then used the compromised routers, DVRs and cameras to propagate and to launch attacks.

As malware and ransomware continue to grow at epidemic levels, the practically unlimited supply of unsecured IoT devices presents serious dangers. When a criminal can garner $50k to $100k from a single ransomware attack, IoT botnets that can be hired for as little as $3,000 per attack offer an excellent return on investment.
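The telnet scanning described above leaves a distinctive footprint on the network: one internal device fanning out to many unrelated destinations on TCP ports 23 and 2323 in a short time. The detection logic below is an added example (not code from the original page) run over a handful of constructed connection-log lines; the log format (timestamp, source, destination, destination port, action) and the threshold values are assumptions chosen for the illustration, not a vendor format.

```python
"""Spotting Mirai-style telnet scanning in connection logs.

Added example, not code from the original page. SAMPLE_LOG is a
constructed, generic firewall-style export (timestamp src dst dport action);
the format and the thresholds are assumptions. The signal is one source
reaching many distinct destinations on telnet ports inside a short window,
not any single connection, so both ALLOW and DENY lines count.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}

SAMPLE_LOG = """\
2017-05-02T10:00:01 192.168.1.20 203.0.113.5 443 ALLOW
2017-05-02T10:00:02 192.168.1.37 198.51.100.11 23 DENY
2017-05-02T10:00:02 192.168.1.37 198.51.100.12 23 DENY
2017-05-02T10:00:03 192.168.1.37 198.51.100.13 2323 DENY
2017-05-02T10:00:03 192.168.1.37 198.51.100.14 23 DENY
2017-05-02T10:00:04 192.168.1.37 198.51.100.15 23 DENY
2017-05-02T10:00:04 192.168.1.37 198.51.100.16 23 ALLOW
2017-05-02T10:00:05 192.168.1.37 198.51.100.17 2323 DENY
2017-05-02T10:00:05 192.168.1.37 198.51.100.18 23 DENY
2017-05-02T10:00:09 192.168.1.20 203.0.113.5 443 ALLOW
2017-05-02T10:00:10 192.168.1.50 203.0.113.9 23 ALLOW
2017-05-02T10:03:00 192.168.1.50 203.0.113.9 23 ALLOW
2017-05-02T10:30:00 192.168.1.37 198.51.100.40 23 DENY
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_telnet_scanners(log_text: str, threshold: int = 6,
                         window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {src: set_of_distinct_dsts} for every source that reached at
    least `threshold` distinct destinations on telnet ports within any
    `window`. A sliding window over each source's time-sorted events keeps
    a single legitimate admin session (one host, repeated) below threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport in TELNET_PORTS:
            events[src].append((ts, dst))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                      # drop events older than the window
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= threshold and len(targets) > len(scanners.get(src, ())):
                scanners[src] = targets
    return scanners


if __name__ == "__main__":
    for src, targets in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(targets)} distinct telnet targets within 5 min")
```

On the sample, 192.168.1.37 trips the rule with eight distinct targets in four seconds, while 192.168.1.50, which only talks to one host, and the lone 10:30 probe outside the window do not. In production the same logic runs over NetFlow or firewall exports, and a hit is a strong indicator that a device on the network is already part of a botnet and should be isolated, reset from a clean firmware image, and have its default credentials changed.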

By the billions...


Ransomware increased by an estimated 2300% in 2016 and by an additional 250% in 2017.


During the initial Locky outbreak, Cyren observed up to 37 BILLION ransomware-infected emails being distributed in one day.

Ransomware made easy:
Roll your own in minutes

Found on the dark web's Tor network, "Satan" is a ransomware creation service that provides a complete, one-stop ransomware package for any would-be criminal. "Ransomware-as-a-service" packages significantly lower the barrier to entering the ransomware "business," allowing even the not-so-technically-inclined to configure their own ransomware payload.

For a small fee, the aspiring criminal only needs to register, log in, and follow simple configuration options (like "How many days until the payment period expires?") to create a new variant of the Satan virus. Once the virus is created, the criminal downloads it and begins distribution.


How Cyren helps stop malware

Cyren Email Security
  • Outbound protection blocks botnet-infected devices from sending malware or spam from your domain.
  • Blocks delivery of sophisticated, large-scale email attacks on a global basis, as attacks happen in real time.
  • Policy-based encryption of email traffic for senders and recipients.
Cyren Web Security
  • Blocks outbound botnet calls to “command-and-control” servers.
  • Continuously monitors and blocks access to known and unknown botnet sites, malicious URLs, malware, APTs and zero-day attacks.
  • Finds hidden threats in encrypted SSL traffic.
  • Blocks identified threats cloud-wide in seconds.