When it comes to malware, no two pieces are exactly alike. On one hand, that variation exists to avoid detection on the end user’s device. On the other, it is because the malware is shaped by a wide variety of information gathering, tools, utilities and even a community that attackers draw on to construct their attacks.
As a security professional, understanding what tools attackers use in their approaches can shape the way security policy is administered across an organization’s network and its connected endpoints. The main factors that influence how a given piece of malware is built are:
- Information — Whether the attack is targeted or generic in nature. If an attack is targeted, the attacker will likely have used reconnaissance (including social engineering of employees at the target organization) to determine the specific detection product(s) in use. This influences which evasion techniques are used, compared to a generic “infect as many endpoints as possible” attack.
- Time and Money — A well-funded attacker will take the time to develop their own crypters and evasions and test them extensively, or purchase custom, unique crypter stubs from malware supplier sites. Less well-resourced attackers will rely on cheaper or freely available tools, which use older, commonly known techniques that are more likely to be detected.
- Malware-as-a-Service (MaaS) — Depending on their technical sophistication, an attacker may use a MaaS offering, which lowers the barrier to entry to almost nothing. A MaaS provides an attacker with malware that has been tested against popular anti-virus products, a mechanism to spread it (spam email runs) and a web-based GUI to track infections and control the malware.
- Malware Community — Various forums on both the visible and dark web allow attackers to trade tips, techniques and code snippets, and to assist one another in creating custom malware. When a technique proves effective, it is almost guaranteed to be adopted by other attackers; there is definitely no honor among thieves, and many attackers have reverse engineering skills.
- Malware Utilities — Many attackers use utilities (either self-written or purchased) that package their malicious code for distribution. These utilities let the attacker choose which packer to use, add polymorphism to the code, add configuration values (such as command and control addresses) to tailor the attack, specify which strings to insert into junk portions of the code and set how many variants to generate. The results can also be passed through crypters to make detection less likely.
To gain a better understanding of how attacks happen and how you can best avoid them, we encourage you to download our popular whitepaper, Always-On Next Generation Malware Detection. It discusses the limits of endpoint-based security solutions, why malware is still succeeding, the advantages of network-based malware detection and how you can enable better detection with the power of machine learning.