What Makes Advanced Malware So Scary?

Malware is code that is written to accomplish a malicious purpose. In most cases the malware also has the ability to spread or infiltrate other systems or programs. Sometimes the malware’s purpose is just to show off the author’s hacking prowess, but more recently the purpose has typically been to make money, steal information or cause damage. In some cases, the scope of the malicious intent and damage has been to such an extent that we call it cyberterrorism or cyberwarfare. Think of the recent attack on Sony, which appears to be prompted by the film The Interview.

Over the years, types of malware are often given colorful and even scary names. Viruses, worms and Trojan horses were terms coined in the 1980s for various types of malicious code. More recently, we have described certain attacks as advanced persistent threats (APTs) and advanced malware. Advanced malware tends to be targeted, stealthy, evasive and adaptive. This compared to previous types of malware that generally tried to spread to as many programs or systems as possible, often in an indiscriminate and “noisy” fashion.

APTs are advanced malware which The US National Institutes of Standard (NIST) defines as follows:

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.

The definition is a bit heavy, but completely in line with the concept that advanced malware has a clear “who” behind it that is writing the code to attack a specific target and carry out a specific mission. The attack is likely to be against a targeted enterprise or even certain individuals like systems administrators within an enterprise. Moreover, the malware is likely to be multipronged with a variety of different ways and techniques to infiltrate a system and extract the desired information. It can be patient and wait for some time before attacking. Also, it will adapt to conditions and try different methods automatically.

Finding and blocking this type of code can be difficult for traditional antivirus software because chances are the attack will never have been seen before. This means that no antivirus signature will have been created for the malware. Behavior blocking and reputation-based antivirus techniques might be somewhat effective. For instance, since the malware will likely try to extract and send confidential data somewhere, that type of unusual behavior might be discoverable and blocked. However, the people creating advanced malware are likely to test their creations’ evasive and stealth capabilities against most popular antivirus and security products.

So who writes this stuff? While individual hackers might write advanced malware, more often it is the product of dedicated teams from nation states, organized crime groups or terrorist organizations. Advanced malware is built and tested with a degree of professionalism and dedication similar to that found in legitimate software product teams.

Scared? You’re not alone. One in five respondents noted that their organization has already experienced an APT attack in a recent ISACA survey, and 66 percent believe it is only a matter of time before their organization is hit by one. Additionally, 92 percent believe that APTs are a serious threat.

So what can an organization do to protect against advanced malware? Improved training and multiple layers of security are clearly part of the answer, and ISACA’s Cybersecurity Nexus (CSX) has a helpful guide on the subject available.

I also discussed the reality of advanced malware in an article for Processor. Read the full article here.

Rob Clyde, CISM
CEO, Adaptive Computing

[ISACA]